21st Annual Report, July 1, 2010—June 30, 2011
21st Annual Report, Volume I, Section 4.18, Plant Security
Note: because of the sensitive nature of nuclear plant security, only limited information can be presented in this public report.
4.18.1 Overview and Previous Activities
The DCISC has previously reviewed plant security in fact-finding meetings by reviewing security performance measures and by reviewing plant audits and NRC inspections of the Security Program. Additionally, there have been overviews of the Security Program in DCISC public meetings.
The DCISC reviews and NRC inspects these measures. The DCISC monitors and assesses current security measures and expected modifications to determine whether there may be negative effects on plant safety during normal operation and maintenance and emergency response during off-normal conditions.
The DCISC did not review DCPP Security-related items during the previous reporting period because the NRC had tightened its rules on plants granting access to Security-related information. The DCISC’s interest and scope of review were limited to the effects of Security-related barriers and procedures on nuclear and operational safety rather than to Security itself.
4.18.2 Current Period Activities
The DCISC reviewed the following security-related items during the current reporting period:
- Safety/Security Interface
- Cyber Security
DCPP Safety/Security Interface Program
In March 2010, the NRC published its regulation 10CFR73.58, “Safety/Security Interface Requirements for Nuclear Power Reactors,” which stated:
- Each operating nuclear power reactor licensee with a license issued under part 50 or 52 of this chapter shall comply with the requirements of this section.
- The licensee shall assess and manage the potential for adverse effects on safety and security, including the site emergency plan, before implementing changes to plant configurations, facility conditions, or security.
- The scope of changes to be assessed and managed must include planned and emergent activities (such as, but not limited to, physical modifications, procedural changes, changes to operator actions or security assignments, maintenance activities, system reconfiguration, access modification or restrictions, and changes to the security plan and its implementation).
- Where potential conflicts are identified, the licensee shall communicate them to appropriate licensee personnel and take compensatory and/or mitigative actions to maintain safety and security under applicable Commission regulations, requirements, and license conditions.
To provide guidance on implementation, the NRC issued Regulatory Guide (RG) 5.74, “Managing the Safety/Security Interface,” dated June 2009, stating, “This guide describes a method that the staff of the U.S. Nuclear Regulatory Commission (NRC) considers acceptable for licensees to assess and manage changes to safety and security activities so as to prevent or mitigate potential adverse effects that could negatively impact either plant safety or security.” DCPP performed a plant-wide review of procedures and processes to identify any gaps in meeting the RG requirements. As a result, 33 procedures were changed either to close the gaps or to enhance the procedure in meeting the RG.
DCPP Procedure OM11.ID7, “Safety/Security Interface Program,” dated November 1, 2010, identifies the management controls and processes used to establish and maintain an effective interface between nuclear safety and site security. The procedure instructs Design Engineering, Projects, and Security to involve all other affected organizations in any modifications or changes to the plant physical configuration and procedures. The procedure includes a detailed and comprehensive checklist for each proposed modification or procedure that has potential security or safety impacts.
The procedure addresses the following:
- Plant Modifications
- Procedure Changes and Emergency Plan Changes
- Emergent Operational Conditions and Maintenance Activities
- Changes to Security Plans
- Safety/Security Programmatic Reviews
The procedure appeared satisfactory to control the safety/security interface at DCPP.
There was an apparent negative interaction between security and safety during the recent plant Alert on June 23, 2010, which resulted from a CARDOX release. During this Alert, off-site fire personnel and their equipment were delayed in passing through security screening. The reason for the delay was that the Alert had been terminated by the time the off-site fire personnel arrived, and thus the plant could not use the expedited vehicle screening methods that would have been available had the Alert still been in effect. While the safety significance of the security delay was very small because the Alert had ended, the off-site personnel were concerned because the delay affected their ability to return promptly to their stations had they been called to respond to a fire. This Alert served as a learning experience, and the plant has addressed these issues in its procedures to prevent a recurrence.
DCPP has developed a satisfactory procedure and process for controlling the safety/security interface in accordance with recent NRC regulations. The DCISC will follow up in mid-2011 to review the plant’s implementation. The recent plant Alert provided an opportunity to test the capability of the security system to screen incoming off-site fire personnel and equipment. Lessons were learned that have resulted in changes to screening procedures.
Note: Because this subject is security-related and therefore sensitive, the following is only a general description of DCPP Cyber Security.
Because of the potential for a cyber attack on a U.S. nuclear power plant, the NRC issued 10CFR73.54, “Protection of Digital Computer and Communication Systems and Networks,” in March 2009 to establish cybersecurity requirements for the following plant functions:
- Safety and important to safety functions
- Security Systems
- Emergency Preparedness Functions
- Support systems
This typically includes all systems that use plant data (Protection Systems, Safety Systems, Non-safety Systems, and the Physical Access Control System) as well as systems unrelated to plant data, such as personnel work scheduling, timekeeping, and inventory control. The regulation addresses interconnections among digital systems, including pathways for errors and malfeasance, and interactions between digital systems and the plant, including new kinds of failures and spurious actuations not addressed in traditional safety analyses.
The NRC then issued Regulatory Guide 5.71, “Cyber Security for Nuclear Facilities,” providing implementation guidance, and the Nuclear Energy Institute (NEI) issued NEI 08-09, “Cyber Security Plan Template.” These documents established guidance for acceptable cyber security plans using a defense-in-depth strategy.
DCPP submitted its Cyber Security Plan and implementation schedule to the NRC in a License Amendment Request (LAR) on April 4, 2011. Two projects have been initiated to implement the plan: 1. Cyber Security Program Implementation, and 2. Plant Data Network Isolation. The Cyber Security implementation project is to have completed the following by the end of 2012:
- Assemble Cyber Security Assessment Team and perform walkdowns and tabletop discussions
- Identify critical systems and critical digital assets
- Isolate the plant data network
- Control portable media devices
- Include Cyber Security tampering in security records
- Implement Cyber Security controls on selected critical digital assets
DCPP expects to have fully implemented its Cyber Security Program, including plan modifications, maintenance and operations procedure changes, and plant training, by December 31, 2015.
DCPP appears to have an effective program plan and project team to design and implement its Cyber Security Program as required in NRC regulations. The DCISC will follow this effort periodically.
4.18.3 Conclusions and Recommendations
- DCPP appears to have an effective program for maintaining its safety/security interface and satisfactory plans and resources to implement its cyber-security program. The DCISC will follow up on both of these during the next reporting period.