ML103220454


St. Lucie, Units 1 and 2, Request for Approval of Cyber Security Plan
Person / Time
Site: Saint Lucie
Issue date: 11/17/2010
From: Anderson R L
Florida Power & Light Co
To:
Document Control Desk, Office of Nuclear Reactor Regulation, Office of Nuclear Security and Incident Response
References
L-2010-254


Text

Florida Power & Light Company, 6501 S. Ocean Drive, Jensen Beach, FL 34957

SECURITY RELATED INFORMATION
WITHHOLD FROM PUBLIC DISCLOSURE UNDER 10 CFR 2.390

FPL

November 17, 2010
L-2010-254
10 CFR 50.90
10 CFR 50.4

U. S. Nuclear Regulatory Commission
ATTN: Document Control Desk
Washington, DC 20555-0001

RE: St. Lucie Units 1 and 2
Docket Nos. 50-335 and 50-389
Request for Approval of the St. Lucie/FPL Cyber Security Plan

References:

(1) FPL Letter L-2010-149 dated August 2, 2010, "Request for Approval of the St. Lucie/FPL Cyber Security Plan."

(2) FPL Letter L-2010-213 dated September 27, 2010, "Notification Letter Designating St. Lucie Balance of Plant Systems within the Cyber Security Rule Scope."

In Reference 1, and in accordance with the provisions of 10 CFR 50.4 and 10 CFR 50.90, Florida Power & Light (FPL) submitted a request for amendment to the Operating License (OL) for the St. Lucie Plant. This proposed amendment requested NRC approval of the St. Lucie/FPL Cyber Security Plan, provided an implementation schedule, and added a sentence to the existing OL Physical Protection license condition to require St. Lucie to fully implement and maintain in effect all provisions of the Commission approved Cyber Security Plan. It has since been determined that a revision to Section 2.1, "Scope and Purpose" of the submitted Plan is required.

This change is considered an exception to NEI 08-09 Revision 6.

Enclosure 1 of this submittal provides an evaluation of the proposed change and contains the following attachments:

  • Attachment 1 provides the existing OL page marked up to show the proposed change.
  • Attachment 2 provides the proposed OL changes in final typed format.

Enclosure 2 to this submittal provides the St. Lucie/FPL Cyber Security Plan with a revised version of Section 2.1 that clarifies the balance of plant structures, systems and components that are included in the scope of the cyber security program, as committed to in Reference 2. FPL requests that Enclosure 2, which contains sensitive information, be withheld from public disclosure in accordance with 10 CFR 2.390(d)(1).

These changes have been reviewed by the St. Lucie Plant Onsite Review Group. A copy of this submittal is also being sent to our appointed state official pursuant to 10 CFR 50.91.

If you have any questions or require additional information, please contact Eric Katzman, Licensing Manager, at (772) 467-7734.

I declare under penalty of perjury that the foregoing is true and correct.

Executed on [handwritten date and signature illegible]

Richard L. Anderson
Site Vice President
St. Lucie Plant

Enclosure 1 - Evaluation of Proposed Change
  Attachment 1 - Proposed Facility Operating License Change (Mark-up)
  Attachment 2 - Proposed Facility Operating License Change (Re-typed)

Enclosure 2 - St. Lucie/FPL Cyber Security Plan

cc: Mr. W. A. Passetti, Florida Department of Health (w/o Enclosure 2)

L-2010-254 Enclosure 1 Page 1 of 11

ENCLOSURE 1

Evaluation of Proposed Change

Request for Approval of the St. Lucie/FPL Cyber Security Plan

1.0 SUMMARY DESCRIPTION

2.0 DETAILED DESCRIPTION

3.0 TECHNICAL EVALUATION

4.0 REGULATORY EVALUATION

4.1 APPLICABLE REGULATORY REQUIREMENTS/CRITERIA

4.2 SIGNIFICANT HAZARDS CONSIDERATION

4.3 CONCLUSION

5.0 ENVIRONMENTAL CONSIDERATION

6.0 REFERENCES

ATTACHMENTS:

