Issuance of Amendments Cyber Security Plan Implementation Schedule (CAC Nos. MF9656, MF9657, and MF9658; EPID: L-2017-LLA-0217)

ML17315A000
Person / Time
Site:	Indian Point
Issue date:	12/08/2017
From:	Richard Guzman Plant Licensing Branch 1
To:	Entergy Nuclear Operations
Guzman R, NRR/DORL/LPL1
References
CAC MF9656, CAC MF9657, CAC MF9658, EPID L-2017-LLA-0217
Download: ML17315A000 (22)
v • d • e

Text

t,t>.I\ AEGt,{

~,;,'- .,,,. UNITED STATES NUCLEAR REGULATORY COMMISSION

< / ~ *'..< 0 0

WASHINGTON, D.C. 20555-0001 a

• ~

..,. £'

C; December 8, 2017

+,:, ~o

• • 'lfde President, Operations Entergy Nuclear Operations, Inc.

Indian Point Energy Center 450 Broadway, GSB P.O. Box 249 Buchanan, NY 10511-0249

SUBJECT:

INDIAN POINT NUCLEAR GENERATING UNIT NOS. 1, 2 AND 3 -

ISSUANCE OF AMENDMENTS RE: CYBER SECURITY PLAN IMPLEMENTATION SCHEDULE (CAC NOS. MF9656, MF9657, AND MF9658; EPID L-2017-LLA-0217)

Dear Sir or Madam:

The U.S. Nuclear Regulatory Commission (Commission) has issued the enclosed Amendment No. 60 to Provisional Operating License No. DPR-5 for Indian Point Nuclear Generating Unit No. 1, Amendment No. 286 to Facility Operating License No. DPR-26 for the Indian Point Nuclear Generating Unit No. 2, and Amendment No. 263 to Facility Operating License No. DPR-64 for the Indian Point Nuclear Generating Unit No. 3. The amendments consist of changes to the Cyber Security Plan Milestone 8 full implementation date in response to your application dated April 28, 2017, as supplemented by letters dated August 9, 2017; September 28, 2017; and October 26, 2017.

The amendments revise the Cyber Security Plan Milestone 8 full implementation date by extending the full implementation date from December 31, 2017, to December 31, 2018.

A copy of the related Safety Evaluation is enclosed. A Notice of Issuance will be included In the Commission's biweekly Federal Register notice.

Sincerely, Richard V. Guzman, Senior Project Manager Plant Licensing Branch I Division of Operating Reactor Licensing Office of Nuclear Reactor Regulation Docket Nos.50-003, 50-247, and 50-286

Enclosures:

1. Amendment No. 60 to DPR-5

2. Amendment No. 286 to DPR-26

3. Amendment No. 263 to DPR-64

4. Safety Evaluation cc w/

Enclosures:

Distribution via Listserv

UNITED STATES NUCLEAR REGULATORY COMMISSION WASHINGTON, D.C. 20555-0001 ENTERGY NUCLEAR INDIAN POINT 2, LLC ENTERGY NUCLEAR OPERATIONS INC.

DOCKET NO.50-003 INDIAN POINT NUCLEAR GENERATING UNIT NO. 1 AMENDMENT TO PROVISIONAL OPERATING LICENSE Amendment No. 60 License No. OPR-5

1. The U.S. Nuclear Regulatory Commission (NRC or the Commission) has found that:

A. The application for amendment by Entergy Nuclear Operations, Inc. {the licensee) dated April 28, 2017, as supplemented by letters dated August 9, 2017; September 28, 2017; and October 26, 2017, complies with the standards and requirements of the Atomic Energy Act of 1954, as amended (the Act), and the Commission's rules and regulations set forth in 10 CFR Chapter I; B. The facility will operate in conformity with the application, the provisions of the Act, and the rules and regulations of the Commission; C. There is reasonable assurance (i) that the activities authorized by this amendment can be conducted without endangering the health and safety of the public, and (ii) that such activities will be conducted in compliance with the Commission's regulations; D. The issuance of this amendment will not be inimical to the common defense and security or to the health and safety of the public; and E. The issuance of this amendment is in accordance with 10 CFR Part 51 of the Commission's regulations and all applicable requirements have been satisfied.

Enclosure 1

2. Accordingly, the license is hereby amended by changes to paragraph 3.d) of Facility Operating License No. DPR-5 as follows:

ENO shall fully implement and maintain in effect all provisions of the Commission-approved cyber security plan (CSP), including changes made pursuant to the authority of 10 CFR 50.90 and 10 CFR 50.54(p).

