Security since September 11th20 May 2010
As the September 11, 2001 attacks on the World Trade Center and the Pentagon fade from memory, it becomes harder for regulators to justify and licensees to maintain the vigilant posture needed to protect nuclear plants from radiological sabotage. By Edwin S. Lyman
Those parties responsible for the intelligence and security failures that allowed a man with terrorist ties to board a US-bound jetliner on Christmas Day 2009 with an improvised explosive device should have heeded the words of U.S. Nuclear Regulatory Commission chairman Gregory Jaczko. In a speech a few weeks before the bombing attempt, Jaczko warned regulators from around the world of the dangers of becoming complacent in their mission of protecting public safety and security. But this is easier said than done.
For armed responders, whose primary responsibility is the tedious chore of remaining ready around the clock to respond to an assault that will probably never come, the lack of an apparent and immediate threat can be damaging to morale. And for plant owners, the absence of public pressure for change makes it easier to defer costly and cumbersome security upgrades. As a result, security at nuclear plants today, over eight years after the 11 September wake-up call, is still not at the level it needs to be.
Yet by all accounts the threat to critical infrastructure remains acute. Terrorist tactics worldwide continue to grow more sophisticated, as evidenced by astonishingly bold attacks on highly secure facilities in Pakistan, Afghanistan and Iraq. And Umar Abdulmutallab’s failed attempt to bomb a Northwest Airlines flight as it approached Detroit indicates that terrorists are once again turning their attention to domestic U.S. targets. It also demonstrates their capacity to adapt to and evade enhanced security measures.
Momentum for security upgrades is also slowed by those who sow doubt that radiological sabotage is in fact a serious concern. NRC Commissioner Dale Klein said in a television interview in 2008 that nuclear plants are robust structures that terrorists would not likely choose to attack. He added that if a plane were to strike a nuclear plant that “in general the plane would bounce off.” But the reality is far more complex.
Although experts may reasonably disagree about the likelihood of an attack on a nuclear plant, among engineers there should be no dispute regarding what could happen if attackers armed with explosives were able to gain access to vital plant areas. For every nuclear plant one can identify numerous ‘target sets’: sets of equipment that if all disabled or destroyed would result in damage to the fuel in the core or in the spent fuel pool. The chief goal of nuclear power plant protection is to prevent attackers from taking out an entire target set.
This job is challenging because the nuclear plants operating today in the U.S. were not designed with the potential for sabotage in mind and hence have design vulnerabilities that put greater burdens on operational security programmes. For one thing, they are excessively dependent on access to off-site power, which cannot be protected by plant personnel and can be easily disrupted in an attack. In addition, there is often inadequate separation between nominally independent safety systems, so that certain target sets contain only a single element and can be disabled from a single location. The need to deny access to all such sensitive areas is a significant challenge.
With regard to aircraft attack, after 11 September the Nuclear Energy Institute (NEI) quickly put out a study, conducted by the Electric Power Research Institute (EPRI), that purported to show that a jet attack on an nuclear plant would not pose any risk to the public. Also, the NRC commissioned U.S. national laboratories to conduct its own studies to assess the vulnerability of operating plants to aircraft attack. Although the results of the lab studies never became public, there are indications that they uncovered cause for concern. In a 2003 interview with the NRC Office of the Inspector General, former NRC Commissioner Edward McGaffigan related an incident in which industry officials requested that NRC “cool it” with regard to its vulnerability assessment work. According to the interview transcript, McGaffigan said that “we were moving too far ahead of everyone else … they [Dave Christian of Dominion and Marv Fertel of the NEI] were concerned about the results. Our results in our vulnerability studies, I think we knew by then, the 450 mile per hour 767 is not going to have the same results as they have put out in the public media … I think they were trying to slow our stuff down.”
NRC eventually issued two new rules to address aircraft impacts. The first rule required operating reactor licensees to develop procedures for taking certain actions in the event of notification of an aircraft threat and for coping with the possible loss of large areas of the plant due to explosions or fire. The second rule required new reactor applicants to assess the effects on their designs of the impact of a large commercial aircraft, and incorporate additional features if necessary to ensure that either the containment remains intact or the core remains undamaged.
For at least two new reactor design, the results of the aircraft impact analysis apparently revealed the need for design modifications . Analysis of the GE-Hitachi Advanced Boiling Water Reactor (ABWR) showed that even though the design basis aircraft would not perforate the reactor containment or cause shock-induced damage to systems within containment, it would perforate the reactor building and the control building. Because the ABWR reactor building houses the Reactor Core Isolation Cooling System (RCICS), which provides auxiliary feedwater and water for emergency core cooling, the ABWR had to be redesigned to include an ‘alternate feedwater injection system’ which would provide an additional independent water source in the event that all normal and emergency core cooling systems were lost.
