LIC-09-0092, License Amendment Request (Lar), Request for Approval of the Fcs/Oppd Cyber Security Plan

From kanterella
(Redirected from ML093210542)
Jump to navigation Jump to search

License Amendment Request (Lar), Request for Approval of the Fcs/Oppd Cyber Security Plan
ML093210542
Person / Time
Site: Fort Calhoun Omaha Public Power District icon.png
Issue date: 11/16/2009
From: Reinhart J
Omaha Public Power District
To:
Document Control Desk, Office of Nuclear Reactor Regulation
References
LIC-09-0092
Download: ML093210542 (12)
v  d  e


Text

Enclosures 2 and 3 to this letter contain sensitive information. Withhold from public disclosure under 10 CFR 2.390. Upon removal of Enclosures 2 and 3, this letter is decontrolled.

Employment with Equal Opportunity 444 South 16th Street Mall Omaha, NE 68102-2247 LIC-09-0092 November 16, 2009 U.S. Nuclear Regulatory Commission Attn: Document Control Desk Washington, DC 20555-0001

REFERENCES:

1. Docket No. 50-285
2. Nuclear Energy Institute 08-09 [Rev. 3], Cyber Security Plan for Nuclear Power Reactors, dated September 2009

SUBJECT:

Fort Calhoun Station, Unit No. 1, License Amendment Request (LAR), Request for Approval of the FCS/OPPD Cyber Security Plan In accordance with the provisions of 10 CFR § 50.4 and § 50.90, the Omaha Public Power District (OPPD) is submitting a request for an amendment to the Renewed Facility Operating License (FOL) for Fort Calhoun Station (FCS), Unit No. 1. This proposed amendment requests NRC approval of the FCS/OPPD Cyber Security Plan, provides a proposed Implementation Schedule, and adds a sentence to the existing FOL physical protection license condition to require FCS/OPPD to fully implement and maintain in effect all provisions of the Commission approved Cyber Security Plan.

This proposed amendment conforms to the model application contained in Reference 2.

provides an evaluation of the proposed change and contains the following attachments:

Attachment 1 provides the existing FOL pages marked up to show the proposed change.

U. S. Nl,Jclear Regulatory Commission LI C-09-0092 Page 2

  • Attachment 2 provides the proposed FOL changes in final typed format. provides a copy of the FCS/OPPD Cyber Security Plan, which is a standalone document that will be incorporated by reference into the FCS/OPPD Security Plan upon approval. Enclosure 3 provides a proposed implementation schedule.

OPPD requests that Enclosures 2 and 3, which contain sensitive information, be withheld from public disclosure in accordance with 10 CFR 2.390.

In accordance with 10 CFR 50.91, a copy of this application, with attachments, is being provided to the designated State of Nebraska Official.

OPPD requests an implementation period of 90 days following NRC approval of the license amendment.

If you should have any questions regarding this submittal, please contact Mr. Bill Hansher at402-533-6894.

I declare under penalty of perjury that the foregoing is true and correct. Executed on November 16, 2009.

Je rey A. Reinhart

. Vice President - Evaluation of Proposed Change - FCS/OPPD Cyber Security Plan - Proposed Implementation Schedule cc:

E. E. Collins, NRC Regional Administrator, Region IV L. E. Wilkins, NRC Project Manager J. C. Kirkland, NRC Senior Resident Inspector Director of Consumer Health Services, Department of Regulation and Licensure, Nebraska Health and Human Services, State of Nebraska Enclosures 2 and 3 to this letter contain sensitive information. Withhold from public disclosure under 10 CFR 2.390. Upon removal of Enclosures 2 and 3, this letter is decontrolled.

LIC-09-0092 Page 1 Evaluation of Proposed Change Request for Approval of the FCS/OPPD Cyber Security Plan 1.0 Summary Description 2.0 Detailed Description 3.0 Technical Evaluation 4.0 Regulatory Evaluation 4.1 Applicable Regulatory Requirements / Criteria 4.2 Significant Hazards Consideration 5.0 Environmental Consideration 6.0 References ATTACHMENTS

- Mark-up of Facility Operating License (FOL) pages - FOL changes in final typed format

LIC-09-0092 Page 2 1.0

SUMMARY

DESCRIPTION The proposed license amendment request (LAR) includes the proposed Fort Calhoun Station (FCS) Unit No. 1/Omaha Public Power District (OPPD) Cyber Security Plan (Plan), an Implementation Schedule, and a proposed sentence to be added to the existing Facility Operating License (FOL) physical protection license condition.

