Danielle Brian, Executive Director
Project On Government Oversight (POGO)
Inadequate Security at Nuclear Power Plants
Senate Environment and Public Works Committee
Wednesday June 5, 2002
Mr. Chairman and Members of the Committee, POGO first began investigating security at nuclear facilities over sixteen months ago. We are an investigative organization that works with insiders in order to improve public policy. We have neither a pro- nor an anti-nuclear agenda. We began investigating the Department of Energy=s (DOE) nuclear weapons facilities because more than a dozen insiders B current and former DOE and contractor security officials, contractors with military experience who test and evaluate the security at these facilities, and members of various guard forces B came to us with grave concerns regarding inadequate security pre-September 11.
Just prior to September 11, we completed our report AU.S. Nuclear Weapons Complex: Security at Risk,@ concluding that our nation=s ten nuclear weapons facilities, which house nearly one thousand tons of weapons-grade plutonium and highly-enriched uranium, regularly fail to protect this material from mock terrorist attacks. Once security became a national priority, we briefed these alarming findings with the National Security Council, the Office of Homeland Security, the Pentagon Nuclear Command and Control staff, the staff of the Scowcroft End-to-End Review, the Office of Management and Budget, numerous Congressional Committees and Members, and at Rep. Chris Shays= request, the General Accounting Office.
Because of this work, guards from commercial nuclear power plants across the country began contacting POGO with similar concerns about inadequate security at the plants where they work. In April, POGO accompanied a group of nuclear power plant security guards to brief a dozen Congressional offices and Committee staff about their first hand concerns. We then began working with current and former Nuclear Regulatory Commission (NRC) security officials and contractors with military capabilities who test and evaluate security at commercial reactors. These people echo the same concerns about ongoing inadequate security at commercial nuclear power plants.
My testimony is based on the information and documents gathered from these insiders. Again, I believe it is important to emphasize that our sources of information are not Aanti-nuclear.@ In fact, most of them have worked in the nuclear energy field for most of their adult lives. We applaud the sponsors of Senate Bills 1586 and 1746, the ANuclear Security Act,@ for several important provisions contained in these bills.
The Design Basis Threat
Nuclear facilities are required to protect against a specified level of threat (known as the Design Basis Threat or DBT) from outside attackers and inside conspirators using a specific set of weapons. NRC=s current DBT is wholly inadequate and must be made more realistic. According to published sources including U.S. News and World Report, the NRC=s DBT requires protection against only three outside attackers with the help of one passive insider. This is absurd given the 19 terrorists involved in the highly coordinated, technologically advanced September 11 attack.
Rumors are that DOE will increase its DBT to approximately ten outside attackers and significantly upgrade the weaponry and tools that adversaries can be expected to use in an attack. However, although some in NRC have also recommended an increase to its DBT, there seems to be resistance within the senior ranks of the NRC to committing to making these improvements. There appears to be no justification for the NRC to have a less robust DBT for nuclear power plants than DOE has for nuclear weapons facilities. A successful attack on either a nuclear power plant or weapons facility would cause unfathomable damage to surrounding populations. We believe that the provisions in the ANuclear Security Act@ for a new and significantly upgraded DBT are absolutely essential.
In addition to the inadequate number of attackers to be protected against, the current DBT does not require protection against some of the most dangerous weapons that are available on the open market today, such as 50 caliber API sniper rounds that can penetrate hardened guard posts and vehicles, nor do they use simulated chemical or biological agents that would require the guard force to be trained with gas masks. Furthermore, performance tests do not employ diversionary tactics that are likely to be used during an attack, such as remote controlled explosives. POGO agrees with the Nuclear Security Act=s provisions that the new DBT include enhanced requirements for more realistic weapons, explosives, tools, and tactics, as well as more outside attackers and active inside collaborators.
Though the DBT is severely inadequate compared to what we now recognize as the threat, half the nuclear power plants cannot even protect against this current standard of three outside attackers. David Orrik, the head of the Operational Safeguards Response Evaluation (OSRE) program, testified before the House Commerce Committee on April 11, that in 46 percent of the force-on-force security tests:
Athe expert NRC team identified a significant weakness B significant being defined as the adversary team simulating sabotaging a target set, which would lead to core damage and in many cases, to a probable radioactive release. It is important to note that, even with adequate time for the plants to prepare and make themselves ready for the OSRE, that 46% still had a weakness in armed response.@
Let me caution the Committee B these tests are seriously dumbed down to favor the guard forces. The utilities are informed of an upcoming test six to ten months in advance giving them plenty of time to prepare, the guards are usually aware of the attack scenarios, the mock terrorists are allowed to be made up of the utilities= own management staff, and the weapons used in the tests are not nearly as dangerous as those that can easily be found on the open market.
