Advisory Committee on Reactor Safeguards Docket Number:   (n/a)

Location:         teleconference Date:             Friday, September 9, 2022 Work Order No.:   NRC-2076                         Pages 1-127 NEAL R. GROSS AND CO., INC.

1 1

2 3

4                              DISCLAIMER 5

6 7  UNITED STATES NUCLEAR REGULATORY COMMISSIONS 8        ADVISORY COMMITTEE ON REACTOR SAFEGUARDS 9

10 11          The contents of this transcript of the 12 proceeding of the United States Nuclear Regulatory 13 Commission Advisory Committee on Reactor Safeguards, 14 as reported herein, is a record of the discussions 15 recorded at the meeting.

16 17          This transcript has not been reviewed, 18 corrected, and edited, and it may contain 19 inaccuracies.

20 21 22 23 NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.

1 1                    UNITED STATES OF AMERICA 2                  NUCLEAR REGULATORY COMMISSION 3                                + + + + +

4                            698TH MEETING 5            ADVISORY COMMITTEE ON REACTOR SAFEGUARDS 6                                    (ACRS) 7                                + + + + +

8                                   FRIDAY 9                          SEPTEMBER 9, 2022 10                                + + + + +

11                  The     Advisory             Committee met         via 12 videoconference at 1:00 p.m., Joy L. Rempe, Chairman, 13 presiding.

14 15 COMMITTEE MEMBERS:

16            JOY L. REMPE, Chairman 17            WALTER L. KIRCHNER, Vice Chairman 18            DAVID A. PETTI, Member-at-Large 19            RONALD G. BALLINGER, Member 20            VICKI M. BIER, Member 21            CHARLES H. BROWN, JR., Member 22            VESNA B. DIMITRIJEVIC, Member 23            GREGORY H. HALNON, Member 24            JOSE A. MARCH-LEUBA, Member 25            MATTHEW W. SUNSERI, Member NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1716 14th STREET, N.W., SUITE 200 (202) 234-4433           WASHINGTON, D.C. 20009-4309     www.nealrgross.com

2 1 ACRS CONSULTANTS:

2            DENNIS BLEY 3            STEPHEN SCHULTZ 4

5 DESIGNATED FEDERAL OFFICIAL:

6            CHRISTOPHER BROWN 7

8 9

10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1716 14th STREET, N.W., SUITE 200 (202) 234-4433         WASHINGTON, D.C. 20009-4309     www.nealrgross.com

3 1                        P R O C E E D I N G S 2                                                                  1:00 p.m.

3                    CHAIRMAN REMPE:           Okay, it's 1:00 p.m. on 4 the East Coast, and we're back in session.                           And at 5 this time, I'd like to ask Member Ballinger to lead us 6 through the next topic.

7                    MEMBER     BALLINGER:               Thank   you,     Madam 8 Chairman.         The topics this afternoon are from SHINE 9 and the staff on cyber security, which is sprinkled 10 throughout the documents and Chapter 14 on technical 11 specifications.         Let's see.         The slides themselves, I 12 don't see any slides that are closed --

13                    CHAIRMAN REMPE:           Ron, your mic is not on.

14                    MEMBER BALLINGER:             Rewinding, thank you, 15 Madam Chair. And this afternoon we'll hear from SHINE 16 and     the   staff   on   cyber       security       and   Chapter       14 17 technical specifications.

18                    The schedule calls for a closed session if 19 needed.       I don't see any slides from either the staff 20 or SHINE that would be closed, so I suspect that 21 unless we make some -- part of the discussion results 22 in proprietary information being discussed, we will 23 not need to have a closed -- closed session.

24                    And let's see what else.                   I think that 25 pretty much -- pretty much does it.                       I'll think we'll NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1716 14th STREET, N.W., SUITE 200 (202) 234-4433           WASHINGTON, D.C. 20009-4309           www.nealrgross.com

4 1 do cyber security first, and it's up and the SHINE 2 folks are here.         So does the staff -- Josh, you want 3 to make any statement?

4                    MR. BORROMEO:             Sure, my name is Josh 5 Borromeo, I'm Chief of the NPUF Licensing Branch here 6 at the NRC.         So thank you, ACRS, for your continued 7 review on this project.             It's really important, and I 8 feel like we're working well together moving things 9 along.

10                    So today you'll hear about cyber security.

11 This is -- this is unique because it's the first time 12 we're applying cyber security to an NPUF.                     So this is 13 first time application of this.

14                    You'll also hear about tech specs today as 15 well.       The interesting thing about this part of the 16 review was we're merging the research test reactor 17 ANSI standard tech specs with the power reactor tech 18 specs.         So you'll hear aspects of that.

19                    And   then       the     last       thing that     we're 20 planning on -- well, SHINE is planning on discussing 21 today is software life cycle development.                       We wanted 22 to give you a head's up of where -- where that review 23 was going.

24                    The staff is still working on our safety 25 evaluation for that.               We're planning on presenting NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1716 14th STREET, N.W., SUITE 200 (202) 234-4433           WASHINGTON, D.C. 20009-4309         www.nealrgross.com

5 1 that at the October Subcommittee meeting, but we just 2 wanted to give you a head's up of a -- of a --

3                    MEMBER BALLINGER:               I think we have had 4 brief discussions on that in the past, right?

5                    MR. BORROMEO:             Yeah, yeah, so at the 6 Chapter 7 discussion, we touched on it.                     We'll touch 7 on it again today, and that'll -- that'll come after 8 the cyber discussion and the tech spec discussion.

9                    MEMBER BALLINGER:               And I just realized 10 that we are lacking a key participant in this. Member 11 Brown was here.

12                    MS. ANTONESCU: I will try to get in touch 13 with him, Ron.

14                    MEMBER BALLINGER:             Okay, thank you.

15                    MR. BORROMEO:         But that's all I have, and 16 thank you for --

17                    MEMBER BALLINGER:             Thank you. So I think 18 we should -- we should begin. And who's the presenter 19 for SHINE?

20                    MR. BARTELME:           Good afternoon, this is 21 Jeff Bartelme, I'll be -- I'll be presenting.

22                    MEMBER BALLINGER:             Oh, okay, all right, 23 okay.         Good enough.         All right, I think we can 24 proceed.

25                    MR. BARTELME:         Good afternoon again, this NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1716 14th STREET, N.W., SUITE 200 (202) 234-4433           WASHINGTON, D.C. 20009-4309       www.nealrgross.com

6 1 is Jeff Bartelme, SHINE's Director of Licensing, and 2 I'll be presenting on the cyber security plan.

3                    Just going to go over the outline here.

4 This       afternoon     we'll       be     discussion       requirements 5 related to the SHINE cyber security plan and SHINE's 6 consideration of cyber security through the design of 7 the SHINE facility.           Provide an overview of the SHINE 8 development plan.

9                    We'll discuss SHINE's approach to defining 10 consequences of concern.               Discuss SHINE's process for 11 identification of critical digital assets, or CDAs and 12 determination         of   their       associated         cyber   security 13 controls.         And then lastly we'll just touch on a 14 number of -- a couple of additional programmatic 15 considerations, which SHINE has incorporated into the 16 cyber security plan.

17                    In terms of requirements to develop plan, 18 there's       no   regulatory       requirement         for   a   medical 19 isotope production facility like SHINE to establish a 20 CDA-specific         cyber     security         plan,     nor   does       the 21 application guidance direct the development of such a 22 plan.         However, preventing or limiting unauthorized 23 physical and electronic access to digital assets has 24 been considered throughout the design of the SHINE 25 facility.

NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1716 14th STREET, N.W., SUITE 200 (202) 234-4433           WASHINGTON, D.C. 20009-4309         www.nealrgross.com

7 1                    Just to note a couple examples of these 2 considerations that are described in the licensing 3 basis.         PICS, the process integrated control system, 4 provides         information         to     the     facility     data       and 5 communications system via a one-way data diode such 6 that no inputs can be provides to the PICS from 7 offsite sources, as we described in the FSAR.

8                    MEMBER BROWN:             This is Charlie Brown.

9 Would you back up and repeat that for me again?

10                    MR. BARTELME: Sure. PICS, or the process 11 integrated control system, provides --

12                    MEMBER BROWN:             Let me ask my question 13 maybe a little clearer. The architecture diagram that 14 I looked at has the, you know, your TRPS systems and 15 the other systems isolated with the HIPS system, and 16 it     sends     data   up     to     the   PICS.         Are those     data 17 communications         also       isolated         from   the   operating 18 systems?

19                    MS. KOLB:         This is Catherine Kolb.               Your 20 question is -- is it -- is the question are the TRPS 21 and ESFAS systems separated from the PICS?                           Is that 22 the --

23                    MEMBER BROWN:             Oh, no, I know they're 24 separated.         They hit -- the one-line diagrams of the 25 architecture that you showed, which was just fine, NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1716 14th STREET, N.W., SUITE 200 (202) 234-4433           WASHINGTON, D.C. 20009-4309           www.nealrgross.com

8 1 okay, shows data going from about six different parts 2 of those systems, and with the little arrows that go 3 into the -- a box that's called the PICS, you know, 4 that's the process control stuff.

5                    And I just wondered if that was one-way 6 communication also at that point, that going into the 7 PICS general architecture, whatever it is.                           That was 8 my first question.

9                    MS. KOLB:         Yes,       this     is   Catherine.

10 Without,         you   know,       looking         at     the     diagram 11 specifically, there is communication from the TRPS and 12 ESFAS to the PICS.           There is some communication from 13 the PICS back to TRPS and ESFAS, you know, for -- for 14 different reasons.

15                    So it   does     --   it     doesn't     necessarily 16 communicate on the exact, you know, on the same -- on 17 the same variable in both directions.                           But the --

18 there is communication in both directions between 19 those systems.

20                    MEMBER BROWN: Okay, is that data, is that 21 hardwired stuff like switches to activate, or is that 22 literally instructions that are computer-driven?

23                    MS. KOLB:         The PICS system, you know, 24 without -- we're looking at the diagram that I think 25 you're         referring   to     right     now.         It   is   not     just NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1716 14th STREET, N.W., SUITE 200 (202) 234-4433           WASHINGTON, D.C. 20009-4309             www.nealrgross.com

9 1 hardwired switches.

2                  MEMBER BROWN:         Okay.

3                  MS. KOLB:       If there was an actuation in 4 the TRPS or ESFAS systems, the PICS would be used to 5 send       information,     you     know,       from   the   operator 6 interface in order to reset after an actuation.

7                  There is no mechanism for the TRPS or 8 ESFAS to do that independently without X.                     You know, 9 it -- I guess we, you know, we don't have all of the 10 right people in the room to discuss the details --

11                  MEMBER BROWN:         Okay, I got it.

12                  MS. KOLB:         TRPS       ESFAS   communication, 13 though.

14                  MR. GETCHIUS:           Charlie, this is Jamie 15 Getchius, Senior Licensing Engineer.

16                  MEMBER BROWN:         Yeah.

17                  MR. GETCHIUS:         If you're looking at that 18 diagram, the --

19                  MEMBER BROWN:         It's in my head right now, 20 I don't have it.

21                  MR. GETCHIUS: The lines that are shown in 22 red depict unidirectional communication.

23                  MEMBER BROWN:         Oh, that was --

24                  MR. GETCHIUS:         What is shown on the --

25                  MEMBER BROWN:           Yeah, they come out of NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1716 14th STREET, N.W., SUITE 200 (202) 234-4433           WASHINGTON, D.C. 20009-4309         www.nealrgross.com

10 1 what's called the M -- MICM or something like that.

2 I've forgotten what, it's a communication module for 3 the HIPS system.           And those were -- used to be they 4 were unidirectional back when we looked at it in 5 another project, and that's why I was asking the 6 question.

7                  MR. GETCHIUS:               And     they   are     still 8 unidirectional.

9                  MEMBER BROWN:           Okay, that's fine.               The 10 next question I had, I just wanted to hit this before 11 you went on through the rest of it.                         In a previous 12 conversation, the -- I asked about the PICS, because 13 it wasn't really discussed in the previous meeting.

14 You know, that's separate subcommittee meeting.

15                  And   it     was     mentioned         that   the     PICS 16 operates with an ethernet run throughout the PICS, 17 overall PICS setup. And I guess my question there was 18 is that ethernet system connected to the internet and, 19 you know, exterior, or is it only feeds internal stuff 20 and stuff within the PICS itself.

21                  MS. RADEL:       This is Tracy.           The PICS is 22 not connected to any kind of external networks or --

23                  MEMBER BROWN:           Well, the ethernet is --

24 it's       an internal   network         only     and   not   connected 25 external to the plant.

NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1716 14th STREET, N.W., SUITE 200 (202) 234-4433           WASHINGTON, D.C. 20009-4309           www.nealrgross.com

11 1                MS. RADEL:       Correct.

2                MEMBER BROWN:         Okay.

3                MEMBER BALLINGER:               We have a separate 4 subcommittee meeting on PICS.

5                MEMBER BROWN:           I know that, but we're 6 talking about cyber security.                     This is not cyber 7 security,     but it's     how   you       communicate     with       the 8 system. And therefore it embodies it if they connect, 9 so I'm just trying to connect the dots to make sure I 10 understand the picture of where you're flowing through 11 with you, you know, with your presentation, that's 12 all.

13                Go ahead, I'll -- you've calibrated me, 14 and that's what I was looking for.                     Thank you.

15                MR. GETCHIUS:             Okay.         A couple other 16 examples describe the licensing basis.                     Rack-mounted 17 HIPS equipment is installed within locked cabinets.

18 And access to TRPS and ESFAS safety-related control 19 systems via the maintenance work station is password 20 protected, as described in 74 -- Subsection 745 of the 21 FSAR.

22                MEMBER BROWN:         But that maintenance work 23 station, from what I understand reading the other 24 document was that's not connected out exterior either.

25 That's a standalone operation that just connects back NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1716 14th STREET, N.W., SUITE 200 (202) 234-4433         WASHINGTON, D.C. 20009-4309           www.nealrgross.com

12 1 into those systems.       Is that correct, is that correct 2 to understand?

3                MR. GETCHIUS:         That's correct.

4                MEMBER BROWN:         Okay, thank you.

5                MR. BARTELME:         All right, lastly physical 6 access to digital assets is controlled via the access 7 control strategy just described in the SHINE physical 8 security plan.

9                Following a regulatory audit of SHINE's 10 administrative and design controls for preventing or 11 limiting unauthorized physical and electronic access 12 to digital assets at the SHINE facility, the NRC staff 13 informed SHINE of the decision to impose via license 14 condition a requirement for SHINE to develop a CDA-15 specific cyber security plan and provided SHINE a 16 number of elements that the plan should consider, 17 including the sampling of elements shown on the -- on 18 the slide here.

19                The SHINE cyber security plan contains the 20 commitment for SHINE to establish, implement, and 21 maintain a cyber security program to detect, protect 22 against, and respond to a cyber attack capable of 23 causing a consequence of concern. Cyber security plan 24 documents the various, administrative, programmatic 25 controls to prevent or limit the unauthorized physical NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1716 14th STREET, N.W., SUITE 200 (202) 234-4433       WASHINGTON, D.C. 20009-4309     www.nealrgross.com

13 1 and electronic access to CDAs.

