STATEMENT OF DAVID LOCHBAUM,
NUCLEAR SAFETY ENGINEER,
UNION OF CONCERNED SCIENTISTS
JUNE 5, 2002
On behalf of the Union of Concerned Scientists (UCS), it is my pleasure to appear before the Committee and express our support for both S.1586 and S.1746. We believe that these bills, if enacted, would significantly reduce the risk of radiological sabotage by lessening the probability that attempted sabotage will be successful and by lessening the consequences should sabotage be successful despite all protective measures.
My name is David Lochbaum. After obtaining a degree in nuclear engineering from The University of Tennessee in 1979, I worked more than 17 years in private industry, most of that time at operating nuclear power plants in Georgia, Alabama, Mississippi, Kansas, New Jersey, and Pennsylvania. I have been the Nuclear Safety Engineer for UCS since October 1996. UCS, established in 1969 as a non-profit, public interest group, seeks to ensure that all people have clean air, energy and transportation, as well as food that is produced in a safe and sustainable manner. UCS has worked on nuclear plant safety issues for nearly 30 years.
Some representatives of the nuclear industry claim that nuclear power plants are such hardened structures as to be virtually immune from attack. Other industry representatives assert that even a successful attack would not endanger the American public because radioactive material released from the sabotaged nuclear plant would so diluted within five miles as to preclude the need for either sheltering or evacuation. There would be no need for the security upgrades specified in the proposed legislation if either of these claims were valid.
Compelling circumstantial evidence creates more than reasonable doubt for the veracity of the industry's claims. Force-on-force tests of nuclear plant security administered by the Nuclear Regulatory Commission (NRC) since 1991 consistently demonstrated security capabilities below NRC’s minimum expectations nearly half of the time. Nuclear plants cannot be considered immune from attack when security forces, given up to six months advance warning of the precise test date, are unable to prevent simulated reactor core damage from a very, very small band of mock attackers. On at least two recent occasions, a single mock intruder successfully simulated the destruction of the equipment needed to cool the reactor. Nuclear plants cannot be considered immune from attack when security forces are unable to prevent a lone saboteur from triggering a reactor meltdown. In the past two years, I have attended numerous NRC public meetings where industry representatives contended that poor performance on a security test would not have occurred had an armed guard not taken a wrong turn while rushing to his or her response position. Again, nuclear plants cannot be considered immune from attack when a single mistake by a single guard means the difference between successful defense and reactor sabotage.
With respect to the potential consequences from the successful attack on a nuclear plant, the industry’s actions speak much louder than its rhetoric. If it were even close to being true that radioactivity releases would not endanger people living five miles or more away, then it would also be true that the nuclear power industry would not need federal liability protection. Representatives of the nuclear power industry testified before the Congress that the Price-Anderson Act needed to be renewed for existing plants and expanded to cover any new nuclear plants that are built. The industry’s need for Price-Anderson protection is an implicit concession that the offsite consequences from a nuclear plant accident/attack could be extremely serious.
It is our steadfast position that US nuclear plants are vulnerable to attack and that the consequences from a successful attack could be dire. It is further our position that all reasonable measures must be taken to lessen this risk. The proposed legislation in S.1586 and S.1746 represents reasonable steps that would reduce the probability of a successful attack and reduce the consequences following a successful attack. Thus, we support both bills and hope they become law.
Operation Safeguards and Response Unit
While all provisions of both bills have merit, the most valuable portion of the proposed legislation is Section 4 of S.1746 (the Nuclear Security Act of 2001). This section would amend Section 204 of the Energy Reorganization Act of 1974 (42 U.S.C. 5844) to create an Operation Safeguards and Response Unit within the NRC. Subsection (d)(3)(B) of the amended act requires the NRC to conduct force-on-force testing at each nuclear plant at least once every two years. Force-on-force tests are the best measure of the integrated capability of security fences, locked doors, intrusion detection equipment, access control barriers, and armed guards to defend the plant from attempted sabotage. Absent such performance demonstrations, security must be evaluated via piece-meal audits of the various physical protection elements.
