Text

NEI 13-10, Revision 6, Cyber Security Assessment.
	ML17234A615
Person / Time
Site:	Nuclear Energy Institute
Issue date:	08/31/2017
From:	; Nuclear Energy Institute
To:	; Office of Nuclear Security and Incident Response
	CHARITY PANTALO
Shared Package
ML17234A613	List: ML17234A615; ML17234A616;
References
	NEI 13-10, Rev 6
	Download: ML17234A615 (183)
	v • d • e

NEI 13-10 [Revision 6]

Cyber Security Control Assessments August 2017

[BLANK PAGE]

NEI 13-10 [Revision 6]

Nuclear Energy Institute Cyber Security Control Assessments August 2017 Nuclear Energy Institute, 1201 F Street N. W., Suite 1100, Washington D.C. (202.739.8000)

[BLANK PAGE]

ACKNOWLEDGMENTS This document has been prepared by the nuclear power industry with input and guidance from the United States Nuclear Regulatory Commission. While many individuals contributed heavily to this document, NEI would like to acknowledge the significant leadership and contribution of the following individuals.

Executive sponsor:

James Meister Exelon Corporation Core project team:

Patrick Asendorf Tennessee Valley Authority Matthew Coulter Duke Energy Corporation Ronald Cowley Talen Energy Corporation Nathan Faith Exelon Corporation Pam Frey Talen Energy Corporation Glen Frix Duke Energy Corporation Jan Geib South Carolina Electric & Gas Company William Gross Nuclear Energy Institute Christopher Kelley Exelon Corporation Ken Levandoski Exelon Corporation Tony Lowry Ameren Missouri Jerry Mills Duke Energy Corporation Jay Phelps South Texas Project Nuclear Operating Company Don Robinson Dominion Generation Geoff Schwartz Entergy James Shank PSEG Services Corporation Manu Sharma Exelon Corporation Laura Snyder Tennessee Valley Authority Larry Tremonti DTE Energy Brad Yeates Southern Nuclear Operating Company Michael Zavislak Tennessee Valley Authority NOTICE Neither NEI, nor any of its employees, members, supporting organizations, contractors, or consultants make any warranty, expressed or implied, or assumes any legal responsibility for the accuracy or completeness of, or assumes any liability for damages resulting from any use of, any information, apparatus, methods, or process disclosed in this report, or warrants that such may not infringe privately owned rights.

[BLANK PAGE]

NEI 13-10 (Revision 6)

August 2017 EXECUTIVE

SUMMARY

When the methodology to address cyber security controls was developed in the template for the cyber security plan, the industry believed there would be small handfuls of digital assets (CDAs) that would require a cyber security assessment. However, NEI understands that plants, including those with no digital safety-related systems, have identified many hundreds if not thousands of CDAs. Included are assets that range from those directly related to operational safety and security to those that, if compromised, would have no direct impact on operational safety, security, or emergency response capabilities.

This guidance document was developed to streamline the process for addressing the application of cyber security controls to the large number of CDAs identified by licensees when conducting the analysis required by 10 CFR 73.54(b). The goal is to minimize the burden on licensees of complying with their NRC approved cyber security plan, while continuing to ensure that the adequate protection criteria of 10 CFR 73.54 are met.

i

NEI 13-10 (Revision 6)

August 2017

[BLANK PAGE]

ii

NEI 13-10 (Revision 6)

August 2017 TABLE OF CONTENTS 1 INTRODUCTION ............................................................................................................ 1

1.1 BACKGROUND

.................................................................................................................1 1.2 SCOPE 1 1.3 PURPOSE .........................................................................................................................1 2 USE OF THIS DOCUMENT ............................................................................................ 2 3 CONSEQUENCE ASSESSMENT OF CDAS.................................................................... 4 3.1 EP CDAS ........................................................................................................................5 3.2 BOP CDAS .....................................................................................................................5 3.3 INDIRECT CDAS .............................................................................................................7 3.4 DIRECT CDAS.................................................................................................................8 4 EP FUNCTION MAINTAINED THROUGH ALTERNATE MEANS .................................... 9 5 BASELINE CYBER SECURITY PROTECTION CRITERIA............................................. 11 5.1 BOP CDAS THAT COULD CAUSE A REACTOR SCRAM/TRIP ...................................12 6 CYBER SECURITY CONTROL ASSESSMENTS OF DIRECT CDAS ............................. 13 APPENDIX A - FIGURES ..................................................................................................A-1 APPENDIX B - TEMPLATE ...............................................................................................B-1 APPENDIX C - EXAMPLES .............................................................................................. C-1 APPENDIX D - DIRECT CDA CLASSES AND ASSESSMENTS ........................................ D-1 APPENDIX E - NEI 13-10 FREQUENTLY ASKED QUESTIONS ........................................ E-1 APPENDIX F - GUIDANCE FOR APPLICATION OF NEI 08-09 APPENDIX E CONTROLS TO INDIRECT, EP, AND BOP CDAS........................................................................... F-1 1 TABLE DESCRIPTION................................................................................................ F-1 2 USE OF THE TABLE ................................................................................................... F-2 iii

NEI 13-10 (Revision 6)

August 2017

[BLANK PAGE]

iv

NEI 13-10 (Revision 6)

August 2017 CYBER SECURITY CONTROL ASSESSMENTS 1 INTRODUCTION

1.1 BACKGROUND

Title 10 of the Code of Federal Regulations, Part 73, Physical Protection of Plants and Materials, Section 73.54, Protection of Digital Computer and Communication Systems and Networks, requires that licensees provide high assurance that digital computer and communication systems and networks are adequately protected against cyber attacks, up to and including the design basis threat as described in 10 CFR 73.1.

10 CFR 73.54 requires that each licensee currently licensed to operate a nuclear power plant submit a cyber security plan (CSP) for Commission review and approval. Current applicants for an operating license or combined license must submit with or amend their applications to include a cyber security plan.

Further, 10 CFR 50.34(c)(2) states in part that Each applicant for an operating license for a utilization facility that will be subject to the requirements of 10 CFR 73.55 of this chapter must include a cyber security plan in accordance with the criteria set forth in 10 CFR 73.54 of this chapter. The Cyber Security Plan establishes the licensing basis for the Cyber Security Program.

The purpose of the Cyber Security Plan is to provide a description of how the requirements of 10 CFR 73.54, Protection of digital computer and communication systems and networks (Rule) are implemented.

Section 3.1.6 of the licensees CSP describes how that licensee addresses cyber security controls for digital assets that have been identified for protection against cyber attacks.

NEI 13-10 provides guidance licensees may use to streamline the process to address cyber security controls for CDAs consistent with the methodology described in CSP Section 3.1.6.

1.2 SCOPE This document provides guidance licensees may use to streamline the process for addressing the application of cyber security controls to those digital assets that a site specific analysis, performed in accordance with the requirements of 10 CFR 73.54 (b)(1),

determined require protection from cyber attacks up to and including the design basis threat as described in 10 CFR 73.1.

1.3 PURPOSE The purpose of this document is to provide guidance licensees may use to address cyber security controls for CDAs consistent with the methodology described in Section 3.1.6 of the Cyber Security Plan.

