Join
Search

The NRC’s Security Inspections at Nuclear Power Plants are Again under Attack

Bookmark and Share

As President Obama is preparing to attend the third Nuclear Security Summit in The Hague next week, the United States is playing the “do as I say, not as I do” game concerning protection of commercial nuclear facilities against terrorist attacks. 

The Nuclear Regulatory Commission (NRC), following the nuclear industry’s lead, is carrying out major changes that could fatally undermine the effectiveness of its “force-on-force” inspection regimen, perhaps the world’s most stringent program for conducting security oversight of commercial nuclear facilities. As the United States heads to the summit, it should lead by example and bolster the security of its nuclear facilities at home.

Instead, it is sending the wrong message by weakening its security requirements: reducing the number of tests that are conducted at each site and proposing to give more credit for tests that the plant owners conduct and grade themselves.

A similar effort at the Department of Energy (DOE) to decentralize security oversight under former Secretary Steven Chu contributed to a major security breach: the successful intrusion by three anti-war protesters into the Y-12 plant in Tennessee, the nation’s main storehouse of bomb-usable highly enriched uranium. DOE is now trying to undo that mistake.

Why are Tests Important?

(Source: NRC)

(Source: NRC)

Why is testing security performance with force-on-force (FOF) exercises essential? Because experience has shown that paperwork reviews of security plans cannot fully assess the actual, on-the-ground efficacy of security forces. The NRC requires facilities that are high-value terrorist targets be protected with “high assurance” against a “design basis threat” (DBT).  The DBT lays out the NRC’s assumptions about the general characteristics (weaponry, tactics, skills) of potential adversaries. For example, it requires nuclear power plants to be protected against an external attacking force (with the help of an insider) that seeks to damage safety systems and cause a Fukushima-type meltdown.

U.S. experience at both military and civil facilities has shown that simply complying with regulations and standards is not sufficient to prove that security plans will work in practice. Since the 1990s, the NRC has been conducting force-on-force testing as part of its security inspections at nuclear power plants. According to a brochure issued by the NRC in October 2013 titled “Protecting Our Nation,” FOF inspections are “an essential part of the oversight of the security of these facilities.”

FOF inspections routinely uncover security vulnerabilities that require prompt correction. In the years preceding the 9/11 attacks, U.S. nuclear plants failed roughly 50 percent of their exercises, meaning that the mock attackers were able to simulate damaging enough equipment to result in a meltdown. After 9/11, the NRC required plant owners to make security upgrades and strengthened its inspection of those upgrades, in part to comply with a 2005 congressional mandate to conduct FOF tests every three years. After the NRC revamped the program, nuclear plants have been failing at a rate of about 5 percent on average, with no significant downward trend in the failure rate yet apparent.

Considering the horrific consequences of a real security failure, this rate is still too high and indicates there is room for improvement. Now is not the time for the NRC to take the pressure off the industry to protect its nuclear plants.

The Nuclear Industry Hates FOF Tests

One thing that has become obvious from monitoring the force-on-force inspection program for years is the industry despises it. This is understandable—no one likes to take tests. And just like schoolchildren who complain that a test was unfair when they don’t do well, the industry has persistently raised questions about the test protocols to try to diminish the significance of poor performance.

From my discussions with NRC inspectors, it is apparent that preserving an element of surprise is one of the most important factors to ensure that FOF tests are able to accurately measure nuclear plants’ everyday security readiness. Of course, the exercises can never fully simulate a surprise attack: Nuclear plants must prepare for weeks before mock attacks so that they can be carried out safely. But there are aspects of a surprise FOF test that can help ensure the exercises are challenging. One important factor is the independence of the mock attack force. The attack force should be free to choose any attack scenario as long as it is consistent with the capabilities of the design basis threat, even if it employs those capabilities in new ways

The NRC also has to make sure that the attack force cannot collude with defending forces to “fix” the tests. It will be difficult for the agency to maintain the necessary separation if the mock attackers are made up of plant security force members, since there is a potential for conflict of interest.

In the first iteration of its FOF inspections in the 1990s, the NRC used actual members of the U.S. Army Special Forces (whom it referred to euphemistically as “subject matter experts”) as an integral part of the team that planned and carried out the mock attacks. But apparently they were too good at their jobs. After industry complaints, and a brief cancellation of the program, the industry proposed that the NRC replace the FOF inspections with a self-assessment program, in which the licensees themselves would staff and run the FOF drills and the NRC would be relegated to the role of a passive observer. This raised concerns among some NRC staff, who feared that this could whittle down the exercises to mere dog-and-pony shows in which the licensees would stage well-rehearsed performances for the NRC inspectors’ benefit.

