As President Obama is preparing to attend the third Nuclear Security Summit in The Hague next week, the United States is playing the “do as I say, not as I do” game concerning protection of commercial nuclear facilities against terrorist attacks.
The Nuclear Regulatory Commission (NRC), following the nuclear industry’s lead, is carrying out major changes that could fatally undermine the effectiveness of its “force-on-force” inspection regimen, perhaps the world’s most stringent program for conducting security oversight of commercial nuclear facilities. As the United States heads to the summit, it should lead by example and bolster the security of its nuclear facilities at home.
Instead, it is sending the wrong message by weakening its security requirements: reducing the number of tests that are conducted at each site and proposing to give more credit for tests that the plant owners conduct and grade themselves.
A similar effort at the Department of Energy (DOE) to decentralize security oversight under former Secretary Steven Chu contributed to a major security breach: the successful intrusion by three anti-war protesters into the Y-12 plant in Tennessee, the nation’s main storehouse of bomb-usable highly enriched uranium. DOE is now trying to undo that mistake.
Why are Tests Important?
Why is testing security performance with force-on-force (FOF) exercises essential? Because experience has shown that paperwork reviews of security plans cannot fully assess the actual, on-the-ground efficacy of security forces. The NRC requires facilities that are high-value terrorist targets be protected with “high assurance” against a “design basis threat” (DBT). The DBT lays out the NRC’s assumptions about the general characteristics (weaponry, tactics, skills) of potential adversaries. For example, it requires nuclear power plants to be protected against an external attacking force (with the help of an insider) that seeks to damage safety systems and cause a Fukushima-type meltdown.
U.S. experience at both military and civil facilities has shown that simply complying with regulations and standards is not sufficient to prove that security plans will work in practice. Since the 1990s, the NRC has been conducting force-on-force testing as part of its security inspections at nuclear power plants. According to a brochure issued by the NRC in October 2013 titled “Protecting Our Nation,” FOF inspections are “an essential part of the oversight of the security of these facilities.”
FOF inspections routinely uncover security vulnerabilities that require prompt correction. In the years preceding the 9/11 attacks, U.S. nuclear plants failed roughly 50 percent of their exercises, meaning that the mock attackers were able to simulate damaging enough equipment to result in a meltdown. After 9/11, the NRC required plant owners to make security upgrades and strengthened its inspection of those upgrades, in part to comply with a 2005 congressional mandate to conduct FOF tests every three years. After the NRC revamped the program, nuclear plants have been failing at a rate of about 5 percent on average, with no significant downward trend in the failure rate yet apparent.
Considering the horrific consequences of a real security failure, this rate is still too high and indicates there is room for improvement. Now is not the time for the NRC to take the pressure off the industry to protect its nuclear plants.
The Nuclear Industry Hates FOF Tests
One thing that has become obvious from monitoring the force-on-force inspection program for years is the industry despises it. This is understandable—no one likes to take tests. And just like schoolchildren who complain that a test was unfair when they don’t do well, the industry has persistently raised questions about the test protocols to try to diminish the significance of poor performance.
From my discussions with NRC inspectors, it is apparent that preserving an element of surprise is one of the most important factors to ensure that FOF tests are able to accurately measure nuclear plants’ everyday security readiness. Of course, the exercises can never fully simulate a surprise attack: Nuclear plants must prepare for weeks before mock attacks so that they can be carried out safely. But there are aspects of a surprise FOF test that can help ensure the exercises are challenging. One important factor is the independence of the mock attack force. The attack force should be free to choose any attack scenario as long as it is consistent with the capabilities of the design basis threat, even if it employs those capabilities in new ways
The NRC also has to make sure that the attack force cannot collude with defending forces to “fix” the tests. It will be difficult for the agency to maintain the necessary separation if the mock attackers are made up of plant security force members, since there is a potential for conflict of interest.
In the first iteration of its FOF inspections in the 1990s, the NRC used actual members of the U.S. Army Special Forces (whom it referred to euphemistically as “subject matter experts”) as an integral part of the team that planned and carried out the mock attacks. But apparently they were too good at their jobs. After industry complaints, and a brief cancellation of the program, the industry proposed that the NRC replace the FOF inspections with a self-assessment program, in which the licensees themselves would staff and run the FOF drills and the NRC would be relegated to the role of a passive observer. This raised concerns among some NRC staff, who feared that this could whittle down the exercises to mere dog-and-pony shows in which the licensees would stage well-rehearsed performances for the NRC inspectors’ benefit.
Inadequate Tests, Even after 9/11…
The 9/11 attacks partly derailed this effort and prompted the NRC to strengthen the FOF inspections and increase their frequency from one every eight years to one every three years. However, the NRC has downgraded the subject matter experts’ role in the current program, and the tests use an industry-run “composite adversary force” (CAF) instead. The NRC says that it avoids conflict of interest issues by requiring “a clear separation of functions between the CAF and plant security forces.”
Nevertheless, questions remain about whether the post-9/11 inspection program is as rigorous and independent as the earlier program. In addition, numerous other artificialities compromise the tests’ realism, including strict limitations on the role insiders could play in assisting in attack planning, and no requirement to consider simultaneous cyberattacks.
Unfortunately, the industry has never given up on the idea of substituting its own FOF drills for the NRC-run inspections, and now the NRC seems more open than ever to allowing this to happen. The Nuclear Energy Institute (NEI), the industry’s primary trade association, formed an “Alternate Approach to FOF Focus Group” in February 2013, which is promoting a very similar approach to the self-assessment program it proposed before the 9/11 attacks.
… and Maybe Worse to Come
In response to industry complaints, the NRC already has reduced the number of FOF exercises per inspection from three to two and is proposing to reduce it to only one by 2017. In exchange, the NRC will give more credit to licensee-run security drills and will observe one such drill in each inspection cycle. This is a slippery slope toward the industry’s ultimate goal: to take control of the process and eliminate the potentially embarrassing FOF exercises altogether. Even worse, the NRC commissioners have directed the staff to review the entire FOF program with an apparent eye toward weakening it even further.
On top of that, NRC commissioners are apparently questioning the agency’s policy that plant owners should immediately correct all security vulnerabilities detected during FOF inspections.
If the NRC continues on its current course, the potential for terrorists to trigger a Fukushima-like meltdown at a U.S. nuclear plant—already unacceptably large, in our view—will only increase.
More information on NRC and industry plans and UCS’s response can be found here.