1

NEI 13-10 (Revision 6)

August 2017 2 USE OF THIS DOCUMENT The following method may optimize the use of the guidance in this document:

a) PRINT this document.

b) GATHER CDA-related information documented when implementing CSP Sections 3.1.3, 3.1.4, and 3.1.5.

c) PERFORM a consequence assessment of CDAs using the guidance in Section 3 of this document.

d) USE the guidance in Sections 3, 4, 5, and 6 of this document to divide the CDAs identified in Milestone 2 into categories, Emergency Preparedness (EP), Balance of Plant (BOP), Indirect, and Direct CDAs, for streamlining the application of cyber security controls to identified CDAs consistent with Section 3.1.6 of the CSP.

e) DOCUMENT the assessment and RETAIN the documents in accordance with the CSP.

In order to promote consistent implementation of the guidance, an implementing template and a series of worked examples have been developed. The examples intend to be both consistent with the guidance, and illustrative of the level of acceptable documentation. The template and examples are incorporated into Revision 1 to NEI 13-10. The body of Revision 1 was unchanged from Revision 0. The template and examples are incorporated as Appendices B and C, respectively.

Revision 2 to NEI 13-10 incorporates Section 6, Cyber Security Control Assessments of Direct CDAs and Appendix D. The guidance in Section 6 and Appendix D implements cyber security control assessments for Direct CDAs in a manner consistent with Section 3.1.6 of CSPs.

Revision 3 to NEI 13-10 builds on the guidance incorporated into Revision 2. Minor changes were made to the body of the document to: address an omission from Revision 2 in Section 6 regarding the use of the term access; to make it clear that the assessments provided in Appendix D do not cover all of the cyber security controls referenced in cyber security plans; and that this guidance may be used by licensees who have used RG 5.71 as a basis for their Cyber Security Plans. Finally, enhancements to the document were made to reflect lessons learned from early use of the document. These enhancements include removal of certain examples of Direct CDAs in Section 3.2 of Revision 2, introduction of a streamlining technique for certain balance-of-plant CDAs, corresponding clarifications to affected examples in Appendix C, and enhancements to the baseline controls for certain balance-of-plant CDAs to ensure consistency with the CIP Reliability Standards.

Revision 4 incorporates additional CDA classes and assessments into Appendix D, building on the work added in Revision 2. Conforming changes were made to the following Class A.1 control responses: D1.21 Third Party Products and Controls, and D3.21 Fail in Known (Safe) State.

2

NEI 13-10 (Revision 6)

August 2017 Revision 5 addresses lessons learned from a workshop conducted in 2016 that included industry and NRC observers. Revision 5 modified Section 3 to enhance clarity for assigning CDAs to categories. Tables 1 and 2 from Revision 4 were removed and the guidance contained in those tables was moved to body of the text. Figures 1 and 2 in Appendix A were used to develop a sample template in Appendix B. The BOP category was added to the example template in Appendix B. Changes to reflect the enhancements to Revision 5 were incorporated into the examples in Appendix C. Two additional Appendices were added.

Appendix E contains questions and answers based on lessons learned. Appendix F addresses NEI 08-09, Revision 6 programmatic controls for non-Direct CDAs.

Revision 6 addresses comments resulting from the NRCs review of NEI 13-10, Revision 5.

Those comments were provided to NEI by letter dated July 21, 2017 (Adams Accession Number: ML17179A266). The following three items were addressed in Revision 6:

1. Revision 6 was clarified regarding the term safety functions with respect to the identification of CDAs as Direct or Indirect. Conforming changes were made to questions 1 and 2 in Appendix E.

2. Question 6 of Appendix E was clarified to indicate that for limited capability devices, detection may be possible using existing administrative measures.

3. The template in Appendix B and examples in Appendix C were clarified to correctly reference the figures in Appendix A.

3

NEI 13-10 (Revision 6)

August 2017 3 CONSEQUENCE ASSESSMENT OF CDAS Section 3.1.6 of the CSP allows licensees to address the security controls provided in the CSP using alternate security controls if they provide at least the same protection as the required security controls. The Consequence Assessment provided in NEI 13-10 provides a method to assess alternate means of protecting low consequence CDAs (i.e., CDAs that are not Direct as described in NEI 13-10) from cyber attacks. The technical basis of the Consequence Assessment provided in this document is that the combination of the criteria for being a non-Direct CDA and the implementation of the resulting baseline cyber security controls provides equal protection as the protection provided by the required technical security controls in NEI 08-09.

Licensees may use the guidance detailed in this section to categorize low consequence CDAs into EP, BOP, or Indirect based on the potential consequence of a cyber compromise of the CDAs and to identify alternate security controls that are appropriate for the CDAs.

Any CDA that has not been determined to be a low consequence CDA is a Direct CDA.

Appendix D of this document provides examples of cyber assessments for certain Direct CDAs. A Consequence Assessment may result in the determination that certain baseline cyber security controls specified in Section 5 of this document, Baseline Cyber Security Protection Criteria, provide adequate cyber security protection for the CDA. The Consequence Assessment and the baseline requirements in Section 5 may be used as a means to address the alternative analysis requirements specified in Section 3.1.6 of the CSP.

The CDAs SSEP function and the evaluation of the potential impacts resulting from a cyber attack on the CDA may result in the CDA being qualified to be categorized as an EP, BOP or Indirect CDA rather than a Direct CDA. However, redundancy is not used as a factor in determining if a CDA is an EP, BOP, Indirect or Direct CDA.

CDAs which perform multiple SSEP functions must be evaluated in this Consequence Assessment based the most consequential category (i.e., Direct, then either Indirect, BOP, or EP).

Consistent with Section 4.4 and 4.5 of their CSPs, licensees will establish a program to ensure that CDAs are continuously protected from cyber attacks including implementing any necessary measures to address new vulnerabilities in accordance with the CSP.

NEI 13-10 provides guidance for addressing technical cyber security controls for CDAs. As a result, cyber security controls from Appendix D, Technical Cyber Security Controls, and selected cyber security controls from Appendix E, Operational and Management Cyber Security Controls, of NEI 08-09 are addressed in NEI 13-10. The remaining Appendix E operational and management controls must be addressed programmatically in accordance with Section 3.1.6 of the CSP for CDAs. Appendix F of NEI 13-10, Revision 6, provides a template to address the NEI 08-09, Appendix E, operational and management controls for CDAs not classified as Direct. Appendix F of NEI 13-10 describes the use of existing plant programs to address the NEI 08-09, Appendix E, controls for the non-Direct CDAs, consistent with CSP Section 3.1.6.

4

NEI 13-10 (Revision 6)

August 2017 3.1 EP CDAS EP CDAs are those CDAs that support licensees performance of EP functions and that have an independent alternate means of performing those functions. EP CDAs must meet the following criteria:

1. The CDA only supports an EP function and does not perform or support any other Safety, Important-to-Safety or Security function.

