ML20206P510
| ML20206P510 | |
| Person / Time | |
|---|---|
| Issue date: | 02/03/1999 |
| From: | Orrik D NRC (Affiliation Not Assigned) |
| To: | Travers W NRC OFFICE OF THE EXECUTIVE DIRECTOR FOR OPERATIONS (EDO) |
| Shared Package | |
| ML20206P326 | List: |
| References | |
| NUDOCS 9905180250 | |
| Download: ML20206P510 (9) | |
Text
,
i, e nerg
'y '
k UNITED STATES g
j 2
NUCLEAR REGULATORY COMMISSION WASHINGTON, D.C. 2006H001 1
%,*****[- February 3,1999 1 MEMORANDUM TO: William D. Travers, Executive Director for Operations (EDO) ,
FROM: Captain David N. Orrik, USN (REi.)
Security Specialist, NRR y
l
SUBJECT:
DIFFERING PROFESSIONAL OPINION REGARDING NRC'S REDUCTION OF EFFECTIVENESS AND EFFICIENCY IN THE
" STAFF RECOMMENDATIONS" OF THE FOLLOW-ON OSRE -
, PROGRAM FOR NUCLEAR POWER PLANTS This' Differing Professional Opinion (DPO) protests the " staff recommendations" for a follow-on program to the operational r2 guards response evaluation (OSRE) program. The " staff recommendations" are Airwarded in SECY 99-04 ofJanuary 22,1999. They are weak and non-committal, and will reduce the effectiveness and efficiency of the nuclear power industry's counter-terrorist capability. ' Specifically, these recommendations would not assure that nuclear !
power plants can meet the requirements of 10 CFR 73.1 and are capable ofprotecting against the design basis threat for radiological sabotage.
This DPO also identifies that the NRC commitment to Congressman Edward Markey has n'ot j
- been met. On December 15,1998, the NRC Chairman stated, in part, to Congressman Markey that. "The goal of the staff s re-evaluation is to identify more effective and more efficient methods of testing licensees' contingency response capabilities..." The draft " staff recommendations" are, by far, less efTective and less efficient.
Two specific alternatives to the " staff recommendations" are provided. The following NRC staff I
- have read and personally support these alternatives: Thomas W. Dexter, Senior Security
. Inspector, Region IV; Dennis W. Schaefer, Security Inspector, Region IV; A. Bruce Earnest,
~ Security Inspector, Region IV. These safeguards inspectors unanimously agree tha', the draft "staffrecommendations" are, by far, less effective and less efficient.
- Chronolony of Events:
.1. In the summer of 1998, the Office of Nuclear Reactor Regulation (NRR) decided to terminate the OSRE program at the end of the fiscal year. It was so terminated. There was no formal, written announcement.
- 2. . In August,1998, two differing professional views (DPV) were submitted to the Director, -
NRR, protesting the cancellation.
j 9905180250 990503 }
-PDR COMMS NRCC CORRESPONDENCE PDR i Attachment 6 l0lA04lf$Y
,1..- ,
- 4. . ,
I l
- 3. In November, an NRR DPV pand recommended the program be terminated pending resolution ofotherissues. (This DPO protests this decision of the DPV panel.)
)
- 4. In November, the NRC Chairman, learning of the program's cancellation from public, congressional,'and administration (National Security Council) sources, directed the staff to i reinstate the OSRE program. ,
- 5. In December, NRR subruitted a proposal for a follow-on program to the OSRE. (This DPO protests part of the " staff recommendations" in the'OSRE follow-on program.)
- 6. The following issues are included in this DPO:
I'
'A. The decision of the original DPV panel was incorrect and was not responsive to the basic mission of the NRC - To Protect the Health and Safety of the Public.
B. The four (4) NRR " staff recommendations" were: (1) Specific only with respect to target-identification, and non-specific as to the actual purpose, criteria, and frequency of the follow-on program; and (2) the "next best thing" to a program cancellation. - Unspecified parts of the recommendation include:
- Eliminating the experience and skills provided by the NRC contractors.
- Replacing the present 7-person OSRE assessment team with one NRC
" observer".
- Allowing the industry to determine the content and frequency of the evaluation / exercises.
These program-modifications included with the " staff recommendations" would, in effect, replace a strong, expert team evaluation with one person, lacking the necessary, special expertise, to rubber-stamp licensees' self-determined efforts.
Alternatives for NRC's Follow-On Pronram
! Two specific alt ernatives for a follow-on program are suggested. The first alternative (recommended) retains NRC control of the evaluation, but at the region level, eliminates one NRR FTE/ position, and retains the core experience and skills of the contractors.
+ .
4.'.
i 3
BACKGROUND On August 7,1998 two DPVs were submitted protesting NRR's decision to eliminate operational safeguards response evaluations (OSREs) at the end of the fiscal year. OSREs focus on the ability of nuclear power plant to protect against a violent external assault" aimed at causing radiological sabotage (16 CFR 73.1), with equivalent consequences of Chernobyl. In effect, it is the only program NRC has that directly focuses on the terrorist threat against nuclear
. power plants, whether by overt or surreptitious attack. The heart of this program is nuclear power' plant security force demonstrations of their armed response capability in onsite force-on-force exercises. Significant weaknesses were identified in 27 of the 57 plants (or 47%) evaluated to date. "Significant" here means that a real attack would have put the nuclear reactor injeopardy with the potential for core damage and a radiological release, i.e, an American Chernobyl.
The OSRE methodology states that the OSRE team " assumes that significant radiological release would be the objective of power reactor radiological sabotage and uses prevention of significant core damage as an evaluations criterion." The methodology also provides the four sub-criteria that the OSRE team uses to evaluate the licensees' response capability;"the ability of responding officers to arrive at suitable interdicting positions in timely fashion, in sufficient numbers, and appropriately armed and equipped;" Simply put, if a licensee fails to meet the four security sub-criteria, they have a significant weakness in their ability to protect against radiological sabotage.
