|
My name is Paul Leventhal,
President of the Nuclear Control Institute (NCI), a non-profit organization based in
Put simply, the nations
nuclear power reactors are vulnerable to attack by terrorists, and the Nuclear
Regulatory Commission and other government entities have failed to move
decisively to impose the further security measures that are needed to prevent a
successful attack and avert catastrophic radiological consequences. Three
days after the attacks of September 11, NCI and CBG wrote to NRC Chairman
Richard A. Meserve. We cited the extraordinary and
unprecedented threat that now exists inside the These
proposals include immediate use of National Guard troops at all of the nations
reactors to deter attacks from land and water, prompt deployment of advanced
anti-aircraft weapons to defeat suicidal attacks from the air, and a thorough
re-vetting of all plant employees and contractors to protect against sabotage
by insiders. In addition, we called on the NRC to significantly upgrade
its security regulations to protect against the larger numbers and the greater
sophistication of attackers posed by the new terrorist threat. In a brief reply to our
specific proposals, Chairman Meserve stated only that
the Commission is evaluating current requirements and statutory authority
relating to acts or threats of terrorism, including but not limited to those
that you presented in your letter. Our letter to Chairman Meserve and his response are attached to this testimony. A Familiar Refrain The Chairman's response is a
familiar refrain, and we frankly do not have the luxury of time to allow the
NRC and other federal agencies to engage in a prolonged bureaucratic review process
that Chairman Meserve has since said is now underway.
The immediate danger is
underscored by the fact by that nearly half of the nuclear plants tested in
NRC-supervised security exercises have failed to repel mock terrorist attacks.
These exercises involve small numbers of simulated attackers compared with the
large number of terrorists who waged the four sophisticated, coordinated
attacks of September 11. The NRCs mock
terrorist exercises severely limit the tactics, weapons and explosives used by
the adversary, yet in almost half the tests they reached and simulated
destruction of safety systems that in real attacks could have caused severe
core damage, meltdown and catastrophic radioactive releases. Now in response to
operator complaints and budgetary constraints , the
NRC is actually preparing to shift responsibility for supervising these
exercises to the operators themselves. Current events clearly show that
nuclear power plant security is too important to be left to industry
self-assessment. Dr. Edwin
Lyman, a physicist and NCIs scientific director, has performed a
straightforward calculation indicating that a direct, high-speed hit by a large
commercial passenger jet would in fact have a high likelihood of penetrating a
containment building that houses a power reactor. Following such an
assault, the possibility of an unmitigated loss-of-coolant accident and
significant release of radiation into the environment is a very real one.
Such a release, whether caused by an air strike, or by a ground or water
assault, or by insider sabotage could result in tens of thousands of cancer
deaths downwind of the plant." A number of these plants are located near
large cities, such as the Indian Point facility outside We submitted Dr.
Lyman's analysis to Chairman Meserve with a request
for his comments and for an NRC study to evaluate the consequences for each
licensed operating reactor that could result from an attack similar to those on
September 11. On November 29, Chairman Meserve responded in a letter that our analysis will be
considered in the agency's overall reevaluation of security and safeguards,
which "will include an assessment of the potential consequences of a large
aircraft attack on a commercial nuclear power plant." The present plan, he said, was that
"this assessment will broadly consider the vulnerabilities of operating
reactors, followed by a more focused study of a few representative
plants." I submit an abridged
version of Dr. Lyman's study for the hearing record, along with the exchange of
letters with Chairman Meserve, and I submit a
non-public copy of Dr. Lyman's full analysis for the subcommittee's use in
overseeing the work NRC does to evaluate the vulnerability of reactor
containments to attacks from the air. As Dr. Bennett Ramberg, until recently CBGs
research director, noted in his seminal work on the subject, Nuclear Power Plants as Weapons for the
Enemy: An
Unrecognized Military Peril (University of California Press, 1984), the
possession of nuclear energy facilities gives to ones adversaries a
quasi-nuclear capability to use against you.
