Assessment of Cyber Security Program Draft Temporary Instruction (Ti) Performed at Palo Verde Nuclear Generating Station

ML15205A360
Person / Time
Site:	Palo Verde
Issue date:	07/24/2015
From:	Pick G A NRC/RGN-IV/DRS/EB-2
To:	Clark J A, Westreich B C Office of Nuclear Security and Incident Response, Division of Reactor Safety IV
References
Download: ML15205A360 (6)
v • d • e

Text

July 24, 2015 MEMORANDUM TO: Barry C. Westreich, Director Cyber Security Directorate Office of Nuclear Security and Incident Response

THRU: Jeffrey A. Clark, Deputy Director

/RA/ Division of Reactor Safety

FROM: Gregory A. Pick, Chief /RA/ Engineering Branch 2 Division of Reactor Safety

SUBJECT:

ASSESSMENT OF CYBER SECURITY PROGRAM DRAFT TEMPORARY INSTRUCTION (TI) PERFORMED AT PALO VERDE NUCLEAR GENERATING STATION

Region 4 collaborated with your staff to assess draft Temporary Instruction (TI) 2201/XXX, "Inspection of the Cyber Security Program Required by 10 CFR 73.54." The Nuclear Regulatory Commission (NRC) drafted this TI specifically to facilitate review and assessment of licensees' full implementation of their cyber security programs. Full implementation dates vary among the licensees and the full implementation inspections are expected to be conducted no earlier than December 2017.

Arizona Public Service volunteered to facilitate our assessment of the draft TI at their Palo Verde Nuclear Generating Station. The objectives of the draft TI assessment were to:

1. Evaluate and verify the draft TI resource estimates;

2. Assess the effectiveness of the draft TI to evaluate a licensee in meeting the NRC's Cyber Security Rule, Title 10, Code of Federal Regulations (CFR), Part 73, Section 54, "Protection of Digital Computer and Communication Systems and Networks;" and

3. Capture insights regarding the industry's assessment and application of cyber security controls.

Region 4 conducted this draft TI assessment in a manner similar to normal team inspections with one exception. The team did not perform an on-site information gathering visit. The team CONTACT: Eduardo Uribe, DRS/EB2 (817) 200-1534 UNITED STATES NUCLEAR REGULATORY COMMISSION REGION IV 1600 E. LAMAR BLVD ARLINGTON, TX 76011-4511

leader coordinated the information requested through a formal request letter and several coordinating telephone calls.

The schedule of related activities, assessment team composition and the list of NRC and industry observers is summarized below:

TI Assessment Activities

• Information gathering via mail May 11, 2015

• In-office Prep Week May 18 - June 19, 2015, as time allowed

(nominally one week)

• On-site TI Assessment June 22 - 25, 2015 TI Assessment Team

• Eduardo Uribe, Reactor Inspector (Lead)

• Nnaerika Okonkwo, Reactor Inspector

• Tim Shaw, Cyber Security Contractor

• Alan Konkal, Cyber Security Contractor Palo Verde Key Participants

• Fred Swirlbul

• Sandra Bittner

• Al Atkinson NRC Observers

• Barry Westreich, Office of Nuclear Security and Incident Response

• Ralph Costello, Office of Nuclear Security and Incident Response

• Rodney Fanner, Region II

• Mario Fernandez, Office of Nuclear Security and Incident Response

• Alan Dahbur, Region III

• Greg Pick, Region IV

• Andrea True, Technical Training Center

• George Simonds, Cyber Security Contractor Industry Observers

• Bill Gross, Nuclear Energy Institute

• Nathan Faith, Exelon Corporation

• Bob Lubert, First Energy Corporation

• Scott Burns, First Energy Corporation

• Philip Prugnerola, Nextera Energy, Inc.

• Alex Bond, Ameren

• Miranda Tan, Pacific Gas and Electric Company

• Jan Wilkins, Southern Nuclear Operating Company

• Tim Bailey, Wolf Creek Generating Station

The draft TI procedure resource estimate required a team composed of two NRC inspectors with two contractors on-site for two weeks of the inspection. The assessment team performed four of the four draft required samples during the one week assessment to validate the resource estimate. Because Palo Verde Nuclear Generating Station had received their TI 2201/004, "Inspection of Implementation of Interim Cyber Security Milestones 1-7," the assessment team did not inspect requirements that related to Milestones 1-7. The team exercised four elements of the draft TI to maximize the evaluation and to identify potential areas for adjustment. Overall, the assessment team concluded that the draft TI provided appropriate guidance. The assessment team will request additional resources to ensure that the inspection objectives are achievable.