Twenty-seven plants, in 40 exercises, failed to meet these four sub-criteria. Moreover, the strategy and/or execution involved in those exercises were clear and convincing evidence of an inability to protect vital equipment against the design basis threat. These weaknesses occurred despite a.6-12 month advance notification of the OSRE date and (unchanging) schedule of events.
f Acting under NRR guidance, only the security weaknesses, and not their operational impact, were
~
normally included in the final NRC report. All of these security weaknesses have been corrected.
The " staff recommendations" egregiously misstates / mitigates the failure of the industry to protect critical vital quipment as demonstrated in OSREs. The " staff recommendations" paper states that "the programidentified a number of minor' weaknesses and some significant weaknesses in
~ licensee performance." (see page 1) This is cxpanded (on page 3) where it is stated that, "...OSRE teams identified weaknesses at 27 plants; some of these weaknesses related to failures to prevent mock adversary forces from gaining access to vital equipment." In fact, all.of weaknesses , not "some", related to a demonstrated inability to prevent mock adversary forces from gaining access j.
to vital equipment which could, if sabotaged, cause core damage and radioactive release. For example,14 of these plants were unable to prevent mock adversary forces from gaining
.'(simulated) access into reactor containment! That is not a minor weakness. (All weaknesses have l since been corrected.) . Security forces at twenty seven plants were not able to deny (mock) intruder entry and (simulated) radiological sabotage in one or more onsite exercises.
- L A second part of this program are " assist visits" to NRC regional inspections of plants. In these inspections, the OSRE team contractors physically challenge / test the perimeter sensors, camera 1.
U K, .,
- 4-g -
l 4
l systems, and access control systems ability to dete:t and identify attempts to enter the plant undetected. Dese tests are focused on that part of the design basis threat for radiological i sabotage (10 CFR 73.1) that stipulates "... attack by stealth..:" The OSRE team has defeated i perimeter and access control systems (i.e., were not detected) by unsophisticated - but knowledgeable- means. Most, but not all, of these identified weaknesses have been corrected.
L All nuclear power plants write physical security plans (PSPs) to meet federal regulations
. governing the protection of their plants which NRC approved before the plants were licensed to operate. NRC then, except for OSREs, inspects for comoliance with these plans. OSREs however, were intended to be tests of a plant's caoability. not its security plan. The criterion for OSREs is regulatory, i.e., the design basis tl.reat for radiological sabotage as defined in 10 CFR 73.1. Regional" assists" however, are based in compliance with the security plan, although challenge testing, utilizing the capabilities of the design basis threat is performed as well. Of the 40 weaknesses identified at 27 of the 57 plants having had an OSRE to date, and the over 600 weaknesses identified in over 30 " assist visits " and in 70 OSRE predecessor evaluations (called Regulatog Effectiveness Reviews, or RERs), over 90% were beyond plan commitments and, therefore, beyond normal NRC compliance measures, e.g., NRC could not cite and fine them.
However, all weaknesses in OSREs and RERs were within the scope of the design basis threat and have been corrected. FM example, in 54 of the 57 OSREs, the average plant used 82% more armed responders than they commit to in their plan. Therefore, they cannot be cited for a violation of their plan if they reduce their response force to their plan commitment. The Chairman, ailvised of this situation, decreed that the remaining 11 OSREs would be conducted with the number of responders in the plan. This high frequency of plants with weaknesses occurred after every plant had from 6 to 12 months advance warning of their OSRE date. Plant security directors have advised that they spent from $140k to $1.5m getting ready for their OSRE. They sent observers to frior OSREs. They conducted a target analysis, evolved a (new) response strategy, tested and validated it, made physical modifications to delay armed intruders and to protect their responders, and trained and exercised their shift response forces.
This is nothing less than evidence of an abject failure by the nuclear industy to be capable - by themselves - ofprotecting against radiological sabotage. It took the threat of an OSRE to make them prepare to be " ready", and 47% still were not " ready" to protect against the design basis threat for radiological sabotage. Yet, on page 3 of the "staffrecommendations", it is stated that the "... Task Force concludes that the industry can assume more responsibility for performance assessment of tactical response capability, thereby reducing the NRC's role in the assessment
- while preserving the same level of confidence in the final product." That is not a conclusion; it is a preference (by portions of NRC staff). A conclusion rests on data, events, evidence of some sort. ; All the evidence since 1982 overwhelmingly demonstrates that, without the pressure of NRC's RERs or OSREs, the nuclear power industry has failed to assure protection against radiological sabotage. And now there is increasing pressure throughout the nuclear power industry to reduce costs, and security forces are taking direct hits; reduction in annual budgets,
., reductions in number of security officers. A countervailing pressure is necessary.
i L
)
5 l
" Assist visits" by the OSRE team are, however, conducted / led by regional inspectors who are l allowed to inspect only for compliance (with the security plan). As a result, weaknesses j identified by the team (using the capabilities of the design basis threat) frequently fall into the i category of"beyond security plan commitment." Therefore, correction of these is not requiredl
{
i There have been threats against nuclear power plants. NRC has alsojust eliminated $400,00 for NRCs portion of the jointly funded NRC/ Department of Energy (DOE) Communicated Threat
]'
Credibility Assessment Team (CAT). The CAT has been a long-established, effective program for responding to certain threats involving NRC licensed facilities. The CAT provided a mechanism for coordinating with DOE and the Federal Bureau ofInvestigation (FBI) during a nuclear threat response. NRC has a lon2 standing commitment to the FBI in a Memorandum of Agreement.
Both DOE and the FBI wrote strong letters of protest that urged the NRC to restore funding, support and participation. Further, this action flies in the face of significantly increased Federal emphasis and commitment of resources and money to respond to threats and incidents involving chemical, biological, nuclear, and radioactive materials, i.e, weapons of mass destmetion. An ,
NRC panel, responding to a DPV, recommended NRC resume " full-fledged participation" in the CAT but " vigorously pursue alternative funding mechanisms"... In yet another action, NRC staff has degraded its capability to assure proper analysis and action in the arena of anti-terrorism. This isjust another example of the low priority that NRC places on anti-terrorism.
