IR 05000255/2015403: Difference between revisions

| number = ML15170A386
| issue date = 06/18/2015
| title = Information Request for Temporary Instruction 2201/004 Inspection, Notification to Perform Inspecting of Implementation of Interim Cyber Security Milestones 1-7, 05000255/2015403
| author name = Szwarc D
| author affiliation = NRC/RGN-III/DRS

=Text=
{{#Wiki_filter:UNITED STATES NUCLEAR REGULATORY COMMISSION REGION III 2443 WARRENVILLE RD. SUITE 210 LISLE, IL 60532-4352
June 18, 2015
Mr. Anthony Vitale Vice President, Operations Entergy Nuclear Operations, Inc. Palisades Nuclear Plant 27780 Blue Star Memorial Highway Covert, MI 49043-9530

==SUBJECT:==
PALISADES NUCLEAR PLANT - INFORMATION REQUEST FOR TEMPORARY INSTRUCTION 2201/004 INSPECTION, NOTIFICATION TO PERFORM "INSPECTION OF IMPLEMENTATION OF INTERIM CYBER SECURITY MILESTONES 1 - 7"; 05000255/2015403

==Dear Mr. Vitale:==
On August 31, 2015, the U.S. Nuclear Regulatory Commission (NRC) will begin an inspection of Temporary Instruction (TI) 2201/004 at your Palisades Nuclear Plant (PNP). The TI inspection will be performed to evaluate and verify your ability to meet the interim milestone requirements of the NRC's Cyber Security Rule, Title 10, Code of Federal Regulations (CFR), Part 73, Section 54, "Protection of Digital Computer and Communication Systems and Networks."


In accordance with 10 CFR 73.54, each nuclear power plant licensee was required to submit a proposed Cyber Security Plan (CSP), and associated implementation schedule for NRC approval. On December 14, 2009, by letter (ML093080517) to the Nuclear Energy Institute (NEI), the NRC provided their expectations for the proposed implementation schedule. On January 5, 2011, by letter (ML110060093) to the NRC, NEI issued an initial "Template for the Cyber Security Plan Implementation Schedule" (ML110060097). On February 28, 2011, by letter (ML110600206) to the NRC, NEI provided a revised "Template for the Cyber Security Plan Implementation Schedule." The purpose of the letter's attachment was to provide the licensee with a generically written template to develop their proposed CSP implementation schedule. Utilization of the generic template required the licensee to make conforming changes to ensure the submitted schedule accurately accounted for site-specific activities. Based on an NRC technical review (ML110070348), the template was found acceptable to develop the licensees' CSP implementation schedule (i.e., Milestones 1 through 8). On November 19, 2009, by letter (ML093230831) to the NRC, Entergy Nuclear Operations, Inc. (ENO) provided the PNP CSP and the CSP's associated implementation schedule that accounted for the site-specific activities. On July 26, 2010, by letter (ML102110090) to the NRC, ENO submitted a license amendment withdrawal, and revised license amendment request for PNP. On July 28, 2011, by letter (ML111801243) to ENO, the NRC issued Amendment No. 243 that approved the existing license condition regarding physical protection in the facility operating license to require the licensee to fully implement and maintain in effect all provisions of the NRC-approved CSP. On June 20, 2012, by letter (ML12184A149) to the NRC, ENO requested the NRC approve a license amendment change to Milestone 6. On December 5, 2012, by letter (ML12318A234) to ENO, the NRC issued Amendment No. 248 that approved the Milestone 6 implementation schedule change. On December 30, 2013, by letter (ML13364A328) to the NRC, ENO requested a change to the PNP CSP's Milestone 8 full implementation date. On December 8, 2014, by letter (ML14237A144) to ENO, the NRC issued Amendment No. 253 that approved the Milestone 8 implementation schedule's date change for PNP.


The subject TI inspection provides a programmatic level review and verification of the licensee's site-specific implementation of Interim Milestones 1 through 7. The schedule for the onsite TI Inspection for the Interim Milestones 1 through 7 is as follows:
Information Gathering Visit: August 31 - September 4, 2015; and
Cyber Security TI Inspection: September 14 - 18, 2015

The purpose of the information gathering visit is to: (1) obtain information and documentation needed to support the TI inspection; (2) become familiar with your CSP and plant layout; and (3) arrange administrative details, such as office space, availability of knowledgeable office personnel, and to ensure unescorted site access privileges.


