Bulletin of the Atomic Scientists
January 21, 2002
The question immediately arose on September 11 and has persisted: As horrific as the terrorist attacks were, what might have happened if the terrorists who seized jumbo jets and used them as weapons against the World Trade Center and the Pentagon had aimed them at nuclear power plants instead? And if more attacks are likely, as government officials have said, are nuclear facilities on the terrorist target list?
The Sunday Times of London reported in October that some intelligence assessments suggest that the intended target of the fourth plane, the one downed in Pennsylvania, was a nuclear power reactor. The plane had descended much too soon for Washington to be its intended destination, these assessments indicate, suggesting that the true target may have been one of several nuclear plants in its flight path, with the single still-operating unit at Three Mile Island seeming the most likely. This assessment cannot be confirmed, of course. But if it is correct, we owe even more to those brave passengers who succeeded, at the cost of their own lives, in bringing the plane down before it reached its intended target.
Immediately after the September 11 attacks, the U.S. Nuclear Regulatory Commission (NRC) and the nuclear industry issued statements asserting that U.S. reactor containments were designed to withstand the crash of a fully loaded jumbo jet. Within days, both had to recant and admit that the opposite was the case. Just hours after the terrorist attacks, NRC spokesperson Breck Henderson said U.S. nuclear plants were safe because “containment structures are designed to withstand the impact of a 747.”
Ten days later he admitted that “the initial cut we had on that was misleading.” In a formal statement, the agency conceded that it “did not specifically contemplate attacks by aircraft such as Boeing 757s and 767s, and nuclear power plants were not designed to withstand such crashes.” A similar pattern of assurance followed by retraction characterized the behavior of public relations personnel for a number of specific nuclear sites.
Early on, however, David Kyd, spokesperson for the International Atomic Energy Agency (IAEA), was quoted as saying that most nuclear plants, built during the 1960s and 1970s, were designed to withstand only accidental, glancing impacts from the smaller aircraft used at the time. “If you postulate the risk of a jumbo jet full of fuel, it is clear that their design was not conceived to withstand such an impact,” he said. In reporting Kyd’s comments, the Associated Press quoted an unnamed U.S. government official to the effect that a direct hit at high speed by a modern jumbo jet “could create a Chernobyl situation.”
The press has focused on the vulnerability of reactor containment buildings to airborne attack. But there are also “soft targets” outside containment, and their protection is critical to preventing radioactive release. Excessive emphasis on the risk of air attack obscures the far larger and more frightening possibility of ground assault or the threat from insiders. Security at the nation’s nuclear plants has been grossly inadequate for decades, and the nuclear industry and its captive regulatory agency, the NRC, have refused to do anything about it—both before and after September 11.
1,000 times more
A typical nuclear power plant contains within its core about 1,000 times the long-lived radioactivity released by the Hiroshima bomb. The spent fuel pools at nuclear power plants typically contain some multiple of that—several Chernobyls’ worth (see “What About the Spent Fuel?” page 45).
Any analogy with the dropping of a bomb is imperfect, of course, because much of the destruction caused by an atomic bomb comes from blast effects, and the damage caused by a terrorist attack on a nuclear plant would stem almost exclusively from the release of radioactivity. However, the potential casualties from an atomic attack and those resulting from using conventional explosives to produce a radiological release from a nuclear facility would be surprisingly similar. For example, the NRC estimated years ago that a meltdown at one of the San Onofre reactors in Southern California could produce 130,000 “prompt” fatalities, 300,000 latent cancers, and 600,000 genetic defects. Analyses for other reactors performed by Sandia National Laboratories for the NRC estimated damages up to $314 billion in 1980 dollars (the equivalent of about $700 billion today).
Because there is an immense amount of radioactivity at a reactor, and because the fuel must be constantly cooled to prevent it from melting and releasing that radioactivity, it is not difficult to understand why nuclear facilities might be a tempting target. As Bennett Ramberg pointed out in 1984 in his seminal book on the subject, Nuclear Power Plants as Weapons for the Enemy: An Unrecognized Military Peril, any country that possesses nuclear energy facilities gives its adversaries a quasi-nuclear capability to use against it. Conventional explosives—a truck bomb, for example—could cause a massive radiological release, with terrorists turning their adversaries’ own technology against them. And just as simple box-cutters were used to convert U.S. jumbo jets into guided missiles, conventional means could turn U.S. nuclear plants into radiological weapons. The need to protect nuclear facilities against terrorist attack should be obvious.
Yet for decades, NRC regulations have required only minimal security. Fifteen years ago in the March 1986 Bulletin (“Protecting Reactors from Terrorists”), two colleagues and I warned even then that terrorist trends were rendering the NRC security rules inadequate. But with only a single, partial exception, the agency’s primary security regulations are unchanged from a quarter century ago. And despite September 11—when the NRC’s assumptions crumbled at the moment the Twin Towers fell—both the industry and the agency that regulates it continue to resist making any significant improvement to dismally inadequate and outmoded security regulations.
We reported in 1986—and it is still the case today—that NRC regulations require nuclear reactor operators to protect against no more than a single insider and/or three external attackers, acting as a single team, wielding no more than hand-held automatic weapons.
