Nuclear Power: Plants Have Upgraded Security, but the Nuclear
Regulatory Commission Needs to Improve Its Process for Revising
the Design Basis Threat (04-APR-06, GAO-06-555T).
The nation's commercial nuclear power plants are potential
targets for terrorists seeking to cause the release of
radioactive material. The Nuclear Regulatory Commission (NRC), an
independent agency headed by five commissioners, regulates and
oversees security at the plants. In April 2003, in response to
the terrorist attacks of September 11, 2001, NRC revised the
design basis threat (DBT), which describes the threat that plants
must be prepared to defend against in terms of the number of
attackers and their training, weapons, and tactics. NRC also
restructured its program for testing security at the plants
through force-on-force inspections (mock terrorist attacks). This
testimony addresses the following: (1) the process NRC used to
develop the April 2003 DBT for nuclear power plants, (2) the
actions nuclear power plants have taken to enhance security in
response to the revised DBT, and (3) NRC's efforts to strengthen
the conduct of its force-on-force inspections. This testimony is
based on GAO's report on security at nuclear power plants, issued
on March 14, 2006 (GAO-06-388).
-------------------------Indexing Terms-------------------------
REPORTNUM: GAO-06-555T
ACCNO: A50717
TITLE: Nuclear Power: Plants Have Upgraded Security, but the
Nuclear Regulatory Commission Needs to Improve Its Process for
Revising the Design Basis Threat
DATE: 04/04/2006
SUBJECT: Counterterrorism
Emergency preparedness
Homeland security
Independent regulatory commissions
Inspection
Nuclear facility security
Nuclear powerplant safety
Nuclear powerplants
Security threats
Strategic planning
Terrorism
******************************************************************
** This file contains an ASCII representation of the text of a **
** GAO Product. **
** **
** No attempt has been made to display graphic images, although **
** figure captions are reproduced. Tables are included, but **
** may not resemble those in the printed version. **
** **
** Please see the PDF (Portable Document Format) file, when **
** available, for a complete electronic file of the printed **
** document's contents. **
** **
******************************************************************
GAO-06-555T
* Summary
* Background
* NRC's Process for Revising the DBT Was Generally Logical and
* NRC's Process for Revising Its DBT Was Generally Logical and
* Changes to the Threat Assessment Staff's Initial Recommendat
* Nuclear Power Plants Made Substantial Changes to Their Secur
* NRC Has Significantly Improved the Force-on-Force Inspection
* GAO Contact and Staff Acknowledgments
* GAO's Mission
* Obtaining Copies of GAO Reports and Testimony
* Order by Mail or Phone
* To Report Fraud, Waste, and Abuse in Federal Programs
* Congressional Relations
* Public Affairs
Testimony
Before the Subcommittee on National Security, Emerging Threats, and
International Relations, House Committee on Government Reform
United States Government Accountability Office
GAO
For Release on Delivery Expected at 2:00 p.m. EDT
Tuesday, April 4, 2006
NUCLEAR POWER
Plants Have Upgraded Security, but the Nuclear Regulatory Commission Needs
to Improve Its Process for Revising the Design Basis Threat
Statement of Jim Wells, Director Natural Resources and Environment
GAO-06-555T
Mr. Chairman and Members of the Subcommittee:
I am pleased to be here today to discuss our recent work on security of
the nation's 103 operating commercial nuclear power plants, located at 65
sites in 31 states. My testimony today is based on our report being
released today, entitled Nuclear Power Plants: Efforts Made to Upgrade
Security, but the Nuclear Regulatory Commission's Design Basis Threat
Process Should Be Improved ( GAO-06-388 ).1
As you know, nuclear power plants were among the targets considered in the
original plan for the September 11, 2001, terrorist attacks. Furthermore,
according to the Nuclear Regulatory Commission (NRC), which regulates and
oversees the safe operation and security of nuclear power plants, there
continues to be a general credible threat of a terrorist attack on the
nation's commercial nuclear power plants, in particular by al Qaeda and
like-minded Islamic terrorist groups. Such an attack could cause a release
of radioactive material and endanger public health and safety through
exposure to an elevated level of radiation.
To defend against a potential terrorist attack, NRC issues and enforces
security-related regulations and orders, and nuclear power plant licensees
implement security measures to meet NRC requirements. In particular, NRC
formulates a design basis threat (DBT)-the threat that plants must defend
against-and tests plants' ability to defend against the DBT. The DBT
characterizes the elements of a potential attack, including the number of
attackers, their training, and the weapons and tactics they are capable of
employing. NRC periodically reviews the potential terrorist threat to
determine whether to make changes to the DBT. Most recently, NRC revised
the DBT in April 2003 in response to the September 11 terrorist attacks.
After revising the DBT, NRC required nuclear power plant sites to submit
new security plans by April 29, 2004, for its review and approval and to
implement the security described in their new plans by October 29, 2004.
In November 2004, NRC began using its force-on-force inspection program to
test sites' ability to defend against the revised DBT. This program
employs mock terrorist attacks as the principal means to test the sites'
security.