The ENO CSP was approved by License Amendment No. 55, as supplemented by changes approved by License Amendment Nos. 57, 59, and 60.

3. This license amendment is effective as of the date of its issuance and shall be implemented within 30 days. The full implementation date of the Cyber Security Plan shall be in accordance with the implementation schedule submitted by the licensee on September 28, 2017, and approved by the NRC staff with this license amendment. All subsequent changes to the NRG-approved Cyber Security Plan implementation schedule will require NRG approval pursuant to 10 CFR 50.90.

FOR THE NUCLEAR REGULATORY COMMISSION

~uf!ltdC-Bruce A. Watson, Chief Reactor Decommissioning Branch Division of Decommissioning, Uranium Recovery and Waste Programs Office of Nuclear Material Safety and Safeguards Date of Issuance: Decenber 8, 2017

Attachment:

Changes to the Provisional Operating License

ATTACHMENT TO LICENSE AMENDMENT NO. 60 INDIAN POINT NUCLEAR GENERATING UNIT NO. 1 PROVISIONAL OPERATING LICENSE NO. DPR-5 DOCKET NO.50-003 Replace the following page of the Provisional Operating License with the attached revised page.

The revised page is identified by amendment number and contains marginal lines indicating the areas of change.

Remove Page Insert Page 3 3

5. Records of radioactivity measurements at on-site and off-site monitoring stations.

6. Records of facility tests and measurements performed pursuant to the requirements of the Technical Specifications.

d) ENO shall fully implement and maintain in effect all provisions of the Commission-approved physical security, training and qualification, and safeguards contingency plans including amendments made pursuant to provisions of the Miscellaneous Amendments and Search Requirements revisions to 10 CFR 73.55 (51 FR 27817 and 27822), and to the authority of 10 CFR 50.90 and 10 CFR 50.54(p). The combined set of plans' for the Indian Point Energy Center, which contain Safeguards Information protected under 10 CFR 73.21, is entitled: "Physical Security, Training and Qualification, and Safeguards Contingency Plan, Revision 0," and was submitted by letter dated October 14, 2004, as supplemented by letter dated May 18, 2006.

ENO shall fully implement and maintain in effect all provisions of the Commission-approved cyber security plan (CSP), including changes made pursuant to the authority of 10 CFR 50.90 and 10 CFR 50.54(p). The ENO CSP was approved by License Amendment No. 55, as supplemented by changes approved by License Amendment Nos. 57, 59, and 60.

ENO has been granted Commission authorization to use "stand alone preemption authority" under Section 161A of the Atomic Energy Act, 42 U.S.C. 2201a with respect to the weapons described in Section II supplemented with Section Ill of Attachment 1 to its application submitted by letter dated August 20, 2013, as supplemented by letters dated November 21, 2013, and July 24, 2014, and citing letters dated April 27, 2011, and January 4, 2012. ENO shall fully implement and maintain in effect the provisions of the Commission-approved authorization.

1 The Training and Qualification Plan and Safeguards Contingency Plan are Appendices to the Security Plan.

Amendment No. 60

UNITED STATES NUCLEAR REGULATORY COMMISSION WASHINGTON, O.C. 20555-0001 ENTERGY NUCLEAR INDIAN POINT 2, LLC ENTERGY NUCLEAR OPERATIONS INC.

DOCKET NO. 50-247 INDIAN POINT NUCLEAR GENERATING UNIT NO. 2 AMENDMENT TO FACILITY OPERATING LICENSE Amendment No. 286 License No. DPR-26

1. The U.S. Nuclear Regulatory Commission (NRC or the Commission) has found that:

A. The application for amendment by Entergy Nuclear Operations, Inc. (the licensee) dated April 28, 2017, as supplemented by letters dated August 9, 2017; September 28, 2017; and October 26. 2017, complies with the standards and requirements of the Atomic Energy Act of 1954, as amended (the Act) and the Commission's rules and regulations set forth in 10 CFR Chapter I; B. The facility will operate in conformity with the application, the provisions of the Act, and the rules and regulations of the Commission; C. There is reasonable assurance (i) that the activities authorized by this amendment can be conducted without endangering the health and safety of the public, and (ii) that such activities will be conducted in compliance with the Commission's regulations; D. The issuance of this amendment will not be inimical to the common defense and security or to the health and safety of the public; and E. The issuance of this amendment is in accordance with 10 CFR Part 51 of the Commission's regulations and all applicable requirements have been satisfied.

