ML14239A257: Difference between revisions
StriderTol (talk | contribs) (Created page by program invented by StriderTol) |
StriderTol (talk | contribs) (Created page by program invented by StriderTol) |
||
Line 13: | Line 13: | ||
| document type = Letter, License-Operating (New/Renewal/Amendments) DKT 50, Safety Evaluation | | document type = Letter, License-Operating (New/Renewal/Amendments) DKT 50, Safety Evaluation | ||
| page count = 26 | | page count = 26 | ||
| project = TAC:MF3165, TAC:MF3166, TAC:MF3167 | |||
}} | }} | ||
=Text= | |||
{{#Wiki_filter: Karen D. Fili Site Vice President Monticello Nuclear Generating Plant Northern States Power Company -Minnesota 2807 West County Road 75 Monticello, MN 55362-9637 November 28, 2014 Mr. Kevin Site Vice President Prairie Island Nuclear Generating Plant Northern States Power Company -Minnesota 1717 Wakonade Drive East Welch, MN 55089 | |||
SUBJECT: MONTICELLO NUCLEAR GENERATING PLANT, AND PRAIRIE ISLAND NUCLEAR GENERATING PLANT, UNITS 1 AND 2 -ISSUANCE OF LICENSE AMENDMENTS REGARDING CYBER SECURITY PLAN IMPLEMENTATION SCHEDULE MILESTONES (TAC NOS. MF3165, MF3166, AND MF3167) | |||
==Dear Ms. Fili and Mr. Davison:== | |||
The U.S. Nuclear Regulatory Commission (NRC) has issued the enclosed Amendment Nos. 186, 212, and 200, to Renewed Facility Operating License Nos. DPR-22, DPR-42, and DPR-60 for the Monticello Nuclear Generating Plant (MNGP), and Prairie Island Nuclear Generating Plant (PINGP), Units 1 and 2, respectively. The amendments consist of changes to the facility operating licenses in response to your application dated November 27, 2013, as supplemented by letter dated May 5, 2014. The amendments revise the date of the Cyber Security Plan (CSP) Implementation Milestone 8 to December 1, 2016, and the existing operating license Physical Protection license condition regarding full implementation of the CSP. | |||
K. Fili, et al. -2-A copy of our related safety evaluation is also enclosed. The Notice of Issuance will be included in the Commission's biweekly Federal Register notice. Docket Nos. 50-263, 50-282, and 50-306 | |||
===Enclosures:=== | |||
1. Amendment No. 186 to DPR-22 2. Amendment No. 212 to DPR-42 3. Amendment No. 200 to DPR-60 4. Safety Evaluation cc: Distribution via Listserv | |||
Sincerely,Scott P. Wall, Senior Project Manager Plant Licensing Branch 111-1 Division of Operating Reactor Licensing Office of Nuclear Reactor Regulation NORTHERN STATES POWER COMPANY-MINNESOTA DOCKET NO. 50-263 MONTICELLO NUCLEAR GENERATING PLANT AMENDMENT TO RENEWED FACILITY OPERATING LICENSE Amendment No. 186 Renewed License No. DPR-22 1. The Nuclear Regulatory Commission (the Commission) has found that: A. The application for amendment by Northern States Power Company -Minnesota (NSPM, the licensee), dated November 27, 2013, as supplemented by letter dated May 5, 2014, complies with the standards and requirements of the Atomic Energy Act of 1954, as amended (the Act), and the Commission's rules and regulations set forth in Title 10 of the Code of Federal Regulations (1 0 CFR) Chapter I; B. The facility will operate in conformity with the application, the provisions of the Act, and the rules and regulations of the Commission; C. There is reasonable assurance (i) that the activities authorized by this amendment can be conducted without endangering the health and safety of the public, and (ii) that such activities will be conducted in compliance with the Commission's regulations; D. The issuance of this amendment will not be inimical to the common defense and security or to the health and safety of the public; and E. The issuance of this amendment is in accordance with 10 CFR Part 51 of the Commission's regulations and all applicable requirements have been satisfied. 2. Accordingly, the license is amended by changes to paragraphs 2.C.2 and 2.C.3 of Renewed Facility Operating License No. DPR-22. Paragraph 2.C.2 is hereby amended to read as follows: Technical Specifications The Technical Specifications contained in Appendix A, as revised through Amendment No. 186, are hereby incorporated in the license. NSPM shall operate the facility in accordance with the Technical Specifications. Enclosure 1 | |||
-2 -Paragraph 2.C.3 is hereby amended to read as follows: NSPM shall fully implement and maintain in effect all provisions of the Commission-approved Northern States Power Company-Minnesota (NSPM) Cyber Security Plan (CSP), including changes made pursuant to the authority of 10 CFR 50.90 and 10 CFR 50.54(p). The NSPM CSP was approved by License Amendment No. 166 and supplemented by a License Amendment No. 186. 3. This license amendment is effective as of its date of issuance and shall be implemented within 90 days from the date of issuance. | |||
===Attachment:=== | |||
Changes to the Renewed Facility Operating License No. DPR-22 Davi L. Pelton, Chief Plant Licensing Branch 111-1 Division of Operating Reactor Licensing Office of Nuclear Reactor Regulation Date of Issuance: November 28, 2014 ATTACHMENT TO LICENSE AMENDMENT NO. 186 RENEWED FACILITY OPERATING LICENSE NO. DPR-22 DOCKET NO. 50-263 Replace the following pages of Renewed Facility Operating License DPR-22 with the attached revised pages. The revised pages are identified by amendment number and contain marginal lines indicating the area of change. Remove Pages 3 4 Insert Pages 3 4 | |||
-3-2. Pursuant to the Act and 10 CFR Part 70, NSPM to receive, possess, and use at any time special nuclear material as reactor fuel, in accordance with the limitations for storage and amounts required for reactor operations, as described in the Final Safety Analysis Report, as supplemented and amended, and the licensee's filings dated August 16, 1974 (those portions dealing with handling of reactor fuel); 3. Pursuant to the Act and 10 CFR Parts 30, 40 and 70, NSPM to receive, possess, and use at any time any byproduct, source and special nuclear material as sealed neutron sources for reactor startup, sealed sources for reactor instrumentation and radiation monitoring equipment calibration, and as fission detectors in amounts as required; 4. Pursuant to the Act and 10 CFR Parts 30, 40 and 70, NSPM to receive, possess, and use in amounts as required any byproduct, source or special nuclear material without restriction to chemical or physical form, for sample analysis or instrument calibration or associated with radioactive apparatus or components; and 5. Pursuant to the Act and 10 CFR Parts 30 and 70, NSPM to possess, but not separate, such byproduct and special nuclear material as may be produced by operation of the facility. C This renewed operating license shall be deemed to contain and is subject to the conditions specified in the Commission's regulations in 10 CFR Chapter I and is subject to all applicable provisions of the Act and to the rules, regulations, and orders of the Commission, now or hereafter in effect; and is subject to the additional conditions specified or incorporated below: 1 . Maximum Power Level NSPM is authorized to operate the facility at steady state reactor core power levels not in excess of 2004 megawatts (thermal). 2. Technical Specifications The Technical Specifications contained in Appendix A, as revised through Amendment No. 186 are hereby incorporated in the license. NSPM shall operate the facility in accordance with the Technical Specifications. 3. Physical Protection NSPM shall implement and maintain in effect all provisions of the Commission--approved physical security, guard training and qualification, and safeguards contingency plans including amendments made pursuant to provisions of the Miscellaneous Amendments and Search Renewed License No. DPR-22 Amendment No. -1--tAfl:l 186 | |||
-4-Requirements revisions to 10 CFR 73.55 (51 FR 27817 and 27822) and to the authority of 10 CFR 50.90 and 10 CFR 50.54(p)(2). The combined set of plans which contain Safeguards Information protected under 10 CFR 73.21, are entitled: "Monticello Nuclear Generating Plant Physical Security, Training and Qualification, and Safeguards Contingency Plan," with revisions submitted through May 12, 2006. NSPM shall fully implement and maintain in effect all provisions of the Commission-approved Northern States Power Company -Minnesota (NSPM) Cyber Security Plan (CSP), including changes made pursuant to the authority of 10 CFR 50.90 and 10 CFR 50.54(p). The NSPM CSP was approved by License Amendment No. 166 and supplemented by License Amendment No. 186. 4. Fire Protection NSPM shall implement and maintain in effect all provisions of the approved fire protection program as described in the Updated Safety Analysis Report for the facility and as approved in the SER dated August 29, 1979, and supplements dated February 12, 1981 and October 2, 1985, subject to the following provision: NSPM may make changes to the approved fire protection program without prior approval of the Commission only if those changes would not adversely affect the ability to achieve and maintain safe shutdown in the event of a fire. 5. Emergency Preparedness Plan NSPM shall follow and maintain in effect emergency plans which meet the standards of 10 CFR 50.47(b) and the requirements in 10 CFR 50, Appendix E, including amendments and changes made pursuant to the authority of 10 CFR 50.54(q). The licensee shall meet the requirements of 10 CFR 50.54(s), 50.54(t), and 50.54(u). 6. TMI Action Plan NSPM has satisfactorily met all TMI-2 Lessons Learned Category "A" requirements applicable to the facility. NSPM shall make a timely submittal in response to the letter dated October 31, 1980 regarding TMI requirements from Darrell G. Eisenhut, Director, Division of Licensing, Office of Nuclear Reactor Regulation to All Licensees of Operating Plants and Applicants for Operating Licenses and Holders of Construction Permits (NUREG-0737). 7. Repairs to the Recirculation System Piping The repairs to the recirculation system piping are approved and the unit is hereby authorized to return to power operation, subject to the following condition: Prior to the startup of Cycle 11 , NSPM shall submit by August 1 , 1983 for the Commission's review and approval, a program for inspection and/or modification of the recirculation system piping. Renewed License No. DPR-22 Amendment No. 166, 175, 186 NORTHERN STATES POWER COMPANY-MINNESOTA DOCKET NO. 50-282 PRAIRIE ISLAND NUCLEAR GENERATING PLANT, UNIT 1 AMENDMENT TO RENEWED FACILITY OPERATING LICENSE Amendment No. 212 Renewed License No. DPR-42 1. The Nuclear Regulatory Commission (the Commission) has found that: A. The application for amendment by Northern States Power Company -Minnesota (NSPM, the licensee), dated November 27, 2013, as supplemented by letter dated May 5, 2014, complies with the standards and requirements of the Atomic Energy Act of 1954, as amended (the Act), and the Commission's rules and regulations set forth in Title 10 of the Code of Federal Regulations (1 0 CFR) Chapter I; B. The facility will operate in conformity with the application, the provisions of the Act, and the rules and regulations of the Commission; C. There is reasonable assurance (i) that the activities authorized by this amendment can be conducted without endangering the health and safety of the public, and (ii) that such activities will be conducted in compliance with the Commission's regulations; D. The issuance of this amendment will not be inimical to the common defense and security or to the health and safety of the public; and E. The issuance of this amendment is in accordance with 10 CFR Part 51 of the Commission's regulations and all applicable requirements have been satisfied. 2. Accordingly, the license is amended by changes to paragraphs 2.C.(2) and 2.C.(3) of Renewed Facility Operating License No. DPR-42. Paragraph 2.C.(2) is hereby amended to read as follows: Technical Specifications The Technical Specifications contained in Appendix A, as revised through Amendment No. 212, are hereby incorporated in the license. NSPM shall operate the facility in accordance with the Technical Specifications. Enclosure 2 | |||
