ML20151P320
| ML20151P320 | |
| Person / Time | |
|---|---|
| Site: | Fermi  |
| Issue date: | 04/01/1987 |
| From: | Hayes B, Kazmar R, Pawlik E NRC OFFICE OF INVESTIGATIONS (OI) |
| To: | |
| Shared Package | |
| ML20151N259 | List: |
| References | |
| FOIA-88-227 3-86-006, 3-86-6, NUDOCS 8808090318 | |
| Download: ML20151P320 (27) | |
Text
- <. :. l l
l
[ CASE No. 3-86-006
,p m ,,
United States b i i Nuclear Regulatory Commission
,,,,,/
~
~
Report of Investigation FERMI Power Plant, Unit 2: l Material False Statement l
l 1
I Office of Investigations Reported by 01: Rill g Bo g e 880630 f1AXWELL88- 227 PDR
i l
Title:
FERMI POWER PLANT, UNIT 2 MATERIAL FALSE STATEMENT l Licensee: Case Number: 3-86-006 Detroit Edison Company- Report Date: April 1,1987
,' 6400 North Dixie Highway ,
Detroit, MI Control Office: 01:RIII J l
. Docket No. 50 141 Status: CLOSED
. Reported by: Rey ed by:
0 1 Richard C. Kazmg W JWWY Eugene T OPawlik )
Investigator Director ,
Office of Investigations Office of Investigations !
Field Office, Region III Field Office, Region III l Appr by: I u.,h ,S j U~en B. Hayes // I Director Office of Inves 'ga ions Participating Personnel: 1 James N. Kc1kman, Investigator. 01:RIII l Terry J. Madeda, Physical Security l Inspector, RIII Encle:>: o Co..toins SAFEGUARDS INFORMATION Upon Separation This l Page is Decontrolled WARNING The attached docuaent/ report has not been reviewed pursuant to 10 CFR i 2.790(a) exemptions nor has any exempt material been deleted. Do not disseminate,or discuss its contents outside NRC. Treat as "0FFICIAL USE l ONLY." 'l l
3tAl
SYNOPSIS On May 1, 1986, NRC Region III (RIII) requested that the Office of Investigations (01) investigate the allegation that Detroit Edison Company's (DECO's) Fermi 2 Director of Nuclear Security (DNS) willfully furnished false ,
information to an NRC inspector during an inspection (No. 50-341/85047) on or I about November 12, 1985.
In June 1986, 01 began to investigate the allegation which is based on l information provided by a Deco Nuclear Security Specialist (NSS) to a RIII Inspector during Inspection No. 50-341/85047, conducted at the Fermi 2 Power Plant during November 12 through December 27, 1985.
The NSS informed the inspector that Safeguards Information (SI) had been entered into DECO's Comprehensive Electronic Office (CE0) system under the direction of the DNS during the preparation of a written report submitted to ,
the NRC regarding a security incident which had occurred at the plant on l November 1, 1985. The NSS stated that the DNS was aware that the CEO system I had an offsite transmission capability since he had access to the results of an inquiry as to why the CEO should not be used for SI and which had been l i
completed by one of his own staff members on September 30, 1985. The results '
of the inquiry state that "the system is not self contained within the facility."
Subsequent to receiving the allegation from the NSS, an NRC Inspector confronted the CNS on or about November 12, 1985, and in response to an inquiry as to why the CEO was used for SI, he stated that he had been "unaware of the offsite l
transmission capability" of the system. This statement by the DNS to the l inspector, which is incorporated in Inspection Report No. 50-341/85047, is the j basis of the allegation.
01 was able to corroborate the information provided by the NSS and also l developed evidence indicating that the DNS was aware of the contents of the l results of the inquiry into the use of the CEO system for SI shortly after its completion on September 30, 1985. The investigation also revealed that the l
. Assistant DNS had warned the DNS, as confirmed by two other DECO employees, not to use the CEO in the preparation of the five day letter.
In view of the foregoing, 0I was able to establish that the DNS was knowledge-able that there existed questions as to the suitability of using the CEO for l processing SI, and that his statement to the inspector, which implies his lack l of knowledge, was false and an attempt to mislead the NRC inspector.
l I
i 1
Case No. 3-86-006 1 i
l
\
l l
i i
1 l
1
'l 1
- l l l
l l
l l
1
) l THIS PAGE LEFT BLANK INTENTIONALLY. !
l
)
i 1
1 1
l l
l Case No. 3-86-006 2
ACCOUNTABILITY The following portions of this Report of Investigation (Case No. 3-86-005) -
will not be included in the material placed in the PDR. They consist of pages ' through 17.
I r
l l
l d
Case No. 3-86 006 3 s.
