ML12240A239

From kanterella
Revision as of 23:18, 11 November 2019 by StriderTol (talk | contribs) (Created page by program invented by StriderTol)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to navigation Jump to search

Issuance of Amendment No. 192, Revise Physical Protection License Condition Related to Milestone 6 of the Cyber Security Plan Implementation
ML12240A239
Person / Time
Site: Grand Gulf Entergy icon.png
Issue date: 12/05/2012
From: Wang A
Plant Licensing Branch IV
To:
Entergy Operations
Wang A
References
TAC ME9113
Download: ML12240A239 (12)


Text

UNITED STATES NUCLEAR REGULATORY COMMISSION WASHINGTON, D.C. 20555-0001 December 5, 2012 Vice President, Operations Entergy Operations, Inc.

Grand Gulf Nuclear Station P.O. Box 756 Port Gibson, MS 39150

SUBJECT:

GRAND GULF NUCLEAR STATION, UNIT 1 - ISSUANCE OF AMENDMENT RE: REVISE THE SCOPE OF CYBER SECURITY PLAN IMPLEMENTATION SCHEDULE MILESTONE #6 (TAC NO. ME9113)

Dear Sir or Madam:

The U.S. Nuclear Regulatory Commission has issued the enclosed Amendment No. 192 to Facility Operating License No. NPF-29 for the Grand Gulf Nuclear Station, Unit 1. This amendment consists of changes to the Facility Operating License No. NPF-29 in response to your application dated June 27,2012.

The amendment revises the scope of Cyber Security Plan (CSP) Implementation Schedule Milestone #6 and paragraph 2.E of the facility operating license. The amendment modifies the scope of Milestone #6 to apply to the technical cyber security controls only. The operational and management controls, as described in Nuclear Energy Institute (NEI) 08-09, Revision 6, would be implemented concurrent with the full implementation of the cyber security program (Milestone #8). Thus, all CSP activities would be fully implemented by the completion date, currently identified in Milestone #8 of the licensee's CSP implementation schedule.

A copy of our related Safety Evaluation is also enclosed. The Notice of Issuance will be included in the Commission's next biweekly Federal Register notice.

Sincerely, c~\J~

Alan Wang, Project Manager Plant Licensing Branch IV Division of Operating Reactor Licensing Office of Nuclear Reactor Regulation Docket No. 50-416

Enclosures:

1. Amendment No. 192 to NPF-29
2. Safety Evaluation cc w/encls: Distribution via Listserv

UNITED STATES NUCLEAR REGULATORY COMMISSION WASHINGTON, D.C. 20555-0001 ENTERGY OPERATIONS, INC.

SYSTEM ENERGY RESOURCES, INC.

SOUTH MISSISSIPPI ELECTRIC POWER ASSOCIATION ENTERGY MISSISSIPPI. INC.

DOCKET NO. 50-416 GRAND GULF NUCLEAR STATION, UNIT 1 AMENDMENT TO FACILITY OPERATING LICENSE Amendment No. 192 License No. NPF-29

1. The Nuclear Regulatory Commission (the Commission) has found that:

A. The application for amendment by Entergy Operations, Inc. (the licensee), dated June 27, 2012, complies with the standards and requirements of the Atomic Energy Act of 1954, as amended (the Act), and the Commission's rules and regulations setforth in 10 CFR Chapter I; B. The facility will operate in conformity with the application, the provisions of the Act, and the rules and regulations of the Commission; C. There is reasonable assurance (i) that the activities authorized by this amendment can be conducted without endangering the health and safety of the public, and (ii) that such activities will be conducted in compliance with the Commission's regulations; D. The issuance of this amendment will not be inimical to the common defense and security or to the health and safety of the public; and E. The issuance of this amendment is in accordance with 10 CFR Part 51 of the Commission's regulations and all applicable requirements have been satisfied.

Enclosure 1

-2

2. Accordingly, the license is amended as indicated in the attachment to this license amendment and Paragraph 2.E of Facility Operating License No. NPF-29 is hereby amended to read as follows:

The licensee shall fully implement and maintain in effect all provision of the Commission-approved physical security, training and qualification, and safeguards contingency plans ihcluding amendments made pursuant to provisions of the Miscellaneous Amendments and Search Requirements revisions to 10 CFR 73.55 (51 FR 27817 and 27822) and to the authority of 10 CFR 50.90 and 10 CFR 50.54(p). The plans, which contain Safeguards Information protected under 10 CFR 73.21, are entitled: "Physical Security, Safeguards Contingency and Training and Qualification Plan," and were submitted to the NRC on May 18, 2006.