Attachment 1 - PROPOSED FACILITY OPERATING LICENSE CHANGE (MARK-UP)

Attachment 2 - PROPOSED FACILITY OPERATING LICENSE CHANGE (RE-TYPED)

1.0 SUMMARY DESCRIPTION

In Reference 1, FPL submitted a request for amendment to the Operating License (OL) for the St. Lucie Plant. This proposed amendment requested NRC approval of the St. Lucie/FPL Cyber Security Plan, provided an implementation schedule, and added a sentence to the existing OL Physical Protection license condition to require St. Lucie to fully implement and maintain in effect all provisions of the Commission approved Cyber Security Plan. It has since been determined that a revision to Section 2.1, "Scope and Purpose" of the submitted Plan is required.

The change to Section 2.1 of the St. Lucie/FPL Cyber Security Plan clarifies the balance of plant structures, systems and components that are included in the scope of the cyber security program.

This change also requires revision to the "Evaluation of Proposed Change," and the OL "Mark-up" and "Re-typed" pages submitted in Reference 1.

2.0 DETAILED DESCRIPTION

This supplement revises the proposed LAR (Reference 1) that included three parts: the proposed Plan, an Implementation Schedule, and a proposed sentence to be added to the existing OL Physical Protection license condition to require St. Lucie to fully implement and maintain in effect all provisions of the Commission approved Cyber Security Plan as required by 10 CFR 73.54. Federal Register notice 74 FR 13926 issued the final rule that amended 10 CFR Part 73.

The regulations in 10 CFR 73.54, "Protection of digital computer and communication systems and networks," establish the requirements for a cyber security program. This regulation specifically requires each licensee currently licensed to operate a nuclear power plant under Part 50 of this chapter to submit a cyber security plan that satisfies the requirements of the Rule.

Each submittal must include a proposed implementation schedule and implementation of the licensee's cyber security program must be consistent with the approved schedule.

The background for this application is addressed by the NRC Notice of Availability published on March 27, 2009, 74 FR 13926 (Reference 2).

3.0 TECHNICAL EVALUATION

Federal Register notice 74 FR 13926 issued the final rule that amended 10 CFR Part 73. Cyber security requirements are codified as new 10 CFR 73.54 and are designed to provide high assurance that digital computer and communication systems and networks are adequately protected against cyber attacks up to and including the design basis threat established by §73.1(a)(1)(v).

These requirements enhance upon the requirements imposed by EA-02-026 (Reference 3).

This supplement includes the proposed change to the existing OL condition for "Physical Protection" (Attachments 1 and 2), as well as the revised proposed Plan (Enclosure 2) that conforms to the template provided in NEI 08-09 Revision 6, with the following exceptions:

Definition of cyber attack

In lieu of the use of the definition of "cyber attack" in NEI 08-09 Revision 6, the following definition of "cyber attack" will be used, "Any event in which there is reason to believe that an adversary has committed or caused, or attempted to commit or cause, or has made a credible threat to commit or cause malicious exploitation of a Critical Digital Asset." According to the June 7, 2010 letter to NEI (Reference 4), the NRC staff has found this definition to be acceptable.

Emergency preparedness

10 CFR 73.54 requires protecting digital computer and communication systems and networks associated with emergency preparedness (EP) functions, including offsite communications.

The EP functions within the scope of the Plan are those functions which support implementation of the Risk Significant Planning Standards* (RSPSs) as defined in NRC Inspection Manual Chapter 0609, Appendix B. The RSPSs are the subset of EP Planning Standards, defined in 10 CFR 50.47(b), which play the greatest role in protecting public health and safety. In terms of importance, this approach aligns the selected EP functions with other system functions which are "Safety-Related" or "Important-to-Safety." 10 CFR 73.56(b)(ii) requires that any individual whose duties and responsibilities permit the individual to take actions by electronic means, either on site or remotely, that could adversely impact the licensee's emergency preparedness be subject to an access authorization program.