Enclosure 2

2. Accordingly, the license is amended by changes to paragraph 2.H of Facility Operating License No. DPR-26 as follows:

ENO shall fully implement and maintain in effect all provisions of the Commission-approved cyber security plan (CSP), including changes made pursuant to the authority of 10 CFR 50.90 and 10 CFR 50.54(p).

The ENO CSP was approved by License Amendment No. 266, as supplemented by changes approved by License Amendment Nos. 279, 284, and 286.

3. This license amendment is effective as of the date of its issuance and shall be implemented within 30 days. The full implementation date of the Cyber Security Plan shall be in accordance with the implementation schedule submitted by the licensee on September 28, 2017, and approved by the NRG staff with this license amendment. All subsequent changes to the NRC*approved Cyber Security Plan implementation schedule will require NRC approval pursuant to 10 CFR 50.90.

FOR THE NUCLEAR REGULATORY COMMISSION

\

\. \~ - a '\_/~---

' " /V'V~~

I Jamel G. Danna, Chief Plant Licensing Branch I Division of Operating Reactor Licensing Office of Nuclear Reactor Regulation

Attachment:

Changes to the Facility Operating License Date of Issuance: December a, 2017

ATTACHMENT TO LICENSE AMENDMENT NO. 286 INDIAN POINT NUCLEAR GENERATING UNIT NO. 2 FACILITY OPERATING LICENSE NO. DPR-26 DOCKET NO. 50-247 Replace the following page of the Facility Operating License with the attached revised page.

The revised page is identified by amendment number and contains marginal lines indicating the areas of change.

Remove Page Insert Page 5 5

Indian Point Energy Center, which contain Safeguards Information protected under 10 CFR 73.21, is entitled: "Physical Security, Training and Qualification, and Safeguards Contingency Plan, Revision O," and was submitted by letter dated October 14, 2004, as supplemented by letter dated May 18, 2006.

ENO shall fully implement and maintain in effect all provisions of the Commission-approved cyber security plan (CSP), including changes made pursuant to the authority of 10 CFR 50.90 and 10 CFR 50.54(p).

The ENO CSP was approved by License Amendment No. 266, as supplemented by changes approved by License Amendment Nos. 279, 284, and 286.

ENO has been granted Commission authorization to use "stand alone preemption authority" under Section 161A of the Atomic Energy Act, 42 U.S.C. 2201a with respect to the weapons described in Section II supplemented with Section Ill of Attachment 1 to its application submitted by letter dated August 20, 2013, as supplemented by letters dated November 21, 2013, and July 24, 2014, and citing letters dated April 27, 2011, and January 4, 2012. ENO shall fully implement and maintain in effect the provisions of the Commission-approved authorization.

I. Deleted per Arndt. 133, 7-6-88.

J. Deleted per Arndt. 133, 7-6-88.

K. ENO shall implement and maintain in effect all provisions of the NRG-approved fire protection program as described in the Updated Final Safety Analysis Report for the facility and as approved in Safety Evaluations Reports dated November 30, 1977, February 3, 1978, January 31, 1979, October 31, 1980, August 22, 1983, March 30, 1984, October 16, 1984, September 16, 1985, November 13, 1985, March 4, 1987, January 12, 1989, and March 26, 1996. ENO may make changes to the NRG-approved fire protection program without prior approval of the Commission only if those changes would not adversely affect the ability to achieve and maintain safe shutdown in the event of a fire.

L. Deleted per Amendment 238 M. Deleted per Amendment 238 N. Mitigation Strategy License Condition The licensee shall develop and maintain strategies for addressing large fires and explosions and that include the following key areas:

Amendment No. 286

UNITED STATES NUCLEAR REGULATORY COMMISSION WASHINGTON, D.C. 20555-0001 ENTERGY NUCLEAR INDIAN POINT 3, LLC ENTERGY NUCLEAR OPERATIONS INC.

DOCKET NO. 50-286 INDIAN POINT NUCLEAR GENERATING UNIT NO. 3 AMENDMENT TO FACILITY OPERATING LICENSE Amendment No. 263 License No. DPR-64

1. The U.S. Nuclear Regulatory Commission (NRC or the Commission) has found that:

A The application for amendment by Entergy Nuclear Operations, Inc. (the licensee) dated April 28, 2017, as supplemented by letters dated August 9, 2017; September 28, 2017; and October 26, 2017, complies with the standards and requirements of the Atomic Energy Act of 1954, as amended (the Act) and the Commission's rules and regulations set forth in 10 CFR Chapter I;.