The licensee shall fully implement and maintain in effect all provisions of the Commission-approved cyber security plan (CSP), including changes made pursuant to the authority of 10 CFR 50.90 and 10 CFR 50.54(p). The licensee's CSP was approved by License Amendment No. 186 as supplemented by a change approved by License Amendment No. 192.

3. This license amendment is effective as of its date of issuance and shall be implemented by December 31,2012.

FOR THE NUCLEAR REGULATORY COMMISSION Michael T. Markley, Chief Plant Licensing Branch IV Division of Operating Reactor Licensing Office of Nuclear Reactor Regulation

Attachment:

Changes to the Facility Operating License No. NPF-29 Date of Issuance: December 5, 2012

ATTACHMENT TO LICENSE AMENDMENT NO. 192 FACILITY OPERATING LICENSE NO. NPF-29 DOCKET NO. 50-416 Replace the following page of the Facility Operating License No. NPF-29 with the attached revised page. The revised page is identified by amendment number and contains marginal lines indicating the areas of change.

Facility Operating License Remove 16f 16f

(h) license condition shall expire upon satisfaction of in paragraph (f) provided that a visual of the steam dryer does not reveal any new unacceptable flaw or unacceptable flaw growth that is caused by D. The facility exemptions from certain requirements of ces A and J to 10 CFR Part 50 and from certain requirements of 10 CFR Part 100. These include: (a) exemption from General Design Criterion 17 of Appendix A until startup following the first refueling outage, for (1) the emergency override of the test mode for the Division 3 diesel (2) the second level undervoltage protection for the Division 3 diesel engine, and (3) the generator ground over current trip function for the Division 1 and 2 diesel generators (Section 8.3.1 of SSER #7) and (b) exemption from the of Paragraph III.D.2(b) (ii) of J for the containment airlock testing following normal door opening when containment integrity is not required (Section 6.2.6 of SSER #7). These exemptions are authorized by law and will not endanger life or property or the common defense and security and are otherwise in the public interest. In addition, by dated December 20, 1986, the Commission exempted licensees from 10 CFR 100.11(a) (1), insofar as it incorporates the definition of exclusion area in 10 CFR 100.3(a), until April 30, 1987 demonstration of authority to control all activities within the exclusion area (safety evaluation accompanying Amendment No. 27 to License (NPF-29). This exemption is authorized by law, and will not present an undue risk to the public health and and is consistent with the common defense and security. In addition, special circumstances have been found justifying the exemption.

Therefore, these are hereby granted pursuant to 10 CFR 50.12.

with the granting of these exemptions, the facility will operate, to the extent authorized herein, in with the application, as amended, the provisions of the Act and the rules and regulations of the Commission.

E. The licensee and maintain in effect all provision of the Commi ical security, training and qualification, and safeguards cont including amendments made pursuant to provisions of the Miscellaneous Amendments and Search Requirements revisions to 10 CFR 73.55 (51 FR 27817 and 27822) and to the authority of 10 CFR 50.90 and 10 CFR 50.54(p). The plans, which contain Safeguards Information protected under 10 CFR 73.21, are entitled: *Physical Security, Safeguards Cont and Training and Qualification Plan,"

and were submitted to the NRC on May 18, 2006.

The licensee shall fully and maintain in effect all provisions of the Commis cyber security plan (CSP) ,

including changes made pursuant to the authority of 10 CFR 50.90 and 10 CFR 50.54(p). The licensee's CSP was approved by License Amendment No. 186 as supplemented by a approved by License Amendment No. 192.

16fAmendment No. ~~, +/-+a f +/-&6, ~, 192

UNITED STATES NUCLEAR REGULATORY COMMISSION WASHINGTON, D.C. 20555*0001 SAFETY EVALUATION BY THE OFFICE OF NUCLEAR REACTOR REGULATION RELATED TO AMENDMENT NO. 192 TO FACILITY OPERATING LICENSE NO. NPF-29 ENTERGY OPERATIONS, INC .. ET AL.

GRAND GULF NUCLEAR STATION, UNIT 1 DOCKET NO. 50-416

1.0 INTRODUCTION

By application dated June 27, 2012 (Agencywide Documents Access and Management System (ADAMS) Accession No, ML12215A381), Entergy Operations, Inc. (Entergy, the licensee),

requested changes to the facility operating license for Grand Gulf Nuclear Station, Unit 1 (GGNS). The proposed change would revise the scope of Cyber Security Plan (CSP)

Implementation Schedule Milestone #6 and the existing license condition in the facility operating license. Milestone #6 of the CSP implementation schedule concerns the identification, documentation, and implementation of cyber security controls (technical, operational, and management) for critical digital assets (CDAs) related to target set equipment. Entergy is requesting to modify the scope of Milestone #6 to apply to the technical cyber security controls only. The operational and management controls, as described in Nuclear Energy Institute (NEI) 08-09, Revision 6, would be implemented concurrent with the full implementation of the cyber security program (Milestone #8). Thus, all CSP activities would be fully implemented by the completion date, identified in Milestone #8 of the licensee's CSP implementation schedule.