Inadequate Tests, Even after 9/11…

The 9/11 attacks partly derailed this effort and prompted the NRC to strengthen the FOF inspections and increase their frequency from one every eight years to one every three years. However, the NRC has downgraded the subject matter experts’ role in the current program, and the tests use an industry-run “composite adversary force” (CAF) instead. The NRC says that it avoids conflict of interest issues by requiring “a clear separation of functions between the CAF and plant security forces.”

Nevertheless, questions remain about whether the post-9/11 inspection program is as rigorous and independent as the earlier program. In addition, numerous other artificialities compromise the tests’ realism, including strict limitations on the role insiders could play in assisting in attack planning, and no requirement to consider simultaneous cyberattacks.

Unfortunately, the industry has never given up on the idea of substituting its own FOF drills for the NRC-run inspections, and now the NRC seems more open than ever to allowing this to happen. The Nuclear Energy Institute (NEI), the industry’s primary trade association, formed an “Alternate Approach to FOF Focus Group” in February 2013, which is promoting a very similar approach to the self-assessment program it proposed before the 9/11 attacks.

… and Maybe Worse to Come

In response to industry complaints, the NRC already has reduced the number of FOF exercises per inspection from three to two and is proposing to reduce it to only one by 2017. In exchange, the NRC will give more credit to licensee-run security drills and will observe one such drill in each inspection cycle. This is a slippery slope toward the industry’s ultimate goal: to take control of the process and eliminate the potentially embarrassing FOF exercises altogether. Even worse, the NRC commissioners have directed the staff to review the entire FOF program with an apparent eye toward weakening it even further.

On top of that, NRC commissioners are apparently questioning the agency’s policy that plant owners should immediately correct all security vulnerabilities detected during FOF inspections.

If the NRC continues on its current course, the potential for terrorists to trigger a Fukushima-like meltdown at a U.S. nuclear plant—already unacceptably large, in our view—will only increase.

More information on NRC and industry plans and UCS’s response can be found here.

Posted in: Nuclear Power Safety, Nuclear Terrorism Tags: , , ,

About the author: Dr. Lyman received his PhD in physics from Cornell University in 1992. He was a postdoctoral research scientist at Princeton University's Center for Energy and Environmental Studies, and then served as Scientific Director and President of the Nuclear Control Institute. He joined UCS in 2003. He is an active member of the Institute of Nuclear Materials Management and has served on expert panels of the Nuclear Regulatory Commission. His research focuses on security issues associated with the management of nuclear materials and the operation of nuclear power plants, particularly with respect to reprocessing and civil plutonium. Areas of expertise: Nuclear terrorism, proliferation risks of nuclear power, nuclear weapons policy

Support from UCS members make work like this possible. Will you join us? Help UCS advance independent science for a healthy environment and a safer world.

  • Dennis Donnelly

    The following quote from the above article seems to show that existing NRC requirements are
    sufficient to protect against successful terrorist attacks:

    “The NRC requires facilities that are high-value terrorist targets be protected with “high assurance” against a “design basis threat” (DBT). The DBT lays out the NRC’s assumptions about the general characteristics (weaponry, tactics, skills) of potential adversaries. For example, it requires nuclear power plants to be protected against an external attacking force (with the help of an insider) that seeks to damage safety systems and cause a Fukushima-type meltdown.”

    But there is an enormous hole in the existing “design basis threat” (DBT) as currently defined by
    the NRC. I have tried to point out this hole in my commentary to NUREG 2157, the Waste Confidence Generic Environmental Impact Statement, as quoted below. What this means is that
    no airborne attacks are considered in the ‘design basis threat’ by the NRC. As a result, there is
    no protection required by NRC, or implemented by nuclear plant operators, against such attacks.

    Dennis Donnelly
    56 Tulane Ave.
    Pocatello ID 83201

    Nov 27, 2013

    U.S. Nuclear Regulatory Commission

    Gentlemen,

    Please accept this comment on NUREG 2157, the Waste Confidence Generic
    Environmental Impact Statement, as follows.

    On page 4-85 of NUREG 2157 there is a reference to physical protection
    criteria as defined in 10 CFR 73.1 Purpose and Scope for the ‘Physical
    Protection of Plants and Materials.’

    I would point out that 10 CFR 73.1 omits airborne attacks, which would
    likely be the method of choice for any attacks in this century.
    The land-or-waterborne attacks that are defined in 10 CFR 73.1 for the
    scope or protection are the preferred methods of the 20th century.

    Please update the scope of the defined threats to include airborne
    attacks by drone, commandeered airliner, model airplane, helicopter,
    light aircraft (as kamikaze) and/or model helicopter.

    Unless you make just such a change to 10 CFR 73.1, NUREG 2157 is
    totally irrelevant to its intended purpose.

    Dennis Donnelly