-2-Paragraph 2.C.(3) is hereby amended to read as follows: NSPM shall fully implement and maintain in effect all provisions of the Commission-approved Northern States Power Company -Minnesota (NSPM) Cyber Security Plan (CSP), including changes made pursuant to the authority of 10 CFR 50.90 and 10 CFR 50.54(p). The NSPM CSP was approved by License Amendment No. 202 and supplemented by a License Amendment No. 212. 3. This license amendment is effective as its date of issuance and shall be implemented within 90 days from the date of issuance. | |||
===Attachment:=== | |||
Changes to the Renewed Facility Operating License No. DPR-42 FOR THE NUCLEAR REGULATORY COMMISSION ____ __ Plant Licensing Branch 111-1 Division of Operating Reactor Licensing Office of Nuclear Reactor Regulation Date of Issuance: November 28, 2014 ATTACHMENT TO LICENSE AMENDMENT NO. 212 RENEWED FACILITY OPERATING LICENSE NO. DPR-42 DOCKET NO. 50-282 Replace the following pages of Renewed Facility Operating License No. DPR-42 with the attached revised pages. The revised page is identified by amendment number and contains a marginal line indicating the area of change. Remove Pages 3 4 Insert Pages 3 4 | |||
-3 -(3) Pursuant to the Act and 10 CFR Parts 30, 40 and 70, NSPM to receive, possess, and use at any time any byproduct, source and special nuclear material as sealed neutron sources for reactor startup, sealed sources for reactor instrumentation and radiation monitoring equipment calibration, and as fission detectors in amounts as required; (4) Pursuant to the Act and 10 CFR Parts 30, 40, and 70, NSPM to receive, possess and use in amounts as required any byproduct, source or special nuclear material without restriction to chemical or physical form, for sample analysis or instrument and equipment calibration or associated with radioactive apparatus or components; (5) Pursuant to the Act and 10 CFR Parts 30 and 70, NSPM to possess but not separate, such byproduct and special nuclear materials as may be produced by the operation of the facility; (6) Pursuant to the Act and 10 CFR Parts 30 and 70, NSPM to transfer byproduct materials from other job sites owned by NSPM for the purpose of volume reduction and decontamination. C. This renewed operating license shall be deemed to contain and is subject to the conditions specified in the following Commission regulations in 10 CFR Chapter 1: Part 20, Section 30.34 of Part 30, Sections 50.54 and 50.59 of Part 50, and Section 70.32 of Part 70; is subject to all applicable provisions of the Act and to the rules, regulations, and orders of the Commission now or hereafter in effect; and is subject to the additional conditions specified or incorporated below: (1) Maximum Power Level NSPM is authorized to operate the facility at steady state reactor core power levels not in excess of 1677 megawatts thermal. (2) Technical Specifications The Technical Specifications contained in Appendix A, as revised through Amendment No. 212, are hereby incorporated in the renewed operating license. NSPM shall operate the facility in accordance with the Technical Specifications. (3) Physical Protection NSPM shall fully implement and maintain in effect all provisions of the Commission-approved physical security, guard training and qualification, and safeguards contingency plans including amendments made pursuant to provisions of the Miscellaneous Amendments and Search Requirements revisions to 10 CFR 73.55 (51 FR 27817 and 27822) and to the authority of 10 CFR 50.90 and 10 CFR 50.54(p). The combined set of plans, which contains Renewed Operating License No. DPR-42 Amendment No. 212 I | |||
-4 -Safeguards Information protected under 10 CFR 73.21, is entitled: "Prairie Island Nuclear Generating Plant Security Plan, Training and Qualification Plan, Safeguards Contingency Plan, and Independent Spent Fuel Storage Installation Security Program," submitted by letters dated October 18, 2006 and January 10, 2007, and as supplemented by letters dated March 18 and June 2, 2011, and approved by NRC Safety Evaluation dated August 16, 2011. NSPM shall fully implement and maintain in effect all provisions of the Commission-approved Northern States Power Company -Minnesota (NSPM) Cyber Security Plan (CSP), including changes made pursuant to the authority of 10 CFR 50.90 and 10 CFR 50.54(p). The NSPM CSP was approved by License Amendment No. 202 and supplemented by License Amendment No. 212. (4) Fire Protection NSPM shall implement and maintain in effect all provisions of the approved fire protection program as described and referenced in the Updated Safety Analysis Report for the Prairie Island Nuclear Generating Plant, Units 1 and 2, and as approved in Safety Evaluation Reports dated February 14, 1978, September 6, 1979, April 21, 1980, December 29, 1980, July 28, 1981, October 27, 1989, and October 6, 1995, subject to the following provision: NSPM may make changes to the approved Fire Protection Program without prior approval of the Commission only if those changes would not adversely affect the ability to achieve and maintain safe shutdown in the event of a fire. (5) Additional Conditions The Additional Conditions contained in Appendix B, as revised through Amendment No. 206, are hereby incorporated into this license. NSPM shall operate the facility in accordance with the Additional Conditions. (6) Mitigation Strategy License Condition Develop and maintain strategies for addressing large fires and explosions and that include the following key areas: (a) Fire fighting response strategy with the following elements: 1. Pre-defined coordinated fire response strategy and guidance 2. Assessment of mutual aid fire fighting assets 3. Designated staging areas for equipment and materials 4. Command and control 5. Training of response personnel Renewed Operating License No. DPR-42 Amendment No. 212 I NORTHERN STATES POWER COMPANY-MINNESOTA DOCKET NO. 50-306 PRAIRIE ISLAND NUCLEAR GENERATING PLANT, UNIT 2 AMENDMENT TO RENEWED FACILITY OPERATING LICENSE Amendment No. 200 Renewed License No. DPR-60 1. The Nuclear Regulatory Commission (the Commission) has found that: A. The application for amendment by Northern States Power Company -Minnesota (NSPM, the licensee), dated November 27, 2013, as supplemented by letter dated May 5, 2014, complies with the standards and requirements of the Atomic Energy Act of 1954, as amended (the Act), and the Commission's rules and regulations set forth in Title 10 of the Code of Federal Regulations (1 0 CFR) Chapter I; B. The facility will operate in conformity with the application, the provisions of the Act, and the rules and regulations of the Commission; C. There is reasonable assurance (i) that the activities authorized by this amendment can be conducted without endangering the health and safety of the public, and (ii) that such activities will be conducted in compliance with the Commission's regulations; D. The issuance of this amendment will not be inimical to the common defense and security or to the health and safety of the public; and E. The issuance of this amendment is in accordance with 10 CFR Part 51 of the Commission's regulations and all applicable requirements have been satisfied. 2. Accordingly, the license is amended by changes to paragraphs 2.C.(2) and 2.C.(3) of Renewed Facility Operating License No. DPR-60. Paragraph 2.C.(2) is hereby amended to read as follows: Technical Specifications The Technical Specifications contained in Appendix A, as revised through Amendment No. 200, are hereby incorporated in the license. NSPM shall operate the facility in accordance with the Technical Specifications. Enclosure 3 | |||
-2 -Paragraph 2.C.(3) is hereby amended to read as follows: NSPM shall fully implement and maintain in effect all provisions of the Commission-approved Northern States Power Company-Minnesota (NSPM) Cyber Security Plan (CSP), including changes made pursuant to the authority of 10 CFR 50.90 and 10 CFR 50.54(p). The NSPM CSP was approved by License Amendment No. 189 and supplemented by a License Amendment No. 200. 3. This license amendment is effective as of its date of issuance and shall be implemented within 90 days from the date of issuance. | |||
===Attachment:=== | |||
Changes to the Renewed Facility Operating License No. DPR-60 FOR THE NUCLEAR REGULATORY COMMISSION Da . Pe on, Chief Plant Licensing Branch 111-1 Division of Operating Reactor Licensing Office of Nuclear Reactor Regulation Date of Issuance: November 28, 2014 ATTACHMENT TO LICENSE AMENDMENT NO. 200 RENEWED FACILITY OPERATING LICENSE NO. DPR-60 DOCKET NO. 50-306 Replace the following pages of Renewed Facility Operating License No. DPR-60 with the attached revised pages. The revised pages are identified by amendment number and contain marginal lines indicating the area of change. Remove Pages 3 4 Insert Pages 3 4 | |||
-3 -(3) Pursuant to the Act and 10 CFR Parts 30, 40 and 70, NSPM to receive, possess, and use at any time any byproduct, source and special nuclear material as sealed neutron sources for reactor startup, sealed sources for reactor instrumentation and radiation monitoring equipment calibration, and as fission detectors in amounts as required; (4) Pursuant to the Act and 10 CFR Parts 30, 40, and 70, NSPM to receive, possess and use in amounts as required any byproduct, source or special nuclear material without restriction to chemical or physical form, for sample analysis or instrument and equipment calibration or associated with radioactive apparatus or components; (5) Pursuant to the Act and 10 CFR Parts 30 and 70, NSPM to possess but not separate, such byproduct and special nuclear materials as may be produced by the operation of the facility; (6) Pursuant to the Act and 10 CFR Parts 30 and 70, NSPM to transfer byproduct materials from other job sites owned by NSPM for the purpose of volume reduction and decontamination. C. This renewed operating license shall be deemed to contain and is subject to the conditions specified in the following Commission regulations in 10 CFR Chapter 1: Part 20, Section 30.34 of Part 30, Sections 50.54 and 50.59 of Part 50, and Section 70.32 of Part 70; is subject to all applicable provisions of the Act and to the rules, regulations, and orders of the Commission now or hereafter in effect; and is subject to the additional conditions specified or incorporated below: (1) Maximum Power Level NSPM is authorized to operate the facility at steady state reactor core power levels not in excess of 1677 megawatts thermal. (2) Technical Specifications The Technical Specifications contained in Appendix A, as revised through Amendment No. 200, are hereby incorporated in the renewed operating license. NSPM shall operate the facility in accordance with the Technical Specifications. (3) Physical Protection NSPM shall fully implement and maintain in effect all provisions of the Commission-approved physical security, guard training and qualification, and safeguards contingency plans including amendments made pursuant to provisions of the Miscellaneous Amendments and Search Requirements revisions to 10 CFR 73.55 (51 FR 27817 and 27822) and to the authority of 10 CFR 50.90 and 10 CFR 50.54(p). The combined set of plans, which contains Renewed Operating License No. DPR-60 Amendment No. 200 I | |||
