Issuance of Amendment Concerning Extension of Cyber Security Milestone 8 (TAC No. MF5557)(L-14-421)

ML15133A502
Person / Time
Site:	Perry
Issue date:	06/10/2015
From:	Kimberly Green Plant Licensing Branch III
To:	Harkness E FirstEnergy Nuclear Operating Co
Eva Brown, NRR/DORL
References
TAC MF5557
Download: ML15133A502 (13)
v • d • e

Text

UNITED STATES NUCLEAR REGULATORY COMMISSION WASHINGTON, D.C. 20555-0001 June 10, 2015 Mr. Ernest J. Harkness Site Vice President FirstEnergy Nuclear Operating Company Mail Stop A-PY-A290 P.O. Box 97, 10 Center Road Perry, OH 44081-0097

SUBJECT:

PERRY NUCLEAR POWER PLANT, UNIT NO. 1 - ISSUANCE OF AMENDMENT CONCERNING EXTENSION OF CYBER SECURITY MILESTONE 8 (TAC NO. MF5557)(L-14-421)

Dear Mr. Harkness:

The U.S. Nuclear Regulatory Commission (the Commission) has issued the enclosed Amendment No. 167 to Facility Operating License No. NPF-58 for the Perry Nuclear Power Plant (PNPP), Unit No. 1. This amendment extends the completion date for full implementation of PNPP Cyber Security Plan (CSP) in response to FirstEnergy Nuclear Operating Company's (FENOC's) application dated January 9, 2015, as supplemented by a letter dated May 6, 2015 (Agencywide Documents Access and Management System (ADAMS) Accession Nos. ML15009A264 and ML15127A202, respectively)). Portions of the letter dated January 9, 2015, contain sensitive unclassified non-safeguards information and those portions are withheld from public disclosure in accordance with Title 10 of the Code of Federal Regulations (10 CFR) 2.390(d)(1 ).

It should be noted that the NRC staff does not regard the CSP milestone implementation dates as regulatory commitments that can be changed unilaterally by a licensee, particularly in light of the regulatory requirement at 10 CFR 73.54. Thus, any subsequent changes that FE NOC may request to the NRG-approved CSP implementation schedule will be submitted for prior NRC approval under 10 CFR 50.90.

E. Harkness A copy of the Safety Evaluation is also enclosed. The Notice of Issuance will be included in the Commission's next biweekly Federal Register notice.

Sincerely, Kimberly J. Green, Senior Project Manager Plant Licensing Branch 111-1 Division of Operating Reactor Licensing Office of Nuclear Reactor Regulation Docket No. 50-440

Enclosures:

1. Amendment No. 167 to NPF-58

2. Safety Evaluation cc w/encls: Distribution via ListServ

UNITED STATES NUCLEAR REGULATORY COMMISSION WASHINGTON, D.C. 20555-0001 FIRSTENERGY NUCLEAR OPERATING COMPANY FIRSTENERGY NUCLEAR GENERATION CORP.

OHIO EDISON COMPANY DOCKET NO. 50-440 PERRY NUCLEAR POWER PLANT. UNIT NO. 1 AMENDMENT TO FACILITY OPERATING LICENSE Amendment No. 167 License No. NPF-58

1. The U.S. Nuclear Regulatory Commission (the Commission) has found that:

A The application for license filed by FirstEnergy Nuclear Operating Company, et al., (the licensee, FE NOC) dated January 9, 2015, as supplemented by a letter dated May 6, 2015, complies with the standards and requirements of the Atomic Energy Act of 1954, as amended (the Act), and the Commission's rules and regulations set forth in 10 CFR Chapter I; B. The facility will operate in conformity with the application, the provisions of the Act, and the rules and regulations of the Commission; C. There is reasonable assurance (i) that the activities authorized by this amendment can be conducted without endangering the health and safety of the public, and (ii) that such activities will be conducted in compliance with the Commission's regulations; D. The issuance of this amendment will not be inimical to the common defense and security or to the health and safety of the public; and E. The issuance of this amendment is in accordance with 10 CFR Part 51 of the Commission's regulations and all applicable requirements have been satisfied.