In order to assure a productive TI inspection, we have enclosed a request for documents needed to ensure that the inspectors are adequately prepared. These documents have been divided into four groups.

The first group lists information necessary to aid the inspectors in planning for the TI inspection. It is requested that this information be provided to the lead inspector via mail or electronically no later than August 17, 2015. The second group also lists information and possible areas for discussion necessary to assist the inspectors during the TI inspection. It is requested this information be available during the information gathering visit (August 31 - September 4, 2015). The third group of requested documents consists of those items that the inspectors will review, or need access to, during the TI inspection. Please have this information available by the first day of the onsite inspection week (September 14, 2015). The fourth group lists the information necessary to aid the inspectors in tracking questions and answers identified as a result of the TI inspection. It is requested that this information be provided to the lead inspector as the information is generated during the TI inspection. It is important that all of these documents are up to date and complete in order to minimize the number of additional documents requested during the preparation and/or the onsite portions of the TI inspection.

The lead inspector for this inspection is Mr. Gregory Hansen. We understand that our regulatory contact for this inspection is Mr. James Miksa of your organization. If there are any questions about the TI inspection or the material requested, please contact the lead inspector at (630) 829-9610, or via e-mail at Gregory.Hansen@nrc.gov. This letter does not contain new or amended information collection requirements subject to the Paperwork Reduction Act of 1995 (44 U.S.C. 3501 et seq.). Existing information collection requirements were approved by the Office of Management and Budget, Control Number 3150-0011. The NRC may not conduct or sponsor, and a person is not required to respond to, a request for information or an information collection requirement unless the requesting document displays a currently valid Office of Management and Budget Control Number.


In accordance with Title 10 of the Code of Federal Regulations (10 CFR) 2.390, "Public Inspections, Exemptions, Requests for Withholding," of the NRC's "Rules of Practice," a copy of this letter, its enclosure, and your response (if any) will be available electronically for public inspection in the NRC's Public Document Room or from the Publicly Available Records (PARS) component of the NRC's Agencywide Documents Access and Management System (ADAMS). ADAMS is accessible from the NRC Web site at http://www.nrc.gov/reading-rm/adams.html (the Public Electronic Reading Room).


Sincerely,
/RA/
Dariusz Szwarc, Chief (Acting)
Engineering Branch 3
Division of Reactor Safety
Docket Nos. 50-255 and 72-007
License No. DPR-20
Enclosure: Information Request for Cyber Security Temporary Instruction 2201/004, Interim Milestones 1 - 7 Inspection
cc w/encl: Distribution via LISTSERV


INFORMATION REQUEST FOR CYBER SECURITY TEMPORARY INSTRUCTION 2201/004 INTERIM MILESTONES 1 - 7 INSPECTION
Inspection Report No: 05000255/2015403
Inspection Onsite Dates: August 31 - September 4, 2015 (Information Gathering Visit); September 14 - 18, 2015 (Cyber Security Temporary Instruction Inspection)
Inspection Procedure: Temporary Instruction 2201/004, "Inspection of Implementation of Interim Cyber Security Milestones 1 - 7"
NRC Inspectors:
Gregory Hansen, Lead Inspector, (630) 829-9610, Gregory.Hansen@nrc.gov
George Hausman, (630) 829-9743, George.Hausman@nrc.gov
Alan Konkal (Cyber Security Contractor), (561) 859-5232 (cell), Alan.Konkal@nrc.gov

I. Information Requested Prior to the Information Gathering Visit
The following information is requested by August 17, 2015. If you have any questions regarding this request, please call the lead inspector as soon as possible. All information should be sent to Mr. Gregory Hansen (e-mail address Gregory.Hansen@nrc.gov). Electronic media is preferred. Where information is provided that includes tables and/or lists of data or other such information, please do not scan such tables and/or lists as images. The preferred file format is a searchable Excel spreadsheet or "pdf" file on a compact disk (CD). The CD should be indexed and hyper-linked to facilitate ease of use. Please provide 3 copies of each CD submitted (one for each inspector and for a cyber security contractor).