1We also prepared a classified version of our report, which includes
additional details about the DBT and security at nuclear power plants that
NRC does not release to the public. For more information on NRC's
oversight of security at nuclear power plants, see GAO, Nuclear Regulatory
Commission: Preliminary Observations on Efforts to Improve Security at
Nuclear Power Plants, GAO-04-1064T (Washington, D.C.: Sept. 14, 2004); and
Nuclear Regulatory Commission: Oversight of Security at Commercial Nuclear
Power Plants Needs to Be Strengthened, GAO-03-752 (Washington, D.C.: Sept.
4, 2003).
The DBT does not represent the maximum size and capability of a terrorist
attack that is possible but, rather, NRC's assessment of the threat that
the nuclear power plants must at all times be prepared to defend against
"to ensure adequate protection of public health and safety." Furthermore,
NRC regulations do not require nuclear power plants to protect against
attacks by an "enemy of the United States," whether a foreign government
or other person.2 NRC originally included this provision in its
regulations in 1967 (prior to issuing the first DBT for nuclear power
plants). According to NRC officials, the provision was intended to address
the possibility that Cuba might launch an attack on a nuclear power plant
in Florida. In revising the DBT in April 2003, NRC did not use this
provision to exempt plants from defending against terrorist groups such as
al Qaeda but, rather, stated that a private security force (such as at a
nuclear power plant) cannot reasonably be expected to defend against all
threats-for example, airborne attacks. Importantly, NRC works with other
federal agencies to coordinate an integrated response to a terrorist
threat or attack on a nuclear power plant.
Our March 2006 report examined (1) the process NRC used to develop the
April 2003 DBT for nuclear power plants, (2) the actions nuclear power
plants have taken to enhance security in response to the revised DBT, and
(3) NRC's efforts to strengthen the conduct of its force-on-force
inspections. For the report, we reviewed documents detailing the process
NRC used to revise the DBT and interviewed the NRC commissioners and
staff. We also visited four nuclear power plant sites (one in each of the
four NRC regions) to observe the security enhancements that sites made to
address the revised DBT, and we reviewed a sample of NRC's baseline and
force-on-force inspection reports. GAO staff with security expertise
accompanied us on our visits in order to assist in our review of the
sites' security strategies. Finally, we observed a total of three
force-on-force inspections at two other sites. We performed our work from
November 2004 through January 2006 in accordance with generally accepted
government auditing standards.
20 C.F.R. S: 50.13.
Summary
NRC revised the DBT for nuclear power plants using a process that was
generally logical and well-defined. Specifically, trained threat
assessment staff made recommendations for changes based on an analysis of
demonstrated terrorist capabilities. To enhance the predictability and
consistency of its assessments and its recommendations to the NRC
commissioners for changes to the DBT, the NRC threat assessment staff
developed and used a comprehensive screening tool to analyze intelligence
information and to evaluate particular terrorist capabilities, or
"adversary characteristics," for inclusion in the DBT. The resulting DBT
requires plants to defend against a larger terrorist threat, including a
larger number of attackers, a refined and expanded list of weapons, and an
increase in the maximum size of a vehicle bomb. The revised DBT generally,
but not always, corresponded to the original recommendations of the threat
assessment staff. For example, the maximum number of attackers in the
revised DBT is based, in part, on the staff's analysis of the size of
terrorist cells worldwide. However, for other important elements of the
DBT, such as the weapons that attackers could use against a plant, the
final version of the revised DBT does not correspond to the staff's
original recommendations. We identified the following two principal
reasons for these differences:
o First, the threat assessment staff made changes to its initial
recommendations after obtaining feedback from stakeholders,
including the nuclear industry, on a draft of the DBT. A number of
the changes reflected industry objections to the draft. For
example, following meetings with industry, the staff decided not
to recommend including certain weapons in the list of adversary
characteristics that nuclear power plants should be prepared to
defend against. In its comments, the industry had pressed for NRC
to remove such adversary characteristics from the draft DBT. The
industry considered them to be prohibitively expensive to defend
against or to be representative of an enemy of the United States,
which is the responsibility of the government, rather than the
industry, to defend against. NRC officials told us the changes
resulted from further analysis of the intelligence data and the
reasonableness of required defensive measures rather than the
industry objections. Nevertheless, in our view, this situation
created the appearance that changes were made based on what
industry considered reasonable and feasible to defend against,
rather than an assessment of the terrorist threat.
o Second, in deciding on the revised DBT, the commissioners
largely supported the staff's recommendations but also made some
significant changes. These changes reflected their policy
judgments on what is reasonable for a private security force to
defend against. However, the commissioners did not identify
explicit criteria for what is and what is not reasonable for a
private security force to defend against, such as the cost of
defending against particular adversary characteristics. For
example, the commissioners decided against including two weapons
that the threat assessment staff had concluded could plausibly be
used against a U.S. nuclear power plant. Furthermore, instead of
providing a reason for its decision to remove these weapons, the
commission's voting record showed that individual commissioners
used differing criteria and emphasized different factors, such as
cost or practicality of defensive measures. We believe the absence
of reviewable criteria reduced the transparency of the
decision-making process. The absence of criteria also potentially
reduced the rigor of the decision-making process.