B. The facility will operate in conformity with the application, the provisions of the Act, and the rules and regulations of the Commission; C. There is reasonable assurance (l) that the activities authorized by this amendment can be conducted without endangering the health and safety of the public, and (ii) that such activities will be conducted in compliance with the Commission's regulations; D. The issuance of this amendment will not be inimical to the common defense and security or to the health and safety of the public; and E. The issuance of this amendment is in accordance with 10 CFR Part 51 of the Commission's regulations and all applicable requirements have been satisfied.

Enclosure 3

• 2.

2. Accordingly, the license is amended by changes to paragraph 2.G of Facility Operating License No. DPR-64 as follows:

ENO shall fully implement and maintain in effect all provisions of the Commission-approved cyber security plan (CSP), including changes made pursuant to the authority of 10 CFR 50.90 and 10 CFR 50.54(p).

The ENO CSP was approved by License Amendment No. 243, as supplemented by changes approved by License Amendment Nos. 254, 260, and 263.

3. This license amendment is effective as of the date of its issuance and shall be implemented within 30 days. The full implementation date of the Cyber Security Plan shall be in accordance with the implementation schedule submitted by the licensee on September 28, 2017, and approved by the NRC staff with this license amendment. All subsequent changes to the NRG-approved Cyber Security Plan implementation schedule will require NRG approval pursuant to 10 CFR 50.90.

FOR THE NUCLEAR REGULATORY COMMISSION

/--, --- '

\ *,.  :

". Ov1---i__,. v \ / ~ - - -

/

James G. Danna, Chief Plant Licensing Branch I Division of Operating Reactor Licensing Office of Nuclear Reactor Regulation

Attachment:

Changes to the Facility Operating License Date of Issuance: December a, 2017

ATIACHMENT TO LICENSE AMENDMENT NO. 263 INDIAN POINT NUCLEAR GENERATING UNIT NO. 3 FACILITY OPERATING LICENSE NO. DPR-64 DOCKET NO. 50-286 Replace the following page of the Facility Operating License with the attached revised page.

The revised page is identified by amendment number and contains marginal lines indicating the areas of change.

Remove Page Insert Page 4 4

G. ENO shall fully implement and maintain in effect all provisions of the Commission-approved physical security, training and qualification, and safeguards contingency plans including amendments made pursuant to provisions of the Miscellaneous Amendments and Search Requirements revisions to 10 CFR 73.55 (51 FR 27817 and 27822), and to the authority of 10 CFR 50.90 and CFR 50.54(p). The combined set of plans 1 for the Indian Point Energy Center, which contain Safeguards Information protected under 10 CFR 73.21, is entitled: "Physical Security, Training and Qualification, and Safeguards Contingency Plan, Revision O," and was submitted by letter dated October 14, 2004, as supplemented by letter dated May 18, 2006.

ENO shall fully implement and maintain in effect all provisions of the Commission-approved cyber security plan (CSP), including changes made pursuant to the authority of 10 CFR 50.90 and 10 CFR 50.54(p). The ENO CSP was approved by License Amendment No. 243, as supplemented by changes approved by License Amendment Nos. 254, 260, and 263.

ENO has been granted Commission authorization to use "stand alone preemption authority" under Section 161A of the Atomic Energy Act, 42 U.S.C. 2201a with respect to the weapons described in Section II supplemented with Section Ill of Attachment 1 to its application submitted by letter dated August 20, 2013, as supplemented by letters dated November 21, 2013, and July 24, 2014, and citing letters dated April 27, 2011, and January 4, 2012. ENO shall fully implement and maintain in effect the provisions of the Commission-approved authorization.

H. ENO shall implement and maintain in effect all provisions of the approved Fire Protection Program as described in the Final Safety Analysis Report for Indian Point Nuclear Generating Unit No. 3 and as approved in NRC fire protection safety evaluations (SEs) dated September 21, 1973, March 6, 1979, May 2, 1980, November 18, 1982, December 30, 1982, February 2, 1984, April 16, 1984, January 7, 1987, September 9, 1988, October 21, 1991, April 20, 1994, January 5, 1995, and supplements thereto, subject to the following provision:

ENO may make changes to the approved Fire Protection Program without prior approval of the Commission only if those changes would not adversely affect the ability to achieve and maintain safe shutdown in the event of a fire.

I. (DELETED) Arndt. 205 2/27/01 J. (DELETED) Arndt. 205 2/27/01 K. (DELETED) Arndt. 49 5-25-84 L. (DELETED) Arndt. 205 2/27 /01 1

The Training and Qualification Plan and Safeguards Contingency Plan are Appendices to the Security Plan.

