INDIAN POINT SAFE ENERGY COALITION (IPSEC)

 ISSUE BRIEF

A CRITIQUE OF THE NRC’S DESIGN BASIS THREAT AND THE EXPANDED PILOT FORCE-ON-FORCE EVALUATION REGULATIONS & DRILLS

Background on the Design Basis Threat

One of the more imperative issues facing the Indian Point nuclear power plant is the appropriate Design Basis Threat (DBT) level for the facility in the post-September 11^th world. The U.S. Nuclear Regulatory Commission’s DBT defines the size and capability of potential attackers that nuclear power plant owners, like Entergy, must protect against. The federal government provides protection against attacks above the DBT level per the “enemies of the state” provision. (§50.13, “Attacks and destructive acts by enemies of the United States and defense activities,” of Title 10 of the Code of Federal Regulations, September 26, 1967.)

 For about 25 years, the Nuclear Regulatory Commission (NRC) has required reactor operators to design their security plans to protect only against a land-based terrorist event by no more than three external attackers operating as a single team and using weapons no more sophisticated than hand-carried automatic rifles.  However, on September 11, 2001, more than six times that number of attackers, operating as four separate teams, using airplanes as weapons, launched a terrorist attack in the United States that took thousands of lives.  A successful terrorist attack on a reactor or spent fuel pool could result in tens of thousands of casualties from prompt deaths and delayed cancers.  Yet a year and a half passed without NRC revising its DBT.

 Considering that the National Research Council, in a July 2002 report, stated “the potential for 9/11 type attacks on nuclear power plants is high,” the NRC’s inaction has been troubling. The NRC has previously suggested that, in order not to burden industry, the new rules would not require reactor operators to protect against a threat equal to or greater than encountered on 9/11.  Despite the fact that many elements of the old rules are publicly available in the Code of Federal Regulations, NRC is keeping all details of its new order secret.

 On April 29, 2003, the NRC – after intensive consultation with the nuclear industry, but with representatives of public interest organizations shut out – approved changes to the DBT.  According to their April 29^th media release, the NRC “believes that the revised DBT represents the largest reasonable threat against which a regulated private guard force should be expected to defend under existing law.” These changes were be issued by Order to the licensee, but not made public.

 The NRC can determine adequate protection up to the DBT limit by conducting force-on-force security tests at each nuclear plant site at least once every three years. The NRC began force-on-force security tests under its Operational Safeguards Response Evaluation (OSRE) program in 1991. Each OSRE test featured simulated attacks by a small group of mock intruders, sometimes as small as a single person and often at the DBT limit. These simulated attacks determined whether all the elements of the security program (i.e., intrusion detection devices, locked doors, armed responders, etc.) fit together as intended or if seams existed which the attackers might try to exploit.

 Ten years of force-on-force exercises - pitting teams of mock defenders against teams of mock terrorists - showed that about half of the plants could not stop even these rudimentary sorts of assaults.  Each utility was graded on its ability to keep mock terrorists from reaching the control room or other critical areas of the plant, where they could cut off coolant to the reactor and possibly trigger a meltdown.

 On September 10, 2001, the NRC had plans for force-on-force security tests at fourteen (14) nuclear power plants in the upcoming year. All tests were cancelled following the tragic events of September 11^th. The NRC conducted no force-on-force tests during 2002.

 The NRC has just recently reinstated a modified OSRE program at four plant sites nationwide, including the Indian Point nuclear power plant in Buchanan, NY. [1]

 Prior to September 11, 2001, these mock attack tests occurred only once every eight years.  A few days before the one-year anniversary of Sept. 11^th, the NRC issued a press release announcing that it is planning to begin conducting these OSRE tests every three years. (IPSEC RECOMMENDATION: Whether by legislation or other means, the Congress should make sure that NRC carries out its stated plans to meaningfully test nuclear plant security on a routine basis.)

 The OSRE program can evaluate security readiness up to the DBT level, but it provides no measure of the protection against “enemies of the state” for which the federal government is responsible. (IPSEC RECOMMENDATION: The Department of Homeland Security should assess how well federal entities meet their responsibilities using periodic full participation exercises at all nuclear plant sites.)

Protection against enemies of the state has two primary components. When intelligence gathering and assessment identifies a credible pending threat against one or more nuclear plants, federal resources must be deployed to thwart the attack. When an attack precedes its warning, federal resources must be deployed in response. (IPSEC RECOMMENDATION: Periodic full participation exercises would allow the Department of Homeland Security to assess the readiness of various federal entities in successfully carrying out their protection and response functions.)

 There has only been one full participation exercise involving federal entities responding to a simulated nuclear power plant attack. A major counter-terrorism exercise initiated by the Federal Bureau of Investigation (FBI) was conducted on May 16, 2001, at the Palo Verde Nuclear Generating Station. This exercise of federal capabilities against enemies of the state involved the plant’s owner, the NRC, and other local, state, and federal entities.  The March 1979 reactor accident at the Three Mile Island nuclear plant clearly demonstrated how chaos and bureaucratic mayhem reign when responses to major disasters are ad hoc rather than pre-planned. The ability of the federal government to cope with nuclear plant threats above the DBT level appears no better today than its ability to respond to nuclear plant accidents in February 1979. (IPSEC RECOMMENDATION: Whether by legislation or other means, Congress should make sure the Department of Homeland Security conducts full participation exercises at all nuclear plant sites to verify that the federal government can provide adequate protection against assaults above the DBT level.)

