TESTIMONY OF PAUL LEVENTHAL
on behalf of the
NUCLEAR CONTROL INSTITUTE
RECOMMENDATIONS OF THE NRC SAFEGUARDS PERFORMANCE
ASSESSMENT TASK FORCE
presented to the
U.S. NUCLEAR REGULATORY COMMISSION
MAY 5, 1999
Good morning. My name is Paul Leventhal. I am president of the Nuclear Control Institute (NCI), a non-profit research and advocacy center concerned with problems of nuclear proliferation and the threat of nuclear terrorism. With me today is our Counsel, Eldon Greenberg, a partner in the Washington D.C. office of the law firm of Garvey, Schubert & Barer. We appreciate your invitation to present a statement today.
Before founding NCI in 1981, I worked on the staff of the U.S. Senate and was responsible for preparing investigations and legislation that resulted in enactment of the Energy Reorganization Act of 1974 and the Nuclear Non-Proliferation Act of 1978. I also was Co-Director (with James Asselstine, who later became an NRC Commissioner) of the bipartisan Special Senate Investigation of the Three Mile Island Nuclear Accident, and I helped prepare the "lessons learned" legislation that was enacted as a consequence of this investigation. Thus, for the past 25 years I have been concerned in various ways with prevention of misuse and abuse of civilian nuclear energy programs, including prevention of radiological sabotage.
I am particularly interested in the Commission's present engagement with the staff's Operational Safeguards Response Evaluation (OSRE) program. Since 1991, in response to heightened concerns about terrorist attacks in the wake of the Gulf War, this three-person headquarters unit, with a budget of $90,000 a year, has been supervising so-called "force on force" exercises---mock attacks---at nuclear power plants. The exercises test the capabilities of plant operators to successfully repel an adversary whose objective is radiological sabotage---that is, destruction of a plant's vital systems to cause a core meltdown and breach of containment. Given the dire consequences that would result from a successful attack, I cannot think of anything more important for the NRC staff to do and for the Commission to make sure the staff does well.
Among the lessons learned from the TMI accident was that when a severe accident occurs, the uncertainty among operators and supervisors in the control room can run high, can contribute to the severity of the accident, and that uncertainty itself should be considered a condition of the plant in weighing whether an evacuation of the surrounding population is called for. The lessons-learned legislation enacted as part of the NRC Authorization Act of 1980 included a requirement that a newly constructed plant must be denied an operating license if the Commission is not presented the results of drills demonstrating that the surrounding area can be evacuated. Specifically, federal, state and local authorities must participate and agree that the surrounding area could be evacuated. As a consequence, the Shoreham plant was shut down before reaching full power after state and local authorities refused to participate in the drills because of their judgement that Long Island could not be evacuated. The Seabrook plant in New Hampshire came close to suffering a similar fate but was eventually granted an operating license.
I review this bit of history to illustrate the overriding importance of protecting a reactor's vital systems so that evacuation is never required. None of the plants operating today were really constructed with evacuation in mind. Emergency planning was an afterthought---considered not before issuance of the construction permit but just prior to granting of the operating license. The 10-mile inhalation zones and 50-mile ingestion zones established by the Commission, post-TMI, will have little meaning to the residents of New York City or Chicago, for example, if one of the plants operating nearby is successfully hit and a radioactive plume is heading their way. There will be a spontaneous desire to evacuate, and it will not be pretty, to say the least.
TMI was a close call. A total meltdown was averted after a newly arrived shift supervisor, Brian Mehler, figured out, two hours into the accident, that the Pilot Operated Relief Valve was stuck open and draining coolant from the core. As it turned out, about half the fuel melted as a result of the stuck valve and of the confusion it caused. How likely that a total melt could be averted if the precipitating event were not a mechanical failure, but rather the failure of security guards to prevent terrorists with explosives from successfully penetrating the protected area of a plant, or the failure to prevent a truckbomb the size of the one used against the federal building in Oklahoma City or the U.S. airmen's barracks in Dhahran, Saudi Arabia, from reaching and being detonated at or near the protected-area fence?
We could, of course, debate what the actual consequences of a successful attack would be, but why bother? Why not simply give NRC staff the resources and impose the necessary requirements on industry to make it extremely unlikely that such an attack could ever succeed?
That, in my view, is the essential question before the Commission today. The public expects that kind of protection and would surely demand it if the current deficiencies became widely known. If there were a successful attack, the human suffering and property loss that would ensue would almost certainly bring about the downfall of the nuclear industry---something that members of the Commission who regard the industry's survival as a sacred trust should ponder hard.