However, some systems, or portions of systems, which perform a RSPS-related EP function may be located in offsite locations not under the control of the licensee and/or not staffed by licensee personnel.

Similarly, there may be system components that are normally installed, modified or maintained by non-licensee personnel (e.g., a telecommunications company technician, an employee of a State agency, etc.).

Therefore the systems, and portions of systems, to be protected from cyber attack in accordance with 10 CFR 73.54(a)(1)(iii) must:

1. Perform a RSPS-related EP function, and
2. Be within the licensee's complete custody and control.

* The RSPSs are 10 CFR 50.47(b)(4), (5), (9), and (10), including the related sections of Appendix E to 10 CFR Part 50. 10 CFR 50.47(b)(10) has two aspects that are of differing risk-significance. Only the portion dealing with the development of protective action recommendations (PARs) is integral to protection of public health and safety and is considered to be an RSPS.

Senior nuclear management

Senior nuclear management is defined as the Vice President accountable for nuclear plant security.

The NEI 08-09 template defines this position as accountable for nuclear plant operation.

The position of Vice President accountable for nuclear plant security better reflects the duties and responsibilities of the St. Lucie/FPL Cyber Security Plan.

Balance of Plant Systems within Scope

The following paragraph is added to Section 2.1 "Scope and Purpose," to clarify the balance of plant structures, systems and components that are included in the scope of the cyber security program, "The scoping provisions of 10 CFR 73.54 encompass certain Structures, Systems, and Components (SSCs) in the Balance of Plant (BOP). Specifically, included among the systems to be protected are those SSCs in the BOP out to the first inter-tie with the offsite distribution system whose compromise could result in a reactor scram or transient."

4.0 REGULATORY EVALUATION

4.1 APPLICABLE REGULATORY REQUIREMENTS/CRITERIA

This LAR is submitted pursuant to 10 CFR 73.54 which requires licensees currently licensed to operate a nuclear power plant under 10 CFR Part 50 to submit a Cyber Security Plan as specified in 10 CFR 50.4 and 10 CFR 50.90.

4.2 SIGNIFICANT HAZARDS CONSIDERATION

St. Lucie/FPL has evaluated whether or not a significant hazards consideration is involved with the proposed amendment by focusing on the three standards set forth in 10 CFR 50.92, "Issuance of amendment," as discussed below:

1. Does the proposed amendment involve a significant increase in the probability or consequences of an accident previously evaluated?

Response: No.

The proposed amendment incorporates a new requirement in the Facility Operating License to implement and maintain a Cyber Security Plan as part of the facility's overall program for physical protection.

Inclusion of the Cyber Security Plan in the Facility Operating License itself does not involve any modifications to the safety-related structures, systems or components (SSCs). Rather, the Cyber Security Plan describes how the requirements of 10 CFR 73.54 are to be implemented to identify, evaluate, and mitigate cyber attacks up to and including the design basis cyber attack threat, thereby achieving high assurance that the facility's digital computer and communications systems and networks are protected from cyber attacks. The Cyber Security Plan will not alter previously evaluated Final Safety Analysis Report (FSAR) design basis accident analysis assumptions, add any accident initiators, or affect the function of the plant safety-related SSCs as to how they are operated, maintained, modified, tested, or inspected.

Therefore, the proposed amendment does not involve a significant increase in the probability or consequences of an accident previously evaluated.

2. Does the proposed amendment create the possibility of a new or different kind of accident from any accident previously evaluated?

Response: No.

The proposed amendment provides assurance that safety-related SSCs are protected from cyber attacks. Implementation of 10 CFR 73.54 and the inclusion of a plan in the Facility Operating License do not result in the need for any new or different FSAR design basis accident analysis. It does not introduce new equipment that could create a new or different kind of accident, and no new equipment failure modes are created. As a result, no new accident scenarios, failure mechanisms, or limiting single failures are introduced as a result of this proposed amendment.

Therefore, the proposed amendment does not create a possibility for an accident of a new or different type than those previously evaluated.

3. Does the proposed amendment involve a significant reduction in a margin of safety?

Response: No.

