IR 05000263/1993019
| ML20058C061 | |
| Person / Time | |
|---|---|
| Site: | Monticello  |
| Issue date: | 11/12/1993 |
| From: | Belanger J NRC OFFICE OF INSPECTION & ENFORCEMENT (IE REGION III) |
| To: | |
| Shared Package | |
| ML20058B998 | List: |
| References | |
| 50-263-93-19, NUDOCS 9312020331 | |
| Download: ML20058C061 (8) | |
Text
.
.
.
U.S. NUCLEAR REGULATORY COMMISSION
REGION III
l
'
Report No. 50-263/93019(DRSS)
,
Docket No. 50-263 License No. DPR-22 Licensee:
Northern States Power Company 414 Nicollet Mall Minneapolis, MN 55401 Facility Name: Monticello Nuclear Generating Station Inspection Dates: October 26, 1993 (onsite)
October 27-29, 1993 (in-office)
Type of Inspection: Announced Reactive Physical Security Inspection Date of Previous Physical Security Inspection: August 23 to l
September 2, 1993 L
l
-
// h0 /93 l
Inspector:
Q.b ( 2h$21 J. L8 Belanger Date
"
Senior Physical Security Inspector
//!/
f.3 Approved By:
7te
/, James R. Creed, Chief Date
'
[/ Safeguards and Incident Response Section
l Inspection Summarv i
l Inspection on October 26-29. 1993 (Report No. 50-263/93019(DRSS))
l Areas Insoected:
Included a review and discussion of circumstances involving l
a licensee identified incident of inadequate storage of a computer disk l
containing some significant Safeguards Information at the Monticello Nuclear l
Plant.
Results: Based on the results of this inspection, two potential violations were identified regarding:
(1) failure to secure a computer disk containing some significa.it safeguards information that could assist an individual in an act of radiological sabotage; and (2) failure to mark this disk and five
)
others with external safeguards information markings. The licensee identified the violations and reported the unsecured / unattended safeguards information to i
the NRC Operations Center in a one hour report as required by 10 CFR 73.71.
The licensee believed that the Safeguards Information was not actually compromised.
'
9312O20331 931113 ADOCK0500g3 PDR
!,
.
_
_ _
_
_
-
_ __
..-
.
.-
-
-
- _.
._.
.
!
i
!
'
i
'
!
!
REPORT DETAILS
{
l 1.
Key Persons Contacted
!
- L. L. Nolan, General Superintendent Safety Assessment l
- B. Anderson, Superintendent, Security
!
J. R. Bittner, Security Consultant, Corporate Security l
- S. Ray, Senior Resident Inspector, NRC Region III
- Denotes those present at the Exit Interview.
i j
2.
Entrance and Exit Interviews i
a.
At the beginning of the inspection, Mr. B. Anderson,
!
(
Superintendent, Security was informed of the purpose of this l
inspection, its scope, and the topical areas to be examined.
b.
The inspector met with the licensee representatives,-denoted in
Section 1, at the conclusion of inspection activities. A general
'
description of the scope and conduct of the inspection was
provided. Briefly listed below are the findings discusud during l
the exit interview. The licensee representatives were invited to i
provide comments on each finding listed below.
The details of i
each finding listed below are referenced, as noted, ~in the report.
!
The inspector described a potential escalated violation involving l
a failure to adequately secure safeguards information.
The-
!
.
inspector noted that the licensee identified that an unmarked.
!
l computer disk'containing safeguards information that could assist l
l an individual in an act of radiological sabotage, was not
!
controlled. The licensee initiated corrective action.
The event t
was reported to the NRC as required by 10 CFR 73.71. The licensee initiated corrective action to prevent recurrence, as described in
.
Section 4 of the Report Details.
!
i Licensee management agreed with the facts presented by the-
!
inspector regarding the potential violation involving uncontrolled i
safeguards information. The inspector acknowledged that the event was identified by the licensee, properly reported, and that j
comprehensive corrective action was immediately initiated.
.
c.
On October 28, 1993, the Monticello Superintendent,. Security was contacted to obtain copies of the current. revisions of.the safeguards drawings that were on-the computer disk found on August 26, 1993. These drawings'were received and reviewed by the inspector in. Region III on October 29, 1993.. His review resulted in the conclusion that the drawings could assist an adversary in radiological sabotage.
i
!
i
..
.
.
.
