Share This!
Text SizeAAA Share Email

Nuclear Plant Protection and Homeland Security

Dr. Edwin Lyman, a Senior Scientist in the UCS Global Security Program, prepared the following paper for a meeting of the Institute of Nuclear Materials Management in 2003.


Protection of U.S. critical infrastructure and hazardous facilities against terrorist attacks should be one of the fundamental missions of the new Department of Homeland Security (DHS).  Surprisingly, the Department's authority in this area is quite limited. Although the Homeland Security Act of 2002 creates a "Directorate of Information Analysis and Infrastructure Protection," the actual infrastructure protection activities of this division appear to be confined to conducting analyses, including vulnerability assessments and development of a comprehensive national plan. The DHS has no authority to actually implement the plan, but can only make recommendations "in coordination with other agencies of the Federal Government and in cooperation with State and local government agencies and authorities, the private sector, and other entities."

While development of a risk-informed, comprehensive plan for infrastructure protection is essential for a national strategy that apportions Federal resources appropriately and consistently across all sectors, the fact that DHS will have no power to implement and enforce its plan is problematic.  Agencies that now have regulatory authority for physical protection will continue to jealously guard their turf and are likely to remain resistant to DHS recommendations.

The Nuclear Regulatory Commission (NRC) is a good example. It has remained defiant in the face of widespread calls following the 9/11 attacks to significantly upgrade security requirements at nuclear power plants, arguing that nuclear plants are much better protected today than other hazardous facilities, such as EPA-regulated chemical plants.  The NRC opposed Congressional proposals to federalize nuclear plant security forces to standardize pay, benefits and training. The NRC has also refused to consider requiring measures to protect nuclear plants from 9/11-type airborne assaults, claiming that it is the responsibility of the Federal government, and not nuclear plant owners, to protect against "enemies of the United States."

These issues need to be evaluated in a government-wide review of how critical infrastructure should be protected in the post-9/11 era. DHS is the logical agency to conduct this review, but it must also be given the tools to overcome bureaucratic resistance. This paper discusses various mechanisms for a path forward that will genuinely increase public safety and security.


The shock with which Americans reacted to the September 11 attacks was a plain indication of the extent to which the United States had underestimated the severity of the terrorist threat to its critical infrastructure. The scale, the sophistication and the coordination of the al Qaeda assault shattered many long-held assumptions about the motivations and maximum credible capabilities of terrorists within the United States, calling into question the adequacy of physical protection and counterterrorism programs based upon these assumptions.[1]  Yet as horrific as the attacks on the World Trade Center and Pentagon were, attacks on other infrastructure targets—such as nuclear power plants and hazardous chemical facilities—have the potential to affect areas considerably beyond the attack site, causing significantly greater numbers of casualties and more severe economic and environmental impacts. In light of this threat, America's urban-industrial landscape, where hazardous facilities, densely populated areas, airports and major transportation routes are often situated in close proximity, now appears far more treacherous.   

Given the bewildering array of potential terrorist targets, there is a clear need for a systematic approach that can (1) classify targets according to attractiveness, vulnerability and consequences; (2) apportion physical security resources in order to achieve a uniform level of protection across the infrastructure; and (3) assess the effectiveness of protective measures against terrorist threats using a consistent methodology, such as "red-team" force-on-force exercises. Developing such an approach is one of the chief functions that was envisioned in the original White House proposal for the Department of Homeland Security, the Cabinet-level agency whose purpose is to reduce the vulnerability of US critical infrastructure to terrorist attack.[2]  However, this is easier said than done. Critical infrastructure protection today is provided by a hodgepodge of private security forces, state police, local law enforcement and the National Guard (when called to serve in its capacity as a state militia), the particular mix depending on the industry, state, region, threat level and available resources. Confidence in the effectiveness of these ad hoc security arrangements is more often based on qualitative judgment than rigorous testing or analysis. 

A particularly difficult task is the development of a method to quantify the consequences of attacks on different elements of the hazardous infrastructure and rank them with respect to severity. Consequence assessment is typically plagued with uncertainties and is unavoidably influenced by biases regarding the health and safety risks posed by nuclear power plants and other hazardous facilities. Also, the comparison and ranking of disparate health and safety endpoints from different types of facilities is a highly subjective exercise.