A. Cyber Security Temporary Instruction Documentation
1. Provide a list of all documents required to complete each of the Cyber Security Milestones 1 - 7 identified by letter (ML102110090) dated July 26, 2010, Entergy Nuclear Operations, Inc. (ENO) - Palisades Nuclear Plant (PNP) Cyber Security Plan (CSP), and Revised Implementation Schedule, Attachments 6 and 5 respectively. Provide each milestone in a separate folder on the CD (e.g., Milestone 1, Milestone 2, etc.). Each milestone document shall be listed in a table as follows:
MILESTONE X, where X equals 1 - 7 Document Number Title Description Rev Status No. 1 No. 2 No. 3 etc.


Based on the list of documents identified in I.A.1 above, for each milestone document where the "Status" is identified as completed, place the completed document in its associated folder and hyperlink the associated document number to the completed document. For each document, the "Status" should be identified as "not started," "in-progress" or "completed."
In addition to the documents identified in I.A.1 above, ensure the documents identified below (I.A.2 - I.A.8) for MILESTONE 1 - 7 are included in the I.A.1 table above.

2. MILESTONE 1 - Provide the following documentation for the Cyber Security Assessment Team (CSAT):
a. Procedures establishing the CSAT team.

b. List of CSAT members noting primary areas of responsibility.

c. Procedures detailing qualification requirements for CSAT members.

d. Supporting documentation that demonstrates each CSAT member meets the requirements to fulfill their respective position on the team. For example: member resumes; evaluation of previous education and experience; training required by your implementing procedures and supporting documentation which shows training was completed; or industry certifications.

3. MILESTONE 2 - Provide the following documentation:
a. List of plant systems noting which systems have been identified as Critical Systems (CSs).

b. List of all digital assets noting which have been classified as Critical Digital Assets (CDAs), and which have not.
 
c. Procedure documenting the process by which CSs and CDAs are identified in accordance with your CSP, Section 3.1.3.
 
4. MILESTONE 3 - Provide the following documentation:
a. Procedures establishing your cyber defensive architecture. Explain any variances from your CSP, Section 4.3, and tracking documents for their correction.
 
b. Provide an overview of your cyber defensive architecture, preferably with overview level diagrams showing the various levels and location of the subject deterministic one-way device.
 
c. Provide details of the implementation of the subject deterministic one-way device.
 
5. MILESTONE 4 - Provide the following documentation:
a. Procedures implementing the security control "Access Control for Portable and Mobile Devices." Include any training material or promotional literature distributed to staff associated with the control.
 
6. MILESTONE 5 - Provide the following documentation:
a. Procedures implementing the requirements described in Milestone 5.
 
b. Training materials associated with the changes to plant programs associated with Milestone 5.
 
7. MILESTONE 6 - Provide the following documentation:
a. Procedures documenting the process by which technical cyber security controls have been identified for those CDAs which require the implementation of technical security controls for Milestone 6.
 
8. MILESTONE 7 - Provide the following documentation:
a. Procedures implementing the ongoing monitoring and assessment activities as described in your CSP, Section 4.4.
 
B. Cyber Security Supporting Documentation
1. Provide a copy of the current version of the Updated Safety Analysis Report, Technical Specifications, and Technical Requirements Manual or equivalent.

2. Provide a copy of the current cyber security "Health Report," if available.

3. Provide a copy of the current plant drawings used for operator training that provide additional information on system operation, system operating parameters, setpoints, etc. (e.g., some licensees refer to these drawings as "Horse Notes") for identified cyber security CSs, if available.


4. Provide operator training lesson plans and/or operator training aids for identified cyber security CSs, if available.

II. Information Requested During the Information Gathering Visit (August 31 - September 4, 2015)
The following information is requested to be provided to the inspectors during the on-site information gathering visit. It is requested that the following information be provided on three sets of CDs (searchable, if possible).

A. General Information:
1. A listing of abbreviations and/or designators for plant systems; 2. Organizational chart for corporate and site personnel involved in establishing, overseeing, and maintaining the CSP and; 3. A phone list for licensee personnel.


B. Facility Information:
1. Provide a presentation/discussion of your CSP, existing cyber security CSs, and associated CDAs.

2. Provide a list and discussion of currently scheduled or planned cyber security related modifications to be installed in the plant.

C. Specific Information Associated with the Milestones:
1. MILESTONE 3 - Be prepared to provide an overview walkdown of the cyber architecture within the plant including safety, security and emergency preparedness related CDAs.
 
2. MILESTONE 6 - Be prepared to present information for target set CDAs including a list of target set CDAs, and documentation of the process for identifying them.
 