Licensees of nuclear power plants have made substantial changes to
their security in response to the September 11, 2001, attacks and
the 2003 revisions to the DBT. At the sites we visited, these
actions included, for example, adding security barriers and
detection equipment, implementing new protective strategies,
enhancing access control, and hiring additional security officers.
In some cases, the sites went beyond what NRC required. For
example, one site added electronic intrusion detection equipment
to its outer perimeter, which was not required. According to NRC,
other sites implemented security enhancements similar to what we
saw at the sites we visited. Despite these considerable efforts,
it is too early to conclude that all sites are capable of
defending against the DBT because, as of March 30, 2006, NRC had
conducted force-on-force inspections at 27, or less than half, of
the 65 sites. According to NRC, sites have generally performed
well during force-on-force inspections, and the results of
baseline inspections show that sites have generally complied with
their security plans. However, a number of sites have experienced
problems and have not always met security requirements. Most
notably, we observed a force-on-force inspection at a site in
which the licensee's performance at the time was at best
questionable in its ability to defend against the DBT.
NRC has made a number of improvements to its force-on-force
inspection program. For example, NRC is implementing a schedule to
conduct the inspections more frequently at each site-every 3 years
rather than every 8 years-and has instituted measures to make the
inspections more realistic, such as using laser equipment to
better simulate the weapons that attackers and security officers
would likely employ during an actual attack on a nuclear power
plant. These improvements are important because, as we noted from
our observation of three force-on-force inspections and our review
of NRC reports on others, the inspections have the ability to
detect weaknesses in sites' protective strategies, which can then
be corrected. Nevertheless, in observing three inspections and
discussing the program with NRC officials, we noted issues in the
force-on-force program that warrant continued NRC attention. For
example, the level of security expertise and training among
controllers, who observe exercise participants to ensure the
safety and effectiveness of the exercises, was inconsistent.
Our report included two recommendations to address the
shortcomings in the process NRC used to revise the DBT. First, we
recommended that NRC assign responsibility for obtaining feedback
from the nuclear industry and other stakeholders on proposed
changes to the DBT to an office within NRC other than the threat
assessment section, thereby insulating the staff and mitigating
the appearance of undue industry influence on the threat
assessment itself. Second, we recommended that NRC develop
explicit criteria to guide the commissioners in their
deliberations to approve changes to the DBT. These criteria should
include setting out the specific factors and how they will be
weighed in deciding what is reasonable for a private guard force
to defend against. In addition, we recommended that NRC continue
to evaluate and implement measures to further strengthen the
force-on-force inspection program. In commenting on a draft of our
report, NRC commended our efforts to ensure that the report was
accurate and constructive. NRC also provided additional clarifying
comments pertaining to the process it used to revise the DBT for
nuclear power plants. For example, NRC requested that we revise
the report to explain that it made a deliberate decision to
develop the revised DBT while simultaneously seeking input from
stakeholders in order to expedite its response to the September
11, 2001 terrorist attacks. We revised the report accordingly.
NRC is an independent agency established by the Energy
Reorganization Act of 1974 to regulate the civilian use of nuclear
materials. It is headed by a five-member commission, with one
commission member designated by the President to serve as chairman
and official spokesperson. The commission as a whole formulates
policies and regulations governing nuclear reactor and materials
safety and security, issues orders to licensees, and adjudicates
legal matters brought before it. Security for commercial nuclear
power plants is addressed by NRC's Office of Nuclear Security and
Incident Response. This office develops policy on security at
nuclear facilities and is the agency's security interface with the
Department of Homeland Security (DHS), the intelligence and law
enforcement communities, the Department of Energy (DOE), and other
agencies. Within this office, the Threat Assessment Section
assesses security threats involving NRC-licensed activities and
develops recommendations regarding the DBT for the commission's
consideration.
The DBT for radiological sabotage applied to nuclear power plants
identifies the terrorist capabilities (or "adversary
characteristics") that sites are required to defend against. The
adversary characteristics generally describe the components of a
ground assault and include the number of attackers; the size of a
vehicle bomb; and the weapons, equipment, and tactics that could
be used in an attack. Other threats in the DBT include a
waterborne assault and the threat of an insider. The DBT does not
include the threat of an airborne attack.
Force-on-force inspections are NRC's performance-based means for
testing the effectiveness of nuclear power plant security
programs. These inspections are intended to demonstrate how well a
nuclear power plant might defend against a real-life threat. In a
force-on-force inspection, a professional team of adversaries
attempts to reach specific "target sets" within a nuclear power
plant that would allow them to commit radiological sabotage. These
target sets represent the minimum pieces of equipment or
infrastructure an attacker would need to destroy or disable in
order to commit radiological sabotage that results in an elevated
release of radioactive material to the environment. NRC also
conducts baseline inspections at nuclear power plants. During
these inspections, security inspectors examine areas such as
officer training, fitness for duty, positioning and operational
readiness of multiple physical and technical security components,
and the controls the licensee has in place to ensure that
unauthorized personnel do not gain access to the protected area.