-4 -Safeguards Information protected under 10 CFR 73.21, is entitled: "Prairie Island Nuclear Generating Plant Security Plan, Training and Qualification Plan, Safeguards Contingency Plan, and Independent Spent Fuel Storage Installation Security Program," submitted by letters dated October 18, 2006 and January 10, 2007, and as supplemented by letters dated March 18 and June 2, 2011, and approved by NRC Safety Evaluation dated August 16, 2011. NSPM shall fully implement and maintain in effect all provisions of the Commission-approved Northern States Power Company -Minnesota (NSPM) Cyber Security Plan (CSP), including changes made pursuant to the authority of 10 CFR 50.90 and 10 CFR 50.54(p). The NSPM CSP was approved by License Amendment No. 189 and supplemented by License Amendment No. 200. (4) Fire Protection NSPM shall implement and maintain in effect all provisions of the approved fire protection program as described and referenced in the Updated Safety Analysis Report for the Prairie Island Nuclear Generating Plant, Units 1 and 2, and as approved in Safety Evaluation Reports dated February 14, 1978, September 6, 1979, April 21, 1980, December 29, 1980, July 28, 1981, October 27, 1989, and October 6, 1995, subject to the following provision: NSPM may make changes to the approved Fire Protection Program without prior approval of the Commission only if those changes would not adversely affect the ability to achieve and maintain safe shutdown in the event of a fire. (5) Additional Conditions The Additional Conditions contained in Appendix B, as revised through Amendment No. 193, are hereby incorporated into this license. NSPM shall operate the facility in accordance with the Additional Conditions. (6) Mitigation Strategy License Condition Develop and maintain strategies for addressing large fires and explosions and that include the following key areas: (a) Fire fighting response strategy with the following elements: 1. Pre-defined coordinated fire response strategy and guidance 2. Assessment of mutual aid fire fighting assets 3. Designated staging areas for equipment and materials 4. Command and control 5. Training of response personnel (b) Operations to mitigate fuel damage considering the following: 1. Protection and use of personnel assets 2. Communications 3. Minimizing fire spread 4. Procedures for implementing integrated fire response strategy 5. Identification of readily-available pre-staged equipment 6. Training on integrated fire response strategy 7. Spent fuel pool mitigation measures Renewed Operating License No. DPR-60 Amendment No. 200 I SAFETY EVALUATION BY THE OFFICE OF NUCLEAR REACTOR REGULATION RELATED TO AMENDMENT NO. 186 TO RENEWED FACILITY OPERATING LICENSE NO. DPR-22 AND AMENDMENT NO. 212 TO RENEWED FACILITY OPERATING LICENSE NO. DPR-42 AND AMENDMENT NO. 200 TO RENEWED FACILITY OPERATING LICENSE NO. DPR-60 NORTHERN STATES POWER COMPANY-MINNESOTA MONTICELLO NUCLEAR GENERATING PLANT AND PRAIRIE ISLAND NUCLEAR GENERATING PLANT, UNITS 1 AND 2 DOCKET NOS. 50-263, 50-282 AND 50-306 1.0 INTRODUCTION By application dated November 27, 2013 (Agencywide Documents Access and Management System (ADAMS) Accession No. ML 13333B674), as supplemented by letter dated May 5, 2014 (ADAMS Accession No. ML 14126A727), Northern States Power Company-Minnesota (NSPM, the licensee), doing business as Xcel Energy, Inc., submitted a request to amend Renewed Facility Operating License (FOL) Nos. DPR-22, DPR-42, and DPR-60, for the Monticello Nuclear Generating Plant (MNGP) and Prairie Island Nuclear Generating Plant (PINGP), Units 1 and 2, respectively. The proposed change would revise the date of Cyber Security Plan (CSP) Implementation Schedule Milestone 8 and the existing license condition in the FOLs. Milestone 8 of the CSP implementation schedule concerns the full implementation of the CSP. Portions of letters dated November 27, 2013, and May 5, 2014, contain sensitive unclassified non-safeguards information and those portions are withheld from public disclosure in accordance with the provisions of section 2.390(d)(1) of Title 10 of the Code of Federal Regulations (CFR). 2.0 REGULATORY EVALUATION The U.S. Nuclear Regulatory Commission (NRC) staff approved the existing CSP Implementation Schedule for MNGP by Amendment No. 166, and for PINGP, Units 1 and 2, by Amendment Nos. 202 and 189, in letters dated July 29, 2011 (ADAMS Accession Enclosure 4 | |||
-2 -Nos. ML 11186A992 and ML 11187A231, respectively), concurrent with the incorporation of the CSP into the facilities' current licensing bases. The NRC staff considered the following regulatory requirements and guidance in its review of the current license amendment requests to modify the existing CSP implementation schedule: | |||
* 1 0 CFR 73.54, "Protection of digital computer and communication systems and networks," states: "Each [CSP] submittal must include a proposed implementation schedule. Implementation of the licensee's cyber security program must be consistent with the approved schedule." | |||
* The licensees' FOLs include a license condition that requires the licensees to fully implement and maintain in effect all provisions of the Commission-approved CSP. | |||
* In a publicly-available NRC memorandum dated October 24, 2013 (ADAMS Accession No. ML 13295A467), the NRC staff listed 8 criteria that it would consider during its evaluations of licensees' requests to postpone their cyber security programs implementation dates (commonly known as Milestone 8). The NRC staff does not regard the CSP milestone implementation dates as regulatory commitments that can be changed unilaterally by the licensee, particularly in light of the regulatory requirement at 10 CFR 73.54, that "[i]mplementation of the licensee's cyber security program must be consistent with the approved schedule." As the staff explained in its letter to all operating reactor licensees dated May 9, 2011 (ADAMS Accession No. ML 11 0980538), implementation of the plan, including the key intermediate milestone dates and full implementation date, shall be in accordance with the implementation schedule submitted by the licensee and approved by the NRC. All subsequent changes to the NRC-approved CSP implementation schedule, thus, will require prior NRC approval pursuant to 10 CFR 50.90. 3.0 TECHNICAL EVALUATION 3.1 Licensee's Requested Change On July 29, 2011, the NRC issued Amendment No. 166 to Renewed FOL DPR-22 for MNGP, and Amendments Nos. 202 and 189 to Renewed FOLs DPR-42 and DPR-60 for PINGP, Units 1 and 2. The NRC staff also approved the licensee's CSP implementation schedule, as discussed in the safety evaluation issued with the amendments. The implementation schedule had been submitted by the licensee based on a template prepared by the Nuclear Energy Institute (NEI) (ADAMS Accession No. ML 11 0600218), which the staff found acceptable for licensees to use in developing their CSP implementation schedules (ADAMS Accession No. ML 11 0070348). The licensee's proposed implementation schedule for the CSP identified completion dates and bases for the following eight milestones: 1) Establish the Cyber Security Assessment Team (CSAT); 2) Identify Critical Systems (CSs) and Critical Digital Assets (CDAs); | |||
-3 -3) Install a data diode device between lower level devices and higher level devices; 4) Implement the security control "Access Control For Portable And Mobile Devices"; 5) Implement observation and identification of obvious cyber related tampering to existing insider mitigation rounds; 6) Identify, document, and implement technical cyber security controls in accordance with "Mitigation of Vulnerabilities and Application of Cyber Security Controls" for CDAs that could adversely impact the design function of physical security target set equipment; 7) Perform ongoing monitoring and assessment activities for those target set CDAs whose security controls have been implemented; and 8) Fully implement the CSP. Currently, Milestone 8 of the NSPM CSP requires the licensee to fully implement the CSP by December 1, 2014. In its November 27, 2013, application, as supplemented by letter dated May 5, 2014, the licensee proposed to change the Milestone 8 completion date to December 1, 2016. The licensee's application addressed the eight criteria in the NRC's guidance memorandum dated October 24, 2013 (ADAMS Accession No. ML 13295A467). The licensee provided the following information pertinent to each of the criteria identified in the NRC guidance memorandum. 1) Identification of the specific requirement or requirements of the cyber security plan that the licensee needs additional time to implement. The licensee stated that the specific CSP requirement requiring additional time to implement is CSP Section 3.1.6, Mitigation of Vulnerabilities and Application of Cyber Security Controls. It also noted that most of the remaining actions require an outage for implementation. The licensee provided a list of additional activities required to implement the CSP requirements, such as resolution of NEI/NRC discussion on CDA scope/security controls, change management challenges, and implementation and training for all CSP required policies, procedures, and program enhancements 2) Detailed justification that describes the reason the licensee requires additional time to implement the specific requirement or requirements identified. The licensee stated it had a project team of 12 fulltime-equivalent (FTE) staff, including six FTE certified qualified cyber security professionals. It noted a large number of factors contributing to major challenges with full implementation of Milestone 8. These challenges included the following: | |||
* The large volume of effort associated with documentation of CDA assessment using deterministic process in CSP Section 3.1; and | |||
-4 -* The lack of clarity concerning interpretation of security controls including the deterministic methodology in the CSP which could lead to inconsistent implementation of security controls. The licensee provided detailed justification for additional time to fully implement the CSP per Section 3.1, as follows: | |||
* The likely scope changes concerning CDA identification and security controls resulting from ongoing discussions with NRC could require significant rework; | |||
* The CDA assessment work is resource intensive. For example, the licensee has identified approximately 2300 CDAs, a number much larger than the original 400-500 that were estimated, resulting in the licensee underestimating the level of effort necessary to address security controls; and the licensee needs to increase resources to address the magnitude of work involved in each CDA assessment; | |||
* Change management challenges and integration of cyber security controls is taking longer than expected due to impacts on the work control process and maintenance activities. For example, cyber security has proven challenging since it must be integrated into day-to-day plant operations, maintenance, engineering and procurement activities; | |||
* The site training needs and schedules are normally established up to a year in advance and have to be presented to, and approved by, the NSPM Training Review Boards. Cyber security training adds a new burden on training resources that was not fully understood when the new cyber-related processes and procedures were first being developed. NSPM initially underestimated the level of effort and coordination needed to meet the requirements of NSPM's systematic approach to training process. Cyber security training needs can be accommodated outside of normal training cycles, but this adds an unanticipated burden on training resources; and | |||
* Given the remaining amount of work needed to be completed by December 1, 2014, and the licensee's inability to find additional cyber security personnel with required nuclear industry background, the licensee is unable to meet the December 1, 2014 implementation date. 3) A proposed completion date for Milestone 8 consistent with the remaining scope of work to be conducted and the resources available. The licensee proposed a Milestone 8 completion date of December 1, 2016, and stated the revised Milestone 8 date will encompass additional refueling outages which will provide adequate time to plan and schedule the implementation of design changes identified as a result of the CDA assessments. The licensee further stated that the revised completion date will prevent costly rework, and that extending the Full Program Implementation date (Milestone 8) an additional two years allows the necessary time to fully integrate cyber controls into the plant processes, provide all the necessary training and change management, and reinforce behavior changes of the entire organization toward nuclear cyber security. | |||