2                  As noted in this slide, SHINE defines a 3 CDA, or critical digital asset, as a digital asset for 4 which       no alternate     means       has     been   identified       to 5 prevent the associated consequence of concern.

6                  DR. BLEY:         Can I interrupt you?                 It's 7 Dennis Bley.       When you folks did this, do you have an 8 idea of how many critical digital assets you came up 9 with and how burdensome was this analysis?

10                  MR. BARTELME:           The analysis is ongoing.

11 We don't have that -- we're still working through the 12 CDA identification process.                 Don't have a number yet, 13 but burdensome, it's, you know, moderately burdensome.

14 There's a number of digital assets that I'm working 15 through the (audio interference) analysis.                         I think 16 more timely than we expected, but not --

17                  DR. BLEY:       And the rules NRC set up for 18 how you (audio interference) that's working pretty 19 well for you?

20                  MR. BARTELME:           I think, yeah, utilizing 21 the     guidance,   the     draft       guidance       for fuel     site 22 facilities       was   helpful       in,       you     know, in   working 23 through the process.

24                  DR. BLEY:       Okay, thanks.

25                  MEMBER HALNON:         This is Greg Halnon.             Can NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1716 14th STREET, N.W., SUITE 200 (202) 234-4433           WASHINGTON, D.C. 20009-4309         www.nealrgross.com

14 1 you explain just briefly how you came up with your 2 consequence of concern scenarios? I don't want you to 3 actually go into the consequence of concerns, but was 4 it a team effort, or was it a single effort, was it 5 the contractor, how did you that?

6                  MR. BARTELME:         We'll touch on that on the 7 next slide.

8                  MEMBER HALNON:           Oh, okay.

9                  MR. BARTELME:           To touch on there, SHINE 10 used the guidance of Draft Regulatory Guide DG-5062 11 and associated rulemaking documentation related to 12 cyber security at fuel site facilities to inform the 13 development of the SHINE cyber security plan.

14                  SHINE evaluated the fuel cycle facility-15 specific       guidance     and     incorporated       and   put       the 16 guidance into the SHINE cyber security plan in order 17 to satisfy the elements identified by the NRC staff as 18 needing to be addressed.

19                  Through the development of the SHINE cyber 20 security plan, SHINE held clarification calls and 21 public meetings with the NRC staff to ensure those 22 programmatic elements SHINE are proposing, such as the 23 SHINE-defined consequence of concern, planned audit 24 periodicities, and planned event tracking and event 25 reporting were adequately based on the guidance of DG-NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1716 14th STREET, N.W., SUITE 200 (202) 234-4433         WASHINGTON, D.C. 20009-4309       www.nealrgross.com

15 1 5062       and   met   the   intent       of     the     planned   license 2 conditions to be imposed on SHINE.

3                    MEMBER BROWN:             This is the draft guide 4 that's currently under -- that hasn't been turned into 5 an official reg guide?               Or you're talking about Reg 6 Guide 5.71?

7                    MR. BARTELME:         It is not.         We were using 8 that June, June 20 -- or January 2017 draft.

9                    MEMBER BROWN:         Okay.

10                    MR. BARTELME: Pre-decisional markings on 11 that, yeah.

12                    MEMBER BROWN:         All right, so you all are 13 at least focusing in on their levels of security, or 14 I've forgotten what they call them, but the defense 15 ring?       You were using that as part of your planning?

16                    MR. BARTELME:           Not explicitly, though.

17 They had discussions with the NRC staff on sort of, 18 you know, the multilevel, you know, controls sets and 19 defense-in-depth, but.

20                    MEMBER BROWN:           That's what I'm talking 21 about.

22                    MR. BARTELME: Okay.

23                    MEMBER BROWN:             All right, sounds like 24 you're on that page anyway.                 All right, thank you.

25                    MR. BARTELME: As shown in the slide here, NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1716 14th STREET, N.W., SUITE 200 (202) 234-4433           WASHINGTON, D.C. 20009-4309           www.nealrgross.com

16 1 SHINE-defined consequences of concern are adapted from 2 the       four types of consequences of concern for fuel 3 site facilities identified in Table C-1 of DG-5062.

4                  Consequences of concern have been adapted 5 to     the     relative     risk     of       the     SHINE   facility.

6 Adaptations include modifying the active and latent 7 safety consequences of concern to be relative to the 8 SHINE       safety criteria       in     lieu       of   the   Part       70 9 performance requirements considered in the DG-5062.

10                  And SHINE removed the latent security 11 consequence of concern from consideration as SHINE 12 does not possess classified information in relation to 13 the     operation   --   to     the   operation         of the     SHINE 14 facility.

15                  SHINE   uses     the     SHINE       safety   analysis 16 summary report to identify active and latent safety 17 consequences of concern in assessing the vulnerability 18 of the SHINE facility from the direct result of a 19 cyber attack or the result of a cyber attack in 20 conjunction with a secondary event.

21                  The use of the SHINE safety criteria in 22 assessing active and latent safety consequences of 23 concern provides a consistent consequence threshold 24 and an existing evaluation of facility response to 25 known hazards.

NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1716 14th STREET, N.W., SUITE 200 (202) 234-4433           WASHINGTON, D.C. 20009-4309           www.nealrgross.com

17 1                    SHINE uses the physical security plan to 2 identify latent safeguards consequences of concern 3 providing an existing evaluation of site security 4 strategies         credited       in   the       protecting     of   SNM       of 5 moderate strategic significance.

6                    The SHINE process for identifying CDAs 7 consisting of steps for a digital asset identification 8 and performance of an alternate means analysis and 9 ultimately the resulting determination of CDAs follows 10 the guidance for vital digital asset identification in 11 DG-5062.

12                    This   technical         evaluation       is   led       by 13 SHINE's safety analysis organization and supplemented 14 by responsible engineers of those systems containing 15 digital assets associated consequences of concern.

16                    As stated in the slide, the alternate 17 means analysis performed -- alternate means analysis 18 performed considers a function of the digital asset 19 associated         with   the     consequence           of   concern         to 20 determine whether -- determine when an alternate means 21 exists         to prevent     the     associated         consequence         of 22 concern.

23                    This alternate means (audio interference) 24 various potential alternate means, including physical 25 barriers,         existing     safety-related             controls,     other NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1716 14th STREET, N.W., SUITE 200 (202) 234-4433           WASHINGTON, D.C. 20009-4309           www.nealrgross.com

18 1 critical       digital   assets,         and     manual actions         as 2 candidates for credited alternate means.

3                  If an alternate means of protection is 4 identified for a digital asset, a brief description of 5 the alternate means is provided in the SHINE technical 6 evaluation.

7                  MEMBER MARCH-LEUBA:               This is Jose, can I 8 ask a question now?           Hello, can you hear me?

9                  MR. BARTELME:         Yes.

10                  MEMBER MARCH-LEUBA:             Yeah, okay, will the 11 cyber attack that will prevent production for the next 12 three months because it disables -- it does not 13 produce a consequence of concern, but prevents you to 14 delivering products for the next three months.                       Would 15 you consider that a critical digital asset?                     Did you 16 consider it?

17                  MR. BARTELME:         Based on the definition of 18 consequence of concern, that would not be defined as 19 a critical digital asset.

20                  MEMBER MARCH-LEUBA:             But in my mind, it's 21 not just a monetary consequence to the company, it's 22 a serious safety consequence to the hospitals that 23 rely on your product.             So I'm thinking whether you 24 would consider protection of the production of this 25 very important isotope sufficient to protect.

NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1716 14th STREET, N.W., SUITE 200 (202) 234-4433         WASHINGTON, D.C. 20009-4309         www.nealrgross.com

19 1                DR. BLEY:       And this is Dennis Bley too, I 2 want to chime in with Jose on this one.                   I suspect by 3 orders of magnitude the possible health consequences 4 to the public from an interruption of service could 5 dwarf any radiological risk near the site.                     It seems 6 to me we're being remiss in not looking at that.

7                MS. RADEL:       So this is Tracy.           You know, 8 obviously,     the   --   meeting       the     patient   needs       is 9 incredibly important to us, and we will be protecting, 10 you know, protecting assets and our ability to meet 11 those patients' needs.

12                But as far as, you know, the definition of 13 critical digital assets and you know, protection of 14 health and safety of the public, it's been a focus on 15 those direct consequences from the facility versus 16 downstream supply chain, you know, potential impacts.

17                We certainly do consider those aspects in 18 how we -- how we design the facility for reliability 19 and meeting our customer needs and the patient needs.

20                DR. BLEY:       I want to speak maybe to the 21 staff rather than you.             You're following the rules 22 exactly as you see them, but I want to take the staff 23 back       to the   1960s,       when       NRC   considered         no 24 environmental hazards and ended up in a court case 25 where NRC was essentially directed to include that in NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1716 14th STREET, N.W., SUITE 200 (202) 234-4433         WASHINGTON, D.C. 20009-4309         www.nealrgross.com

20 1 the future.

2                This strikes me as of the same nature, and 3 I think the staff, and maybe the staff in consultation 4 with the Commission, ought to perhaps reconsider how 5 they're thinking about that in this case.

6                MEMBER MARCH-LEUBA: I mean, in defense of 7 SHINE, I'm pretty sure they're going to protect all 8 the equipment from cyber attack.                 I mean, even if you 9 have an office, a shipping office somewhere in the 10 middle of Washington, you protect your computers.

11                I'm concerned that these guys that are 12 attacking you are very smart and they'll always find 13 the weak link.       And this is one that is obvious.

14 Anyway, we put it on the record.

15                MR. BARTELME:           Continue, lastly, if no 16 alternate means of protection is identified for a 17 digital asset associated with the a consequence of 18 concern, the digital asset is determined to be a CDA 19 and appropriate cyber security controls are identified 20 for protection of the CDA.

21                MEMBER BALLINGER:             Let me make sure that 22 I understand what Dennis is saying.                   What -- we're 23 talking basically about two consequences of concern 24 definitions, one related to the rules as they're 25 written, the other related to the consequences of the NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1716 14th STREET, N.W., SUITE 200 (202) 234-4433       WASHINGTON, D.C. 20009-4309         www.nealrgross.com

21 1 cessation of the product on the customer.                       But that's 2 a -- that's a very different thing, right?

3                    DR. BLEY: It's very different, but to me, 4 the analogy with environmental harm is a pretty good 5 one. And you know, the Commission and the staff might 6 say they have no justification in law for this.                                 I 7 think they need to look at that, I'm not a lawyer.

8                    But of -- when you look at potential 9 consequences of this facility, that strikes me as 10 maybe the biggest consequence that can accrue.                             And 11 the Committee advises the Commission, not just checks 12 to see that all the rules are being carried out.

13                    MEMBER HALNON: Dennis, this is Greg. The 14 other analogy that bring more clear is the power-15 producing portion of the nuclear power plants were put 16 under cyber controls because of the critical nature of 17 maintaining         base     load     power,         especially     during 18 emergency situations.

19                    So sort of the same thing, is it going to 20 reduce the ability to make power.                         That's going to 21 affect         the   public       in   a     certain       adverse       way, 22 henceforth, it deserves some level of protection.

23                    DR. BLEY: Yeah, I almost brought that one 24 up, Greg, I agree with you completely.                       But I think 25 these two examples kind of clearly show that if we're NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1716 14th STREET, N.W., SUITE 200 (202) 234-4433           WASHINGTON, D.C. 20009-4309         www.nealrgross.com

22 1 thinking about consequences, there are other ones 2 besides direct radiological consequences that are of 3 great concern to the public, society, the government.

4                    MEMBER BALLINGER: But to pull that string 5 a little further with respect to the -- to a power 6 plant output, the grid is --

7                    PARTICIPANT:         Point, because --

8                    MEMBER BALLINGER:               So that what you're 9 saying is, is that if this were the only facility that 10 can supply the product in a timely manner, that's one 11 thing.         And I don't know that that's the case or not.

12                    DR. BLEY:           Well,       Ron,   the     grid's 13 resilient, but despite that, over the last 40 years, 14 there have been some very significant ties together 15 taking parts of the grid down that have had massive 16 consequences.

17                    MEMBER HALNON:           Right, but you're making 18 the point, is that there are other power plants that 19 could compensate for a loss of a single nuclear power 20 plant, but there's no other isotope facilities that 21 can make up for the loss of this isotope.

22                    MEMBER     MARCH-LEUBA:               There   will       be.

23 They're building some in the Netherlands.

24                    CHAIRMAN REMPE:             Well, okay, let's pull 25 the string another way.                   We used to get, in more NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1716 14th STREET, N.W., SUITE 200 (202) 234-4433           WASHINGTON, D.C. 20009-4309           www.nealrgross.com

23 1 recent years, we used to get the moly-99 up from 2 Canada or some place, right.

3                But there -- at one point, weren't we ever 4 getting it from a place in the U.S., and we get other 5 isotopes. I know at HER they have used it for isotope 6 production.

7                Are we going to start, you know, saying 8 that all isotopes for medical use are so important 9 that all of the facilities need to be considered and 10 have special requirements?

11                MEMBER MARCH-LEUBA:               Well, if you have to 12 -- if you get -- if you get a cancer and you're 13 waiting for your CAT scan for -- or the PET scan, you 14 consider it very important.

15                CHAIRMAN REMPE:           Yeah, I just am thinking 16 that, you know, I don't know.                 I --

17                MEMBER MARCH-LEUBA:               In a sense, SHINE is 18 a victim of their own success.                     I mean, they're so 19 good.

20                CHAIRMAN REMPE:               But what, okay, what 21 about maintenance?         If it takes it out, it's not a 22 cyber security attack, what if they can't do their 23 maintenance in a timely fashion?

24                MEMBER MARCH-LEUBA:                 Let me give you an 25 example, okay.     So they have some filtering beds for NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1716 14th STREET, N.W., SUITE 200 (202) 234-4433       WASHINGTON, D.C. 20009-4309         www.nealrgross.com

24 1 -- to clean up the tritium so the accelerator can work 2 properly.     If I -- and that's not a safety concern.

3 If I gain control to that, access to that controller, 4 I can mess up their beds so the tritium cannot be 5 cleaned up.

6                So it   has     no,     absolutely     no   millirem 7 exposure whatsoever, but the plant is down.

8                CHAIRMAN       REMPE:         There   may   be     other 9 reasons we don't know yet that the plants go offline 10 for three months because of something or other that 11 didn't quite work as expected.                   So I'm not sure --

12 this is a can of worms.

13                MEMBER HALNON: Well, it's a can of worms, 14 but it's not a can of worms for SHINE.                   It's whether 15 or not we want to lay another regulatory requirement 16 on top of it.     And the NRC has decided not to or staff 17 had decided not to.

18                MEMBER MARCH-LEUBA:               I think, I mean, my 19 -- in the letter, we should recommend to the staff 20 that they need to look at it.                 I mean, we're raising 21 it as a question, we don't have a solution.                   But this 22 is a function of society, producing moly-99 of such 23 importance that keeping it up and running is important 24 to society.