How do teachers evaluate their students’ academic performance? Do they use a checklist to verify that students attend classes with textbooks, pencils, paper, and calculators? No, they use tests that demonstrate their students’ capabilities. Textbooks and class attendance are the pathway to knowledge while tests are the best measure of progress along that pathway. Likewise, security checklists show that a nuclear plant has gates, guards, and guns, but they provide little insight on how far the plant has progressed along the pathway to adequate security. Force-on-force tests demonstrate whether the desired performance objective of adequate security has been achieved. Frequent demonstration of adequate security performance is invaluable.
The NRC initiated force-on-force testing in 1991. Due to resource constraints, the NRC only tested each nuclear plant about once every eight years. UCS heard from many NRC staffers and nuclear plant workers that security capabilities ramped up at some nuclear plants in advance of the force-on-force tests and rapidly declined shortly afterwards. More frequent testing levels out the peaks and valleys and assures more consistent security capabilities.
Legislation directing the NRC to conduct frequent force-on-force tests ensures that the agency has the budget necessary to administer the tests. In July 1998, resource allocation issues prompted the NRC to cancel force-on-force testing. The ensuing public outcry reversed the NRC’s decision with testing re-instituted in fall 1998. This legislation ensures that nuclear facility security tests are not discarded at the next budget crisis.
This legislation also ensures that testing of nuclear facility security remains in the NRC's hands where it belongs. The nuclear industry has been campaigning to conduct the security tests themselves and to evaluate their performance on the tests. Nuclear facility security is too important to permit the equivalent of take-home tests that are self-graded. The industry’s consistently poor performance on security tests since 1991 does not warrant self-assessment in this vital area.
The very nature of nuclear plant security does not lend itself to industry self-assessment. The nuclear industry has successfully employed self-assessment in other areas. For example, requalification of control room operators is conducted by plant owners subject to audit by the NRC. The standards employed by the plant owners and the audit reports issued by the NRC are all publicly available for perusal by people living near the facility and by public-interest groups like UCS. In addition, NRC inspection reports covering control room operator performance during routine operations and during transient conditions are publicly available. This transparency makes it harder for self-assessments to cover up poor performance.
Conditions are significantly different when it comes to nuclear plant security. For obvious reasons, the public does not have the same access to either security standards or NRC audit reports. This necessary opaqueness makes it easier for self-assessment to cover up poor performance. The NRC must retain control over nuclear plant security tests to protect the public against inadequate security being masked by the self-assessment process.
Subsection (d)(3)(F) of the amended act requires the NRC to submit an annual report on force-on-force testing results to the Congress and the President. This annual report facilitates oversight of this important public health issue. This report also provides the American public with the "big picture" it deserves regarding nuclear facility security. The anxiety level in America following 09/11 about potential vulnerabilities of nuclear facilities to terrorist attack would have been significantly lessened had the Federal government been able to point to the information in this annual report as tangible evidence of security preparedness. People living near nuclear facilities that had performed well on robust security tests conducted by NRC would take comfort in that knowledge. People living near nuclear facilities that had not performed so well on security tests would also benefit, albeit in a different way. Anxiety about abstract security concerns would be replaced by more focused concerns. The ensuing discussions about actions taken to compensate for and correct problem areas would allay anxiety faster than press releases about hardened facilities and lack of credible threats against specific nuclear facilities.
Subsection (d)(4) of the amended act requires NRC in conjunction with FEMA and other Federal, State, and local agencies to exercise response to a radiological emergency at each nuclear facility at least once every three years. Appendix E to 10 CFR Part 50 currently requires a full-scale exercise of the emergency response plan for each nuclear power plant at least once every two years. UCS believes that the key difference between the existing requirement in Appendix E to 10 CFR Part 50 and the intent of subsection (d)(4) is emergency response to an act of radiological sabotage. The exercises conducted to satisfy 10 CFR 50 Appendix E simulate nuclear accidents that cause releases of radioactivity to the air and water. The emergency response to radiological sabotage would be similar, but it might be more complicated. For example, Federal, State, and local resources might be more challenged following a sabotage event because of the need to also provide protection of other potential targets in the region. In addition, protective measures of securing bridges and tunnels might impede evacuation efforts. Therefore, it seems prudent and reasonable to periodically assess whether emergency response plans for nuclear facilities can also handle acts of sabotage.