Enclosure 1

2. Accordingly, the license is amended by changes to the Facility Operating License as indicated in the attachment to this license amendment, and paragraph 2.E of Facility Operating License No. NPF-58 is hereby amended to read as follows:

E. FENOC shall fully implement and maintain in effect all provisions of the Commission-approved physical security, training and qualification, and safeguards contingency plans, including amendments made pursuant to provisions of the Miscellaneous Amendments and Search Requirements revisions to 10 CFR 73.55 (61 FR 27817 and 27822) and to the authority of 10 CFR 50.90 and 10 CFR 50.54(p). The combined set of plans, which contain Safeguards Information protected under 10 CFR 73.21, is entitled: "Perry Nuclear Power Plant Physical Security Plan" Revision 2, submitted by letter dated May 18, 2006.

FENOC shall fully implement and maintain in effect all provisions of the Commission-approved cyber security plan (CSP), including changes made pursuant to the authority of 10 CFR 50.90 and 10 CFR 50.54(p).

The FENOC CSP was approved by License Amendment No. 158, and amended by License Amendment No. 167.

3. This license amendment is effective as of its date of its issuance and shall be implemented within 30 days of the date of issuance.

FOR THE NUCLEAR REGULA TORY COMMISSION

. el n, f Plant Licensing Branch 111-1 Division of Operating Reactor Licensing Office of Nuclear Reactor Regulation

Attachment:

Changes to the Facility Operating License Date of Issuance: June 1O, 2015

ATTACHMENT TO LICENSE AMENDMENT NO. 167 FACILITY OPERATING LICENSE NO. NPF-58 DOCKET NO. 50-440 Replace the following page of the Facility Operating License with the attached revised page.

The revised page is identified by amendment number and contains marginal lines indicating the areas of change.

Remove License NPF-58 License NPF-58 Page 6 Page 6

D. FENOC is exempted from: 1) the requirements of Section lll.D.2(b)(ii), containment airlock testing requirements, Appendix J to 10 CFR Part 50, due to the special circumstance described in Section 6.2.6 of SER Supplement No. 7 authorized by 10 CFR 50.12(a)(2)(iii) and 2) the requirements of Section IV.F., Full Participation Exercise, of Appendix E to 10 CFR Part 50, due to the special circumstance described in the Exemption dated November 6, 1986. These exemptions are authorized by law, will not present an undue risk to the public health and safety, and are consistent with the common defense and security. The exemptions are hereby granted pursuant to 10 CFR 50.12. With the granting of these exemptions, the facility will operate, to the extent authorized herein, in conformity with the application, as amended, the provisions of the Act, and the rules and regulations of the Commission.

E. FE NOC shall fully implement and maintain in effect all provisions of the Commission-approved physical security, training and qualification, and safeguards contingency plans, including amendments made pursuant to provisions of the Miscellaneous Amendments and Search Requirements revisions to 10 CFR 73.55 (61 FR 27817 and 27822) and to the authority of 10 CFR 50.90 and 10 CFR 50.54(p).

The combined set of plans, which contain Safeguards Information protected under 10 CFR 73.21, is entitled: "Perry Nuclear Power Plant Physical Security Plan" Revision 2, submitted by letter dated May 18, 2006.

FE NOC shall fully implement and maintain in effect all provisions of the Commission-approved cyber security plan (CSP), including changes made pursuant to the authority of 10 CFR 50.90 and 10 CFR 50.54(p). The FENOC CSP was approved by License Amendment No. 158, and amended by License Amendment No.167.

F. Deleted G. The licensees shall have and maintain financial protection of such type and in such amounts as the Commission shall require in accordance with Section 170 of the Atomic Energy Act of 1964, as amended, to cover public liability claims.

Amendment No. 167

UNITED STATES NUCLEAR REGULATORY COMMISSION WASHINGTON, D.C. 20555-0001 SAFETY EVALUATION BY THE OFFICE OF NUCLEAR REACTOR REGULATION RELATED TO AMENDMENT NO. 167 TO FACILITY OPERATING LICENSE NO. NPF-58 FIRSTENERGY NUCLEAR OPERATING COMPANY FIRSTENERGY NUCLEAR GENERATION CORP.