Observations relative to the three objectives were

1) Objective: Evaluate and verify the draft TI resource estimates.

The team concluded that the composition of the inspection team will require one additional inspector to perform and complete review of inspection material. During this assessment, the team recognized that the volume of documentation required for the cyber security program implementation was greater than anticipated. The team also concluded that an information gathering trip is needed for preparation of the inspection. This will serve a critical need of understanding the approach the licensee implemented while applying controls to the critical digital assets.

The team selected four critical systems.

The team exercised all requirements of the draft TI void any requirements germane to Milestones 1-7. The omission of Milestone 1-7 requirements is consistent with the draft TI as it provides guidance to not

necessarily inspect requirements that were inspected during a previous Milestone 1-7 inspection. In order to inspect four systems with critical digital assets (consistent with the draft requirements) along with Milestone 1-7 requirements, the team concludes that two weeks of direct inspection effort per site will require a team composition of three inspectors and two contractors. The team noted that because the licensee was several months away from full implementation there were some cyber security controls that were not yet established and others that required additional assessment.

2) Objective: Assess the effectiveness of the draft TI to evaluate a licensee in meeting the NRC's Cyber Security Rule, Title 10, Code of Federal Regulations (CFR), Part 73, Section 54, "Protection of Digital Computer and Communication Systems and

Networks."

The team determined that the draft TI provides appropriate guidance to assess whether a licensee has established and implemented an approved cyber security program in accordance with the regulatory requirements of 10 CFR 73.54. The team noted the draft TI was performance based, sampled a representative cross section of

cyber security program requirements, and was focused on verifying adequacy of several significant cyber security controls. Significant cyber security controls were identified with an asterisk (*) in the draft TI. The team concluded that the many of the significant controls are programmatic and are generically applied to most of the critical digital assets throughout the plant.

3) Objective: Capture insights regarding the industry's assessment and application of cyber security controls.

The team identified three insights that challenge inspection of full implementation of a licensee's cyber security program:

a) Palo Verde's methodology for implem enting the cyber security program requirements was implemented ahead of industry guidance. It became very clear to the team that the methodology used to apply controls will vary from site-to-site. Also, because this is a new program being implemented in varied fashions across the industry, additional resources and time will be required to gain knowledge for each licensee's cyber security program to be inspected by completing an information gathering trip.

b) Adequate documentation of critical digital asset assessments and evaluations of cyber security controls by the licensee were not in all cases consistent with neither the cyber security plan nor Nuclear Energy Institute (NEI) 13-10, "Cyber Security Control Assessments." This licensee indicated that it has not begun to finalize full implementation because guidance streamlining full implementation has not been completed in NEI 13-10. A new revision to NEI 13-10 is being drafted currently. The team identified several inadequate justifications for not applying controls as required of the licensee and industry. The team explained, on multiple occasions, that the team performing the inspection will be looking for records explaining why controls were not applied. A solution to this issue will be the development of a template for information requests as part of the inspection plan.

c) To gain additional insights the team recommends that another pilot be conducted at a licensee that is greater than 50 percent completed with their implementation and that has followed the NEI 13-10 process.

Arizona Public Service Company and industry representatives were receptive to the NRC assessment team's perspective regarding the draft TI guidance and requirements as well as their interpretation of existing cyber security guidance and regulatory documents for nuclear power plants. The results of this assessment highlight continued communication between your staff and the industry cyber security working group as beneficial. To the extent possible, documented NRC positions and basis of cyber security requirements will assist the industry in their readiness and inspectors' ability to complete an objective full implementation TI.

ML15205A360 SUNSI Review: GAP ADAMS Yes No Publicly Available Non-Publicly Available Non-Sensitive Sensitive Keyword: RGN-002 OFFICE DRS:EB2 DRS:EB2 DRS:EB2 DD:DRS NAME EUribe NOkonkwo GPick JClark SIGNATURE /RA/ Email /RA/ /RA/ DATE 7/20/15 7/20/15 7/22/15 7/24/15 Memo to Barry C. Westreich from Gregory A. Pick, dated July 24, 2015

SUBJECT:

ASSESSMENT OF CYBER SECURITY PROGRAM DRAFT TEMPORARY INSTRUCTION (TI) PERFORMED AT PALO VERDE NUCLEAR GENERATING STATION

Distribution via email

T. Vegel, DRS, RIV J. Clark, DRS, RIV G. Pick, DRS, RIV E. Uribe, DRS, RIV J. Rogge, DRS, RI S. Shaeffer, DRS, RII R. Daley, DRS, RIII R. Costello, NSIR R. Felts, NSIR