2. An Alternate Means assessment is performed in accordance with Section 4 of this document to demonstrate and document that an independent alternate means of performing the EP function will be available in sufficient time such that the compromise of the CDA would not adversely impact the licensees ability to perform that EP function.

3. EP CDAs must meet all of the requirements defined in Section 4 of this document.

For EP CDAs, licensees may address the technical security controls provided in their CSP using the method provided in Section 3.1.6 of their CSP by documenting that the CDAs meet the EP CDA criteria described above and by implementing the baseline controls for EP CDAs as described in Section 5.

3.2 BOP CDAS BOP CDAs are those CDAs that were added to the scope of the cyber security rule during the resolution of FERC Order 706-B. The following language was included within licensee CSPs to include the balance-of-plant into the scope of 10 CFR 73.54:

Within the scope of NRCs cyber security rule at Title 10 of the Code of Federal Regulations (10 CFR) 73.54, systems or equipment that perform important to safety functions include structures, systems, and components (SSCs) in the balance of plant (BOP) that could directly or indirectly affect reactivity at a nuclear power plant and could result in an unplanned reactor shutdown or transient. Additionally, these SSCs are under the licensees control and include electrical distribution equipment out to the first inter-tie with the offsite distribution system.

NEI 10-04, Identifying Systems and Assets Subject to the Cyber Security Rule, Revision 2, provides guidance for identifying Critical Systems and CDAs. Section 5 of NEI 10-04 provides the following guidance, in the form of questions, for identifying important-to-safety Critical Systems:

1. Is this a non-safety related system whose failure could adversely impact any of the functions identified in the previous three Safety Systems questions?

2. Is this a non-safety related system that is part of the primary success path and functions or actuates to mitigate a transient that either assumes the failure of or 5

NEI 13-10 (Revision 6)

August 2017 presents a challenge to the integrity a fission product barrier?

3. Has operating experience or a probabilistic risk assessment shown that a non-safety related system function is significant to public health and safety?

4. Does the non-safety related system function to provide real-time or near-real-time plant status information to the operators for the safe operation of the plant during transients, and accidents?

5. Is this a structure, system, or component in the balance of plant that could directly or indirectly affect reactivity at a nuclear power plant and could result in an unplanned reactor shutdown or transient?

6. Is this a non-safety system required to maintain defense-in-depth and diversity requirements?

Question 5 was added to ensure licensees identify those BOP SSCs added to address FERC Order 706-B and to support meeting the commitment language in the CSP. Where a licensee answered YES to Question 5 and NO to the remaining NEI 10-04 questions, the associated CDAs can be identified as a BOP CDA for the purposes of NEI 13-10.

These screening questions identifies that, if compromised, the BOP CDA could not have an adverse impact to Safety functions because: (1) the current accident or other analysis bounds the failure of the BOP CDAs or systems; (2) the plant operators apply their training and operating experiences including manual operator actions to ensure that plant conditions caused by cyber compromise of the BOP CDA are maintained within safety limits; and, (3) the equipment that performs Safety functions are isolated from the BOP CDAs. Based on the above, a cyber compromise of BOP CDAs cannot lead to adverse impact to Safety CDAs or systems. Therefore, unlike the other non-direct CDAs, the time required to detect and mitigate the cyber compromise of BOP CDAs before adverse impact to safety CDAs or systems need not be determined.

Where a licensee answered YES to any of the other NEI 10-04 screening questions, associated CDAs should be screened for Indirect, as described below.

The language added to the CSPs (and reflected in Question 5) includes a broader set of BOP CDAs than those that are of interest to FERC (e.g., the CSP language includes assets that could cause a reactivity change or transient but not result in a reactor SCRAM/trip). BOP CDAs whose failure or cyber compromise could cause a reactor SCRAM/trip require additional security controls from NEI 08-09 Appendix D to be implemented where technically feasible, as specified in Section 5.1 of this document.

These controls are applied to align with NERC CIP requirements.

Some stations may choose to classify their BOP CDAs as members of the Indirect category; however, this will not alleviate the need to address the additional controls listed in Section 5.1 for BOP CDAs that are SCRAM/Trip initiators.

For BOP CDAs, licensees may comply with the requirements of Section 3.1.6 of their Cyber Security Plans by documenting that the CDA meets the criteria described above and implementing the baseline controls for BOP CDAs as described in Section 5.

6

NEI 13-10 (Revision 6)

August 2017 3.3 INDIRECT CDAS Indirect CDAs are those CDAs that cannot have an adverse impact on Safety or Security functions prior to their compromise or failure being detected and compensatory measures being implemented by a licensee.

Specifically, Indirect CDAs must meet the following criteria:

1. If compromised, would not have an adverse impact on Safety or Security functions.

2. Are not indicators/annunciators solely relied-on for making Safety or Security decisions.

3. The compromise of which can be detected, and compensatory measures taken, prior to an adverse impact to Direct CDAs or Safety or Security functions.

Provide analysis including the following to show the compromise can be detected and mitigated prior to adverse impact:

a) Determine and document the time period required, once an Indirect CDA has been compromised, for both detection and compensatory measures to be taken prior to an adverse impact to Safety and Security functions. The time period required may be based on existing analyses.

b) Document a method, and associated implementing procedures, for the detection of an Indirect CDA compromise and/or failure.

c) Document implementation strategies for compensatory measures to eliminate the adverse impact to Safety and Security functions in all operating modes.

d) Document the technical justification for how the detection activities and compensatory measures (i.e., Steps b and c above) for the Indirect CDA compromise and/or failure are sufficient and will occur within the time period determined by the licensee in Step a.

For the purposes of the Indirect screening, the following SSCs are considered to perform Safety functions: Safety-Related or Non-Safety-Related SSCs that are relied upon to remain functional during any plant conditions to ensure:

a. The integrity of the reactor coolant pressure boundary;

b. The capability to shut down the reactor and maintain it in a safe shutdown condition; or

c. The capability to prevent or mitigate the consequences of accidents which could result in potential offsite exposures comparable to those referred to in 10 CFR 50.34(a)(1), 10 CFR 50.67(b)(2), or 10 CFR 100.11.

For Indirect CDAs, licensees may comply with the requirements of Section 3.1.6 of their Cyber Security Plans by documenting that the CDA meets the criteria described above and by implementing baseline controls for Indirect CDAs as described in Section 5.

7

NEI 13-10 (Revision 6)

August 2017 3.4 DIRECT CDAS In general, Direct CDAs are those CDAs that have not been determined to be Indirect, BOP or EP CDAs. Since the required security controls in NEI 08-09 are addressed for Direct CDAs, it is not necessary to show that a CDA is a Direct CDA. Licensees may use streamlining techniques, when applicable, for addressing the applicability of security controls to Direct CDAs. These include the use of common controls, inherited controls, and type assessments when such measures adequately address attack pathways and vectors associated with the Direct CDAs. These techniques can reduce the effort required for addressing protections for Direct CDAs.

In general, the term common control means a particular security control whose implementation provides a security benefit to multiple CDAs. The term inherited controls (technical) refers to a situation in which a CDA receives protection from technical security controls (or portions of security controls) that are developed and implemented elsewhere such as on another CDA. Finally, the term type assessment or grouping of CDAs refers to a situation in which multiple CDAs share substantially similar technical features, functions and capabilities. For type assessments, a single assessment is created noting the differences, if any, between the devices.

