ML103510128: Difference between revisions
Revision as of 10:43, 6 December 2019
| ML103510128 | |
|---|---|
| Person / Time | |
| Site: | FitzPatrick |
| Issue date: | 12/28/2010 |
| From: | Bhalchandra Vaidya Plant Licensing Branch 1 |
| To: | Entergy Nuclear Operations |
| vaidya B, NRR/Dorl/lpl1-1, 415-3308 | |
| References | |
| TAC ME4267 | |
| Download: ML103510128 (4) | |
Text
UNITED STATES
NUCLEAR REGULATORY COMMISSION
WASHINGTON, D.C. 20555-0001
December 28, 2010
Vice President, Operations Entergy Nuclear Operations, Inc.
James A. FitzPatrick Nuclear Power Plant P.O. Box 110 Lycoming, NY 10393
SUBJECT:
JAMES A. FITZPATRICK NUCLEAR POWER PLANT - REQUEST FOR ADDITIONAL INFORMATION REGARDING AMENDMENT APPLICATION FOR APPROVAL OF THE CYBER SECURITY PLAN (TAC NO. ME4267)
Dear Sir or Madam:
By letter dated July 15, 2010 (Agencywide Documents Access and Management System, Accession No. ML102000012), Entergy Nuclear Operations, Inc. (the licensee) resubmitted a request to amend the Facility Operating License (No. DPR-59) for James A. FitzPatrick Nuclear Power Plant (JAF). The licensee requested approval of the JAF Cyber Security Plan (CSP) (ML102000013), provided a proposed CSP Implementation Schedule, and included a proposed revision to the Facility Operating License to incorporate the provisions for implementing and maintaining in effect the provisions of the approved CSP. The licensee's amendment request was based on a generic template developed by the Nuclear Energy Institute in concert with the industry.
The U.S. Nuclear Regulatory Commission (NRC) staff is reviewing the CSP and the proposed CSP Implementation Schedule and has determined that additional information is required to complete its technical review. The specific questions are found in the enclosed request for additional information (RAI).
Please contact me to schedule a telephone conference between the NRC staff and the licensee to ensure that the NRC staff concerns are clear to the licensee and also to obtain a firm commitment date for the response to the RAIs.
Please contact me at (301) 415-3308 if you have any questions.
Sincerely,

Bhalchandra K. Vaidya, Project Manager
Plant Licensing Branch 1-1
Division of Operating Reactor Licensing
Office of Nuclear Reactor Regulation

Docket No. 50-333
Enclosure:
RAI cc w/encl: Distribution via Listserv
REQUEST FOR ADDITIONAL INFORMATION REGARDING LICENSE AMENDMENT REQUEST FOR THE CYBER SECURITY PLAN
ENTERGY NUCLEAR OPERATIONS, INC.
JAMES A. FITZPATRICK NUCLEAR POWER PLANT
DOCKET NO. 50-333

The NRC staff is reviewing the submittal and has the following questions on the Cyber Security Plan (CSP) Section 4: Establishing, Implementing, and Maintaining the Cyber Security Program:
RAI1:
Title: Defense-in-Depth Protective Strategies - Critical Digital Asset (CDA) Isolation Strategies

Title 10 of the Code of Federal Regulations (10 CFR) Section 73.54(c)(2) requires the licensee to apply and maintain defense-in-depth protective strategies to ensure the capability to detect, respond to, and recover from cyber attacks. Section 4.3, "Defense-in-Depth Protective Strategies," of the FitzPatrick CSP states in several instances when referring to protections which isolate or secure CDAs within various cyber security defensive levels, that the boundaries may be secured via "an air gap or deterministic one-way isolation device such as a data diode or hardware VPN [virtual private network]."
Please clarify how hardware VPNs will sufficiently protect CDAs within defensive boundaries, including an explanation of the technical configurations that would enable it to mimic the capabilities of a deterministic one-way isolation device.
RAI2:
Title: Defense-in-Depth Protective Strategies - Protection of CDAs Associated with Emergency Preparedness Functions

Section 73.54(a)(1) of 10 CFR requires that "The licensee shall protect digital computer and communication systems and networks associated with ... (iii) Emergency preparedness functions, including offsite communications; and (iv) Support systems and equipment which, if compromised, would adversely impact safety, security, or emergency preparedness functions."
Section 4.3, "Defense in Depth Protective Strategies" of the FitzPatrick CSP, in describing its site defensive model, states that CDAs that "are not required to be within Level 4 due to their safety or security significance, and that perform security or Emergency Plan functions and security or Emergency Plan data acquisition or that perform safety monitoring, are within Level 3." Furthermore, the CSP states that "CDAs that are not required to be in at least Level 3 and that perform or support Emergency Plan functions are within Level 2."
The CSP does not indicate which protective strategies will be implemented for CDAs that perform Emergency Preparedness functions. Please clarify: (1) the distinction between CDAs that perform Emergency Planning and Emergency Preparedness functions; and (2) which protective strategies will be implemented for CDAs that perform "emergency preparedness" functions.
ML103510128 (*) - No substantial change in the RAI Memo

| OFFICE | LPL1-1/PM | LPL1-1/LA | NSIR/ISCPB/BC(*) | LPL1-1/BC | LPL1-1/PM |
|---|---|---|---|---|---|
| NAME | BVaidya | SLittle | CErlanger | NSalgado (RGuzman for) | BVaidya |
| DATE | 12/28/10 | 12/27/10 | 12/14/10 | 12/28/10 | 12/28/10 |