RADIOLOGICAL SABOTAGE AT NUCLEAR POWER PLANTS:
A MOVING TARGET SET
Edwin S. Lyman, Paul Leventhal
Nuclear Control Institute
1000 Connecticut Avenue, NW, Ste 804
Washington, DC 20036 (202) 822-8444
The Operational Safeguards Response Evaluation (OSRE) is a Nuclear Regulatory Commission (NRC) program that uses force-on-force exercises to test the strategies and capabilities of the security organizations at commercial nuclear power plants to protect the public from radiological sabotage. Despite the success of OSRE --- which uncovered serious physical protection inadequacies in nearly half of the plants tested --- it was cancelled in 1998 by NRC staff.
After whistleblowers publicized OSRE's cancellation, NRC reinstated the program. However, the nuclear industry, acting through the Nuclear Energy Institute (NEI), is attempting to significantly weaken it by influencing a revision of the NRC requirements for physical protection of nuclear power plants contained in 10 CFR Part 73.55. While this revision would require licensees to conduct periodic performance testing of their security plans, including force-on-force exercises, the testing regimen favored by NEI would be conducted under far less NRC supervision than the current OSRE program, and its results would be far more ambiguous.
Ideas that have been proposed by NEI include changing the physical protection goal so that saboteurs would be able to cause substantial damage to plant systems, as long as operators were able to prevent an uncontrolled meltdown and loss of containment. In contrast, under OSRE such an outcome would have been considered a failure, even if it would not have resulted in a radiological release.
No level of damage to critical safety functions should be considered an acceptable outcome of a test of the effectiveness of physical protection at nuclear power plants. Denial of access must remain the fundamental goal.
The Clinton Administration has identified the increasing threat of domestic terrorism, including use of weapons of mass destruction, as one of the most important security issues facing Americans. Although it rarely receives as much attention as biological or chemical attack, radiological sabotage is an important component of this threat that should not be underestimated. Commercial nuclear power plants, many of which are located near densely populated urban areas, are logical targets for attack. Additional concerns include the introduction of plutonium in the form of MOX fuel at two Duke Energy nuclear plants as part of DOE's warhead plutonium disposition plan. Use of MOX may increase the attractiveness of these reactors as targets not only for theft but also for radiological sabotage, because an attack on a MOX-fueled plant would cause a greater number of casualties.
The Nuclear Regulatory Commission (NRC) is charged with ensuring that operators of commercial nuclear plants are capable of protecting the public from acts of radiological sabotage. NRC's objective of maintaining public confidence in its effectiveness is especially challenging in the physical protection area. While the public has access to considerable information about the NRC's activities in ensuring reactor safety, it does not have comparable access to safeguards information and thus cannot independently verify the adequacy of physical protection at nuclear plants. Therefore, those aspects of plant security that are visible to the public (as well as to terrorists) must provide unambiguous assurance that the public will be fully protected from radiological sabotage, within a comfortable safety margin.
The Operational Safeguards Response Evaluation (OSRE) is a performance-based program, modeled after programs at DOE facilities, that was introduced to test the effectiveness of nuclear plant physical protection systems to protect against the design-basis threat (DBT) of radiological sabotage. The central evaluation consists of a number of force-on-force (FOF) exercises in which mock adversaries attempt to disable an entire "target set." An OSRE target set is defined as "a combination of equipment that would have to be disabled for an adversary to achieve [significant] core damage." Another series of evaluations, known as Regional Assists, tests the effectiveness of a plant's perimeter intruder detection systems (PIDS) and other means of denying unauthorized access.
OSRE has been highly successful in identifying significant physical protection vulnerabilities at U.S. nuclear plants --- as of summer 1998, 40 instances in which mock adversaries were able to defeat an entire target set had occurred, demonstrating the potential for terrorists to cause "significant core damage" at nearly half (27 of 57) of the plants tested. Most licensees that failed their OSRE evaluations did so in spite of the fact that they were in compliance with the requirements of their NRC-approved physical security plans (PSPs), had many months of advance warning, had observed prior OSREs and had increased the sizes of their security forces by an average of 80% over the numbers they had committed to in their PSPs.
The results of the OSRE program to date have demonstrated that simple compliance with the PSPs, which are based on requirements specified in 10 CFR 73.55 (b)-(h) (such as physical barriers and communication systems) does not itself guarantee compliance with 10 CFR 73.55(a), which requires that licensees provide "high assurance" that the public will be protected from the health and safety consequences of radiological sabotage.
OSRE was secretly cancelled in 1998 by NRC management after numerous complaints by licensees. Embarrassed by their failures, licensees had challenged NRC's legal authority to conduct the tests, which are not explicitly required by regulation. Whether or not the cancellation was a result of industry pressure, the public perception of the incident as a case of "shooting the messenger" was unavoidable. To restore public confidence, NRC must take exceptional care to demonstrate independence from industry influence as its reactor safeguards program is redesigned.
Following public disclosure of OSRE's cancellation, the White House ordered it reinstated. In the spring of 2000, the last of 68 nuclear plant sites, Commonwealth Edison's Quad Cities plant, was evaluated, and the cycle began again with Duke Energy's Oconee plant. In spite of the fact that the controversy led to a renewed focus on nuclear plant security by politicians, regulators and the public, the performance of licensees has apparently not improved following reinstatement, with the failure rate remaining at nearly 50%. Significant vulnerabilities continue to be identified at an alarming rate. Most recently, according to the Union of Concerned Scientists, both Quad Cities and Oconee failed their OSREs.
REVISING THE RULE: FIXING SOMETHING THAT "AIN'T BROKE"?
The licensees' challenge to the legal basis of OSRE was based on their view that as long as they met their PSP commitments, they were in compliance with regulations, even if their protective strategies and/or the ability of their security personnel to carry them out were deficient. Although NRC's general counsel disagreed with this interpretation, NRC decided to clarify the legal status of the OSRE program by amending 10 CFR 73.55 to require force-on-force exercises. Industry then intervened, demanding that the entire rule be revised, and NRC concurred. Based on the recommendations of a staff task force, NRC also decided that the industry could be given more responsibility for assessing its own tactical response capability, even though all the evidence of its past performance points to a need for more stringent oversight, not less.
The revised rule will contain modifications explicitly requiring licensees to conduct OSRE-like evaluated exercises on a more frequent cycle than the current program (every three years instead of every eight years), with more numerous smaller-scale drills in between. While these changes will be improvements, the overall rule revision may significantly limit NRC's role in supervising and assessing these drills and exercises. Past experience has shown that a lower level of NRC oversight would result in a reduction in security at nuclear plants.
Part of the reason for this concern about the revised rule is the new philosophy that NRC has adopted in which licensees and other "stakeholders" are afforded a much greater influence in the rulemaking process than they have had previously. Although in principle this would seem to be advantageous for public involvement, in practice only industry has the resources to participate as a full partner with NRC in this "interactive rulemaking" process. This has the effect of converting rulemaking proceedings into a format resembling two-party contract negotiations, which places the licensee in an inappropriate position relative to the regulator. NRC's contract is with the public to protect its health and safety --- it is not with the industry it regulates.
The increased clout of the industry in influencing fundamental NRC activities has been apparent during a series of public meetings being conducted by NRC to discuss the interim "self-assessment" program that will replace the current OSRE program until the revision of 10 CFR 73.55 is completed. This plan, which has been drafted by the Nuclear Energy Institute (NEI) and is subject to NRC approval, contains numerous elements that substantially weaken NRC's authority to identify, require corrections at and take enforcement actions against plants with significant vulnerabilities in their physical protection systems. Although NRC staff oppose many of NEI's proposed changes, currently resulting in a stalemate, there is considerable pressure to resolve the outstanding issues and accept the plan. Until this occurs, OSREs will continue under the existing framework.
TARGET SETS: FROM "PART 100" TO "CRITICAL SAFETY FUNCTIONS"
The definition of target sets is one of the most important elements for developing a protective strategy, because it determines the equipment that must be protected and the resources that must be expended by licensees to do the job. The target sets are not immutable but are functions of the ultimate protection goal. According to the regulations, this goal is protection against "the design basis threat of radiological sabotage." However, the size and content of target sets can be varied depending on how "radiological sabotage" is interpreted.
The criterion for evaluating the success of a licensee's security response during an OSRE is "prevention of significant core damage." The presumption is that if significant core damage occurs, significant radiological releases to the environment will follow. However, NEI criticized this criterion and proposed that it be replaced with the criterion used to demonstrate protection of the public from design-basis accidents --- "prevention of a 10 CFR Part 100 release." Part 100 releases, which are assumed to result from accidents that "result in substantial meltdown of the core with subsequent release of fission products," correspond to doses of less than 25 rem to individuals at the site boundary.
This change would mean that a licensee could pass an OSRE even if the mock adversary were able to cause "significant core damage," provided that the radiological release predicted to result from the attack would not exceed Part 100 limits. An NEI memorandum makes clear that this proposal was intended to change the OSRE ground rules so that past failures could be reinterpreted as successes. Moreover, it would shield future failures from enforcement actions.
In defending the Part 100 approach, NEI argued that the "significant core damage" criterion was too conservative, because it did not take into account operational responses and engineered features that could mitigate the consequences of a core melt, even if an entire target set were destroyed and significant core damage occurred. NEI also stressed that it sought to bring the security regulations into conformity with other safety regulations, in effect treating sabotage as if it were a design-basis accident. These arguments are deeply flawed.
The Part 100 proposal failed the "public confidence" test in a number of ways and clearly showed how out of touch with the public the industry has become. First, the public would not be likely to accept the inability of a plant security force to prevent terrorists from blowing up multiple pieces of vital equipment and causing a partial core meltdown, even if the off-site releases were minimal. To appreciate this point, one need only look at the intense public and media response to the recent Indian Point 2 steam generator tube rupture, which did not result in a measurable release of radiation. Another example was the 1999 Tokaimura criticality accident, which did not cause radiation doses in excess of Part 100 limits (the maximum dose at the site boundary was estimated as 9.2 rem) yet caused an uproar in Japan and around the world that has not yet subsided.
Simply put, it is foolish to weaken physical protection standards so that saboteurs would have the opportunity to cause significant core damage, because under those circumstances, the uncertainties associated with efforts to bring the plant to a safe condition would be much greater than if access were effectively denied to intruders. NEI's proposal would have made it impossible to provide a credible estimate of the risk to the public from acts of radiological sabotage.
Although NRC management was initially inclined to accept a Part 100-based approach, once the shortcomings were fully appreciated it decided to adopt a different strategy. Accordingly, in SECY-00-0063, NRC staff proposed --- and the Commission accepted --- an alternative which is closer to the spirit of the OSRE standard, and in fact may be even more conservative. In this approach, performance criteria would be tied not to permissible radiological releases, but to protection of the so-called critical safety functions (CSFs) that provide the capabilities for achieving safe shutdown and long-term heat removal.
A requirement to protect CSFs is more fundamental than a requirement to prevent significant core damage, and also covers other potential sources of radiological releases, such as spent fuel storage areas. However, some CSFs (such as process monitoring systems) are less critical than others, in that if they were lost, core damage would not inevitably result. Because this could mean more targets that need protection and substantial additional resource expenditures for security, NEI has embraced the original significant core damage standard and has not accepted the staff's approach. Some NRC inspectors familiar with OSRE also believe that the CSF approach would not be cost-effective.
It is clear that a balance must be struck. While the prevention of significant core damage must remain the fundamental goal, there also must be recognition that public confidence would be shaken if terrorists were able to penetrate a nuclear plant and disable any combination of systems, not merely those that would inevitably cause a severe accident.
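The dependence of target sets on the protection goal, described above, can be made concrete by treating a target set as a minimal cut set of a fault tree whose top event is the outcome the goal forbids. The following is an added example, not code from the paper or from the OSRE inspection manual, and the plant model in it is constructed and hypothetical (the component names, train arrangements and the assumption that a station blackout only leads to core damage if the turbine-driven auxiliary feedwater pump is also lost are all illustrative, not a description of any real plant). The same tree is evaluated against two goals: "prevent significant core damage" and "protect every critical safety function."

```python
"""Target sets as minimal cut sets of a simplified plant fault tree.

Added example, not from the paper or the OSRE manual. The dependency model
below is constructed and hypothetical: it is not any real plant's design.
A node is either a component name (a leaf the adversary can disable) or a
gate ("AND", [children]) / ("OR", [children]) whose top event is "this
function is lost". Redundant trains are therefore AND gates (both trains
must be disabled), and a function with several necessary inputs is an OR
gate (losing any one input loses the function).
"""
from itertools import product

# --- constructed, hypothetical critical safety functions (CSFs) ----------
REACTIVITY_CONTROL = ("AND", ["control_rods", "boration_system"])
CORE_COOLING = ("OR", [
    ("AND", ["hpi_pump_a", "hpi_pump_b"]),           # both high-pressure injection trains
    ("AND", ["aux_feed_motor", "aux_feed_turbine"]),  # both auxiliary feedwater trains
])
HEAT_SINK = ("OR", [
    "service_water_intake",                           # single point of failure
    ("AND", ["ccw_pump_a", "ccw_pump_b"]),
])
AC_POWER = ("AND", ["offsite_grid", "edg_a", "edg_b"])
PROCESS_MONITORING = ("AND", ["control_room_instruments", "remote_shutdown_panel"])

CSFS = {
    "reactivity_control": REACTIVITY_CONTROL,
    "core_cooling": CORE_COOLING,
    "heat_sink": HEAT_SINK,
    "ac_power": AC_POWER,
    "process_monitoring": PROCESS_MONITORING,
}

# Protection goal 1 (OSRE): prevent "significant core damage". In this toy
# model core damage follows from loss of core cooling, loss of the heat sink,
# or a station blackout in which the turbine-driven aux feed pump (the only
# train assumed to need no AC power) is also disabled.
CORE_DAMAGE = ("OR", [
    CORE_COOLING,
    HEAT_SINK,
    ("AND", [AC_POWER, "aux_feed_turbine"]),
])

# Protection goal 2 (the SECY-00-0063 direction): protect every CSF, i.e. the
# top event is "any critical safety function is lost".
ANY_CSF_LOST = ("OR", list(CSFS.values()))


def minimize(cut_sets):
    """Drop every cut set that is a proper superset of another one."""
    return {s for s in cut_sets if not any(o < s for o in cut_sets)}


def target_sets(node):
    """Minimal cut sets of a fault tree. Each one is an OSRE-style target set:
    a combination of equipment that must all be disabled to reach the top event."""
    if isinstance(node, str):
        return {frozenset([node])}
    gate, children = node
    child_sets = [target_sets(child) for child in children]
    if gate == "OR":                        # any one child's cut set suffices
        combined = set().union(*child_sets)
    elif gate == "AND":                     # need one cut set from every child
        combined = {frozenset().union(*combo) for combo in product(*child_sets)}
    else:
        raise ValueError(f"unknown gate {gate!r}")
    return minimize(combined)


def protected_components(node):
    """Every component that appears in some target set and so must be defended."""
    return frozenset().union(*target_sets(node))


def adversary_succeeds(node, disabled):
    """Exercise pass/fail: did the adversary disable an entire target set
    for the chosen protection goal?"""
    disabled = frozenset(disabled)
    return any(ts <= disabled for ts in target_sets(node))


if __name__ == "__main__":
    for name, goal in (("prevent core damage", CORE_DAMAGE),
                       ("protect all CSFs", ANY_CSF_LOST)):
        sets = target_sets(goal)
        print(f"{name}: {len(sets)} target sets, "
              f"{len(protected_components(goal))} components to defend")
        for ts in sorted(sets, key=sorted):
            print("   ", sorted(ts))
    blackout = {"offsite_grid", "edg_a", "edg_b"}
    print("station blackout, core-damage goal:", adversary_succeeds(CORE_DAMAGE, blackout))
    print("station blackout, CSF goal        :", adversary_succeeds(ANY_CSF_LOST, blackout))
```

Run as written, the model yields five target sets (ten components to defend) under the core-damage goal and seven target sets (fourteen components) under the protect-every-CSF goal, which is the resource concern raised against the CSF approach. The station-blackout case shows the other side of the argument: disabling offsite power and both diesel generators is not a failure under the core-damage goal, because the turbine-driven pump still removes heat, but it is a failure under the CSF goal, because the AC power function has been lost. Which result counts as a "pass" is entirely a matter of which goal the rule adopts.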
Despite NEI's apparent abandonment of the Part 100 criterion, it is continuing to search for other opportunities within the rulemaking process to weaken the revised regulations for physical protection. For instance, the possibility that credit may be given for operator response is still on the table. NEI maintains that even if an entire target set is destroyed by a sabotage attack, operators will be able to act appropriately in sufficient time to prevent significant core damage from occurring. However, there is no evidence that operators have the necessary training to cope with the complex set of events that could occur during an attack. Destruction of an entire target set typically corresponds to a "beyond-design-basis" accident, which is likely to be beyond the effective control of operators or mitigation systems.
Moreover, operators may not be willing or able to take actions that require leaving the control room or other secured areas to operate auxiliary controls during a security event. During the intrusion of the protected area at Three Mile Island in February 1993, a number of operators, including the shift supervisor and operations coordinator, acted out of concern for personal safety rather than fulfill their command and control duties appropriately. In spite of this data point, NEI hopes to get credit for postulated heroic actions by operators to save the plant while risking injury.
If NRC is prepared to allow credit to be given for operator intervention during exercises, at a minimum it should require that simulators or equivalent means be employed to test operator response. Credit should not be given for any operator action unless the licensee can demonstrate that such a response is achievable, given the highly confusing state of the plant during the attack and the small window of time (on the order of thirty minutes) between destruction of a target set and core uncovery. NEI argues that no such demonstrations are necessary because plant operators are capable of dealing with such accidents through the implementation of Severe Accident Management Guidelines (SAMGs), but this is not sufficient to alleviate this concern. As a recent NUREG report notes, there is no credible human reliability analysis built on SAMGs, which are not procedures, but guidelines that require subjective assessments by the operators.
Some in the industry have objected to use of simulators in this context, on the basis that existing units cannot be programmed to handle such complex events. However, this argument only underscores the point that operators are not trained for these events and need to be tested if they wish to assert their capability to act under extreme conditions.
Also, if credit is to be given for beneficial operator actions, then consistency demands that negative credit be given for malevolent operators. The current OSRE rules do not consider the possibility of active insiders, who could have access to the control room. An insider holding control room operators at bay with firearms for the duration of the attack, intentionally disabling safety systems or tampering with instrumentation and control systems could neutralize the ability of operators to bring the plant to a safe condition. Scenarios must be considered in which the operators themselves are targets.
NRC staff has acknowledged these concerns, and while it is prepared to allow operator actions to be considered, it has proposed significant constraints on the circumstances under which credit will be given. In particular, it has specified that "credit for operational decisions [will be] based on probability of success of those actions." This includes requiring that operators in the field be provided protection if they are to be given credit for their actions. In effect, operator actions will be considered CSFs that must be protected. Not surprisingly, NEI has rejected these restrictions.
No matter what constraints are imposed, consideration of operator actions will greatly increase the complexity of interpreting the results of performance testing. Former NRC Chairman Jackson observed during a May 5, 1999 hearing that analysis based on probabilistic risk assessment (PRA) would be necessary to determine the probability of successful mitigation of sabotage events. The uncertainties inherent in PRA analysis are themselves significant --- the uncertainties that would plague an attempt to extend PRA analysis to include deliberate acts of sabotage would be even greater. A large degree of subjectivity would be injected into the evaluation of security response, providing a great deal of leeway that would distract attention from the fundamental issue --- the poor performance of the security organization. This will complicate the job of inspectors, who need simple and well-defined criteria to judge licensees' performance during exercises.
In addition to not testing for an active insider, there are a number of other characteristics of the DBT which have not been utilized during OSREs in accordance with unwritten instructions to inspectors (details are Unclassified Safeguards Information and are not publicly available). As part of a Commission request, a new Adversary Characteristics Document (ACD) has been prepared that updates and clarifies the DBT. However, both NEI and NRC are opposed to a requirement that at least one exercise be conducted during the three-year cycle which utilizes the full capability of the adversary specified in the ACD. Instead, NRC will be satisfied with individual drills and exercises that only use subsets of the ACD's capabilities, as long as the union of all the subsets includes the entire ACD.
This does not make sense. Clearly, licensees must be able to demonstrate that they can protect against the entire DBT at once. Response capability is not a linear process --- the full DBT is likely to pose a greater challenge than the sum of its parts.
Another troubling aspect of the ACD process is that NRC has solicited feedback from NEI on the financial, operational or managerial impacts of the ACD on licensees, despite earlier statements by NRC staff that the ACD was "a finished document" not subject to industry comment. NEI does not have access to intelligence that would qualify it to challenge any aspect of the ACD. Moreover, the financial impact of the ACD on licensees has no bearing on the content of the document itself. When queried on this issue, NRC management stated that NEI's feedback was limited to the clarity of the document and not its substance, but this clearly conflicts with the original request for comments. Since the public does not have access to these closed-door deliberations, these contradictions can only lead to a growing mistrust of the process.
The past performance of nuclear plants during OSREs has not entitled them to receive a larger share of the responsibility for regulating their compliance with security rules. There is great concern among NRC inspectors that without the vigorous oversight and analytical capabilities of NRC and expert contractors, skills will deteriorate and corners will be cut. A program in which licensees are able to both develop and grade their own tests can obviously be abused.
There also must be comprehensive NRC review of licensee-chosen target sets, especially if operator actions are to be credited. Otherwise, the licensee may deliberately omit pieces of equipment from target sets that could be used to prevent core damage. If the mock intruders were able to destroy the entire target set, the licensee could then argue that operators would have been able to discover and use the additional piece of equipment to save the plant, even though such actions were not part of approved emergency operating procedures. This argument has already been used to reduce the severity of the violation associated with at least one recent OSRE failure.
On the other hand, the more frequent drills required under the new plan could, of course, be all to the good, provided that they are meaningful and effective. Sensitive about the appearance of foxes guarding the henhouse, NRC has changed the name of the Self-Assessment Program (SAP) to the Safeguards Performance Assessment (SPA). To ensure that this represents more than a change in name only, NRC should insist on maintaining its role in devising appropriate drills and independently evaluating performance. The NRC-observed exercises must be at least as stringent as the current OSREs. In particular, regional inspectors have repeatedly flagged the participation of skilled contractors in evaluated exercises as an essential component of a credible program. NEI would like to eliminate the use of these contractors because of their cost.
However, doubts remain about whether the industry will take the SPA seriously, even if all the outstanding issues are resolved in its favor. To date, the industry has refused to commit to incorporate the SPA into plant PSPs, which would make it legally binding on licensees. NEI's position is that the SPA is a voluntary program.
The OSRE program has been quite successful in uncovering vulnerabilities in the physical protection systems at nuclear power plants. It has been the only mechanism for compelling NRC licensees to maintain and improve their physical protection capabilities. Efforts by the industry to reduce its effectiveness in the future must be decisively stopped.
NOTES
1. E. Lyman, "Public Health Consequences of Substituting Mixed-Oxide for Uranium Fuel in Pressurized-Water Reactors," Science and Global Security (forthcoming).
2. U.S. NRC, "Operational Safeguards Response Evaluation (OSRE) Inspection Manual," Inspection Procedure 81110, July 1997.
3. D. Orrik, "Differing Professional View Regarding NRC Abandoning its Only Counter-Terrorism Program," memorandum to S. Collins, U.S. NRC, August 7, 1998.
4. In a May 3, 1999 letter to Representative Ed Markey, former NRC Chairman Jackson denied that NRC had received any written proposals from the industry to eliminate OSRE, but admitted that some licensees had expressed their discontent during informal conversations with staff.
5. D. Lochbaum, Union of Concerned Scientists, "Comments on the Safeguards Performance Assessment Program," letter to Glenn Tracy, U.S. NRC, July 14, 2000.
6. U.S. NRC, "Staff Re-Evaluation of Power Reactor Physical Protection Regulations and Position on a Definition of Radiological Sabotage," SECY-00-0063, March 9, 2000.
7. U.S. NRC, "Unauthorized Forced Entry into the Protected Area at Three Mile Island Unit 1 on February 7, 1993," NUREG-1485, April 1993, p. 3-7.
8. M. Pilch et al., "Assessment of the DCH Issue for Plants with Ice Condenser Containments," NUREG/CR-6427 (Washington, D.C.: U.S. NRC, 2000), p. 52.
9. R. Rosano, U.S. NRC, presentation at the Public Meeting on the Safeguards Performance Assessment Program, Rockville, MD, July 12, 2000.
10. R. Rosano, U.S. NRC, "Review of Adversary Characteristics Document," memorandum to Jim Davis, NEI, April 6, 2000.