However, even if a logical approach for allocating security resources to each sector of the critical infrastructure could be developed, a mechanism for implementing such a plan does not now exist. To the extent that physical protection is regulated at all, the authority for a particular industry resides within the corresponding regulatory agency, and physical protection is typically executed by private security forces who report to site security managers. State governors can legally deploy the National Guard to augment protection at private sites, but there is little evidence that they are using this authority consistently from state to state or even within states. And there is no Federal force, civilian or military, that can be utilized to protect private infrastructure sites within the United States on a routine basis. The Posse Comitatus Act strictly limits the use of Federal armed forces in carrying out domestic law-enforcement activities, although Congress has enacted numerous exceptions (including one with a direct bearing on nuclear plant protection), and the law is currently under review. 

In creating the Department of Homeland Security (DHS), Congress gave DHS a mandate to coordinate an overhaul of the current regulatory patchwork of protection and establish a common framework across all sectors of the infrastructure.  However, Congress did not vest DHS with the authority that it would need to actually carry this daunting task through to completion.

The Homeland Security Act of 2002 creates a Directorate for Information Analysis and Infrastructure Protection that is tasked with the responsibility[3]

"(2) To carry out comprehensive assessments of the vulnerabilities of the key resources and critical infrastructure of the United States, including the performance of risk assessments to determine the risks posed by particular types of terrorist attacks within the United States (including an assessment of the probability of success of such attacks and the feasibility and potential efficacy of various countermeasures …).

(3) To integrate relevant information, analyses and vulnerability assessments (whether … provided or produced by the Department or others) in order to identify priorities for protective and support measures by the Department, other agencies [and] the private sector …

(5) To develop a comprehensive national plan for securing the key resources and critical infrastructure of the United States…

(6) To recommend measures necessary to protect the key resources and critical infrastructure of the United States in coordination with other agencies of the Federal Government and in cooperation with State and local government agencies and authorities, the private sector, and other entities."

Thus although DHS has the job of conducting and integrating vulnerability assessments across all sectors of the critical infrastructure, to be used in developing a comprehensive national protection plan, it can only make recommendations based on this analysis to other entities with real regulatory authority.  There is no statutory obligation for any other party to accept the recommendations of DHS.  DHS lacks the authority to issue legally binding orders and to enforce them through inspections and punitive actions, relegating its "infrastructure protection" function to an advisory role that other agencies are free to (and most likely will) ignore. 

Failing to provide DHS with this authority was not an inadvertent omission.  Earlier House and Senate versions of the Homeland Security Act (see, for example, S.2794) gave DHS the responsibility for "taking or seeking to effect necessary measures to protect the key resources and critical infrastructures in the United States," a provision that was watered down in the final version. 

The inability of DHS to enforce execution of its comprehensive national plan is a severe weakness in its founding statute.  Without such enforcement powers, DHS is not going to be able to overcome the bureaucratic resistance of the agencies with direct regulatory oversight of the critical infrastructure to intrusions on their turf. And without any budgetary authority, DHS will not have the resources to independently fund its plan. Thus the current, seat-of-the-pants approach to infrastructure protection is unlikely to be reformed unless DHS has a legal mandate not only to produce a plan but to fully implement it as well.

This paper will consider in particular the relationship between DHS and the Nuclear Regulatory Commission (NRC), which of all agencies regulating commercial facilities has the most fully developed regulatory structure for physical protection and therefore has the most to lose in a turf battle with DHS. 

Threats: Design Basis, Beyond Design Basis and Enemy of the State

DHS is the logical entity to address a deficiency in NRC's regulatory regime for the physical protection of commercial nuclear plants that has resulted in a serious gap in the current level of protection.  Resolution of this issue will require high-level interagency attention that it is not now receiving.

According to NRC regulations (10 CFR §73.55), NRC-licensed nuclear power plants must be provided with physical protection systems designed to protect against the design basis threat (DBT).  The DBT is a description of the characteristics of an adversary force seeking to cause a radiological sabotage event (or theft or diversion of special nuclear materials from Category I fuel cycle facilities).  Until recently, the DBT conformed to a set of very general, rather weak requirements (10 CFR §73.1), the majority of which were formulated in the late 1970s, based on what was believed to constitute a credible terrorist threat at the time.[4] 

The DBT is meant to characterize the threat posed by a subnational terrorist group.  At the other end of the spectrum, NRC regulations do not require nuclear plant licensees from having to protect their facilities from a military attack by a foreign power. The "enemy of the United States" provision, 10 CFR §50.13, exempts licensees from providing "design features or other measures for … protection against the effects of attacks and destructive acts, including sabotage, directed against the facility by an enemy of the United States, whether a foreign government or other person."