,.
-
-
~
.-
.
_.
.
.
-
'
t
.
.
.
,
d.
The licensee was advised by telephone.on November 2, 1993, that
.
the in-office review of the circumstances relating to the event resulted in the conclusion that there appeared to be two violations _ involved in the event: failure to properly mark
_
computer disks containing safeguards information and failure to
properly secure the information when it was unattended.
!
3.
Procram Areas Inspected (MC 0601):
l
Listed below are the areas which were examined by the inspector within
,
the scope of these inspection activities. These areas were reviewed and
evaluated as deemed necessary by the inspector to meet the specified
" Inspection Requirements" (Section 02) of the applicable NRC. Inspection Procedure (IP) and appropriate NRC regulations. Only those areas in which findings were identified are discur. sed in subsequent report sections.
Sampling reviews included interviews, observations and
document reviews. The depth _and scope of activities were conducted as
'
t deemed appropriate and necessary for the program-area being inspected Number Proaram Area and Inspection Reouirements Reviewed l
81038 Records and Reports:
(02) Reports of Physical Security Events
,
81810 Protection of Safeauards Information:
(01) General; (02)
{
Access to Safeguards Information; (05) Storage (07)-
r Reproduction
-
4.
Protection of Safeauards Information (IP 81810): Two potential l
violations were identified and are described below:
l
!
l l
On August 26, 1993, a contract draftsman discovered an unmarked 3.5"
!
i computer disk containing Safeguards Information drawings on his desk.
!
-
'
The disk had not been properly controlled as Safeg9ards Information for
i an indeterminable period of time, possibly back to July 1990. The
'
drawings were from the Vulnerability Assessment and could assist an l
adversary in radiological sabotage. The potential for_ actual compromise i
appeared low but could not be accurately verified. The event was reported to the NRC within one hour of identification.
,
i l
Details of Event
On August 25, 1993, a contract draftsman was using a computer in the work area of a former employee to retrieve a file and needed a disk to a
copy it. He had forgotten to bring a disk from his work station. He I
picked up an unmarked disk from the top of the former employee's desk-and copied the file.
It was not unusual to have loose disks laying l
l around the drafting area and the draftsman did not feel it unusual that-the former employee had left several disks laying on his desk when he
'
l l
terminated employment. The draftsman copied the file he needed, removed
!
the disk, and returned to his work station where he placed the disk on l-his desk and apparently covered it with another document on which he was
l
,
.
l
-
~
_,_.
.
.
,
., _
_
- -.
.._
. ~, _
.
.-.
..
.
.
.
.-.
-
-.
r
.
>
working.
He did not view the contents of the disk until the next day, August 26, 1993.
!
The draftsman discovered that the disk contained nine documents which
.
!
appeared, from their filenames, to be 1990 security documents. He loaded the files onto his hard drive and verified his suspicions by
!
viewing the first document labeled " Zone 1.DWG".
While he was unsure of
,
the contents of the drawing,.it was clearly labeled with " safeguards
information" headers. This draftsman was authorized access to
,
safeguards information in accordance with the licensee's program. The
!
.
draftsman then told a coworker that he had found a disk laying on his
desk and that after viewing the directory, determined it to contain.
!
safeguards information. Without seeing the contents of the disk, the coworker then instructed him to verify that the files on the disk were j
not the same revision number as the files maintained in the security
directory on the mainframe. He then verified through the Monticello security files, located on the VAX main frame, that the documents were not a current version. He attempted to erase the information from the
'
disk; however, after several attempts, his computer indicated that the disk could not be erased. He then attempted to erase and reformat the
'
'
disk in an effort to remove the information; however, each attempt was met with a computer error message, " general drive error". He decided to
.
destroy the disk since the information could not be erased. This was
'
accomplished by removing the outer plastic cover and cutting the disk
into four separate pieces which were then discarded in a waste basket i
located in his work area.
'
Immediately following the incident both draftsmen discussed what they i
should do about the situation and decided to and immediately informed
!
their NSP supervisor who advised the Superintendent, Security of the.
event.
!
i Investication By. 'icensee i
!
'
The licensee conducted an investigation at the request of the Vice
President, Nuclear Generation between August 27 and September 15,1993, j
to ascertain the circumstances surrounding how the disk was found and to
evaluate potential compromise. The investigation was performed by a
!
professional investigator from Corporate Security.