Amendment No. 263

\.~,o..fl REGt,1 _ UNITED STATES NUCLEAR REGULATORY COMMISSION

/~o,, ' 00 WASHINGTON, DC. 20555-0001

~

~

"'~-i.,;, ~o~

• • • • ' SAFETY EVALUATION BY THE OFFICE OF NUCLEAR REACTOR REGULATION RELATED TO AMENDMENT NO. 60 TO PROVISIONAL OPERATING LICENSE NO. DPR-5 AMENDMENT NO. 286 TO FACILITY OPERATING LICENSE NO. DPR-26 AMENDMENT NO. 263 TO FACILITY OPERATING LICENSE NO. DPR-64 ENTERGY NUCLEAR INDIAN POINT 2, LLC ENTERGY NUCLEAR INDIAN POINT 3, LLC AND ENTERGY NUCLEAR OPERATIONS, INC.

INDIAN POINT NUCLEAR GENERATING UNIT NOS. 1, 2, AND 3 DOCKET NOS.50-003 50-247 AND 50-286

1.0 INTRODUCTION

By application dated April 28, 2017,' as supplemented by letters dated August 9, 2017; 2 September 28, 2017; 3 and October 26, 2017, 4 Entergy Nuclear Operations Inc. (Entergy, the licensee) submitted a license amendment request (LAR) requesting a change to the Provisional Operating License for Indian Point Nuclear Generating Station Unit No. 1 (Indian Point 1) and the Facility Operating Licenses (FOLs) for Indian Point Generating Unit Nos. 2 and 3 (Indian Point 2 and Indian Point 3). The proposed changes would revise the date of the Cyber Security Plan (CSP) implementation schedule Milestone 8 and update the associated license conditions in the licenses. Milestone 8 of the CSP implementation schedule concerns the full implementation of the CSP.

The supplemental letters dated August 9, 2017; September 28, 2017; and October 26, 2017, provided additional information that clarified the application, did not expand the scope of the application as originally noticed, and did not change the U.S. Nuclear Regulatory Commission (NRC or the Commission) staff's original proposed no significant hazards consideration determination as published in the Federal Register on July 18, 2017 (82 FR 32880).

Portions of the letters dated August 9, 2017, and September 28, 2017 contain sensitive, unclassified, non-safeguards information, and those portions are withheld from public disclosure in accordance with the provisions of Title 10 of the Code of Federal Regulations (10 CFR)

Section 2.390, "Public inspections, exemptions, requests for withholding," paragraph (d)(1).

1 Agencywide Documents Access and Management System (ADAMS) Accession No. ML17129A612 2

ADAMS Accession No. ML17228A044 3

ADAMS Accession No. ML17277A140 4

ADAMS Accession No. ML17307A043 Enclosure 4

2.0 BACKGROUND

The NRC staff initially reviewed and approved the licensee's original CSP implementation schedule by License Amendment No. 55 to Provisional Operating License No. DPR-5 for Indian Point 1, Amendment No. 266 to FOL No. DPR-26 for Indian Point 2, and Amendment No. 243 to FOL No. DPR-64 for Indian Point 3, dated August 2, 2011, 5 concurrent with the incorporation of the CSP into the facilities' current licensing bases. Subsequently, the NRG staff also reviewed and approved by license amendment two extensions to the original full implementation date.

The first extension approval extended the full implementation date to June 30, 2016, 6 and the second extension approval extended the full implementation date to December 31, 2017. 7 Following an NRG onsite audit of the Indian Point Energy Center (IPEC) CSP implementation process conducted on July 10, 2017, and 11, 2017, the licensee revised its LAR to simplify its proposed approach used to present the Milestone 8 partial implementation schedule. 8 As stated in the August 9, 2017 letter:

The revised presentational approach specifically identifies the Critical Digital Assets (CDAs) planned for completion of the Milestone 8 actions by the partial implementation completion date, and also identifies those CDAs proposed for deferral of the Milestone 8 actions to the full implementation completion date.

This simplified approach replaces the approach described in Section 2.0 of the Reference 1 LAA.

In its September 28, 2017, letter, the licensee revised the proposed Milestone 8 full implementation date from December 31, 2022, to December 31, 2018. As stated in the September 28, 2017, letter:

The purpose of this letter is to revise the Milestone 8 full implementation commitment date previously provided in Attachment 3 of the Reference 1 LAR.

Entergy has reassessed its progress toward completing the IPEC CSP Milestone 8 actions and determined that the expected completion date can be improved upon. Accordingly, the previous request to extend the Milestone 8 full implementation completion date to December 31, 2022 is not needed, and Entergy now proposes a one year extension of the completion date to December 31, 2018.

