Chairman Dale E. Klein
U.S. Nuclear Regulatory Commission
11555 Rockville Pike
Rockville, MD 20852
Via email to SECY@nrc.gov and
Via facsimile: (301) 415-1757
Dear Chairman Klein:
The Project On Government Oversight (POGO) is an independent nonprofit that investigates and exposes corruption and other misconduct in order to achieve a more accountable federal government. For over five years, POGO has been investigating the systemic security failures at our nation’s nuclear power plants. One of the most recent security incidents was at Tennessee Valley Authority’s (TVA) Sequoyah nuclear power plant in Tennessee.
Sequoyah’s policy was to allow crates and other containers with manufacturers’ seals to enter uninspected through the vehicle portal and then be delivered to the Protected Area of the plant. In the recent incident, one of these large crates was, as is allowed by the policy, delivered to the Protected Area and left unattended. When the crate was finally opened, it was found to contain 30 assault rifles. Although it turns out these weapons had been ordered by the facility, no one knew what was in the crate until it was opened – two days after its delivery to the Protected Area. It could have contained anything from canned soup to explosives set to detonate.
The incident exposes a significant security flaw. However, NRC and TVA responses to press inquiries have irresponsibly down-played the seriousness of this vulnerability. As any security expert knows, uninspected containers should never be allowed into Protected Areas. It is not difficult to either steal or counterfeit manufacturers’ seals. If insiders wanted to inflict serious damage to the plant, they could have simply shipped explosives, weapons, and ammunition into the Protected Area and taken the plant down from the inside. The result would be catastrophic.
POGO is not suggesting that the assault rifles in this case were an unauthorized delivery nor, thankfully, did they fall into the wrong hands (although it is our understanding that the TVA employees who opened the crate were not authorized to have access to weapons). But this event demonstrated a serious vulnerability. We have discussed the incident with several security officials at the NRC and, according to them, the NRC immediately changed the procedures at the vehicle portal upon learning about the incident: Now all the contents of vehicles are to be inspected before being permitted into the Protected Area. Furthermore, the NRC also claims that this vulnerability has now been addressed at other plants. Apparently, the flawed policy was not limited to the Sequoyah facility. However, POGO understands from inside sources that despite this change in policy, some containers are still not being inspected.
In addition, we have been told that there is a witch hunt underway by Pinkerton, Sequoyah’s security contractor, to find out who has talked to the NRC, POGO, and the media about the assault rifle incident. In fact, in an earlier apparent attempt to retaliate against a security officer who tried to bring security vulnerabilities to the attention of the NRC, Pinkerton wrongfully put this officer on unpaid leave for several months. They also forced this officer to go to a psychiatrist. The security officer sued, and Pinkerton was forced to cease its retaliation. However, in a proposed settlement agreement, Pinkerton attempted to get the security officer to sign a gag agreement. The gag order would have prohibited the officer from contacting anyone, including the NRC, about security problems at the plant unless subpoenaed. As you know, security officers not only have the Constitutional right to talk to anyone they choose as long as they do not divulge classified or safeguards information, but in fact they have the duty to do so if their superiors continue to ignore long-standing security vulnerabilities.
This ability to report problems directly to NRC Headquarters is especially important because, over the years, POGO has seen a pattern of NRC Regional offices being aware of security problems but not informing NRC Headquarters. For instance, there is evidence that NRC’s Region II was warned about the vehicle portal vulnerability three months prior to the assault rifle incident, yet took no action to solve the security problem until after the incident. NRC Headquarters claimed it was not aware that Region II had known about this vulnerability. In another example, Region I was long aware of training problems and security officer fatigue that significantly compromised nuclear power plant security, but never informed Headquarters. NRC Headquarters did not become aware of the problem, which still hadn’t been fixed eight months after 9/11, until POGO released its report Nuclear Power Plant Security: Voices from Inside the Fences. It is time for the NRC personnel responsible for keeping Headquarters out of the loop to be held accountable.
POGO is also concerned about Sequoyah’s ability to meet the Design Basis Threat (DBT). In a separate incident at Sequoyah, a tractor trailer recently pulled up in front of the Access Control Portal and the driver left the vehicle. He was lost. However, had this been a truck bomb, which the DBT requires a plant protect against, a directed blast could have taken out the Access Control Portal, the Central Alarm Station, the armory, the NRC building, and 15-20 security officers at shift change in the Access Control Portal. This, of course, is one of the main scenarios for an attack on a nuclear facility – a truck bomb blast at the main portal and land attacks at separate locations aimed at the target sets. We certainly hope this vulnerability has been resolved.
These incidents at Sequoyah raise the question, how are these vulnerabilities handled in the Vulnerability Assessments and Site Security Plans for Sequoyah, which were approved by the NRC? We would like to meet with you, as we have done with Commissioners Edward McGaffigan and Greg Jaczko in the past, to discuss these and other security concerns. If you have any questions or require further information, please contact me at (202) 347-1122.