}
,
This investigation showed that the disk found in the drafting area i
contained safeguards information developed during 1990 in preparation j
for the NRC Regulatory Effectiveness Review conducted during September:
i 1990. The drawings were from the Vulnerability Assessment and could -
j assist an adversary in radiological sabotage.
(Details of the.
vulnerability assessment are safeguards information and are not j
included).
l The information contained on the disk was only slightly different from a.
i
..
.
.
!
new available revision'that was published and protected on the mainframe i
directory since December 1991.. The revision was a colorization version C
of the SGI drawings created in 1990. Therefore, the data on the-j i
'
-
1
.
.
.
,,
-
-.
.
-
. - -
. -.
-
- A
.--
-
_
.-
_
.
.
..
unprotected disk was determined to be significant safeguards information.
(The licensee's evaluation verified the unique significance of this information).
On September 10, 1993, the computer hard drive, the disk seized during a review of unmarked disks found in the_ drafting area and the disk destroyed by the subject were transferred to On-Track. Recovery Systems, Inc., a private firm specializing. in retrieving / reconstructing data from problem computer disks or hard drives. The results of this examination were:
The hard drive compression procedure used by the draftsman to
. erase the SGI from his hard drive had also formatted the readable DOS sectors needed to recover the data.
The results of this action made the information contained on the hard drive unreadable thereafter.
The 3.5" disk, cut into four pieces by the draftsman was
i unrecoverable, thus empirical confirmation that the data existed on that disk could not be made.
j
,
The licensee looked at the reliability and trustworthiness issue relating to statements made by individuals regarding this event.
Specifically, the access authorization files of the draftsman who had-found the disk and the former draftsman whose work station the disk was I
found were reviewed. Additionally, a criminal history check for the
.
surrounding seven county metro area were conducted for both individuals.
l The results of the reviews / checks disclosed no information that questioned the truthfulness of each individual.
j The investigation showed that a lack of oversight from NSP in the control of the contract drafting group led to a situation in which the
'
l day-to-day operation and/or decisions made by the contract group were unchallenged, and if improper, not detected. The poor involvement contributed to poor control and SGI marking procedures used by the l
group. The interviews showed that the contract drafting group, while knowledgeable, had not been trained on how to handle, process, mark, protect or destroy safeguards information.
During the investigation, a search of the safeguards file cabinets used by the drafting group and located in the Site Access Building document control vault disclosed seven disks, three which had been properly stamped SGI and four which were unmarked but later confirmed to contain SGI. While these disks had been properly secured, they had not been marked. The deficiency was corrected immediately by the Supervisor Nuclear Projects. Additionally, a search of the Site Security department's SGI cabinets disclosed one unmarked disk' which contained safeguards information relative to the-Site Security plans.
During the investigation, 570 disks were removed from the drafting group
[
working area. The disks included program disks, personal game disks and.
unmarked or labeled disks.
A' word search analysis of each disk-resulted i
1
,
.
.-
. -, -
....-
.-.-
..-.--,-, --
4-
--
_
__.
.
_.
_
__- __
.
.
,
{
e in the identification of one unmarked disk that appeared to contain SGI.
This disk was provided to On-Track Data Recovery Services for further analysis which subsequently showed that there was no safeguards information on this disk.
!
The investigation report stated there had been no malevolent intent and-that the information had not been compromised.
The inspector concluded that the licensee's investigation of this i
incident was comprehensive, objective, and that the information developed during the course of numerous interviews supported the.
i licensee's conclusions; however, it appears that the licensee could not i
prove or disprove compromise, only that the information was apparently uncontrolled for an extended period.
Anoarent Violations a.
10 CFR 73.21(d) requires that while in use, matter containing SGI l
shall be under the control of an authorized individual and that-
.
,
'
l while unattended, safeguards information shall be stored in a locked security storage container.
l
!
l l
Contrary to the above, a disk containing significant Safeguards l
Information that could assist an individual in an act of radiological sabotage was left unattended and unsecured outside of
the protected area.
A specific time frame could not be established to identify when l
the disk was removed from protection but it could have been as
long as two years when the drawings were originated in July 1990
when the drafting group was located in the basement of the Administration Building located within the Protected Area.
In'the
!
fourth quarter of 1991, the drafting. group was relocated from_
inside the PA to the Site Administration _ Building (SAB) located in the Owner Controlled Area.
