Nuclear Power Corporation of India Limited (NPCIL) announced on October 30 that the malware “Dtrack” had been found on the administrative network of the Kudankulam Nuclear Power Plant (KKNPP) in early September 2019. KKNPP is the largest nuclear power plant in India, equipped with two Russian-designed VVER pressurized water reactors, each with a capacity of 1,000 megawatts. Both reactor units feed southern India’s power grid.

On November 4, KKNPP issued a press release stating that its reactors are operating normally and emphasizing that all critical systems for KKNPP and other NPCIL plants are “air-gapped and impossible to hack.” The term “air-gapped” is often used in the cybersecurity context to describe isolated control processing technologies or systems that are not connected to the internet or external networks, and are therefore considered safe from cyberthreats.

The Nuclear Regulatory Commission (NRC) and its Advisory Committee on Reactor Safeguards (ACRS) have been busy in recent weeks assessing issues related to the licensing of non-light water reactors (non-LWRs).

First, the NRC’s Division of Advanced Reactors transmitted a draft white paper titled “Non-Light Water Review Strategy” on September 30, 2019. As the title suggests, the white paper will “support the [NRC’s] review of applications for non-LWR designs submitted prior to the development of the technology-inclusive, risk-informed and performance-based regulatory framework . . . in 2027.” In so doing, the white paper describes both the contents of such applications and “an approach NRC staff may use to review the license basis information.”

Licensees are required to report certain medical events that meet the criteria defined in 10 CFR § 35.3045, Report and Notification of a Medical Event. Such reports allow the NRC to identify the causes of the events so as to prevent their recurrence and to notify other licensees so they can take action to prevent such events at their facilities. The NRC Staff and the Advisory Committee on the Medical Uses of Isotopes (ACMUI) perform annual reviews of medical event reports to identify trends, patterns, generic issues, and generic concerns, and to recognize any shortcomings related to specific equipment or procedures.

NRC Staff has made publicly available copies of Draft Regulatory Guide 1341, Standard Format and Content for Applications to Renew Nuclear Power Plant Operating Licenses, and a supporting Regulatory Analysis. Draft Regulatory Guide 1341 is intended to revise Regulatory Guide 1.188 (as Revision 2 thereto) to update references to other NRC license renewal guidance documents, and to expressly extend the guidance to applications for subsequent license renewal (SLR), i.e., the renewal of a reactor operating license for a second 20-year period, from 60 years to 80 years. The revised guidance document would provide applicants with a method to demonstrate compliance with the 10 CFR Part 54 requirements for both initial license renewal and SLR applications. Three SLR applications currently are under review by the NRC Staff, and others are expected to be submitted in the future.

The NRC will soon issue in the Federal Register a proposed rulemaking to amend the drug testing requirements of the Fitness for Duty (FFD) Program in 10 CFR Part 26. The proposed rule seeks to align the NRC’s drug testing requirements in Part 26 with the US Department of Health and Human Services’ (HHS’s) 2008 Mandatory Guidelines for Federal Workplace Drug Testing Programs (the 2008 Guidelines). The NRC is expected to publish the proposed rule in the coming weeks, but the draft rule with comments from the Commission is available, as well as the NRC Staff’s Draft Regulatory Analysis and Backfitting and Issue Finality.

The NRC last updated its drug testing requirements in March 2008, but HHS did not issue the 2008 Guidelines until November 2008. The NRC Staff decided to forgo another round of rulemaking to align Part 26 with the 2008 Guidelines in such close succession. Instead, the NRC Staff worked with the industry to institute a voluntary reporting system for FFD testing violations. The NRC Staff also began evaluating the effectiveness of the drug testing program changes implemented under the 2008 Guidelines. In February 2017, the NRC Staff sought Commission approval to publish a proposed rule to align the NRC’s FFD drug testing program with the 2008 Guidelines. The Commission approved this request in May 2019, subject to certain changes to the draft rule.

