Nuclear Regulatory Commission: Oversight of Security at Commercial Nuclear Power Plants Needs to Be Strengthened

GAO-03-752 September 4, 2003

Summary

The September 11, 2001, terrorist attacks intensified the nation's focus on national preparedness and homeland security. Among possible terrorist targets are the nation's nuclear power plants--104 facilities containing radioactive fuel and waste. The Nuclear Regulatory Commission (NRC) oversees plant security through an inspection program designed to verify the plants' compliance with security requirements. As part of that program, NRC conducted annual security inspections of plants and force-on-force exercises to test plant security against a simulated terrorist attack. GAO was asked to review (1) the effectiveness of NRC's security inspection program and (2) legal challenges affecting power plant security. Currently, NRC is reevaluating its inspection program. We did not assess the adequacy of security at the individual plants; rather, our focus was on NRC's oversight and regulation of plant security.

NRC has taken numerous actions to respond to the heightened risk of terrorist attack, including interacting with the Department of Homeland Security and issuing orders designed to increase security and improve plant defensive barriers. However, three aspects of its security inspection program reduced NRC's effectiveness in overseeing security at commercial nuclear power plants. First, NRC inspectors often used a process that minimized the significance of security problems found in annual inspections by classifying them as "non-cited violations" if the problem had not been identified frequently in the past or if the problem had no direct, immediate, adverse consequences at the time it was identified. Non-cited violations do not require a written response from the licensee and do not require NRC inspectors to verify that the problem has been corrected. For example, guards at one plant failed to physically search several individuals for metal objects after a walk-through detector and a hand-held scanner detected metal objects in their clothing. The unchecked individuals were then allowed unescorted access throughout the plant's protected area. By making extensive use of non-cited violations for serious problems, NRC may overstate the level of security at a power plant and reduce the likelihood that needed improvements are made. Second, NRC does not have a routine, centralized process for collecting, analyzing, and disseminating security inspections to identify problems that may be common to plants or to provide lessons learned in resolving security problems. Such a mechanism may help plants improve their security. Third, although NRC's force-on-force exercises can demonstrate how well a nuclear plant might defend against a real-life threat, several weaknesses in how NRC conducted these exercises limited their usefulness. 
Weaknesses included using (1) more personnel to defend the plant during these exercises than during a normal day, (2) attacking forces that are not trained in terrorist tactics, and (3) unrealistic weapons (rubber guns) that do not simulate actual gunfire. Furthermore, NRC has made only limited use of some available improvements that would make force-on-force exercises more realistic and provide a more useful learning experience. Even if NRC strengthens its inspection program, commercial nuclear power plants face legal challenges in ensuring plant security. First, federal law generally prohibits guards at these plants from using automatic weapons, although terrorists are likely to have them. As a result, guards at commercial nuclear power plants could be at a disadvantage in firepower, if attacked. Second, state laws vary regarding the permissible use of deadly force and the authority to arrest and detain intruders, and guards are unsure about the extent of their authorities and may hesitate or fail to act if the plant is attacked.



Recommendations

Our recommendations from this work are listed below with a Contact for more information. Status will change from "In process" to "Implemented" or "Not implemented" based on our follow-up work.



Recommendations for Executive Action


Recommendation: To strengthen NRC's security inspection program, the NRC Commissioners should ensure that NRC's revised security inspection program and force-on-force exercise program are restored promptly and require that NRC regional inspectors conduct follow-up visits to verify that corrective actions have been taken when security violations, including non-cited violations, have been identified.

Agency Affected: Nuclear Regulatory Commission

Status: Implemented

Comments: NRC has reinstated revised inspection and force-on-force exercise programs. If significant problems are identified, NRC inspection staff do not leave the site until compensatory actions are taken. Although NRC inspectors do not later follow up on all security violations to determine if they have been corrected, they are selecting a sample of corrective actions for verification.