2.0 DETAILED DESCRIPTION The proposed LAR includes three parts: the proposed Plan, an Implementation Schedule, and a proposed sentence to be added to the existing FOL physical protection license condition to require FCS/OPPD to fully implement and maintain in effect all provisions of the Commission approved cyber security plan as required by 10 CFR § 73.54. Federal Register notice 74 FR 13926 issued the final rule that amended 10 CFR Part 73. The regulations in 10 CFR § 73.54, "Protection of digital computer and communication systems and networks,"

establish the requirements for a cyber security program. This regulation specifically requires each licensee currently licensed to operate a nuclear power plant under Part 50 of this chapter to submit a cyber security plan that satisfies the requirements of the Rule. Each submittal must include a proposed implementation schedule and implementation of the licensee's cyber security program must be consistent with the approved schedule. The background for this application is addressed by the NRC Notice of Availability published on March 27, 2009, 74 FR 13926 (Reference 1).

3.0 TECHNICAL EVALUATION

Federal Register notice 74 FR 13926 issued the final rule that amended 10 CFR Part 73. Cyber security requirements are codified as new § 73.54 and are designed to provide high assurance that digital computer and communication systems and networks are adequately protected against cyber attacks up to and including the design basis threat established by § 73.1(a)(1)(v). These requirements are substantial improvements upon the requirements imposed by EA-02-026 (Reference 2).

The NRC issued Regulatory Guide 5.71, "Cyber Security Programs for Nuclear Facilities" dated November 2009 (Pre-Decisional), which provides an approach the NRC staff deems acceptable for complying with the Commission's regulations for protecting digital computers, communications systems, and networks. Based on discussions with the NRC, it is anticipated that NEI 08-09, "Cyber Security Plan Template" (Reference 3) will be endorsed/approved by the NRC for use by licensees in development of their own cyber security plans.

This LAR includes the proposed Plan (Enclosure 2) that conforms to the template

LIC-09-0092 Page 3 provided in NEI 08-09. In addition, the LAR includes the proposed change to the existing FOL license condition for physical protection (Attachments 1 and 2).

Finally, the LAR contains the proposed Implementation Schedule (Enclosure 3) as required by 10 CFR § 73.54.

4.0 REGULATORY EVALUATION

4.1 APPLICABLE REGULATORY REQUIREMENTS / CRITERIA This LAR is submitted pursuant to 10 CFR § 73.54 which requires licensees currently licensed to operate a nuclear power plant under 10 CFR Part 50 to submit a Cyber Security Plan as specified in § 50.4 and § 50.90.

4.2 SIGNIFICANT HAZARDS CONSIDERATION The Omaha Public Power District (OPPD) has evaluated the proposed changes using the criteria in 10 CFR 50.92 and has determined that the proposed changes do not involve a significant hazards consideration. An analysis of the issue of no significant hazards consideration is presented below:

Criterion 1: The proposed change does not involve a significant increase in the probability or consequences of an accident previously evaluated.

The proposed change is required by § 73.54 and includes three parts. The first part is the submittal of the Plan for NRC review and approval. The Plan conforms to the template provided in NEI 08-09 and provides a description of how the requirements of the Rule will be implemented at FCS. The Plan establishes the licensing basis for the Omaha Public Power District (OPPD)

Cyber Security Program for Fort Calhoun Station (FCS). The Plan establishes how to achieve high assurance that nuclear power plant digital computer and communication systems and networks associated with the following are adequately protected against cyber attacks up to and including the design basis threat:

1. Safety-related and important-to-safety functions,
2. Security functions,
3. Emergency preparedness functions including offsite communications, and
4. Support systems and equipment, which if compromised, would adversely impact safety, security, or emergency preparedness functions.

Part one of the proposed change is designed to achieve high assurance that the systems are protected from cyber attacks. The Plan itself does not require any plant modifications. However, the Plan does describe how plant modifications, which involve digital computer systems are reviewed to provide high assurance of adequate protection against cyber attacks, up to and including the design

LIC-09-0092 Page 4 basis threat as defined in the Rule. The proposed change does not alter the plant configuration, require new plant equipment to be installed, alter accident analysis assumptions, add any initiators, or affect the function of plant systems or the manner in which systems are operated, maintained, modified, tested, or inspected. The first part of the proposed change is designed to achieve high assurance that the systems within the scope of the Rule are protected from cyber attacks and has no impact on the probability or consequences of an accident previously evaluated.

The second part of the proposed change is an Implementation Schedule. The third part renumbers and adds a sentence to the existing FOL license condition for physical protection. Both of these changes are administrative and have no impact on the probability or consequences of an accident previously evaluated.

Therefore, it is concluded that this change does not involve a significant increase in the probability or consequences of an accident previously evaluated.

Criterion 2: The proposed change does not create the possibility of a new or different kind of accident from any accident previously evaluated.