In cases where a technical control cannot be implemented, a threat vector associated with the technical control exists, and the CDA is unable to inherit the associated protections from another CDA, an alternate control (including administrative controls if alternative technical security controls cannot be used to address the security controls) can be used to mitigate the associated risk. Section 3.1.6 of the CSP describes the criteria for the implementation of alternate security controls.

Section 6, Cyber Security Control Assessments of Direct CDAs and Appendix D of this document implements cyber security control assessments for Direct CDAs in a manner consistent with Section 3.1.6 of CSPs.

Redundancy should not be used as a factor in determining if a CDA is an Indirect, BOP, EP or Direct CDA.

Some examples of Direct CDAs:

Digital emergency diesel generator governor;

Digital turbine driven auxiliary feedwater pump governors;

RCS pressure instruments with control functions and/or input to the Reactor Protection System for initiation of a plant trip;

CDAs identified in accordance with Milestone 6; and

Security computer alarm station server(s).

8

NEI 13-10 (Revision 6)

August 2017 4 EP FUNCTION MAINTAINED THROUGH ALTERNATE MEANS As specified in Section 3.1.6 of licensees NRC-approved CSPs, a licensee has the flexibility to perform and document an analysis for the implementation of alternative controls and/or countermeasures for one or more of the corresponding cyber security controls enumerated in Appendices D and E of NEI 08-09, Revision 6. The alternative controls and/or countermeasures must eliminate threat/attack vector(s) associated with the cyber security controls, and provide at least the same degree of cyber security protection as the corresponding cyber security control. The licensee must perform and document an analysis for the use of alternative controls or countermeasures to address the cyber security controls as specified in Section 3.1.6 of the licensees NRC-approved CSPs. This guidance may be used for CDAs associated only with EP functions, and are not otherwise relied on for Safety-Related, Important-to-Safety, or Security functions.

Where an assessment determines that cyber attacks on CDAs associated with EP functions would not adversely impact the ability to implement the EP function, because licensees can detect the consequences of the potential cyber compromise of the CDA and initiate independent alternative means in time to prevent adverse impact to the EP functions that are supported by the CDAs, then the required technical security controls for the CDAs can be addressed by application of baseline security criteria as described in Section 5.

Changes to measures credited as providing an alternate method of maintaining the EP function must be subject to review (e.g., existing program reviews, procedure revision reviews, or use of configuration management) to ensure the changes would not challenge the adequacy of the alternate method.

The licensee must determine whether an alternative means allows the performance of the intended emergency response function despite cyber attacks. For EP CDAs with an alternative means, licensees may comply with the requirements of Section 3.1.6 of their Cyber Security Plans by implementing the following guidance:

1. Document alternate means available for performing the intended EP function, including offsite communications.

2. Document that one or more of the alternate means are administrative, non-digital, or if digital are adequately independent.

Note:

a. Two means would be considered adequately independent if they do not rely on equipment that if compromised by cyber attacks would adversely impact both means of performing the EP function (e.g., a PBX-based phone system vs.

satellite phones, data obtained by MET tower vs. data obtained through a weather service, data obtained from SPDS vs. received via fax, etc.).

9

NEI 13-10 (Revision 6)

August 2017

b. Administrative methods, including actions performed by personnel, can be considered as an alternate means provided they do not depend on identified CDA(s) for which controls have not been assessed.

3. Document how the equipment, that a compromise of the CDA would impact, is periodically checked to ensure the equipment is capable of performing its intended function and an appropriate response initiated, if needed. Specifically, document how a cyber attack that would prevent the EP-related equipment from performing its intended function would be detected and responded to prior to an adverse impact on the EP-related function during a radiological emergency.

Note:

a. Measures for detection and response may be technical, procedural, or administrative, and could include periodic functional or availability testing (e.g.,

existing periodic operability tests performed on plant systems or equipment). The measures in place must be performed at a frequency to ensure the ability to employ the alternate means in a timeframe sufficient to mitigate the adverse consequences of a cyber attack.

4. Document how appropriate facility personnel are trained to use the alternate method.

5. Implement and document the baseline cyber security protections (d, e, f, and g) as described in Section 5 of this document for the CDA.

10

NEI 13-10 (Revision 6)

August 2017 5 BASELINE CYBER SECURITY PROTECTION CRITERIA An assessment using the guidance in Section 3 permits licensees to demonstrate that alternative controls and countermeasures are sufficient to provide adequate protection of CDAs. For these CDAs, the baseline set of cyber security protections are sufficient to provide high assurance that the CDAs are adequately protected against cyber attacks up to and including the design basis threat as described in 10 CFR 73.1.

Where these baseline cyber security criteria are not met, the licensee must document and implement additional security controls to ensure adequate protections are in place for the CDA. These additional security controls are implemented using the methodology in CSP Section 3.1.6.

Changes to the baseline cyber security controls must be reviewed in accordance with the CSP to ensure the non-Direct CDAs remain adequately protected from cyber attacks.

Where a licensee chooses to credit these baseline cyber security controls for an Indirect, BOP, or EP CDA, the licensee must confirm these baseline minimum controls criteria are met. EP CDAs may be considered to be adequately protected from cyber attacks if baseline criteria d, e, f, and g are met. A BOP CDA or Indirect CDA may be considered to be adequately protected from cyber attacks if all of the following baseline criteria are met:

a) The CDA, as identified using the analysis set forth in Section 3 of this document, is located within a Protected or Vital Area or the cyber security controls in NEI 08-09, Appendix E, Section E.5 Physical and Operational Environment Protection, are addressed.

b) The CDA and any interconnected assets do not have wireless internetworking communications technologies.

c) The CDA and any interconnected assets are either air-gapped or isolated by a deterministic isolation device. In order to properly fulfill their SSEP function, some non-Direct CDAs are excluded from the requirement to be air-gapped or isolated by a deterministic isolation device. These CDAs include but may not be limited to:

1. Communication systems such as a PBX, Radio systems, or other devices whose SSEP function requires external communication. These communication systems and networks must not provide an attack pathway to isolated devices, systems, or networks.

2. Log aggregation and event correlation servers which reside outside the deterministic isolation device or which reside on the corporate business networks to fulfill the site wide aggregation, monitoring, and alerting functions.

11

NEI 13-10 (Revision 6)

August 2017 d) Use of portable media and mobile devices is controlled according to NEI 08-09 D.1.19 in order to ensure the CDA will not be compromised as a result of the use of portable media and mobile devices.

e) Changes to the CDA are evaluated and documented before implementation to ensure the following:

1. Baseline security criteria remain in place and effective.

2. No new pathways or vulnerabilities have been created.

3. No change to CDA would now make it Direct.

4. Threat and vulnerability notifications received from credible sources are screened, evaluated, mitigated and dispositioned in accordance with the CSP.

f) The CDA, or the interconnected equipment that would be affected by the compromise of the CDA, is periodically checked to ensure the equipment is capable of performing its intended function. These checks could include any routine check performed to determine the functional or operational availability of the equipment. The periodicity of checks must be sufficient to ensure detection and mitigation of cyber attacks prior to an adverse impact to any Safety, Security, or EP functions resulting from cyber attacks. Section 3.1.6(2)(d) of the CSP allows licensees to implement an alternate periodicity for security controls by documenting the basis for the alternate periodicity.

g) Ongoing Monitoring and Assessment is performed to ensure the security posture of the CDA is maintained by verifying that baseline security criteria remain in place.