NRC's policy is to conduct a baseline inspection at each site
every year, with the complete range of baseline inspection
activities conducted over a 3-year cycle. For both force-on-force
and baseline inspections, licensees are responsible for
immediately correcting or compensating for any deficiency in which
NRC concludes that security is not in accordance with the approved
security plans or other security orders.
The process by which NRC revised the DBT for nuclear power plants
was generally logical and well defined in that trained threat
assessment staff made recommendations for changes based on an
analysis of demonstrated terrorist capabilities. The NRC
commissioners evaluated the recommendations and considered whether
the proposed changes constituted characteristics representative of
an enemy of the United States, or were otherwise not reasonable
for a private security force to defend against. However, while the
final version of the revised DBT generally corresponded to the
original recommendations of the threat assessment staff, some
elements did not, which raised questions about the extent to which
the revised DBT represents the terrorist threat.
NRC made its 2003 revisions to the DBT for nuclear power plants
using a process that the agency has had in place since issuing the
first DBT in the late 1970s. In this process, NRC staff trained in
threat assessment use reports and secure databases provided by the
intelligence community to monitor information on terrorist
activities worldwide. (NRC does not directly gather intelligence
information but rather receives intelligence from other agencies
that it uses to formulate the DBT for nuclear power plants.) The
staff analyze this information both to identify specific
references to nuclear power plants and to determine what
capabilities terrorists have acquired and how they might use those
capabilities to attack nuclear power plants in the United States.
The staff normally summarize applicable intelligence information
and any recommendations for changes to the DBT in semiannual
reports to the NRC commissioners on the threat environment.
In 1999, the NRC staff began developing a set of criteria-the
adversary characteristics screening process-to decide whether to
recommend particular adversary characteristics for inclusion in
the DBT and to enhance the predictability and consistency of their
recommendations. The staff use initial screening criteria to
exclude from further consideration certain adversary
characteristics, such as those that would more likely be used by a
foreign military than by a terrorist group. For adversary
characteristics that pass the initial round of screening, the
threat assessment staff apply additional screening factors, such
as the type of terrorist group that demonstrated the
characteristic. For example, the staff consider whether an
adversary characteristic has been demonstrated by transnational or
terrorist groups operating in the United States, or by terrorist
groups that operate only in foreign countries. Finally, on the
basis of their analysis and interaction with intelligence and
other agencies, the staff decide whether to recommend that the
commission include the adversary characteristics in the DBT for
nuclear power plants. NRC's Office of Nuclear Security and
Incident Response, which includes the Threat Assessment Section,
reviews and endorses the threat assessment staff's analysis and
recommendations.
Terrorist attacks have generally occurred outside the United
States, and intelligence information specific to nuclear power
plants is very limited. As a result, one of the NRC threat
assessment staff's major challenges has been to decide how to
apply this limited information to nuclear power plants in the
United States. For example, one of the key elements in the revised
DBT, the number of attackers, is based on NRC's analysis of the
group size of previous terrorist attacks worldwide. According to
NRC threat assessment staff, the number of attackers in the
revised DBT falls within the range of most known terrorist cells
worldwide.3 NRC staff recommendations regarding other adversary
characteristics also reflected the staff's interpretation of
intelligence information. For example, the staff considered a
range of sizes for increasing the vehicle bomb in the revised DBT
and ultimately recommended a size that was based on an analysis of
previous terrorist attacks using vehicle bombs. Intelligence and
law enforcement officials we spoke with did not have information
contradicting NRC's interpretation regarding the number of
attackers or other parts of the NRC DBT but did point to the
uncertainty regarding the size of potential attacks and the
relative lack of intelligence on the terrorist threat to nuclear
power plants.
In addition to analyzing intelligence information, NRC monitored
and exchanged information with DOE, which also has a DBT for
comparable facilities that process or store radiological materials
and are, therefore, potential targets for radiological sabotage.4
However, while certain aspects of the two agencies' DBTs for
radiological sabotage are similar, NRC generally established less
rigorous requirements than DOE- for example, with regard to the
types of equipment that could be used in an attack. The DOE DBT
includes a number of weapons not included in the NRC DBT.
Inclusion of such weapons in the NRC DBT for nuclear power plants
would have required plants to take substantial additional security
measures. Furthermore, DOE included other capabilities in its DBT
that are not included in the NRC DBT. Despite these differences,
both agencies used similar intelligence information to derive key
aspects of their DBTs. For example, both DOE and NRC based the
number of attackers on intelligence on the size of terrorist
cells, and DOE officials told us they used intelligence similar to
NRC's to derive the number of attackers. Likewise, DOE and NRC
officials provided us with similar analyses of intelligence
information on previous terrorist attacks using vehicle bombs. DOE
and NRC officials also told us that most vehicle bombs used in
terrorist attacks are smaller than the size of the vehicle bomb in
NRC's revised DBT.
