Issuance of Amendment Cyber Security Plan Implementation Schedule (Tac No. MF4366)

ML15096A043
Person / Time
Site:	Fermi
Issue date:	05/07/2015
From:	Jennivine Rankin Plant Licensing Branch III
To:	Fessler P DTE Electric Company
Rankin J
References
TAC MF4366
Download: ML15096A043 (14)
v • d • e

Text

UNITED STATES NUCLEAR REGULATORY COMMISSION WASHINGTON, D.C. 20555-0001 May 7, 2015 Paul Fessler Senior Vice President and Chief Nuclear Officer DTE Electric Company Fermi 2 - 210 NOC 6400 North Dixie Highway Newport, Ml 48166

SUBJECT:

FERMI 2 - ISSUANCE OF AMENDMENT RE: CYBER SECURITY PLAN IMPLEMENTATION SCHEDULE (TAC NO. MF4366)

Dear Mr. Fessler:

The U.S. Nuclear Regulatory Commission has issued the enclosed Amendment No. 200 to Facility Operating License No. NPF-43 for the Fermi 2 facility. The amendment consists of changes to the facility operating license in response to your application dated July 2, 2014.

The amendment revises the schedule for full implementation of the cyber security plan (CSP) and revises Paragraph 2.E of Facility Operating License No. NPF-43 for Fermi 2, to incorporate the revised CSP implementation schedule.

A copy of our safety evaluation is also enclosed. The Notice of Issuance will be included in the Commission's biweekly Federal Register notice.

Docket No. 50-341

Enclosures:

1. Amendment No. 200 to NPF-43

2. Safety Evaluation cc w/encls: Distribution via ListServ Sincerely,

)-"\\~~2""--- -

Jehnivine K. Rankin, Project Manager Plant Licensing Branch 111-1 Division of Operating Reactor Licensing Office of Nuclear Reactor Regulation

UNITED STATES NUCLEAR REGULATORY COMMISSION WASHINGTON, D.C. 20555-0001 DTE ELECTRIC COMPANY DOCKET NO. 50-341 FERMI 2 AMENDMENT TO FACILITY OPERATING LICENSE Amendment No. 200 License No. NPF-43

1.

The U.S. Nuclear Regulatory Commission (the Commission) has found that:

A.

The application for amendment by the DTE Electric Company (DTE, the licensee) dated July 2, 2014, complies with the standards and requirements of the Atomic Energy Act of 1954, as amended (the Act), and the Commission's rules and regulations set forth in 10 CFR Chapter I; B.

The facility will operate in conformity with the application, the provisions of the Act, and the rules and regulations of the Commission; C.

There is reasonable assurance (i) that the activities authorized by this amendment can be conducted without endangering the health and safety of the public, and (ii) that such activities will be conducted in compliance with the Commission's regulations; D.

The issuance of this amendment will not be inimical to the common defense and security or to the health and safety of the public; and E.

The issuance of this amendment is in accordance with 10 CFR Part 51 of the Commission's regulations and all applicable requirements have been satisfied.

2.

Accordingly, the license is amended by changes as indicated in the attachment to this license amendment, and paragraph 2.E of Facility Operating License No. NPF-43 is hereby amended to read, in part, as follows:

The licensee shall fully implement and maintain in effect all provisions of the Commission-approved cyber security plan (CSP), including changes made pursuant to the authority of 10 CFR 50.90 and 10 CFR 50.54(p).

The Fermi 2 CSP was approved by License Amendment No. 185, as supplemented by License Amendment 200.

3.

This license amendment is effective as of its date of issuance and shall be implemented within 60 days. The full implementation of the CSP shall be in accordance with the implementation schedule submitted by the licensee on July 2, 2014, and approved by the NRC with this license amendment. All subsequent changes to the NRC-approved CSP implementation schedule will require NRC approval pursuant to 10 CFR 50.90.

Attachment:

Changes to the Facility Operating License Date of Issuance: May 7, 2015 FOR THE NUCLEAR REGULATORY COMMISSION avid L. Pelton, Chief Plant Licensing Branch 111-1 Division of Operating Reactor Licensing Office of Nuclear Reactor Regulation

ATTACHMENT TO LICENSE AMENDMENT NO. 200 FACILITY OPERATING LICENSE NO. NPF-43 DOCKET NO. 50-341 Replace the following page of the Facility Operating License with the attached revised page.

The revised page is identified by amendment number and contains a marginal line indicating the area of change.