1 THIS PAGE LEFT BLANK INTENTIONALLY.
l 1
1 1
1 l
l 1
i Case No. 3-86-006 4 l l
l
TABLE OF CONTENTS Page SYNOPSIS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1 ACCOUNTABILITY . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3 APPLICABLE REGULATIONS . . . . . . . . . . . . . . . . . . . . . . . . 7 DETAILS OF INVESTIGATION . . . . . . . . . . . . . . . . . . . . . . . 9
- Purpose of Investigation .................... 9 Background ........................... 9 Details . . . . . . . . . . . . . . s .............. 9 W111 fulness / Intent ......................15 Agent's Conclusions . . . . . . . . . . . . . . . . . . . . . . 16 LIST OF EXHIBITS . . . . . . . . . . . . . . . . . . . . . . . . . . 17 I
1 l
1 l
l Case No. 3-86-006 5
a e
THIS PAGE LEFT BLANK INTENTIONALLY.
1 I
\
e Case No. 3-86-006 6 '
i
APPLICABLE REGULATIONS 10 CFR 73.21(h), Requirements for the Protection of Safeguards Information, Use of Automatic Data Processing (ADP) Systems.
c e
4 j
.l .
t i
4 4
l Case No. 3-86-006 7
THIS PAGE LEFT BLANK INTENTIONALLY.
Case No. 3-86-006 8.
DETAILS OF INVESTIGATION Purpose of Investigation This investigation was initiated to determine whether Detroit Edison Company's (Deco's) Director of Nuclear Security (DNS) willfully furnished false informa-tion to an NRC inspector during an inspection (No. 50-341/85047) on or about November 12, 1985.
Backnround On May 1, 1986, the NRC Regional Administrator, Region III (RIII) requested an investigation subsequent to an NRC inspector receiving information on or aoout November 12, 1985, from a DECO Nuclear Security Specialist (NSS) that Safeguards Information (SI) had been entered into DECO's Comprehensive Electronic Office (CEO) system under the direction of the DNS. The NSS alleged that the DNS was aware of the offsite transmissian capability of the CEO, having access to an inquiry into the use of the CEO for SI by one of his own staff members, and thereby was knowledgeable that the CEO should not be used for SI (Exhibit 3; Exhibit 11). When confronted by an NRC inspector, the DNS stated that he had been "unaware of the offsite transmission capability" of the system. This statement by the DNS to the inspector, which is incorporated in NRC Inspection Report No. 50-341/85047, is the basis for the request for investigation (Exhibit 3).
Details On July 1, 1985, a letter (Exhibit 1) was sent by Stuart LEACH, ONS, to l James PIANA, Director, Nuclear Administration, indicating that memt.srs of LEACH's staff had raised concerns that DECO's automatic data processing system known as "CE0" may have deficiencies which would prevent SI from being adequately protected. A copy of the letter was also "ce'd" to Wayne HASTINGS, who at that time was Assistant Director, Nuclear Administration. No specifics as to the nature of the deficiencies were listed in the letter.
l
, 01 determined that the letter originated frc,m concerr.s about the use of the l CEO for SI that were brought to the attention of Joe KORTE, Nuclear Security Coordinator (NSC) by NSS Carolyn LARY (Exhibit 4; Exhibit 5) sometime in June i 1985. These concerns were then related to the Assistant DNS, Sam THOMPSON, who subsequently addressed the issue to LEACH (Exhibit 5). According to KORTE, LEACH requested a memo which KORTE recalled composing possibly with the assistance of LARY (Exhibit 5). Dorothy BALENT, secretary to LEACH, recalled I typing the memo and that it had been written by KORTE (Exhibit 6).
PIANA, the recipient of Exhibit 1, recalled receiving the memo and talking to LEACH about its contents (Exhibit 7, pages 5-6). According to PIANA, in conjunction with the installation of the CEO system, typewriters were being removed from the Nuclear Security Department. LEACH expressed concern to PIANA in regards to removing all the typewriters "because he thought he would have to have one for Safeguards Information" (Exhibit 7, page 6). PIANA Case No. 3-86-006 9
O further stated that he told LEACH to keep his typewriter and look into the concerns (Exhibit 7, page 6). PIANA admitted putting "...it back in his (LEACH's) lap" because he (PIANA) "...didn't pretend at the time to know the regulations or what the requirements were" (Exhibit 7, page 7). PIANA stated that to his knowledge, LEACH never resolved the issue, and about a month later, he left the position of DNS. PIANA also admitted that he "...didn't do a real good job of following it up" (Exhibit 7, page 7).
When questioned as to why HASTINGS was sent a copy of the letter, PIANA stated, "I can only guess, but it was probably because of the previous years when he was in the computer area he got an ancillary assignment to go out and help start up this security system, because they were having a lot of security difficulties. Wayne didn't have any responsibility July 1 for CE0" (Exhibit 7, pages 7-8).
In regard to the contents of the KORTE memo, PIANA stated that he did not
...think Wayne and I ever discussed it" (Exhibit 7, page 7).
When interviewed, HASTINGS stated that he did not recall "...seeing it. And it would not be a major thing to me, because I had no responsibility for CEO at the time" (Exhibit 8, page 7).