While NRC followed a generally logical and well-defined process to
revise the DBT for nuclear power plants, two aspects of the
process raised a fundamental question-the extent to which the DBT
represents the terrorist threat as indicated by intelligence data
compared with the extent to which it represents the threat that
NRC considers reasonable for the plants to defend against. These
two aspects were (1) the process NRC used to obtain stakeholder
feedback on a draft of the DBT and (2) changes made by the
commissioners to the NRC staff's recommended DBT.
With regard to the first aspect, the process NRC used to obtain
feedback from stakeholders, including the nuclear industry,
created the appearance of industry influence on the threat
assessment regarding the characteristics of an attack. NRC staff
sent a draft DBT to stakeholders in January 2003, held a series of
meetings with them to obtain their comments, and received written
comments. NRC specifically sought and received feedback from the
nuclear industry on what is reasonable for a private security
force to defend against and the cost of and time frame for
implementing security measures to defend against specific
adversary characteristics. During this same period, the threat
assessment staff continued to analyze intelligence information and
modify the draft DBT.
In its written comments on the January 2003 draft DBT, the Nuclear
Energy Institute (NEI), which represents the nuclear power
industry, objected to a number of the adversary characteristics
the NRC staff had included. Subsequently, the NRC staff made
changes to the draft DBT, which they then submitted to the NRC
commissioners.5 The changes made by the NRC staff-in particular,
the size of the vehicle bomb and list of weapons that could be
used in an attack-reflected some (but not all) of NEI's
objections. For example, NEI wrote that some sites would not be
able to protect against the size of the vehicle bomb proposed by
NRC because of insufficient land for installation of vehicle
barrier systems at a necessary distance. Instead, NEI agreed that
it would be reasonable to protect against a smaller vehicle bomb.
Similarly, NEI argued against the inclusion of certain weapons
because of the cost of protecting against the weapons. NEI wrote
that such weapons (as well as the vehicle bomb size initially
proposed by the NRC staff) would be indicative of an enemy of the
United States, which sites are not required to protect against
under NRC regulations. In its final recommendations to the
commissioners, the NRC staff reduced the size of the vehicle bomb
to the amount NEI had proposed and removed a number of weapons NEI
had objected to. On the other hand, NRC did not make changes that
reflected all of the industry's objections. For example, NRC staff
did not remove one particular weapon NEI had objected to, which,
according to NRC's analysis, has been a staple in the terrorist
arsenal since the 1970s and has been used extensively worldwide.
With regard to the commissioners' review and approval of the NRC
staff's recommendations, the commissioners largely supported the
staff's recommendations but also made some significant changes
that reflected policy judgments. Specifically, the commissioners
considered whether any of the recommended changes to the DBT
constituted characteristics representative of an enemy of the
United States, which sites are not required to protect against
under NRC regulations. In approving the revised DBT, the
commission stated that nuclear power plants' civilian security
forces cannot reasonably be expected to defend against all
threats, and that defense against certain threats (such as an
airborne attack) is the primary responsibility of the federal
government, in coordination with state and local law enforcement
officials. Based on such considerations, the commission voted to
remove two weapons the NRC staff had recommended for inclusion in
the revised DBT based on its threat assessment. However, the
document summarizing the commission's decision to approve the
revised DBT did not provide a reason for excluding these weapons.
For example, the commission did not indicate whether its decision
was based on criteria, such as the cost for nuclear power plants
to defend against an adversary characteristic or the efforts of
local, state, and federal agencies to address particular threats.
In our view, the lack of such criteria reduced the transparency of
the commission's decisions to make changes to the threat
assessment staff's recommendations.
The four nuclear power plant sites we visited made substantial
changes in response to the revised DBT, including measures to
detect, delay, and respond to the increased number of attackers
and to address the increased vehicle bomb size. These security
enhancements were in addition to other measures licensees
implemented-such as stricter requirements for obtaining physical
access to nuclear power plants-in response to a series of security
orders NRC issued after September 11, 2001. According to NEI, as
of June 2004, the cost of security enhancements made since
September 11, 2001, for all sites amounts to over $1.2 billion.
To enhance their detection capabilities, the four sites we visited
installed additional cameras throughout different areas of the
sites and instituted random patrols in the owner-controlled
areas.6 Furthermore, the sites we visited installed a variety of
devices designed to delay attackers and allow security officers
more time to respond to their posts and fire upon attackers. The
sites generally installed these delay devices throughout the
protected areas as well as inside the reactor and other buildings.
Sites also enhanced their ability to respond to an attack by
constructing bullet-resistant structures at various locations in
the protected area or within buildings, increasing the minimum
number of security officers defending the sites at all times, and
expanding the amount of training provided to them. (See fig. 1 for
an example of a bullet-resistant structure.) According to NRC,
other sites took comparable actions to defend against the revised
DBT.