In addition, Westinghouse has said it has changed its reinforced concrete shield building design to meet enhanced aircraft impact design standards. It is now working to licence a shield building made of steel-concrete composite and reinforced concrete. The NRC has rejected the new design and is requiring Westinghouse to make modifications and conduct tests to demonstrate that the novel structure will be able to perform its safety function.
With regard to protection against ground assaults, security at U.S. nuclear plants is better than it was prior to September 11. What isn’t clear is whether it is good enough. One key issue is the so-called design basis threat (DBT)–the specifics of the attacking force that plant licensees are required to protect against. It is well-known that the NRC DBT in the 1990s consisted of one team of three individuals, assisted by a single ‘passive’ insider who could provide plant-specific information but not participate in the assault . The nature of this threat had not significantly changed since the 1970s, when according to conventional wisdom any conspiracy consisting of greater than a few members would be detected by intelligence agencies, and terrorists were not believed to be willing to die for their cause. One of the few changes to the DBT occurred after the 1993 World Trade Center bombing, when the NRC required plants to also defend against a design-basis vehicle bomb.
These assumptions were shattered by the September 11 plot, which involved nearly 20 suicidal attackers, capable of operating in four independent teams, who were able to plan for months within the U.S. without being detected. The other new aspect of the attack was the use of hijacked jet aircraft: the DBT assumed attackers would only have access to land-based vehicles. These facts led NRC to undergo a reassessment of the DBT that took years to finalize. In 2003 NRC issued “orders” to all nuclear plants implementing a new DBT. However, the regulations also needed to be modified. In addition, in the 2005 Energy Policy Act Congress required the NRC to revise the DBT taking into account the September 11 attacks and other information. It took several more years before the new DBT rules became final (in March 2007). Over that time, attacks by insurgents overseas on fortified facilities demonstrated increasing tactical sophistication. For example, the April 2005 attack on the Abu Ghraib prison in Iraq involved multiple teams of attackers and vehicle bombs, diversions, use of improvised explosive devices on surrounding roads to isolate the facility, and use of rocket-propelled grenades (RPGs) and .50-caliber rifles, weapons capable of piercing armored guard towers.
Caught between the need to regain credibility with the public and the pressure of an industry lobbying hard for so-called ‘regulatory stability’ (that is, the status quo), NRC eventually developed a policy that established the DBT as what it believed to be the “largest reasonable threat against which a regulated private guard force should be expected to defend under existing law.”
According to U.S. government sources, the process resulted in a DBT requiring plants to defend against a larger terrorist threat, including a larger number of attackers, a refined and expanded list of weapons, and an increase in the maximum size of a vehicle bomb.
However, the NRC’s policy led to a revised DBT that fell far short of the intelligence community’s assessment of the actual threat to U.S. critical infrastructure (known as the postulated threat), a move that was criticized by other U.S. government agencies at the time. Although the exact number of attackers in the new DBT has not been made public, Time magazine reported in 2005 that the new number was “less than double the old figure and a fraction of the size of the [September 11] group” . Also, the General Accountability Office (GAO) that audits US government spending, revealed in 2006 that the NRC threat assessment staff had pared down the list of advanced weaponry it wanted to include in the DBT in the face of industry objections, and that the Commission further rejected two additional commonly available weapons . These excluded weapons are widely believed to be RPGs and .50-caliber sniper rifles . Based on its observations, the GAO urged the NRC to improve its DBT process “to remove the appearance that changes to the DBT were based on what the nuclear industry considered feasible to defend against rather than on an assessment of the terrorist threat itself.”
The Commission ultimately voted to not allow the NRC staff to consider ‘resource impacts’ on licensees when evaluating the addition of new adversary characteristics in the DBT. Even so, a significant gap remains between the threat that nuclear plants are required to protect against and the maximum threat that the intelligence community deems credible. At a January 2010 briefing, the director of NRC’s Office of Nuclear Security and Incident Response, Jim Wiggins, admitted that “it’s possible we are not in the right place” with regard to the DBT. The NRC and the industry assert that protection against so-called beyond-design-basis threats is the responsibility of government and not of private industry. But the U.S. government has only taken baby steps toward carrying out this responsibility, and it has not yet developed comprehensive protective strategies or identified the funding sources needed to implement them. As a result, nuclear plants remain vulnerable in the event of an attack by adversaries with capabilities greater than those defined in the DBT.
