NRC Security Regulations (DBT) Inadequate
Basis Threat (DBT), January 2007
The NRC requires its licensees to defend against a design
basis threat (DBT), a postulated attack that has become more severe over
time. The present DBT for nuclear power plants was promulgated in
January 2007. Details are not publicly available.
We know from what is published on NRC’s website [10 CFR
73.1 Purpose and scope, June 14, 2007] the plan is to defend against
sabotage from the following:
"(i) A determined violent external assault, attack by
stealth, or deceptive actions, including diversionary actions, by an
adversary force capable of operating in each of the following modes: A
single group attacking through one entry point, multiple groups
attacking through multiple entry points, a combination of one or more
groups and one or more individuals attacking through multiple entry
points, or individuals attacking through separate entry points, with the
following attributes, assistance and equipment:
(A) Well-trained (including military training and skills)
and dedicated individuals, willing to kill or be killed, with sufficient
knowledge to identify specific equipment or locations necessary for a
(B) Active (e.g., facilitate entrance and exit, disable
alarms and communications, participate in violent attack) or passive
(e.g., provide information), or both, knowledgeable inside assistance;
(C) Suitable weapons, including handheld automatic
weapons, equipped with silencers and having effective long range
(D) Hand-carried equipment, including incapacitating
agents and explosives for use as tools of entry or for otherwise
destroying reactor, facility, transporter, or container integrity or
features of the safeguards system; and
(E) Land and water vehicles, which could be used for
transporting personnel and their hand-carried equipment to the proximity
of vital areas; and
(ii) An internal threat; and
(iii) A land vehicle bomb assault, which may be
coordinated with an external assault; and
(iv) A waterborne vehicle bomb assault, which may be
coordinated with an external assault; and
(v) A cyber attack."
the problem with the DBT?
At first glance the current DBT seems impressive,
however it cannot be that good in practice, given:
(A) The equipment that NRC requires for an onsite
security force. Major items of required equipment are semiautomatic
rifles, shotguns, semiautomatic pistols, bullet-resistant vests, gas
masks, and flares for night vision.[10 CFR 73 Appendix B – General
Criteria for Security Personnel, Section V, accessed from the NRC web
site (www.nrc.gov) on 14 June 2007.] Plausible attacks could overwhelm a
security force equipped in this manner.
(B) Press reports state that the assumed attacking force
contains no more than six persons [H. Josef Hebert, Associated Press, "NRC
rejects plan for power plants to stop airliner attacks", The Boston
Globe, January 30, 2007.]
(C) The average US nuclear-plant site employs about 77
security personnel that cover multiple shifts. Thus, comparatively few
guards are on duty at any given time.
[Mark Holt and Anthony Andrews, Nuclear Power Plants:
Vulnerability to Terrorist Attack, Washington, DC: Congressional
Research Service, 4 October 2006].
The 2007 DBT rule "does not require protection against a deliberate hit
by a large aircraft", and that "active protection [of nuclear power
plants] against airborne threats is addressed by other federal
organizations, including the military." [NRC Press Release No. 07-012,
29 January 2007.]
NRC Should Strengthen Reactor
Reactor Security Rulemaking Comments
The 9/11 tragedy prompted the Nuclear Regulatory
Commission (NRC) to undertake a "top to bottom" review of security
requirements for nuclear power plants. As this review progressed, the
NRC issued a series of orders requiring plant owners to upgrade
security. The NRC ordered plant owners to implement interim measures
(February 25, 2002), improve access controls (January 7, 2003), defend
against an upgraded design basis threat, provide security force
personnel with better training, and impose working hour limits on
security force personnel to protect against impairment caused by fatigue
(April 29, 2003), and defend against an updated adversary capability
(March 20, 2006).
The NRC then initiated a series of rulemaking efforts to
codify the various elements of its post-9/11 security requirements. On
October 26, 2006, the NRC published a proposed rule in the Federal
Register seeking public comments on the access control and training
elements of its orders, along with some related issues.
UCS reviewed the proposed rule and submitted formal
comments to the NRC. Our comments included the following:
The proposed rule does not comply with the requirements of the
Energy Policy Act of 2005;
The rule should require that licensees adopt "denial of access"
as the fundamental protective strategy for defense against the
The rule should designate a subset of "critical" security
implementing procedures that are subject to Commission review
The proposed rule would allow enhanced weapons to be used, but
would not require an insider using an enhanced weapon against
the facility to be considered;
The proposed rule requires protection against either core damage
or spent fuel sabotage, not both;
The proposed rule does not close a dangerous loophole in current
search requirements for law enforcement personnel and security
The proposed rule allows escorts to take multiple visitors with
minimal background checks into protected and vital areas within
nuclear power plants, but does not require that the escorts met
even minimal physical and visual capabilities;
The proposed rule would allow a single escort to take more
visitors with minimal background checks into protected areas of
nuclear power plants than was specified as an external assault
force in the recent design basis threat rulemaking and would
allow literally hundreds of visitors with minimal background
checks to be escorted into vital areas;
The rule should ensure that security officers with duties other
than immediate armed response are not required for protection
against the DBT and are not inappropriately credited in
The broad exemption of commercial nuclear power reactors using
plutonium-containing "MOX fuel assemblies" from requirements for
protection of Category I quantities of strategic special nuclear
material from theft is technically unsupportable, irresponsible
and sets a dangerous precedent. The draft section §73.55(l)
should therefore be removed;
The proposed rule could facilitate retaliation by plant owners
against workers raising safety or security concerns;
The proposed rule would allow individuals known to be escaped
felons or on the terrorist list to be escorted into protected
and vital areas of nuclear power plants;
The proposed rule would require plant owners to report tampering
of safety or security equipment, but does not require plant
owners to train workers to recognize signs of tampering.