OHIO EDISON COMPANY PERRY NUCLEAR POWER PLANT, UNIT NO. 1 DOCKET NO. 50-440

1.0 INTRODUCTION

By application dated January 9, 2015, as supplemented by a letter dated May 6, 2015 (Agencywide Documents Access and Management System (ADAMS) Accession Nos.

ML15009A265 and ML15127A202, respectively), the FirstEnergy Nuclear Operating Company (FENOC, the licensee) requested a change to the facility operating license (FOL) for Perry Nuclear Plant, Unit 1 (PNPP). The proposed change would revise the date of Cyber Security Plan (CSP) Implementation Schedule Milestone 8, and would accordingly modify the license condition in Paragraph 2.E of the FOL.

The supplemental letter dated May 6, 2015, did not expand the scope of the application as originally noticed, and did not change the U.S. Nuclear Regulatory Commission (NRC) staff's original proposed no significant hazards consideration determination.

2.0 REGULATORY EVALUATION

2.1 Background The NRC staff reviewed and approved the licensee's existing CSP implementation schedule in a letter dated August 29, 2011 (ADAMS Accession No. ML111920382), concurrent with the incorporation of the CSP into the facility's current licensing basis. Milestone 8 of the CSP implementation schedule concerns the full implementation of the CSP.

2.2 Regulations Section 73.54(a) to Title 10 to the Code of Federal Regulations (10 CFR) states that licensees must provide high assurance that digital computer and communication systems, and networks are adequately protected against cyber-attacks, up to and including the design basis threat described in 10 CFR 73.1. Pursuant to 10 CFR 73.54(a)(1 ), licensees must protect digital Enclosure 2

computer and communication systems and networks associated with: (i) safety-related and important-to-safety functions; (ii) security functions; (iii) emergency preparedness functions, including offsite communications; and (iv) support systems and equipment which, if compromised, would adversely impact safety, security, or emergency preparedness functions.

As further specified in 10 CFR 73.54(a)(2), these systems and networks must be protected from cyber attacks that would adversely impact the integrity or confidentiality of data and software; deny access to systems, services, or data; and adversely impact the operation of systems, networks, and associated equipment. Additionally, 10 CFR 73.54 requires licensees to submit a proposed implementation schedule, and further requires that implementation of the licensee's cyber security program be consistent with the approved schedule.

It should be noted that the NRC staff does not regard the CSP milestone implementation dates as regulatory commitments that can be changed unilaterally by the licensee, particularly in light of the regulatory requirement at 10 CFR 73.54, that "[i]mplementation of the licensee's cyber security program must be consistent with the approved schedule." Thus all subsequent changes to the NRC-approved CSP implementation schedule will require submittal for prior NRC approval under 10 CFR 50.90.

Section 13.6.6, of NUREG-0800, provides the review criteria for CSP security plans. In a letter dated October 24, 2013 (ADAMS Accession No. ML13295A467), the NRC staff listed criteria to consider during evaluations of licensees' requests to postpone their cyber security program implementation date (commonly known as Milestone 8). The criteria in the guidance are as follows:

1. Identification of the specific requirement or requirements of the cyber security plan that the licensee needs additional time to implement.

2. Detailed justification that describes the reason the licensee requires additional time to implement the specific requirement or requirements identified.

3. A proposed completion date for Milestone 8 consistent with the remaining scope of work to be conducted and the resources available.

4. An evaluation of the impact that the additional time to implement the requirements will have on the effectiveness of the licensee's overall cyber security program in the context of milestones already completed.

5. A description of the licensee's methodology for prioritizing completion of work for critical digital assets associated with significant safety consequences and with reactivity effects in the balance of plant.

6. A discussion of the licensee's cyber security program performance up to the date of the license amendment request.

7. A discussion of cyber security issues pending in the licensee's corrective action program.

8. A discussion of modifications completed to support the cyber security program and a discussion of pending cyber security modifications.