The Government Accounting Office (GAO), in their 1977 report to Congress titled, " Security at Nuclear Powerplants - At Best, Inadequate," also noted the inadequacy of plants' security plans and recommended that NRC should (inter alia);
" Authorize and encourat;e inspectors to go beyond approved security plans when appraising security systems and implement a timely procedure for correcting deficiencies" and, '
" Develop and implement additional procedures to provide greater assurance that inspec6s are consistently thorough and make unannounced inspections."
Licensee security plans have been demonstrated to NOT be sufficient, and may never be.
Compliance (with security plans) has been demonstrated over 17 years of testing to be an insufficient tool. GAO noted that in 1977, and it has been thoroughly documented by the over 150 inspection results noted above that took place between 1982 and 1999. In view of this, the NRC should reconsider its misleading April 2,1998 response to the Justice Department's (DOJ)
"5-year Inter-Agency Counter-Terrorism and Technology Crime Plan Survey." Item B1 called for the following to be addressed: " Deterrence, prevention or response to physical attacks on !
critical U.S. Infrastructures." The NRC response was; " Commercial power reactor facilities are required by NRC to protect against radiological sabotage. Fuel facilities which possess NNNM must protect against theft ofmaterial. As such, NRC regulations require the development,
. maintenance, and implementation of contingency plans for response to malevolent events." This infers that the contingency plans provide adequate " deterrence, prevention, or response..." Yet .
27 of 57 nuclear power plants were not able to demonstrate - by their own efforts - that they could provide adequate response "to physical attacks on critical U.S. infrastructure." And the i
y
~ ,
.. )
3 . j i
l 6
question comes to mind; for how many years had that situation existed?
Further, all of these inspections were announced well in advance. They were, however, consistent. All of the 57 OSREs to date have had the same basic schedule of events (times varied, not events). And all were tested with the same design basis threat. However, the test did n91 utilize the full caoabilities of the desian basis threat as stated in the renulations; NRR management l had also placed other (unwr:tten) restrictions on the threat.
The OSRE team on site consists of 7 people to enable the team to evaluate the efforts of several l
- attackers going to several locations (targets), the many responders coming from different ,
scattered positions to different interdicting positions, and the command and control from security and operations. A (simulated) attack on a nuclear power plant is a very fast moving and complicated event. To evaluate these attack / defense scenarios, the OSRE team consists of: 2 security specialists and 1 nuclear engineer (for target analysis) from NRR,1 NRC regional security inspector, and 3 contractors. The very nature of these (simulated) violent exercises requires specialized experience and training in the core evaluators. Each of the contractors has had 8 to 14 years ofintense specialized military training and exercising, and field operations in the elements involved in OSREs and regional" assist visits." They are experienced in small force combat tactics, communications, command and control, use and capability of automatic and military weapons and explosives, explosive entry, ballistics, and barrier penetration. The NRC provides them with training in perimeter sensor and access control equipment, although they provide the physical skills - and age - to perform challenge testing in these areas. Also, because ;
of their previous training and qualifications, we are able to conduct annual training and field testing at a government site in areas, e.g., ballistics and explosive entry, to keep abreast of the latest modifications that licensees have made to their plant. For example, how much of a time delay did the plant gain by a specific hardening of a portal? Did they delay " adversaries" long enough to enable security officers to reach an interdicting position?
To become proficient and expert (more so than the licensee being evaluated) in all of these takes considerable time - years - as well as annual retraining and field testing. There are some NRC personnel with prior relevant military experience, but they are in the minority and approaching retirement age. Our contractors are recognized in the industry as expert in these areas, in fact more expert than the licensees. They provide instant c'redibility to OSRE findings. NRC inspectors have neither the long and relevant experience and training of the contractors, nor the physical abilities necessary to challenge perimeter systems and to run, climb with, and observe, mock terrorists or responders in OSRE exercises.
The OSRE team and the OSRE process, besides being recognized as expert and effective by the U.S. nuclear industry, has received the ultimate compliment; it is being copied. The nuclear regulatory agencies of the governments of five other countries, after their representative have observed an OSRE or regional assist, are copying all or parts ofit.
,' l
. 1 7
Ilearned of the esanation of the OSRE program in the summer (1998) by word of mouth from my Division Director. NRR hadjust crossed it out of their budget. There was'no wntten cancellation or notification.
My August 1998 DPV was formally supported by 9 NRC regional security inspectors, three of whom also saw fit to submit their own DPV protesting the elimination of the OSRE program.
The NRR panel, in November 1998, recommended terminating the program pending review of the kind of program needed in this anti-terrorism arena.
The Chairman, leaming of the program elimination in November from the media promptly directed the NRC to reinstate the program, and called for a review ofwhat was needed. The
" goal of the (NRC) staff's re-evaluation", as stated by the NRC Chairman in a December 15, 1998 letter to Congressman Edward Markey, "is to identify more effective and more eflicient methods of testing licensees' contingency response capabilities..." The NRC has a staffofover 2,000 people and a budget of about $500m; the OSRE program normally costs 3 full-time people (now reduced by NRR to 2 full-time and one part-time - about 20%), a contract of $90k per year, and about $20k for field-testing. The " product" can be measured in terms of 57 nuclear power plants that now shp_uM be able to demonstrate the ability to protect against the design basis threat.
Questions to consider are:
(1) In view of the considerable efforts that virtually all plants took before their OSRE, how'many nuclear plants would have "significant weaknesses" identified in their OSRE -
beyond the 27 that did - if the OSRE had been unannounced?
(2) Since the full DBT was not utilized during the first 57 OSREs, should not it be utilized in the next eleven and in the succeeding OSRE-replacement?