Homeland Security’s role
The Department of Homeland Security (DHS), a cabinet-level agency, was created in the aftermath of 11 September and charged with reducing the vulnerability of U.S. critical infrastructure to terrorist attack. The 2003 Homeland Security Presidential Directive 7 (HSPD-7) instructed DHS to “… work with the Nuclear Regulatory Commission … to ensure the necessary protection of … commercial nuclear reactors.” Thus DHS appears to have been given an independent oversight role with regard to protection of nuclear power plants against both design basis and beyond-design-basis threats. Moreover, DHS, not NRC, would appear to be the logical entity to determine where the line between the two threats should be set. Since this decision is in effect a policy judgment that determines the extent to which the public would have to subsidize protection for privately-owned nuclear facilities, it should be consistent across all critical infrastructure sectors, and not vary according to the policies of individual regulatory agencies.
Unfortunately, while the statute creating DHS gave it the mandate to make recommendations to other agencies regarding the protection of the critical infrastructure, it did not give DHS the authority to overrule the decisions of any regulatory agency or to develop its own mandatory requirements. As a result, the role of DHS in nuclear plant security has been limited to offering advice to NRC–advice that NRC is free to ignore .
DHS, in carrying out its mandate under HSPD-7, undertook a series of security assessments called “comprehensive reviews” (CRs) at 65 U.S. nuclear plant sites from 2005 to 2007. According to DHS, this programme provided a “vehicle for discussion with stakeholders on potential enhancements to security in and around the sites.” DHS then established a project known as the Comprehensive Review Outcome Working Network to “follow up on the approximately 1,800 potential enhancements identified during Nuclear Sector CRs,” and claims that the process has resulted in “tangible security improvements” .
However, there is little public information about this programme and it is unclear whether it has resulted in any real improvements to security at nuclear plants beyond measures already needed for compliance with NRC DBT regulations. One publicly disclosed example of a nuclear plant security enhancement proposed by DHS does not give confidence in the process . In August 2003, DHS proposed to pay for the installation of a waterborne barrier device at the Millstone plant in the state of Connecticut to protect the water intake structure. However, the plant licensee, Dominion Nuclear, rejected the offer, presumably because it did not want to pay for its maintenance. NRC itself did not intervene, asserting that such protection was not necessary to meet its regulatory requirements.
Simply having strong security standards on the books is not enough to ensure that nuclear plants are adequately protected. Security plans must be tested to verify that they will actually work. NRC has long recognized that the gold standard for such verification is the “force-on-force” (FOF) exercise.
FOF exercises involve simulated combat between mock adversary teams with DBT capabilities and nuclear plant security forces. The adversaries attempt to destroy an entire target set’s worth of equipment and hence cause significant damage to the reactor core or to spent fuel in wet storage, and plant security officers try to prevent the adversaries from achieving their goal.
Prior to the 11 September attacks, NRC conducted a FOF programme at power reactors known as the Operational Safeguards Response Evaluation (OSRE). It is public information that nearly 50% of plant sites failed to prevent destruction of a target set by the three-person team that represented the DBT at that time . In addition, the adversary teams were also able to penetrate reactor containment on multiple occasions, essentially guaranteeing a large radiological release to the environment would occur following core damage. This was the case even though plant management were notified of impending OSREs months in advance – a luxury they would not have in the event of a real attack. But the OSRE programme was not a regulatory requirement, and failures were not considered violations subject to enforcement actions, so the NRC had limited authority to correct the problems the tests revealed.
Following 11 September, the NRC took a number of steps to improve plant security performance, including more rigorous standards for training and qualification of armed response officers. The FOF testing programme was made mandatory and the NRC increased the frequency of the exercises, now considered to be regulatory inspections, from every eight to every three years. And at first glance, these measures appear to be yielding improvements. Even though the DBT has increased, NRC has reported that out of 24 FOF inspections conducted in 2008, the latest year for which data is available, there were two failures of armed security personnel to protect target sets. This is a failure rate of about 10%, assuming that the two failures occurred at different sites. While better than a failure rate of 50%, anything greater than zero is arguably still too high, given the potential consequences of such a failure.
However, the FOF failure rate alone paints an overly rosy picture of the overall security posture at nuclear plants. This is because some plants may only just barely succeed, a fact that is not visible in the grading system. Such performance is problematic because in the event of a real attack with beyond-design-basis elements, the plant defensive strategy may not have sufficient margin to withstand the more severe challenge. To more precisely reflect plant security performance, the NRC staff began developing a proposal in 2009 to develop a more detailed security grading system that would also take into account margin to failure and other related issues. It remains to be seen whether industry will accept this change without objection, as some grades are likely to be lower under the new system.
Many other aspects of security are not captured by FOF inspections. One of these is fatigue. After the September 11 attacks, licensees sought to meet greater short-term security demand largely through increased overtime of the existing security officers, some working up to six 12-hour shifts a week. This interim approach eventually became the norm as managers remained reluctant to hire and train larger numbers of new security personnel in the face of an uncertain threat, leading to exhaustion and damaged morale in many cases. Prodded by the non-profit Project on Government Oversight (POGO), which had collected numerous case studies of overworked security guards, the NRC eventually proposed a rule to limit working hours for security staff. But it took the NRC over five years to put meaningful limits into effect, and in the interim more evidence of fatigue problems emerged. In 2007, a whistleblower provided a TV station with footage of security officers sleeping on duty at Exelon’s Peach Bottom plant in Pennsylvania, ultimately causing Exelon to fire Wackenhut Nuclear Services, the security contractor for Peach Bottom and its nine other nuclear plants.