In its October 2, 2017, letter, the licensee submitted additional information in response to the NRC staff's request for additional information (RAI) dated October 23, 2017. 9

3.0 REGULATORY EVALUATION

The NRC staff considered the following regulatory requirements and guidance in its review of the current LAR to modify the existing CSP implementation schedule:

5 ADAMS Accession No. ML11152A027 6

ADAMS Accession No. ML14316A526 7

ADAMS Accession No. ML16064A215 8

See NRC staff audit summary dated September 17, 2017, ADAMS Accession No. ML17245A001 9

ADAMS Accession No. ML17296A235

• 10 CFR Section 73.54, "Protection of digital computer and communication systems and networks," which states, in part:

Each [CSP] submittal must include a proposed implementation schedule.

Implementation of the licensee's cyber security program must be consistent with the approved schedule.

• The licensee's operating license includes a license condition that requires the licensee to fully implement and maintain in effect all provisions of the Commission-approved CSP.

• In NRG Memorandum, "Review Criteria for Title 10 of the Code of Federal Regulations Part 73.54, Cyber Security Implementation Schedule Milestone 8 License Amendment Requests," dated October 24, 2013, 10 the NRC staff lists criteria it considers in evaluating a licensee's request to postpone a cyber security program implementation date (commonly known as Milestone 8).

The NRG staff does not regard the CSP milestone implementation dates as regulatory commitments that can be changed unilaterally by the licensee, particularly in light of the regulatory requirement at 10 CFR 73.54, that states, "Implementation of the licensee's cyber security program must be consistent with the approved schedule." As the NRG staff explained in its letter to all operating reactor licensees dated May 9, 2011, 11 the implementation of the plan, including the key intermediate milestone dates and the full implementation date, shall be in accordance with the implementation schedule submitted by the licensee and approved by the NRC. Alt subsequent changes to the NRG-approved CSP implementation schedule, will require prior NRG approval as in 10 CFR 50.90, "Application for amendment of license, construction permit, or early site permit."

4.0 TECHNICAL EVALUATION

4.1 Licensee's Requested Change Amendment Nos. 55, 266, and 243 to DPR-5 for Indian Point 1, DPR-26 for Indian Point 2, and DPR-64 for Indian Point 3, were issued on August 2, 2011. The NRG staff also approved the licensee's CSP implementation schedule, as discussed in the safety evaluation issued with the amendments. The implementation schedule had been submitted by the licensee based on a template prepared by the Nuclear Energy Institute, which the NRG staff found acceptable for licensees to use to develop their CSP implementation schedules. 12 The licensee's proposed implementation schedule for the cyber security program identified completion dates and bases for the following eight milestones:

1) Establish the Cyber Security Assessment Team;

2) Identify Critical Systems and CDAs;

3) Implement installation of a deterministic one-way device between lower level devices and higher level devices; 10 ADAMS Accession No. ML13295A467 11 ADAMS Accession No. ML110980538 12 ADAMS Accession Nos. ML110070348 and ML110600218

4) Implement the security control ~Access Control For Portable And Mobile Devices";

5) Implement observation and identification of obvious cyber related tampering to existing insider mitigation rounds by incorporating the appropriate elements;

6) Identify, document, and implement technical cyber security controls in accordance with Mitigation of Vulnerabilities and Application of Cyber Security Controls for CDAs that could adversely impact the design function of physical security target set equipment;

7) Commence ongoing monitoring and assessment activities for those target-set CDAs whose security controls have been implemented; and

8) Full implementation of the CSP for all safety, security, and emergency preparedness functions.

Currently, Milestone 8 of the Entergy CSP requires the licensee to fully implement the CSP by December 31, 2017. In its April 28, 2017, application, Entergy proposed to change the Milestone 8 completion date to December 31, 2022, and the supplemental letter dated September 28, 2017, proposed to change the Milestone 8 completion date to December 31, 2018.

The licensee provided the following information pertinent to each of the criteria identified in the NRG guidance memorandum dated October 24, 2013:

1) Identification of the specific requirement or requirements of the CSP that the licensee needs additional time to implement.

The licensee stated in its LAR dated April 28, 2017, as amended by the supplemental letter dated September 28, 2017, that it requests full implementation of CSP requirements per Milestone 8 be rescheduled from December 31, 2017, to December 31, 2018. Attachment 5 to the supplemental letter dated September 28, 2017, provides the identified IPEC CDAs that are proposed to have their Milestone 8 assessment and remediation actions deferred to the revised December 31, 2018, commitment date.

2) Detailed justification that describes the reason the licensee requires additional time to implement the specific requirement or requirements identified.