3.0 TECHNICAL EVALUATION

3.1 Extension Request As discussed above, on August 29, 2011, the NRC staff approved the licensee's CSP implementation schedule, which was based on an NEI [Nuclear Energy Institute] template submitted in a letter dated February 28, 2011 (ADAMS Accession No. ML110600206). In Section 2.0 of the January 9, 2015, submittal, the licensee indicated completion of the first seven milestones of the Cyber Security Implementation Plan as of December 31, 2012. It was identified that on-going monitoring and time-based periodic actions provide continuing program performance monitoring. This monitoring combined with these interim milestones, ensure that PNPP is, and will continue to be, secure; and that digital computer and communication systems, and networks are adequately protected against cyber-attacks during implementation of the full program.

Milestone 8 of the licensee's CSP requires FENOC to fully implement the CSP by July 1, 2015.

FENOC requested to change the Milestone 8 completion date to December 31, 2017, to allow for support of required design changes and provide additional time to appropriately prioritize work. The licensee identified that additional time would be needed to implement certain activities in Section 3.1, "Analyzing Digital Computer Systems and Networks and Applying Cyber Security Control," of the CSP. More specifically, the licensee indicated that additional time would be needed to complete critical digital asset (CDA) assessment work which is resource intensive, as well as remediation activities, which must be carefully considered, change management challenges, and training on new programs, processes and procedures.

In Section 3.0 of the January 9, 2015, submittal, the licensee noted there is a large volume of effort associated with documentation of the assessment and analysis for the 1300 CDAs given the amount of rework that has been identified. The licensee indicates that new tasks are being added to normal maintenance activities, which require significant verification, analysis and testing to ensure no adverse impact to plant equipment. Additionally, the CDA assessment process requires careful consideration of remediation activities given that security controls modifications are unique and new to the plant and suppliers and proposed modifications to the plant have to be evaluated to ensure that the modifications do not adversely impact plant safety and operation.

The licensee stated that its methodology for prioritizing Milestone 8 activities is centered on considerations of safety, security, emergency preparedness (EP), and balance of plant (BOP)

(continuity of power) consequences. The methodology is based on defense in depth, installed configuration of the CDA, and susceptibility to commonly identified threat vectors. Prioritization for CDA assessment begins with safety-related CDAs and continues through the lower priority nonsafety and EP CDAs:

• safety-related CDAs;

• important to safety CDAs (including BOP CDAs that directly impact continuity of power) and control system CDAs;

• physical security CDAs; and,

• nonsafety-related CDAs and EP CDAs.

The licensee stated PNPP uses the existing corrective action program (CAP) to document all cyber issues in order to trend, correct, and improve the cyber security program. Conditions adverse to quality are captured in the CAP database and tracked from initiation through closure. Adverse trends are monitored for program improvement and addressed via the CAP process.

3.2 NRC Staff Evaluation The NRC staff has evaluated the licensee's application using the regulatory requirements and the guidance identified above. The NRC staff's evaluation is below:

The NRC staff finds that the actions the licensee noted as being required to implement CSP Section 3, Analyzing Digital Computer Systems and Networks, and Section 4, Establishing, Implementing and Maintaining the Cyber Security Program, are reasonable as discussed below.

The licensee indicated that completion of the activities associated with the CSP, as described in Milestones 1 through 7 and completed prior to December 31, 2012, provide a high degree of protection against cyber security attacks. It detailed activities completed for each milestone, and provided details about the completed milestones and elements. The NRC staff finds that the licensee's site is much more secure after implementation of Milestones 1 through 7 because the activities the licensee completed mitigate the most significant cyber attack vectors for the most significant CDAs.

The licensee stated that additional time is needed to conduct modifications and change management planning activities and execution. The staff recognizes that CDA assessment work is much more complex and resource intensive than originally anticipated, in part, due to the NRC expanding the scope of the cyber security requirements to include balance of plant.

As a result, the licensee has a large number of additional tasks not originally considered when developing its CSP implementation schedule. The staff finds that the licensee's request to delay full implementation of the CSP until December 31, 2017 is reasonable given the complexity and volume of the remaining unanticipated work.

