PLA-6832, Proposed Amendment No. 311 to License NPF-14 and Proposed Amendment No. 283 to License NPF-22: Changes to Cyber Security Implementation Schedule Milestones 3 and 6 PLA-6832

From kanterella
Revision as of 01:49, 30 April 2019 by StriderTol (talk | contribs) (Created page by program invented by StriderTol)
Jump to navigation Jump to search

Proposed Amendment No. 311 to License NPF-14 and Proposed Amendment No. 283 to License NPF-22: Changes to Cyber Security Implementation Schedule Milestones 3 and 6 PLA-6832
ML12122A011
Person / Time
Site: Susquehanna  Talen Energy icon.png
Issue date: 04/30/2012
From: Helsel J M
Susquehanna
To:
Document Control Desk, Office of Nuclear Reactor Regulation
Shared Package
ML121220017 List:
References
PLA-6832
Download: ML12122A011 (20)
v  d  e


Text

U.S. Nuclear Regulatory Commission Attn: Document Control Desk Mail Stop OP1-17 Washington, DC 20555 SUSQUEHANNA STEAM ELECTRIC STATION PROPOSED AMENDMENT NO. 311 TO LICENSE NPF-14 AND PROPOSED AMENDMENT NO. 283 TO LICENSE NPF-22: CHANGES TO CYBER SECURITY IMPLEMENTATION SCHEDULE MILESTONES 3 AND 6 PLA-6832 Docket Nos. 50-387 and 50-388

Reference:

(1) Letterfrom PPL (T. Rausch) to NRC Document Control Desk, "Susquehanna Steam Electric Station Proposed Amendment No. 306 to License NPF-14 and Proposed Amendment No. 277 to License NPF-22: Withdrawal and Resubmittal of R e quest for Approval of the PPL Susquehanna, LLC Cyber Security Plan" , dated July 22, 2010 (ML102150151).

(2) Letter from PPL (T. Rausch) to NRC Document Control Desk, "Susquehanna Steam Electric Station Response to Cyber Security Request for Additional Information" dated April4, 2011 (ML111020217).

(3) Letter from NRC (B. K. Vaidya) to PPL (T. Rausch), Susquehanna Steam Electric Station, Unit Nos. 1 and 2-Issuance of Amendment RE: Approval of PPL Susquehanna, LLC Cyber Security Plan (TAC Nos. ME4420 and ME4421), dated July 21, 2011 (ML11152A009).

PPL Susquehanna, LLC (PPL) submitted a request for an amendment to the Facility Operating Licenses (FOL) for Susquehanna Steam Electric Station, Units 1 and 2 in Reference (1) and supplemented the request in Reference (2). The request for amendment included the PPL Cyber Security Plan and the associated implementation schedule.

In Reference (3 ), the NRC approved and issued the requested amendments.

The amendment approval stated the following, "The implementation of the cyber security plan (CSP), including the key intermediate milestone dates and the full implementation date, shall be in accordance with the implementation schedule submitted by the licensee by letter July 22, 2010, as supplemented by letter dated April 4, 2011, and approved by the NRC staff with this license amendment.

All subsequent changes to the approved CSP implementation schedule will require prior NRC approval pursuant to 10 CFR 50.90." PPL is planning to implement the requirements of Implementation Schedule Milestone 3 Document Control Desk PLA-6832 and 6 in a slightly different manner than described in the approved Implementation Schedule.

Although no change to the Implementation Schedule dates is proposed, the changes to the description of the milestone activities is conservatively considered to be a change to the implementation schedule, and in accordance with the provisions of 10 CFR §50.4 and §50.90, PPL is submitting this request for an amendment to the Facility Operating Licenses (FOL) for Susquehanna Steam Electric Station, Units 1 and 2. The proposed amendments request NRC approval of the revised PPL Susquehanna, LLC Cyber Security Plan, revised Implementation Schedule and revised FOL Physical Protection license condition.