The response to Criterion 2 was modified per the licensee's RA! response letter dated October 26, 2017. The licensee commits to completion of the remaining Milestone 8 actions by December 31, 2018. Furthermore, partial implementation of Milestone 8 has already been accomplished and the remaining CDAs do not pose a significant impact on the effectiveness of the overall CSP.

3) A proposed completion date for Milestone 8 consistent with the remaining scope of work to be conducted and the resources available.

The response to Criterion 3 was modified per the licensee's RAI response letter dated October 26, 2017. The licensee stated in its letter that the proposed completion date for Milestone 8 is December 31, 2018. By this date, as committed in the supplemental letter dated September 28, 2017, full implementation of the IPEC CSP for all safety, security, and emergency preparedness functions will be achieved.

4) An evaluation of the impact that the additional time to implement the requirements will have on the effectiveness of the licensee's overall CSP in the context of milestones already completed.

The licensee stated in its LAR dated April 28, 2017, the impact of the requested additional implementation time on the effectiveness of the overall cyber security program is considered to be very low, because the interim milestone already completed have resulted in a high degree of protection of safety-related, important-to-safety, and security CDAs against threat vectors associated with external connectivity (both wired and wireless); and portable digital media and devices.

5) A description of the licensee's methodology for prioritizing completion of work for COAs associated with significant safety consequences and with reactivity effects in the balance of plant.

The licensee stated in its LAR dated April 28, 2017, CDAs are plant components that are subject to the maintenance prioritization and normal work management process which places the highest priority on apparent conditions adverse to quality in system, structure, and component design function and related factors such as safety risk and nuclear defense-in-depth, as well as threats to continuity of electric power generation in the balance-of-plant.

6) A discussion of the licensee's CSP performance up to the date of the LAR.

The licensee stated in its LAR dated April 28, 2017, no compromise of safety, security, or emergency preparedness function by cyber means has been identified. As documented in the NRC's letter dated October 21, 2015, 13 an NRC inspection at IPEC of Entergy's compliance with Milestones 1 through 7 was concluded on October 2, 2015, and findings were designated as having very low safety significance (green non-cited, granted enforcement discretion).

Additionally, a problem identification and resolution sample inspection 14 was concluded on March 2, 2017, and the one finding was designated as having very low safety significance (green non-cited).

13 Indian Point Nuclear Generating Units 2 and 3 - Temporary Instruction 2201/004, "Inspection of Implementation of Interim Cyber Security Milestone 1-7," Reports 05000247/2015405 and 05000286/2015405," ADAMS Accession No. ML15295A050 14 Indian Point Nuclear Generating Units 2 and 3 - Problem Identification and Resolution Cyber Security Inspection Report 05000247/2017405 and 05000286/2017405," dated March 27, 2017, ADAMS Accession No. ML17087A047

• 6*

7) A discussion of cyber security issues pending in the licensee's corrective action program.

The licensee stated in its LAR dated April 28, 2017, there are no cyber security issues that would constitute a threat to proper GOA function or that would call into question cyber security program effectiveness that are currently pending in the corrective action program.

8) A discussion of modifications completed to support the CSP and a discussion of pending cyber security modifications.

The licensee provided a discussion of completed modifications and pending modifications.

Modifications completed include those required to deterministically isolate level 3 and level 4 CDAs, as required by nuclear cyber security implementation schedule interim Milestone 3.

Pending cyber security modifications include infrastructure upgrades such as to the security intrusion and event monitoring, intrusion detection system, antivirus, and various other software solutions.

4.2 NRG Staff Evaluation The NRC staff evaluated the licensee's application, as supplemented, using the regulatory requirements and guidance cited in Section 3.0 of this safety evaluation. The licensee indicated that completion of the activities associated with the CSP, as described in Milestones 1 through 7, and completed prior to December 31, 2012, provide a degree of protection to ensure that the most significant digital computer and communication systems and networks associated with safety, security, or emergency preparedness systems are protected against cyber attacks. The licensee detailed the activities completed for each milestone and noted that some elements of Milestone 8 will be implemented by the previous commitment date, December 31, 2017.

The NRC staff finds that I PEC is more secure after implementation of Milestones 1 through 7 because the completed activities mitigate the most significant cyber attack vectors for the most significant CDAs. The full implementation of the CSP would provide security controls; provide defense-in-depth protective strategies to ensure the capability to detect, respond to, and recover from cyber attacks; mitigate the adverse effects of cyber attacks; and ensure that the functions of CDAs are not adversely impacted due to cyber attacks as required by 10 CFR 73.54(c). Entergy has provided reasonable assurance that extending full implementation of the CSP until December 31, 2018, does not minimize the effectiveness of the CSP because Milestones 1 through 7, and the completion of the Milestone 8 assessment and remediation actions for the security system, a subset of the safety-related, and a subset of the important to safety CDAs by December 31, 2017, will further strengthen the protection against common threat vectors.