In the early part of September 1985, HASTINGS replaced LEACH as DNS (Exhibit 6; Exhibit 8, page 5). According to LARY, she told HASTINGS, shortly after he became Director, that the secretaries in Nuclear Security were not using the CEO for SI pending a decision by management (Exhibit 4 Section VI).
LARY also stated that she remembers a conversation between NRC Inspector Terry J. MADEDA, HASTINGS, THOMPSON, KORTE, and herself regarding the CEO.
According to LARY, MADEDA asked if there were lines that went offsite and if they were not certain, they should avoid using the CEO for SI (Exhibit 4,Section VI). This conversation appears to be documented in NRC Inspection Report No. 50-341/85047 (Exhibit 3, page 37).
Shortly after HASTINGS became DNS, he directed KORTE to research the matter regarding the use of CEO for SI (Exhibit 4,Section VI; Exhibit 5). HASTINGS confirmed his request to KORTE, but stated that the reason for the request was to use the CEO for storing security procedures and plans (Exhibit 8, page 8) so that they would be available to security personnel and others who were authorized (Exhibit 8,pages10-11). HASTINGS' reason for using the CEO is apparently documented in NRC Inspecticn Report No. 50-341/85047 which states, '
...the security department was considering putting Safeguards Information, to include security plans and procedures, into their CEO data processing system" (Exhibit 3, page 37).
When interviewed. T4OMPSON stated, "When Wayne came in in September of '85, one of the conversations that we were having, Wayne was mentioning he was going to place all our physical security plans, contingency plans, procedures, everything we had, on to the CEO system so that any changes we had, we could have quick turnaround" (Exhibit 12, page 11). THOMPSON continued, saying
...I advised him that we could not do it because you can not put Safeguards on the CE0" (Exhibit 12, page 11). According to THOMPSON, he explained to
. Case No. 3-86-006 10
HASTINGS the requirements of the 10 CFR and "... basically the same thing that Joe had explained to him, that outside lines, that's not onsite; and you know, there are super-users and they can access it real quick" (Exhibit 12, page 12).
THOMPSON also stated that "...after that is when he made the request that...to Joe KORTE to research it for him" (Exhibit 12, page 12).
KORTE stated that he researched the matter, which included talking with NRC Inspectors MADEDA and J. CREED, and subsequently sent a memo to HASTINGS via the CEO (Exhibit 2) dated September 30, 1985, which lists reasons as to why the CEO should not be used for SI (Exhibit 5). KORTE stated that Exhibit 2 was sent in a manner which required a certified response from the person to whom it was sent, i.e., HASTINGS. KORTE identified Exhibit 2A as the certified response and Exhibit 2B as a record, indicating Exhibit 2A was filed in KORTE's account for future access (Exhibit 5). Exhibit 2C was identified by KORTE as a document header created simultaneously with Exhibit 2 and which indicates that the memo was sent to both HASTINGS and THOMPSON (Exhibit 5).
When interviewed, HASTINGS stated, "I don't know whether I read it off, whether my secretary (BALENT) did" (Exhibit 8, page 9). "I do know that I am familiar with the information on this document" (referring to Exhibit 2)
(Exhibit 8, page 9). In addition, HASTINGS stated, "...I recall discussing the information with KORTE" (Exhibit 8, page 10). HASTINGS also stated that he discounted the information on FCRTE's memo because, "...was that he (KORTE) called Region III, got an opinion, wrote it down, called probably somebody in Computer Services, wrote it down. He hadn't done any original work and I just kind of said, well, hell, you know its a...when I got to know, I didn't pursue the original work myself with Computer Services..." (Er.hibit 8, page 28).
HASTINGS added, "...I didn't make a conscious decision about any of the specific information in the memo. I just discounted the idea of it's more hassle than it's worth to put the plans and procedures on CE0" (Exhibit 8, pages 28-29).
BALENT, who became HASTINGS' secretary after LEACH had left, does not recall physically seeing Exhibit 2 or viewing it on the CEO on behalf of HASTINGS (Exhibit 6). In addition, BALENT stated that she recalls a conversation between HASTINGS and NRC Inspector MADEDA, which occurred by her desk and during which she overheard HASTINGS ask if the CEO system could be used for SI (Exhibit 6). BALENT stated that MADEDA told HASTINGS that other nuclear power plants did not use their system for SI (Exhibit 6). BALENT left her position I as secretary tc HASTINGS on October 24, 1986 and stated that the aforementioned !
conversation took place several weeks before she left (Exhibit 6).