These proposed changes have been reviewed by both the Plant Operations Review Committee (PORC) and the Susquehanna Review Committee (SRC). Enclosure 1 provides an evaluation of the proposed change. Enclosure 1 also contains the following attachments:

  • Attachment 1 provides the existing FOL page for Unit 1 marked up to show the proposed change.
  • Attachment 2 provides the existing FOL page for Unit 2 marked up to show the proposed change. Enclosure 2 provides a copy of the revised PPL Susquehanna, LLC Cyber Security Plan Implementation Schedule.

The revisions to the wording of Milestones 3 and 6 represent revised regulatory commitments.

Enclosure 3 provides a copy of the revised PPL Susquehanna, LLC Cyber Security Plan. PPL requests that Enclosure 3, which contains security-related sensitive information, be withheld from pubic disclosure in accordance with 10 CFR 2.390. The proposed changes have been evaluated in accordance with 10 CFR 50.91(a)(1) using criteria in 10 CFR 50.92( c), and it has been determined that the changes involve no significant hazards consideration.

The bases for these determinations are included in Attachment

1. In accordance with 10 CFR 50.91, a copy of this application, with attachments, is being provided to the designated Commonwealth of Pennsylvania state official.

PPL requests this license amendment be effective as of its date of issuance.

Although this request is neither exigent nor emergency, your review and approval is requested prior to August 31, 2012. If you should have any questions regarding this submittal, please contact Mr. John L. Tripoli at (570) 542-3100. Document Control Desk PLA-6832 I declare under penalty of perjury that the foregoing is true and correct. Executed on:

Enclosures:

1. Evaluation of Proposed Change 2. PPL Susquehanna, LLC Cyber Security Plan Implementation Schedule 3. PPL Susquehanna, LLC Cyber Security Plan [Security-Related Withhold Under 10 CFR 2.390] Attachments to Enclosure 1: Facility Operating License No. NPF-14, Unit 1 (Mark-up)
2. Facility Operating License No. NPF-22, Unit 2 (Mark-up) cc: NRC Region I Mr. P. W. Finney, NRC Sr. Resident Inspector Mr. R. R. Janati, DEP/BRP Ms. C. Sanders, NRC Project Manager Enclosure 1 to PLA-6832 Evaluation of Proposed Change Request for Approval of the PPL Susquehanna, LLC Cyber Security Plan 1. Summary Description
2. Detailed Description
3. Technical Evaluation
4. Regulatory Evaluation 4.1 Applicable Regulatory Requirements I Criteria 4.2 Significant Hazards Consideration 4.3 Conclusion
5. Environmental Consideration
6. References ATTACHMENTS:

Attachment 1-Facility Operating License No. NPF-14, Unit 1 (Mark-up)

Attachment 2-Facility Operating License No. NPF-22, Unit 2 (Mark-up)

PPL EVALUATION Enclosure 1 to PLA-6832 Page 1 of7

Subject:

PPL Evaluation of Proposed Change to the Unit 1 and Unit 2 Request for Approval of the PPL Susquehanna, LLC Cyber Security Plan 1.

SUMMARY

DESCRIPTION The proposed license amendment request (LAR) includes the proposed changes to Implementation Schedule Milestones 3 and 6 and corresponding proposed changes to the PPL Susquehanna, LLC Cyber Security Plan and existing Facility Operating License (FOL) Physical Protection license conditions for both Unit 1 and Unit 2. 2. DETAILED DESCRIPTION In Reference 1, the PPL Susquehanna, LLC Cyber Security Plan and associated implementation schedule were approved by the NRC. Since the Cyber Security Plan Implementation Schedule contained in Reference 2 was utilized as a portion of the basis for the NRC safety evaluation provided by Reference 1, this proposed LAR includes:

1) the proposed change to the existing operating license condition for the Physical Protection license condition for PPL Susquehanna to reference the implementation schedule commitment changes, 2) the proposed revised Cyber Security Plan Implementation Schedule for Milestones 3 and 6, and 3) the proposed revised Cyber Security Plan. 3. TECHNICAL EVALUATION Milestone 3 Changes For non-security critical digital assets (CDAs), the current implementation schedule and cyber security plan describe deterministic devices between Layers 3 and 4 with firewalls between Layers 1 and 2 and between Layers 2 and 3. The proposed change to the cyber defensive strategy would install a deterministic data diode appliance between Layers 3 and 2 with firewalls between the other layers thus providing an increase in overall protection of Critical Digital Systems in Layers 3 and 4. The revised defensive strategy takes advantage of available technology that provides a better and more easily achievable technical solution, does not decrease the overall level of cyber security performance, and is an overall increase in protection for the critical digital systems and components.

Milestone 6 Changes Enclosure 1 to PLA-6832 Page 2 of7 In Reference 3, the Nuclear Energy Institute (NEI) transmitted to the NRC an implementation schedule template (ML 11 0600218) to aid compliance with the NRC cyber security regulations codified in 10 CFR 73.54 which was acknowledged in Reference 4 by the NRC. NEI engaged the industry in an effort to ensure that licensees submit an implementation schedule consistent with the template provided in Reference

3. PPL provided the requested implementation schedule in Reference 2 in accordance with the template which the NRC approved in Reference
3. During the industry's efforts to submit implementation schedules, for the reasons stated below, several other licensees clarified the implementation schedule Milestone 6 scope. Milestone 6 of the template regards the identification, documentation, and implementation of cyber security controls for CDAs by December 31, 2012. The other licensees clarified that Milestone 6 intended to address only the NEI 08-09, Revision 6, Appendix D, technical controls excluding the operational and management controls on the basis that implementing the technical controls for target set CD As provides a high degree of protection against cyber-related attacks that could lead to radiological sabotage.

Furthermore, these other licensees justified that existing licensee programs that are currently in place (e.g., physical protection, maintenance and work management, configuration management, and operational experience, etc.) provide a high degree of operational and management protection during the interim period until such time that the full Cyber Security Program is implemented.

The clarification maintains alignment with the intent of the template as submitted for NRC approval in Reference

3. The NRC found the clarification of intent to Milestone 6 scope for other licensees to be acceptable, and issued Safety Evaluations to plants whose implementation schedule incorporated the clarification.

In Reference 2, PPL previously submitted the implementation schedule without articulating the clarification to the scope of Milestone

6. Milestone 6 was intended to focus the efforts on the application of applicable security controls to those CD As that are part of a target set or could impact the proper functioning of target set equipment.

Implementation of operational and management controls for a subset of CD As related to target sets midway through the evaluation of all CD As is impracticable and provides no demonstrable safety benefit. Based on the above justification and the fact that this clarification has already been approved for the other licensees, PPL is requesting this license amendment in order to clarify that the cyber security controls being identified, documented, and implemented in Milestone 6 for target sets are the technical cyber security controls and existing plant programs are sufficient to satisfy the Milestone 6 operational and management controls referenced in the PPL Susquehanna LLC Cyber Security Plan in the interim until full Program implementation.

Enclosure 1 to PLA-6832 Page 3 of7 In conclusion, existing programs at PPL currently in place (e.g., physical protection, maintenance and work management, and configuration management, operational experience, etc.) provide sufficient operational and management protection during the interim period until such time that the full Cyber Security Program is implemented.

The cyber security controls to be identified, documented, and implemented in Milestone 6 of the revised Cyber Security Plan Implementation Schedule (Enclosure

2) are the technical cyber security controls excluding the operational and management controls for target sets referenced in the PPL Susquehanna LLC Cyber Security Plan that will be completed following evaluation of the remaining CD As and implemented with full Cyber Security Program implementation.
4. REGULATORY EVALUATION 4.1 Applicable Regulatory Requirements I Criteria This license amendment request is submitted pursuant to 10 CFR §50.4 and §50.90. 4.2 Significant Hazards Consideration PPL has evaluated the proposed changes using the criteria in 10 CFR 50.92 and has determined that the proposed changes do not involve a significant hazards consideration.