Figure 1: Example of a Bullet-Resistant Structure
In addition to adding measures designed to detect, delay, and
respond to an attack, the licensees at the four sites we visited
installed new vehicle barrier systems to defend against the larger
vehicle bomb in the revised DBT. In particular, the licensees
designed comprehensive systems that included sturdy barriers to
(1) prevent a potential vehicle bomb from approaching the sites
and (2) channel vehicles to entrances where security officers
could search them for explosives and other prohibited items. The
vehicle barrier systems either completely encircled the plants
(except for entrances manned by armed security officers) or formed
a continuous barrier in combination with natural or manmade
terrain features, such as bodies of water or trenches, that would
prevent a vehicle from approaching the sites.
In general, the four sites we visited all implemented a
"defense-in-depth" strategy, with multiple layers of security
systems that attackers would have to defeat before reaching vital
areas or equipment and destroying or disabling systems sufficient
to cause an elevated release of radiation off site. The sites
varied in how they implemented these measures, primarily depending
on site-specific characteristics such as topography and on the
degree to which they planned to interdict attackers within the
owner-controlled area and far from the sites' vital area, as
opposed to inside the protected area but before they could reach
the vital equipment. For example, one site with a predominantly
external strategy installed an intrusion detection system in the
owner-controlled area so that security officers would be able to
identify intruders as early as possible. The site was able to
install such a system because of the large amount of open,
unobstructed space in the owner-controlled area. In contrast,
security managers at another site we visited described a
protective strategy that combined elements of an external strategy
and an internal strategy. For example, the site identified "choke
points"-locations attackers would need to pass before reaching
their targets-inside the protected area and installed
bullet-resistant structures at the choke points where officers
would be waiting to interdict the attackers. NRC officials told us
that licensees have the freedom to design their protective
strategies to accommodate site-specific conditions, so long as the
strategies satisfy NRC requirements and prove successful in a
force-on-force inspection.
In addition to the security enhancements we observed, security
managers at each site described ways in which they had exceeded
NRC requirements and changes they plan to make as they continue to
improve their protective strategies. For example, security
managers at three of the sites we visited told us the number of
security officers on duty at any one shift exceeded the minimum
number of security officers that NRC requires be dedicated to
responding to attacks. Similarly, in at least some areas of the
sites, the new vehicle barrier systems were farther from the
reactors and other vital equipment than necessary to protect the
sites against the size of vehicle bomb in the revised DBT.
Despite the substantial security improvements we observed at the
four sites we visited, it is too early to conclude, either from
NRC's force-on-force or baseline inspections, that all nuclear
power plant sites are capable of defending against the revised DBT
for the following two reasons:
o First, as of March 30, 2006, NRC had completed force-on-force
inspections at 27 of the 65 sites, and it is not planning to
complete force-on-force inspections at all sites until 2007, in
accordance with its 3-year schedule. NRC officials told us that
plants have generally performed well during force-on-force
inspections. However, we observed a force-on-force inspection at
one site in which the site's ability to defend against the DBT was
at best questionable. The site's security measures appeared
impressive and were similar to those we observed at other sites.
Nevertheless, some or all of the attackers were able to enter the
protected area in each of the three exercise scenarios.
Furthermore, attackers made it to the targets in two of the
scenarios, although the outcomes of the two scenarios were called
into question by uncertainties regarding whether the attackers had
actually been neutralized before reaching the targets. As a
result, NRC decided to conduct another force-on-force inspection
at the site, which we also observed. The site made substantial
additional security improvements-at a cost of $37 million,
according to the licensee-and NRC concluded after the second
force-on-force inspection that the site had adequately defended
against a DBT-style attack.
o Second, we noted from our review of 18 baseline inspection
reports and 9 force-on-force inspection reports that sites have
encountered a range of problems in meeting NRC's security
requirements. NRC officials told us that all sites have
implemented all of the security measures described in their new
plans submitted in response to the revised DBT. However, 12 of the
18 baseline inspection reports and 4 of the 9 force-on-force
inspection reports we reviewed identified problems or items
needing correction. For example, during two different baseline
inspections, NRC found (1) an intrusion detection system in which
multiple alarms were not functioning properly, making the entire
intrusion detection system inoperable, according to the site, and
(2) three examples of failure to properly search personnel
entering the protected area, which NRC concluded could reduce the
overall effectiveness of the protective strategy by allowing the
uncontrolled introduction of weapons or explosives into the
protected area. According to NRC, the licensees at these two
sites, as well as at the other sites where NRC inspection reports
noted other problems, took immediate corrective actions.