The NRC staff finds the request for 1 additional year to complete the remaining Milestone 8 work is reasonable based on Entergy's partial implementation of Milestone 8 and that the remaining CDAs do not pose a significant impact on the effectiveness of the overall CSP.

4.3 Licensee Commitments By letter dated September 28, 2017, the licensee made the following regulatory commitments:

• Full implementation of the IPEC Cyber Security Plan for all safety, security, and emergency preparedness functions will be achieved.

• Completion date: No later than December 31, 2018.

The NRG staff concludes that reasonable controls for the implementation and for subsequent evaluation of proposed changes pertaining to the above regulatory commitments are best provided by the licensee's administrative processes, including its commitment management program.

4.4 NRC Staff Technical Evaluation Conclusion Based on its review of the licensee's submittal, the NRC staff concludes that the licensee's request to change full implementation of its CSP until December 31, 2018, is acceptable for the following reasons: (i) the licensee has sufficiently demonstrated that its cyber security program adequately protects the most significant of critical digital assets against cyber attacks for a limited 1-year extension; and (ii) extending full implementation of the CSP until December 31, 2018, does not minimize the effectiveness of the CSP because Milestones 1 through 7, and the completion of the Milestone 8 assessment and remediation actions for the security system, a subset of safety-related and important to safety CDAs by December 31, 2017, will further strengthen the protection against common threat vectors. Therefore, the NRC staff finds the proposed changes acceptable.

5.0 STATE CONSULTATION

In accordance with the Commission's regulations, the New York State official was notified of the proposed issuance of the amendments on November 8, 2017. The State official had no comments.

6.0 ENVIRONMENTAL CONSIDERATION

These amendments relate solely to safeguards matters and do not involve any significant construction impacts. These amendments are administrative changes to extend the date by which the licensee must have its CSP fully implemented. The Commission has previously issued a proposed finding that the amendments involve no significant hazards consideration, and there has been no public comment on such finding (82 FR 32880, July 18, 2017).

Accordingly, the amendments meet the eligibility criteria for categorical exclusion set forth in 10 CFR 51.22(c)(12). Pursuant to 10 CFR 51.22(b), no environmental impact statement or environmental assessment need be prepared in connection with the issuance of the amendments.

7.0 CONCLUSION

The Commission has concluded, based on the considerations discussed above, that (1) there is reasonable assurance that the health and safety of the public will not be endangered by operation in the proposed manner, (2) there is reasonable assurance that such activities will be conducted in compliance with the Commission's regulations, and (3) the issuance of the amendments will not be inimical to the common defense and security or to the health and safety of the public.

Principal Contributor: Catherine Allen, NSIR Date: December 8, 2017

SUBJECT:

INDIAN POINT NUCLEAR GENERATING UNIT NOS. 1, 2 AND 3 -

ISSUANCE OF AMENDMENTS RE: CYBER SECURITY PLAN IMPLEMENTATION SCHEDULE (CAC NOS. MF9656, MF9657, AND MF9658; EPID L-2017-LLA-0217) DATED DECEMBER 8, 2017 DISTRIBUTION:

PUBLIC RidsACRS_MailCTR Resource RidsNrrDorllpl1 Resource RidsNrrDraAplb Resource RidsNrrDssStsb Resource RidsNrrLALRonewicz Resource RidsNrrPMlndianPoint Resource RidsRgn1MailCenter Resource RidsNmssDuwpRDB Resource JBeardsley, NSIR CAiien, NSIR Klawson-Jenkins, NSIR CDeMessieres, NRA ADAMS Access1on No.: ML17315AOOO *b e-ma1*1 OFFICE NRR/DORULPL 1/PM NRR/DORULPL 1/LA NSIR/DPCP/CSB/BC*

NAME RGuzman LRonewicz JBeardslev DATE 11/13/2017 11/13/2017 11/15/2017 OFFICE OGC-NLO* NMSS/DUWP/RDB/BC NRR/DORULPL 1/BC NAME PJehle BWatson /JClements for) JOanna DATE 11/22/2017 11/27/2017 12/7/2017 OFFICE NRR/DORULPL1/PM NAME RGuzman DATE 12/8/2017 OFFICIAL RECORD COPY