POGO's Public Comments on "Security Inspection and Security Performance Assessment of NRC Licensees"

Submitted: September 11, 2008

The Project On Government Oversight’s Public Comments

Docket ID: NRC-2008-0413

Docket Title: Security Inspection and Security Performance Assessment of NRC Licensees

Document ID: NRC-2008-0413-0001

Document Title: Possible Improvements to the Level of Openness and Transparency of Information Associated With NRC Security Inspection and Security Performance Assessment of NRC Licensees

Weaknesses of the Current System of Public Access to Security Information

The Project On Government Oversight (POGO) is an independent nonprofit that investigates and exposes corruption and other misconduct in order to achieve a more accountable federal government. POGO has conducted a number of investigations into nuclear security and found numerous weaknesses. We have also found that there is a lack of public access to security information.

The Nuclear Regulatory Commission (NRC) is hiding behind 9/11 as an excuse not to inform the public of pertinent information. In contrast to the NRC, recent force-on-force (FOF) tests at the Lawrence Livermore National Laboratory (LLNL) were by DOE’s own words “catastrophic,” as the adversarial force overwhelmed the guard force and gained access to highly enriched uranium (HEU) and plutonium in both theft and Improvised Nuclear Device (IND) scenarios. POGO learned about some of the specifics of the failure, and DOE admitted to others. Compensatory measures were put in place. Once the story got out in a major news magazine, important improvements were ordered throughout the complex in training, performance testing of high-tech weapons, etc. The public discussion of this failure and the resulting improvements were not considered a roadmap to terrorists.

NRC’s annual Report to Congress on the Security Inspection Program for Commercial Power Reactor and Category I Fuel Cycle Facilities: Results and Status Update and NRC’s cover letters to its security inspection reports are meaningless to the public for many reasons, including:

• Absence of Pertinent Information – As all politics are local, so is the concern over the security of nuclear power plants. Given the risks and the history of events such as security lapses at Peach Bottom, Indian Point, and Salem and Hope Creek nuclear power plants, the public wants to know how well the facility in their backyard is able to handle the terrorist threat. NRC Commissioners and staff have assured us that once vulnerabilities are discovered during FOF tests, compensatory measures are implemented to eliminate the vulnerabilities prior to the NRC leaving the plant. Yet, the NRC does not provide the public even the most basic information on security inspections and FOF tests, such as:

Which. The Report to Congress does not state the number of FOF performance tests NRC’s contractor adversary force ran against the guard forces at unnamed nuclear power plants. The general tenor of the NRC’s reports to Congress is that the vast majority of the plants are well protected. However, the reports leave major information gaps such as the number of findings at each of the plants. If you live in Westchester County and are concerned about security at the Indian Point nuclear power plant, what does this Report tell you if it does not name the power plant? What. NRC’s cover letters to its security inspection reports do not adequately inform the public about the criteria used in evaluating security at the plants. How. NRC’s cover letters do not tell the public how the security investigations are carried out.

• Incomplete Information – As NRC does not provide the number of FOF that are run, and other basic information, it is hard to determine the credibility of its statement in the 2007 Report to Congress that there were only a total of five findings from security inspections.

• A staff member at POGO has been present at more than 50 FOF tests at the Department of Energy’s (DOE) nuclear weapons sites and found that at the majority, there were significant failures at some and less serious failures at the others. Thus, it is hard to believe that NRC had so few findings.

Nuclear power plants are protecting against a Design Basis Threat (DBT) that is unrealistically low–not only the number of attackers, but the kinds of weapons the mock-terrorists are allowed to bring to the fight. The plant is told six to eight months ahead of time that there will be a FOF test. The plants are allowed to choose which guards are to be tested. (Obviously, the youngest and best shots are chosen, and the unit is heavily trained in the lead up to the test). The guards know within a 2-3 hour window that an attack will take place. In the military, this is called “leaning forward in the fox hole.” Surprise, of course, is the greatest advantage attackers have. There is none in the NRC tests. The DBT for Category I facilities at Nuclear Fuel Services (NFS) in Erwin, TN and Nuclear Products Division of BWXT in Lynchburg, VA is significantly below the DBT for DOE sites with the very same types of special nuclear material. For example, the number of attackers in the NFS DBT is slightly larger than the power plants, but less than half that of the Pantex Plant. Unlike DOE sites with the same material, NRC’s Category I DBT scenarios do not guard against the threat of terrorists creating an Improvised Nuclear Device (IND). These NRC licensees have a large inventory of highly enriched uranium (HEU)—the material terrorists are most interested in acquiring because INDs are so easy to create using it.

The 2007 NRC Report to Congress indicates that the major security concern is terrorists stealing special nuclear material. It fails to mention that an equally significant risk is of terrorists constructing an IND on site, which can take only minutes. To steal HEU, terrorists have to get in and out of the facility; with an IND , they only have to get in the facility.

The NRC may actually be unaware of the exact risk its Category 1 licensees face when it comes to IND creation. Sources have told POGO that DOE refuses to share its information with the NRC on the timelines to create an IND.

Weak Measures – The information provided to the public is even less telling about the security of commercial power reactors and Category I fuel cycle facilities given the serious weaknesses in NRC’s FOF performance tests:

Recommendations

• POGO believes that after FOF performance tests are conducted and the guard force is unable to protect the target sets, the NRC should release a good deal of information about the results without revealing current vulnerabilities.
• Information that should be released regarding FOF tests and security inspections include:
  1. the results;
  2. what other failures occurred;
  3. why the failures happened;
  4. when;
  5. if the adversaries got to the target sets;
  6. what damage could have occurred;
  7. any other generic problems that may be present at other power plants; and
  8. how the problems got corrected.

POGO believes that after FOF performance tests are conducted and the guard force is unable to protect the target sets, the NRC should release a good deal of information about the results without revealing current vulnerabilities.Information that should be released regarding FOF tests and security inspections include:

1. the results;
2. what other failures occurred;
3. why the failures happened;
4. when;
5. if the adversaries got to the target sets;
6. what damage could have occurred;
7. any other generic problems that may be present at other power plants; and
8. how the problems got corrected.

If the information is made public, it would have a ripple effect throughout the industry because other plants do not want to be embarrassed. For example, because of the publicity surrounding the films of sleeping guards at the Peach Bottom Atomic Power Station, other power plants, the nuclear power industry in general, and DOE weapons facilities became more vigilant. One licensee told his staff to watch for potential inattentiveness and overtime hours “because we don’t want a Peach Bottom here.”

• Address serious vulnerabilities in NRC’s security apparatus:

• Install more barriers and delay mechanisms to extend timelines from the site perimeter to the targets sets.
• Increase training and performance testing of high-tech weapons such as Remote Operated Weapon System (ROWS).
• Address the vulnerabilities of Bullet Resistant Enclosures (BRE).
• Bolster the DBT for Category I facilities to account for INDs.

NRC should demand that it be briefed by the DOE on the critical information about the timelines to create an IND.NRC should explain the incredible discrepancy between the DBTs of Erwin, TN and Lynchburg , VA with those of the Pantex Plant.