(2) What will NRC do in the future to counter the ubiquitous, increasingly intense pressure in the nuclear power industry to cut security costs, especially personnel costs?
(3) Why "fix" something that isn't broken? The OSRE program and concept costs the NRC very little, and is " facilitating" a drastically higher level of protection at nuclear power plants than existed when the industry vu s left to " regulate themselves".
THE FUTURE NRR, in December 1998, submitted a recommendation for a follow on program. This " staff recommendation" was only the position of NRR management - which terminated the program in
, the budget process, and is planning on terminating the $90k contract - and four task force member ofNRR staff, none of whom signed a DPV protesting the OSRE termination. None of the NRC inspectors who did sign a DPV c .rticipated in the draft NRR recommendations.
- The first two recommendations are specific with respect to target-identification, and are appropriate and needed. However, the 3d and 4 6recommendations are non-specific as to the actual purpose, criteria, and frequency of the follow-on program. It appears to be the "next best a _--.
8 (i.e., worst) thing" to eliminating the OSRE program, if that is the intent. Although not specifically mentioned in the recommendation, the plan includes: canceling the OSRE contract, eliminating the experience and skills the contractors provide (that NRC does not have), replacing
- the present 7-person assessment team with one NRC " inspector", and allowing the industry to determine the content and frequency of the evaluation. I submit that the recommendation does not commit NRC to a meaningful, strong course of action. It would, ifimplemented, result in a meaningless NRC rubber-stamping of whatever the industry decided it cou'J afford. It does not take the terrorist threat seriously. While recommendations 1 and 2 actually require licensee
- action, numbers 3 and 4 talk about considering and develooing changes but would allow licensee control and NRC observation (not control) of exercise content and prosecution.
I offer two, alternative plans-of-action. They commit the NRC to take action to compel the industry to demonstrate the capability to protect against the DBT. Rule changes may be required '
to meet NRC's proper role and responsibility. Both alternatives would continue OSREs until all plants had had an initial OSRE. However, in accordance with the Chairman's direction, all OSREs would henceforth require plants to use the number of armed responders they commit to in their physical security plans. The plants would also be required to specify - and commit to -
any physical changes made to the plant to assist their effort to protect public health and safety. l The entire DDT will be used, unlike now, and other restrictions would be reconsidered. l Both of these alternatives would not require any additional assets. In fact, alternative one would allow NRR to complete their ongoing reduction of security persons dedicated to the OSRE program to one (from two). Nor would it require that all regional inspectors be trained or experienced in the elements involved in OSREs and regional assists to become as proficient and expert as our contractors (and more so than the licensee personnel being evaluated). However, some of this specialized training would undoubtedly be of value for our regional inspectors.
m 1
. . p \
.. 1
.a -
,t I !
ALTERNATIVE FOLLOW-ON PROGRAMS TO THE OSRE l Both alternatives would continue OSREs until all plants had had an initial OSRE. However, in accordance with the Chairman's direction, all OSREs would henceforth require plants to use the number of armed responders they commit to in their physical security plans. The plants would also be required to specify - and commit to - any physical changes made to the plant to assist their effort to protect public health and safety. The entire DBT will be used, unlike now, and other i restrict. ions would be reconsidered.
{
Alternative #1 (Recoinmended) The regionalinspectors will request a" regional assist" for an inspection. The assist will be provided by two HQ personnel (one security, one nuclear engineer) and three expert, experienced contractors, as currently is the case. However, the regional assist would include sufficient force-on-force exercises to ensure that the licensee demonstrate their
- ability to interdict the design basis threat as defined in 10 CFR 73.1 Physical testing of the perimeter protection system (i.e., the intrusion detection system and the alarm assessment system) and access control systems (e.g. metal detectors) would continue to be part of the regional assist.
Including these in an assist will evaluate the licensee's capability against both the violent overt attack and the surreptitious attack by the design basis threat. This type of assist shall be done at least once every 3 years. (This will mean a continuation of about 20-24 evaluations per year.) l Failure to demonstrate an interdiction capability or satisfactory detection or assessment 1 capabilities.will result in an order to correct or a violation. All testing would be based on the capability of the design basis threat. Physical security plan commitments would be required to meet the challenge of the design basis threat and performance statements in the (revised) !
regulations.
Alternative #2.. Continue the NRC headquarters OSRE team and program as it exists. Require plants to demonstrate the ability to interdict the DBT in an OSRE tailored for each site. Failure to' do so will result in an order to correct or a violation (of 10 CFR73.55(a)). All licensees shall be also required to exercise their shift response forces and their site protection system on an annual basis for training and self-validation of their interdiction capability. The site protection l system, including delay barriers and responder protection measures shall be included in their
. security plan. As a separate measure, " regional assists", which focus on the perimeter protection
- system, will continue to be conducted at the same frequency as OSREs, i.e., each plant would be visited every 7 years by the OSRE team for a capability readiness evaluation and also for the l perimeter, etc., regional assist testing. Testing for both evaluations will emphasize the capability L
of the DBT (in contrast to the artificial limitations imposed in some security plans). The regional assist would also include table-top, time-line drills and may include one (or more) force-on-force exercises as an interim evaluation of the licensee's interdiction capability.
[
u
Question 5. Mr. Richard Rosano of the NRC is quoted as saying utility companies " felt they l were having to spend a great deal of money to gear up for exercises that some didn't believe there was any authority for." What nuclear utilities or trade groups have questioned the legal authority for the program or supported elimination of the program? Was there industry support for keeping the program? What was the average and/or range of costs to plants to prepare for and respond to the
. security drills?
Answer
- The L.A. Times reporter asked Mr. Rosano if it was true that licensees had complained about the expense of preparing for an OSRE and that some licensees expressed doubts about the legal authority to conduct the OSRE visits. Mr. Rosano said he had not heard those complaints himself but had spoken to some NRC staff members who claimed to have heard those complaints. Mr. Rosano added, in responding to the reporter, that some of the expense incurred by licensees would finance practice runs and overtime to pay for additional guards to simulate an attack force, not just for upgrading security.