-5 -4) An evaluation of the impact that the additional time to implement the requirements will have on the effectiveness of the licensee's overall cyber security program in the context of milestones already completed. The licensee indicated it was secure based on the cyber security implementation activities already completed. The licensee completed the implementation of interim milestones 1 through 7 as required by December 31, 2012. The licensee provided the activities completed in each of the Milestones 1 through 7. The completed activities provide a high degree of protection against cyber security attacks while the licensee implements the full program. The activities address significant cyber-attack vectors and applied controls to the most significant CDAs. The additional time required to complete Milestone 8 will not impact the over-all effectiveness of the cyber security plan. Considering the cyber security plan currently in place and the completed Milestones 1 through 7, the extended Milestone 8 date will allow for completion of the CDA assessments and any remediation from previous assessments. 5) A description of the licensee's methodology for prioritizing completion of work for critical digital assets associated with significant safety consequences and with reactivity effects in the balance of plant. The licensee stated that its methodology for prioritizing Milestone 8 activities is centered on considerations for safety, security, emergency preparedness (EP) and Balance of Plant (continuity of power) consequences. The methodology is based on depth, installed configuration of the CDA and susceptibility to the five commonly identified threat vectors. Prioritization for CDA assessment begins with safety related CDAs and continues through lower priority non-safety and EP CDAs. 6) A discussion of the licensee's cyber security program performance up to the date of the license amendment request. The licensee stated that milestone 1 through 7 activities provide a high degree of protection against cyber security related attacks. A focused self-assessment was conducted in June 2013 and recommendations for improvement were placed in the licensee's corrective action program (CAP). Finally, a Nuclear Oversight audit and Quality Assurance surveillances have concluded that the licensee has an effective program. 7) A discussion of cyber security issues pending in the licensee's corrective action program. The licensee provided examples of cyber security issues in its corrective action program. 8) A discussion of modifications completed to support the cyber security program and a discussion of pending cyber security modifications. | |||
-6 -The licensee provided a discussion of completed modifications and pending modifications. 3.2 NRC Staff Evaluation The NRC staff evaluated the licensee's application using the regulatory requirements and the guidance set forth above. The NRC staff's evaluation is set forth below. The licensee indicated that completion of the activities associated with the CSP, as described in Milestones 1 through 7 and completed prior to December 31, 2012, provide a high degree of protection to ensure that the most significant digital computer and communication systems and networks associated with safety, security, and EP systems are already protected against attacks. It detailed activities completed for each milestone and noted that several elements of Milestone 8 have already been implemented or will be implemented by the original Milestone 8 date of December 1, 2014. The licensee provided details about the completed milestones and elements. The NRC staff finds that the licensee's sites are more secure after implementation of Milestones 1 through 7 because the activities the licensee has completed mitigate the most significant cyber-attack vectors for the most significant CDAs. Therefore, the NRC has reasonable assurance that full implementation of the CSP by December 1, 2016 will provide adequate protection of the public health and safety and the common defense and security. The licensee stated that the scope of actions required to fully implement its CSP were not anticipated when the implementation schedule was originally determined. The staff recognizes that CDA assessment work is much more complex and resource intensive than originally anticipated, in part due to the NRC expanding the scope of the cyber security requirements to include balance of plant. As a result, the licensee has a large number of additional tasks not originally considered when developing its CSP implementation schedule. Accordingly, the NRC staff finds that the licensee's request for additional time to implement Milestone 8 is reasonable given the unanticipated complexity, volume, and scope of the remaining work required to fully implement its CSP. The licensee proposed a Milestone 8 completion date of December 1, 2016. The licensee stated that changing the completion date of Milestone 8 allows for one additional refueling outage to methodically plan, implement, and test the required additions or changes and allows those additions or changes that require a design change to be performed. The licensee stated its methodology for prioritizing Milestone 8 activities is centered on considerations for safety, security, emergency preparedness, and balance-of-plant (continuity of power) consequences. The methodology is based on defense-in-depth, installed configuration of the CDA and susceptibility to the five commonly identified threat vectors. Prioritization for CDA assessment begins with safety related CDAs and continues through lower priority non-safety and EP CDAs. The NRC staff finds that based on the large number of digital assets described above and the limited personnel with the appropriate expertise to perform these activities, the licensee's methodology for prioritizing work on CDAs is appropriate. The NRC staff further finds that the licensees request to delay final implementation of the CSP until December 1, 2016, is reasonable given the complexity of the remaining unanticipated work and need to perform certain work during the scheduled refueling outage. | |||
-7-3.3 Technical Evaluation Conclusion The NRC staff concludes that the licensee's request to delay full implementation of its CSP until December 1, 2016, is reasonable for the following reasons: (i) the licensee's implementation of Milestones 1 through 7 provide mitigation for significant cyber-attack vectors for the most significant CDAs as discussed in the staff evaluation above; (ii) the scope of the work required to come into full compliance with the CSP implementation schedule was much more complicated than anticipated and not reasonably foreseeable when the CSP implementation scheduled was originally developed; and (iii) the licensee has reasonably prioritized and scheduled the work required to come into full compliance with its CSP implementation schedule. 3.4 Revision to License Condition By letter dated November 27, 2013, as supplemented by letter dated May 5, 2014, the licensee proposed to modify Paragraph 2.C.3 of Renewed FOL No. DPR-22 for MNGP, and Paragraph 2.C.(3) of Renewed FOL Nos. DPR-42 and DPR-60 for PINGP, Unit Nos. 1 and 2, respectively, which provides a license condition to require the licensee to fully implement and maintain in effect all provisions of the Commissioned-approved CSP. The revised license condition in Paragraph 2.C.3 of Renewed Facility Operating License No. DPR-22 for MNGP would state: NSPM shall fully implement and maintain in effect all provisions of the Commission-approved Northern States Power Company -Minnesota (NSPM) Cyber Security Plan (CSP), including changes made pursuant to the authority of 10 CFR 50.90 and 10 CFR 50.54(p). The NSPM CSP was approved by License Amendment No. 166 and supplemented by License Amendment No. 186. The revised license condition in Paragraph 2.C.(3) of Renewed Facility Operating License No. DPR-42 for PINGP, Unit No. 1, would state: NSPM shall fully implement and maintain in effect all provisions of the Commission-approved Northern States Power Company -Minnesota (NSPM) Cyber Security Plan (CSP), including changes made pursuant to the authority of 10 CFR 50.90 and 10 CFR 50.54(p). The NSPM CSP was approved by License Amendment No. 202 and supplemented by License Amendment No. 212. The revised license condition in Paragraph 2.C.(3) of Renewed Facility Operating License No. DPR-60 for PINGP, Unit No.2, would state: NSPM shall fully implement and maintain in effect all provisions of the Commission-approved Northern States Power Company -Minnesota (NSPM) Cyber Security Plan (CSP), including changes made pursuant to the authority of 10 CFR 50.90 and 10 CFR 50.54{p). The NSPM CSP was approved by License Amendment No. 189 and supplemented by License Amendment No. 200. Based on its review of the information in Section 3.0 of this safety evaluation and the modified license condition described above, the NRC staff concludes the proposed change is acceptable. | |||
-8-4.0 STATE CONSULTATION In accordance with the Commission's regulations, the Minnesota State official was notified of the proposed issuance of the amendment. The State official had no comments. 5.0 ENVIRONMENTAL CONSIDERATION These are amendments of 10 CFR Part 50 licenses that relate solely to safeguards matters, do not involve any significant construction impacts. These amendments are administrative changes to extend the date by which the licensee must have its cyber security plan fully implemented. Accordingly, these amendments meet the eligibility criteria for categorical exclusion set forth in 10 CFR 51.22(c)(12}. Pursuant to 10 CFR 51.22{b), no environmental impact statement or environmental assessment need be prepared in connection with the issuance of the amendments. 6.0 CONCLUSION The NRC staff has concluded, based on the considerations discussed above, that: {1) there is reasonable assurance that the health and safety of the public will not be endangered by operation in the proposed manner; (2) there is reasonable assurance that such activities will be conducted in compliance with the Commission's regulations; and (3) the issuance of the amendments will not be inimical to the common defense and security or to the health and safety of the public. Principal Contributor: John Rycyna, NSIR Date: November 28, 2014 K. Fili, et al. -2-A copy of our related safety evaluation is also enclosed. The Notice of Issuance will be included in the Commission's biweekly Federal Register notice. Docket Nos. 50-263, 50-282, and 50-306 | |||
===Enclosures:=== | |||
5. Amendment No. 186 to DPR-22 6. Amendment No. 212 to DPR-42 7. Amendment No. 200 to DPR-60 8. Safety Evaluation cc: Distribution via Listserv DISTRIBUTION: PUBLIC LPL3-1 r/f RidsNrrDorllpl3-1 Resource RidsRgn3MaiiCenter Resource RidsNrrPMPrairielsland Resource RidsNrrLAMHenderson Resource RidsOgcRp Resource RidsNrrPMMonticello Resource RidsNrrDoriDpr Resource RidsNsirDsp Resource RidsAcrsAcnw_MaiiCTR Resource RidsNrrDssStsb Resource J.Rycyna, NSIR ADAMS Accession No | |||
* ML 14239A257 .. | |||
Sincerely,IRA/ Scott P. Wall, Senior Project Manager Plant Licensing Branch 111-1 Division of Operating Reactor Licensing Office of Nuclear Reactor Regulation *via email dated 11/25/14 OFFICE NRR/DORL/LPL3-1 /PM NRR/DORL/LPL3-1 /PM N RR/DORL/LPL3-1 /LA NSIR/CSD/D NAME SWall TBeltz MHenderson RFelts DATE 10/22/2014 11/3/2014 10/27/2014 11/10/2014 OFFICE OGC* NRR/DORL/LPL3-1/PM NRR/DORL/LPL3-1 /PM NAME NStAmour DPelton SWall DATE 11/25/2014 11/28/2014 11/28/2014 OFFICIAL RECORD COPY}} |
Revision as of 17:37, 15 March 2018
ML14239A257 | |
Person / Time | |
---|---|
Site: | Monticello, Prairie Island |
Issue date: | 11/28/2014 |
From: | Wall S P Plant Licensing Branch III |
To: | Davison K K, Fili K D Northern States Power Co |
Scott Wall, NRR/DORL | |
References | |
TAC MF3165, TAC MF3166, TAC MF3167 | |
Download: ML14239A257 (26) | |
Text
Karen D. Fili Site Vice President Monticello Nuclear Generating Plant Northern States Power Company -Minnesota 2807 West County Road 75 Monticello, MN 55362-9637 November 28, 2014 Mr. Kevin Site Vice President Prairie Island Nuclear Generating Plant Northern States Power Company -Minnesota 1717 Wakonade Drive East Welch, MN 55089
SUBJECT: MONTICELLO NUCLEAR GENERATING PLANT, AND PRAIRIE ISLAND NUCLEAR GENERATING PLANT, UNITS 1 AND 2 -ISSUANCE OF LICENSE AMENDMENTS REGARDING CYBER SECURITY PLAN IMPLEMENTATION SCHEDULE MILESTONES (TAC NOS. MF3165, MF3166, AND MF3167)
Dear Ms. Fili and Mr. Davison:
The U.S. Nuclear Regulatory Commission (NRC) has issued the enclosed Amendment Nos. 186, 212, and 200, to Renewed Facility Operating License Nos. DPR-22, DPR-42, and DPR-60 for the Monticello Nuclear Generating Plant (MNGP), and Prairie Island Nuclear Generating Plant (PINGP), Units 1 and 2, respectively. The amendments consist of changes to the facility operating licenses in response to your application dated November 27, 2013, as supplemented by letter dated May 5, 2014. The amendments revise the date of the Cyber Security Plan (CSP) Implementation Milestone 8 to December 1, 2016, and the existing operating license Physical Protection license condition regarding full implementation of the CSP.