An analysis of the issue of no significant hazards consideration is presented below. (1) Does the proposed amendment involve a significant increase in the probability or consequences of an accident previously evaluated?

Response:

No. Milestone 3 The proposed amendment changes some details of the architecture to be used to provide protection against cyber attacks at Susquehanna.

The proposed modification to the cyber security architecture is an overall increase in protection for the critical digital systems and components.

The proposed change to the cyber security plan and cyber security architecture does not alter accident analysis assumptions, add any initiators, or affect the function of plant systems or the manner in which systems are operated, maintained, modified, tested, or inspected.

Since the proposed modification is an overall increase in protection, the performance capability of the structures, systems, and components relied upon to mitigate the consequences of postulated accidents are not adversely affected and there is no adverse impact on the probability or consequences of an accident previously evaluated.

Milestone 6 Enclosure 1 to PLA-6832 Page 4 of7 The proposed amendment would clarify the scope of the controls to be implemented for target set equipment by December 31, 2012. The clarification to the Cyber Security Plan Implementation Schedule is administrative in nature. This change does not alter accident analysis assumptions, add any initiators, or affect the function of plant systems or the manner in which systems are operated, maintained, modified, tested, or inspected.

The change does not require any plant modifications, which affect the performance capability of the structures, systems, and components relied upon to mitigate the consequences of postulated accidents and has no impact on the probability or consequences of an accident previously evaluated.

Overall Conclusion Therefore, the proposed change does not involve a significant increase in the probability or consequences ofan previously evaluated.

(2) Does the proposed amendment create the possibility of a new or different kind of , accident from any accident previously evaluated?

Response:

No. Milestone 3 The proposed amendment changes some details of the architecture to be used to provide protection against cyber attacks at Susquehanna.

The proposed modification to the cyber security architecture is an overall increase in protection for the critical digital systems and components.

This change to the cyber security architecture does not result in the need for any new or different FSAR design basis accident analysis.

In addition, the change does not introduce new equipment that could create a new or different kind of accident and no new equipment failure modes are created. Since the proposed modification to the cyber security architecture is an overall increase in protection for the critical digital systems and components, the change does not adversely affect the function of any related sse as to how they are operated, maintained, modified, tested or inspected.

As a result, no new accident scenarios, failure mechanisms, or limiting single failures are introduced, and the change does not create the possibility of a new or different kind of accident from any accident previously evaluated.

Milestone 6 Enclosure 1 to PLA-6832 Page 5 of7 The proposed amendment would clarify the scope of the controls to be implemented for target set equipment by December 31, 2012. The clarification to the Cyber Security Plan Implementation Schedule is administrative in nature. This clarification does not result in the need for any new or different FSAR design basis accident analysis.

In addition, the clarification does not introduce new equipment that could create a new or different kind of accident, and no new equipment failure modes are created. Finally, the clarification does not affect the function of plant systems or the manner in which systems are operated, maintained, modified, tested, or inspected.

As a result, no new accident scenarios, failure mechanisms, or limiting single failures are introduced as a result of this proposed amendment.

Therefore, the proposed amendment does not create the possibility of a new or different kind of accident from any accident previously evaluated.

Overall Conclusion Therefore, the proposed change does not create the possibility of a new or different kind of accident from any accident previously evaluated.

(3) Does the proposed amendment involve a significant reduction in a margin of safety? Response:

No. Milestone 3 The proposed amendment changes some details of the architecture to be used to provide protection against cyber attacks at Susquehanna.

The proposed modification to the cyber security architecture is an overall increase in protection for the critical digital systems and components.