John PIPIS, Administrator, Computer Services, was asked about the contents of 1 the memo (Exhibit 2) sent by KORTE, and PIPIS stated that he had seen a l photocopy of it at about the time it was sent (September 30, 1985) (Exhibit 9, page 9). PIPIS also stated that at the time the memo was sent, he did not agree with the memo's conclusion, i.e., that the CEO system should not be used for SI (Exhibit 9, page 36). PIPIS stated that he may have talked with l HASTINGS in regards to the memo, "... telling him that what was on there really l wasn't correct" (Exhibit 9, pages 31-32), but could not recall that conversation i
...with confidence" (Exhibit 9, page 32). l l
l 1
Case No. 3-86-006 11
PIPIS also stated that in September 1985, a CEO terminal was installed in the executive offices of DECO located on the 24th floor of the Edison building (Exhibit 9, pages 41-42). PIPIS stated that he did not inform HASTINGS of the existence of the terminal after its installation (Exhibit 9, page 43).
Contrary to PIPIS, Paul CHILDS, who is presently Assistant to the Vice President of Nuclear Operations and in 1985 was the supervisory engineer of the Process Control Computer Division, stated that he agreed with each item in KORTE's 1 memo (Exhibit 2), and in addition, is not satisfied that a line by line deletion (referring to Exhibit 2, Item 5) would completely destroy the contents I
of a memo (Exhibit 10). CHILDS further stated that to his recollection, the l
l CEO system had three offsite terminals during the period of July through November 1985, and identified the offices as follows: Charles HEIDEL, President -
of Deco; William PENCE, Vice President of Operations (retired); and Ann POUGE, Cc.mmunications Engineer (Exhibit 10). According to CHILDS, the CEO should not be used for handling SI under any circumstances, including as a word processing unit (Exhibit 10). In addition, CHILDS suted that he understood that the CEO could not only be accessed from offsite terminals, but also from other terminals using MACPAC, a separate DECO computerized information system (Exhibit 10).
CHILDS compared the management style of HASTINGS to LEACH (HASTINGS' predecessor) and stated that whereas LEACH sought the advice of his staff and l the NRC, HASTINGS' approach was not to seek input from his staff and by innuendo, did not want to be "calibrated" by the NRC (Exhibit 10). In addition, l CHILDS stated that HASTINGS had an attitude characterized by CHILDS as "let's see what we can get away with" (Exhibit 10).
On November 1,1985, a security incident was identified by DECO as having occurred at Fermi (Exhibit 11). On November 2,1985, it was detemined that a written report was required to be sent to the NRC, and on November 7, 1985, the report was filed with the NRC (Exhibit 11). '
When interviewed, THOMPSON related the following in regards to the preparation of the letter by DECO:
- 1. On November 6, 1985, KORTE, Joseph CONEN, a licensing engineer with DECO. l and himself were in his office preparing the five day letter (Exhibit 12, l page 9).
2.
HASTINGS walked into the office and inquired as to what they were doing. l THOMPSON told HASTINGS they were working on the five day letter and that it was due the next day, November 7 (Exhibit 12, page 9).
- 3. According to THOMPSON, HASTINGS stated that there was not sufficient time to get it through the review cycle, and THOMPSON told HASTINGS that he l would contact the NRC and get an extension (Exhibit 12, page 10).
- 4. HASTINGS ttated in effect not to call the NRC and that the CEO will be used in order to get a quick turnaround (Exhibit 12, page 10).
Case No. 3-86-C06 12
l
- 5. THOMPSON told HASTINGS it was a Safeguards document and that it cannot be put on the CEO. According to THOMPSON, HASTINGS did not acknowledge his warning, but just turned around and walked out (Exhibit 12, pages 10-11).
XORTE recalled the aforementioned incident and also remembered that after THOMPSON cautioned HASTINGS about the use of the'CEO, HASTINGS had replied that he had taken precautionary measures by changing his password (Exhibit 5).
CONEN, a DECO engineer in the Inspection and Enforcement Section which handles ;
licensing matters, also remembers the incident and stated that HASTINGS '
assured THOMPSON that the letter would not remain in the system overnight, and that he had taken extra precautions, such as changing his password (Exhibit 13). ;
. In addition, CONEN stated that it was generally understood by persons who had )
, access to the CEO, that it was not a secure system and should not be used for l editing or transmission of documents containing SI (Exhibit 13).
Cindy CODY, who replaced BALENT as secretary to HASTINGS, stated that HASTINGS j had dictated the letter required by the NRC to her, which she simultaneously 1 entered into the CEO (Exhibit 14; Exhibit 14A, pages 5-6). CODY explained l that she was not initially aware that the letter contained SI and stated, "I !
can't identify the exact time when I became aware of when it was Safeguards.
Mr. HASTINGS and I did have a discussion" (Exhibit 14A, page 12). When asked if codewords were changed or if HASTINGS related to CODY to do something i different in order to secure the letter, CODY replied, "with my discussion with Mr. HASTINGS, I don't recall the changing of passwords in that discussion" (Exhibit 14A, page 12). When asked if in the subject instance, the password or codeword was changed, CODY stated, "I don't recall it. I don't recall" (exhibit 14A, page 12).