25                CHAIRMAN REMPE:           Maybe the NSA should run NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1716 14th STREET, N.W., SUITE 200 (202) 234-4433         WASHINGTON, D.C. 20009-4309         www.nealrgross.com

25 1 a couple of these facilities, it might be cheaper.

2                MEMBER BALLINGER:             They are funding.

3                CHAIRMAN REMPE:             Then we should put a 4 regulation in just because another one might come 5 online and it's not so important.

6                MEMBER BALLINGER: We have discovered it's 7 another reason why I would -- why I like to be on this 8 committee, learn something every day.

9                MEMBER KIRCHNER:             I mean, one could take 10 this argument for a nuclear power plant.                 This is not 11 just for cable-ized grid, but for averted admissions.

12 But there has to be a line somewhere, I mean, and I 13 think the line here, it's a good point.                 Obviously a 14 very important societal benefit to this operating.

15 But at some point, you have to draw --

16                MEMBER HALNON: Well, I would say however, 17 we're in that situation right today.                 Right, because 18 they're not producing.

19                MEMBER BALLINGER: Remember, when Congress 20 considered the rule, the law supporting this, that 21 argument was made.

22                MEMBER HALNON:         Yeah, but what I'm saying 23 is that loss of the grid is an emergency.               And if loss 24 of moly-99 is an emergency from the SHINE facility, 25 we're in one right now.         So, and we're surviving.               So NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1716 14th STREET, N.W., SUITE 200 (202) 234-4433       WASHINGTON, D.C. 20009-4309         www.nealrgross.com

26 1 there is an alternate means available.                     Therefore, it 2 wouldn't even --

3                    MEMBER MARCH-LEUBA:             Once SHINE come into 4 the operation, they're going to displace the other 5 sources because they'll be more efficient.                       So those 6 other conveyances are going to disappear.

7                    Anyway, I'm sorry I brought it up, but 8 it's important that we protect everything, not just 9 the two or three that come up for this analysis.                           And 10 I'm sure SHINE will protect everything.

11                    MEMBER BALLINGER: Josh, I don't think you 12 expected this line of question.

13                    MR. BORROMEO:           No, this took off in a 14 different direction than what I was thinking, but it 15 is a Friday afternoon.               No, but I mean, this seems 16 like       a   broader   concern,         right,       and we   certainly 17 understand it.

18                    MEMBER BALLINGER:             Okay, can we continue?

19                    MR. BARTELME:           Yep.       As stated on the 20 previous slide, no alternate means of protection is 21 identified for a digital asset associated with a 22 consequence of concern.               Appropriate cyber security 23 controls are identified for protection of the CDA.

24                    Utilizing the framework for control is 25 offered NIST's special publication 853.                           CDAs are NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1716 14th STREET, N.W., SUITE 200 (202) 234-4433           WASHINGTON, D.C. 20009-4309         www.nealrgross.com

27 1 analyzed and multilayered cyber security control sets 2 are tailored to each CDA.

3                    Implementing         procedures,         identify       and 4 document the cyber security controls applicable to the 5 identified CDAs.         Implementing procedures document in 6 part the configuration and operating environment for 7 the CDAs.         Measures taken to address the performance 8 specifications associated with the identified cyber 9 security controls and the verification process for 10 cyber security controls.

11                    MEMBER HALNON:           And Jeff, this is Greg 12 again.         Was there any or is it in your process that 13 you come across a digital asset that you just don't 14 want to make a CDA that you would put an alternate 15 means in relative to either a procedure or some other 16 means of either monitoring or controlling?

17                    MR. BARTELME:         The approach for assessing 18 alternate means is more, I think more of a top-down 19 approach.           We   assess       if     the       digital   asset       is 20 associated with a consequence of concern, is there an 21 alternate means of protecting that digital asset.

22                    Less so of, you know, this is a critical 23 digital that we don't want to protect, let's determine 24 an alternate means.             We haven't really sort of gone 25 more that thought of approach it.

NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1716 14th STREET, N.W., SUITE 200 (202) 234-4433           WASHINGTON, D.C. 20009-4309         www.nealrgross.com

28 1                  MEMBER HALNON:           Okay, so you haven't --

2 you haven't, for lack of better terms, downgraded any 3 CDAs to just asset, digital assets based on putting 4 new or a different design or alternate means of place 5 yet.       I mean, is that on the table, though, to do that 6 if down the road you see something that you're not 7 sure you want to make a CDA?

8                  MR. BARTELME:           Yeah, per the, you know, 9 the programmatic guides, if, you know, SHINE could 10 establish a not yet existing alternate means for a CDA 11 and then the technical evaluation would be -- would be 12 updated to reflect that, just what new alternate means 13 is or that developed alternate means for that -- what 14 had previously been a CDA.

15                  MEMBER     HALNON:           Okay,   and   one     last 16 question.       In taking credit for operator actions, at 17 the end, will you be doing an aggregate analysis to 18 ensure that the operators are not overloaded with too 19 many required actions as an -- as a potential cyber 20 attack?

21                  MR. BARTELME:           We've not, you know, not 22 got to that point of sort of cataloging or sort of, 23 you know, looking in the aggregate of the alternate 24 means. I don't know that we have any manual -- manual 25 actions identified at this point right now. You know, NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1716 14th STREET, N.W., SUITE 200 (202) 234-4433           WASHINGTON, D.C. 20009-4309         www.nealrgross.com

29 1 right now my understanding we have not identified any 2 manual actions that are being credited as alternate 3 means.

4                    MEMBER HALNON: Okay, I would encourage at 5 the end of this to do some kind of aggregate analysis 6 to make sure that, given a cyber attack, you're not 7 overloading         one   control         system,         one,   you     know, 8 expectations of something, or especially the operators 9 that respond to the.

10                    MR. BARTELME:           Thank you.         Lastly, the 11 SHINE cyber security plan also provides for these 12 additional programmatic controls offering temporary 13 compensatory         measures.               Temporary         compensatory 14 measures are implemented.

15                    It is determined that a cyber security 16 controls -- or determined that cyber security controls 17 are         not   meeting         their         defined       performance 18 specifications         while       new     controls       are   developed, 19 tested, and implemented.

20                    Documentation           is       created       for       each 21 compensatory measure that describes how the measure 22 will           effectively         address           the     performance 23 specifications of the cyber security control.

24                    For   configuration             management,         SHINE 25 implements a facility-wide configuration management NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1716 14th STREET, N.W., SUITE 200 (202) 234-4433           WASHINGTON, D.C. 20009-4309           www.nealrgross.com

30 1 program, which includes cyber security considerations.

2 Specific cyber security considerations and approval or 3 disapproval of conclusions will be included in the 4 documentation related to changes to a CDA.

5                  Periodic review.             Periodic review of the 6 cyber security plan occurs at least every 36 months.

7 The review includes an audit of the effectiveness and 8 adequacy of the cyber security program, including, you 9 know,       roles, responsibilities,               requirements,       and 10 management commitments to the program.

11                  Changes made to implementing procedures.

12 Use of alternate means in defense of our protection 13 for digital assets.             SHINE cyber security incident 14 response capability.             And configuration management.

15                  Define these deficiencies and remediation 16 actions resulting from the periodic review are tracked 17 via SHINE's corrective action program.

18                  In terms of event reporting, SHINE informs 19 the NRC Operations Center at the time of making an 20 event-based notification, as prescribed in Sections 21 5(A)(2) and 5(A)(3) of the technical specifications 22 that the event is the result of a cyber attack.

23                  If it's later discovered that a previously 24 reportable event was a result of a cyber attack, SHINE 25 notifies the NRC Operations Center within one hour of NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1716 14th STREET, N.W., SUITE 200 (202) 234-4433           WASHINGTON, D.C. 20009-4309         www.nealrgross.com

31 1 discovery that the previously reported event was the 2 result of a cyber attack.