Portions of the letter dated June 27,2012, contain sensitive unclassified non-safeguards information and, accordingly, those portions are withheld from public disclosure.

2.0 REGULATORY EVALUATION

The U.S. Nuclear Regulatory Commission (NRC) staff reviewed and approved the licensee's existing CSP implementation schedule by License Amendment No. 186 dated July 27,2011 (ADAMS Accession No. ML111940165), concurrent with the incorporation of the CSP into the facility current licensing basis. The NRC staff considered the following regulatory requirements and guidance in its review of the current license amendment request to modify the existing CSP implementation schedule:

  • Title 10 of the Code of Federal Regulations (10 CFR) 73.54 states: "Each [CSP]

submittal must include a proposed implementation schedule. Implementation of Enclosure 2

-2 the licensee's cyber security program must be consistent with the approved schedule."

  • The licensee's facility operating license includes a license condition that requires the licensee to fully implement and maintain in effect all provisions of the Commission-approved CSP.
  • Amendment No. 186, dated July 27, 2011, which approved the licensee's CSP and implementation schedule, included the following statement: "The implementation of the cyber security plan (CSP), including the key intermediate milestone dates and the full implementation date, shall be in accordance with the implementation schedule submitted by the licensee on April 4, 2011, and approved by the NRC staff with this license amendment. All subsequent changes to the NRC-approved CSP implementation schedule will require prior NRC approval pursuant to 10 CFR 50.90."

the NRC staff acknowledged that the cyber security implementation schedule template was "written generically and licensees that use the template to develop their proposed implementation schedules may need to make changes to ensure the submitted schedule accurately accounts for site-specific activities."

3.0 TECHNICAL EVALUATION

3.1 Background Amendment No. 186 to Facility Operating License No. NPF-29 for GGNS was issued on July 27.2011. The NRC staff also approved the licensee's CSP implementation schedule, as discussed in the safety evaluation issued with the amendment. The implementation schedule had been submitted by the licensee based on a template prepared by NEI, which the NRC staff found acceptable for licensees to use to develop their CSP implementation schedules (ADAMS Accession No. ML110600218). The licensee's proposed implementation schedule for the cyber security program identified completion dates and bases for the following eight milestones:

1) Establish the Cyber Security Assessment Team (CSAT);
2) Identify Critical Systems and CDAs;
3) Install a deterministic one-way device between lower level devices and higher level devices;
4) Implement the security control "Access Control For Portable And Mobile Devices";
5) Implement observation and identification of obvious cyber related tampering to existing insider mitigation rounds by incorporating the appropriate elements;

-3

6) Identify, document, and implement cyber security controls as per "Mitigation of Vulnerabilities and Application of Cyber Security Controls" for CDAs that could adversely impact the design function of physical security target set equipment;
7) Commence ongoing monitoring and assessment activities for those target set CDAs whose security controls have been implemented; and
8) Fully implement the CSP.

3.2 Licensee's Proposed Change Currently, Milestone #6 of GGNS's CSP requires Entergy to identify, document, and implement cyber security controls for CDAs that could adversely impact the design function of physical security target set equipment by December 31, 2012. These cyber security controls consist of technical, operational, and management security controls. In its application dated June 27, 2012, Entergy proposed to modify Milestone #6 to change the scope of the cyber security controls due to be implemented on December 31, 2012, to include only the NEI 08-09, Revision 6, Appendix D technical security controls. Entergy proposed to amend its CSP to provide that operational and management security controls, identified in Milestone #6, will be fully implemented by a later date, which is the completion date identified in Milestone #8 of the CSP implementation schedule. The licensee stated that implementing the technical cyber security controls for target set CDAs provides a high degree of protection against cyber-related attacks that could lead to radiological sabotage. The licensee further stated that many of its existing programs are primarily procedure-based programs and must be implemented in coordination with the comprehensive cyber security program. The licensee also stated that the existing programs currently in place at GGNS (e.g., physical protection, maintenance, configuration management, and operating experience) provide sufficient operational and management cyber security protection during the interim period until the cyber security program is fully implemented.