NRC has made a number of improvements to the force-on-force
inspection program, several of which address recommendations we
made in our September 2003 report on NRC's oversight of security
at commercial nuclear power plants. We had made our
recommendations when NRC was restructuring the force-on-force
program to provide a more rigorous test of security at the sites
in accordance with the DBT, which was also under revision. For
example, we recommended that NRC conduct the inspections more
frequently at each site, use laser equipment to better simulate
attackers' and security officers' weapons, and require the
inspections to make use of the full terrorist capabilities stated
in the DBT. Actions NRC has taken that satisfy these
recommendations include conducting the exercises more frequently
at each site (every 3 years rather than every 8 years), and NRC so
far is on track to complete the first round of force-on-force
inspections on schedule, by 2007. Furthermore, NRC is using laser
equipment to simulate weapons, and the attackers in the
force-on-force exercise inspections that we observed used key
adversary characteristics of the revised DBT, including the number
of attackers, a vehicle bomb, a passive insider, and explosives.
Nevertheless, we identified issues in the force-on-force
inspection program that could affect the quality of the
inspections and that continue to warrant NRC's attention. For
example, the level of security expertise and training among
controllers-individuals provided by the licensee who observe each
security officer and attacker to ensure the safety and
effectiveness of the exercise-varied in the force-on-force
inspections we observed. One site used personnel with security
backgrounds while another site used plant employees who did not
have security-related backgrounds but who volunteered to help. In
its force-on-force inspection report for this latter site, NRC
concluded that the level of controller training contributed to the
uncertain outcome of the force-on-force exercises, which resulted
in NRC's conducting a second force-on-force inspection at the
site.
Furthermore, we noted that the force-on-force exercises end when a
site's security force successfully stops an attack. Consequently,
at sites that successfully defeat the mock adversary force early
in the exercise scenario, NRC does not have an opportunity to
observe the performance of sites' internal security-that is, the
strategies sites would use to defeat attackers inside the vital
area. When we raised this issue, NRC officials appeared to
recognize the benefit of designing the force-on-force inspections
to test sites' internal security strategies but said that doing so
would require further consideration of how to implement changes to
the force-on-force inspections. Based on our observations of three
force-on-force inspections, other areas where NRC may be able to
make further improvements included the following:
o ensuring the proper use of laser equipment;
o varying the timing of inspection activities, such as the
starting times of the mock attacks, in order to minimize the
artificiality of the inspections;
o ensuring the protection of information about the planned
scenarios for the mock attacks so that security officers do not
obtain knowledge that would allow them to perform better than they
otherwise would; and
o providing complete feedback to licensees on NRC inspectors'
observations on the results of the force-on-force exercises.
Mr. Chairman, this completes my prepared statement. I would be
happy to respond to any questions you or the other Members of the
Subcommittee may have at this time.
For further information about this testimony, please contact me at
(202) 512-3841 (or at [email protected]). Raymond H. Smith, Jr.
(Assistant Director), Joseph H. Cook, Carol Herrnstadt Shulman,
and Michelle K. Treistman made key contributions to this
testimony.
The Government Accountability Office, the audit, evaluation and
investigative arm of Congress, exists to support Congress in
meeting its constitutional responsibilities and to help improve
the performance and accountability of the federal government for
the American people. GAO examines the use of public funds;
evaluates federal programs and policies; and provides analyses,
recommendations, and other assistance to help Congress make
informed oversight, policy, and funding decisions. GAO's
commitment to good government is reflected in its core values of
accountability, integrity, and reliability.
The fastest and easiest way to obtain copies of GAO documents at
no cost is through GAO's Web site ( www.gao.gov ). Each weekday,
GAO posts newly released reports, testimony, and correspondence on
its Web site. To have GAO e-mail you a list of newly posted
products every afternoon, go to www.gao.gov and select "Subscribe
to Updates."
The first copy of each printed report is free. Additional copies
are $2 each. A check or money order should be made out to the
Superintendent of Documents. GAO also accepts VISA and Mastercard.
Orders for 100 or more copies mailed to a single address are
discounted 25 percent. Orders should be sent to:
U.S. Government Accountability Office 441 G Street NW, Room LM
Washington, D.C. 20548
To order by Phone: Voice: (202) 512-6000 TDD: (202) 512-2537 Fax:
(202) 512-6061
Contact:
Web site: www.gao.gov/fraudnet/fraudnet.htm E-mail:
[email protected] Automated answering system: (800) 424-5454 or
(202) 512-7470
Gloria Jarmon, Managing Director, [email protected] (202) 512-4400
U.S. Government Accountability Office, 441 G Street NW, Room 7125
Washington, D.C. 20548
Paul Anderson, Managing Director, [email protected] (202)
512-4800 U.S. Government Accountability Office, 441 G Street NW,
Room 7149 Washington, D.C. 20548
Background
NRC's Process for Revising the DBT Was Generally Logical and Well Defined, but
Some Changes Were Not Clearly Linked to an Analysis of the Terrorist Threat
NRC's Process for Revising Its DBT Was Generally Logical and Well Defined
3In this report, "terrorist cell" refers only to terrorists who
participate in an attack, not those who support but do not participate in
an attack.
4For further information on the DOE DBT, see GAO, Nuclear Security: DOE's
Office of the Under Secretary for Energy, Science and Environment Needs to
Take Prompt, Coordinated Action to Meet the New Design Basis Threat,
GAO-05-611 (Washington, D.C.: July 15, 2005); and Nuclear Security: DOE
Needs to Resolve Significant Issues before It Fully Meets the New Design
Basis Threat, GAO-04-623 (Washington, D.C.: Apr. 27, 2004).