5.1 BOP CDAS THAT COULD CAUSE A REACTOR SCRAM/TRIP For BOP CDAs whose failure or cyber compromise could cause a reactor scram/trip, the following additional security controls from NEI 08-09 Appendix D are implemented where technically feasible (i.e., the CDA supports the technical functionality and features):

D.1.2, Account Management D.1.6, Least Privilege D.1.7, Unsuccessful Login Attempts D.4.1, Identification and Authentication Policies and Procedures D.4.3, Password Requirements D.5.5, Installing Operating Systems, Applications and Third-Party Software Updates 12

NEI 13-10 (Revision 6)

August 2017 6 CYBER SECURITY CONTROL ASSESSMENTS OF DIRECT CDAS Section 3.2, Direct CDAs, describes several streamlining techniques for performing cyber security control assessments. These techniques include the use of common controls, alternate controls, control inheritance, and type assessments.

Appendix D to this document implements type assessments for Direct CDAs. Appendix D provides a class description and a corresponding cyber security control assessment table for the class. The class description enumerates generic properties of a digital device relevant to addressing technical cyber security controls for devices having those properties. The class description also includes examples of digital devices in that class. The cyber security control assessment table addresses technical cyber security controls for the class. The assessment is provided in tabular format for ease of reference; however, the table may be incorporated into other tools at the licensees discretion.

Access- the term access as used in NEI 08-09 Rev. 6 Appendix D is defined as access to data, program code, logic or configuration settings within a CDA through a local or remote, machine or human interface that could result in an adverse impact to an SSEP function.

The cyber security control assessment table includes the following columns:

Control Number - the cyber security control number corresponding to NEI 08-09, Revision 6, Appendices D or E;

Control - the cyber security control name corresponding to NEI 08-09;

Common - the control may be implemented organizationally and applied to all CDAs;

Apply to CDA - licensee must address this control for the CDA or class;

Alternate - the cyber security control may be met through alternate means;

Not Applicable - the cyber security control is not applicable to the CDA; and,

Basis - provides a justification for the determination of control applicability (i.e.,

common, apply to CDA, alternate, or not applicable). The Basis column references or reproduces statements from the class document to support the justification. NOTE: cyber security control references in the Basis column of a specific assessment table are indices to those cyber security controls within that same assessment table.

The guidance in Appendix D of NEI 13-10 may be used as follows:

1) Determine the class for a given CDA using the CDAs technical documentation and the class description in Appendix D.

2) Use the Appendix D cyber security control assessment table for the class to identify those cyber security controls marked, Apply to CDA.

13

NEI 13-10 (Revision 6)

August 2017

3) Address the controls identified in Step 2, above, in accordance with CSP Section 3.1.6.

Documentation of how the class was determined in Step 1, above, and how the cyber security controls were addressed in Step 3, above, should be retained and available for inspection.

Once the class of a given CDA has been determined, that information may be shared among licensees. For example, if a licensee determines that a Rosemount 3153N digital transmitter is a Class A.1 device, that information may be shared with other licensees.

Because it may be the case that devices with the same make and model number may not be identical (i.e., some devices with the same make and model number may have differing digital capabilities), licensees should confirm their CDAs meet the class description.

14

NEI 13-10 (Revision 6)

August 2017 APPENDIX A - FIGURES Appendix A provides figures illustrating the guidance in Sections 3 and 4 of this document.

All Identified CDAs Do not use this flowchart without following the guidance in Section 3.

Enhance measures 3.0 4 5 to meet minimum Associated with CDAs Function Minimum cyber Yes Yes No cyber security that perform only an EP maintained through security criteria d, criteria or proceed function. alt. means e, f and g met to 3.2.

Determined by Section No 4 and Figure 2 Yes No Current measures are adequate to meet CSP Section 3.1.6 5.1 Implement 3.1 Can compromise Additional Controls Yes Yes BOP CDA cause Trip/ in section 5.1 where SCRAM technically feasible.

Yes No No 5 Enhance measures 3.2 3.2 Minimum cyber to meet minimum Yes Adverse impact Yes No Indirect CDA security criteria cyber security mitigated met criteria As described in No Section 5 No 3.3 Address cyber security controls Figure 1 - Consequence Assessment A-1

NEI 13-10 (Revision 6)

August 2017

[BLANK PAGE]

A-2

NEI 13-10 (Revision 6)

August 2017 Do not use this flowchart without following the guidance in Section 4.

Begin Implement Implement Document alternate detection and Implement alternate Appropriate Training means or proceed to response measures means or proceed to section 3.2 or proceed to sectin section 3.2 3.2 No No No No 4.2 4.0 One or more alt. 4.3 4.4 Function 4.1 means administrative, Detection and Appropriate maintained Yes Yes Alt. means Yes Yes non-digital, or response measures training through alt. documented adequately in place provided means independent No Yes No Answer: No on to 4 on Answer: Yes to 4 on Figure 1 Figure 1 Figure 2 - Alternative Means Assessment for EP A-3

NEI 13-10 (Revision 6)

August 2017

[BLANK PAGE]

A-4

NEI 13-10 (Revision 6)

August 2017 APPENDIX B - TEMPLATE Appendix B provides an example implementing template consistent with the guidance.

B-1

NEI 13-10 (Revision 6)

August 2017

[BLANK PAGE]

B-2

NEI 13-10 (Revision 6)

August 2017 CDA IMPACT ASSESSMENT FORM CDA Identification:

CDA Number: CDA

Description:

Additional CDA Numbers, IF performing assessment of grouped CDAs. Ensure you have documented criteria and technical basis for grouping CDAs:

Emergency Planning (EP) Consequence Assessment: (Steps 1.0 to 1.6)

Consequence Assessment (Reference Section 3 and Appendix A, Figure 1 - Consequence Assessment) 1.0 Figure 1, Box 3.0 Does CDA perform ONLY an EP-related or EP support systems and YES NO equipment?