Design Basis Threat
The second most valuable part of the proposed legislation is Section 3 of the Nuclear Security Act of 2001 which would amend Chapter 14 of the Atomic Energy Act of 1954 (42 U.S.C. 2201 et seq.) to add Section 170C, “Protection of Sensitive Nuclear Facilities Against the Design Basis Threat." Subsection (c)(1) requires the NRC to revise the design basis threat from its 1960s-vintage level to a more realistic level. The current design basis threat was promulgated by the NRC nearly 40 years ago and has not been substantively changed other than the addition of the vehicle bomb requirement in 1993/1994. [DAL1] Subsection (c)(1) requires the NRC, in consultation with the Assistant to the President for Homeland Security and other appropriate Federal, State, and local agencies to review the design basis threat every three years and revise it as applicable. Subsection (c)(2) requires the NRC to report to Congress on changes made to the design basis threat. These provisions ensure that the design basis threat remains at the Goldilocks' level — not too high, not too low, but just right.
Defining the design basis threat level appropriately is extremely important. The nuclear facility owner is responsible for protecting against an attack up to and including the design basis threat level. The Federal government is responsible for protecting the facility from larger threats. This division of responsibility is both necessary and practical. The owner of a nuclear power plant situated along our coasts cannot be expected to defend the facility against an enemy destroyer cruising offshore. Likewise, the Federal government cannot be expected to defend a privately owned nuclear power plant against sabotage by a handful of individuals or a small group of plant workers.
The initial upgrade of the design basis threat is warranted. Left unchanged, the current design basis threat requires the Federal government to protect Americans from radiological sabotage caused by a very small group of outside attackers or plant workers. It requires the Federal government to protect nuclear plants from a truck bomb of the size used by Timothy McVeigh in Oklahoma City. It's unrealistic to expect that the Federal government could adequately defend against such a small attacking force.
Subsections (d)(2)(B)(iv) and (d)(2)(B)(v) explicitly require security protection for spent fuel whether it is stored in wet-pools or dry casks. Highlighting the potential hazard from spent fuel, and the corresponding need for its protection, is very important. Since 1991, 0ver 300 force-on-force exercises have been administered by NRC at US nuclear power plants. None of those exercises ever tested the security protection for spent fuel. We are not suggesting that the spent fuel hazard is equivalent to the reactor hazard; rather that the spent fuel hazard is not negligible and must be appropriately protected. Thus, it is beneficial that this proposed legislation clearly establishes that the design basis threat applies to both the reactor and its spent fuel, thus making it more likely that both hazards will be adequately protected.
Potassium Iodide Stockpiles
Section 5 of the Nuclear Security Act of 2001 amends Section 170 of the Atomic Energy Act of 1954 (42 U.S.C. 2210) to require stockpiling of potassium iodide for the population with a 50-mile radius around each nuclear facility. The amendment additionally requires distribution plans to be developed to get the potassium iodide to people as expeditiously as possible in event of a nuclear accident/attack.
Potassium iodide does not provide immunity from all radioactivity that could be released following a nuclear accident/attack, but it does provide protection against thyroid damage caused by radioactive iodine (I-131). That potassium iodide has value is clearly demonstrated by the fact that it is distributed to nuclear plant workers and to Federal, State, and local personnel responding to the nuclear accident/attack. It would seem imprudent public policy not to provide equivalent protection for the innocent people living downwind of the facility.
According to the NRC, thirteen states currently stockpile potassium iodide for the people living within the emergency planning zone around nuclear power plants. The proposed legislation eliminates the inequity associated with some Americans being protected while many other Americans are not protected. The NRC protecting only some Americans makes about as much sense as the US Coast Guard requiring lifeboats on only some cruise ships. Given its low cost and long shelf life, it would seem exceedingly difficult for Federal, State, and local authorities to assure American victims that everything had been done to protect them from radiation if potassium iodide hadn't been stockpiled and distributed.