In regards to the editing a document, CODY was questioned as to which method would be faster; the CEO or using a typewriter and cutting and pasting. CODY replied, "if you're talking about a document that the CEO typed, or a five day letter that somebody is going to have to get the original, the CEO would outwin it" (Exhibit 14A, page 34).
CODY also stated that she was aware that the CEO was not to be used for SI, having become aware of that during her duties in the Nuclear Security Department (Exhibit 14). In response to a question if somebody at another terminal could have gained access to the letter as it was being entered, CODY stated, "...there are superusers that are identified on sight. And they would be used for various, I mean troubleshooting, I mean if I was in a wreck or I or whatever.
and they needed to get access. So, at the time, there was superusers" (Exhibit 14A, page 11). In addition, CODY stated, "after it was on the terminal, I'm sure they could have access" (Exhibit 14A, page 11).
LARY stated that shortly after the security event at Fermi, she saw CODY at the CEO printer, which is next to the coffee pot table, and as she approached the table, CODY spontaneously remarked something to the effect, "I didn't want to do it" and "he told me I had to do it" (Exhibit 4 Section IX). LARY recalled asking CODY what she was talking about and then saw the draft of the Case No. 3-86-006 13
letter coming off the CEO printer (Exhibit 4 Section IX). LARY stated that she walked away and discussed the matter with KORTE (Exhibit 4 Section IX).
KORTE confirmed that the CEO was used in drafting the letter and that the final letter was printed from the CEO (Exhibit 5).
HASTINGS admitted that he had instructed CODY to use the CEO for the "second draft" of the letter (Exhibit 8, page 13). HASTINGS also admitted that he knew the information in the letter was SI, saying "I knew that it had been our l
i practice to put all five day reports into Safeguard" (Exhibit 8, page 14).
HASTINGS also stated that he told CODY, "...please change your password so that -
only you know it and don't show me because I don't want to know it either" (Exhibit 8, page 14). HASTINGS did not recall the specific conversation ',
related by THOMPSON, KORTE and CONEN where he was warned not to use the CEO ~'
l (Exhibit 8, pages 14-17). However, HASTINGS did say, "I don't recall the I specific...the specific discussion about this report and CEO until Gary PIRTLE i (NRC Inspector) was then investigating the event, came to me and asked me about it" (Exhibit 8, page 20).
HASTINGS admitted that the NRC had made him aware sometime in the time period of September 30 through October 4 that there could possibly be a problem in using the CEO for SI, but "I don't remember getting the NRC's concerns translated in my thinking to the type of incident we're talking about with the drywell (meaning the security incident requiring the five day letter). If I would, I never done it, because the last thing I wanted was a violation and especially one I would be involved in" (Exhibit 8, page 22). HASTINGS added,
...I used the CEO as a word processing action and what I perceived as a self-contained way" (Exhibit 8, page 23), and "I thought the restrictive way that we used this word processing function of the CEO was appropriately within the Safeguard system, okay. Although I didn't have an okay for the whole system" (Exhibit 8, page 38).
HASTINGS also stated that he was not aware of an offsite capability of the CEO system until "...af ter Gary (meaning NRC Inspector PIRTLE) investigated it" (Exhibit 8, page 24). PIRTLE's inquiry was the result of information provided by LARY on or about November 12, 1985, that the CEO had been used for SI, specifically during the preparation of the five day letter (Exhibit 4, .-
Section X; Exhibit 11, pages 2-3). PIRTLE documented that HASTINGS stated that he was unaware of the offsite transmission capabilities during the *,
entering of SI in the CEO (Exhibit 3, pages 37-38). As a followup, PIRTLE had a conversation with the Supervisor, Computer Services (PIPIS), who advised him ..
of an offsite transmission capability and that some personnel designated as "superusers" could also gain access to data from locations onsite (Exhibit 3, page 38).
When NRC:01 questioned HASTINGS further regarding the offsite line, HASTINGS stated that he had made an appointment for PIRTLE to see PIPIS (Supervisor, Computer Services) when PIRTLE had confronted him in November 1985 in regards to the use of the CEO for SI (Exhibit 8, pa was surprised when PIRTLE told him of hisPIRTLE's) (ge 24).HASTINGS subsequent findings, and stated that he he called PIPIS in order to confirm what PIRTLE had told him, namely that there was a line in the corporate President's office Case No. 3-86-006 14
and "...therefore you're in violation" (Exhibit 8, page 25). When asked about item one in KORTE's memo (Exhibit 2) which states that the system has four lines that do downtown, HASTINGS replied, "well, I don't recall the four lines downtown, that's you know, that's a specific element. And I was...you know, I just wasn't aware there was a line like that in the President's office" (Exhibit 8, page 26). HASTINGS stated that he didn't followup on the contents of the memo because, "...it didn't meet what I hoped we could do, That's put the plans up" (meaning on CEO) (Exhibit 8, page 27).