Note: The following guidance may be used for CDAs associated with EP functions that are not otherwise also relied on for safety, important-to-safety, or security functions. For safety, important-to-safety, or security functions proceed to Step 3.0 If YES, document applicable 10 CFR 50.47 Planning Standard(s) the CDA supports below:

If YES, document applicable NUREG -0654 Section(s) the CDA supports below:

If YES, document the Emergency Planning function(s) the CDA supports below:

IF YES, THEN proceed Step 1.1 IF NO, THEN proceed to Step 2.0 1.1 Figure 2, Box 4.0 Are alternate means available for performing the intended EP YES NO function, including offsite communications? (as specified by Section 4)? Document basis for YES or NO answer:

IF YES, THEN proceed to Step 1.2 IF NO, THEN proceed to Step 3.0 1.2 Figure 2, Box 4.2 Are one or more of the alternate means administrative, non-digital, or YES NO B-3

NEI 13-10 (Revision 6)

August 2017 if digital is it adequately independent? Document basis for YES or NO answer:

Note:

1.) Two means would be considered adequately independent if they do not rely on equipment that if compromised by cyber attacks would adversely impact both means of performing the EP function (e.g., a PBX-based phone system vs.

satellite phones, data obtained by MET tower vs. data obtained through a weather service, data obtained from SPDS vs. received via fax, etc.).

2.) Administrative methods, including actions performed by personnel, can be considered as an alternate means provided they do not depend on identified CDA(s) for which controls have not been assessed.

IF YES, THEN proceed to Step 1.3 IF NO, THEN proceed to Step 3.0 1.3 Figure 2, Box 4.1 Is the alternate means documented? (as described in Section 4). YES NO Document basis for YES or NO answer:

Note: The alternate means must be documented in a plant plan, policy, or implementing procedure.

IF YES, THEN proceed to Step 1.4 IF NO, THEN remediate or go to Step 3.0 1.4 Figure 2, Box 4.3 Is the equipment that a compromise of the CDA would impact YES NO periodically checked to ensure the equipment is capable of performing its intended function and an appropriate response initiated, if needed? (as described in Section 4).

Document basis for YES or NO answer.

Note:

1.) Specifically, a cyber attack that would prevent the EP-related equipment from performing its intended function can be detected and responded to prior to an adverse impact on the EP-related function during a radiological emergency.

2.) Measures for detection and response may be technical, procedural, or administrative, and could include periodic functional or availability testing (e.g., existing periodic operability tests performed on plant systems or equipment).

The measures in place must be performed at a frequency to ensure the ability to employ the alternate means in a timeframe sufficient to mitigate the adverse consequences of a cyber attack.

IF YES, THEN proceed to Step 1.5 IF NO, THEN remediate or go to Step 3.0 1.5 Figure 2, Box 4.4 Are appropriate facility personnel trained to use the alternate method? YES NO (as described in Section 4)? Document basis for YES or NO answer:

IF YES, THEN proceed to Step 1.6 IF NO, THEN remediate or go to Step 3.0 1.6 Figure 1, Box 5 Are baseline cyber security protection criteria d, e, f, and g in place? YES NO (as described in Section 5)? Ensure each of the following baseline criteria are met.

d. Document how portable media and mobile devices are controlled according to NEI 08-09 D.1.19 in order to ensure the CDA will not be compromised as a result of the use of portable media and mobile devices.

B-4

NEI 13-10 (Revision 6)

August 2017

e. Document how changes to the CDA are evaluated and documented before implementation to ensure the following:

1. Baseline security criteria remain in place and effective.

2. No new pathways or vulnerabilities have been created.

3. No change to CDA would now make it Direct.

4. Threat and vulnerability notifications received from credible sources are screened, evaluated, mitigated and dispositioned in accordance with the CSP.

f. Document how the CDA, or the interconnected equipment that would be affected by the compromise of the non-Direct CDA, is periodically checked to ensure the equipment is capable of performing its intended function. These checks could include any routine check performed to determine the functional or operational availability of the equipment. The periodicity of checks must be sufficient to ensure detection and mitigation of cyber attacks prior to an adverse impact to SSEP functions resulting from cyber attacks. Document the actions taken to periodically ensure equipment is capable of performing its intended function.

g. Document how ongoing Monitoring and Assessment is performed to ensure the security posture of the CDA is maintained by verifying that baseline security criteria remain in place.

IF YES, THEN current measures are adequate to meet IF NO, THEN remediate or go to Step 3.0 Section 3.1.6 of the Cyber Security Plan.

B-5

NEI 13-10 (Revision 6)

August 2017 Balance of Plant (BOP) CDA Consequence Assessment: (Steps 2.0 to 2.1) 2.0 Figure 1, Box 3.1 Is the CDA a BOP CDA as described in Section 3.2? Document the YES NO CDAs function and the basis for YES or NO answer.

Note: BOP CDAs include only those CDAs where added to program to meet FERC Order 706-B. Refer to section 3.2 of NEI 13-10 for criteria.

IF YES, THEN proceed to Step 2.1 IF NO, THEN proceed to Step 3.0 2.1 Figure 1, Box 5.1 Can a compromise of the CDA cause a reactor SCRAM/Trip? YES NO If YES IF YES, Implement these additional controls (when technically feasible):

D.1.2, Account Management D.1.6, Least Privilege D.1.7, Unsuccessful Login Attempts D.4.1, Identification and Authentication Policies and Procedures D.4.3, Password Requirements D.5.5, Installing Operating Systems, Applications and Third-Party Software Updates Proceed to Step 3.2 If NO Proceed to Step 3.2 Indirect CDA Consequence Assessment: (Steps 3.0 to 3.2) 3.0 Figure 1, Box 3.2 Is the CDA an indirect CDA as described in Section 3.3? Document YES NO the CDAs function and the basis for YES or NO answer.

Note: Indirect CDAs include only those CDAs that meet all three of the following criteria:

1. If compromised, would not have a near-term adverse impact on Safety or Security functions.

2. Are not indicators/annunciators solely relied-on for making Safety or Security decisions.

3. The compromise of which can be detected, and compensatory measures taken, prior to an adverse impact to direct CDAs or Safety or Security functions. Provide analysis including the following to show the compromise can be detected and mitigated prior to adverse.

IF YES, THEN proceed to Step 3.1 IF NO, THEN proceed to Step 4.0 Figure 1, Box 3.2 Adverse Impact Mitigated - Has the licensee determined, 3.1 YES NO documented, and implemented the following:

Determine and document the time period required, once an indirect CDA has been compromised, for both

a. detection and compensatory measures to take place prior to an adverse impact to Safety and Security functions. The time period required may be based on existing analyses.:

B-6

NEI 13-10 (Revision 6)

August 2017 Document a method, and associated implementing procedures, for the detection of an indirect CDA b.

compromise and/or failure within the minimum time period.

Document implementation strategies for compensatory measures to eliminate the adverse impact to direct c.

CDAs or Safety or Security functions in all operating modes.

Document the technical justification for how the detection activities and compensatory measures (i.e., Steps b

d. and c above) for indirect CDA compromise and/or failure are sufficient and will occur within the minimum time period determined by the licensee in Step a.

IF YES, THEN proceed to Step 3.2 IF NO, THEN proceed to Step 4.0 Figure 1, Box 5 Are the baseline Cyber Security protections described in Section 5 of 3.2 YES NO NEI 13-10 in place for the CDA? Ensure each of the following baseline criteria are met.

a. Document that the CDA, as identified using the analysis set forth in Section 3.1 or 3.2 of this document, is located within a Protected or Vital Area or the cyber security controls in NEI 08-09, Appendix E, Section E.5 Physical and Operational Environment Protection, are addressed.

b. The CDA and any interconnected assets do not have wireless internetworking communications technologies.