3. MILESTONE 6 - For selected CDAs, be prepared to produce documentation for each of the technical controls in Appendix D of Nuclear Energy Institute (NEI) 08-09, Revision 6, the results of reviews required under your CSP, Section 3.1.6.
 
a. For controls that are implemented, provide the procedures implementing the control. Common controls for all CDAs may be provided in a separate list with the procedures implementing each of them.
 
b. For alternate controls that have been implemented, provide the documented basis for employing alternative countermeasures, and the procedures implementing the alternative measures.


3. MILESTONE 6 - For selected CDAs, be prepared to produce documentation for each of the technical controls in Appendix D of Nuclear Energy Institute (NEI) 08-09 , Revision 6, the results of reviews required under your CSP, Section 3.1.6. a. For controls that are implemented, provide the procedures implementing the control. Common controls for all CDAs may be provided in a separate list with the procedures implementing each of them. b. For alternate controls that have been implemented, provide the documented basis for employing alternative countermeasures, and the procedures implementing the alternative measures
c. Where controls have been deemed unnecessary, provide the threat vector analysis supporting the conclusion that the threat vector does not exist.
. c. Where controls have been deemed unnecessary, provide the threat vector analysis supporting the conclusion that the threat vector does not exist.


4. MILESTONE 7 - For the CDAs selected above, be prepared to produce documentation for each of the technical controls in Appendix D of NEI 08-09 , Revision 6, and the results of immediate activities required under your CSP, Section 4.4. a. For all controls that are implemented, provide the objective evidence that the control is effective in accordance with your CSP, Section 4.4.3.1. This may be combined with the documentation provided for Milestone 6. b. Documentation for common controls for all CDAs may be provided in a separate list with the procedures implementing each of them.
4. MILESTONE 7 - For the CDAs selected above, be prepared to produce documentation for each of the technical controls in Appendix D of NEI 08-09, Revision 6, and the results of immediate activities required under your CSP, Section 4.4.


a. For all controls that are implemented, provide the objective evidence that the control is effective in accordance with your CSP, Section 4.4.3.1. This may be combined with the documentation provided for Milestone 6.


b. Documentation for common controls for all CDAs may be provided in a separate list with the procedures implementing each of them.
 
c. Provide governing procedures and results of vulnerability scans performed to comply with your CSP, Section 4.4.3.2
 
III. Information Requested to be Available on First Day of the Second On-site Week (September 14, 2015)
The following information is requested to be provided on the first day of the TI inspection. It is requested that this information be provided on three sets of CDs (searchable, if possible).


A. Any updates to information previously provided.


IV. Information Requested to Be Provided Throughout the TI Inspection

A. Copies of the list of questions/documents requested identified by the inspector and the status/resolution of the information requested (provided daily during the TI inspection to each inspector).
 
If you have questions regarding the information requested, please contact Mr. Gregory Hansen, the Lead Inspector.
 
}}
}}

Latest revision as of 23:35, 16 November 2019

Information Request for Temporary Instruction 2201/004 Inspection, Notification to Perform Inspecting of Implementation of Interim Cyber Security Milestones 1-7, 05000255/2015403
ML15170A386
Person / Time
Site: Palisades
Issue date: 06/18/2015
From: Dariusz Szwarc
Division of Reactor Safety III
To: Vitale A
Entergy Nuclear Operations
References
IR 2015403
Download: ML15170A386 (9)


Text

UNITED STATES June 18, 2015

SUBJECT:

PALISADES NUCLEAR PLANT - INFORMATION REQUEST FOR TEMPORARY INSTRUCTION 2201/004 INSPECTION, NOTIFICATION TO PERFORM INSPECTION OF IMPLEMENTATION OF INTERIM CYBER SECURITY MILESTONES 1 - 7; 05000255/2015403

Dear Mr. Vitale:

On August 31, 2015, the U.S. Nuclear Regulatory Commission (NRC) will begin an inspection of Temporary Instruction (TI) 2201/004 at your Palisades Nuclear Plant (PNP). The TI inspection will be performed to evaluate and verify your ability to meet the interim milestone requirements of the NRC's Cyber Security Rule, Title 10, Code of Federal Regulations (CFR), Part 73, Section 54, "Protection of Digital Computer and Communication Systems and Networks."

