Congressional Auditors Find U.S. Nuclear Plant Security Flawed

WASHINGTON, DC, September 24, 2003 (ENS) - Security at the 104 U.S. nuclear power plants needs immediate upgrading, according to a report released today by the General Accounting Office, the investigative arm of Congress. The report recommends that the Nuclear Regulatory Commission's oversight at commercial nuclear power plants be improved by "promptly restoring annual security inspections" and strengthening force-on-force exercises designed to prepare security personnel to deal with an attack.

The report on the Nuclear Regulatory Commission's (NRC) oversight of power plant security was prepared at the request of Congressman John Dingell, a Michigan Democrat who is the ranking minority member of the House Committee on Energy and Commerce, and committee member Congressman Edward Markey, a Massachusetts Democrat who also serves on the House Homeland Security Committee.

The General Accounting Office (GAO) was asked to review the effectiveness of the NRC’s security inspection program and legal challenges affecting power plant security.

The GAO determined that although the NRC has "taken numerous actions to respond to the heightened risk of terrorist attack," three aspects of its security inspection program were flawed.

power plant

Baltimore Gas and Electric Company's Calvert Cliffs nuclear power plant (Photo courtesy NRC)
First, NRC inspectors often used a process that minimized the significance of security problems found in annual inspections by classifying them as “non-cited violations” if the problem had not been identified frequently in the past or if the problem had no direct, immediate, adverse consequences at the time it was identified, the GAO reports.

Non-cited violations do not require a written response from the power plant licensee and do not require NRC inspectors to verify that the problem has been corrected.

For example, the GAO found that guards at one plant failed to physically search several individuals for metal objects after a walk-through detector and a hand-held scanner detected metal objects in their clothing. The unchecked individuals were then allowed unescorted access throughout the plant’s protected area.

"By making extensive use of non-cited violations for serious problems, NRC may overstate the level of security at a power plant and reduce the likelihood that needed improvements are made," the GAO warned.

Second, the NRC has no routine, centralized process for collecting, analyzing, and disseminating security inspections to identify problems that may be common to plants or to provide lessons learned in resolving security problems, the GAO pointed out.

Third, although NRC’s force-on-force exercises can demonstrate how well a nuclear plant might defend against a real life threat, several weaknesses in how NRC conducted these exercises limited their usefulness.

The GAO reported weaknesses including using more personnel to defend the plant during these exercises than during a normal day, attacking forces that are not trained in terrorist tactics, and using unrealistic weapons - rubber guns - that do not simulate actual gunfire.

Only limited use of some available improvements that would make force-on-force exercises more realistic and provide a more useful learning experience have been incorporated by the Nuclear Regulatory Commission, the report found.

Releasing the GAO report today, Congressman Dingell said, "It is unfortunate that one terrorist attack on American soil wasn't enough to prompt the NRC to pay greater attention to the security risks at some of our country's most vulnerable sites. The GAO report is another wake up call to the NRC that they need to change their attitude about nuclear security by making much needed improvements immediately."


Congressman John Dingell of Michigan (Photo courtesy Office of Representative Dingell)
In April, the Nuclear Regulatory Commission issued a new design basis threat that the commercial nuclear power plants must be prepared to defend against.

"However," the report warned, "NRC’s past methods for ensuring that plants are taking all of the appropriate defensive measures - the annual security inspections and the force-on-force exercises - had significant weaknesses. As a result, NRC’s oversight of these plants may not have provided the information necessary for NRC to ensure that the power plants were adequately defended."

"It is stunning that the NRC still isn't assuring the safety of the millions of Americans who live near the 104 licensed nuclear reactors two years after the attacks of September 11," said Markey today. "GAO has documented a disturbing pattern of lax NRC oversight and inattention to security at these sensitive facilities that are at the very top of Al Qaeda's list for future attacks."

The NRC is in the process of revising both its security inspection program and its force-on-force exercise program. The NRC expects its security inspection program to be restored by 2004 and will decide the future of its force-on-force program after completing its pilot program - at a date yet to be determined.

Jim Wells, director of the GAO's Natural Resources and Environment division, explained in the report that the Nuclear Regulatory Commission had seen a draft version for review and comment.

"NRC stated that our report did not provide a balanced or useful perspective of its role in ensuring security at commercial nuclear power plants. NRC believed that our report was 'of a historical nature,' focusing on NRC’s oversight of power plants before September 11, 2001, and that our report failed to reflect the changes NRC has made to its program since September 11.

The commission told the GAO that its characterization of "non-cited violations as minimizing the significance of security problems is a serious misrepresentation," Wells wrote.

The commission called the issues raised in the GAO report “anecdotal” and said they were “relatively minor issues” and that it treated them appropriately.

"We agree," Wells wrote, "that NRC has taken numerous and appropriate actions since September 11, 2001, and that additional security procedures have been, and are being, put in place to increase power plant operators’ attention to enhancing security."

But, Wells warns, "NRC’s oversight actions since September 11 have been interim in nature; it has conducted ad hoc inspections and some force-on-force exercises as part of a pilot program."

power plant

Oconee nuclear power plant in Oconee County, South Carolina is operated by Duke Energy. (Photo courtesy NRC)
The Nuclear Regulatory Commission has suspended the two primary elements of its oversight program - the security inspection program and the force-on-force exercises - and has not yet resumed them, the GAO points out.

Wells defends the GAO's inclusion of pre-September 11 security practices by explaining, "NRC said that it plans to reinstitute the security inspection and the force-on-force exercise programs in the future, but it does not now know what the revised programs will consist of. As a result, we remain convinced that it was appropriate to examine NRC’s security oversight program before September 11. In the absence of any formal post-September 11 oversight program, this was the only way to systematically assess the strengths and weaknesses of NRC’s oversight."

The GAO's recommendations are "directed at strengthening the oversight programs and making NRC’s oversight more relevant to the post-September 11 environment," Wells wrote.

The GAO recommends that the NRC commissioners ensure that NRC’s revised security inspection program and force-on-force exercise program are restored promptly and require that NRC regional inspectors conduct follow-up visits to verify that corrective actions have been taken when security violations, including non-cited violations, have been identified.

The NRC should routinely collect, analyze, and disseminate information on security problems, solutions, and lessons learned and share this information with all NRC regions and licensees, the report states.

The commissioners should make force-on-force exercises a required activity and strengthen them by conducting the exercises more frequently at each plant.

The exercises should use laser equipment to ensure accurate accounts of shots fired, and require the exercises to make use of the full terrorist capabilities stated in the design basis threat, including the use of an adversary force that has been trained in terrorist tactics.

The NRC commissioners should continue the practice, begun in 2000, of prohibiting licensees from temporarily increasing the number of guards defending the plant and enhancing plant defenses for force-on-force exercises, the GAO recommends.

The GAO report will be submitted to the Senate Committee on Governmental Affairs and the House Committee on Government Reform not later than 60 days after the date of this report’s release, which is today.

It will be submitted to the Senate and House Committees on Appropriations with the agency’s first request for appropriations made more than 60 days after today.

The report, "Nuclear Regulatory Commission: Oversight of Security at Commercial Nuclear Power Plants Needs to Be Strengthened," is available on the GAO website at: