Nuclear Regulatory Commission:
Preliminary Observations on Efforts to Improve Security at Nuclear Power Plants
GAO-04-1064T, Sep 14, 2004
The events of September 11, 2001, and the subsequent discovery of commercial nuclear power plants on a list of possible terrorist targets have focused considerable attention on the plants' capabilities to defend against a terrorist attack. The Nuclear Regulatory Commission (NRC), an independent agency established by the Energy Reorganization Act of 1974 to regulate the civilian use of nuclear materials, is responsible for regulating and overseeing security at commercial nuclear power plants. GAO was asked to review (1) NRC's efforts since September 11, 2001, to improve security at nuclear power plants, including actions NRC has taken to implement some of GAO's September 2003 recommendations to improve security oversight and (2) the extent to which NRC is in a position to assure itself and the public that the plants are protected against terrorist attacks. This testimony reflects the preliminary results of GAO's review. GAO will issue a more comprehensive report in early 2005.
NRC responded quickly and decisively to the September 11, 2001, terrorist attacks with multiple steps to enhance security at commercial nuclear power plants. NRC immediately advised the plants to go to the highest level of security according to the system in place at the time and issued advisories and orders to the plants to make certain enhancements, such as installing more physical barriers and augmenting security forces, that could be completed quickly to shore up security. According to NRC officials, their inspections found that the plants complied with these advisories and orders. Later, in April 2003, NRC issued a new design basis threat (DBT), which establishes the maximum terrorist threat that a facility must defend against, and required the plants to develop and implement new security plans to address the new threat by October 2004. It is also improving its force-on-force exercises, as GAO recommended in its September 2003 report. These exercises are an important agency tool to ensure that the plants' security plans are adequate to protect against the DBT. While its efforts to date have enhanced security, NRC is not yet in a position to provide an independent determination that each plant has taken reasonable and appropriate steps to protect against the new DBT. According to NRC officials, the facilities' new security plans are on schedule to be implemented by October 2004. However, NRC's review of the plans, which are not available to the general public for security reasons, has primarily been a paper review and is not detailed enough for NRC to determine if the plans would protect the facility against the threat presented in the DBT. For example, the plans GAO reviewed are largely based on a template and often do not include important site-specific information, such as where responding guards are stationed, how the responders would deploy to their defensive positions, and how long deployment would take. In addition, NRC officials are generally not visiting the facilities to obtain site-specific information and assess the plans in terms of each facility's layout. NRC is largely relying on force-on-force exercises it conducts to test the plans, but these exercises will not be conducted at all facilities for 3 years. NRC's oversight of plants' security could also be improved. However, NRC does not plan to make some improvements in its inspection program that GAO previously recommended and still believes are needed. For example, NRC is not following up to verify that all violations of security requirements have been corrected or taking steps to make "lessons learned" from inspections available to other NRC regional offices and nuclear power plants. Moreover, if NRC needs to revise its DBT further as the terrorist threat is better defined, it will need longer to make and test all the necessary enhancements. The Department of Energy, for example, is currently reviewing the DBT for its nuclear facilities.