In effect, a conventional attackbe it a truck bomb, plane crash, attack
by terrorists on foot, or an insidercan turn a nuclear reactor into a
radiological weapon. At the very least, hundreds to thousands of square miles
could be placed off limits to human habitation due to the lingering impact of
long-lived radioactive elements. The economic consequences would be
devastating.
Our organizations have long
been troubled by the dilemma of speaking about the present vulnerability of
nuclear power plants. We have tried to work quietly for a decade and a
half in a largely unsuccessful attempt to get the NRC to upgrade reactor
security. To illustrate this
longstanding effort, I submit for the hearing record an article from the Bulletin of Atomic Scientists of March
1986, "Protecting Reactors
against Terrorists," by the Committee to Bridge the Gaps Daniel Hirsch
and colleagues Stephanie Murphy and Bennett Ramberg,
as well as the recommendations the same year by the International Task Force on
Prevention of Nuclear Terrorism for "Securing Nuclear
Facilities." This Task Force,
convened by the Nuclear Control Institute, included senior nuclear officials
from industry, the military, and the national laboratories. Our principal success came in
1994 when the NRC agreed to require nuclear plant operators to erect barriers
and establish setback distances to protect against truck-bomb attacks.
But this reform came only after the lesson of the bombing of the World Trade
Center the year before, and the NRC has refused our appeals to upgrade
protection to defend against the much larger bombs used by terrorists since. The horrendous attacks of
September 11 have now made NRC foot dragging intolerable. The new threat
should now be evident to all, and the country can afford to wait no
longer. The vulnerabilities at these
plants can and must be closed, now. The American people have a right to
know the dangers and to demand the prompt corrective actions that we propose to
protect nuclear power plants from terrorist attacks and the unthinkable
consequences that could follow. We are concerned with the
longstanding history of inaction on this issue by the Nuclear Regulatory
Commission, a pattern continuing to this day despite the urgency of the
situation posed by the attacks of September 11.
The NRCs security regulations are designed
for a terrorist threat a small fraction of what was made evident to all two
months ago. Yet despite the President
saying we are at war and should expect further terrorist attacks at domestic
targets, the NRC has done nothing concrete but recommend that plants increase
their alertness level and coordinate security with state authorities. The NRC's grossly
inadequate security rules remain unchanged. Each of the nations 103
operating nuclear plants contains in it an extraordinary amount of
radioactivity. An attack by a truck bomb, insider, armed group, or
hijacked airliner at one of our civilian nuclear facilities could result in
sufficient radioactivity released to produce tens or hundreds of thousands of
latent cancers and contaminate hundreds of miles downwind. A Sandia National Laboratory report concluded that a
successful truck bomb attack at a civilian nuclear plant could result in
unacceptable damage, i.e., a meltdown. Further, NRC and the Nuclear
Energy Institute, the industry lobby, now concede that containment structures
were not designed to withstand a 757 crash of the sort witnessed on September
11. In addition, the safety
systems necessary for keeping the fuel cooled and preventing melting are of
special concern, and represent "soft targets" if reached by
terrorists, as are the spent fuel pools.
The latter are generally outside of containment and hold several
For 17 years our two organizations have been warning the Nuclear
Regulatory Commission that its quarter-century-old security regulations for
protecting civilian nuclear facilities from terrorist attack are woefully
inadequate and outdated. These regulations require, for a nuclear power
plant, a very small number of guards---a minimum of five--- [10 CFR 73.55(h)(3)] and the ability to repel no more than a very small group of attackers, entering
the site as a single team and with artificial constraints on weapons and
explosives, and the involvement of only one insider [10 CFR. 73.1(a)(1)] Until recently, when our
repeated petitions were finally granted in part, no protection whatsoever
against truck bombs had been required.
