
Nuclear Reactor Security

The United States has 104 nuclear power plants[1] and 37 non-power reactors licensed to operate by the Nuclear Regulatory Commission (NRC). Another 20 nuclear power plants have been permanently shut down and are in various stages of decommissioning.[2] Federal regulations are intended to protect the public from harm caused by exposure to radioactive material released by sabotage of any US nuclear reactor. But Americans face undue risk because these security regulations are not consistently enforced and because the regulations underestimate the terrorism threat. Practical measures must be taken to reduce the sabotage risk.

What is the danger?

Nuclear reactors split uranium and plutonium atoms to produce energy. The majority of smaller atoms formed when atoms split are unstable. These unstable atoms emit radiation to become stable. Radiation is a health hazard because it can damage or destroy cells within the human body. Damaged cells can induce cancers years later or pass the damage along to future generations. Dead cells can trigger infections or incapacitate organ functions.

The primary concern is the fuel within the nuclear reactor and the spent fuel stored onsite after its removal from the nuclear reactor. The fuel, whether inside the nuclear reactor or not, must be cooled to prevent damage from overheating. If the fuel is damaged, government studies report that the radioactive material released from either the reactor[3] or the onsite spent fuel[4] can kill and injure tens of thousands of people living within 500 miles and render large regions uninhabitable for long periods.

What are the security regulations?

Existing security regulations are intended to protect against intentional fuel damage from (a) a small group of skilled and well-armed outsiders aided by one insider, (b) a single insider acting alone, and (c) a 4-wheel drive land vehicle bomb[5]. Collectively, these are termed the Design Basis Threat for nuclear reactors.

How is conformance with the security regulations verified?

Nuclear reactor owners are required, as an explicit condition of the operating license issued by the NRC, to follow all applicable regulations including the security regulations much as licensed drivers are required to adhere to the Motor Vehicle Code. Owners use security procedures augmented by internal audits to comply with the regulations. In addition, the NRC periodically conducts independent audits.

What are the force-on-force security tests?

The NRC began conducting force-on-force tests at operating nuclear power plants in 1991 with its Operational Safeguards Response Evaluation (OSRE) program. In an OSRE test, mock intruders challenge physical protection (i.e., intrusion detection systems, locked doors, etc.) as well as the security guard force. The mock intruders attempt to simulate disabling enough equipment to cause damage to the fuel in the nuclear reactor. The NRC conducts an OSRE test at each site about once every eight years.

The NRC will begin a pilot program of force-on-force tests administered by the nuclear plant owners themselves in November 2001. This Safeguards Performance Assessment (SPA) program calls for NRC-observed force-on-force tests to be conducted at each site once every three years.

What are the force-on-force security test results?

The NRC discontinued its OSRE program in 1998 after having tested only 57 of the 68 nuclear power plant sites. The OSRE tests at 27 of the 57 sites tested revealed significant weaknesses indicating "that a real attack would have put the nuclear reactor in jeopardy with the potential for core damage and a radiological release."[6]

The NRC reinstated its OSRE program later in 1998 due to the resulting outcry from the public and Capitol Hill. The results since reinstatement are similar: 6 of the last 11 OSRE tests conducted in 2000 and 2001 have resulted in the mock intruders successfully simulating disabling enough equipment to cause reactor damage.[7]

There are no SPA program results to report because the NRC has yet to observe a force-on-force test administered under this program.

What are the nuclear reactor security problems?

The existing security regulations do not provide adequate protection against known terrorist threat capabilities. For example, the regulations do not require protection against attacks by aircraft, boats, and trucks. In addition, the regulations assume that only a single insider will attempt sabotage. September 11th demonstrated that terrorists may devote the time and effort necessary to place more than one individual working at a nuclear reactor site.

The NRC does not use force-on-force tests to demonstrate security compliance at reactors that have permanently shut down and non-power reactors.

The NRC does not use force-on-force tests to demonstrate security compliance for spent fuel storage at operating reactors and reactors that have permanently shut down.

The NRC does not use force-on-force tests to demonstrate security compliance for operating reactors during outages when dozens of temporary workers, with minimal background checks, are allowed onsite. In addition, the defense-in-depth approach to safety is reduced during outages to sometimes only a single layer, making nuclear reactors more vulnerable to sabotage.