The proposed change is required by § 73.54 and includes three parts. The first part is the submittal of the Plan for NRC review and approval. The Plan conforms to the template provided by NEI 08-09 and provides a description of how the requirements of the Rule will be implemented at FCS. The Plan establishes the licensing basis for the FCS/OPPD Cyber Security Program for FCS. The Plan establishes how to achieve high assurance that nuclear power plant digital computer and communication systems and networks associated with the following are adequately protected against cyber attacks up to and including the design basis threat:

1. Safety-related and important-to-safety functions,
2. Security functions,
3. Emergency preparedness functions including offsite communications, and
4. Support systems and equipment which if compromised, would adversely impact safety, security, or emergency preparedness functions.

Part one of the proposed change is designed to achieve high assurance that the systems within the scope of the Rule are protected from cyber attacks. The Plan itself does not require any plant modifications. However, the Plan does describe how plant modifications involving digital computer systems are reviewed to provide high assurance of adequate protection against cyber attacks, up to and including the design basis threat defined in the Rule. The proposed change does not alter the plant configuration, require new plant equipment to be installed, alter accident analysis assumptions, add any initiators, or affect the function of plant

LIC-09-0092 Page 5 systems or the manner in which systems are operated, maintained, modified, tested, or inspected. The first part of the proposed change is designed to achieve high assurance that the systems within the scope of the Rule are protected from cyber attacks and does not create the possibility of a new or different kind of accident from any previously evaluated.

The second part of the proposed change is an Implementation Schedule. The third part renumbers and adds a sentence to the existing FOL license condition for physical protection. Both of these changes are administrative and do not create the possibility of a new or different kind of accident from any previously evaluated.

Therefore, the proposed change does not create the possibility of a new or different kind of accident from any previously evaluated.

Criterion 3: The proposed change does not involve a significant reduction in a margin of safety.

The proposed change is required by § 73.54 and includes three parts. The first part is the submittal of the Plan for NRC review and approval. The Plan conforms to the template provided by NEI 08-09 and provides a description of how the requirements of the Rule will be implemented at FCS. The Plan establishes the licensing basis for the OPPD Cyber Security Program for FCS.

The Plan establishes how to achieve high assurance that nuclear power plant digital computer and communication systems and networks associated with the following are adequately protected against cyber attacks up to and including the design basis threat:

1. Safety-related and important-to-safety functions,
2. Security functions,
3. Emergency preparedness functions including offsite communications, and
4. Support systems and equipment which if compromised, would adversely impact safety, security, or emergency preparedness functions.

Part one of the proposed change is designed to achieve high assurance that the systems within the scope of the Rule are protected from cyber attacks. Plant safety margins are established through Limiting Conditions for Operation, Limiting Safety System Settings and Safety Limits specified in the Technical Specifications. Because there is no change to these established safety margins, the proposed change does not involve a significant reduction in a margin of safety.

The second part of the proposed change is an Implementation Schedule. The third part adds a sentence to the existing FOL license condition for physical protection. Both of these changes are administrative and do not involve a

LIC-09-0092 Page 6 significant reduction in a margin of safety.

Therefore, the proposed change does not involve a significant reduction in a margin of safety.

Based on the above, OPPD concludes that the proposed change presents no significant hazards consideration under the standards set forth in 10 CFR 50.92(c), and accordingly, a finding of no significant hazards consideration is justified.

4.3 CONCLUSION

In conclusion, based on the considerations discussed above: (1) there is reasonable assurance that the health and safety of the public will not be endangered by operation in the proposed manner; (2) such activities will be conducted in compliance with the Commission's regulations; and (3) the issuance of the amendment will not be inimical to the common defense and security or to the health and safety of the public.

5.0 ENVIRONMENTAL CONSIDERATION

The proposed amendment establishes the licensing basis for a Cyber Security Program for FCS and will be a part of the physical security plan. This proposed amendment will not involve any significant construction impacts. Pursuant to 10 CFR 51.22(b)(12), no environmental impact statement or environmental assessment need be prepared in connection with the issuance of the amendment.

6.0 REFERENCES

1. Federal Register Notice, Final Rule 10 CFR Part 73, Power Reactor Security Requirements, published on March 27, 2009, 74 FR 13926
2. EA-02-026, Order Modifying Licenses, Safeguards and Security Plan Requirements, issued February 25, 2002
3. Nuclear Energy Institute 08-09 [Rev. 3], Cyber Security Plan for Nuclear Power Reactors, dated September 2009

LIC-09-0092, Attachment 1 Page 1 Proposed Facility Operating License Change (Mark-Up)

(4)

Pursuant to the Act and 10 CFR Parts 30, 40 and 70, to receive, possess, and use in amounts as required any byproduct, source, or special nuclear material without restriction to chemical or physical form for sample analysis or instrument calibration or when associated with radioactive apparatus or components; (5)

Pursuant to the Act and 10 CFR Parts 30 and 70, to possess, but not separate, such byproduct and special nuclear materials as may be produced by operation of the facility.