Plant safety margins are established through limiting conditions for operation, limiting safety system settings, and safety limits specified in the technical specifications.

Since the proposed modification to the cyber security architecture is an overall increase in protection for the critical digital systems, there is no adverse change to these established safety margins as result of the proposed modification, and the proposed change does not involve a significant reduction in a margin of safety.

Milestone 6 Enclosure 1 to PLA-6832 Page 6 of7 The proposed amendment would clarify the scope of the controls to be implemented for target set equipment by December 31, 2012. Plant safety margins are established through limiting conditions for operation, limiting safety system settings, and safety limits specified in the technical specifications.

The clarification to the Cyber Security Plan Implementation Schedule is administrative in nature. Because there is no change to these established safety margins as result of this clarification, the proposed change does not involve a significant reduction in a margin of safety. Overall Conclusion Therefore, the proposed change does not involve a significant reduction in a margin of safety. Based on the above, PPL concludes that the proposed changes present no significant hazards consideration under the standards set forth in 10 CFR 50.92(c), and accordingly, a finding of "no significant hazards consideration" is justified.

4.3 Conclusion In conclusion, based on the considerations discussed above: ( 1) there is reasonable assurance that the health and safety of the public will not be endangered by operation in the proposed manner; (2) such activities will be conducted in compliance with the Commission's regulations; and (3) the issuance of the amendment will not be inimical to the common defense and security or to the health and safety of the public. 5. ENVIRONMENTAL CONSIDERATION The proposed amendment establishes the licensing basis for a Cyber Security Program for PPL Susquehanna, Units 1 and 2 and will be a part of the Physical Security Plan. This proposed amendment will not involve any significant construction impacts. Pursuant to 10 CFR 51.22(b)(12) no environmental impact statement or environmental assessment need be prepared in connection with the issuance of the amendment.

6. REFERENCES Enclosure 1 to PLA-6832 Page 7 of7 1. NRC letter to PPL, Susquehanna Steam Electric Station, Unit Nos. 1 and 2-Issuance of Amendment RE: Approval of PPL Susquehanna, LLC Cyber Security Plan (TAC Nos. ME4420 and ME4421), dated July 21,2011 (ML 11152A009).
2. PPL letter to NRC, "Susquehanna Steam Electric Station Response to Cyber Security Request for Additional Information," dated April 4, 2011 (ML111020217).
3. Letter from Chris Earls (NEI) to Richard P. Correia (NRC), Template for the Cyber Security Plan Implementation Schedule, dated February 28, 2011 (ML110600211).
4. Letter from Richard P. Correia (NRC) to Chris Earls (NEI), Template for the Cyber Security Plan Implementation Schedule, dated March 1, 2011 (ML 11 0070348).

Attachment 1 to Enclosure 1 Facility Operating License No. NPF-14, PPL Susquehanna Unit 1 Mark-Up J, psig the The

  • * .* ,t,:* *_,_.*

t, O.J\? e.tl CFR of

28. :

Attachment 2 to Enclosure 1 Facility Operating License No. NPF-22, PPL Susquehanna Unit 2 Mark-Up E.

bfl-\(:tV\St tJo. )()(>( F. i1 50.59.

Enclosure 2 to PLA-6832 PPL Susquehanna, LLC Cyber Security Plan Implementation Schedule

Guidance on Cyber Security Plan Implementation Schedule Cyber Security Plan Implementation Schedule 2

3 4 5 Guidance on Cyber Security Plan Implementation Schedule 7 Guidance on Cyber Security Plan Implementation Schedule Guidance on Cyber Security Plan Implementation Schedule

Retrieved from "https://kanterella.com/w/index.php?title=PLA-6832,_Proposed_Amendment_No._311_to_License_NPF-14_and_Proposed_Amendment_No._283_to_License_NPF-22:_Changes_to_Cyber_Security_Implementation_Schedule_Milestones_3_and_6_PLA-6832&oldid=1551634"