The comment period for the NRC’s draft Regulatory Issue Summary (RIS) on true identity verification requirements closed on June 15, 2020. The industry had asked for and received a 45-day extension from the original April 30 deadline to provide comments. As we previously reported, the draft RIS purports to “clarify” licensees’ requirements pursuant to 10 CFR § 73.56(d)(3) to verify the “true identity” of nonimmigrant foreign nationals who are granted unescorted access to nuclear power plants. Comments from the nuclear industry on the draft RIS strongly disagreed with the guidance and emphasized that the guidance “would substantially expand the existing requirement to verify the true identity of non-immigrant foreign nationals.” The industry suggests that the guidance should not be finalized because the draft RIS’s interpretation is unsupported by the language of the regulation and because the NRC did not conduct a backfit analysis under 10 CFR § 50.109. It remains to be seen, however, whether the NRC will be persuaded by the industry’s comments.
Read our recent LawFlash detailing the key takeaways for energy companies from the Coronavirus Aid, Relief, and Economic Security Act signed into law on March 27. Although the act does not expressly provide relief for energy companies, many of its provisions impact energy sector companies.
The NRC published notice of a draft Regulatory Issue Summary (RIS) (previously published in ADAMS) in the Federal Register on March 31. The draft RIS purports to “clarify” licensees’ requirements pursuant to 10 CFR § 73.56(d)(3) to verify the “true identity” of non-immigrant foreign nationals who are granted unescorted access to nuclear power plants. The NRC issued the RIS to “reinforce” its “expectation” that licensees verify that non-immigrant foreign employees have the correct visa category to perform assigned work inside the nuclear power plant protected area as part of the unescorted access process. Despite the NRC’s claim that the RIS does not transmit any new requirement, the NRC’s position, if unchanged, will likely require licensees to revise their procedures and provide additional training to unescorted access personnel regarding the NRC’s expectations for what is now required to confirm true identity or face additional regulatory scrutiny. The NRC requests in the Federal Register Notice that all comments on the draft RIS be submitted by April 30, 2020.
Nuclear Power Corporation of India Limited (NPCIL) announced on October 30 that the malware “Dtrack” had been found on the administrative network of the Kudankulam Nuclear Power Plant (KKNPP) in early September 2019. KKNPP is the largest nuclear power plant in India, equipped with two Russian-designed VVER pressurized water reactors, each with a capacity of 1,000 megawatts. Both reactor units feed southern India’s power grid.
On November 4, KKNPP issued a press release stating that its reactors are operating normally and emphasizing that all critical systems for KKNPP and other NPCIL plants are “air-gapped and impossible to hack.” The term “air-gapped” is often used in the cybersecurity context to describe isolated control processing technologies or systems that are not connected to the internet or external networks, and are therefore considered safe from cyberthreats.
The Nuclear Regulatory Commission’s (NRC’s) Assistant Inspector General for Audits issued a memorandum on August 20 on the status of recommendations based on the Office of Inspector General’s (OIG’s) Audit of NRC’s Cyber Security Inspections at Nuclear Power Plants (OIG-19-A-13). As previously reported on Up & Atom, OIG recommended that the NRC work to close the critical skill gap for future cybersecurity inspection staffing, and develop and implement cybersecurity performance measures for licensees to use to demonstrate sustained program effectiveness. Based on the NRC’s July 3, 2019, response, OIG has issued this status of recommendations.
Following the July 12, 2019, release of “Power Reactor Cyber Security Program Assessment,” the Nuclear Regulatory Commission’s (NRC’s) Director of Physical and Cyber Security Policy in the Office of Nuclear Security and Incident Response issued a memorandum to NRC Staff on August 6, 2019.
The memorandum provides guidance to Staff on next steps, but also cautions that when initiating changes to the Cyber Security Program they keep several points in mind. Specifically, the Director asks Staff to ensure that changes do not adversely impact other areas of the program; that guidance revisions are consistent and incorporated throughout all documents; that, where necessary, a backfit analysis is performed; and that no changes constitute an unreasonable risk to public health and safety.
The memorandum reminds Staff that their next step, per the assessment, is to present a draft action plan by September 20, 2019. The action plan should identify enhancements to the Cyber Security Program that promote regulatory efficiency and effectiveness, while continuing to provide for reasonable assurance of public health and safety and promote common defense and security. The memorandum also praises NRC Staff for its efforts in conducting the assessment.
We will continue to monitor developments for cybersecurity at the NRC.
The Nuclear Regulatory Commission (NRC) held a public meeting on August 8 to provide information and receive comments on the regulatory basis supporting the NRC’s rulemaking on physical security requirements for advanced reactors. The public meeting was the latest step in the NRC’s rulemaking process, which began on August 1, 2018, with the NRC Staff’s report to the Commission evaluating options for revising physical security regulations for advanced reactors. The Commission approved the NRC Staff’s proposed rulemaking plan on November 19, 2018. We previously reported on the NRC Staff’s report, the Commission’s approval, and the publication of the regulatory basis for comment.
During the public meeting, NRC Staff summarized the regulatory basis and their recommendation for a limited-scope rulemaking. NRC Staff explained that the purpose of the rulemaking is to provide requirements and guidance for advanced reactor physical security and reduce the need for physical security exemptions—specifically from regulations requiring each site to have at least 10 armed responders for emergency security response (10 CFR § 73.55(k)(5)(ii)), and an on-site secondary alarm station to monitor potential issues (10 CFR § 73.55(i)(4)(iii)).
The Nuclear Regulatory Commission, by a 3-1 vote on August 7, agreed with the NRC Staff’s recommendation to discontinue a rulemaking on third-party arbitration of access authorization and fitness-for-duty determinations. The decision leaves admitted ambiguity, including a potential enforcement risk in the event that a licensee reinstates an individual’s revoked access authorization or a fitness-for-duty determination.
As we last reported on April 24, the NRC Staff recommended in SECY-19-0033 withdrawing a rulemaking begun in 2015 to revise the NRC’s regulations regarding whether a third-party arbitrator could review a licensee’s access authorization or fitness-for-duty decisions. In SRM-SECY-19-0033, the Commission agreed with that recommendation.