REMOVE INSERT D.

Exemptions from certain requirements of Appendices E and J to 10 CFR Part 50, are described in supplements to the SER. These include: (a) an exemption from the requirement of Section IV.F of Appendix E that a full participation *emergency planning exercise be conducted within one year before issuance of the first operating license for full power and prior to operation above five percent of rated power (Section 13.3 of SSER #6); (b) an exemption from the requirement of Paragraph lll.C.2(b) of Appendix J, the testing of the main steam isolation valves at the peak calculated containment pressure associated with the design basis accident (Section 6.2.7 of SSER #5); and (c) an exemption from the requirement of Paragraph lll.D.2(b)(ii) of Appendix J, the testing of containment air locks at times when containment integrity is not required (Section 6.2.7 of SSER #5).

These exemptions are authorized by law and will not endanger life or property or the common defense and security and are otherwise in the public interest.

Therefore, these exemptions are hereby granted pursuant to 10 CFR 50.12.

With the granting of these exemptions, the facility will operate, to the extent authorized herein, in conformity with the application, as amended, the provisions of the Act, and the rules and regulations of the Commission.

E.

The licensee shall fully implement and maintain in effect all provisions of the Commission-approved physical security, training and qualification, and safeguards contingency plans including amendments made pursuant to provisions of the Miscellaneous Amendments and Search Requirements revisions to 10 CFR 73.55 (51 FR 27817 and 27822) and to the authority of 10 CFR 50.90 and 10 CFR 50.54(p). The plans, which contain Safeguards Information protected under 10 CFR 73.21, are entitled: "Fermi 2 Physical Security Plan, Security Training and Qualification Plan, and Safeguards Contingency Plan" submitted by letter dated September 9, 2004, and supplemented on October 7, 2004, and October 14, 2004, November 18, 2005, and May 18, 2006. The licensee shall fully implement and maintain in effect all provisions of the Commission-approved cyber security plan (CSP),

including changes made pursuant to the authority of 10 CFR 50. 90 and 10 CFR 50.54(p). The Fermi 2 CSP was approved by License Amendment No. 185, as supplemented by License Amendment 200.

F.

Deleted G.

The licensees shall have and maintain financial protection of such type and in such amounts as the Commission shall require in accordance with Section 170 of the Atomic Energy Act of 1954, as amended, to cover public liability claims.

Amendment No. ~

200

UNITED STAlES NUCLEAR REGULATORY COMMISSION WASHINGTON, D.C. 20555-0001 SAFETY EVALUATION BY THE OFFICE OF NUCLEAR REACTOR REGULATION RELATED TO AMENDMENT NO. 200 TO FACILITY OPERATING LICENSE NO. NPF-43 DTE ELECTRIC COMPANY FERMI 2 DOCKET NO. 50-341

1.0 INTRODUCTION

By application dated July 2, 2014 (Agencywide Documents Access and Management System (ADAMS) Accession No. ML14183B528), the DTE Electric Company (DTE, the licensee) requested a change to the facility operating license (FOL) for Fermi 2. The proposed change would revise the date of Cyber Security Plan (CSP) Implementation Schedule Milestone 8 and Paragraph 2.E in the facility operating license. Milestone 8 of the CSP implementation schedule concerns the full implementation of the CSP.

Portions of the letter dated July 2, 2014, contain sensitive unclassified non-safeguards information and, accordingly, those portions are withheld from public disclosure in accordance with Title 10 of the Code of Federal Regulations (10 CFR), Section 2.390(d)(1 ).

2.0 REGULATORY EVALUATION

The U.S. Nuclear Regulatory Commission (NRC) staff reviewed and approved the licensee's existing CSP implementation schedule by License Amendment No. 185 to FOL No. NPF-43 for Fermi 2, concurrent with the incorporation of the CSP into the facility's current licensing basis.

The NRC staff considered the following regulatory requirements and guidance in its review of the license amendment request (LAR) to modify the existing CSP implementation schedule:

10 CFR 73.54, "Protection of digital computer and communication systems and networks," which states, in part:

Each [CSP] submittal must include a proposed implementation schedule.

Implementation of the licensee's cyber security program must be consistent with the approved schedule.

The license condition in the FOL Paragraph 2.E that requires the licensee to fully implement and maintain in effect all provisions of the Commission-approved CSP.