3.

This renewed license shall be deemed to contain and is subject to the conditions specified in the following Commission regulations in 10 CFR Chapter 1: Part 20, Section 30.34 of Part 30, Section 40.41 of Part 40, Section 50.54 and 50.59 of Part 50, and Section 70.32 of Part 70; and is subject to all applicable provisions of the Act and to the rules, regulations, and orders of the Commission now or hereafter in effect; and is subject to the additional conditions specified or incorporated below:

A. Maximum Power Level Omaha Public Power District is authorized to operate the Fort Calhoun Station, Unit 1, at steady state reactor core power levels not in excess of 1500 megawatts thermal (rate power).

B. Technical Specifications The Technical Specifications contained in Appendix A, as revised through Amendment No. 263, are hereby incorporated in the license. Omaha Public Power District shall operate the facility in accordance with the Technical Specifications.

C. Security and Safeguards Contingency Plans (1) The Omaha Public Power District shall fully implement and maintain in effect all provisions of the Commission-approved physical security, training and qualification, and safeguards contingency plans including amendments made pursuant to provisions of the Miscellaneous Amendments and Search Requirements revisions to 10 CFR 73.55 (51 FR 27817 and 27822) and to the authority of 10 CFR 50.90 and 10 CFR 50.54(p). The plans, which contain Safeguards Information protected under 10 CFR 73.21, are entitled: "Fort Calhoun Station Security Plan, Training and Qualification Plan, Safeguards Contingency Plan," submitted by letter dated May 19, 2006.

(2) The Omaha Public Power District shall fully implement and maintain in effect all provisions of the Commission-approved cyber security plan submitted by letter dated November 16, 2009 and withheld from public disclosure in accordance with10 CFR § 2.390.

Renewed Operating License No. DPR-40 Amendment No. 263

LIC-09-0092, Attachment 2 Page 1 Proposed Facility Operating License Change (Re-Typed)

(4)

Pursuant to the Act and 10 CFR Parts 30, 40 and 70, to receive, possess, and use in amounts as required any byproduct, source, or special nuclear material without restriction to chemical or physical form for sample analysis or instrument calibration or when associated with radioactive apparatus or components; (5)

Pursuant to the Act and 10 CFR Parts 30 and 70, to possess, but not separate, such byproduct and special nuclear materials as may be produced by operation of the facility.

3.

This renewed license shall be deemed to contain and is subject to the conditions specified in the following Commission regulations in 10 CFR Chapter 1: Part 20, Section 30.34 of Part 30, Section 40.41 of Part 40, Section 50.54 and 50.59 of Part 50, and Section 70.32 of Part 70; and is subject to all applicable provisions of the Act and to the rules, regulations, and orders of the Commission now or hereafter in effect; and is subject to the additional conditions specified or incorporated below:

A. Maximum Power Level Omaha Public Power District is authorized to operate the Fort Calhoun Station, Unit 1, at steady state reactor core power levels not in excess of 1500 megawatts thermal (rate power).

B. Technical Specifications The Technical Specifications contained in Appendix A, as revised through Amendment No. 263, are hereby incorporated in the license. Omaha Public Power District shall operate the facility in accordance with the Technical Specifications.

C. Security and Safeguards Contingency Plans (1) The Omaha Public Power District shall fully implement and maintain in effect all provisions of the Commission-approved physical security, training and qualification, and safeguards contingency plans including amendments made pursuant to provisions of the Miscellaneous Amendments and Search Requirements revisions to 10 CFR 73.55 (51 FR 27817 and 27822) and to the authority of 10 CFR 50.90 and 10 CFR 50.54(p). The plans, which contain Safeguards Information protected under 10 CFR 73.21, are entitled: "Fort Calhoun Station Security Plan, Training and Qualification Plan, Safeguards Contingency Plan," submitted by letter dated May 19, 2006.

(2) The Omaha Public Power District shall fully implement and maintain in effect all provisions of the Commission-approved cyber security plan submitted by letter dated November 16, 2009 and withheld from public disclosure in accordance with10 CFR § 2.390.

Renewed Operating License No. DPR-40 Amendment No. 263

Retrieved from "https://kanterella.com/w/index.php?title=LIC-09-0092,_License_Amendment_Request_(Lar),_Request_for_Approval_of_the_Fcs/Oppd_Cyber_Security_Plan&oldid=5307796"