Flaws with the new OSRE drill

 1) There is too much advance notice. Indian Point has had months to prepare for their OSRE drill which is expected in June 2003. Entergy knows the exact date of the test. So, they can make sure all equipment is in top working order and that all security officers are fully trained on their response duties. In reality, the attackers are unlikely to provide early warning. Thus, intrusion equipment may be out of service for repairs and security officers may be new to the job without fully comprehending their duties (per comments by Indian Point Security Officers).

(IPSEC RECOMMENDATION: The right way to perform the OSRE drills is with short notice. Short notice, about two or three weeks, provides the plant owner enough time to arrange “cover” security (during the OSRE, real security officers with real guns must be present but not involved in the exercise in case a real attack were to occur) but not enough time to correct many deficiencies. Short notice OSRE drills are thus a more accurate measure of security readiness.  At the moment of notification, plant operators should be required to “freeze in place” the security force to be tested, rather than calling in their most capable security officers.  When notification occurs months in advance companies have time to hire security-training consultants and additional guards to improve their security posture and chances of success in deterring a mock attack. Even a nuclear industry representative acknowledged that utilities spend ‘millions of dollars’ getting ready for the tests. The security officers said that for months prior to a test, they repeatedly practice for the two or three scenarios on which they will be tested, often with the help of the consultants. The problem, according to the guards, is that they train only on the particular attacks that will be used in the test rather than on many different types of attacks. Once the tests are completed, the security consultants are let go and the guard force reduced until the next test.)

 2) The OSRE drills set a low bar to hurdle by using a low passing grade. The OSRE drill typically features four force-on-force exercises. Each exercise features the mock intruders attempting to destroy every piece of equipment on a “target set” and the armed security officers trying to prevent it. The plant security defense team has to win at least three of the four exercises for the plant to get a bad grade. In real life, there would be no second chances.

(IPSEC RECOMMENDATION: Good security should be scoring 100 rather than 75 on the OSRE drill.)

 3) The OSRE drills are almost always performed with the plant at full power during evening or midnight shifts, i.e. during a time when the number of workers at the plant is minimal. The armed responders, knowing that an OSRE drill is in progress, can literally shoot at anything that moves and be assured it’s an attacker. In reality, the armed responders would have to spend a few seconds distinguishing between friend and foe. Having no “innocent” workers around makes it easier for the defenders and harder for the attackers. In addition, the OSRE drills are never run during outages. During outages, the equipment to be protected is different and the containment barriers may already be breached (opened for refueling).

(IPSEC RECOMMENDATION: OSRE drills should be performed during outages and security officers must be trained and tested to differentiate between plant workers and attackers.)

 4) The OSRE drills limit the insider role to that of a passive participant. The security regulations have long specified that the attackers can be aided by one insider acting in either a passive or active role. The OSRE drills to date and as planned have limited the insider role to that of a passive participant. In other words, the insider provides information to the attackers so they can plan their assault. But the insider does not take an active role (i.e., creating a distraction, damaging target set equipment or security equipment, etc.)

(IPSEC RECOMMENDATION: OSRE drill should involve an active participant.)

 5) The OSRE drills to date and as planned have only involved attackers originating from one direction as one team.  The September 11^th attacks which took thousands of lives and recent subsequent attacks abroad in Saudi Arabia and Casablanca, were comprised of approximately 20 terrorists divided into multiple teams attacking from multiple directions.  A successful terrorist attack on a reactor or spent fuel pool could result in tens of thousands of casualties from prompt deaths and latent cancers.

(IPSEC RECOMMENDATION: OSRE drills should assess the ability of plant security to defend against teams of 4 or 5 attackers originating from multiple directions.)

 6) The OSRE drills to date and as planned only require plant security to defend against a small number of attackers.  The attacks of September 11^th on U.S. soil and more recent attacks abroad involved 19 or more terrorist attackers.

(IPSEC RECOMMENDATION: At a minimum, the OSRE drills should assess the ability of plant security to defend against twenty or more attackers, in teams of 4 or 5, and attacking from multiple directions.)

 7) The OSRE drills do not assess plant security’s ability to defend against an attack on the spent fuel pool. More than 300 OSRE exercises have been conducted since 1991. A grand total of zero (0) of these exercises has been run with the spent fuel as the target.  

(IPSEC RECOMMENDATION: OSRE drills should include the spent fuel storage pool as the target of at least one exercise during the OSRE drills.)

 8) NRC, after intensive consultation with the nuclear industry, did not seek public input while revamping the OSRE exercises. 

(IPSEC RECOMMENDATION: The NRC should receive input from representatives of public interest groups on security policy issues.)

 9) A plant owner which performs poorly on an OSRE drill is not subject to enforcement actions. 

(IPSEC RECOMMENDATION: A plant owner that performs poorly during an OSRE drill should be subject to an enforcement action.  If a plant owner repeatedly performs poorly, the NRC should order the closure of the plant, until the plant owner improves its performance during the OSRE drill.)

 10) No independent observers, those without a vested interest, are present to monitor and evaluate the drills.

(IPSEC RECOMMENDATION: The NRC should allow independent observers, i.e. congressional staff with security clearance, to observe and evaluate the OSRE drills to ensure that the drills are not staged and provide an accurate assessment of plant defenses.)