K. Fili, et al. -2-A copy of our related safety evaluation is also enclosed. The Notice of Issuance will be included in the Commission's biweekly Federal Register notice. Docket Nos. 50-263, 50-282, and 50-306
Enclosures:
1. Amendment No. 186 to DPR-22 2. Amendment No. 212 to DPR-42 3. Amendment No. 200 to DPR-60 4. Safety Evaluation cc: Distribution via Listserv
Sincerely,Scott P. Wall, Senior Project Manager Plant Licensing Branch 111-1 Division of Operating Reactor Licensing Office of Nuclear Reactor Regulation NORTHERN STATES POWER COMPANY-MINNESOTA DOCKET NO. 50-263 MONTICELLO NUCLEAR GENERATING PLANT AMENDMENT TO RENEWED FACILITY OPERATING LICENSE Amendment No. 186 Renewed License No. DPR-22 1. The Nuclear Regulatory Commission (the Commission) has found that: A. The application for amendment by Northern States Power Company -Minnesota (NSPM, the licensee), dated November 27, 2013, as supplemented by letter dated May 5, 2014, complies with the standards and requirements of the Atomic Energy Act of 1954, as amended (the Act), and the Commission's rules and regulations set forth in Title 10 of the Code of Federal Regulations (1 0 CFR) Chapter I; B. The facility will operate in conformity with the application, the provisions of the Act, and the rules and regulations of the Commission; C. There is reasonable assurance (i) that the activities authorized by this amendment can be conducted without endangering the health and safety of the public, and (ii) that such activities will be conducted in compliance with the Commission's regulations; D. The issuance of this amendment will not be inimical to the common defense and security or to the health and safety of the public; and E. The issuance of this amendment is in accordance with 10 CFR Part 51 of the Commission's regulations and all applicable requirements have been satisfied. 2. Accordingly, the license is amended by changes to paragraphs 2.C.2 and 2.C.3 of Renewed Facility Operating License No. DPR-22. Paragraph 2.C.2 is hereby amended to read as follows: Technical Specifications The Technical Specifications contained in Appendix A, as revised through Amendment No. 186, are hereby incorporated in the license. NSPM shall operate the facility in accordance with the Technical Specifications. Enclosure 1
-2 -Paragraph 2.C.3 is hereby amended to read as follows: NSPM shall fully implement and maintain in effect all provisions of the Commission-approved Northern States Power Company-Minnesota (NSPM) Cyber Security Plan (CSP), including changes made pursuant to the authority of 10 CFR 50.90 and 10 CFR 50.54(p). The NSPM CSP was approved by License Amendment No. 166 and supplemented by a License Amendment No. 186. 3. This license amendment is effective as of its date of issuance and shall be implemented within 90 days from the date of issuance.
Attachment:
Changes to the Renewed Facility Operating License No. DPR-22 Davi L. Pelton, Chief Plant Licensing Branch 111-1 Division of Operating Reactor Licensing Office of Nuclear Reactor Regulation Date of Issuance: November 28, 2014 ATTACHMENT TO LICENSE AMENDMENT NO. 186 RENEWED FACILITY OPERATING LICENSE NO. DPR-22 DOCKET NO. 50-263 Replace the following pages of Renewed Facility Operating License DPR-22 with the attached revised pages. The revised pages are identified by amendment number and contain marginal lines indicating the area of change. Remove Pages 3 4 Insert Pages 3 4
-3-2. Pursuant to the Act and 10 CFR Part 70, NSPM to receive, possess, and use at any time special nuclear material as reactor fuel, in accordance with the limitations for storage and amounts required for reactor operations, as described in the Final Safety Analysis Report, as supplemented and amended, and the licensee's filings dated August 16, 1974 (those portions dealing with handling of reactor fuel); 3. Pursuant to the Act and 10 CFR Parts 30, 40 and 70, NSPM to receive, possess, and use at any time any byproduct, source and special nuclear material as sealed neutron sources for reactor startup, sealed sources for reactor instrumentation and radiation monitoring equipment calibration, and as fission detectors in amounts as required; 4. Pursuant to the Act and 10 CFR Parts 30, 40 and 70, NSPM to receive, possess, and use in amounts as required any byproduct, source or special nuclear material without restriction to chemical or physical form, for sample analysis or instrument calibration or associated with radioactive apparatus or components; and 5. Pursuant to the Act and 10 CFR Parts 30 and 70, NSPM to possess, but not separate, such byproduct and special nuclear material as may be produced by operation of the facility. C This renewed operating license shall be deemed to contain and is subject to the conditions specified in the Commission's regulations in 10 CFR Chapter I and is subject to all applicable provisions of the Act and to the rules, regulations, and orders of the Commission, now or hereafter in effect; and is subject to the additional conditions specified or incorporated below: 1 . Maximum Power Level NSPM is authorized to operate the facility at steady state reactor core power levels not in excess of 2004 megawatts (thermal). 2. Technical Specifications The Technical Specifications contained in Appendix A, as revised through Amendment No. 186 are hereby incorporated in the license. NSPM shall operate the facility in accordance with the Technical Specifications. 3. Physical Protection NSPM shall implement and maintain in effect all provisions of the Commission--approved physical security, guard training and qualification, and safeguards contingency plans including amendments made pursuant to provisions of the Miscellaneous Amendments and Search Renewed License No. DPR-22 Amendment No. -1--tAfl:l 186
-4-Requirements revisions to 10 CFR 73.55 (51 FR 27817 and 27822) and to the authority of 10 CFR 50.90 and 10 CFR 50.54(p)(2). The combined set of plans which contain Safeguards Information protected under 10 CFR 73.21, are entitled: "Monticello Nuclear Generating Plant Physical Security, Training and Qualification, and Safeguards Contingency Plan," with revisions submitted through May 12, 2006. NSPM shall fully implement and maintain in effect all provisions of the Commission-approved Northern States Power Company -Minnesota (NSPM) Cyber Security Plan (CSP), including changes made pursuant to the authority of 10 CFR 50.90 and 10 CFR 50.54(p). The NSPM CSP was approved by License Amendment No. 166 and supplemented by License Amendment No. 186. 4. Fire Protection NSPM shall implement and maintain in effect all provisions of the approved fire protection program as described in the Updated Safety Analysis Report for the facility and as approved in the SER dated August 29, 1979, and supplements dated February 12, 1981 and October 2, 1985, subject to the following provision: NSPM may make changes to the approved fire protection program without prior approval of the Commission only if those changes would not adversely affect the ability to achieve and maintain safe shutdown in the event of a fire. 5. Emergency Preparedness Plan NSPM shall follow and maintain in effect emergency plans which meet the standards of 10 CFR 50.47(b) and the requirements in 10 CFR 50, Appendix E, including amendments and changes made pursuant to the authority of 10 CFR 50.54(q). The licensee shall meet the requirements of 10 CFR 50.54(s), 50.54(t), and 50.54(u). 6. TMI Action Plan NSPM has satisfactorily met all TMI-2 Lessons Learned Category "A" requirements applicable to the facility. NSPM shall make a timely submittal in response to the letter dated October 31, 1980 regarding TMI requirements from Darrell G. Eisenhut, Director, Division of Licensing, Office of Nuclear Reactor Regulation to All Licensees of Operating Plants and Applicants for Operating Licenses and Holders of Construction Permits (NUREG-0737). 7. Repairs to the Recirculation System Piping The repairs to the recirculation system piping are approved and the unit is hereby authorized to return to power operation, subject to the following condition: Prior to the startup of Cycle 11 , NSPM shall submit by August 1 , 1983 for the Commission's review and approval, a program for inspection and/or modification of the recirculation system piping. Renewed License No. DPR-22 Amendment No. 166, 175, 186 NORTHERN STATES POWER COMPANY-MINNESOTA DOCKET NO. 50-282 PRAIRIE ISLAND NUCLEAR GENERATING PLANT, UNIT 1 AMENDMENT TO RENEWED FACILITY OPERATING LICENSE Amendment No. 212 Renewed License No. DPR-42 1. The Nuclear Regulatory Commission (the Commission) has found that: A. The application for amendment by Northern States Power Company -Minnesota (NSPM, the licensee), dated November 27, 2013, as supplemented by letter dated May 5, 2014, complies with the standards and requirements of the Atomic Energy Act of 1954, as amended (the Act), and the Commission's rules and regulations set forth in Title 10 of the Code of Federal Regulations (1 0 CFR) Chapter I; B. The facility will operate in conformity with the application, the provisions of the Act, and the rules and regulations of the Commission; C. There is reasonable assurance (i) that the activities authorized by this amendment can be conducted without endangering the health and safety of the public, and (ii) that such activities will be conducted in compliance with the Commission's regulations; D. The issuance of this amendment will not be inimical to the common defense and security or to the health and safety of the public; and E. The issuance of this amendment is in accordance with 10 CFR Part 51 of the Commission's regulations and all applicable requirements have been satisfied. 2. Accordingly, the license is amended by changes to paragraphs 2.C.(2) and 2.C.(3) of Renewed Facility Operating License No. DPR-42. Paragraph 2.C.(2) is hereby amended to read as follows: Technical Specifications The Technical Specifications contained in Appendix A, as revised through Amendment No. 212, are hereby incorporated in the license. NSPM shall operate the facility in accordance with the Technical Specifications. Enclosure 2
-2-Paragraph 2.C.(3) is hereby amended to read as follows: NSPM shall fully implement and maintain in effect all provisions of the Commission-approved Northern States Power Company -Minnesota (NSPM) Cyber Security Plan (CSP), including changes made pursuant to the authority of 10 CFR 50.90 and 10 CFR 50.54(p). The NSPM CSP was approved by License Amendment No. 202 and supplemented by a License Amendment No. 212. 3. This license amendment is effective as its date of issuance and shall be implemented within 90 days from the date of issuance.