Document how wireless networking is addressed for the CDA.

c. The CDA and any interconnected assets are either air-gapped or isolated by a deterministic isolation device. In order to properly fulfill their SSEP function, some indirect CDAs are excluded from the requirement to be air-gapped or isolated by a deterministic isolation device. These CDAs include:

1. Communication systems such as a PBX, Radio systems, or other devices whose SSEP function requires external communication. These communication systems and networks must not provide an B-7

NEI 13-10 (Revision 6)

August 2017 attack pathway to isolated devices, systems, or networks.

2. Log aggregation and event correlation servers which reside outside the deterministic isolation device or which reside on the corporate business networks to fulfill the site wide aggregation, monitoring, and alerting functions.

d. Document how portable media and mobile devices are controlled according to NEI 08-09 D.1.19 in order to ensure the CDA will not be compromised as a result of the use of portable media and mobile devices.

e. Document how changes to the CDA are evaluated and documented before implementation to ensure the following:

1. Baseline security criteria remain in place and effective.

2. No new pathways or vulnerabilities have been created.

3. No change to CDA would now make it Direct.

4. Threat and vulnerability notifications received from credible sources are screened, evaluated, mitigated and dispositioned in accordance with the CSP.

f. Document how the CDA, or the interconnected equipment that would be affected by the compromise of the non-Direct CDA, is periodically checked to ensure the equipment is capable of performing its intended function. These checks could include any routine check performed to determine the functional or operational availability of the equipment. The periodicity of checks must be sufficient to ensure detection and mitigation of cyber attacks prior to an adverse impact to SSEP functions resulting from cyber attacks. Document the actions taken to periodically ensure equipment is capable of performing its intended function.

g. Document how ongoing Monitoring and Assessment is performed to ensure the security posture of the CDA is maintained by verifying that baseline security criteria remain in place.

If The current Cyber Security controls are adequate to meet the Cyber Security Plan, Section 3.1.6.

YES END ASSESSMENT HERE.

B-8

NEI 13-10 (Revision 6)

August 2017 Remediate to meet the baseline Cyber Security protection criteria described in Section 5 OR proceed to step If NO 4.0 This is a Direct CDA. Address cyber security controls in accordance with Section 3.1.6 of the licensees 4.0 Cyber Security Plan.

Outstanding Action Tracking: YES NO Note: Insert here any outstanding actions required to satisfactorily complete this assessment.

CYBER SECURITY ASSESSMENT TEAM APPROVAL Initiator:

Name (Signature)

Reviewer:

Name (Signature)

Other Review (as applicable):

Name (Signature)

Final Approval:

Name (Signature)

B-9

NEI 13-10 (Revision 6)

August 2017

[BLANK PAGE]

B-10

NEI 13-10 (Revision 6)

August 2017 APPENDIX C - EXAMPLES Appendix C provides examples intended to be both consistent with the guidance, and illustrative of the level of acceptable documentation.

C-1

NEI 13-10 (Revision 6)

August 2017

[BLANK PAGE]

C-2

NEI 13-10 (Revision 6)

August 2017 EXAMPLE: EMERGENCY CALL-OUT SYSTEM CDA Identification:

CDA Number: ECOS CDA

Description:

Emergency Call-Out System Additional CDA Numbers, IF performing assessment of grouped CDAs. Ensure you have documented criteria and technical basis for grouping CDAs:

Call-out CDA #1 Call-Out CDA #2 The criteria for grouping the above CDAs are provided in plant procedure Doc XXXX Emergency Planning (EP) Consequence Assessment: (Steps 1.0 to 1.6)

Consequence Assessment (Reference Section 3 and Appendix A, Figure 1 - Consequence Assessment) 1.0 Figure 1, Box 3.0 Does CDA perform ONLY an EP-related or EP support systems and YES NO equipment?

Note: The following guidance may be used for CDAs associated with EP functions that are not otherwise also relied on for safety, important-to-safety, or security functions. For safety, important-to-safety, or security functions proceed to Step 3.0 If YES, document applicable 10 CFR 50.47 Planning Standard(s) the CDA supports below:

10 CFR 50.47 (b)(2) - On-shift facility licensee responsibilities for emergency response are unambiguously defined, adequate staffing to provide initial facility accident response in key functional areas is maintained at all times, timely augmentation of response capabilities is available and the interfaces among various onsite response activities and offsite support and response activities are specified.

If YES, document applicable NUREG -0654 Section(s) the CDA supports below:

Section II.B - Onsite Emergency Organization If YES, document the Emergency Planning function(s) the CDA supports below:

10 CFR 50.47 (b)(2) - Addresses NUREG -0654 Section II.B.5 requirement for licensee to augment on-shift capabilities within a short period after declaration of an emergency.

Licensee must be able to augment on-shift capabilities within a short period after declaration of an emergency and establish procedures for alerting, notifying, and mobilizing emergency response personnel and provisions for alerting or activating emergency personnel in each response organization. Each organization shall provide for timely activation and staffing of the facilities and centers described in the plan. (Applicable for emergency call-out systems/assets.)

IF YES, THEN proceed Step 1.1 IF NO, THEN proceed to Step 2.0 C-3

NEI 13-10 (Revision 6)

August 2017 1.1 Figure 2, Box 4.0 Are alternate means available for performing the intended EP YES NO function, including offsite communications? (as specified by Section 4)? Document basis for YES or NO answer:

On Site Notification:

Hi Comm Owner Controlled Notification System (OCANS)

Backup Method - Use of vehicular PA system or Bullhorn Off Site Notification:

ECOS - Notification of other plant personnel who are offsite is achieved by the Shift Manager/delegate activating an automatic call out system EP 292 Emergency Call Out Backup Method - Energy Systems Operations Center staff call out to ERO member IF YES, THEN proceed to Step 1.2 IF NO, THEN proceed to Step 3.0 1.2 Figure 2, Box 4.2 Are one or more of the alternate means administrative, non-digital, or YES NO if digital is it adequately independent? Document basis for YES or NO answer:

Note:

1.) Two means would be considered adequately independent if they do not rely on equipment that if compromised by cyber attacks would adversely impact both means of performing the EP function (e.g., a PBX-based phone system vs.

satellite phones, data obtained by MET tower vs. data obtained through a weather service, data obtained from SPDS vs. received via fax, etc.).

2.) Administrative methods, including actions performed by personnel, can be considered as an alternate means provided they do not depend on identified CDA(s) for which controls have not been assessed.

On- Site Notification:

Hi-Com System - Non Digital The Hi-Comm System provides both party-to-party and paging announcement capabilities. It is a single-channel page/party system with speakers and hand-sets located throughout the plant. Hi Comm system is a Gaitronics analog system.

And Owner Controlled Area Notification System (OCANS) - Digital The Owner Controlled Area Notification System (OCANS) uses the Plant Radio System and speakers located throughout the plant site.