3.3 Detailed Description of Changes Current paragraph 2.E of Facility Operating License NPF-29 states that The licensee shall fully implement and maintain in effect all provision of the Commission-approved physical security, training and qualification, and safeguards contingency plans including amendments made pursuant to provisions of the Miscellaneous Amendments and Search Requirements revisions to 10 CFR 73.55 (51 FR 27817 and 27822) and to the authority of 10 CFR 50.90 and 10 CFR 50.54(p). The plans, which contain Safeguards Information protected under 10 CFR 73.21, are entitled: "Physical Security, Safeguards Contingency and Training and Qualification Plan," and were submitted to the NRC on May 18, 2006.

The licensee shall fully implement and maintain in effect all provisions of the Commission-approved cyber security plan (CSP), including changes made pursuant to the authority of 10 CFR 50.90 and 10 CFR 50.54(p). The licensee's CSP was approved by License Amendment No. 186.

-4 Revised paragraph 2.E of Facility Operating License NPF-29 would state that The licensee shall fully implement and maintain in effect all provision of the Commission-approved physical security. training and qualification. and safeguards contingency plans including amendments made pursuant to provisions of the Miscellaneous Amendments and Search Requirements revisions to 10 CFR 73.55 (51 FR 27817 and 27822) and to the authority of 10 CFR 50.90 and 10 CFR 50.54(p). The plans. which contain Safeguards Information protected under 10 CFR 73.21, are entitled: "Physical Security, Safeguards Contingency and Training and Qualification Plan," and were submitted to the NRC on May 18. 2006.

The licensee shall fully implement and maintain in effect all provisions of the Commission-approved cyber security plan (CSP), including changes made pursuant to the authority of 10 CFR 50.90 and 10 CFR 50.54(p). The licensee's CSP was approved by License Amendment No. 186 as supplemented by a change approved by License Amendment No. 192.

3.4 NRC Staff Evaluation The intent of the cyber security implementation schedule was for licensees to demonstrate ongoing implementation of their cyber security program prior to full implementation, which is set for the date specified in Milestone #8. In addition to Milestone #6 and its associated activities, licensees will be completing six other milestones (Milestone #1 through #5 and Milestone #7) by December 31,2012. Activities include establishing a Cyber Security Assessment Team, identifying critical systems and CDAs, installing deterministic one-way devices between defensive levels, implementing access control for portable and mobile devices. implementing methods to observe and identify obvious cyber-related tampering, and conducting ongoing monitoring and assessment activities for target set CDAs. In the aggregate, the interim milestones demonstrate ongoing implementation of the cyber security program at GGNS.

The NRC staff has reviewed the licensee's evaluation of the proposed change in its submittal dated June 27, 2012, and concludes that by completing Milestone #1 through #5, Milestone #6 with implementation of technical controls to target set CDAs. and Milestone #7, GGNS will have an acceptable level of cyber security protection until full program implementation is achieved.

Technical cyber security controls include access controls, audit and accountability, CDA and communications protection, identification and authentication, and system hardening. These controls are executed by computer systems, as opposed to people, and consist of hardware and software controls that provide automated protection to a system or application. Implementation of technical cyber security controls promotes standardization, trust, interoperability. connectivity, automation, and increased efficiency. For these reasons, the NRC staff concludes that the licensee's approach is acceptable.

The NRC staff also recognizes that full implementation of operational and management cyber security controls in accordance with requirements of the GGNS CSP will be achieved with full implementation of the GGNS cyber security program by the date set in Milestone #8. That is, all required elements for the operational and management cyber security controls in accordance

- 5 with the GGNS CSP will be implemented in their entirety at the time of full implementation of the CSP.

The NRC staff does not regard the CSP milestone implementation dates as regulatory commitments that can be changed unilaterally by the licensee, particularly in light of the regulatory requirement at 10 CFR 73.54, that "[i]mplementation of the licensee's cyber security program must be consistent with the approved schedule." As the NRC staff explained in its letter to all operating reactor licensees dated May 9,2011 (ADAMS Accession No. ML110980538), the implementation of the plan, including the key intermediate milestone dates and the full implementation date shall be in accordance with the implementation schedule submitted by the licensee and approved by the NRC. All subsequent changes to the NRC-approved CSP implementation schedule, thus, will require prior NRC approval pursuant to 10 CFR 50.90.

3.5 Summary Based on its review of the licensee's submissions, the NRC staff concludes that the proposed changes to Milestone #6 of the licensee's CSP implementation schedule are acceptable. The NRC staff also concludes that, upon full implementation of the licensee's cyber security program, the requirements of the licensee's CSP and 10 CFR 73.54 will be met. Therefore, the NRC staff concludes that the proposed changes are acceptable.