The NRC assumes that the mock intruders will be able to disconnect the nuclear power plant from its electrical grid because the transmission lines are unprotected outside the security fences. Yet the NRC does not use force-on-force tests to demonstrate security compliance for operating reactors under the lighting conditions that would be present. For example, UCS viewed the videotape of armed guards responding to four separate mock intrusions, including several conducted at night. None of the guards appeared to be equipped with a flashlight. Had the normal building lighting been extinguished, as it would be without offsite power, these security guards would have literally been left "in the dark."

For the past decade, the NRC force-on-force tests have revealed serious security problems at approximately half of the operating plant sites. The majority of plant sites have only been tested once. There's little assurance that sites failing an OSRE several years ago have adequate security today.

Existing security regulations require nuclear reactors to be protected from sabotage by an insider, either acting alone or in conjunction with a small band of outsiders. The NRC limits the role of the insider during its force-on-force tests to a passive function (i.e., providing the mock intruders with information). In reality, the insider could actively aid in the sabotage attack by mispositioning switches and disabling emergency systems.

The NRC assumes that its regulations governing access control and access authorization are fully effective in preventing sabotage by an insider. These regulations require background checks, drug and alcohol screening, and continuing behavior observation. But while background checks and the drug and alcohol screening have resulted in individuals being denied access or having their access privileges withdrawn, the continuing behavior observation has seldom, if ever, identified a potential problem. Thus, all individuals getting past the background checks and screenings have virtually unfettered ability to sabotage the nuclear reactor and spent fuel.

Existing regulations governing changes to nuclear reactor facilities and their operating procedures require prior NRC approval for changes that reduce safety margins.[8] But nuclear reactor owners routinely make changes without NRC approval even though they have not evaluated whether the proposed changes make it easier for insiders to carry out sabotage.

What should be done?

To date, the NRC has assumed that US nuclear reactors are so secure that sabotage would not be attempted. That assumption, if ever proven wrong, provides little protection to Americans living downwind of the target.

Instead, the NRC should assume that sabotage at US nuclear reactors will someday be attempted and take all reasonable measures to both prevent and mitigate successful attacks. UCS recommends that the NRC take the following steps in the short term:

Conduct OSRE tests at all operating nuclear power plants, reactors that have permanently shut down with onsite spent fuel storage, and non-power reactors. The OSRE tests must be expanded to include spent fuel as a sabotage target. The OSRE tests must account for an active role by multiple insiders. The frequency of the OSRE tests must be no less than once every four years. The OSRE tests must be administered by NRC headquarters rather than by its regional offices to ensure consistent quality.

Require all nuclear reactor owners to formally evaluate the risk of sabotage by an insider when they make physical modifications to facilities and revise procedures.

Revise the design basis threat to include attacks by aircraft, boats, and trucks and ensure that all nuclear reactors are adequately protected against the revised design basis threat.

Require potassium iodide (KI) to be readily available for people living in the vicinity of all nuclear reactors. This step ensures that people are protected to the fullest extent possible in the event of a successful sabotage attack against a nuclear reactor.

[1] This includes Browns Ferry Unit 1 in Alabama that is licensed to operate but has not done so since March 1985.

[2] Nuclear Regulatory Commission, Information Digest, 2000.

[3] United States House of Representatives, Committee on Interior and Insular Affairs, Subcommittee on Oversight & Investigations, "Calculation of Reactor Accident Consequences (CRAC2) for U.S. Nuclear Power Plants (Health Effects and Costs) Conditional on An SST1 Release," November 1, 1982.

[4] R. J. Travis, R. E. Davis, E. J. Grove, and M. A. Azarm, Brookhaven National Laboratory, NUREG/CR-6451, "A Safety and Regulatory Assessment of Generic BWR and PWR Permanently Shutdown Nuclear Power Plants," August 1997, and Nuclear Regulatory Commission, "Technical Study of Spent Fuel Pool Accident Risk at Decommissioning Nuclear Power Plants," October 2000.

[5] Title 10 of the Code of Federal Regulations, Part 73, Physical Protection of Plants and Materials.

[6] David N. Orrik, Nuclear Regulatory Commission. Differing Professional Opinion, February 3, 1999.

[7] Terrance Reis, Nuclear Regulatory Commission, "Physical Security Significance Determination Process," August 30, 2001.

[8] Title 10 of the Code of Federal Regulations, Sections 50.59, Changes, tests and experiments, and 50.90, Application for amendment of license or construction permit.