Back-up Method Use of vehicular PA system or Bullhorn - Non- Digital Off-Site Notification:

Emergency Call-Out System (ECOS) - Digital, ECSO is under the control of Dialogic Communications Corporation (DCC)

The plant utilizes DCC "Communicator!NXT" as the primary Emergency Call-Out System (ECOS) for emergency staff augmentation. This off-site system has two locations, one in TN (primary) and the other in AZ (back-up). The C-4

NEI 13-10 (Revision 6)

August 2017 ECOS system can be activated in two ways, via telephone or computer via the Internet.

The back-up Call-Out method is adequately independent. It uses administrative corporate phone system at the corporate Systems Operation Center located at headquarters. The administrative phone system is under the control of the local telephone company.

IF YES, THEN proceed to Step 1.3 IF NO, THEN proceed to Step 3.0 1.3 Figure 2, Box 4.1 Is the alternate means documented? (as described in Section 4). YES NO Document basis for YES or NO answer:

Note: The alternate means must be documented in a plant plan, policy, or implementing procedure.

The Call-Out assets are documented in the RERP Plan and RERP Procedures EP-290 Emergency Notifications, EP-292 Emergency Call Out Backup Method, and the RERP Telephone directory (including Attachment A).

IF YES, THEN proceed to Step 1.4 IF NO, THEN remediate or go to Step 3.0 1.4 Figure 2, Box 4.3 Is the equipment that a compromise of the CDA would impact YES NO periodically checked to ensure the equipment is capable of performing its intended function and an appropriate response initiated, if needed? (as described in Section 4).

Document basis for YES or NO answer.

Note:

1.) Specifically, a cyber attack that would prevent the EP-related equipment from performing its intended function can be detected and responded to prior to an adverse impact on the EP-related function during a radiological emergency.

2.) Measures for detection and response may be technical, procedural, or administrative, and could include periodic functional or availability testing (e.g., existing periodic operability tests performed on plant systems or equipment).

The measures in place must be performed at a frequency to ensure the ability to employ the alternate means in a timeframe sufficient to mitigate the adverse consequences of a cyber attack.

Procedures EP-290 Emergency Notifications and EP-292, Emergency Call-Out Backup Method document the primary and backup methods for initiating and verifying an emergency call-out. The equipment used to initiate call-out is exercised periodically during scheduled drills and events to ensure it is capable of performing its intended design function. The potential compromise or failure of the call-out system is bounded by the aforementioned procedures which require an operator to initiate the backup call-out process as documented in EP-292 when the primary call-out process cannot be successfully completed in accordance with EP-290.

Performance Tracking (PT) Event XX11 - Perform Activation of the Emergency Call Out System. Performed once a quarter, any time during the quarter.

PT Event XX37 - Perform ECOS Knowledge Assessment of SOC Personnel. Performed every two years as a table top drill for the backup call out method EP-292 PT Event PX52 - Verify the Emergency Call Out List is up to Date. Performed every 180 days.

PT Event AG41 - perform Hi Comm hand set checks - performed quarterly Call-Out equipment is used during the various RERP drills scheduled throughout the year and functionality is tested during the drills.

IF YES, THEN proceed to Step 1.5 IF NO, THEN remediate or go to Step 3.0 C-5

NEI 13-10 (Revision 6)

August 2017 1.5 Figure 2, Box 4.4 Are appropriate facility personnel trained to use the alternate method? YES NO (as described in Section 4)? Document basis for YES or NO answer:

EVENT XX37 - Perform ECOS Knowledge Assessment of SOC Personnel. Performed every two years as a table top drill for the backup call out method EP-292 Nuclear Generation Selection, Training and Qualification Program Description QP-ER-665 describes the ERO roles that require initial and requalification for Course Plan CP-ER-831 RERP - Emergency Notifications that includes training on RERP Call Out methods including entry conditions that require the use of back up methods. Call-out assets are used during the various RERP drills scheduled throughout the year.

IF YES, THEN proceed to Step 1.6 IF NO, THEN remediate or go to Step 3.0 1.6 Figure 1, Box 5 Are baseline cyber security protection criteria d, e, f, and g in place? YES NO (as described in Section 5)? Ensure each of the following baseline criteria are met.

d. Document how portable media and mobile devices are controlled according to NEI 08-09 D.1.19 in order to ensure the CDA will not be compromised as a result of the use of portable media and mobile devices.

The use of portable media and mobile devices (PMMD) is controlled according to NEI 08-09 D.19 as specified by the MMA23 Control of Digital Tools program.

e. Document how changes to the CDA are evaluated and documented before implementation to ensure the following:

5. Baseline security criteria remain in place and effective.

6. No new pathways or vulnerabilities have been created.

7. No change to CDA would now make it Direct.

8. Threat and vulnerability notifications received from credible sources are screened, evaluated, mitigated and dispositioned in accordance with the CSP.

Changes to the Call-Out system assets under licensee/plant control are required to be completed in accordance with procedure MES02 Design Configuration Management and the RERP Plan is evaluated for impact in accordance with procedure MLS08 Licenses, Plans and Programs as required by 10CFR 50.54(Q).

f. Document how the CDA, or the interconnected equipment that would be affected by the compromise of the non-Direct CDA, is periodically checked to ensure the equipment is capable of performing its intended function. These checks could include any routine check performed to determine the functional or operational availability of the equipment. The periodicity of checks must be sufficient to ensure detection and mitigation of cyber attacks prior to an adverse impact to SSEP functions resulting from cyber attacks. Document the actions taken to periodically ensure equipment is capable of performing its intended function.

Procedure EP-290 Emergency Notifications documents operator initiation and verification for the emergency call-out process. When the operator is unable to successfully complete and verify the call-out process within the documented or analyzed timeframe using the primary system, EP-290 directs the operator to utilize the C-6

NEI 13-10 (Revision 6)

August 2017 backup call-out process in accordance with EP-292 Emergency Call-Out Backup Method to preclude an adverse impact to the call-out function. The primary and backup call-out methods are tested as part of scheduled EP drills and exercises.

The plant also conducts the following check to ensure that ECOS is operate properly including that the ECOS is not compromised:

Performance Tracking (PT) Event XX11 - Perform Activation of the Emergency Call Out System. Performed once a quarter, any time during the quarter.

PT Event XX37 - Perform ECOS Knowledge Assessment of SOC Personnel. Performed every two years as a table top drill for the backup call out method EP-292 PT Event PX52 - Verify the Emergency Call Out List is up to Date. Performed every 180 days.

PT Event AG41 - Perform Hi Comm Hand Set Checks - performed quarterly Call Out equipment is used during the various RERP drills scheduled throughout the year and functionality is tested during the drills.

g. Document how ongoing Monitoring and Assessment is performed to ensure the security posture of the CDA is maintained by verifying that baseline security criteria remain in place.

The Call-Out system is classified as a CDA and managed under the companys Cyber Security Plan (CSP) and program.

Cyber Security is included in Nuclear Quality Assurance Audits of the Physical Security Program. RERP (EP) is audited by Nuclear Quality Assurance.

IF YES, THEN current measures are adequate to meet IF NO, THEN remediate or go to Step 3.0 Section 3.1.6 of the Cyber Security Plan.

C-7