3                MEMBER   BALLINGER:             Okay, this   is     Ron 4 Ballinger. In looking through all of the documents 5 related to this and actually discussing, we've had --

6 we had discussions with something along these lines 7 when we had our visit recently.

8                I may be a little paranoid, but I think 9 that we're almost in never-never land when it comes to 10 cyber security and that a periodic review every 36 11 months just doesn't seem -- that's a -- that's a long 12 time for cyber.

13                And I'm wondering whether or not somebody 14 maybe should consider kind of an ongoing, maybe you're 15 doing it, kind of an ongoing, I'm not sure what you 16 would call it, evaluation, if you will.

17                MEMBER MARCH-LEUBA:               I kind of disagree 18 with you. I mean, they're talking about plan, not the 19 --

20                MEMBER BALLINGER:             Oh, the plan, okay.

21                MEMBER MARCH-LEUBA:               Not the cyber -- I 22 mean, obviously they're going to be -- there's going 23 to be somebody in the plan that is cognizant of this 24 topic, and they're going to implement on the patches 25 and all the good stuff to make sure they stay on.                       So NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1716 14th STREET, N.W., SUITE 200 (202) 234-4433       WASHINGTON, D.C. 20009-4309         www.nealrgross.com

32 1 I think the plan doesn't need to change more than 2 every three years.

3                MEMBER BALLINGER:               Okay, so there is a 4 mechanism by which there's an ongoing --

5                MEMBER MARCH-LEUBA:               There better be.

6                MEMBER BALLINGER:             Yeah, yeah.

7                MEMBER     MARCH-LEUBA:               You have       your 8 antivirus, it continuously monitor.

9                MR. BARTELME:         Yeah, and, you know, broad 10 responsibility within SHINE.               But you know, we've got 11 our IT team and others that are constantly saying --

12 staying aware of the threat environment and, you know, 13 making any changes to implementing procedures or plan 14 documents as need by.

15                The 36-month required is just sort of 16 that, you know, really not to exceed timeframe, and 17 the expectation is that we will be auditing the 18 effectiveness of the plan at a more frequent basis 19 than that.

20                MEMBER BALLINGER:               Okay, I'm just, I'm 21 kind of a layman here in that every time I start my 22 cellphone up in the morning, there's a notification 23 that there's like ten apps that need upgrading.

24                MR. BARTELME: There's always plenty of 25 fixes.

NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1716 14th STREET, N.W., SUITE 200 (202) 234-4433       WASHINGTON, D.C. 20009-4309         www.nealrgross.com

33 1                MEMBER MARCH-LEUBA:             And that -- and that 2 won't happen in the plan because it's not connected to 3 internet.

4                MEMBER BALLINGER:             Okay. All right, all 5 right.

6                MEMBER MARCH-LEUBA:               It has to be done.

7 Let me -- well, we're on tangents, we all think cyber 8 security has been an internet attack, because I can do 9 it from the comfort of my kitchen in Bulgaria, but 10 there are many other vectors to use for cyber security 11 attacks.

12                The obvious one is USB drives.                 But you 13 have pulse -- like the famous hard drive that is 14 manufactured in a foreign country and it comes with a 15 flaw in firmware.         Does the plan include all those 16 unusual controls, non-internet controls?

17                MR. BARTELME:           Yeah, without, you know, 18 having not identified the specific cyber security 19 controls, you know, for each CDA, you know, the 20 technical evaluation doesn't have that level of detail 21 right now.

22                But you know, with the NIST, you know, 23 NIST -- NIST guidance and in discussions we've had 24 internally, there will be -- where -- where portable 25 media is required to be brought into the -- brought NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1716 14th STREET, N.W., SUITE 200 (202) 234-4433       WASHINGTON, D.C. 20009-4309         www.nealrgross.com

34 1 into the facility for any software updates or whatnot 2 for a digital asset, you know, there are -- there 3 would be considerations for -- for checking that in 4 the chain of custody thereafter to ensure we don't 5 introduce a vulnerability.

6                  MEMBER MARCH-LEUBA:               Yeah, my experience 7 is with UF-6 enrichment facilities.                     And you get shot 8 on site if they see with you two things: a bucket that 9 can contain water and produce a criticality event, or 10 a USB drive.       Literally, they -- that thing cannot be 11 seen within five miles of the -- of the fence.

12                  Your cyber security plan should include 13 non-standard attack vectors.                 You have to think about 14 the possible scenarios that bad guy can attack you.

15 And don't go paranoid, but be cognizant of all those 16 ways that they can get you.                 Thank you.

17                  MEMBER BALLINGER:             That NIST document has 18 a lot of.

19                  MR. BARTELME:           And then lastly, event 20 tracking.       Within 24 hours of the discovery, SHINE 21 records       and   tracks       to   resolution         any   failure, 22 compromise, discovered vulnerability or degradation 23 that results in a decrease in effectiveness of a cyber 24 security control or a cyber attack that compromises 25 the CDA associated with a consequence of concern.

NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1716 14th STREET, N.W., SUITE 200 (202) 234-4433           WASHINGTON, D.C. 20009-4309         www.nealrgross.com

35 1                  That's the end of the presentation.                     Any 2 additional questions on the cyber security plan?

3                  MEMBER   KIRCHNER:             Jeff,   this   is     Walt 4 Kirchner.       This is kind of -- kind of a clear field or 5 blank sheet of paper thinking.                       Thank you for the 6 visit, or your colleagues for the visit to your 7 facility       last month.         I   was     impressed   with       the 8 facility.

9                  And given the importance of your product, 10 which we talked about earlier in this discussion, and 11 guaranteeing,       you     know,       the     reliability     of     the 12 facility to meet the demand, is there a way to just 13 put an air gap on this facility?

14                  What I mean by an air gap is just do not 15 run     anything   in,   and     anything         that   goes   out       is 16 unidirectional diode-protected. Do you really need to 17 bring the internet into this facility?                     Or certainly 18 within the -- well, both.

19                  I'm trying to think where the line is for 20 seismic and other external threat production.                       But is 21 it feasible to air gap the facility and then things 22 like Jose just mentioned are then where you spend your 23 effort?       To isolate this, make it an island unto 24 itself?

25                  MS. KOLB:       Yeah, this is Catherine Kolb.

NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1716 14th STREET, N.W., SUITE 200 (202) 234-4433         WASHINGTON, D.C. 20009-4309         www.nealrgross.com

36 1 The equipment, the systems that, you know, directly 2 control plant equipment do have those unidirectional 3 capabilities, right.               So that then they're an axis 4 from the outside if we're, you know, transmitting 5 things to servers for data retention and things.

6                    But you know, as to completely air gapping 7 the facility, I mean, our document control system in, 8 you know, company-wide.               Some people at headquarters 9 need to be able to use it as well as the people in the 10 facility.           So   you       know,       email   for   internal 11 communications.

12                    So it's not practical for us to air gap, 13 you know, some of the business software that we have, 14 you know, for day-to-day email communication and data 15 control.

16                    MEMBER KIRCHNER:           But that's what I worry 17 about.         Those become the vulnerabilities.               I'm trying 18 to think about it in a way that limits your effort in 19 cataloging all the CDAs by trying to isolate the 20 facility as much as possible.

21                    Do you, you know, does corporate a couple 22 of blocks away, where we had lunch, do they really 23 need to be having any input into the plant?                     They can 24 get the data coming out.               But I'm just thinking about 25 it philosophically in a way that makes you, well.

NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1716 14th STREET, N.W., SUITE 200 (202) 234-4433           WASHINGTON, D.C. 20009-4309         www.nealrgross.com

37 1                    MS. KOLB:       No, we --

2                    MEMBER KIRCHNER:             As possible to resist 3 cyber events.

4                    MS. KOLB:       No, as Jeff talked about, you 5 know, we've considered, we're considering, you know, 6 different aspects of this and your point is well-7 taken.         But.

8                    MEMBER KIRCHNER:           Email is a convenience.

9 Email is also a distraction.                   Email is -- it's useful 10 for exchanging information, maybe.

11                    So I'm just saying that to the extent that 12 you     can   eliminate     things       coming       via internet         in 13 particular, as well as control access, then it makes 14 the robustness of your cyber security plan not just 15 with paper but the actual physical protections --

16                    MEMBER MARCH-LEUBA:                 I think that what 17 they're doing, they're creating an island protection 18 system. And it's -- and their unidirectional diode is 19 really good.         Trying to isolate the business part, I 20 mean, you have to be able to track the UPS truck that 21 brings you there.

22                    MEMBER KIRCHNER:             Yeah.

23                    MEMBER MARCH-LEUBA:               You have to be able 24 to order lunch from the restaurant next door.                             So --

25                    MEMBER KIRCHNER:             Do you?       Do you?

NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1716 14th STREET, N.W., SUITE 200 (202) 234-4433             WASHINGTON, D.C. 20009-4309           www.nealrgross.com

38 1                    MS. KOLB: Our engineering team is located 2 in Headquarters, which is not inside the fence. So we 3 -- I think we do need to be -- because people in the 4 plant do need to be able to communicate with people 5 that are in the Headquarters building.

6                    MEMBER MARCH-LEUBA:               Yeah, my concern is 7 eventually you need to have one guy that is paranoid 8 and is in charge of this. And everybody thinks of the 9 internet because that's what we think about.

10                    But   I'm     worrying         about   an instrument 11 technician         that   has     to   go     calibrating     stuff       and 12 carries an iPod with him.               And that iPod is connected 13 to everything inside to do the calibration.                         You've 14 got to make sure that iPod is sanitized before it goes 15 anywhere.

16                    USB drives, we all know about them now, 17 but there are other portable media. You have to worry 18 about everything.           Okay.

19                    MEMBER BIER:       Just one example.         I was in 20 a classified meeting a couple of weeks ago where I was 21 told that anybody wearing a Bluetooth hearing aid 22 would need to remove it before entering the classified 23 space.         So.

24                    CHAIRMAN REMPE:           Sign language?

25                    MEMBER BIER:         I don't know.       Fortunately NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1716 14th STREET, N.W., SUITE 200 (202) 234-4433           WASHINGTON, D.C. 20009-4309         www.nealrgross.com

39 1 I think it didn't come up in that case.

2                    MEMBER MARCH-LEUBA:                 In classified, we 3 spend the money and we -- and we really -- you know, 4 all of the cables, yeah, that might get classified how 5 you do it.         But everything is regarded, absolutely.

6                    MEMBER BALLINGER:               This whole topic is 7 fascinating and almost depressing sometimes.                               But 8 okay, are there other questions from the members on 9 this presentation?

10                    Okay, so we need to shift to the staff's 11 presentation.         And would you like to go away for 15 12 minutes and then redo your presentation in light of 13 the previous questions, or would you like to just keep 14 on going?

15                    MR. BORROMEO:         We'll just keep on going, 16 we'll do our best.

17                    MEMBER BALLINGER:             Okay.

18                    MR. WARNER:       All right, then I guess it's 19 my turn.         Good afternoon, my name is Dan Warner, I'm 20 in the Cyber security Branch in the Division of 21 Physical and Cyber security Policy in the Office of 22 Nuclear Security Incident Response.                       And I have been 23 responsible for the review of cyber security for 24 SHINE.         Next slide, please.

25                    So kind of going back to where we came NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1716 14th STREET, N.W., SUITE 200 (202) 234-4433           WASHINGTON, D.C. 20009-4309         www.nealrgross.com

40 1 from.       In September 2019, the Commission issued Staff 2 Requirements       Memorandum       SRM-18-0063         for   non-power 3 production in the utilization facilities intending to 4 possess or use a Category II quantity of special 5 nuclear material for production of moly-99.

6                  In the SRM, the Commission approved the 7 staff's approach for addressing cyber security at 8 these facilities through development of appropriate 9 license conditions based on the facility's operating 10 license application.           SHINE is the first applicant to 11 submit a license application that is subject to the 12 requirements of this SRM.

13                  So as far as how we went about developing.

14 So staff reviewed the proposed rulemaking on cyber 15 security for fuel cycle facilities and developed a 16 similar for use of SHINE and similar facilities.

17                  And   just       as       a     note,   just         for 18 clarification, I think there might have been a little 19 bit of confusion earlier.               The draft guide that Jeff 20 was discussing, DG-5062, is actually the draft guide 21 for nuclear fuel facilities that goes along with the 22 fuel cycle facility rulemaking.                     And that is what we 23 were presenting as references that they could use when 24 developing their cyber security plan.

25                  Staff provided SHINE feedback to consider NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1716 14th STREET, N.W., SUITE 200 (202) 234-4433           WASHINGTON, D.C. 20009-4309         www.nealrgross.com

41 1 when identifying applicable consequences of concern, 2 which       are events   that     occur       as   a result     of     the 3 compromise of a critical digital asset that have the 4 potential to adversely impact public health and safety 5 or common defense and security.

6                    Staff   reviewed       the     SHINE   application, 7 determined if there was adequate protections for CDAs 8 that could result in a consequence of concern.

9                    During our review, staff reviewed the 10 final safety analysis report for discussions of cyber 11 security with a focus on safety systems.                             Several 12 sections         discussed       protections           for   the     highly 13 integrated       protection       system       platform     for     safety 14 systems.

15                    FSAR Chapter 7, Section 7422 identifies 16 protections with design criteria that target solution 17 vessel reactivity protection system, and Section 7522 18 as similar design criteria for the engineered safety 19 feature actuation system.

20                    Both of these sections               include criterion 21 three that identifies the TRPS and ESFAS systems will 22 incorporate         design     or   administrative           controls         to 23 prevent and limit unauthorized physical and electronic 24 access to critical digital assets.

25                    Also in the FSAR, FSAR Section 74532, NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1716 14th STREET, N.W., SUITE 200 (202) 234-4433           WASHINGTON, D.C. 20009-4309           www.nealrgross.com

42 1 title Cyber security Design Features, includes the 2 information on a defensive system architecture, which 3 includes       features       such       as       one-way   isolated 4 communication, outside safety systems, maintenance 5 work station access only when a module is out of 6 service, and no capability for remote access to the 7 safety system.

8                  In FSAR Section 74533, Access Control, it 9 identifies several features that are used to restrict 10 access,       including       physical           keys   to     prevent 11 unauthorized use, locked cabinets for rack matter 12 equipment       with       administrative             key     control, 13 modification or replacement of the field programmable 14 gate arrays are restricted when installed in the HIPS 15 chassis.         And     the     FPGA       modules     only       allow 16 modifications of set points and tunable parameters 17 that may require periodic modification.

18                  We   also       reviewed         as   part   of       the 19 application review process the physical security plan.

20 We reviewed it to see if there's any information 21 related to cyber security for the security systems.

22 And then we performed a cyber security audit.

23                  Staff conducted a regularly -- regulatory 24 audit with SHINE to gather more information regarding 25 cyber security.       SHINE identified CDA access controls NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1716 14th STREET, N.W., SUITE 200 (202) 234-4433         WASHINGTON, D.C. 20009-4309         www.nealrgross.com

43 1 and protected features from the FSAR, but indicated 2 there was no specific cyber security program at SHINE.