- The NRC's authority for conducting OSREs is derived from 10 CFR 73.55(a), which requires licensees to have a physical protection system designed to protect against the design basis threat of radiological sabotage. The staff's review of the OSRE program is intended to ensure that valid demonstrations of the licensees capabilities are conducted.
- The NRC does not have direct information regarding industry support for keeping OSRE.
However, informal feedback during site visits indicates that the security organizations, and often senior management, on the sites recognized the OSRE program as instrumental in improving security at the plants. Members of the staff report that some licensees also have expressed discontentment with various aspects of the OSRE program during informal conversations. The NRC has not received written proposals from our licensees or industry representatives suggesting that the program be eliminated, nor have we received legal challenges to the OSRE program.
- Licensees have indicated that between $140,000 and $1,500,000 was spent per plant to prepare for OSRE visits.
l.
p r.
' Question 6. Does the Commission believe that it lacks legal authority to run the program?-
Please provide any NRC documents or memoranda that describe, analyze, or explain the legalissues. If the Commission is concerned about its legal authority to conduct the program, why did the Commission not request remedial
. legislation that would make clear NRC's authority to oversee and test plant security rather than cancel the program?
Answer l
The Commission has the legal authority to conduct OSRE visits.~ In 10 CFR 73.55(a), the licensees are required to establish a physical protection system " designed to protect against
! the design basis threat of radiological sabotage." This requirement is both inspectable and enforceable, and the NRC has the legal authority to conduct evaluations, including tests with meaningful results, to ensure the licensees' ability to comply with that requirement.
l l
i i
a i
l
, . l l
\
l
- l l
Question 7. The Times article claims that 47% of tested plants did not pass anti-terrorist !
tests. Please provide a list of all plants that did not perform satisfactorily in anti-terrorist tests and describe the ways in which each plant failed and whether they have corrected the identified problems. The article also states that eleven ,
plants have not been tested. Please provide a list of all plants that have not i been tested since the program's inception in 1991 using " force on force drills."
l Answer l
- In noting two nuclear plants that had passed their OSRE test, the L.A. Times article referred to Mr. Orrik's Differing Professional View (DPV) in saying "[t] hat was not the case
. . at 47% of the plants tested nationally." In fact, Mr. Orrik's DPV did not refer to plants fa.iling OSRE tests, but instead stated that "(w]eaknesses were identified in 47% of the plants evaluated to date." As previously explained in greater detail in the answer to Question 3 herein, all of these weaknesses were corrected.
1 e OSRE visits were conducted at 57 nuclear power plants between 1991 and 1998. During these visits, OSRE teams identified weaknesses at 27 plants; some of these weaknesses related to failures to prevent mock adversary forces from gaining access to vital equipment. Appropriate short-term and long-term measures were taken to upgrade security in response to these findings and were reinspected and found to be adequate.
For more detailed information and copies of the reports, see the response to Question 3, i herein.
e The 11 nuclear plants that have not had OSRE visits are Clinton, Comanche Peak, Davis-Besse, Ginna, Limerick, Perry, Quad Cities, Seabrook, St. Lucie, Susquehanna, and Watts Bar. However,10 of these 11 plants received reviews under the program that j preceded the OSRE program, known as the Regulatory Effectiveness Review (RER) ]
program. The eleventh plant, Watts Bar, did not receive an RER because the RER j program was terminated in 1991, and Watts Bar had not yet received its operational license at that time. Watts Bar received an OSRE during the week of April 26,1999, as j the first of the remaining 11 plants. 4 I
l
)
l
Question 8. According to the article, Mr. Orrik claimed that "[t]o perform well in force on force drills, plants were compelled to employ an average of 80% more personnel than their security plans called for." What was the basis for the security plans, and why were they inadequate to defend against simulated attacks? What plants,if any, have reduced the size of their response teams from that tested or assigned response personnel other duties?
Answer
- The basis of the security plan is the design basis threat described in 10 CFR 73.1(a)(1) for radiological sabotage at nuclear power plants. in 10 CFR 73.55(a), licensees are required to submit physical security plans that would satisfy the requirements of paragraphs 73.55(b) through (h). These plans are reviewed and approved by the NRC, with necessary adjustments, then incorporated into the license by license condition. Through this process, the NRC staff judges whether a site security plan is adequate, in the composite, to protect against the design basis threat and, thereby, comply with 10 CFR 73.55(a). The periodic inspections conducted by NRC's regional security inspectors verify that the licensees comply with the security plan commitments. Under 10 CFR 50.54(p),
licensees are permitted to make changes without prior Commission approvalif the changes do not decrease the safeguards effectiveness of the plan. All other changes must be submitted under 10 CFR 50.90 and require prior Commission approval.
- The initial NRC reviews of licensee security plans consist of in-office and on-site reviews by NRC inspectors and reviewers with appropriate expertise. These reviews are thorough in their own right; however, they do not include actual performance testing. Therefore, when performance testing is conducted, such as under the OSRE program, vulnerabilities may be identified that would have been difficult to detect during the initial reviews.
- Although the NRC is not aware of licensees that have reduced the available number of response force personnel to a level below that which was determined minimally necessary during the OSRE, ensuring that security plan commitments appropriately reflect the necessary response numbers is an issue that NRC will be addressing in the programs the agency is now considering. It should also be noted that severallicensees have been able j to reduce the number of response force personnel needed to defend their sites as a result j of lessons learned during the OSREs. These reductions were based on re-evaluation of )
defensive strategies, physical barriers, and time-lines used during the OSREs. Most j licensees have maintained the response force personnel strength at the same level as ;
1 that used during the OSRE.
i e As for assignment of response personael to other duties, some licensees have :
determined that personnel assigned response force duties can also be assigned collateral j l
duties such as a fire-watch. Most licensees are appropriately conservative with j l
l assignment of collateral duties in order to ensure that these personnel are able to i successfully meet established incident response time-lines. When collateral duties assigned to response personnel are found to be in significant conflict with time-lines used ;
during the OSRE, NRC inspectors have documented the occasions and licensees have j taken corrective actions. In at least one instance, a licensee assigned fire-watch duties to a response force team member which significantly interfered with that team member's ability to meet applicable response time-lines. As with other weaknesses, this problem has been corrected. Several other cases are currently being evaluated by NRC staff.