In accordance with 10 CFR 73.54, each nuclear power plant licensee was required to submit a proposed Cyber Security Plan (CSP), and associated implementation schedule for NRC approval. On December 14, 2009, by letter (ML093080517) to the Nuclear Energy Institute (NEI), the NRC provided their expectations for the proposed implementation schedule. On January 5, 2011, by letter (ML110060093) to the NRC, NEI issued an initial Template for the Cyber Security Plan Implementation Schedule (ML110060097). On February 28, 2011, by letter (ML110600206) to the NRC, NEI provided a revised Template for the Cyber Security Plan Implementation Schedule. The purpose of the letter's attachment was to provide the licensee with a generically written template to develop their proposed CSP implementation schedule. Utilization of the generic template required the licensee to make conforming changes to ensure the submitted schedule accurately accounted for site-specific activities. Based on an NRC technical review (ML110070348), the template was found acceptable to develop the licensee's CSP implementation schedule (i.e., Milestones 1 through 8).

On November 19, 2009, by letter (ML093230831) to the NRC, Entergy Nuclear Operations, Inc. (ENO) provided the PNP CSP and the CSP's associated implementation schedule that accounted for the site-specific activities. On July 26, 2010, by letter (ML102110090) to the NRC, ENO submitted a license amendment withdrawal, and revised license amendment request for PNP. On July 28, 2011, by letter (ML111801243) to ENO, the NRC issued Amendment No. 243 that approved the existing license condition regarding physical protection in the facility operating license to require the licensee to fully implement and maintain in effect all provisions of the NRC-approved CSP. On June 20, 2012, by letter (ML12184A149) to the NRC, ENO requested the NRC approve a license amendment change to Milestone 6. On December 5, 2012, by letter (ML12318A234) to ENO, the NRC issued Amendment No. 248 that approved the Milestone 6 implementation schedule change. On December 30, 2013, by letter (ML13364A328) to the NRC, ENO requested a change to the PNP CSP's Milestone 8 full implementation date. On December 8, 2014, by letter (ML14237A144) to ENO, the NRC issued Amendment No. 253 that approved the Milestone 8 implementation schedule's date change for PNP.

The subject TI inspection provides a programmatic level review and verification of the licensee's site-specific implementation of Interim Milestones 1 through 7. The schedule for the onsite TI Inspection for the Interim Milestones 1 through 7 is as follows:

Information Gathering Visit: August 31 - September 4, 2015; and

Cyber Security TI Inspection: September 14 - 18, 2015

The purpose of the information gathering visit is to: (1) obtain information and documentation needed to support the TI inspection; (2) become familiar with your CSP and plant layout; and (3) arrange administrative details, such as office space, availability of knowledgeable office personnel, and to ensure unescorted site access privileges.

In order to assure a productive TI inspection, we have enclosed a request for documents needed to ensure that the inspectors are adequately prepared. These documents have been divided into four groups.

The first group lists information necessary to aid the inspectors in planning for the TI inspection. It is requested that this information be provided to the lead inspector via mail or electronically no later than August 17, 2015. The second group also lists information and possible areas for discussion necessary to assist the inspectors during the TI inspection. It is requested this information be available during the information gathering visit (August 31 - September 4, 2015).

The third group of requested documents consists of those items that the inspectors will review, or need access to, during the TI inspection. Please have this information available by the first day of the onsite inspection week (September 14, 2015). The fourth group lists the information necessary to aid the inspectors in tracking questions and answers identified as a result of the TI inspection. It is requested that this information be provided to the lead inspector as the information is generated during the TI inspection. It is important that all of these documents are up to date and complete in order to minimize the number of additional documents requested during the preparation and/or the onsite portions of the TI inspection.

The lead inspector for this inspection is Mr. Gregory Hansen. We understand that our regulatory contact for this inspection is Mr. James Miksa of your organization. If there are any questions about the TI inspection or the material requested, please contact the lead inspector at (630) 829-9610, or via e-mail at Gregory.Hansen@nrc.gov. This letter does not contain new or amended information collection requirements subject to the Paperwork Reduction Act of 1995 (44 U.S.C. 3501 et seq.). Existing information collection requirements were approved by the Office of Management and Budget, Control Number 3150-0011. The NRC may not conduct or sponsor, and a person is not required to respond to, a request for information or an information collection requirement unless the requesting document displays a currently valid Office of Management and Budget Control Number.