The basic position of the Nuclear Control Institute is that---
(1) current security regulations at nuclear power plants are inadequate to protect against radiological sabotage;
(2) the "design-basis threat" (10 CFR 73.1) against which plants are protected does not correspond to current real-world dangers and is not even fully applied with regard to the insider threat;
(3) the Commission cannot rely on advance warning to provide the necessary lead time to bolster defenses against an armed assault or vehicle-bomb attack (See: Lee V. Gossick, "Operating Assumption Covering the Use of and Reliability Placed in Information from the Intelligence Community" [memorandum from the Executive Director for Operations to senior NRC staff], April 10, 1978); and, therefore,
(4) the Commission must mandate measures sufficient to repel attacks on nuclear power plants that occur without any warning, and provide NRC staff the resources to enforce these measures.
Since 1985, NCI, in collaboration with the Committee to Bridge the Gap in Los Angeles, has pressed the Commission to upgrade its regulations regarding the Design Basis Threat (DBT). The current DBT contemplates several external attackers, in collaboration with one insider, approaching the plant as a single team and employing no more than hand-held weapons and explosives. The DBT for the "Truckbomb Rule"---promulgated in 1994 after the vehicular intrusion by a deranged man into the turbine building of the remaining TMI plant and after the truckbomb attack on the World Trade Center---appears insufficient to protect against the larger terrorist bombs used in Oklahoma City and Saudi Arabia since then.
The subject of today's meeting is the set of recommendations transmitted in January to the Commission by the Safeguards Performance Assessment (SPA) Task Force. The Task Force was formed last October to resolve sharp differences that had emerged within NRC staff, and between staff and industry, over the activities of the OSRE program. Things came to a head last summer when the OSRE staff learned by word of mouth that the program was to be terminated for budgetary reasons on September 30, the end of the fiscal year, without public announcement, and apparently without the Commission being advised either.
The head of the OSRE program, joined by a number of regional inspectors, filed Differing Professional Views (DPVs) with regard to termination of the program and to their complaints that current regulations are deficient to assure the level of protection against radiological sabotage at nuclear power plants required by the Design Basis Threat. An Ad-Hoc Review Panel was formed to consider the matter.
On November 4, the panel issued its report recommending that OSRE exercises be "terminated" pending resolution of a problem raised by industry. Industry contends, and NRC staff lawyers apparently agree, that failures by a licensee during OSRE force-on-force exercises to protect against the Design Basis Threat are not subject to fines or otherwise subject to enforcement action so long as a plant's Physical Security Plan (PSP) meets NRC regulatory requirements. Mr. Greenberg will address this legal question in a moment.
The panel's rather peculiar solution---to terminate the regulator because the regulations he's attempting to enforce are deficient---might have passed unnoticed except that an article appeared the day before in the Los Angeles Times disclosing the death of the OSRE program.
Included in this article (and revealed in greater detail subsequently during public meetings that I monitored between industry and NRC staff) were the alarming results of the exercises: a failure rate of 47% (27 of the 57 plants tested thus far) despite the fact that licensees were given six months to a year to prepare, were allowed to beef up response personnel by an average of 80% over levels authorized in their physical-protection plans, and had spent from $140,000 to $1.5 million on capital improvements. The additional guards were usually let go after the OSRE exercise, and this reduction in force did not comprise a violation because the smaller guard force still complied with the plant's Physical Security Plan.
To make matters worse, it became known during discussions between NRC staff and industry that OSRE (operating under informal staff guidance) limits its exercises so as not to test against the full Design Basis Threat. The mock insider plays a "passive," not "active," role---that is, provides information to the attackers, but does not facilitate entry, disable alarms and/or participate in the violent attack, as called for in the Design Basis Threat.
Even with this considerably less rigorous testing, the weaknesses identified at nearly half the plants tested were described by OSRE personnel as "significant." At the 27 plants that failed, security forces were unable to deny entry to mock intruders or to prevent simulated sabotage of vital equipment in one or more on-site exercises. At 14 of these plants, the mock intruders were able to gain simulated access into the reactor containment itself.
On November 10, one week after the Los Angeles Times story appeared and the same day as a lengthy letter from Rep. Ed Markey to Chairman Jackson arrived, the NRC announced that the Chairman had directed NRC staff to reinstate the OSRE program. OSRE would be permitted to complete exercises at the 11 plants not yet tested, while NRC staff would accelerate a study to determine the "proper level of performance testing appropriate to ensure that nuclear power plants can withstand the design basis threat, as defined in NRC security requirements."
Although not mentioned in this announcement, two other security programs appear to be in jeopardy at NRC---one, the so-called "assist visits" by OSRE team contractors, accompanied by NRC regional inspectors, to test and physically challenge the perimeter fences, sensors, cameras and access control systems to determine whether they can detect "attack by stealth." We understand the OSRE contractors were to be eliminated from this program at the end of the current fiscal year, leaving it to less-expert NRC inspectors to observe utilities testing their own systems. The other program already may have been zeroed out---NRC's $400,000 annual contribution to the Threat Credibility Assessment Team (CAT), run jointly with the FBI and DOE out of Lawrence Livermore National Laboratory, to give the NRC expedited intelligence information on threats to nuclear plants.