Attachment:
Changes to the Renewed Facility Operating License No. DPR-42 FOR THE NUCLEAR REGULATORY COMMISSION ____ __ Plant Licensing Branch 111-1 Division of Operating Reactor Licensing Office of Nuclear Reactor Regulation Date of Issuance: November 28, 2014 ATTACHMENT TO LICENSE AMENDMENT NO. 212 RENEWED FACILITY OPERATING LICENSE NO. DPR-42 DOCKET NO. 50-282 Replace the following pages of Renewed Facility Operating License No. DPR-42 with the attached revised pages. The revised page is identified by amendment number and contains a marginal line indicating the area of change. Remove Pages 3 4 Insert Pages 3 4
-3 -(3) Pursuant to the Act and 10 CFR Parts 30, 40 and 70, NSPM to receive, possess, and use at any time any byproduct, source and special nuclear material as sealed neutron sources for reactor startup, sealed sources for reactor instrumentation and radiation monitoring equipment calibration, and as fission detectors in amounts as required; (4) Pursuant to the Act and 10 CFR Parts 30, 40, and 70, NSPM to receive, possess and use in amounts as required any byproduct, source or special nuclear material without restriction to chemical or physical form, for sample analysis or instrument and equipment calibration or associated with radioactive apparatus or components; (5) Pursuant to the Act and 10 CFR Parts 30 and 70, NSPM to possess but not separate, such byproduct and special nuclear materials as may be produced by the operation of the facility; (6) Pursuant to the Act and 10 CFR Parts 30 and 70, NSPM to transfer byproduct materials from other job sites owned by NSPM for the purpose of volume reduction and decontamination. C. This renewed operating license shall be deemed to contain and is subject to the conditions specified in the following Commission regulations in 10 CFR Chapter 1: Part 20, Section 30.34 of Part 30, Sections 50.54 and 50.59 of Part 50, and Section 70.32 of Part 70; is subject to all applicable provisions of the Act and to the rules, regulations, and orders of the Commission now or hereafter in effect; and is subject to the additional conditions specified or incorporated below: (1) Maximum Power Level NSPM is authorized to operate the facility at steady state reactor core power levels not in excess of 1677 megawatts thermal. (2) Technical Specifications The Technical Specifications contained in Appendix A, as revised through Amendment No. 212, are hereby incorporated in the renewed operating license. NSPM shall operate the facility in accordance with the Technical Specifications. (3) Physical Protection NSPM shall fully implement and maintain in effect all provisions of the Commission-approved physical security, guard training and qualification, and safeguards contingency plans including amendments made pursuant to provisions of the Miscellaneous Amendments and Search Requirements revisions to 10 CFR 73.55 (51 FR 27817 and 27822) and to the authority of 10 CFR 50.90 and 10 CFR 50.54(p). The combined set of plans, which contains Renewed Operating License No. DPR-42 Amendment No. 212 I
-4 -Safeguards Information protected under 10 CFR 73.21, is entitled: "Prairie Island Nuclear Generating Plant Security Plan, Training and Qualification Plan, Safeguards Contingency Plan, and Independent Spent Fuel Storage Installation Security Program," submitted by letters dated October 18, 2006 and January 10, 2007, and as supplemented by letters dated March 18 and June 2, 2011, and approved by NRC Safety Evaluation dated August 16, 2011. NSPM shall fully implement and maintain in effect all provisions of the Commission-approved Northern States Power Company -Minnesota (NSPM) Cyber Security Plan (CSP), including changes made pursuant to the authority of 10 CFR 50.90 and 10 CFR 50.54(p). The NSPM CSP was approved by License Amendment No. 202 and supplemented by License Amendment No. 212. (4) Fire Protection NSPM shall implement and maintain in effect all provisions of the approved fire protection program as described and referenced in the Updated Safety Analysis Report for the Prairie Island Nuclear Generating Plant, Units 1 and 2, and as approved in Safety Evaluation Reports dated February 14, 1978, September 6, 1979, April 21, 1980, December 29, 1980, July 28, 1981, October 27, 1989, and October 6, 1995, subject to the following provision: NSPM may make changes to the approved Fire Protection Program without prior approval of the Commission only if those changes would not adversely affect the ability to achieve and maintain safe shutdown in the event of a fire. (5) Additional Conditions The Additional Conditions contained in Appendix B, as revised through Amendment No. 206, are hereby incorporated into this license. NSPM shall operate the facility in accordance with the Additional Conditions. (6) Mitigation Strategy License Condition Develop and maintain strategies for addressing large fires and explosions and that include the following key areas: (a) Fire fighting response strategy with the following elements: 1. Pre-defined coordinated fire response strategy and guidance 2. Assessment of mutual aid fire fighting assets 3. Designated staging areas for equipment and materials 4. Command and control 5. Training of response personnel Renewed Operating License No. DPR-42 Amendment No. 212 I NORTHERN STATES POWER COMPANY-MINNESOTA DOCKET NO. 50-306 PRAIRIE ISLAND NUCLEAR GENERATING PLANT, UNIT 2 AMENDMENT TO RENEWED FACILITY OPERATING LICENSE Amendment No. 200 Renewed License No. DPR-60 1. The Nuclear Regulatory Commission (the Commission) has found that: A. The application for amendment by Northern States Power Company -Minnesota (NSPM, the licensee), dated November 27, 2013, as supplemented by letter dated May 5, 2014, complies with the standards and requirements of the Atomic Energy Act of 1954, as amended (the Act), and the Commission's rules and regulations set forth in Title 10 of the Code of Federal Regulations (1 0 CFR) Chapter I; B. The facility will operate in conformity with the application, the provisions of the Act, and the rules and regulations of the Commission; C. There is reasonable assurance (i) that the activities authorized by this amendment can be conducted without endangering the health and safety of the public, and (ii) that such activities will be conducted in compliance with the Commission's regulations; D. The issuance of this amendment will not be inimical to the common defense and security or to the health and safety of the public; and E. The issuance of this amendment is in accordance with 10 CFR Part 51 of the Commission's regulations and all applicable requirements have been satisfied. 2. Accordingly, the license is amended by changes to paragraphs 2.C.(2) and 2.C.(3) of Renewed Facility Operating License No. DPR-60. Paragraph 2.C.(2) is hereby amended to read as follows: Technical Specifications The Technical Specifications contained in Appendix A, as revised through Amendment No. 200, are hereby incorporated in the license. NSPM shall operate the facility in accordance with the Technical Specifications. Enclosure 3
-2 -Paragraph 2.C.(3) is hereby amended to read as follows: NSPM shall fully implement and maintain in effect all provisions of the Commission-approved Northern States Power Company-Minnesota (NSPM) Cyber Security Plan (CSP), including changes made pursuant to the authority of 10 CFR 50.90 and 10 CFR 50.54(p). The NSPM CSP was approved by License Amendment No. 189 and supplemented by a License Amendment No. 200. 3. This license amendment is effective as of its date of issuance and shall be implemented within 90 days from the date of issuance.