Recommendation: To strengthen NRC's security inspection program, the NRC Commissioners should ensure that NRC routinely collects, analyzes, and disseminates information on security problems, solutions, and lessons learned and shares this information with all NRC regions and licensees.

Agency Affected: Nuclear Regulatory Commission

Status: Implemented

Comments: NRC now gathers information on security problems, solutions, and lessons learned and shares such information through various means. NRC initially experienced technology shortcomings and security concerns related to developing a computer-based system. However, according to NRC, it has addressed these concerns and plans no further action in response to the recommendation.

Recommendation: To strengthen NRC's security inspection program, the NRC Commissioners should make force-on-force exercises a required activity and strengthen them by conducting the exercises more frequently at each plant.

Agency Affected: Nuclear Regulatory Commission

Status: Implemented

Comments: NRC has made force-on-force exercises a required activity and has substantially increased their frequency from once every 8 years to once every 3 years at each nuclear power site. The energy bill recently signed by the President also requires NRC to conduct force-on-force exercises every 3 years at each site.

Recommendation: To strengthen NRC's security inspection program, the NRC Commissioners should make force-on-force exercises a required activity and strengthen them by using laser equipment to ensure accurate accounts of shots fired.

Agency Affected: Nuclear Regulatory Commission

Status: Implemented

Comments: In August 2004, the NRC Commissioners approved the use of Multiple Integrated Laser Engagement Equipment (MILES) or other exercise simulated equipment found acceptable by NRC. The NRC staff subsequently incorporated the use of this equipment into its Inspection Procedure dated November 10, 2004. In November 2004, the staff began conducting evaluated force-on-force exercises as a triennial requirement using MILES equipment in accordance with the inspection procedure. The equipment has been used in all exercises since.

Recommendation: To strengthen NRC's security inspection program, the NRC Commissioners should make force-on-force exercises a required activity and strengthen them by requiring the exercises to make use of the full terrorist capabilities stated in the design basis threat, including the use of an adversary force that has been trained in terrorist tactics.

Agency Affected: Nuclear Regulatory Commission

Status: Implemented

Comments: After incorporating the revised design basis threat and the use of a composite adversary force (CAF) in its inspection procedure dated November 10, 2004, NRC staff began conducting evaluated force-on-force exercises fully using the revised design basis threat and the CAF in accordance with the inspection procedure. The CAF, which is trained in terrorist tactics, is provided by the industry but meets NRC standards and operates under NRC supervision. NRC continues to assess the performance of the CAF in each exercise and states that it will require improvements, if appropriate, up to and including developing an NRC contracted adversary force.

Recommendation: To strengthen NRC's security inspection program, the NRC Commissioners should make force-on-force exercises a required activity and strengthen them by continuing the practice, begun in 2000, of prohibiting licensees from temporarily increasing the number of guards defending the plant and enhancing plant defenses for force-on-force exercises, or requiring that any temporary security enhancements be officially incorporated into the licensees' security plans.

Agency Affected: Nuclear Regulatory Commission

Status: Implemented

Comments: With the reinstatement of the force-on-force exercise program, NRC is continuing its practice of prohibiting licensees from temporarily enhancing plant security solely for force-on-force exercises by increasing the number of security officers defending the plant during the exercises. Currently, the number of security officers defending the plant during an exercise is limited to the number the plant commits to in its NRC-approved security plan.

Recommendation: To strengthen NRC's security inspection program, the NRC Commissioners should make force-on-force exercises a required activity and strengthen them by enforcing NRC's requirement that force-on-force exercise reports be issued within 30 to 45 days after the end of the exercise to ensure prompt correction of the problems noted.

Agency Affected: Nuclear Regulatory Commission

Status: Implemented

Comments: NRC's inspection procedure for its new force-on-force exercise program requires the inspection team to prepare reports on the findings within 30 to 45 days after the exercise is completed. For the first nine force-on-force exercises conducted under the reinstated program, seven reports were essentially issued on time: four were issued in 45 days or less and three were only 1, 2, or 4 days after the 45 days. The other two reports were 15 and 44 days late.