The margin of safety is associated with the confidence in the ability of the fission product barriers (i.e., fuel cladding, reactor coolant pressure boundary, and containment structure) to limit the level of radiation to the public. The proposed amendment would not alter the way any safety-related SSC functions and would not alter the way the plant is operated.

The amendment provides assurance that safety-related SSCs are protected from cyber attacks. The proposed amendment would not introduce any new uncertainties or change any existing uncertainties associated with any safety limit. The proposed amendment would have no impact on the structural integrity of the fuel cladding, reactor coolant pressure boundary, or containment structure.

Based on the above considerations, the proposed amendment would not degrade the confidence in the ability of the fission product barriers to limit the level of radiation to the public.

Therefore, the proposed change does not involve a significant reduction in a margin of safety.

Based on the above, St. Lucie/FPL concludes that the proposed change presents no significant hazards consideration under the standards set forth in 10 CFR 50.92(c), and accordingly, a finding of no significant hazards consideration is justified.

4.3 CONCLUSION

In conclusion, based on the considerations discussed above, (1) there is reasonable assurance that the health and safety of the public will not be endangered by operation in the proposed manner, (2) such activities will be conducted in compliance with the Commission's regulations, and (3) the issuance of the amendment will not be inimical to the common defense and security or to the health and safety of the public.

5.0 ENVIRONMENTAL CONSIDERATION

The proposed amendment establishes the licensing basis for a Cyber Security Program for St. Lucie Plant and will be a part of the Physical Security Plan. This proposed amendment will not involve any significant construction impacts. Pursuant to 10 CFR 51.22(c)(12) no environmental impact statement or environmental assessment need be prepared in connection with the issuance of the amendment.

6.0 REFERENCES

1. FPL Letter L-2010-149 dated August 2, 2010, "Request for Approval of the St. Lucie/FPL Cyber Security Plan."

2. Federal Register Notice, Final Rule 10 CFR Part 73, "Power Reactor Security Requirements," published on March 27, 2009, 74 FR 13926.

3. EA-02-026, "Issuance of Order for Interim Safeguards and Security Compensatory Measures," issued February 25, 2002.

4. Letter to C. Earls, NEI from NRC, "Nuclear Energy Institute 08-09, 'Cyber Security Plan Template, Rev. 6,'" dated June 7, 2010. (ML101550052)

ENCLOSURE 1 ATTACHMENT 1

PROPOSED FACILITY OPERATING LICENSE CHANGE (MARK-UP)

Proposed Facility Operating License Change (Mark-Up)

Insert the following text within each of the current Facility Operating Licenses, license condition 3.F, Physical Protection, and after its existing text:

FPL shall fully implement and maintain in effect all provisions of the Commission-approved St. Lucie/FPL Cyber Security Plan submitted by letter L-2010-149 dated August 2, 2010, and supplemented by letter L-2010-254 dated November 17, 2010, and withheld from public disclosure in accordance with 10 CFR § 2.390.

ENCLOSURE 1 ATTACHMENT 2

PROPOSED FACILITY OPERATING LICENSE CHANGE (RE-TYPED)

UNIT 1 DPR-67
UNIT 2 NPF-16

-4-

E. Fire Protection

FPL shall implement and maintain in effect all provisions of the approved fire protection program as described in the Updated Final Safety Analysis Report for the facility (The fire protection program and features were originally described in FPL submittals L-83-514 dated October 7, 1983, L-83-227 dated April 12, 1983, L-83-261 dated April 25, 1983, L-83-453 dated August 24, 1983, L-83-488 dated September 16, 1983, L-83-588 dated December 14, 1983, L-84-346 dated November 28, 1984, L-84-390 dated December 31, 1984, and L-85-71 dated February 21, 1985) and as approved by NRC letter dated July 17, 1984, and supplemented by NRC letters dated February 21, 1985, March 5, 1987, and October 4, 1988, subject to the following provision:

FPL may make changes to the approved fire protection program without prior approval of the Commission only if those changes would not adversely affect the ability to achieve and maintain safe shutdown in the event of a fire.