. INVESTIGATOR'S NOTE: On June 19, 1986, DECO responded to a Notice of Violation
- and Proposed Imposition of Civil Penalties in which it is stated that the reason for Violation 2 is that, "in the intent of expediting a complete, detailed, five day report to the NRC on a 10 CFR 73.71 reportable event, the
. Fermi 2, interconnected electronic office equipment (CE0) was used to produce a draft report, instead of a typewriter. It was determined that it was possible to access the system from offsite locations." The procedure governing protection of SI at Fermi 2 has been revised to prohibit the use of the CEO for SI.
Willfulness / Intent.
- 1. Shortly after ass r:ag the position of DNS at Fermi, HASTINGS requested KORTE, a membe. of his staff, to look into the matter of using the CEO for SI (Exhibit 4,Section VI; Exhibit 5). The results of the inquiry (Exhibit 2) were sent by KORTE to HASTINGS via CEO requiring a certified response (Exhibit 2A). The inquiry concludes that the CEO should not be used for SI and lists supporting reasons (Exhibit 2). HASTINGS admitted discussing the results of the inquiry with KORTE (Exhibit 8, page 10).
However, HASTINGS stated that he discounted the findings because he felt KORTE failed to address the issue that he (HASTINGS) claimed he had in mind when he asked KORTE to look into the use of CEO (Exhibit 8, pages 10-11 and 28-29). HASTINGS stated that the issue he wanted KORTE to look into was the feasibility of the storage of security plans and procedures in the CEO (Exhibit 8, pages 10-11).
- 2. On November 1,1985, a security incident was identified by DECO as having occurred at Fermi, and it was determined that a written report was required to be sent to the NRC (Exhibit 11). During the preparation of the report, Assistant DNS THOMPSON warned HASTINGS, as corroborated by v.0 RTE and CONEN, a DECO licensing engineer, not to use the CEO system (Exhibit 5; Exhibit 12, page 10; Exhibit 13). HASTINGS stated that he does not recall being told by anyone at that time not to use the CEO ,
(Exhibit 8, pages 14-17). !
l
- 3. ,uring the inspection period of September 30 - October 4,1985, HASTINGS l was cautioned by NRC inspectors that there could possibly be a problem in i using CEO for SI (Exhibit 8, page 22), however, HASTINGS claims that in l his mind, the NRC concerns applied to the use of the CEO for storing Safeguards plans and procedures and not to the use of the CEO for a word processing function (Exhibit 8, page 23).
1 Case No. 3-86-006 15 i
b
Agent's Conclusion In November 1985, HASTINGS, DNS at Fermi, used the CEO for the preparation of a five day letter regarding a security incident and which had been required by the NRC. When confronted by an NRC inspector, HASTINGS admitted to the use of the CE0; however, he told the inspector that he was unaware of the system's offsite transmission capability thereby implying a lack of knowledge of the system's suitability for SI. Evidence gathered by 01 shows that to the contrary, HASTINGS was at least aware of a question as to whether the CEO ,
could be used for SI, and his statement to the inspector was, therefore, false and a willful attempt to mislead the NRC inspector. ',
+
- \
. i l
l l
l l
)
i Case No. 3-86-006 16 M44 eM FFM m -
LIST OF EXHIBITS
- 1. Detroit Edison Company memorandum dated July 1, 1985, from Stuart LEACH, Director, Nuclear Security, to James PIANA, Director, Nuclear Administration. ,
- 2. A CEO memorandum regarding the availability of CEO for handling Safeguards Information authored by Joseph KORTE.
.e A. A CEO printed message dated September 30, 1985, 5:09 p.m.
,'.~ B. A CEO printed message dated September 30, 1985, 5:19 p.m.
C. A CEO printed message dated September 30, 1985, 12:22 p.m.
- 3. NRC Inspection Report No. 50-341/85047, pages 36-38,
- 4. Report of Interview of Carolyn LARY on June 16 and September 30, 1986.
- 5. Report of Interview of Joseph XORTE on June 24 and October 2, 1986.
- 6. Report of Interview of Dorothy BALENT on September 25, 1986.
- 7. Sworn Testimony of James PIANA on September 17, 1986,
- 8. Sworn Testimony of Wayne HASTINGS on September 17, 1986 (contains UNCLASSIFIEDSAFEGUARDSINFORMATION).
- 9. Sworn Testimony of John PIPIS on September 17, 1986.
- 10. Report of Interview with Paul CHILDS on October 1, 1986.
- 11. NRC memorandum dated April 30, 1986, from Charles WEIL to Jack HIND ,
(contains 10 CFR 2.790 Information).
. 12. Sworn Testimony of Sam THOMPSON on August 13, 1986 (contains UNCLASSIFIED
.,, SAFEGUARDSINFORMATION).