Question 9. Given that this program simulated the design basis threat, that the tested plants prepared for months and augmented personnel for the announced drills, and that most of the frequent failures were not due to violations of plant security plans, why are the plant security plans inadequate to meet the design basis threat?
Answer Even though the NRC believes that its regulations provide a sound basis for establishing a plant security plan that provides adequate protection of public health and safety, OSREs identified site-specific weaknesses that were not anticipated during the review and approval of the security plans. Therefore, the NRC has concluded that performance-based testing is necessary for demonstration of protection against a design basis threat. The NRC is currently
- evaluating the most efficient and offective ways of conducting performance testing.
r-l L Question 10. Why does a November 4,1998, NRC press statement on "the status of its Operational Safeguards Response Evaluation program" not state whether or not the program has been eliminated?
Answer
- The press statement was issued in response to the November 3,1998, L.A. Times article that dealt extensively with the cancellation of the OSRE program. In that light, it did not appear necessary to repeat the fact that OSRE was cancelled. However, in hindsight, since the press statement would have readers who were not privy to the L.A. Times article, it would have been more clear to establish the background for the issues discussed by mentioning the cancellation of the program.
l l
l l
b
Question 11. Do "the continuing NRC inspections and required compliance verification programs conducted by the licensees" mentioned in the press statement actually test whether the plants are operating according to their security plans and whether plant security is sufficient to protect against the design basis threat?
Answer
- The regulations in 10 CFR 73.55 are based on a level of protection necessary to protect against the design basis thre9' I icensees' physical security programs are designed to implement the requiremer.ts c' Sa Jon 73.55 with the goal of protecting against the design basis threat, as sim.i an A ; tion 73.55(a). NRC inspections and the licensees' own compliance program, ata designed to ensure that the security programs meet the requirements. Although nc; 3racifically required by regulations, drills are run by the security organizations to test and train the response forces.
l l
Question 12. The press statement states that "the NRC has recently undertaken a review of the appropriate role of performance testing in validating security at commercial nuclear power plants within the overall context of assuring an adequate level of protection." What approach is the Commission reviewing to replace the eliminated program and ensure nuclear plant security against sabotage and terrorist attacks? When do you expect the review to be completed, and when ;
do you expect any new measures to be in place? How would these measures compare in effectiveness to the program which was just canceled?
Answer
- A task force was formalized by a memorandum dated October 2,1998, and directed to consider whether new or revised regulations, inspection procedures, or policy decisions would be necessary to proceed with performance testing in the future. That task force forwarded its recommendations to the Commission on January 22,1999, a copy of which is attached to Question 4.
- Although the task force's recommendations are being considered, a modified OSRE program has been reinstated to continue with performance assessments at the 11 nuclear power plants not yet tested.
- As for the relative effectiveness of the new program over the old, the task force recommendations include more frequent exercising of the licensees' tactical response '
capability, with the NRC overseeing the exercises and reporting on its findings, it is expected that this increased frequency will result in a sustained readiness at each site, thereby providing a continuing assessment of licensee readiness as compared to that under the OSRE program in which each site was visited on an 8-year cycle.
r ._ . .
Question 13. How does the size of the truck bomb in the design basis threat compare with the size of the bomb used to attack the Murrah Federal Building in Oklahoma City and other rect.a'. terrorist bombs? What nuclear plants, if any, are not in full compliance with regulations designed to prevent truck bomb attacks, and what plants have been exempted from the generic regulations?
Answer
- Specifics of the design basis threat are sensitive safeguards information and, therefore, cannot be discussed in this forum. However, the design basis threat is reviewed semiannually to factor in the most recent information regarding terrorist actions. The Murrah Federal Building bombing was factored into this reconsideration. Likewise, any future terrorist actions would be considered in this semiannual review for determining the need to update the design basis threat.
- All operating nuclear plants installed vehicle barriers as required by 10 CFR 73.55(c),
without exemption. These plants were inspected over a 2-year period by NRC Headquarters and regional personnel, with the assistance of the U.S. Army Corps of Engineers. Only minor vulnerabilities were found at some of the plants, and these vulnerabilities have been corrected.
Question 14. What is the worst-case scenario for a terrorist or sabotage attack on a nuclear power plant, including but not limited to a core meltdown? Please include estimates of the number of deaths and number of injuries expected, and of the area over which environmental damage would occur.
Answer
- Sabotage attacks are initiating events in accident sequences; therefore, the worst-case scenario for a terrorist or sabotage attack does not differ from scenarios for other types of postulated reactor accidents. The environmental impacts are evaluated, along with a
- consideration of their likelihood, in individual environmental impact statements issued with
@ licensing approval for each plant. The risks from these scenarios is considered when reviewing a request for a license. Because of the substantiallevels of defense against such scenarios, the risks from them are very low.
- OSREs were set up to determine if any vulnerabilities exist in a site-specific security program. The OSREs set criteria for determining successful sabotage of vital equipment.
If these criteria were met, an assumption was made that sabotage could occur. However, other than identification of the equipment and criteria, consequence evaluations were not conducted. OSREs were limited to security scenarios involving safety equipment, and any security weaknesses identified in the process were to be addressed; but the exercises did not address the safety sequences that would ensue from the sabotage event. The plant staff's ability to recover from and/or mitigate the coneequences of a postulated act of sabotage were not considered.
g i
- ? ;.