In accordance with Title 10 of the Code of Federal Regulations (10 CFR) 2.390, "Public Inspections, Exemptions, Requests for Withholding," of the NRC's "Rules of Practice," a copy of this letter, its enclosure, and your response (if any) will be available electronically for public inspection in the NRC's Public Document Room or from the Publicly Available Records (PARS) component of the NRC's Agencywide Documents Access and Management System (ADAMS). ADAMS is accessible from the NRC Web site at http://www.nrc.gov/reading-rm/adams.html (the Public Electronic Reading Room).

Sincerely,

/RA/

Dariusz Szwarc, Chief (Acting)

Engineering Branch 3

Division of Reactor Safety

Docket Nos. 50-255 and 72-007

License No. DPR-20

Enclosure: Information Request for Cyber Security Temporary Instruction 2201/004, Interim Milestones 1 - 7 Inspection

cc w/encl: Distribution via LISTSERV

INFORMATION REQUEST FOR CYBER SECURITY TEMPORARY INSTRUCTION 2201/004 INTERIM MILESTONES 1 - 7 INSPECTION

Inspection Report No: 05000255/2015403

Inspection Onsite Dates: August 31 - September 4, 2015 (Information Gathering Visit); September 14 - 18, 2015 (Cyber Security Temporary Instruction Inspection)

Inspection Procedure: Temporary Instruction 2201/004, Inspection of Implementation of Interim Cyber Security Milestones 1 - 7

NRC Inspectors:

Gregory Hansen, Lead Inspector, (630) 829-9610, Gregory.Hansen@nrc.gov

George Hausman, (630) 829-9743, George.Hausman@nrc.gov

Alan Konkal (Cyber Security Contractor), (561) 859-5232 (cell), Alan.Konkal@nrc.gov

I. Information Requested Prior to the Information Gathering Visit

The following information is requested by August 17, 2015. If you have any questions regarding this request, please call the lead inspector as soon as possible. All information should be sent to Mr. Gregory Hansen (e-mail address Gregory.Hansen@nrc.gov). Electronic media is preferred. Where information is provided that includes tables and/or lists of data or other such information, please do not scan such tables and/or lists as images. The preferred file format is a searchable Excel spreadsheet or pdf file on a compact disk (CD). The CD should be indexed and hyper-linked to facilitate ease of use. Please provide 3 copies of each CD submitted (one for each inspector and for a cyber security contractor).

A. Cyber Security Temporary Instruction Documentation

1. Provide a list of all documents required to complete each of the Cyber Security Milestones 1 - 7 identified by letter (ML102110090) dated July 26, 2010, Entergy Nuclear Operations, Inc. (ENO) - Palisades Nuclear Plant (PNP) Cyber Security Plan (CSP), and Revised Implementation Schedule, Attachments 6 and 5 respectively. Provide each milestone in a separate folder on the CD (e.g., Milestone 1, Milestone 2, etc.). Each milestone document shall be listed in a table as follows:

MILESTONE X, where X equals 1 - 7

Document Number | Title | Description | Rev | Status
No. 1 | | | |
No. 2 | | | |
No. 3 | | | |
etc. | | | |

Based on the list of documents identified in I.A.1 above, for each milestone document where the Status is identified as completed, place the completed document in its associated folder and hyperlink the associated document number to the completed document. For each document, the Status should be identified as not started, in-progress or completed.

In addition to the documents identified in I.A.1 above, ensure the documents identified below (I.A.2 - I.A.8) for MILESTONE 1 - 7 are included in the I.A.1 table above.

2. MILESTONE 1 - Provide the following documentation for the Cyber Security Assessment Team (CSAT):

a. Procedures establishing the CSAT team.

b. List of CSAT members noting primary areas of responsibility.

c. Procedures detailing qualification requirements for CSAT members.

d. Supporting documentation that demonstrates each CSAT member meets the requirements to fulfill their respective position on the team.

For example: member resumes; evaluation of previous education and experience; training required by your implementing procedures and supporting documentation which shows training was completed; or industry certifications.

3. MILESTONE 2 - Provide the following documentation:

a. List of plant systems noting which systems have been identified as Critical Systems (CSs).

b. List of all digital assets noting which have been classified as Critical Digital Assets (CDAs), and which have not.

c. Procedure documenting the process by which CSs and CDAs are identified in accordance with your CSP, Section 3.1.3.