Changes to the Threat Assessment Staff's Initial Recommendations Were Not
Clearly Linked to an Analysis of the Terrorist Threat
5The NRC staff submitted their final draft DBT to the commissioners for
their review and approval in April 2003, together with a summary of
stakeholder comments.
Nuclear Power Plants Made Substantial Changes to Their Security to Address the
Revised DBT, but NRC Inspections Have Uncovered Problems
6The owner-controlled area refers to the land and buildings within the
site boundary that the owner can limit or allow access to for any reason.
The protected area is within the owner-controlled area and requires a
higher level of access control. The vital area contains the sites' vital
equipment, the destruction of which could directly or indirectly endanger
public health and safety through exposure to radiation.
NRC Has Significantly Improved the Force-on-Force Inspection Program, but
Challenges Remain
GAO Contact and Staff Acknowledgments
(360681)
This is a work of the U.S. government and is not subject to copyright
protection in the United States. It may be reproduced and distributed in
its entirety without further permission from GAO. However, because this
work may contain copyrighted images or other material, permission from the
copyright holder may be necessary if you wish to reproduce this material
separately.
GAO's Mission
Obtaining Copies of GAO Reports and Testimony
Order by Mail or Phone
To Report Fraud, Waste, and Abuse in Federal Programs
Congressional Relations
Public Affairs
www.gao.gov/cgi-bin/getrpt? GAO-06-555T .
To view the full product, including the scope
and methodology, click on the link above.
For more information, contact Jim Wells at (202) 512-3841 or
[email protected].
Highlights of GAO-06-555T , a testimony before the Subcommittee on
National Security, Emerging Threats, and International Relations,
Committee on Government Reform, House of Representatives
April 4, 2006
NUCLEAR POWER
Plants Have Upgraded Security, but the Nuclear Regulatory Commission Needs
to Improve Its Process for Revising the Design Basis Threat
The nation's commercial nuclear power plants are potential targets for
terrorists seeking to cause the release of radioactive material. The
Nuclear Regulatory Commission (NRC), an independent agency headed by five
commissioners, regulates and oversees security at the plants. In April
2003, in response to the terrorist attacks of September 11, 2001, NRC
revised the design basis threat (DBT), which describes the threat that
plants must be prepared to defend against in terms of the number of
attackers and their training, weapons, and tactics. NRC also restructured
its program for testing security at the plants through force-on-force
inspections (mock terrorist attacks). This testimony addresses the
following: (1) the process NRC used to develop the April 2003 DBT for
nuclear power plants, (2) the actions nuclear power plants have taken to
enhance security in response to the revised DBT, and (3) NRC's efforts to
strengthen the conduct of its force-on-force inspections. This testimony
is based on GAO's report on security at nuclear power plants, issued on
March 14, 2006 (GAO-06-388).
What GAO Recommends
In its March 2006 report, GAO recommended that NRC improve its process for
making changes to the DBT and evaluate and implement measures to further
strengthen its force-on-force inspection program.
NRC revised the DBT for nuclear power plants using a process that was
generally logical and well-defined. Specifically, trained threat
assessment staff made recommendations for changes based on an analysis of
demonstrated terrorist capabilities. The resulting DBT requires plants to
defend against a larger terrorist threat, including a larger number of
attackers, a refined and expanded list of weapons, and an increase in the
maximum size of a vehicle bomb. Key elements of the revised DBT, such as
the number of attackers, generally correspond to the NRC threat assessment
staff's original recommendations, but other important elements do not. For
example, the NRC staff made changes to some recommendations after
obtaining feedback from stakeholders, including the nuclear industry,
which objected to certain proposed changes, such as the inclusion of
certain weapons. NRC officials said the changes resulted from further
analysis of intelligence information. Nevertheless, GAO found that the
process used to obtain stakeholder feedback created the appearance that
changes were made based on what the industry considered reasonable and
feasible to defend against rather than on what an assessment of the
terrorist threat called for.
Nuclear power plants made substantial security improvements in response to
the September 11, 2001, attacks and the revised DBT, including security
barriers and detection equipment, new protective strategies, and
additional security officers. It is too early, however, to conclude that
all sites are capable of defending against the DBT because, as of March
30, 2006, NRC had conducted force-on-force inspections at 27, or less than
half, of the 65 nuclear power plant sites.
NRC has improved its force-on-force inspections-for example, by conducting
inspections more frequently at each site. Nevertheless, in observing three
inspections and discussing the program with NRC, GAO noted potential
issues in the inspections that warrant NRC's continued attention. For
example, a lapse in the protection of information about the planned
scenario for a mock attack GAO observed may have given the plant's
security officers knowledge that allowed them to perform better than they
otherwise would have. A classified version of GAO's report provides
additional details about the DBT and security at nuclear power plants.
*** End of document. ***