Consider the following hypothetical situation. State X has two operating nuclear power plants. Plant A is located in the northern part of the state while Plant B is in the southeastern corner of the state. State X has not stockpiled potassium iodide, while State Y on its eastern border has done so. A serious accident at Plant B releases large amounts of radiation to the air necessitating both sheltering and evacuations. Residents in State Y living within the emergency planning zone are also provided potassium iodide. Residents in State X living within the emergency planning zone do not receive potassium iodide.
In all likelihood, the post-mortem for this accident would cause potassium iodide to be stockpiled in State X for the people within the emergency planning zone around Plant A. Federal and State X authorities would have a very tough time explaining why the people in State Y received greater protection. Parents in State X will never know whether their children's thyroid illnesses might have been prevented had they just been given a dollar's worth of potassium iodide like their friends with healthy kids over in State Y received. Enacting the proposed legislation will prevent this hypothetical situation from becoming a tragic reality.
Expanding the potassium iodide inventory to cover a 50-mile radius rather than a 10-mile radius decreases the likelihood that affected people will not be protected. No matter where the line is drawn, the question will remain about people living at N+1 miles. The 50-mile radius seems to be a reasonable compromise. Even if conditions affect people 60 or 70 miles downwind, the 50-mile inventory makes it more likely that potassium iodide can be redirected from people living 40 to 50 mile upwind to affected people downwind.
Carrying of Firearms by Nuclear Facility Security Forces
Section 1 of S.1586 would amend Chapter 14 of Title I of the Atomic Energy Act of 1954 (42 U.S.C. 2201 et seq.) to replace subsection k with a subsection authorizing security guards to carry firearms. Another subsection would be added to authorize security guards to make arrests, subject to limitations, of persons committing felonies or reasonably believed to have committed felonies. This legislation ensures security guards are properly equipped and authorized to carry out their protective assignments.
Federalization of the Nuclear Security Force
Section 3 of the Nuclear Security Act of 2001 would amend Chapter 14 of the Atomic Energy Act of 1954 (42 U.S.C. 2201 et seq.) to add Section 170C, “Protection of Sensitive Nuclear Facilities Against the Design Basis Threat." Subsection (b)(1) requires NRC to employ the nuclear security force at sensitive nuclear facilities. This provision is our least favorite part of the proposed legislation. Our concern is in having the NRC responsible both for providing security and for assessing whether security is adequate. It would seem to create at least organizational tension if not an outright conflict-of-interest for the NRC staff to do both.
Federalization of the nuclear security force provides gains to offset the conflict-of-interest concern. For example, subsection (e)(2)(A) requires the NRC to establish minimum qualification standards for members of the nuclear security force. Currently, the qualification standards for security personnel are established by the plant owners or the companies they've contracted with for security. Consequently, there's a very wide range of "minimum" qualification standards.
There is also a wide range of working conditions for security guards at nuclear plants. Security guards at some plants have told me about good working conditions. They get fair compensation and benefits and receive good initial and follow-up training. They reported security staffing levels sufficient to permit adequate coverage of all posts and to avoid fatigue associated with chronic overtime. Unfortunately, I have also heard from security guards complaining about poor training, defective equipment, insufficient staffing levels, low pay, lack of medical benefits, and other factors contributing to bad morale. Federalization is unlikely to make all security guards content all the time, but it should serve to narrow the gap between the guard forces at facilities where management recognizes their importance and the guard forces at facilities where management views them as undesired financial drains.
The periodic force-on-force testing conducted by the NRC as proposed in Section 4 of the Nuclear Security Act of 2001 could achieve the same positive gain as would result from Federalizing the nuclear security force. Plant owners who currently undervalue their security guards would likely have to change that outlook in order to attain the required performance levels on the two-year force-on-force tests.