F. Physical Protection

The licensee shall fully implement and maintain in effect all provisions of the Commission-approved physical security, training and qualification, and safeguards contingency plans including amendments made pursuant to provision of the Miscellaneous Amendments and Search Requirements revisions to 10 CFR 73.55 (51 FR 27817 and 27822) and to the authority of 10 CFR 50.90 and 10 CFR 50.54(p).

The combined set of plans, which contains Safeguards Information protected under 10 CFR 73.21, is entitled: "Florida Power and Light & FPL Energy Seabrook Physical Security Plan, Training and Qualification Plan and Safeguards Contingency Plan - Revision 3," submitted by letter dated May 18, 2006. FPL shall fully implement and maintain in effect all provisions of the Commission-approved St. Lucie/FPL Cyber Security Plan submitted by letter L-2010-149 dated August 2, 2010, and supplemented by letter L-2010-254 dated November 17, 2010, and withheld from public disclosure in accordance with 10 CFR § 2.390.

G. Mitigation Strategy License Condition

Develop and maintain strategies for addressing large fires and explosions and that include the following key areas:

(a) Fire fighting response strategy with the following elements:
    1. Pre-defined coordinated fire response strategy and guidance
    2. Assessment of mutual aid fire fighting assets
    3. Designated staging areas for equipment and materials
    4. Command and control
    5. Training of response personnel

(b) Operations to mitigate fuel damage considering the following:
    1. Protection and use of personnel assets
    2. Communications
    3. Minimizing fire spread
    4. Procedures for implementing integrated fire response strategy
    5. Identification of readily-available pre-staged equipment

Renewed License No. DPR-67
Revised by letter dated October 24, 2008

-5-

F. Physical Protection

The licensee shall fully implement and maintain in effect all provisions of the Commission-approved physical security, training and qualification, and safeguards contingency plans including amendments made pursuant to provision of the Miscellaneous Amendments and Search Requirements revisions to 10 CFR 73.55 (51 FR 27817 and 27822) and to the authority of 10 CFR 50.90 and 10 CFR 50.54(p). The combined set of plans, which contains Safeguards Information protected under 10 CFR 73.21, is entitled: "Florida Power and Light & FPL Energy Seabrook Physical Security Plan, Training and Qualification Plan and Safeguards Contingency Plan - Revision 3," submitted by letter dated May 18, 2006. FPL shall fully implement and maintain in effect all provisions of the Commission-approved St. Lucie/FPL Cyber Security Plan submitted by letter L-2010-149 dated August 2, 2010, and supplemented by letter L-2010-254 dated November 17, 2010, and withheld from public disclosure in accordance with 10 CFR § 2.390.

G. Before engaging in additional construction or operational activities which may result in a significant adverse environmental impact that was not evaluated or that is significantly greater than that evaluated in the Final Environmental Statement dated April 1982, FPL shall provide written notification to the Office of Nuclear Reactor Regulation.

H. DELETED

I. FPL shall notify the Commission, as soon as possible but not later than one hour, of any accident at this facility which could result in an unplanned release of quantities of fission products in excess of allowable limits for normal operation established by the Commission.

J. FPL shall have and maintain financial protection of such type and in such amounts as the Commission shall require in accordance with Section 170 of the Atomic Energy Act of 1954, as amended, to cover public liability claims.

K. The use of ZIRLO™ clad fuel at St. Lucie Unit 2 will be subject to the following restrictions:

FPL will limit the fuel duty for St. Lucie Unit 2 to a baseline modified Fuel Duty Index (mFDI) of 600 with a provision for adequate margin to account for variations in core design (e.g., cycle length, plant operating conditions, etc). This limit will be applicable until data is available demonstrating the performance of ZIRLO™ cladding at Combustion Engineering 16x16 plants.

FPL will restrict the mFDI of each ZIRLO™ clad fuel pin to 110 percent of the baseline mFDI of 600.

Renewed License No. NPF-16
Revised by letter dated October 24, 2008