The new restrictions that went into effect in 2008 would essentially limit security officers working 12-hour shifts to 48 hours per week under ordinary circumstances. However, higher limits for security outage periods and liberal waivers for emergencies reduce the beneficial effect of the new rules.
It remains to be seen whether the attempted aircraft bombing on Christmas Day 2009 represents the beginning of a new wave of threats by al-Qaeda against U.S. domestic infrastructure targets. If so, it is troubling to note that nuclear plants are still not fully prepared to defend against the last wave. The latest indication of this is a recent flurry of requests by nearly half of all U.S. nuclear plant licensees for exemptions from the 31 March 2010 deadline for compliance with NRC’s new security rules. For instance, the Tennessee Valley Authority has asked for extensions of more than two years for its fleet. If NRC grants these requests, the tenth anniversary of the 11 September will come and go before all U.S. nuclear plants have completed the required security upgrades. Unless the industry stops its foot-dragging and works more efficiently with regulators to promptly increase security as needed, there is little hope that plant defences will be able to keep ahead of the rapidly evolving terrorist threat.
Edwin S. Lyman, senior staff scientist, Union of Concerned Scientists, 1825 K St. NW, Ste. 800, Washington, DC 20006-1232.
|The industry responds|
Utilities respond to specific criticisms raised by Lyman.
"Security requirements issued by the Nuclear Regulatory Commission after 9/11 have been met at the TVA nuclear plants and the fluid nature of potential threats are continually addressed through information exchange and training. TVA is implementing the security updates that the NRC issued in May 2009 and a number of these updates will be completed by the implementation date of 31 March 2010.
"Like numerous other U.S. nuclear utilities, TVA requires additional time to completely implement certain elements of these security updates. TVA's extension request ensures that any unforeseeable delays would not require another extension."
- U.S. Nuclear Regulatory Commission, Office of the Inspector General, Case No. 04-141, Report of Interview, December 17, 2003, p. 59. NRC FOIA-2008-0312. Contact us for a copy of this file
- South Texas Project Nuclear Operating Company, "Application to Amend the Design Certification for the U.S. Advanced Boiling Water Reactor (public version)," U7-C-STP-NRC-090070, June 30, 2009.
- U.S. Nuclear Regulatory Commission, NRC Approves Changes to the Design Basis Threat and Issues Orders for Nuclear Power Plants to Further Enhance Security, press release 03-053, April 29, 2003.
- Mark Thompson, "Are These Towers Safe?" Time, June 20, 2005, pp. 34-48.
- U.S. Government Accountability Office, "Nuclear Power Plants: Efforts Made to Upgrade Security, but the Nuclear Regulatory Commission" Design Basis Threat Process Should Be Improved, GAO-06-388, March 2006.
- U.S. Government Accountability Office, "Nuclear Security: DOE and NRC Have Different Security Requirements for Protecting Weapons-Grade Material From Terrorist Attacks," GAO-07-1197R, September 11, 2007, p. 2.
- Edwin S. Lyman, "Nuclear Plant Protection and the Homeland Security Mandate," 44th Annual Meeting of the Institute of Nuclear Materials Management, Phoenix, AZ, July 13-17, 2003.
- Craig Conklin, Department of Homeland Security, testimony before the U.S. House of Representatives Committee on Homeland Security, Subcommittee on Emerging Threats, Cybersecurity, and Science and Technology, September 14, 2009, p. 8.
- Edwin S. Lyman and David Lochbaum, "Protecting Vital Targets: Nuclear Power Plants," in Homeland Security: Protecting America's Targets, Volume III (Critical Infrastructure) (James J. F. Forest, ed.), Praeger Security International, Westport, CT, 2006, pp. 157-173.
- Open letter to Nuclear Regulatory Commission Chairman Diaz on the proposed Design Basis Threat from Danielle Brian, Project on Government Oversight (POGO), 21 February 2006, http://www.pogo.org/pogo-files/letters/nuclear-security-safety/nss-npp-20060221.html.
- Letter from Nils J. Diaz, Chairman, Nuclear Regulatory Commission, to Congressman Edward Markey, April 22, 2005. Contact us for a copy of this file
- D. Orrik, "Differing Professional View Regarding NRC Abandoning its Only Counter-Terrorism Programme," memorandum to S. Collins, Nuclear Regulatory Commission, August 7, 1998.