The rule adopted in 1994 was not intended to protect against terrorist bombs much larger than the
one used in the attack on the The NRC has long argued that
stronger security regulations were not required for domestic nuclear facilities
and transport because of the alleged lack of any domestic threat, the
likelihood of advanced warning if a threat materialized,
the relative lack of sophistication in terrorist attacks, and a supposed
reluctance of terrorists to create large numbers of casualties. The
coordinated attacks on the Those attacks involved far
more terrorists than the NRCs Design Basis Threat
(DBT) contemplates, acting as four independent teams (only one attacking team
is contemplated in the DBT), and employing a high level of sophistication and
planning. In addition, the attacks occurred without any advance warning
recognized as such by the responsible agencies. Furthermore, current
regulations state that reactor operators are not required to protect against
attacks by an enemy of the The new "design basis
threat," made manifest by September 11, is at least 19 sophisticated and
suicidal terrorists attacking from at least four different directions. Mr. Chairman, we ask that this Subcommittee
inquire of the Chairman of the Nuclear Regulatory Commission whether any
nuclear power plant today is capable of repelling an attack of that magnitude. If the answer is no, as we suspect it will be,
he should be asked why he has not promptly ordered an immediately effective upgrade of the NRC
security rules to meet such a threat, and why, in the meantime, he has not advised the President that military protection of these plants is
needed to deter and defeat such an attack. This
question is all the more pertinent, given a recent statement by Chairman Meserve. On November 8, he said: Plainly these vicious
attacks (of September 11) far exceeded anything that the NRC had contemplated
as a threat to our licensees. . . .In principle, of course, it is the
responsibility of the Federal Government to protect the nation against threats
from abroad; but the reality of the present crisis is that all of us,
organizations and individuals, public and private, have a responsibility as
citizens to do our part to protect the American people.
But it
is not a matter of principle. It is a
matter of law and regulation. The plain
facts are that there is now a terrorist threat to nuclear plants that the NRC
had failed to foresee. It is the
responsibility of the NRC to require its licensees to provide adequate
security, given the nature of the threat now evident, and to advise the
President how to provide the protection if industry cannot. On November 8, Chairman Meserve
also made a commitment that "the NRC will reexamine the DBT and modify it,
as appropriate." This commitment is
vague and open-ended. It is surely no
substitute for providing immediate military protection of nuclear power plants. In 1991, our two
organizations petitioned the Nuclear Regulatory Commission to upgrade its
Design Basis Threat regulations. In particular,
we called for increasing the assumed attacking force, which security must be designed to
repel, to twenty attackers acting as
multiple teams. That
number has been shown to be remarkably prescient in light of the 9/11 attacks.
The NRC rejected our petition, stating predictably that an attack involving
more than the present Design Basis Threat of several attackers acting as a
single team was not credible. The actual
number of assumed attackers is a very
small group compared with the nineteen attackers in four coordinated teams on
September 11. Thus far, the NRC has
failed to upgrade the DBT rules in response to the new threat environment. It
promises a "top-to-bottom review" of uncertain duration, and
anticipates at some point a government role to fill "any gap between a
licensee capability and the assumed threat." The obvious question is, what do we do in the meantime? Both the threat and the gap to be filled
exist right now. The notion that both
will wait until the NRC gets its act together is unreal and dangerous. President Bush has called up
the National Guard at airports and placed Federal marshals on aircraft to make
Americans feel safe flying again. Yet,
neither the NRC nor the White House has called for military protection of
nuclear power plants located within tens of miles of where millions of
Americans live and work. Relatively
small numbers of National Guard troops have been placed at nuclear power plants
in 13 of the 32 states that have such plants, but at least two states have
recently withdrawn the troops. In the
absence of clear guidance from
To make matters worse, many reactors in the country do not
have security systems in place sufficient to meet even the current, very weak
regulations. The NRCs Operational Safeguards
Response Evaluation (OSRE) Program tests reactor security by running
black hat mock attacks. Even
with six months advance warning of when the test attack will occur, nearly half
the reactors in the country have failed these tests---meaning that the
attackers simulated destruction of a "target set," which is defined
as set of redundant safety systems needed to maintain cooling of the core and
prevent a meltdown. The response by NRC and
industry to this dismal record was to attempt to kill the OSRE program entirely
three years ago, and now, having had to back off because of bad publicity, they
are attempting to convert it into an industry-run, Self-Assessment Program
(originally called SAP, but changed to SPA, for Safeguards Performance Assessment).