Attachment:
Changes to the Renewed Facility Operating License No. DPR-60 FOR THE NUCLEAR REGULATORY COMMISSION Da . Pe on, Chief Plant Licensing Branch 111-1 Division of Operating Reactor Licensing Office of Nuclear Reactor Regulation Date of Issuance: November 28, 2014 ATTACHMENT TO LICENSE AMENDMENT NO. 200 RENEWED FACILITY OPERATING LICENSE NO. DPR-60 DOCKET NO. 50-306 Replace the following pages of Renewed Facility Operating License No. DPR-60 with the attached revised pages. The revised pages are identified by amendment number and contain marginal lines indicating the area of change. Remove Pages 3 4 Insert Pages 3 4
-3 -(3) Pursuant to the Act and 10 CFR Parts 30, 40 and 70, NSPM to receive, possess, and use at any time any byproduct, source and special nuclear material as sealed neutron sources for reactor startup, sealed sources for reactor instrumentation and radiation monitoring equipment calibration, and as fission detectors in amounts as required; (4) Pursuant to the Act and 10 CFR Parts 30, 40, and 70, NSPM to receive, possess and use in amounts as required any byproduct, source or special nuclear material without restriction to chemical or physical form, for sample analysis or instrument and equipment calibration or associated with radioactive apparatus or components; (5) Pursuant to the Act and 10 CFR Parts 30 and 70, NSPM to possess but not separate, such byproduct and special nuclear materials as may be produced by the operation of the facility; (6) Pursuant to the Act and 10 CFR Parts 30 and 70, NSPM to transfer byproduct materials from other job sites owned by NSPM for the purpose of volume reduction and decontamination. C. This renewed operating license shall be deemed to contain and is subject to the conditions specified in the following Commission regulations in 10 CFR Chapter 1: Part 20, Section 30.34 of Part 30, Sections 50.54 and 50.59 of Part 50, and Section 70.32 of Part 70; is subject to all applicable provisions of the Act and to the rules, regulations, and orders of the Commission now or hereafter in effect; and is subject to the additional conditions specified or incorporated below: (1) Maximum Power Level NSPM is authorized to operate the facility at steady state reactor core power levels not in excess of 1677 megawatts thermal. (2) Technical Specifications The Technical Specifications contained in Appendix A, as revised through Amendment No. 200, are hereby incorporated in the renewed operating license. NSPM shall operate the facility in accordance with the Technical Specifications. (3) Physical Protection NSPM shall fully implement and maintain in effect all provisions of the Commission-approved physical security, guard training and qualification, and safeguards contingency plans including amendments made pursuant to provisions of the Miscellaneous Amendments and Search Requirements revisions to 10 CFR 73.55 (51 FR 27817 and 27822) and to the authority of 10 CFR 50.90 and 10 CFR 50.54(p). The combined set of plans, which contains Renewed Operating License No. DPR-60 Amendment No. 200 I
-4 -Safeguards Information protected under 10 CFR 73.21, is entitled: "Prairie Island Nuclear Generating Plant Security Plan, Training and Qualification Plan, Safeguards Contingency Plan, and Independent Spent Fuel Storage Installation Security Program," submitted by letters dated October 18, 2006 and January 10, 2007, and as supplemented by letters dated March 18 and June 2, 2011, and approved by NRC Safety Evaluation dated August 16, 2011. NSPM shall fully implement and maintain in effect all provisions of the Commission-approved Northern States Power Company -Minnesota (NSPM) Cyber Security Plan (CSP), including changes made pursuant to the authority of 10 CFR 50.90 and 10 CFR 50.54(p). The NSPM CSP was approved by License Amendment No. 189 and supplemented by License Amendment No. 200. (4) Fire Protection NSPM shall implement and maintain in effect all provisions of the approved fire protection program as described and referenced in the Updated Safety Analysis Report for the Prairie Island Nuclear Generating Plant, Units 1 and 2, and as approved in Safety Evaluation Reports dated February 14, 1978, September 6, 1979, April 21, 1980, December 29, 1980, July 28, 1981, October 27, 1989, and October 6, 1995, subject to the following provision: NSPM may make changes to the approved Fire Protection Program without prior approval of the Commission only if those changes would not adversely affect the ability to achieve and maintain safe shutdown in the event of a fire. (5) Additional Conditions The Additional Conditions contained in Appendix B, as revised through Amendment No. 193, are hereby incorporated into this license. NSPM shall operate the facility in accordance with the Additional Conditions. (6) Mitigation Strategy License Condition Develop and maintain strategies for addressing large fires and explosions and that include the following key areas: (a) Fire fighting response strategy with the following elements: 1. Pre-defined coordinated fire response strategy and guidance 2. Assessment of mutual aid fire fighting assets 3. Designated staging areas for equipment and materials 4. Command and control 5. Training of response personnel (b) Operations to mitigate fuel damage considering the following: 1. Protection and use of personnel assets 2. Communications 3. Minimizing fire spread 4. Procedures for implementing integrated fire response strategy 5. Identification of readily-available pre-staged equipment 6. Training on integrated fire response strategy 7. Spent fuel pool mitigation measures Renewed Operating License No. DPR-60 Amendment No. 200 I SAFETY EVALUATION BY THE OFFICE OF NUCLEAR REACTOR REGULATION RELATED TO AMENDMENT NO. 186 TO RENEWED FACILITY OPERATING LICENSE NO. DPR-22 AND AMENDMENT NO. 212 TO RENEWED FACILITY OPERATING LICENSE NO. DPR-42 AND AMENDMENT NO. 200 TO RENEWED FACILITY OPERATING LICENSE NO. DPR-60 NORTHERN STATES POWER COMPANY-MINNESOTA MONTICELLO NUCLEAR GENERATING PLANT AND PRAIRIE ISLAND NUCLEAR GENERATING PLANT, UNITS 1 AND 2 DOCKET NOS. 50-263, 50-282 AND 50-306 1.0 INTRODUCTION By application dated November 27, 2013 (Agencywide Documents Access and Management System (ADAMS) Accession No. ML 13333B674), as supplemented by letter dated May 5, 2014 (ADAMS Accession No. ML 14126A727), Northern States Power Company-Minnesota (NSPM, the licensee), doing business as Xcel Energy, Inc., submitted a request to amend Renewed Facility Operating License (FOL) Nos. DPR-22, DPR-42, and DPR-60, for the Monticello Nuclear Generating Plant (MNGP) and Prairie Island Nuclear Generating Plant (PINGP), Units 1 and 2, respectively. The proposed change would revise the date of Cyber Security Plan (CSP) Implementation Schedule Milestone 8 and the existing license condition in the FOLs. Milestone 8 of the CSP implementation schedule concerns the full implementation of the CSP. Portions of letters dated November 27, 2013, and May 5, 2014, contain sensitive unclassified non-safeguards information and those portions are withheld from public disclosure in accordance with the provisions of section 2.390(d)(1) of Title 10 of the Code of Federal Regulations (CFR). 2.0 REGULATORY EVALUATION The U.S. Nuclear Regulatory Commission (NRC) staff approved the existing CSP Implementation Schedule for MNGP by Amendment No. 166, and for PINGP, Units 1 and 2, by Amendment Nos. 202 and 189, in letters dated July 29, 2011 (ADAMS Accession Enclosure 4
-2 -Nos. ML 11186A992 and ML 11187A231, respectively), concurrent with the incorporation of the CSP into the facilities' current licensing bases. The NRC staff considered the following regulatory requirements and guidance in its review of the current license amendment requests to modify the existing CSP implementation schedule:
- 1 0 CFR 73.54, "Protection of digital computer and communication systems and networks," states: "Each [CSP] submittal must include a proposed implementation schedule. Implementation of the licensee's cyber security program must be consistent with the approved schedule."
- The licensees' FOLs include a license condition that requires the licensees to fully implement and maintain in effect all provisions of the Commission-approved CSP.
- In a publicly-available NRC memorandum dated October 24, 2013 (ADAMS Accession No. ML 13295A467), the NRC staff listed 8 criteria that it would consider during its evaluations of licensees' requests to postpone their cyber security programs implementation dates (commonly known as Milestone 8). The NRC staff does not regard the CSP milestone implementation dates as regulatory commitments that can be changed unilaterally by the licensee, particularly in light of the regulatory requirement at 10 CFR 73.54, that "[i]mplementation of the licensee's cyber security program must be consistent with the approved schedule." As the staff explained in its letter to all operating reactor licensees dated May 9, 2011 (ADAMS Accession No. ML 11 0980538), implementation of the plan, including the key intermediate milestone dates and full implementation date, shall be in accordance with the implementation schedule submitted by the licensee and approved by the NRC. All subsequent changes to the NRC-approved CSP implementation schedule, thus, will require prior NRC approval pursuant to 10 CFR 50.90. 3.0 TECHNICAL EVALUATION 3.1 Licensee's Requested Change On July 29, 2011, the NRC issued Amendment No. 166 to Renewed FOL DPR-22 for MNGP, and Amendments Nos. 202 and 189 to Renewed FOLs DPR-42 and DPR-60 for PINGP, Units 1 and 2. The NRC staff also approved the licensee's CSP implementation schedule, as discussed in the safety evaluation issued with the amendments. The implementation schedule had been submitted by the licensee based on a template prepared by the Nuclear Energy Institute (NEI) (ADAMS Accession No. ML 11 0600218), which the staff found acceptable for licensees to use in developing their CSP implementation schedules (ADAMS Accession No. ML 11 0070348). The licensee's proposed implementation schedule for the CSP identified completion dates and bases for the following eight milestones: 1) Establish the Cyber Security Assessment Team (CSAT); 2) Identify Critical Systems (CSs) and Critical Digital Assets (CDAs);
-3 -3) Install a data diode device between lower level devices and higher level devices; 4) Implement the security control "Access Control For Portable And Mobile Devices"; 5) Implement observation and identification of obvious cyber related tampering to existing insider mitigation rounds; 6) Identify, document, and implement technical cyber security controls in accordance with "Mitigation of Vulnerabilities and Application of Cyber Security Controls" for CDAs that could adversely impact the design function of physical security target set equipment; 7) Perform ongoing monitoring and assessment activities for those target set CDAs whose security controls have been implemented; and 8) Fully implement the CSP. Currently, Milestone 8 of the NSPM CSP requires the licensee to fully implement the CSP by December 1, 2014. In its November 27, 2013, application, as supplemented by letter dated May 5, 2014, the licensee proposed to change the Milestone 8 completion date to December 1, 2016. The licensee's application addressed the eight criteria in the NRC's guidance memorandum dated October 24, 2013 (ADAMS Accession No. ML 13295A467). The licensee provided the following information pertinent to each of the criteria identified in the NRC guidance memorandum. 1) Identification of the specific requirement or requirements of the cyber security plan that the licensee needs additional time to implement. The licensee stated that the specific CSP requirement requiring additional time to implement is CSP Section 3.1.6, Mitigation of Vulnerabilities and Application of Cyber Security Controls. It also noted that most of the remaining actions require an outage for implementation. The licensee provided a list of additional activities required to implement the CSP requirements, such as resolution of NEI/NRC discussion on CDA scope/security controls, change management challenges, and implementation and training for all CSP required policies, procedures, and program enhancements 2) Detailed justification that describes the reason the licensee requires additional time to implement the specific requirement or requirements identified. The licensee stated it had a project team of 12 fulltime-equivalent (FTE) staff, including six FTE certified qualified cyber security professionals. It noted a large number of factors contributing to major challenges with full implementation of Milestone 8. These challenges included the following:
- The large volume of effort associated with documentation of CDA assessment using deterministic process in CSP Section 3.1; and
-4 -* The lack of clarity concerning interpretation of security controls including the deterministic methodology in the CSP which could lead to inconsistent implementation of security controls. The licensee provided detailed justification for additional time to fully implement the CSP per Section 3.1, as follows:
- The likely scope changes concerning CDA identification and security controls resulting from ongoing discussions with NRC could require significant rework;
- The CDA assessment work is resource intensive. For example, the licensee has identified approximately 2300 CDAs, a number much larger than the original 400-500 that were estimated, resulting in the licensee underestimating the level of effort necessary to address security controls; and the licensee needs to increase resources to address the magnitude of work involved in each CDA assessment;
- Change management challenges and integration of cyber security controls is taking longer than expected due to impacts on the work control process and maintenance activities. For example, cyber security has proven challenging since it must be integrated into day-to-day plant operations, maintenance, engineering and procurement activities;
- The site training needs and schedules are normally established up to a year in advance and have to be presented to, and approved by, the NSPM Training Review Boards. Cyber security training adds a new burden on training resources that was not fully understood when the new cyber-related processes and procedures were first being developed. NSPM initially underestimated the level of effort and coordination needed to meet the requirements of NSPM's systematic approach to training process. Cyber security training needs can be accommodated outside of normal training cycles, but this adds an unanticipated burden on training resources; and
- Given the remaining amount of work needed to be completed by December 1, 2014, and the licensee's inability to find additional cyber security personnel with required nuclear industry background, the licensee is unable to meet the December 1, 2014 implementation date. 3) A proposed completion date for Milestone 8 consistent with the remaining scope of work to be conducted and the resources available. The licensee proposed a Milestone 8 completion date of December 1, 2016, and stated the revised Milestone 8 date will encompass additional refueling outages which will provide adequate time to plan and schedule the implementation of design changes identified as a result of the CDA assessments. The licensee further stated that the revised completion date will prevent costly rework, and that extending the Full Program Implementation date (Milestone 8) an additional two years allows the necessary time to fully integrate cyber controls into the plant processes, provide all the necessary training and change management, and reinforce behavior changes of the entire organization toward nuclear cyber security.