4.0 REGULATORY COMMITMENT In its letter dated June 27,2012, Entergy made the following regulatory commitment:

Entergy will implement Milestones 1, 2, 3, 4, 5, and 7 described in Attachment 4 of letter dated April 4,2011 (GNRO-2011/00020), and the revised Milestone 6 in Attachment 4 of this submittal.

The NRC staff coneludes that reasonable controls for the implementation and for subsequent evaluation of proposed changes pertaining to the above regulatory commitment are best provided by the licensee's administrative processes, including its commitment management program. The above regulatory commitment does not warrant the creation of regulatory requirements (items requiring prior NRC approval of subsequent changes).

5.0 STATE CONSULTATION

In accordance with the Commission's regulations, the Mississippi State official was notified of the proposed issuance of the amendment. The State official had no comments.

6.0 ENVIRONMENTAL CONSIDERATION

This amendment relates solely to safeguards matters and does not involve any significant construction impacts. The Commission has previously issued a proposed finding that the amendment involves no significant hazards consideration, and there has been no public comment on such finding published in the Federal Register on September 11, 2012 (77 FR 55872).

Accordingly, the amendment meets the eligibility criteria for categorical exclusion set forth in

-6 10 CFR 51.22(c)(12). Pursuant to 10 CFR 51.22(b), no environmental impact statement or environmental assessment need be prepared in connection with the issuance of the amendment.

7.0 CONCLUSION

The NRC staff has concluded, based on the considerations discussed above, that: (1) there is reasonable assurance that the health and safety of the public will not be endangered by operation in the proposed manner, (2) there is reasonable assurance that such activities will be conducted in compliance with the Commission's regulations, and (3) the issuance of the amendments will not be inimical to the common defense and security or to the health and safety of the public.

Principal Contributors: T. Harris, M. Coflin Date: December 5, 2012

December 5,2012 Vice President, Operations Entergy Operations, Inc.

Grand Gulf Nuclear Station P.O. Box 756 Port Gibson, MS 39150

SUBJECT:

GRAND GULF NUCLEAR STATION, UNIT 1 -ISSUANCE OF AMENDMENT RE: REVISE THE SCOPE OF CYBER SECURITY PLAN IMPLEMENTATION SCHEDULE MILESTONE #6 (TAC NO. ME9113)

Dear Sir or Madam:

The U.S. Nuclear Regulatory Commission has issued the enclosed Amendment No. 192 to Facility Operating License No. NPF-29 for the Grand Gulf Nuclear Station, Unit 1. This amendment consists of changes to the Facility Operating License No. NPF-29 in response to your application dated June 27,2012.

The amendment revises the scope of Cyber Security Plan (CSP) Implementation Schedule Milestone #6 and paragraph 2.E of the facility operating license. The amendment modifies the scope of Milestone #6 to apply to the technical cyber security controls only. The operational and management controls, as described in Nuclear Energy Institute (NEI) 08-09, Revision 6, would be implemented concurrent with the full implementation of the cyber security program (Milestone #8). Thus, all CSP activities would be fully implemented by the completion date, currently identified in Milestone #8 of the licensee's CSP implementation schedule.

A copy of our related Safety Evaluation is also enclosed. The Notice of Issuance will be included in the Commission's next biweekly Federal Register notice.

Sincerely, IRAJ Alan Wang, Project Manager Plant Licensing Branch IV Division of Operating Reactor Licensing Office of Nuclear Reactor Regulation Docket No. 50-416

Enclosures:

1. Amendment No. 192 to NPF-29
2. Safety Evaluation cc w/encls: Distribution via Listserv DISTRIBUTION:

PUBLIC RidsNrrLAJBurkhardt Resource MCoflin, NSIR/DSP/CSIRB LPLIV r/f RidsNrrPMGrandGulf Resource THarris, NSIR/DSP/CSIRB RidsAcrsAcnw_MailCTR Resource RidsNsirDsp Resource TWengert, NRR/DORL RidsNrrDorlDpr Resource RidsOgcRp Resource JPoole, NRR/DORL RidsNrrDorlLpl4 Resource RidsRgn4MailCenter Resource

  • SE memo dated E NRRlLPL4/PM NRRlLPL4/LA DSP/CSIRB/BC OGC NLO AWang JBurkhardt CErlanger BMizuno 11/14/12 11/8/12 8/21112 11/16/12 OFFICIAL RECORD COPY