We urge the Commission to maintain these programs or reinstate them if they have been terminated, because they are important complements to the OSRE exercises.
The SPA Task Force has made four staff recommendations to the Commission. Two seem rather specific and potentially beneficial---relating to modification of regulations and preparation of a regulatory guide to develop target sets, protective strategies, and a program of periodic drills and exercises, as well as requirements to upgrade security plans when weaknesses are identified. The details are still being developed, and we will reserve judgment until we see them. The devil is in the details.
The other two recommendations are vague and potentially troublesome---relating to identifying the NRC inspectors' role in "observing tactical response exercises" and to training them for their new responsibilities. Implicit in these two recommendations is the phasing out of the expert contractors used by OSRE to monitor and evaluate the attack exercises and to evaluate perimeter fencing and detectors.
If this is the intent, and the Commission accepts these last two recommendations, OSRE's effectiveness will be neutralized, and the NRC will be reduced to essentially observing licensees running their own drills. This appears to be the objective of industry representatives in their discussions with NRC staff. The Commission should not permit such an outcome. Industry clearly wants to be out from under the costs and the embarrassment of the OSRE exercises. But given its dismal physical-protection track record to date, industry simply cannot be relied upon to regulate itself in this vital area. If the Commission were to cede this regulatory authority to industry, it would violate the most basic principle and intent of the Energy Reorganization Act---to separate regulation from promotion of nuclear power and establish the NRC as an independent regulatory agency.
The Commission, rather than acquiesce in a papering over of the deeply troubling inadequacies I have described, should initiate a major upgrading of the Design Basis Threat for radiological sabotage and should provide the OSRE program the needed resources and regulatory authority to fully test and enforce it. In particular, the exercises must assume an active insider, especially because industry now argues that operator intervention to mitigate the consequences of radiological sabotage should be factored into security requirements imposed on licensees and enforcement actions taken when licensees fail to protect against the Design Basis Threat. If operators are to be relied upon to do more, the role of an insider to neutralize operators also must be considered and tested.
I will close by turning to Mr. Greenberg to address the legal question, noted earlier, that was raised in the Ad-Hoc Review Panel's report.
I understand that the Commission does not currently consider that a licensee, which otherwise meets the requirements of 10 C.F.R. 73.55 (b)-(h), can be subject to an enforcement action if it fails to demonstrate successfully its capability to defend against the design basis threat. Indeed, the Report of the Ad Hoc Review Panel specifically states, "Enforcement guidance has been issued that indicates that the sole basis for security enforcement action is the facility security plan. This has led most facilities to be in compliance with applicable requirements in the security plan, but not necessarily being able to demonstrate that they can protect against the DBT." Elsewhere the report notes that findings of security weaknesses are "beyond enforceable requirements."
In NCI's judgment, it is not necessary to read the Commission's regulations so narrowly. Rather, the regulations can properly be read as requiring licensees to be able actually to defend against the design basis threat.
Section 73.1(a) states that the specified design basis threat "shall be used to design safeguards systems to protect against acts of radiological sabotage" (emphasis added). In turn, Section 73.55(a) states again, "The physical protection system shall be designed to protect against the design basis threat of radiological sabotage as stated in 73.1(a)" (emphasis added). The same Section goes on to provide, "To achieve this general performance objective, the onsite physical protection system and security organization must include, but not necessarily be limited to, the capabilities to meet the specific requirements contained in paragraphs (b) through (h) of this section" (emphasis added).
Several things about these rules support the conclusion that they can be read to create an enforceable obligation to provide protection in fact against the design basis threat. First, the language of the rules is mandatory. "Shall is the language of command." Escoe v. Zerbst, 295 U.S. 490, 493 (1935). Second, the phrase "not necessarily limited to" surely suggests licensees may need to take additional steps, beyond those specified in Subsections (b)-(h), to ensure that real protection exists. Third, the rules do not contain language that would clearly indicate that compliance with Subsections (b)-(h) would be a "safe haven" against an enforcement action.
Even though NCI believes that the current regulations can be interpreted as I have just suggested, I think it would be appropriate for the Commission to remove any ambiguity that might be found in the regulations. In particular, I would favor clarifying that the design basis threat is an enforceable requirement, e.g., by expressly stating that compliance with Subsections (b)-(h) is not a safe haven.
In addition, we would strongly support rewriting the rules to state clearly that, where deficiencies are identified, for example in an OSRE exercise, licensees are required by law to remedy them. SECY-99-024 now only recommends that rulemaking "consider regulatory changes necessary to require licensees to maintain the effectiveness of their contingency plans and to upgrade their security plan commitments whenever these [OSRE] exercises reveal weaknesses in their ability to protect against the design basis threat." The Commission should do more than merely "consider" these changes. Especially given the findings of the Ad Hoc Review Panel, it is essential that the Commission adopt these changes if the public is to have confidence that power reactors are adequately protected against radiological sabotage.
Thank you for your attention. We would be pleased to respond to questions.