-5 -4) An evaluation of the impact that the additional time to implement the requirements will have on the effectiveness of the licensee's overall cyber security program in the context of milestones already completed. The licensee indicated it was secure based on the cyber security implementation activities already completed. The licensee completed the implementation of interim milestones 1 through 7 as required by December 31, 2012. The licensee provided the activities completed in each of the Milestones 1 through 7. The completed activities provide a high degree of protection against cyber security attacks while the licensee implements the full program. The activities address significant cyber-attack vectors and applied controls to the most significant CDAs. The additional time required to complete Milestone 8 will not impact the over-all effectiveness of the cyber security plan. Considering the cyber security plan currently in place and the completed Milestones 1 through 7, the extended Milestone 8 date will allow for completion of the CDA assessments and any remediation from previous assessments. 5) A description of the licensee's methodology for prioritizing completion of work for critical digital assets associated with significant safety consequences and with reactivity effects in the balance of plant. The licensee stated that its methodology for prioritizing Milestone 8 activities is centered on considerations for safety, security, emergency preparedness (EP) and Balance of Plant (continuity of power) consequences. The methodology is based on depth, installed configuration of the CDA and susceptibility to the five commonly identified threat vectors. Prioritization for CDA assessment begins with safety related CDAs and continues through lower priority non-safety and EP CDAs. 6) A discussion of the licensee's cyber security program performance up to the date of the license amendment request. The licensee stated that milestone 1 through 7 activities provide a high degree of protection against cyber security related attacks. A focused self-assessment was conducted in June 2013 and recommendations for improvement were placed in the licensee's corrective action program (CAP). Finally, a Nuclear Oversight audit and Quality Assurance surveillances have concluded that the licensee has an effective program. 7) A discussion of cyber security issues pending in the licensee's corrective action program. The licensee provided examples of cyber security issues in its corrective action program. 8) A discussion of modifications completed to support the cyber security program and a discussion of pending cyber security modifications.
-6 -The licensee provided a discussion of completed modifications and pending modifications. 3.2 NRC Staff Evaluation The NRC staff evaluated the licensee's application using the regulatory requirements and the guidance set forth above. The NRC staff's evaluation is set forth below. The licensee indicated that completion of the activities associated with the CSP, as described in Milestones 1 through 7 and completed prior to December 31, 2012, provide a high degree of protection to ensure that the most significant digital computer and communication systems and networks associated with safety, security, and EP systems are already protected against attacks. It detailed activities completed for each milestone and noted that several elements of Milestone 8 have already been implemented or will be implemented by the original Milestone 8 date of December 1, 2014. The licensee provided details about the completed milestones and elements. The NRC staff finds that the licensee's sites are more secure after implementation of Milestones 1 through 7 because the activities the licensee has completed mitigate the most significant cyber-attack vectors for the most significant CDAs. Therefore, the NRC has reasonable assurance that full implementation of the CSP by December 1, 2016 will provide adequate protection of the public health and safety and the common defense and security. The licensee stated that the scope of actions required to fully implement its CSP were not anticipated when the implementation schedule was originally determined. The staff recognizes that CDA assessment work is much more complex and resource intensive than originally anticipated, in part due to the NRC expanding the scope of the cyber security requirements to include balance of plant. As a result, the licensee has a large number of additional tasks not originally considered when developing its CSP implementation schedule. Accordingly, the NRC staff finds that the licensee's request for additional time to implement Milestone 8 is reasonable given the unanticipated complexity, volume, and scope of the remaining work required to fully implement its CSP. The licensee proposed a Milestone 8 completion date of December 1, 2016. The licensee stated that changing the completion date of Milestone 8 allows for one additional refueling outage to methodically plan, implement, and test the required additions or changes and allows those additions or changes that require a design change to be performed. The licensee stated its methodology for prioritizing Milestone 8 activities is centered on considerations for safety, security, emergency preparedness, and balance-of-plant (continuity of power) consequences. The methodology is based on defense-in-depth, installed configuration of the CDA and susceptibility to the five commonly identified threat vectors. Prioritization for CDA assessment begins with safety related CDAs and continues through lower priority non-safety and EP CDAs. The NRC staff finds that based on the large number of digital assets described above and the limited personnel with the appropriate expertise to perform these activities, the licensee's methodology for prioritizing work on CDAs is appropriate. The NRC staff further finds that the licensees request to delay final implementation of the CSP until December 1, 2016, is reasonable given the complexity of the remaining unanticipated work and need to perform certain work during the scheduled refueling outage.
-7-3.3 Technical Evaluation Conclusion The NRC staff concludes that the licensee's request to delay full implementation of its CSP until December 1, 2016, is reasonable for the following reasons: (i) the licensee's implementation of Milestones 1 through 7 provide mitigation for significant cyber-attack vectors for the most significant CDAs as discussed in the staff evaluation above; (ii) the scope of the work required to come into full compliance with the CSP implementation schedule was much more complicated than anticipated and not reasonably foreseeable when the CSP implementation scheduled was originally developed; and (iii) the licensee has reasonably prioritized and scheduled the work required to come into full compliance with its CSP implementation schedule. 3.4 Revision to License Condition By letter dated November 27, 2013, as supplemented by letter dated May 5, 2014, the licensee proposed to modify Paragraph 2.C.3 of Renewed FOL No. DPR-22 for MNGP, and Paragraph 2.C.(3) of Renewed FOL Nos. DPR-42 and DPR-60 for PINGP, Unit Nos. 1 and 2, respectively, which provides a license condition to require the licensee to fully implement and maintain in effect all provisions of the Commissioned-approved CSP. The revised license condition in Paragraph 2.C.3 of Renewed Facility Operating License No. DPR-22 for MNGP would state: NSPM shall fully implement and maintain in effect all provisions of the Commission-approved Northern States Power Company -Minnesota (NSPM) Cyber Security Plan (CSP), including changes made pursuant to the authority of 10 CFR 50.90 and 10 CFR 50.54(p). The NSPM CSP was approved by License Amendment No. 166 and supplemented by License Amendment No. 186. The revised license condition in Paragraph 2.C.(3) of Renewed Facility Operating License No. DPR-42 for PINGP, Unit No. 1, would state: NSPM shall fully implement and maintain in effect all provisions of the Commission-approved Northern States Power Company -Minnesota (NSPM) Cyber Security Plan (CSP), including changes made pursuant to the authority of 10 CFR 50.90 and 10 CFR 50.54(p). The NSPM CSP was approved by License Amendment No. 202 and supplemented by License Amendment No. 212. The revised license condition in Paragraph 2.C.(3) of Renewed Facility Operating License No. DPR-60 for PINGP, Unit No.2, would state: NSPM shall fully implement and maintain in effect all provisions of the Commission-approved Northern States Power Company -Minnesota (NSPM) Cyber Security Plan (CSP), including changes made pursuant to the authority of 10 CFR 50.90 and 10 CFR 50.54{p). The NSPM CSP was approved by License Amendment No. 189 and supplemented by License Amendment No. 200. Based on its review of the information in Section 3.0 of this safety evaluation and the modified license condition described above, the NRC staff concludes the proposed change is acceptable.
-8-4.0 STATE CONSULTATION In accordance with the Commission's regulations, the Minnesota State official was notified of the proposed issuance of the amendment. The State official had no comments. 5.0 ENVIRONMENTAL CONSIDERATION These are amendments of 10 CFR Part 50 licenses that relate solely to safeguards matters, do not involve any significant construction impacts. These amendments are administrative changes to extend the date by which the licensee must have its cyber security plan fully implemented. Accordingly, these amendments meet the eligibility criteria for categorical exclusion set forth in 10 CFR 51.22(c)(12}. Pursuant to 10 CFR 51.22{b), no environmental impact statement or environmental assessment need be prepared in connection with the issuance of the amendments. 6.0 CONCLUSION The NRC staff has concluded, based on the considerations discussed above, that: {1) there is reasonable assurance that the health and safety of the public will not be endangered by operation in the proposed manner; (2) there is reasonable assurance that such activities will be conducted in compliance with the Commission's regulations; and (3) the issuance of the amendments will not be inimical to the common defense and security or to the health and safety of the public. Principal Contributor: John Rycyna, NSIR Date: November 28, 2014 K. Fili, et al. -2-A copy of our related safety evaluation is also enclosed. The Notice of Issuance will be included in the Commission's biweekly Federal Register notice. Docket Nos. 50-263, 50-282, and 50-306
Enclosures:
5. Amendment No. 186 to DPR-22 6. Amendment No. 212 to DPR-42 7. Amendment No. 200 to DPR-60 8. Safety Evaluation cc: Distribution via Listserv DISTRIBUTION: PUBLIC LPL3-1 r/f RidsNrrDorllpl3-1 Resource RidsRgn3MaiiCenter Resource RidsNrrPMPrairielsland Resource RidsNrrLAMHenderson Resource RidsOgcRp Resource RidsNrrPMMonticello Resource RidsNrrDoriDpr Resource RidsNsirDsp Resource RidsAcrsAcnw_MaiiCTR Resource RidsNrrDssStsb Resource J.Rycyna, NSIR ADAMS Accession No
- ML 14239A257 ..
Sincerely,IRA/ Scott P. Wall, Senior Project Manager Plant Licensing Branch 111-1 Division of Operating Reactor Licensing Office of Nuclear Reactor Regulation *via email dated 11/25/14 OFFICE NRR/DORL/LPL3-1 /PM NRR/DORL/LPL3-1 /PM N RR/DORL/LPL3-1 /LA NSIR/CSD/D NAME SWall TBeltz MHenderson RFelts DATE 10/22/2014 11/3/2014 10/27/2014 11/10/2014 OFFICE OGC* NRR/DORL/LPL3-1/PM NRR/DORL/LPL3-1 /PM NAME NStAmour DPelton SWall DATE 11/25/2014 11/28/2014 11/28/2014 OFFICIAL RECORD COPY