.
The drafting area in the SAB is an open work area _ consisting of.
!
cubicles. There are no personnel access controls to the SAB during the daytime hours. During evening hours,- the exterior
doors are secured and access is limited to selected _ employees
- t i
authorized to have the cipher lock combination. _ The site security force is responsible to periodically check that the exterior doors are secured. They do not enter the SAB for the purpose of.
conducting interior patrols. There are approximately 350 site employees, of which approximately.100 to 130 work in the SAB.-
Approximately 95% of the plant's eniployees have been' screened for access to safeguards information.
b.
10 CFR 73.21(e) requires that each document or.other matter that contains safeguards information shall be marked " Safeguards.-
-
Information" in a conspicuous manner to indicate the presence of protected information.
.
i i
.
..
.
- -, -.
-
- - -
-.
-
.
.
i
..
Contrary to the above, six computer disks containing safeguards information were not marked. One of the unmarked disks which contained sensitive Safeguards Information was found improperly protected.
The licensee's procedure (4AWI-03.04.03 Revision 6, dated July 1990 required that computer disks have external markings denoting l
SGI in a conspicuous place. The licensee's investigation showed that standard operating procedure employed by the drafting group was not to mark disks containing SGI. A search of a drafting group SGI container, maintained in the document control vault, validated this practice, as four disks that contained SGI, while secured, had not been marked.
Licensee Corrective Actions
,
a.
Immediate Corrective Actions Patrols of the Protected Area and Owner Controlled Area e
were immediately conducted to check for any unauthorized, suspicious, or threatening activities. None were identified.
t All security officers on shift were briefed regarding the
.
details of the incident and the possible implications.
A computerized EOF /0NS report (listing of personnel on site)
.
was run and reviewed against the badge rack to ensure all personnel on site were properly authorized.
Heightened Security Awareness measures were deterained and
.
implemented in response to the potential compromise of significant Safeguards Information. These measures included hourly owner controlled area vehicle patrols; locking all intermediate barrier fence gates; eliminating all owner controlled areas activities such as fishing, hunting; hourly protected area patrols; and positioning pan / tilt / zoom cameras on prime positions for response. Based on the results of the event investigation and the determination that there was no malevolent or deliberate intent, these measures were discontinued at 10:30 a.m. on September 16, 1993.
Badges of the individuals involved in the incident were
.
placed on hold pending further investigation. Based on the
results of the investigation, the hold was lifted.
b.
Followup Corrective Actions The licensee conducted an external investigation of all
.
facts.
Investigators from the Corporate Security Services
,
department were called in the following morning to l
investigate the event.
l
i
.
,
-
.
,,
I I
'
The draftsman's computer hardware and the destroyed disk e
were controlled and sent to an expert computer data
!
!
retrieval firm off-site to attempt recovery of destroyed and deleted information. These attempts were unsuccessful.
.
Prior to this event, plans had been made to move all
Safeguards Information to a central location within the
'
Protected Area. The details of these plans were being developed at the time of the event. Since the event, all Safeguards Information has been moved to storage locations
within the Protected Area under the control of Security.
c.
Corrective Actions To Be Completed
,
A program will be instituted to reduce the amount of e
l Safeguards Information that is available and stored at the
!
site. Documents will be reviewed and declassified as
'
appropriate. Completion Date:
11/15/93.
A document detailing what information should be considered e
,
l SGI will be created and used to declassify any appropriate j
documents currently controlled as SGI. Completion Date:
l 11/5/93.
The Superintendent, Security at the site will be responsible
.
for the classification and declassification of Safeguards
.
Information for the entire site. A site work instruction I
will be revised to assign responsibility to the i
Superintendent, Security. Completion Date:
11/30/93.
Conclusions The licensee's program for the protection of safeguards information
failed in its oversight responsibilities of the contract drafting group.
The contract drafting group lacked adequate training in the marking and
!
handling of safeguards information. As a result, an unmarked disk
containing significant safeguards information had inadvertently been stored with several other uncontrolled disks that did not contain i
safeguards information. The potential for compromise appeared low
,
because the disk was not marked in any way to draw attention to it or to identify that it contained safeguards information. However, due to the apparent length of time the disk was not controlled, the opportunities
for actual compromise could not be determined. The licensee's investigation of the incident was thorough, and the corrective actions taken were comprehensive.
.
!
S
-.
_
-.