ML103550152
| ML103550152 | |
| Person / Time | |
|---|---|
| Site: | River Bend  |
| Issue date: | 12/21/2010 |
| From: | Wang A Plant Licensing Branch IV |
| To: | Burmeister B, Lorfing D Entergy Operations |
| Wang, A B, NRR/DORL/LPLIV, 415-1445 | |
| References | |
| TAC ME4369 | |
| Download: ML103550152 (2) | |
Text
From:
Wang, Alan Sent:
Monday, December 20, 2010 9:39 PM To:
BURMEISTER, BARRY M; David Lorfing (DLorfin@entergy.com)
Cc:
FOUNTAIN, WILLIAM J; Burkhardt, Janet; Lent, Susan
Subject:
RBS Cyber Security Plan (ME4639)
Dave and Barry, By letter dated November July 22, 2010 (Agencywide Documents Access and Management System, Accession No. ML102100188), Entergy Operations, Inc. (the licensee), resubmitted a request to amend the Facility Operating License No. 47) for River Bend Station (RBS), Unit 1.
The licensee requested approval of the RBS Cyber Security Plan (CSP), provided a proposed CSP Implementation Schedule, and included a proposed revision to the Facility Operating License to incorporate the provisions for implementing and maintaining in effect the provisions of the approved CSP. The licensee stated that the amendment request was based on a generic template developed by the Nuclear Energy Institute (NEI) in concert with the industry.
The U.S. Nuclear Regulatory Commission (NRC) staff has determined that the following additional information is needed for the NRC staff to complete our review of the CSP and the proposed CSP Implementation Schedule. This request was discussed with William Fountain of your staff on December 20, 2010, and it was agreed that a response would be provided by February 15, 2011. In addition, the licensee stated it would provide supplemental information regarding 1) scope of systems, 2) the implementation schedule, and 3) record retention. If circumstances result in the need to revise the requested response date, please contact me at (301) 415-1445 or via e-mail at Alan.Wang@nrc.gov.
The following requests for additional information (RAIs) are related to CSP Section 4, Establishing, Implementing, And Maintaining The Cyber Security Program.
RAI 1 Defense-in-Depth Protective Strategies - Critical Digital Asset (CDA) Isolation Strategies Title 10 of the Code of Federal Regulations (10 CFR) Section 73.54(c)(2) requires the licensee to apply and maintain defense-in-depth protective strategies to ensure the capability to detect, respond to, and recover from cyber attacks. Section 4.3, Defense-in-Depth Protective Strategies, of the River Bend Station CSP states in several instances when referring to protections which isolate or secure CDAs within various cyber security defensive levels, that boundaries may be secured via an air gap or deterministic one-way isolation device such as a data diode or hardware VPN [virtual private network].
Please clarify how hardware VPNs will sufficiently protect CDAs within defensive boundaries, including an explanation of the technical configurations that would enable it to mimic the capabilities of a deterministic one-way isolation device.
RAI Defense-in-Depth Protective Strategies - Protection of CDAs Associated with Emergency Preparedness Functions Section 73.54(a)(1) of 10 CFR requires that The licensee shall protect digital computer and communication systems and networks associated with (iii) Emergency preparedness
functions, including offsite communications; and (iv) Support systems and equipment which, if compromised, would adversely impact safety, security, or emergency preparedness functions.
Section 4.3, Defense in Depth Protective Strategies of the River Bend Station CSP, in describing its site defensive model, states that CDAs that are not required to be within Level 4 due to their safety or security significance, and that perform security or Emergency Plan functions and security or Emergency Plan data acquisition or that perform safety monitoring, are within Level 3. Furthermore, the CSP states that CDAs that are not required to be in at least Level 3 and that perform or support Emergency Plan functions are within Level 2.
The CSP does not indicate which protective strategies will be implemented for CDAs that perform Emergency Preparedness functions. Please clarify: (1) the distinction between CDAs that perform Emergency Planning and Emergency Preparedness functions; and (2) which protective strategies will be implemented for CDAs that perform emergency preparedness functions.
Alan Wang Project Manager (River Bend Station)
Nuclear Regulatory Commission Division of Operating Reactor Licensing