The Nuclear Regulatory Commission’s (NRC’s) Assistant Inspector General for Audits issued a memorandum on August 20 on the status of recommendations based on the Office of Inspector General’s (OIG’s) Audit of NRC’s Cyber Security Inspections at Nuclear Power Plants (OIG-19-A-13). As previously reported on Up & Atom, OIG recommended that the NRC work to close the critical skill gap for future cybersecurity inspection staffing, and develop and implement cybersecurity performance measures for licensees to use to demonstrate sustained program effectiveness. Based on the NRC’s July 3, 2019, response, OIG has issued this status of recommendations.

Following the July 12, 2019, release of “Power Reactor Cyber Security Program Assessment,” the Nuclear Regulatory Commission’s (NRC’s) Director of Physical and Cyber Security Policy in the Office of Nuclear Security and Incident Response issued a memorandum to NRC Staff on August 6, 2019.

The memorandum provides guidance to Staff on next steps, but also cautions Staff to keep several points in mind when initiating changes to the Cyber Security Program. Specifically, the Director asks Staff to ensure that changes do not adversely impact other areas of the program; that guidance revisions are consistent and incorporated throughout all documents; that, where necessary, a backfit analysis is performed; and that no changes constitute an unreasonable risk to public health and safety.

The memorandum reminds Staff that their next step, per the assessment, is to present a draft action plan by September 20, 2019. The action plan should identify enhancements to the Cyber Security Program that promote regulatory efficiency and effectiveness, while continuing to provide for reasonable assurance of public health and safety and promote common defense and security. The memorandum also praises NRC Staff for its efforts in conducting the assessment.

We will continue to monitor developments for cybersecurity at the NRC.

In a June 25, 2019, letter to the Chairman of the US Nuclear Regulatory Commission (NRC), Senators John Barrasso and Mike Braun requested that the agency develop a Generic Environmental Impact Statement (GEIS) for the construction and operation of advanced reactors. The letter asserts that a GEIS “will be a critical step to facilitate the deployment of new nuclear technologies” and “will focus NRC’s licensing efforts on the most important safety issues, reduce NRC staff resources dedicated to environmental permitting, and align with Congressional and Executive Branch efforts to conduct environmental permitting reviews more efficiently.”

The Nuclear Regulatory Commission (NRC) held a public meeting on August 8 to provide information and receive comments on the regulatory basis supporting the NRC’s rulemaking on physical security requirements for advanced reactors. The public meeting was the latest step in the NRC’s rulemaking process, which began on August 1, 2018, with the NRC Staff’s report to the Commission evaluating options for revising physical security regulations for advanced reactors. The Commission approved the NRC Staff’s proposed rulemaking plan on November 19, 2018. We previously reported on the NRC Staff’s report, the Commission’s Approval, and the publication of the regulatory basis for comment.

During the public meeting, NRC Staff summarized the regulatory basis and their recommendation for a limited-scope rulemaking. NRC Staff explained that the purpose of the rulemaking is to provide requirements and guidance for advanced reactor physical security and reduce the need for physical security exemptions—specifically from regulations requiring each site to have at least 10 armed responders for emergency security response (10 CFR § 73.55(k)(5)(ii)), and an on-site secondary alarm station to monitor potential issues (10 CFR § 73.55(i)(4)(iii)).

The Nuclear Regulatory Commission, by a 3-1 vote on August 7, agreed with the NRC Staff’s recommendation to discontinue a rulemaking on third-party arbitration of access authorization and fitness-for-duty determinations. The decision leaves admitted ambiguity, including a potential enforcement risk in the event that a licensee reinstates an individual’s revoked access authorization or a fitness-for-duty determination.

As we last reported on April 24, the NRC Staff recommended, in SECY-19-0033, withdrawing a rulemaking begun in 2015 to revise the NRC’s regulations regarding whether a third-party arbitrator could review a licensee’s access authorization or fitness-for-duty decisions. In SRM-SECY-19-0033, the Commission agreed with that recommendation.