, 13. Report of Interview of Joseph CONEN on June 25, 1986. l
- 14. Statement of Cindy CODY on June 24, 1986. l A. Sworn Testimony of Cindy CODY on September 17, 1986.
l i
l Case No. 3-86-006 17 i
WAYME, PER YOUR REQUEST KATE AND I HAVE INVESTIGATED THE i POSSIBLE USE OF SO POR HANDLING SAFEGUARDI NPORMATION E (S.I.). WE TOOK INFORMATION FR N NUREG-8794, PROTECTION OF Q j UNCLASSIFIED SAFECUARDE INFORMATidN. NRC INSPECTION AND ENFORCEMENT INSPECTION PROCEDURE 81818, PHYEfCAL PROTECTION a::C SAFEGUARDE INFORMATION, AND NOIP 11.888.114. WE HAD A i
CONVERSATION WITH J. CREED AND T. MADEDA CONCERNING THE
$ l MATTER, AND TALKED WITH COMPUTER SERVICES PERSONNEL.
Cc O
I AFTER RESEARCHING THESE SOURCES AND TALKING WITH THE NRC, WE HAVE THE FOLLOWING REASONS WHY WE COULD NOT USE CEO FOR l
HANDLING SAFEGUARDS INFORMATION. M cc 1
THE SYSTEM IS NOT SELF~ CONTAINED WITHIN THE FACILITY WE - 1 HAVE FOUR LINES THAT GO DOWNTOWN.
i
- 2. CD THE LINES ARE UNPROTECTED PHONE LINES BECAUSE THEY ARE LLJ l NOT PROTECTED BY ANY KIND OF ENCRYPTION DEVICE.
- 3. PERSONNEL, "SUPER USERS" HAVE THE AVAILABILITY TO GAIN ACCESS TO ACCOUNTS OTHER THAN THEIR OWN. ,
- 4. DOCUMENTS DISCARDED INTO THE WASTEBASKET ARE STILL ;
AVAILABLE TO ANYONE GAINING ACCESS TO THE ACCOUNT UNTIL THE I JANITOR CLEANS THE ACCOUNT. !
1
- 5. THE POSSIBILITY OF CREATING A SAFEGUARDS DOCUMENT ON CEO '
WAS RESEARCHED. THE ONLY SAFE WAY TO DISPOSE OF THE INFORMATION CONTAINED IN THE DOCUMENT IS TO DELETE THE .
DOCUMENT ONE LINE AT A TIME. KATE SURVEYED LAURA SIMPSON, l KAREN MARBAUGB, DOROTHY BALENT, AND JAN SYPE, EACH OF THEM j STATED THAT IT WOULD TAKE MORE TIME TO CREATE THE DOCUMENT IN I
( ORDER TO PRINT IT AND THEN HAVE TO DELETE EACB LINE THAN IT :
WOULD TAKE TO TYPE THE DOCUMENT ON THE TYPEWRITER. !
- 6. IN CONJUNCTION WITH NUMBER 5, IF THE DOCUMENT HAD TO BE i EDITED AND WAS STORED FOR A PERIOD OF TIME DURING PROOF I READING, THE DOCUMENT WOULD BE ACCESSIBLE FOR THIS PERIOD.
l l
l 3-86-006 4 l
Karto, Joe 'd m: Bastings, W:yne '
taark: Sep 39,85 5:09 PM tus: Previously read et: Eastings, Wayne has seen, SAFDGUMDS MD CEO sag 2:
The above nessage which you sent Sep 39,8512:23 m was seen by Hastings, Wayne 4
\. .
I l
l 3-86-006 mm,, 74 4
/ p
DOCLNDG' L E R ment nane: CID WAYNE HAS SEEN Document type WBD er: SAFD3UARDS Polder: TRANfEITIALS Jived frce: Eastings, Wayne
- tredified on Sep 38,85 5:09 PM by SSTTSB mrt Bastings, Wayne Typist Bastings, Wayne sd on: Sep 38,85 5:19 3H Message attached ject: Bastings, Wayne has seen, SAFIGUAPDS NO CEO ary: -
'Ihe above message which you sent Sep 38,85 12:23 PM was seen by Bastings, Wayne ents:
l i
-l
]
3-86-006 meir 20
DOCUMENT HEADER Document names CRO Document typet WRD Drawer: SAFEGUARDS Folder: TRANSMITTALS Last modified on Sep 39,85 12:22 PM by SSTTSB Author: Korte, Joe Typist: Korte, Joe
Subject:
CEO - TRANSMITTING SAFEGUARDS Summary:
TBE ATTACHED IS A REPORT ON THE AVAILABILITY OF CEO FOR HANDLING SAFEGUARDS INFORMATION.
Comments:
Mailed to:
BASTINGS, WAYNE THOMPSON, SAM s
4
)
I
\
l l
4 3-86-006 EXHl017- b
l 1
Yson 1
b Date: July 1. 1985 JNS-85-0096 To: James L. Piana .