The original motivation for this provision was to allow NRC to license the Turkey Point nuclear plant in South Florida without requiring the plant to provide protection against a Cuban missile attack. The underlying considerations for this rule included "the impracticality, particularly in the case of civilian industry, of anticipating accurately the nature of enemy attack and of designing defenses against it" and "the settled tradition of looking to the military to deal with this problem and the consequent sharing of its burdens by all citizens." While this rule is somewhat ambiguous as written, it is clear from the statements of consideration that it was meant to apply to military attacks launched by foreign powers utilizing the resources available to a nation.  

While it follows from this discussion that NRC licensees are responsible for protecting nuclear plants from subnational groups, and the military is responsible for protecting them from attacks by the armed forces of enemies of the United States, the regulations are silent as to who is responsible for the range of threats in between these extremes. As a result, it is not immediately obvious where al Qaeda falls in this classification.  While al Qaeda is (or at least was prior to the Afghan war) as organized and well-financed as a foreign army, its operations do not resemble foreign military attacks as much as domestic terrorist attacks.  Compared to military assaults, al Qaeda attacks have involved relatively small numbers of participants (the September 11 attack squad was roughly equivalent to a single Army platoon), required only modest resources, and utilized non-conventional means such as infiltration of US flight schools and the hijacking of US commercial airplanes.  Since these means were all "readily available in a purely domestic context," application of the precedent established by NRC in implementing a vehicle bomb protection rule in 1994 would suggest that the "enemy of the United States" rule does not apply to these types of attacks.[5]

Resolving this issue has been one of NRC's primary preoccupations in its 20-month-long effort to update the DBT following the September 11 attacks.  The characteristics of the September 11 attacking force—19 members organized into four independent teams and utilizing commercial jets as weapons—far exceeded the 10 CFR §73.1 DBT both quantitatively and qualitatively.  However, NRC staff attempts to obtain Commission approval for a significant upgrading of the DBT after September 11 languished as a result of nuclear industry pressure to block costly new regulations and a raging debate concerning the extent to which NRC could strengthen the DBT without running into "enemy of the United States" limitations.[6]  In January 2003, NRC finally released a draft of proposed additional adversary characteristics for comment by industry, other government agencies and other "stakeholders" cleared for access to safeguards information. 

In response, one utility executive argued that al Qaeda is clearly an "enemy of the United States" because President Bush declared that the September 11 attacks were "acts of war," and implied that NRC's proposed revision to the DBT violated 10 CFR §50.13 because its underlying justification was the September 11 attacks.[7]  The industry as a whole, through its chief lobbying organization, the Nuclear Energy Institute (NEI), also invoked the "enemy of the United States" provision to oppose specific adversary characteristics, an argument NEI first used long before September 11.  Stephen Floyd, a vice president of NEI, said in written testimony to Congress in March 2003 that "the adversaries [in the draft DBT] are credited with weaponries and capabilities that even law enforcement forces cannot protect against ... the proposed changes would require the nuclear industry to defeat a highly sophisticated attack force that reasonably would be characterized as an attack by an enemy of the United States."[8] 

In contrast to the industry position, nearly all other federal agencies that reviewed the NRC's draft DBT—agencies with access to intelligence information about the character of the actual threat faced by nuclear power plants—apparently believed that the proposal was inadequate. According to NRC Commissioner Edward McGaffigan, Jr.,

"…every other federal agency that reviewed the staff's proposed DBT, other than the FBI, felt there could be additional attributes in the DBT, but all of them declined to help us on where the line should be drawn between the primary responsibility of a regulated private sector guard force and the primary responsibility of government … the agencies instead answered what the overall threat might be, and in my personal view covered their bets so that they could never be accused of underestimating terrorists …"[9]

At the end of April 2003, nearly 20 months after the September 11 attacks, the NRC finally issued orders superseding the regulatory DBT specified in 10 CFR §73.1.  According to the NRC, "the [new] DBT represents the largest reasonable threat against which a regulated private guard force should be expected to defend under existing law."[10] Since the revised DBT is not publicly available, there is no way for the public to know how the various criticisms of the draft DBT were reconciled in the finished product. However, there are some clues regarding the severity of the DBT in comparison with the September 11 threat. 

In a speech by NRC Commissioner McGaffigan shortly before the new DBT was issued, he said that "the 'enemy of the State' regulation … was not meant to be construed as widely as the industry attempts to do today."[11]  Although this statement implies that NRC did not wholly endorse the industry position, NEI's change in tone after the final DBT was issued was noticeable.  In May 2003, Lynnette Hendricks of NEI said that "what [NRC] put out is fairly reasonable."[12]

Later in the same speech, Commissioner McGaffigan said that the new DBT was not "Ed Markey's DBT," a reference to legislation proposed by Rep. Edward Markey (D-MA) that would have upgraded the DBT to a level commensurate with the September 11 threat—that is, one that considers at least 20 attackers, multiple coordinated teams, several insiders and aircraft attack. 