The licensee stated that changing the completion date of Milestone 8 will provide sufficient time to methodically plan and schedule the implementation of the required design changes as well as provide time to prioritize work activities to avoid rework and scope changes. The NRC staff recognizes that CDA assessment work is much more complex and resource intensive than originally anticipated and that the licensee has a large number of additional tasks not originally considered when developing its CSP implementation schedule. The licensee has provided sufficient information to conclude that there are implementation issues with the large number of CDAs and the need to address security controls for each. Given this information, the NRC staff finds that the licensee's request to delay full implementation of the CSP until December 31, 2017 is reasonable given the complexity and volume of the remaining unanticipated work.

Therefore, the NRC staff finds that implementation of Milestones 1 through 7 provides significant protection against cyber attacks in the interim; that the licensee's explanation of the need for additional time is compelling, and that it is acceptable for FENOC to delay full implementation of the CSP until December 31, 2017. The NRC staff also finds that, upon full implementation of the licensee's cyber security program, the requirements of the licensee's CSP and 10 CFR 73.54 will be met. Therefore, the NRC staff finds the proposed change acceptable.

3.3 Technical Evaluation Conclusion The NRC staff concludes that the licensee's request to delay full implementation of its CSP until December 31, 2017 is reasonable for the following reasons: (i) the licensee's implementation of Milestones 1 through 7 provides mitigation for significant cyber attack vectors for the most significant CDAs as discussed in the staff evaluation above and (ii) the scope of the work required to come into full compliance with the CSP implementation schedule was much more complicated than anticipated and not reasonably foreseeable when the CSP implementation schedule was originally developed.

3.4 Revision to License Condition In its January 9, 2015 application, the licensee proposed to modify the license condition in Paragraph 2.E of its FOL to reflect the NRC staff's approval of an extension of the implementation date for completion of the CSP.

The license condition in Paragraph 2.E of the operating license is modified as follows:

E. FENOC shall fully implement and maintain in effect all provisions of the Commission-approved physical security, training and qualification, and safeguards contingency plans, including amendments made pursuant to provisions of the Miscellaneous Amendments and Search Requirements revisions to 10 CFR 73.55 (61 FR 27817 and 27822) and to the authority of 10 CFR 50.90 and 10 CFR 50.54(p). The combined set of plans, which contain Safeguards Information protected under 10 CFR 73.21, is entitled: "Perry Nuclear Power Plant Physical Security Plan," Revision 2, submitted by letter dated May 18, 2006.

FENOC shall fully implement and maintain in effect all provisions of the Commission-approved cyber security plan (CSP), including changes made pursuant to the authority of 10 CFR 50.90 and 10 CFR 50.54(p). The FENOC CSP was approved by License Amendment No. 158, and amended by License Amendment No. 167.

4.0 STATE CONSULTATION

In accordance with the Commission's regulations, the appropriate Ohio State official was notified of the proposed issuance of the amendment. The State official had no comments.

5.0 ENVIRONMENTAL CONSIDERATION

This licensing action is an amendment to a 10 CFR Part 50 license that relates solely to safeguards matters, and does not involve any significant construction impacts. This amendment is an administrative change to extend the date by which the licensee must have its cyber security plan fully implemented. Accordingly, this licensing action meets the eligibility criteria for categorical exclusion set forth in 10 CFR 51.22(c)(12). The Commission has previously issued a proposed finding that this amendment involves no significant hazards consideration and there has been no public comment on such finding (80 FR 18658; April 7, 2015). Pursuant to 10 CFR 51.22(b), no environmental impact statement or environmental assessment need be prepared in connection with the issuance of this amendment.

6.0 CONCLUSION

The NRC staff has concluded, based on the considerations discussed above, that: (1) there is reasonable assurance that the health and safety of the public will not be endangered by operation in the proposed manner, (2) there is reasonable assurance that such activities will be conducted in compliance with the Commission's regulations, and (3) the issuance of this amendment will not be inimical to the common defense and security or to the health and safety of the public.

Principal Contributor: J. Rycyna, NSIR Date of issuance: June 1O, 2015

ML15133A502

• via memo **via email OFFICE LPL3-2/PM LPL3-2/LA NSIR/CSD* OGC- NLO LPL3-1/BC LPL3-1/PM NAME EBrown SRohrer RFelts JHull** DPelton KGreen DATE 5/14/2015 5/14/2015 4/22/2015 6/03/2015 6/09/2015 6/10/2015