Both the NRC and industry representatives claimed that a number of the
exercises were not in fact failures because plant operators could have
intervened to mitigate damage caused by the mock attackers. But they refused to require operators to
demonstrate such supposed "operational impact" on simulators--- that
is, to demonstrate that they actually could respond effectively to
multiple system failures caused by the attackers. Nor, at the outset, did they account for the
possibility that plant operators might not survive an attack or be able to
function effectively inside or outside the control room when a plant is under
siege. When the NRC moved to zero
out the OSRE program in 1998, the NRC official responsible for supervising the
exercises, Retired Navy Seal Capt. David Orrik, filed
a Differing Professional View strongly protesting the move. NRC has only one
small program to ensure that the 60+ nuclear power plants are able to
protect against a terrorist attack aimed at causing radiological sabotage, i.e, an American Chernobyl, he wrote. After the Commission restored the program, Orrik was pressed at a Commission hearing the following
year as to whether his finding that 47 per cent of the plants tested had
revealed significant security weaknesses was too severe,
given the possibility the operators could mitigate damage. He replied: We did not look at operational
impact. That was not my charter. We
looked at the security impact only, and if the target set was reached,
destroyed, that was it. The NRC, at the industrys urging,
has rewritten the procedures to give credit for operators claims that they
could prevent a meltdown even after a set of redundant safety systems is
destroyed in an attack. This approach
only serves to undercut and confuse what should be a clear security goal in
protecting nuclear plants against terrorist attack: denial of access. Under the new procedures, credit is given for
operator intervention only if it is determined that the operators would still
be alive and able to take the mitigating action in the simulated attack
situation. But this is still a highly
subjective and conjectural factor compared with the unambiguous simulated
destruction of a complete target set by the mock attackers. Unfortunately, the security
situation at nuclear power plants has been getting worse. Since May 2000, when NRC began public
reporting of the plant-by-plant results of OSRE exercises, only two of 11
plants tested succeeded in repelling a mock attack force. Of the nine plants that failed, two plants
managed to avoid simulated destruction of a complete target set, while seven
plants failed to prevent destruction that, in the event of a real attack, could
have resulted in severe core damage and meltdown. Thus, 82 percent of the plants tested failed
to repel mock attackers, and 64% of the plants tested lost redundant safety
systems and faced core meltdown. This is
a disgraceful situation that no amount of spin control by the NRC and the nuclear power industry can hide. In addition, certain industry
proposals could significantly increase the targets and risks of nuclear
terrorismparticularly the push for the construction of a new generation of
pebble bed reactors, made of combustible graphite like Chernobyl and with
no containment structure, and the prospect of ending the 25-year-old bipartisan
policy against commercial reprocessing of spent fuel of nuclear power
plants. Reprocessing would put into
commerce immense amounts of separated plutonium that could be stolen by terrorists
for use in nuclear or radiological weapons.
A study performed for NCI by five nuclear weapons designers made clear
that a terrorist group sophisticated enough to steal such material could put
together a technical team capable of making atomic bombs. The NRC response to the World
Trade Center/Pentagon attacks has failed to rise to the extraordinary threat
that the nation now faces. This became apparent on the very first day
when, instead of issuing an immediately effective order to reactor operators to
go to the highest state of alert, it merely recommended that they do so,
noting further that there was no identified threat against any plant (as if
there had been such a threat against the World Trade Center and the
Pentagon). Absent any recommendation from the NRC, the President has not
called up the National Guard to protect nuclear power plants. As noted, the result is that most reactors
have no protection by National Guard troops and those that do, have it in
insufficient numbers. Furthermore, the airspace over civil reactors is not
restricted. (A week-long ban on small
planes flying near nuclear plants has been lifted.) For a decade and a half, the
Nuclear Control Institute and the Committee to Bridge the Gap have worked to try to get
the NRC to act responsibly and to protect these facilities adequately. We
submitted petitions for rulemaking, met with Commissioners and their staffs, submitted scholarly studies. With one partial
exception, a truck bomb rule of insufficient effectiveness, our efforts have