Review criteria provided by the NRC staff's internal memorandum, "Review Criteria for Title 1 O of the Code of Federal Regulations Part 73.54, Cyber Security Implementation Schedule Milestone 8 License Amendment Requests," dated October 24, 2013 (ADAMS Accession No. ML13295A467), to be considered for evaluating licensees' requests to postpone their CSP implementation date (commonly known as Milestone 8).

The NRC staff does not regard the CSP milestone implementation dates as regulatory commitments that can be changed unilaterally by the licensee, particularly in light of the regulatory requirement of 10 CFR 73.54, that states, in part, "Implementation of the licensee's cyber security program must be consistent with the approved schedule." As the NRC staff explained in its letter to all operating reactor licensees dated May 9, 2011 (ADAMS Accession No. ML110980538), the implementation of the plan, including the key intermediate milestone dates and the full implementation date, shall be in accordance with the implementation schedule submitted by the licensee and approved by the NRC. All subsequent changes to the NRC-approved CSP implementation schedule, thus, require prior NRC approval as required by 10 CFR 50.90.

3.0 TECHNICAL EVALUATION

3.1 Licensee's Requested Change The NRC staff issued Amendment No. 185 to FOL NPF-43 for Fermi 2 by letter dated July 28, 2011. This amendment approved the CSP and associated implementation schedule, and added a license condition requiring the licensee to fully implement and maintain the Commission-approved CSP. The implementation schedule was based on a template prepared by the Nuclear Energy Institute (NEI), which was transmitted to the NRC by letter dated February 28, 2011 (ADAMS Accession No. ML110600206.) By letter dated March 1, 2011, the NRC staff found the NEI template acceptable for licensees to use to develop their CSP implementation schedules (ADAMS Accession No. ML110070348). The licensee's proposed implementation schedule for the CSP identified completion dates and bases for the following eight milestones:

1) Establish the Cyber Security Assessment Team (CSAT);

2) Identify Critical Systems (CSs) and Critical Digital Assets (CDAs);

3) Install a deterministic one-way device between lower level devices and a firewall between higher level devices;

4) Implement the security control "Access Control For Portable And Mobile Devices";

5) Implement observation and identification of obvious cyber-related tampering to existing insider mitigation rounds;

6) Identify, document, and implement cyber security controls in accordance with "Mitigation of Vulnerabilities and Application of Cyber Security Controls" for CDAs that could adversely impact the design function of physical security target set equipment;

7) Ongoing monitoring and assessment activities for those target set CDAs whose security controls have been implemented; and

8) Fully implement the CSP.

Currently, Milestone 8 of the licensee's CSP requires the licensee to fully implement the CSP by December 31, 2015. In its July 2, 2014, application, DTE requested to change the Milestone 8 completion date to December 31, 2017.

The licensee provided the following information pertinent to each of the criteria identified in the NRG guidance memorandum dated October 24, 2013 (ADAMS Accession No. ML13295A467).

1.

Identification of the specific requirement or requirements of the cyber security plan that the licensee needs additional time to implement.

The licensee stated that the CSP requirement requiring additional time to implement is CSP Section 3.1, "Analyzing Digital Computer Systems and Networks and Applying Cyber Security Controls." Additional time is needed for tasks including CDA assessment, design, planning, and scheduling of remediation activities, change management, and training.

2.

Detailed justification that describes the reason the licensee requires additional time to implement the specific requirement or requirements identified.

The licensee stated that it is experiencing several challenges meeting the current implementation date for Milestone 8 and described the following specific challenges to justify requiring additional time. The licensee described that the CDA assessment work is resource intensive and stated the following:

Fermi 2 has identified over 1,000 CDAs. While some of these CDAs can be grouped to reduce assessment burden, completing assessments using the Section 3.1.6 methodology is resource intensive.

The large number of CDAs (over 1,000 at Fermi 2) has resulted in a significant level of effort to complete tabletop reviews and validation testing described in Section 3.1.5 of NEI 08-09, Revision 6.

The licensee also identified that the technical bases for required remediation activities need to be well-defined and provided a clear safety benefit, which would require additional time. The licensee stated the following:

Plant modifications must be carefully implemented to ensure they do not impact plant safety and operation.

CDA security control modifications are new to both plant personnel and equipment suppliers.

DTE has experienced challenges with cyber security equipment supplier's understanding of their own products and their limitations. These challenges have resulted in delays in the implementation of the CSP. Additionally, suppliers are releasing products that have not been adequately documented and tested, which results in corrective action investigations and potential regulatory compliance challenges.