Director-Nuclear Admi istration )
1 From: Stuart B. Le M
.i Director-Nulcear 6eurity
Subject:
CEO - Protecti_on of Safeguards Information Certain members of my staff have expressed a concern over the possibility of Safeguards Information and other confidential material being inputted into the CEO Syster. Preliminary research by my staff has uncovered certain facts which may reflect this deficiencies in adequately protecting material of nature.
i Please contact me as 1 would appreciate your assistance in researching this matter more extensively.
SHLlac.- <
cc: L. Wayne Hastings 1
l l
l l
l 4
3-86-006 exmarr I Enclosure 3 pir.R.R. 006 .9 Q
xec:e l
.' i do
- 14. i Physical Protection Safeouards Information (IP B1810): ~
One poten'tfal~ " ~~ ~
violation was noted during this inspection period.
10 CFR 73.21(a) states, in part, "Each licensee who. . .(2) is authorized to operate a nuclear power reactor, . . .shall ensure that Safeguards Information is protected against unauthorized disclosure. To meet this general performance requirement, licensees. . .shall establish and maintain an information protection system that includes the measurer, specified in Paragraphs (b) through (i) of this section."
cA -
m' A 3 W Y :A ) \/ AT fii. Q 3-86-006 * *4" ' '
)
1 Y '"' "Idettett O 36 PAGE / OF _ 3 -FAGE(S}
j AT nhl ghhI N#)
W d
10 CFR 73.21(h) states, in part, "Safeguards information may be processed or produced on an ADP system provided that the system is self-contained within the licensce's or his contractor's facility and requires the use of an entry code for access to stored information."
Section 6.14.4 of Feral 2 Nuclear Operations Interfacing Procedure 11.000.114. "Protection of Safeguards Information," approved December 12, 1984, states, in part, "Safeguards information say be processed or produced on an automatic data processing system; if the system is self-contained within a controlled access area, it uses an ;
access code known only to tuthorized individuals, and it cannot transmit i
, information offsite." .
Contrary to the above, a document designated by the ifcensee as Safeguards Information was processed in part of an ADP system (100GTOC and CEOMV8) which had access terminals that were not self-contained in controlled access areas and which had an offsite transmitting capability.
Additionally, personnel not designated by the licensee to have access to Safeguards Information could have gained access to the portion of the ADP system which contained Safeguards Information. The Safeguard Information in the ADP system would not significantly assist an individual in an act of radiological sabotage or theft of special nuclear material.
(341/85047-25).
The potential for a violation of the nature cited above was discussed with security management during the September 30-October 4,1985 inspection G period.
At that time, the security department was considering putting Safeguards Information, to include security plans and procedures, into their CEO data processing system. They were cautioned by the inspectors to assure that the system met all of the criteria for a secure system as required by 10 CFR 73.21 and their procedures pertaining to their Safeguards Information Program. Moreover, in July 1985, the past Director, Nuc' ear Security, advised the Of rector, Administrative Services, of the potential for violation of Safeguards Inforsation requirements if Safeguards Information was entered in the existing data processing system.
Interviews with the Director, Nuclear Security disclosed that one document, of approximately four pages, had been entered into the data processing system. The document was a Security Event Report pertaining to failure to provide adequate access controls to the primary containment portion of the fif th floor of the reactor building (refer to Paragraph 10.b for related information). The document was entered in the l
inadequately secured data processing system because the five dty tire l limit for submitting a written report to the NRC pertaining to the ;
incident was near and the document required review and comment by several dif ferent personnel. The document could be sent electronically to these persons for review and therefore enable the review to be completed and the report submitted on time.
The Director, Nuclear Security stated that he was not aware that the data processing system had an offsite transmitting capability (a recent 4 innovation) and thought that the data could be retrieved only at l
h- ggnoivw0 n u n 3 u m- m i V \yM ,
.Vbea S
- -86-006 K 37
~.,..-.. ,
pgog a op _ 3 -rAct j
I
^
g, g- 3 -
4 .p uns>
A J "U f terminals located within the Security Department portion of the GTOC
. ) building. The inspector's interviews with the Supervisor, Computer 4
Services, disclosed that the system had recently been modified to allow of fsite transmission of data and that some personnel (approximately 12) who were not designated for access to Safe 0uards Information (referred to as "Super Users") could gain access to the data from several locations onsite. There was no evidence to confirm that the Safeguards Information was retrieved or transmitted by unauthorized means.
The Director, Nuclear Security, had the Safeguards Information removed from the data processing system and briefed appropriate security and administrative staff members that no Safeguards Information was to be entered in the GTOC 100/CEO system until it had been modified to meet protection criteria in 10 CFR 73.21 and the licensee's procedural guidance.
e O .
c i i i. . . n- o l g, , r -< riwuyitsuo ngUhnu n o u 111ik V
l}!D EXHIRIT O 3-86-006 g gg a _ pyg p
v.,-.... ,
_-. . . - - _ - - . _ . . , . , - _ . . - - - - . - - - . _ _ _ . _ . - . . . . .,_ __--.-. .,---.-.. ,_ .--.- -..- --, -.-., .-. - . , - . - . . _ _ ,