Despite their clear artificiality and imperfections that favor the guard forces, force-on-force performance tests are still the best test of the performance of a guard force in protecting key targets at a nuclear facility. This is the key issue that cannot be forgotten B can the guard force protect the
integrity of the reactor and the spent fuel pools from a suicidal terrorist attack? The statistics say no. How much worse would those statistics be if the DBT accurately represented the very real and sophisticated threat we know we are now facing?
The mindset of both the utilities and the NRC is far too compliance-oriented B rather than performance tested. Our security guards are regularly told that security upgrades are unnecessary because the utility is already in Acompliance@ with NRC regulations. In other words, if a checklist of requirements for detection, delay, and response is met B to include such items as a double-fence, alarms, a certain number of guards B the facility is deemed secure. However, performance tests repeatedly reveal that despite this Acompliance@ with requirements, physical security and the guard forces cannot stop terrorists from causing catastrophic damage to the reactor. This institutionalized bureaucratic complacency may be the biggest impediment to adequate security.
A post-September 11 example of this phenomenon is that armed guards are now required to accompany all visiting trucks coming onto the site. We are told, there is often no extra guard available, and therefore, a guard is required to leave his post uncovered to accompany the truck. In these cases, the facility may be in compliance with this new requirement, yet guards are concerned that there is a hole in their defensive posture.
Spent Fuel Pools are Security=s Poor Stepchild
The NRC has never tested a power plant guard force=s ability to protect spent fuel pools B possibly the prime target of a terrorist attack. In October of 2000 the NRC started to recognize the problem of spent fuel fires in a study of the effects of accidents. However, in 100 pages of analysis, they never considered sabotage by terrorists. The NRC needs to create a target/assets list prioritized by importance.
Several spent fuel pools at nuclear power plants across the country are only 50 yards from the double fence line. In a terrorist attack, the initial strike would likely be extraordinarily violent, fast, and with a significant level of human carnage. According to Sandia National Lab=s ABarrier Technology Handbook,@ it is estimated that a terrorist could penetrate the fence line and breach a door or side of a secured building in less than 60 seconds. We encourage the NRC to immediately recognize spent fuel pools as a primary terrorist target.
We have been advised by military Special Forces sources of specific and obvious vulnerabilities at most nuclear power plants that I would be happy to discuss with Senators or staff. I am uncomfortable, however, outlining them in public testimony.
To explain in general terms, a certain type of explosive, which a terrorist could carry on his back, would allow him to blow a sizeable hole in the reinforced concrete bottom or wall of the spent fuel pool. At nuclear plants that have boiling water reactors (BWR) B about one-third of the existing
reactors are BWRs B things could be even worse. These reactors have the spent fuel pools above ground. In these cases, a certain kind of explosive could even be launched from outside the fence line
into the side of the pool. According to an unclassified study by Brookhaven National Lab, under certain conditions, the pool would start draining immediately, which could result in the immediate release of high-levels of radiation, quickly turning into an uncontrolled radioactive fire, and the plant could do nothing effective about it.
The Nuclear Security Act does require a plan to increase security of these spent fuel pools. In the meantime, we would encourage the addition of barriers and delay mechanisms to supplement security until the spent fuel is placed in dry casks underground.
Inadequate Training and Weaponry
Guards from several of the power plants have registered complaints with POGO about inadequate training as well. For example, one facility hired a new class of guards after September 11. The vast majority of the new recruits had never fired a gun before. During their training, they were limited to firing 96 rounds with their handgun, and far fewer with their shotguns. Two guards quit after two months on the job believing they couldn=t protect the plant in the case of a terrorist attack. They told POGO, and other guards have admitted to NRC inspectors, that their training is so inadequate, in the face of a real terrorist attack, many guards would use their guns simply to protect themselves while they escaped from the plant. Other guards with decades of experience protecting nuclear power plants bemoaned the lack of training outside the classroom, as well as the lack of modern tactical training. For example, their firearms training requires only that they be capable of standing and hitting a stationary target 25 yards away B they have no training shooting on the run at a moving target.
Additionally, the guard forces at nuclear power plants are severely out-gunned. Even the NRC=s DBT assumes that attackers will be armed with automatic weapons and explosives, yet many guard forces around the country are equipped only with shotguns and revolvers. We understand that the NRC is working with the Committee on legislative language to address this discrepancy.
Security Tests: More Often and More Robust
NRC=s virtually defunct Operational Safeguards Response Evaluation (OSRE) program conducts force-on-force tests using mock attackers only once every eight years at each plant. According to the nuclear power plant security guards and NRC inspectors we have interviewed, this eight-year hiatus creates a woeful lack of focus on security between tests. According to the guards with whom we have been working, because the tests are announced so far in advance, the utility management has time to quickly invest in security training consultants to improve their posture and chances of success. The guards advise us that after OSRE force-on-force tests, th security posture regularly returns to a bare minimum.
POGO agrees with the Nuclear Security Act=s provision to require that such tests occur no less than every two years to ensure that heightened standards remain in effect. POGO additionally recommends that the utility only be given 24- to 36-hour notice and that the utility be required to freeze in place the guard force to be tested at the moment of notification, rather than being allowed to call in the youngest or most capable guards.