Therefore, even after nuclear plants have revised their security plans and procedures to take into account the new DBT by NRC's October 2004 deadline, they will not in a position to repel attacks by adversaries with capabilities commensurate with those of the September 11 terrorists, but only those adversaries that the industry thinks it can protect against without having to spend a lot of money.  This is not a "design basis threat" but a "funding basis threat"—a term the General Accounting Office (GAO) recently used in reference to a similar threat reassessment taking place for National Nuclear Security Administration (NNSA) sites.[13] 

The fact that other agencies refused to address the question of where NRC should draw the line between private and government responsibility is not surprising, since it is fundamentally an artificial distinction without any meaning outside of NRC's peculiar regulatory constraints. A more functionally useful standard for the DBT would be the threat that a nuclear plant should be prepared to defend against at any time and without prior warning, based on the intelligence community's best judgment (with Commissioner McGaffigan's skepticism duly noted).  This is because, in the absence of specific information leading to an elevation of the threat level, private security forces are going to be the only ones in a position to defend nuclear plants at all times.  To the extent that the new DBT falls short of this standard, there is a gap in security that leaves nuclear plants dangerously vulnerable.  Yet without an entity that has the authority to develop an interagency "best estimate" for the radiological sabotage DBT and to implement a plan to provide for adequate defenses, there is little hope that this security gap will be closed any time soon.

Who Will Protect Against Design Basis Threats?

With the NRC's new limits on the obligations of private security forces in place, the government, and ultimately U.S. taxpayers, are left saddled with the responsibility for addressing the remaining security shortfalls at nuclear plants.  This responsibility has largely fallen on the shoulders of state and local law enforcement agencies, already overburdened with other homeland security duties and not necessarily equipped and trained to deal with the threats that nuclear plant security forces are unwilling or unable to handle themselves. 

The National Guard has also been called up by some state governors to assist in the protection of nuclear power plants at times of heightened threat after September 11.  However, this has led to arbitrary and inconsistent protection.  For instance, when the nation's threat advisory system went to Code Orange in March 2003, the governor of Alabama deployed the National Guard to the Brown's Ferry plant, operated by the Tennessee Valley Authority (TVA).  However, the governor of Tennessee did not order a similar deployment to TVA's Watts Bar and Sequoyah plants, although the latter is situated just north of the Alabama border and arguably is as much of a threat to the state of Alabama as is Brown's Ferry.[14]  The likelihood that this deployment was based on any rational decision, such as specific threat information, is low. 

Deployment of the National Guard could be better coordinated nationwide if it were called to Federal active duty, but it would then fall under the restrictions of the Posse Comitatus Act, as would domestic deployment of other Federal armed forces such as the Army or Marines.[15]  The Act would generally preclude these forces from carrying out law enforcement functions—that is, to play an active role in domestic defense of nuclear plants against any group short of a military power (e.g. an "enemy of the United States").

However, Congress passed an exemption to the Posse Comitatus Act in 1998 that could be interpreted as permitting the armed forces to provide nuclear plant protection under certain conditions.  Title 18, Section 831 of the US Code establishes penalties for the unlawful dispersal of nuclear byproduct material (defined as "any material containing any radioactive isotope created through an irradiation process"), and authorizes the use of military personnel in an "emergency situation" for conducting arrests, searches and seizures, and "such other activity as is incidental  … to the protection of persons and property" from conduct that violates this section.  In the provision, "emergency situation" is a circumstance (a) that poses a serious threat to the interests of the United States and (b) in which the law could not be enforced by civilians alone. Since successful sabotage of a nuclear power plant would certainly constitute unlawful dispersal of nuclear byproduct material, one can envision situations where this provision could be invoked to allow military defense of nuclear power plants. But it is unlikely that this provision could be interpreted to permit such defense to take place on a routine basis. Ultimately, Congress will have to determine the extent to which the Posse Comitatus Act should be modified to permit the armed forces to take part in defending domestic critical infrastructure against threats that fall short of an actual foreign invasion or domestic armed insurrection.