Question 15. Have there been any recent creedible threats of terrorism or sabotage against
. U.S. nuclear plants? If so, againa ,vhich plants and by whom were the threats made?-
' Answer
- All reported threats to NRC-licensed nuclear power plants are assessed by the NRC Information Assessment Team. This team is on call 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> a day and is composed of NRC Headquarters and regional staff. During recent months, one reported threat was assessed as having low but sufficient credibility to warrant an NRC threat advisory. The threat was general in nature, and the timeframe for the threatened action passed without incident.
l l
5-..:
In addition to the above, the November 10,1998 letter from Congressman Markey also '
requested the following:
Please enclose a copy of NRC Information Notice 98-35 dated September 4,1998,
" Threat Assessments and Consideration of Heightened Physical Protection Measures," as ;
well as any reports, memoranda, " Differing Professional Views," or other correspondence f L from NRC staff or contractors concerning the elimination of the anti-terrorist program. l 1
- Answer '!
)
- - A copy of the unclassified version of Information Notice 98-035 is attached. Copies of the l Differing Professional Views are attached with Question 4. !
)
I
Attachment:
IN 98-35 l
f i
I
p
..c UNITED STATES i 9(' NUCLEAR REGULATORY COMMISSION OFFICE OF NUCLEAR REACTOR REGULATION L'
WASHINGTON, D.C. 20555-0001 September 4,1998 NRC INFORMATION NOTICE 98-35: THREAT ASSESSMENTS AND CONSIDERATION OF HEIGHTENED PHYSICAL PROTECTION MEASURES
! Addressees
( All U.S. Nuclear Regulatory Commission fuel cycle facilities, power and non-power reactor -
licensees.
! P_urpose The U.S. Nuclear Regulatory Commission (NRC) is issuing this Information Notice to inform addressees of factors considered by the NRC when assessing threats and disseminating that information to its licensees. This Information Notice advises addressees of the NRC's suggestion of what additional physical protection measures should be considered for the threat ~
. conditions described below, it is expected that recipients will review the information for applicability to their facilities. The information provided herein is not an NRC requirement and, therefore, no written response is required from addressees.
l Desenption of Circumstances The NRC issues threat advisories to licensees to notify them of specific changes in the threat l environment which may prompt consideration when temporary upgrades to a licensee's site l physical protection posture may be advisable. Threat advisories issued by the NRC are l unclassified and, therefore, use generallanguage which could be subject to various interpretations and result in a corresponding variety of physical protection responses from
! licensees. To avoid misunderstanding of future NRC threat advisories and to facilitate an appropriate and comparable level of physical protection response throughout the nuclear
. Industry, the following discussion of threat levels and appropriate response levels is provided.
Discussion f
The NRC routinely reviews a variety of classified threat-related information and works closely l i
with other Federal agencies, including the Intelligence Community, concemed with counter- .j terrorism. In addition, the NRC participates in two threat alert and advisory systems maintained j by the Department of State and the Federal Bureau of Investigation. In a very limited number of circumstances, the NRC has concluded that a threat advisory is necessary and some additional temporary physical protection measures may be prudent.
9809040364 )
Attachment I
[ hdhhSk '
.o IN 98-35 Y September 4,1998 l I'
Page 2 of 3 Page 2 intentionally left blank l
i Original Page 2 contained Safeguards information as specified in 10 CFR 73.21 l
l l
r
~
6 IN 98-xx
/
September xx,1998 Page 3 of 3
'As stated above, the information provided herein is not an NRC requirement and, therefore, no written response is required from addressees.
If you have any questions about the information in this notice please contact an NRC Information Assessment Team (IAT) member listed below or the cognizant office project manager.
hhr
- b Elizabeth Q. Ten Eyck, Director , JackTN. oe, Acting Director
/ Division of Fuel Cycle Safety Division of Reactor Prograrn Management and Safeguards Office of Nuclear Reactor Regulation Office of Nuclear Material Safety and Safeguards NMSS lAT contact: John Davidson -
301-415-8130 JJD@NRC. GOV
- NRR IAT contact: Eugene McPeek 301-415-3210 EWM2@NRC. GOV
Attachment:
List of Recently issued NRC Information Notices q
f: '
a 2133 Ravesm% svitoAG
,1 ". TimE() D41Jact.
WARD.J. MAfiKEY Massacuvtt'TS C2 2 28 6
.,, COMMEICE COMMITTit DISTRsCT OHictS 5!B35"u ,, Congregg of tije Unittb Starts ,= '=t-JtwD CONSUMim Pn0TICTiCN 0 011296-2900 Mi&OURCE S COMMITTil .
QQ${ Of h[p[fh(U[d{fh&I tes CONCORD 5WEUuff t 102 COMMISSION ON StCumrTV AND PAAMINGHAM. M A 01702 c a n a^'o~'a'ua " Hiastjington, DC 20515-2107 < =
- 2=
November 10,1998 l
Shirley Ann Jackson Chairman Nuclear Regulatory Commission Washington, DC 20555
Dear Ms. Jackson:
I am writing to express my concerns about the reported recent elimination of the NRC counter-terrorism programs called Operational Safeguards Response Evaluations and Regional LAssists Although I understand the constraints recent budget cuts have imposed on the Commission, it is also clear that tenorism is a significant threat to nuclear reactor safety and hence to public safety. Recent bombings of U.S. embassies in Kenya and Tanzania, and previous attacks against the World Trade Center in New York and the Murrah Federal Building in Oklahoma City, show both the desire and the ability of terrorists to mount serious attacks against large, well-protected U.S. targets. The widespread death and long term environmental damage j from the Chemobyl disaster have underscored that the destruction resulting from a successful attack on a nuclear reactor could dwarf the impact of terrorist attacks on other targets. In light of the potential threats, this is not the time to relax protection against terrorist attacks on nuclear power plants.
