Plants Have Upgraded Security, but the Nuclear Regulatory Commission Needs to Improve Its Process for Revising the Design Basis Threat
GAO-06-555T, Apr 4, 2006
The nation's commercial nuclear power plants are potential targets for terrorists seeking to cause the release of radioactive material. The Nuclear Regulatory Commission (NRC), an independent agency headed by five commissioners, regulates and oversees security at the plants. In April 2003, in response to the terrorist attacks of September 11, 2001, NRC revised the design basis threat (DBT), which describes the threat that plants must be prepared to defend against in terms of the number of attackers and their training, weapons, and tactics. NRC also restructured its program for testing security at the plants through force-on-force inspections (mock terrorist attacks). This testimony addresses the following: (1) the process NRC used to develop the April 2003 DBT for nuclear power plants, (2) the actions nuclear power plants have taken to enhance security in response to the revised DBT, and (3) NRC's efforts to strengthen the conduct of its force-on-force inspections. This testimony is based on GAO's report on security at nuclear power plants, issued on March 14, 2006 (GAO-06-388).
NRC revised the DBT for nuclear power plants using a process that was generally logical and well-defined. Specifically, trained threat assessment staff made recommendations for changes based on an analysis of demonstrated terrorist capabilities. The resulting DBT requires plants to defend against a larger terrorist threat, including a larger number of attackers, a refined and expanded list of weapons, and an increase in the maximum size of a vehicle bomb. Key elements of the revised DBT, such as the number of attackers, generally correspond to the NRC threat assessment staff's original recommendations, but other important elements do not. For example, the NRC staff made changes to some recommendations after obtaining feedback from stakeholders, including the nuclear industry, which objected to certain proposed changes, such as the inclusion of certain weapons. NRC officials said the changes resulted from further analysis of intelligence information. Nevertheless, GAO found that the process used to obtain stakeholder feedback created the appearance that changes were made based on what the industry considered reasonable and feasible to defend against rather than on what an assessment of the terrorist threat called for. Nuclear power plants made substantial security improvements in response to the September 11, 2001, attacks and the revised DBT, including security barriers and detection equipment, new protective strategies, and additional security officers. It is too early, however, to conclude that all sites are capable of defending against the DBT because, as of March 30, 2006, NRC had conducted force-on-force inspections at 27, or less than half, of the 65 nuclear power plant sites. NRC has improved its force-on-force inspections--for example, by conducting inspections more frequently at each site. Nevertheless, in observing three inspections and discussing the program with NRC, GAO noted potential issues in the inspections that warrant NRC's continued attention. For example, a lapse in the protection of information about the planned scenario for a mock attack GAO observed may have given the plant's security officers knowledge that allowed them to perform better than they otherwise would have. A classified version of GAO's report provides additional details about the DBT and security at nuclear power plants.