In addition, the licensee described challenges that have been encountered during incorporation of Cyber Security Controls in the plant processes. The licensee provided the following as examples of some of the challenges:

Cyber security is challenging because it requires integration with daily plant operations, maintenance, engineering, and procurement activities.

Integration of cyber security controls is taking longer than expected due to impacts on the work control process and maintenance activities.

Cyber security for plant CDAs is new, and the security controls being implemented on the plant CDAs are new to Maintenance, System Engineering, and Operations. Modifications must be implemented with careful planning to ensure safe reliable operation of plant equipment. Before modifications are implemented, significant verification analysis and testing must be performed to minimize potential impacts to plant equipment.

Lastly, the licensee described how training requirements for new programs, processes, and procedures are more extensive than originally anticipated. The licensee stated the following:

Site training needs and schedules are normally established up to a year in advance and are presented to, and approved by, Fermi 2 training review committees. Cyber security training adds a new burden on training resources that was not fully understood when the new cyber-related processes and procedures were first being developed. Cyber security training needs can be accommodated outside of normal training cycles, but this adds an unanticipated burden on training resources.

3.

A proposed completion date for Milestone 8 is consistent with the remaining scope of work to be conducted and the resources available.

DTE is requesting a change to the Milestone 8 completion date from December 31, 2015, to December 31, 2017. The licensee stated that the additional time will be used to perform the following:

[C]omplete CDA assessments; define required remediation scope; develop final design modifications that address assessment gaps; plan and schedule modification installation and testing; revise assessment procedures; develop new program procedures to complete full implementation of the cyber security program; and complete training.

The revised implementation period also includes an additional refueling outage, which would provide sufficient time to plan and incorporate the necessary design changes identified as a result of the CDA assessments.

4.

An evaluation of the impact that the additional time to implement the requirements will have on the effectiveness of the licensee's overall cyber security program in the context of milestones already completed.

The licensee stated the following:

Based on the cyber security implementation activities already completed and the progress of current implementation activities, Fermi 2 is secure and will continue to ensure that digital computer and communication systems and networks are adequately protected against cyber attacks during implementation of the remainder of the program by the proposed [Milestone) 8 date of December 31, 2017.

CSP actions taken to date will not be impacted by the proposed LAR. DTE has completed implementation of the interim milestones 1 thru 7 and continues to improve the protection provided via these interim milestone activities as further guidance and industry experience becomes available. The completed activities provide a high degree of protection against cyber security attacks while Fermi 2 implements the full program.

The licensee provided additional details about implementation of each milestone.

5.

A description of the licensee's methodology for prioritizing completion of work for critical digital assets associated with significant safety consequences and with reactivity effects in the balance of plant.

The licensee stated the following:

DTE's methodology for prioritizing [Milestone] 8 activities is based on installed configuration of the CDAs and considerations for safety, security, emergency preparedness, and Balance of Plant (BOP) consequences (continuity of power).

Priorities are generally assigned in the following order;

1. Safety-related and important-to-safety CDAs,

2. Security related CDAs,

3. Support system CDAs, control function CDAs, and BOP CDAs that affect power generation,

4. Emergency Preparedness CDAs, including offsite communications, and

5. Remaining BOP CDAs.

6.

A discussion of the licensee's cyber security program performance up to the date of the license amendment request.

The licensee stated the following:

Interim CSP milestones 1 through 7 actions were successfully completed by December 31, 2012. DTE continues to improve the protection provided via these interim milestone activities as further guidance and industry experience become available. These actions provide a high degree of protection against cyber security related attacks while full program actions to provide defense-in-depth protection are in progress.

The licensee provided a discussion of two self-assessments that verified that CSP Milestones 1 through 7 were adequately implemented, and a Nuclear Quality Assurance Audit that verified that the CSP implementation to date is adequate. Program deficiencies discovered through these audits were tracked in the Corrective Action Program (CAP), and subsequently corrected.

7.

A discussion of cyber security issues pending in the licensee's CAP.

The licensee stated the following:

Fermi 2 uses the site Corrective Action Program (CAP) to document cyber issues in order to trend, correct, and improve the Fermi 2 Cyber Security Program. The CAP database documents and tracks, from initiation through closure, CSP required actions including issues identified during on-going program assessment activities. Adverse trends are monitored for program improvement and addressed via the CAP process.

The licensee provided examples of CSP activities currently tracked in the CAP.

8.

A discussion of modifications completed to support the cyber security program and a discussion of pending cyber security modifications.

The licensee provided a brief discussion of completed and pending modifications.