As detailed above, the proposed legislation contains many provisions that individually and collectively improve nuclear facility security. The only element potentially missing from the proposed legislation is adequate protection against insider sabotage. Subsection (c)(1)(A)(iv) of the proposed amendment to Chapter 14 of the Atomic Energy Act of 1954 (42 U.S.C. 2201 et seq.) outlined in Section 3 of the Nuclear Security Act of 2001 requires the NRC to revise the design basis threat to include several nuclear workers assisting in an attack. Subsection (b)(2) requires the NRC to “develop and implement a security plan for each sensitive nuclear facility to ensure the security of all sensitive nuclear facilities against the design basis threat.” UCS recommends that the Committee consider strengthening the proposed language by revising it to explicitly incorporate the following items, obtaining a firm commitment from the NRC to include these items as appropriate in the security plans, or providing clear guidance on expectations regarding these items in the Committee reports accompanying the bills:
ú Two-person rule for vital areas: Authorized individuals typically gain entry to vital areas within nuclear facilities using computerized access cards. An authorized individual could thus enter vital area(s) alone and tamper with safety equipment. Adoption of the two-person rule for vital area entry would eliminate the opportunity for a single person acting alone to attempt sabotage.
ú In-plant security cameras: The majority of security cameras in use today at nuclear facilities protect against unauthorized intrusion to the site. Fewer security cameras are deployed inside the facility to protect against sabotage. Installation of additional security cameras within the nuclear facility would provide greater protection against sabotage by workers.
ú Security guard accompanying visitors in vital areas: Under certain conditions, a single authorized individual can escort five visitors into vital areas without being accompanied by a security guard. These visitors have had no background investigations other than a perfunctory check using the social security numbers they provide. The potential exists for an insider to arrange for the external attackers to enter the facility as visitors and then escort them into vital areas. Requiring all visitors into vital areas to be accompanied by a security guard provides substantive protection against this threat.
ú 50.59 screenings for insider sabotage: 10 CFR 50.59 requires proposed modifications to nuclear facilities and planned changes to procedures to be reviewed for possible erosion of safety margins. Safety margin reductions must be approved in advance by the NRC. But these 50.59 screenings do not specifically require an evaluation of whether the changes provide insiders with greater opportunities for sabotage. For example, a temporary configuration during a refueling outage may reduce response time to less than that available when the plant is operating. The insider may elect to attempt sabotage during this vulnerable period. If this vulnerability was identified, it would be possible to compensate for it by posting a security guard by essential equipment during the temporary alignment. Requiring 50.59 screenings to explicitly assess insider sabotage provides substantive protection against this threat.
ú Compensation for longer testing/inspection intervals: In recent years, the NRC has allowed plant owners to lengthen the interval between tests and inspections of safety equipment. The reductions in testing/inspection frequencies have been justified using actual experience of component failure rates. Longer testing/inspection intervals—particularly when their schedules are readily available—provide insiders with ample opportunities to plan and execute a campaign of tampering with safety equipment over time with the aim of disabling all mitigating and containment systems when sabotage is ultimately attempted. These opportunities should be lessened by the NRC (a) recognizing that equipment tests and inspections also guard against sabotage and therefore intervals must not be solely based on observed failure rates, or (b) requiring random tests/inspections to be conducted if the intervals are solely based on observed failure rates.
ú Providing operators with anti-sabotage training: The NRC's Generic Fundamentals Examination Question Bank for boiling water reactor (BWR) operator license candidates has 959 pages of questions while the NRC's Generic Fundamentals Examination Question Bank for pressurized water reactor (PWR) operator license candidates has 977 pages of questions Not a single one of the literally hundreds of questions directly deals with how to defend the plant from an insider attempting radiological sabotage. Operator candidates receive classroom instruction and control room simulator training on how to cope with postulated pipe breaks, pump failures, and power outages. Licensed operators receive annual retraining on these subjects. Training operator candidates and licensed operators on how to respond to scenarios such as an insider attempting to take over the control room or an insider manipulating switches from the remote shutdown panel would supplement the skills they develop to handle non-sabotage emergencies.
In summary, UCS supports both S.1586 and S.1746 and hope that both bills become law. If only one part of the bills became law, we'd prefer that it be the part requiring the NRC to conduct force-on-force security tests at each nuclear facility at least once every two years. If only one part of the bills didn't become law, we'd least miss the part Federalizing the nuclear security forces.
Nuclear Safety Engineer
Union of Concerned Scientists