A November 3,1998 article in the Los Angeles Times by Frank CliNord,"U.S. Drops Anti-Terrorist Tests at Nuclear Plants," describes serious plant security lapses discovered by the
. canceled counter-terrorism program. According to the article, a simulated attack by an NRC team would have been able to cause a core melt at one nuclear power plant. At Vermont Yankee
' this past March, a team was able to scale plant fences undetected at several locations and to slip a fake handgun past a plan' t security check. Nearly half of the tests run by the NRC program
. identified security problems, but not all plants were tested. The article also describes industry opposition to NRC's efforts to prevent nuclear terrorism, reportedly due to the cost of upgrading .
. security at nuclear plants and due to questions about NRC's legal authority to condu:t these oversight activities. The article further indicates that cuts in the NRC's budget may have contributed to the decision to terminate this safety program.
The program's success in identifying weaknesses in nuclear plant security and prompting improvements appears to have been worth its small cost. In light of the record of this counter-fitoffED ON EWCvCLAD PAPtn fAA OA z,. . . . - . . .
terrorism program and the seriousness of the terrorist threat, I request your assistance and cooperation in providing responses to the following questions: '
- l. On what basis was this program selected for elimination? Given the NRC's current emphasis on " risk-informed" decisions, how was the risk of a terrorist attack evaluated and compared to other nuclear safety issues?
- 2. Did NRC commissioners vote on the decision to eliminate this program? If so, how did each commissioner vote? If not, who made the decision?
1
- 3. The article quotes Mr. David Orrik, the director of the program, as saying an agency team !
"was able to reach and simulate sabotaging enough equipment to cause a core melt." At what plants would the simulated attack have been able to cause a core meltdown or other severe effects? Please provide the Inspection Reports and any Notices of Violation ensuing from these inspections. Also please estimate what the cost in money and lives-would have been if these attacks had been real.
- 4. The article mentions a memo from several NRC security officials and written objections to the program elimination by eleven NRC inspection officials. Please provide the memo, all written objections, and the Commission's response to these objections.
- 5. Mr. Richard Rosano of the NRC is quoted as saying utility companies " felt they were having to spend a great deal of money.to gear up for exercises that some didn't believe there was any authority for." What nuclear utilities or trade groups have questioned the M legal authority for the program or supported elimination of the program? Was there ,
industry support for keeping the program? What was the average and/or range of costs to j plants to prepare for and respond to the security drills?
- 6. Does the Commission believe that it lacks legal authority to run the program? Please provide any NRC documents or raemoranda that describe, analyze, or explain the legal l i
g(f C issues. If the Commission is concemed about its legal authority to conduct the program, i why did the Commission not request remedial legislation that would make clear NRC's authority to oversee and test plant security, rather than cancel the program? i
- 7. The Times article claims that 47% of tested plants did not pass anti-terrorist tests. Please provide a list of all plants that did not perform satisfactorily in anti-terrorist tests and describe the ways in which each plant failed and whether they have corrected the j
-identified problems. The article also states that eleven plants have not been tested.
l Please provide a list of all plants that have not been tested since the program's inception in 1991 using " force on force drills."
- 8. According to the article, Mr. Orrik claimed that "[t]o perform well in force on force drills,
]
plants were compelled to employ an average of 80% more personnal than their security l
1
..._.._.m..__- .
[ , ,_ .
plans called for." What was the basis for the security plans, and why were they inadequate to defend against simulated attacks? What plants,if any, have reduced the size of their response teams from that tested or assigned response personnel other duties?
- 9. _ Given that this program simulated the design basis threat, that the tested plants prepared for months and augmented personnel for these announced drills, and that most of the frequent failures were not due to violations of plant security plans, why are the plant security plans inadequate to meet the design basis threat?
- 10. Why does a November 4,1998 NRC press statement on "the status ofits Operational Safeguards Response Evaluations program" not state whether or not the program has been eliminated?
L 11. Do "the continuing NRC inspections and required compliance verification programs conducted by the licensees" mentioned in the press statement actually test whether the plants are operating according to their security plans and whether plant security is j sufficient to protect against the design basis threat? 1 L 12. The press statement states that "the NRC has recently undertaken a review of the appropriate role of performance testing in validating security at commercial nuclear power plants within the overall context of assuring an adequate level of protection."
, What approaches is the Commission reviewing to replace the eliminated program and
! ensure nuclear plant security against sabotage and terrorist attacks? When do you expect
! the review to be completed, and when do you expect any new measures to be in place?
How would these measures compare in effectiveness to the program which wasjust
~
canceled?
' 13. How does the sin of the truck bomb in the design basis threat compare with the size of the bomb used to attack the Murrah Federal Building in Oklahoma City and other recent l p g55 terrorist bombs? What nuclear plants, if any, are not in full compliance with regulations designed to prevent truck bomb attacks, and what plants have been exempted from the
! generic regulations?
- 14. What is the worst-case scenario for a tenorist or sabotage attack on a miclear power plant, l including but not limited to a core meltdown? Please include estimates of the number of i- p tW. deaths and number ofinjuries expected, and of the area over which environmental damage would occur.
- 15. Have there been any recent credible threats of terrorism or sabotage against U.S. nuclear WMM plants? If so, against which plants and by whom were the threats made?
In addition,I would appreciate receiving a copy of the NRC Information Notice 98-35 dated September 4,1998," Threat Assessments and Consideration of Heightened Physical Protection i .
[; ..............:.....~..-... . . - - . . - - - - . . . --.-. .
=-
o- ,
Measures," as well as any reports, memoranda, " Differing Professional Views," or other correspondence from NRC staff or contractors conceming the elimination of the anti-terrorist program.
Thank you for your attention to this serious matter. If you have questions concerning this letter please feel free to contact Mr. Lowell Ungar or Mr. Jeffrey Duncan on my staff at (202)225-2836.
Sincerely, j i
Edward J. Markey { ,
Member of Congress I l
l l
1
.........._.._._ _ ..- - . _ _ . _ . , . . . . . . . . . . . . .