Currently, the mock terrorists and the attack scenarios to be tested are chosen by the utilities. The mock terrorists can be county or state police, the utility=s own training staff, or even their own utility management staff B the very people who have a stake in ensuring success. With all due respect to these people, and as genuine as they may be in trying to test the physical security of the facility, none of them are trained to have the mindset or skills of highly trained terrorists. POGO recommends the use of military Special Forces units that are already trained to act as the adversarial team in force-on-force tests.
According to the guards, they know within an hour or two when a test will take place and what part of the plant the mock terrorists will attack. They tell us that contrary to the full-page ads in the Washington Post and other newspapers, they do not normally wear flack jackets or their communications gear, nor do they carry their semi-automatic weapons. Sometimes, the guards are more than a football field=s distance away from their weapons and flack jackets. However, when the mock attack is about to take place, the guards are magically wearing their flack jackets and communications gear and have their weapons in hand. Even more troubling is the fact that, at one-third of nuclear power plants, the guards only have access to shotguns, and they are locked up at a central location. In case of a real attack, the guards would have to go to that location, unlock the cabinet, get their shotguns and protective gear, and return to their post. By that time, the terrorists would have achieved their goals and caused catastrophic damage. Ongoing, limited-scope performance tests should regularly be testing the timelines for terrorist access to critical components.
If the facility fails a performance test, the Nuclear Security Act requires re-testing every six months until it passes. We would recommend, immediately calling in a well-armed and trained National Guard unit as compensatory action to supplement security until the facility passes a new OSRE test.
We have learned from anti-terrorism experts that the worst enemy of any guard force is the daily grind of nothing happening. Guards are only human. A simple way to combat this problem is to add unannounced checks by the NRC to security testing. Fast food chains and the Postal Service frequently use a Amystery shopper@ to use a false ID or exploit some other weakness. Because the guards know a Amystery shopper@ may be in their midst at any time, they remain more alert. This would be a very low cost tool that would significantly supplement security.
We recognize that federalizing the security force is a contentious issue. POGO believes that the same goals can be accomplished through far more vigorous federal oversight, along with upgraded training, compensation, and authority granted to security forces.
Currently, security guards who are risking their lives are among the lowest compensated employees at many plants. Pay scales and first responder benefits for security forces, including life and disability insurance, should be commensurate with those accorded to local police and fire departments. We cannot expect our security guards to give their all when we do not fairly provide for them in the event that they are injured while performing this dangerous and important job. Also, people working at nuclear power plants, including NRC and utility employees as well as contractor and subcontractor employees, should be given whistleblower protections. In the current climate of fear and whistleblower retaliation, it has been our experience that people have been deterred from coming forward with important information that could help fix security problems. The Paul Revere Act, introduced in the House, and soon to be introduced in the Senate, would strengthen whistleblower rights and extend them to federal contractor employees.
We applaud the introduction of Senate Bill 1586 that recognizes that security forces do not have enough authority to carry out their mission. Currently, guards are prohibited from using deadly force unless an intruder wields a gun, or they feel their life or the life of someone else is in danger, in accordance with state law. In other words, if an attacker jumps over the fence with a backpack and runs towards the reactor building or spent fuel pool, the guard can only attempt to chase down the attacker. We have been told of an instance when an NRC inspector observed a guard follow a mock terrorist during a force-on-force drill as he destroyed critical target sets in the reactor complex. When asked why he wasn=t doing anything to stop him, the guard explained that he didn=t have the authority to shoot an intruder who was only destroying property. The NRC has been trying to resolve this conflict for years. This legislation must remedy this obvious failure.
Local law enforcement and first responders should also be given clearance to receive safeguard information so they can better coordinate emergency response plans. Currently, local law enforcement and first responders, in many cases, do not have adequate familiarity with the layout of critical areas of the plant that is necessary to respond to an emergency.
If there is any expanded role for the federal government, it should be providing independent oversight, rather than management of security. Robust and credible federal oversight is absolutely key to adequate security at both the nuclear power plants and nuclear weapons facilities. POGO has already recommended taking the security oversight function out of DOE, and we strongly recommend the same for NRC. NRC has historically been altogether too compliant with industry=s wishes. For example, recently agreeing to industry=s demands to replace OSRE with industry self-assessments of security was totally irresponsible. History has shown that the critical job of security oversight cannot be adequately performed from within these agencies. Therefore we suggest that a small independent Office of Nuclear Security be created, perhaps housed in the Office of Homeland Security, or perhaps as an independent agency reporting to the Congress and President. Its purpose would be to provide oversight over and test the security of both government and commercial nuclear facilities.
We would be happy to assist you and your staff as you work to refine these pieces of legislation, as well as making some of our inside sources available to you so that you can learn from their first-hand experiences.