3.2

NRC Staff Evaluation

The NRC staff has evaluated the licensee's application using the regulatory requirements and guidance discussed in Section 2.0 of this safety evaluation. The NRC staff's evaluation is below.

The licensee stated in its application that the large number of CDAs (over 1,000) is a primary reason that an extension is needed for the Milestone 8 implementation date. The NRC staff has had extensive interaction with the nuclear industry since licensees first developed their CSP implementation schedules. Based on this interaction, the NRC staff recognizes that CDA assessment work is much more complex and resource-intensive than originally anticipated, and that, consequently, the implementation requires a large number of additional tasks not originally considered. There are implementation challenges caused by the need to address security controls for each CDA. Thus, the NRC staff concludes that the licensee will not be able to fully implement its CSP by December 31, 2015. Delaying final implementation of the CSP will provide the time required to complete the implementation safely and thoroughly.

In addition, the NRC staff finds that the licensee is using the tools at its disposal to prioritize, implement, verify, and improve the CSP. The licensee's application describes a functioning CAP, and demonstrates that the licensee's progress toward full implementation is adequate.

Based on the licensee's effective use self-assessments and audits in conjunction with the CAP, there is evidence that the impact of the requested additional implementation time on the overall CSP will be sufficiently managed.

3.3 Technical Evaluation Conclusion

The NRC staff concludes that the licensee's request to delay full implementation of its CSP until December 30, 2017, is acceptable for the following reasons: (i) the licensee's implementation of Milestones 1 through 7 provides mitigation for cyber attacks; and (ii) the scope of the work required to come into full compliance with the CSP implementation schedule was much more than anticipated and not reasonable foreseeable when the CSP implementation schedule was originally developed; and (iii) the licensee is utilizing tools to sufficiently manage the impact of the requested additional implementation time on the overall CSP.

3.4 Revision to License Condition 2.E By letter dated July 2, 2014, the licensee proposed to modify Paragraph 2.E of FOL No. NPF-43, which includes a license condition to require the licensee to fully implement and maintain in effect all provisions of the NRG-approved CSP.

The current license condition in Paragraph 2.E of FOL No. NPF-43 for Fermi 2 states, in part:

The licensee shall fully implement and maintain in effect all provisions of the Commission-approved cyber security plan (CSP), including changes made pursuant to the authority of 10 CFR 50.90 and 10 CFR 50.54(p). The Fermi 2 CSP was approved by License Amendment No. 185.

The license condition in Paragraph 2. E of FOL No. NPF-43 for Fermi 2 would state, in part:

The licensee shall fully implement and maintain in effect all provisions of the Commission-approved cyber security plan (CSP), including changes made pursuant to the authority of 10 CFR 50.90 and 10 CFR 50.54(p). The Fermi 2 CSP was approved by License Amendment No. 185, as supplemented by License Amendment 200.

4.0 STATE CONSULTATION

In accordance with the Commission's regulations, the Michigan State official was notified of the proposed issuance of the amendment. The State official had no comments.

5.0 ENVIRONMENTAL CONSIDERATION

This is an amendment to a 10 CFR Part 50 license that relates solely to safeguards matters and does not involve any significant construction impacts. This amendment is an administrative change to extend the date by which the licensee must have its CSP fully implemented.

Accordingly, this amendment meets the eligibility criteria for categorical exclusion set forth in 10 CFR 51.22(c)(12). Pursuant to 10 CFR 51.22(b), no environmental impact statement or environmental assessment need be prepared in connection with the issuance of this amendment.

6.0 CONCLUSION

The Commission has concluded, based on the considerations discussed above, that: (1) there is reasonable assurance that the health and safety of the public will not be endangered by operation in the proposed manner, (2) there is reasonable assurance that such activities will be conducted in compliance with the Commission's regulations, and (3) the issuance of the amendment will not be inimical to the common defense and security or to the health and safety of the public.

Principal Contributor: John Rycyna, NSIR Date: May 7, 2015

ML15096A043 OFFICE DORL/LPL3-1 /PM DORL/LPL3-1 /PM DORL/LPL3-1/LA NSIR/CSD/DD NAME ADietrich JRankin MHenderson RFelts DATE 03/31/2015 04/13/2015 04/09/2015 04/22/2015 OFFICE OGC DORL/LPL3-1 /BC DORL/LPL3-1 /PM NAME JMaltese DPelton JRankin DATE 04/30/2015 05/07/2015 05/07/2015