If the armed forces cannot legally provide routine protection against beyond-design-basis threats in the absence of war, the government will need to develop another mechanism to provide such protection.  Various Congressional proposals have been floated since September 11 to address this problem, but none were entirely satisfactory and none have become law. One proposal called for federalizing nuclear plant security forces (modeled after the federalization of airport security screeners after September 11). This could result in greater consistency from site to site, as well as standardized and improved training, pay and benefits for private security officers. A federalized guard force would also be able to provide greater flexibility to adjust its strength rapidly to changes in the threat level. However, the bill would have made the Federal guards NRC employees, which was not the best solution. This proposal was dropped in the face of vehement opposition from NRC and NEI.  A later version of the bill proposed the establishment of Federal counterterrorism teams that would be deployed at nuclear plants during times of increased threat, but this approach would only work if timely and accurate advance warning of an attack could be assured. The most recent version of this legislation fails to substantively address the issue at all. 


In order to ensure that U.S. nuclear plants are provided with adequate protection against terrorist attack, Congress should give the Department of Homeland Security the authority to:

1.  Oversee an interagency effort to define the maximum credible terrorist threat to nuclear plants, based on intelligence information and not financial or practical considerations;

2.  Assess the extent of the need for Federal resources, to supplement, replace or train private security forces at nuclear plants. This assessment should consider issues such as the sufficiency of the new NRC DBT in relation to the actual threat; the capability of industry to provide adequate and consistent training, pay and benefits to private guard forces; the capacity of private security forces to adjust rapidly to changes in the threat level; and the need for defenses against aircraft attack, which would almost certainly require operation by the armed forces or individuals with experience and highly specialized training; 

3.  Determine the best approaches for providing the needed Federal resources and identify the steps necessary for implementing them, such as amending the Posse Comitatus Act; creating a Federal force of civilian nuclear plant security officers; or developing a centralized training and certification program for private nuclear security guards; 

4.  Consult the American public about the degree to which it is willing to support the provision of Federal resources for the protection of private nuclear facilities, both in terms of the expenditure of tax dollars that would serve as a subsidy to the nuclear industry and in terms of the human resources required, such as an expansion of the armed forces to support homeland security duties; then determine the nuclear industry's share of responsibility for physical protection based on what the U.S. taxpaying public, and not the industry itself, is willing to spend;

5.  Implement the plan; conduct "red team" force-on-force inspections to verify compliance; and take enforcement actions if necessary. 


1.  E. Lyman and A. Kuperman, "A Reevaluation of Physical Protection Standards for Irradiated HEU Fuel," Proceedings of the 24th International Meeting on Reduced Enrichment for Research and Test Reactors (RERTR)," Bariloche, Argentina, November 2002.

2.  White House Office of Homeland Security, "National Strategy for Homeland Security," July 2002, p. 15-19.

3.  H.R. 5005, Homeland Security Act of 2002, Title II, "Information Analysis and Infrastructure Protection, Subtitle A, Sec. 201(d). 

4.  Lyman and Kuperman (2002), op cit.

5.  U.S. Nuclear Regulatory Commission, "Georgians Against Nuclear Energy (GANE) Brief in Response to CLI-02-04 Regarding NEPA Requirement to Analyze Insider Sabotage and Malevolent Acts for [the] Plutonium Fuel (MOX) Factory at Savannah River Site," February 27, 2002. 

6.  D. Hirsch, D. Lochbaum and E. Lyman, "The NRC's Dirty Little Secret," Bulletin of the Atomic Scientists, May/June 2003, p. 44. 

7.  C.W. Mueller, Ameren Corporation, "Adversary Attributes for Radiological Sabotage," letter to R. Zimmermann, NRC, February 14, 2003.

8.  Jeff Beattie, "Nuke Industry Protests NRC Security Plan," Energy Daily, March 20, 2003.

9.  NRC Commissioner Edward McGaffigan, personal communication, May 16, 2003.

10. US NRC, letter from Chairman Nils Diaz to Senator Chuck Hagel, May 9, 2003.

11.  NRC Commissioner Edward McGaffigan, Jr., Remarks to the 2003 NRC Regulatory Information Conference (RIC), April 17, 2003. 

12.  Jim Morris, Dallas Morning News, May 20, 2003.

13. General Accounting Office, "Nuclear Security:  DOE Faces Security Challenges in the Post September 11, 2001, Environment," statement of Robin S. Nazarro before the Subcommittee on National Security, Emerging Threats and International Relations, House Committee on Government Reform, June 24, 2003. 

14. Council of State Governments, Trends Alert: Emerging Issues Summary, March 2003, p. 13;

15. John R. Brinkerhoff, "The Posse Comitatus Act and Homeland Security," Journal of Homeland Security (2002). 

Powered by Convio
nonprofit software