been repeatedly frustrated. The horrendous events of September 11 make clear that our country is facing
adversaries well able to identify this nations vulnerabilities and extremely
willing to exploit them to produce massive loss of life. The
vulnerability of our nuclear plants is no secret. Officials have warned
that there may be more attacks planned; one need not be a rocket scientist to
figure out that nuclear plants may be the next target, topping in destructive
effect the most recent tragedy. Officials have warned that other cells
may have been pre-emplaced in the
To summarize what we believe should be done to protect the public
from the catastrophic consequences that could arise from a successful terrorist
attack, here are our recommendations in brief: 1. Arrange for the National
Guard to be called out to protect each domestic nuclear facility, and advise
the Guard as to the specific kinds of threats that need to be protected
against: truck bombs, attacks by boat or air, ground assault/penetration,
and insiders. We have been advised by
security experts that
a force of 30 to 40 guardsmen for each plant site is needed to provide a
visible show of force and a credible deterrent to attack. 2. Provide anti-aircraft
protection at each reactor site to deal with possible attacks by aircraft. We note the French government has deployed
anti-aircraft measures at sensitive nuclear facilities in 3. Commence a thorough re-evaluation of all nuclear power
plant personnel, including the hundreds of outside contractors who are onsite
during refueling outages and for routine maintenance, for potential security
risks and establish an immediate strict two-person rule to reduce risks of
insider attack. 4. On an immediately-effective basis, promulgate new
security regulations for protection of nuclear facilities that upgrade those
regulations and the associated Design Basis Threat to deal with a threat of the
magnitude that is now clear. That security upgrade should include: (a) increasing the design basis threat to
a significantly larger number of attackers, in excess of the 19 involved in the
September 11 attacks; 5. Reverse the plans for an industry-run, self-assessment
program of security exercises aimed at replacing the NRC-supervised OSRE
exercises; and instead, at least tripling the number and frequency of OSRE
tests; making any problems identified subject to enforcement action; having
OSRE test against the full magnitude of the security threat made clear by
recent events (e.g., large numbers and high sophistication of attackers,
multiple coordinated attacking teams, active insider, etc.) and the full range
of potential targets at the reactor site (including spent fuel storage); and
strictly enforcing the security requirements so that failure of an OSRE test
results in a reactor shutdown unless there is a clear demonstration in a
follow-up OSRE exercise that all deficiencies have been promptly and fully
rectified. 6. Require a demonstration that the design of any new reactor is able
to withstand damage from a terrorist attack after the security system has been
successfully penetrated. 7.Bar any transport of high-level waste until and unless new
security requirements are put in place that require accompanying security forces
capable of meeting attacks by terrorists of the magnitude and sophistication so
dramatically revealed by recent events, and which provide high protection
against insider actions. A number of our
proposals have been incorporated into the House and Senate versions of the
Nuclear Security Act, which were introduced last week. We will submit our detailed views on this
legislation when hearings are held to consider it. Generally, we are supportive of the
provisions requiring the NRC to revise the Design Basis Threat to deal with
threats equivalent to the events of September 11 and establishing a federal
nuclear security force. On the latter we
have reservations about establishing such a force in the NRC and would prefer
that military protection of nuclear power plants be mandated for the duration
of the post-9/11 emergency. We are
dismayed but not surprised by the strong opposition to the legislation
expressed by the NRC and the industry.
The statement by Chairman Meserve (in a letter
to Senator Harry Reid)
that [T]here have been no failures in nuclear plant
security of the type that has plagued
the commercial airline industry and thus no need for such radical change, is
especially egregious, given the results of the OSRE exercises. Chairman Meserve
has made some statements recently that suggest the NRC may now finally be
prepared to upgrade the DBT in light of the current extraordinary
circumstances. But it remains to be seen whether the NRC and industry will
once again stick their heads in the sand, hoping the problem will go away of
its own accord. This has been their customary
posture, which they assume out of concern that if they were to concede that reactors are
vulnerable to terrorist attack and that large-scale health consequences and
contamination would result, public fear
of nuclear power would increase.
Prospects for a revival of nuclear power would then diminish, they
believe, and even continued operation of existing reactors might be
jeopardized. But their concerns are
extraordinarily short-sighted, placing the industry's economic interests and
political agenda above public health and the safety and the common defense and
security of the
The NRC is obligated by the
Atomic Energy Act of
1954, as amended, to uphold safety and security interests, and by the Energy
Reorganization Act of 1974 to serve as an independent regulator without regard
to the industry's economic interests when it comes to establishing or enforcing
adequate protection. Statutory
considerations aside,
if the industry and the NRC continue to refuse to adequately
protect these facilities, Americans will demand as they should that the
reactors be shut down. Indeed, there is now a
petition drive, in which Nuclear Control Institute is participating, to shut
down the two reactors still operating at the Indian Point plant, located 25
miles from The NRC now acts as a
captured regulatory agency---captured by the industry it is obligated to
regulate. A quarter century ago,
Congress fissioned the Atomic Energy
Commission into two separate agencies in order to end the inherent conflict in
the old AEC between promotion and regulation of nuclear energy. As a member of the staff of the Senate
Government Operations Committee, I was intimately involved in preparing the law
that created the NRC and the present-day Department of Energy, so I am familiar
with what Congress intended. Today, sadly, the NRC has
come full circle and closely resembles the atrophied Regulatory Division of the
old AEC. In the current threat
environment, this presents a dangerous situation. Congress needs to revisit the overall role
and performance of the NRC, but at this moment it must tell NRC in absolutely
clear terms: upgrade the security of
nuclear power plants, now, to levels sufficient to
protect against an attack of the scale and sophistication of September 11, or
be prepared to face legislation mandating the shutdown of these plants. The danger to the public is too high to
permit a captured and intimidated agency to take a business as usual approach
in these extraordinary times.
We have concluded, as noted, that we needed to go public with the
vulnerabilities to terrorist attack and the failure of the NRC to responsibly
address them. It is prudent to assume that the terrorist adversary knows
that the plants are vulnerable. The training camps in * * * * * *
Paul
Leventhal founded the Nuclear Control Institute in 1981 and serves as its President after having
held senior staff positions in the United States Senate on nuclear power and
proliferation issues. He has prepared four books for the
Institute and has lectured in a number of countries on nuclear issues,
including as Distinguished Visiting Fellow at Mr. Leventhal organized the
Institute's International Task Force on Prevention of Nuclear Terrorism, its
conference in He served as Special Counsel to the
Senate Government Operations Committee, l972-1976, and as Staff Director of the
Senate Nuclear Regulation Subcommittee, l979-1981. He was responsible for the
investigations and legislation that resulted in enactment of two landmark
nuclear laws---the Energy Reorganization Act of 1974, replacing the Atomic
Energy Commission with separate regulatory and promotional agencies, and the
Nuclear NonProliferation Act of 1978, establishing
stricter controls on Mr. Leventhal was a Research Fellow
at He served as Assistant Administrator
for Policy and Planning at the U.S. National Oceanic and Atmospheric
Administration (NOAA), 1977-1978. Mr. Leventhal came to
He holds a bachelor's degree in
government, magna cum laude, from Dan Hirsch is President of the
Committee to Bridge the Gap, a Los Angeles-based nuclear policy
organization. He is the former Director
of the Adlai E. Stevenson Program on Nuclear Policy at the Hirsch
has worked for two decades in the field of nuclear policy, specializing in
risks of nuclear terrorism, accident risks, waste disposal problems and
proliferation. He is the author of
numerous studies, scholarly articles and book chapters on these subjects. In
1985, Hirsch co-authored a study dealing with the risk of terrorism aimed at
nuclear facilities and the failure of regulatory requirements to be updated to
address emerging threats. He and his
co-authors testified on the studys findings before the NRCs
Advisory Committee on Reactor Safeguards, urging revision to the security
precautions required at reactors, thus beginning a 15-year effort to get the
NRC to improve security requirements.
The study was published, in abridged form, in the Bulletin of the Atomic Scientists, in 1986. A subsequent study on the truck bomb and
insider threat to nuclear facilities was published in the book Preventing Nuclear Terrorism.
|