UCS's full comments, including supporting information for
each of these summary comments, can be viewed/downloaded by clicking on
the link at the top of the page.
Security in The News
Court rejects N.J. nuke plant terrorist
By BOB AUDETTE, Reformer Staff
Wednesday, April 1
BRATTLEBORO -- The
Nuclear Regulatory Commission was right in rejecting a challenge to the
way it evaluates the dangers of a terrorist attack on a nuclear power
plant, according to the 3rd Circuit Court of Appeals in Philadelphia.
On Tuesday, the court ruled against the
New Jersey Department of Environmental Protection and its contention
that the NRC should have examined the potential environmental impacts of
a hypothetical terrorist attack on the plant during the relicensing
process of Oyster Creek nuclear generating station.
The New Jersey DEP contended that the
NRC should have considered the effects of a terrorist attack during the
relicensing review. But the NRC responded that it had already addressed
those effects in its generic environmental impact statement related to
The New Jersey DEP asked the court to
order the NRC to conduct a site-specific analysis, rather than relying
on its generic review.
Attorney General has filed a similar complaint in the 2nd Circuit Court
of Appeals in the relicensing of Pilgrim nuclear power station in
Plymouth, Mass., and the Vermont Yankee nuclear power plant in Vernon.
It is asking the court to order the NRC to change the way it evaluates
the dangers of sabotage and terrorism at nuclear power plants.
Both Pilgrim and Yankee are owned by
Entergy, which is asking the NRC to extend both plants' licenses from
2012 to 2032.
The Massachusetts AG
had no comment on the 3rd Circuit Court's decision.
According to the GEIS, the risk of
sabotage to nuclear power plants is small, wrote the court, and the NRC
has already prepared for such a disaster.
"If such events were to occur, the
(NRC) would expect that resultant core damage and radiological releases
would be no worse than those expected from (a reactor accident)."
The NRC contended that security issues
are not addressed during relicensing proceedings because they do not
relate to the aging of a nuclear power plant. The NRC also contended
that the National Environmental Protection Act "imposes no legal duty on
the NRC to consider intentional malevolent acts ... "
Such a review would be redundant
because the NRC has "undertaken extensive efforts to enhance security at
"The NRC has done so on an ongoing
basis rather than in the context of a license renewal review," said Neil
Sheehan, spokesman for the NRC.
In addition, contended the NRC, it is
the responsibility of law enforcement agencies and the Federal Aviation
Administration to prevent malevolent acts.
The NRC also asserted it would be
improper to discuss classified security measures during the relicensing
procedure, which is intended to be open and transparent to the public.
The court agreed with the NRC.
The New Jersey DEP has the option of
appealing the 3rd Circuit ruling to the U.S. Supreme Court.
Bob Audette can be reached at
email@example.com, or 802-254-2311, ext. 273.
rules OK'd for nuclear power plants
By H. JOSEF HEBERT –
17 hours ago Dec 17, 2008
WASHINGTON (AP) — The
Nuclear Regulatory Commission on Wednesday approved new security rules
for nuclear power plants, including measures aimed at better protecting
against potential cyberattacks.
For years in the
making, the rules update requirements first imposed in emergency orders
after the Sept. 11 attacks. But watchdog groups have criticized the
agency for not going far enough.
They say the rules do
not call on plant operators to help protect against a potential attack
from a large aircraft that might be flown into a reactor or a used fuel
storage pool. The groups also say security forces still are not required
to be strong enough to counter potential coordinated ground attacks by a
dozen or more well-armed terrorists.
The NRC has
maintained that protection against an attack by a large aircraft must be
a joint responsibility among government agencies, the military and plant
operators and is beyond the responsibility of a reactor owner. The new
rules require a reactor operator to have in hand "strategies and
response procedures to address an aircraft threat," the NRC said in a
In addition to stronger measures to
protect against cyberattacks that could disable a plant, the rules call
for new training and qualification requirements for security officials
and says operators must develop new ways to respond in case part of a
plant is lost due to an explosion or fire.
Many details of the
security measures remain classified for security reasons.
The agency rejected a
demand by Three Mile Island Alert, a Harrisburg, Pa., nuclear watchdog
group, that power plants be required to post armed guards at every
entrance to a controlled area.
provide a "visual deterrence" and a way to observe suspicious activity,
the group said. While the NRC did not reject such use of armed guards
outright, it said it was giving plant operators "flexibility to
determine if such personnel postings are necessary."
announcement and link to rule
see: Union of Concerned Scientists at
Government Accountability athttp://www.pogo.org/investigations/nuclear-security/nuclear-power.html
Speech by POGO's Executive Director Danielle Brian to the Nuclear
Regulatory Commission's 2004 Regulatory Information Conference. March
11, 2004; http://www.pogo.org/p/x/2004nuclearpower.html
“Attacks and destructive acts by enemies of the United States and defense
activities,” of Title 10 of the Code of Federal Regulations, September 26,
Power Plant Security: Voices from Inside the Fences, September 12,2003
Project on Government Oversight (POGO), www.pogo.org/p/environment/eo-020901-nukepower.html;
Nuclear Power Plant Guards Continue to Raise Concerns, September 30, 2002,
Project on Government Oversight (POGO), www.pogo.org/p/environment/eo-020904-nukepower.html