3 For cyber security of physical security assets, SHINE 4 only identified access of controls.

5                    After the audit, we decided to issue a set 6 of requests for additional information to SHINE based 7 on the feedback received at the audit. We looking for 8 information regarding the design, administrative, and 9 programmatic controls that the SHINE cyber security 10 plan will provide.

11                    And also included how consequences of 12 concern       will   be   identified,           how   CDAs   will       be 13 determined,         how   cyber       security         controls will       be 14 applied, and other programmatic controls to ensure the 15 cyber security program is documented and maintained.

16                    Staff reviewed the SHINE application and 17 then held the regulatory audit, followed by issuing a 18 set of RAIs to gather sufficient information to make 19 a determination.         Staff determined additional program 20 elements were required to ensure adequate protection 21 at     the   SHINE   facility       and       developed   a list       of 22 important cyber security program elements applicable 23 to SHINE.

24                    Staff developed the license condition to 25 address         these   additional           program     elements       and NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1716 14th STREET, N.W., SUITE 200 (202) 234-4433           WASHINGTON, D.C. 20009-4309         www.nealrgross.com

44 1 determined the issuance of a SHINE operating license 2 as conditioned in part by the license condition will 3 not be inimicable to common defense and security or to 4 the health and safety of the public.                   And therefore, 5 meets the requirements of 10 CFR 5057, A(6).

6                  So for the license condition, the licensee 7 must have a CSP that describes how the facility's 8 cyber security program provides reasonable assurance 9 that digital computer and communication systems and 10 networks       are adequately         protected       against     cyber 11 attacks.       This is similar to the approach followed in 12 10 CFR 7354.

13                  The licensee may make a change to the CSP 14 provided that the cyber security program elements in 15 the license condition and the performance objection of 16 the CSP remain met.

17                  And then just one last note, the intent is 18 to review the cyber security plan as part of the 19 inspection process once a -- once a facility is doing 20 the pre-operational inspections and then afterwards.

21                  CHAIRMAN REMPE: So this is Joy, and I had 22 a question.       And again, maybe this is what's normally 23 done, but I was stumbling over the beginning of the 24 last paragraph of the draft SE where you had, The 25 licensee may not make a change that would decrease the NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1716 14th STREET, N.W., SUITE 200 (202) 234-4433         WASHINGTON, D.C. 20009-4309         www.nealrgross.com

45 1 effectiveness of the CSP without a prior approval of 2 the Commission.

3                The beginning of your slides, when you 4 Commission,       you're         talking           about   the       five 5 Commissioners, are you talking about the five or 6 however many Commissioners are on the Commission at 7 the time, have to approve any changes, or is it the 8 staff?

9                MR. WARNER:       It is the staff, but that is 10 the     standard wording       that       is     used when   we     are 11 incorporating those.           However, that wording has been 12 removed after consultation with OGC, so that now it 13 basically is just they may make a change as long as it 14 doesn't -- as long as the performance objectives of 15 the plan remain met.

16                CHAIRMAN REMPE: Oh, okay. So the version 17 that we reviewed for this meeting, unless I grabbed 18 the wrong one, is no longer the version that exists 19 that we're supposed to be reviewing?                         Because I 20 thought it got it from the website not too long ago.

21                MEMBER BALLINGER:             We have a new FSAR.

22                CHAIRMAN REMPE:           But this is the SE.

23                MR. BORROMEO: So we transmitted the small 24 tweak from OGC, oh, a little bit ago, a week, couple 25 weeks ago, so.

NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1716 14th STREET, N.W., SUITE 200 (202) 234-4433         WASHINGTON, D.C. 20009-4309         www.nealrgross.com

46 1                    CHAIRMAN REMPE:           Okay, I -- barely -- I 2 may have grabbed a version that's not what Chris told 3 me to review, and I don't know how that happened. But 4 it's happened before.

5                    MR. BORROMEO:         Yeah, we'll make sure you 6 get the correct version.               I mean, the -- that was one 7 change that we made, and there were some other small 8 tweaks based off OGC feedback after that.

9                    MEMBER BIER:         Another question, this is 10 Vicki Bier.         You had said that you plan to review the 11 cyber         security   program         again       at the   time       of 12 operational commissioning, or whatever the term is.

13 Is that a commitment that staff will review at that 14 time, or is it one of a long list of things that staff 15 might review at that time?

16                    MR. BALAZIK:           This       is Mike   Balazik, 17 Project Manager for SHINE at the NRC.                       That's a --

18 it's an inspection           module that we've identified that 19 we will review for the pre-operational readiness.

20 We've identified I'd say about a dozen modules, and 21 cyber security is one of them.

22                    So there's no, I guess there's no might in 23 it.       That is our inspection plan to look at cyber 24 security in the implementation of the program.

25                    MEMBER BIER:         Thank you.

NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1716 14th STREET, N.W., SUITE 200 (202) 234-4433           WASHINGTON, D.C. 20009-4309         www.nealrgross.com

47 1                  MEMBER BALLINGER:               We just, apparently 2 there's a bit of confusion of the version of the SE 3 that we have, and we're trying to sort that out.                           We 4 may have the current, not the current-current.

5                  CHAIRMAN REMPE: Well, maybe I grabbed the 6 right one and it changed.

7                  MR. BORROMEO:               Yeah,   this   is     Josh 8 Borromeo, Chief of the NPUF Licensing Branch.                         We --

9 OGC -- we're continuing to work with OGC to get a 10 dialogue on these.         OGC provided some feedback on it.

11 We made some small tweaks, so we'll get you the right 12 version.       But there was a substantive changes to the 13 one that you have versus the on that you'll see.

14                  CHAIRMAN REMPE:             But my concern that I 15 tripped over has       gone away is the other answer to my 16 question.       Thank you.

17                  MEMBER MARCH-LEUBA:               And this morning we 18 were       chastising   one     of   our     members   for     putting 19 revision numbers on the documents.

20                  MEMBER KIRCHNER:             Ron, may I ask kind of 21 a generic question. Dan, this is Walt Kirchner. I've 22 -- so this guidance that the applicant's following, 23 SHINE is following, basically derives the first order 24 from what you apply with the -- to the fuel cycle 25 facility.

NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1716 14th STREET, N.W., SUITE 200 (202) 234-4433         WASHINGTON, D.C. 20009-4309         www.nealrgross.com

48 1                  So looking at the SHINE facility from what 2 you know, how many -- you know, they have a lot of 3 plumbing, a lot of actuators and so on.                   Much of this 4 is obviously going to be modern, so it's going to be 5 digital in one way or other.

6                  How many critical digital assets do you 7 think they'll have? Or do you put them into families?

8                  MR. WARNER: At this point, I can't answer 9 that question.       Part of the reason we did it this way 10 is we wanted to ensure that a solid program was being 11 set up that would then be used to address the CDAs.

12 As far as how many are going to be included, I can't 13 say at this point.

14                  MEMBER     KIRCHNER:               How many     do     you 15 typically have in a fuel cycle facility?

16                  MR. WARNER:           I'm not sure, I haven't 17 worked on a fuel cycle review.                     And actually, there 18 hasn't been a review of that since the proposed 19 rulemaking.       It's still before the Commission.

20                  MEMBER KIRCHNER: It just seems to me that 21 there         are a   lot       of     digital-actuated         valves, 22 controllers, motors, pumps.

23                  MEMBER BROWN:           Might have a revision on 24 what you're looking at.                 There's a lot of (audio 25 interference).

NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1716 14th STREET, N.W., SUITE 200 (202) 234-4433           WASHINGTON, D.C. 20009-4309         www.nealrgross.com