4. MILESTONE 3 - Provide the following documentation:

a. Procedures establishing your cyber defensive architecture. Explain any variances from your CSP, Section 4.3, and tracking documents for their correction.

b. Provide an overview of your cyber defensive architecture, preferably with overview level diagrams showing the various levels and location of the subject deterministic one-way device.

c. Provide details of the implementation of the subject deterministic one-way device.

5. MILESTONE 4 - Provide the following documentation:

a. Procedures implementing the security control "Access Control for Portable and Mobile Devices." Include any training material or promotional literature distributed to staff associated with the control.

6. MILESTONE 5 - Provide the following documentation:

a. Procedures implementing the requirements described in Milestone 5.

b. Training materials associated with the changes to plant programs associated with Milestone 5.

7. MILESTONE 6 - Provide the following documentation:

a. Procedures documenting the process by which technical cyber security controls have been identified for those CDAs which require the implementation of technical security controls for Milestone 6.

8. MILESTONE 7 - Provide the following documentation:

a. Procedures implementing the ongoing monitoring and assessment activities as described in your CSP, Section 4.4.

B. Cyber Security Supporting Documentation

1. Provide a copy of the current version of the Updated Safety Analysis Report, Technical Specifications, and Technical Requirements Manual or equivalent.

2. Provide a copy of the current cyber security Health Report, if available.

3. Provide a copy of the current plant drawings used for operator training that provide additional information on system operation, system operating parameters, setpoints, etc. (e.g., some licensees refer to these drawings as Horse Notes) for identified cyber security CSs, if available.

4. Provide operator training lesson plans and/or operator training aids for identified cyber security CSs, if available.

II. Information Requested During the Information Gathering Visit (August 31-September 4, 2015)

The following information is requested to be provided to the inspectors during the on-site information gathering visit. It is requested that the following information be provided on three sets of CDs (searchable, if possible).

A. General Information:

1. A listing of abbreviations and/or designators for plant systems;

2. Organizational chart for corporate and site personnel involved in establishing, overseeing, and maintaining the CSP; and

3. A phone list for licensee personnel.

B. Facility Information:

1. Provide a presentation/discussion of your CSP, existing cyber security CSs, and associated CDAs.

2. Provide a list and discussion of currently scheduled or planned cyber security related modifications to be installed in the plant.

C. Specific Information Associated with the Milestones:

1. MILESTONE 3 - Be prepared to provide an overview walkdown of the cyber architecture within the plant including safety, security and emergency preparedness related CDAs.

2. MILESTONE 6 - Be prepared to present information for target set CDAs including a list of target set CDAs, and documentation of the process for identifying them.

3. MILESTONE 6 - For selected CDAs, be prepared to produce documentation for each of the technical controls in Appendix D of Nuclear Energy Institute (NEI) 08-09, Revision 6, the results of reviews required under your CSP, Section 3.1.6.

a. For controls that are implemented, provide the procedures implementing the control. Common controls for all CDAs may be provided in a separate list with the procedures implementing each of them.

b. For alternate controls that have been implemented, provide the documented basis for employing alternative countermeasures, and the procedures implementing the alternative measures.

c. Where controls have been deemed unnecessary, provide the threat vector analysis supporting the conclusion that the threat vector does not exist.

4. MILESTONE 7 - For the CDAs selected above, be prepared to produce documentation for each of the technical controls in Appendix D of NEI 08-09, Revision 6, and the results of immediate activities required under your CSP, Section 4.4.

a. For all controls that are implemented, provide the objective evidence that the control is effective in accordance with your CSP, Section 4.4.3.1. This may be combined with the documentation provided for Milestone 6.

b. Documentation for common controls for all CDAs may be provided in a separate list with the procedures implementing each of them.

c. Provide governing procedures and results of vulnerability scans performed to comply with your CSP, Section 4.4.3.2.

III. Information Requested to be Available on First Day of the Second On-site Week (September 14, 2015)

The following information is requested to be provided on the first day of the TI inspection. It is requested that this information be provided on three sets of CDs (searchable, if possible).

A. Any updates to information previously provided.

IV. Information Requested to Be Provided Throughout the TI Inspection

A. Copies of the list of questions/documents requested identified by the inspector and the status/resolution of the information requested (provided daily during the TI inspection to each inspector).

If you have questions regarding the information requested, please contact Mr. Gregory Hansen, the Lead Inspector.