Security personnel at power reactors are not required to be prepared for:
• more than three intruders;
• more than one team of attackers using coordinated tactics;
• more than one insider;
• weapons greater than hand-held automatic weapons;
• attack by boat or plane; or
• any attack by “enemies of the United States,” whether governments or individuals.
For years, reactor sites were not even required to provide protection against truck bombs. But after a decade of efforts by the Committee to Bridge the Gap and the Nuclear Control Institute to get the agency to strengthen security and repeated refusals by the NRC to require greater protection, the 1993 World Trade Center bombing and an intrusion event at Three Mile Island finally propelled the agency to amend the rules. But the truck bomb rule is still a concern because of the limited size of the explosion that operators must protect against. It apparently requires protection against truck bombs of roughly the size used at the World Trade Center in 1993, but not the larger quantities of explosives that have been used in similar attacks since then. The NRC is behind the curve, “fighting the last war” rather than protecting against threats that can materialize without warning.
To deal with the limited threat that the NRC does recognize—called the “design basis threat” (DBT)—the agency requires a nuclear power plant to be guarded by a total of five individuals. It may seem incomprehensible in today’s world that targets capable of producing tens or hundreds of thousands of casualties and hundreds of billions of dollars of damage are protected by a mere five guards, but that is the minimum the NRC mandates.
The events of September 11 demonstrated the inadequacy of the agency’s quarter-century-old security rules. There were 19 terrorists on the planes, and possibly additional participants in the conspiracy—far in excess of the three external attackers the NRC envisages. They acted as four coordinated teams, but the NRC rule requires the nuclear industry to guard against only a single team. They used jumbo jets filled with jet fuel as their weapons, far more lethal than the hand-carried automatic weapons and explosives contemplated in the regulation. They were very sophisticated, training for months to fly big jets, and willing to die—a level of motivation and capability far beyond that upon which the NRC rules are predicated.
None of the details of the agency’s DBT are secret. With a single exception discussed below, they can all be found in the Code of Federal Regulations, available in most libraries and on the Internet. Any potential adversary can immediately learn that the required security arrangements that protect these high-value targets are inadequate.
Three external attackers . . .
The only aspect of the DBT that is not explicitly stated in the Code is the famous number “three”—the maximum number of external attackers against which reactor owners must provide protection. The Code indicates that reactors must be protected against an attack by “several” intruders, and that “several” is less than the number required to operate as more than one team. This is enough to give a pretty clear indication of exactly how small the DBT is, but other publicly available documents make it clear that “several” means three.
The number was publicly revealed as a consequence of the licensing hearings for the Diablo Canyon nuclear plant in California in the early 1980s. The Governor of California was a party in the hearings, in which the adequacy of security at the plant was a key issue. The state’s security experts testified that a dozen attackers was a credible number to safeguard against. But the utility, Pacific Gas & Electric (PG&E), and the NRC staff argued that irrespective of any threat that might exist, NRC requirements were far more modest. The precise number in the DBT became a key issue in the hearings.
The NRC’s Atomic Safety and Licensing Appeal Board decided in favor of PG&E and the NRC staff, expressly ruling on how many attackers a reactor operator is required to protect against. The ruling was not immediately published on the theory that it contained sensitive information. The specific number for the DBT, according to the Diablo decision, was withdrawn at the last minute from the published regulations and replaced with “several,” not for any security reason, but because the commission thought it would have trouble explaining to the public why it was requiring a lesser level of protection against sabotage for reactors than against theft at non-reactor sites. This remains the case today—NRC nervousness about public discussion of the DBT of three external attackers is not motivated by a security concern, but by fear of embarrassment were it widely known that it only required reactors be capable of protecting against no more than a trivial terrorist challenge.
The Governor of California, however, asked that an expurgated version of the decision be published, and the agency agreed. When the “sanitized” Appeal Board decision was released, the actual number had been deleted. But ironically, the remaining text explained what “several” meant, and other underlying documents cited in the text—which had been publicly released—gave away the actual number.
The Appeal Board ruling cited a number of NRC documents it relied on in concluding that the DBT should be limited to three attackers. And although the ruling was redacted, all of the underlying documents were available in the NRC’s public reading room. Those documents, the “SECY Memoranda,” are the agency’s actual decision documents on adopting the rule. Over and over again the SECY Memoranda state that the DBT in the rule is “an external threat of one to three persons armed with pistols, shotguns, or rifles (including automatic weapons), and who may be assisted by an insider (employee or unescorted person).” This is the so-called “three-and-one” threat described in publicly available NRC documents.
The Appeal Board decision discloses some of the rationale for settling on three external attackers. First, the board states, power plants by rule are not required to protect against more than one team of attackers—only fuel-cycle facilities with weapons-grade material must do that. Because the minimum number of attackers who could operate as more than one team is obviously four, three is the maximum number of attackers who cannot act as more than one team.
. . . and five guards
Second, and perhaps most astonishingly, the Appeal Board discloses how the regulation’s minimum force of five guards was derived:
“A response force ratio (i.e., ratio of guards to attackers) must be equal to 1 [1 to 1] to protect power reactors. The report [the NRC staff report that formed the basis for the numerical determination for the design basis threat] then states: ‘Given the above response force ratio modified by a measure of conservatism, the minimum number of guards available for response to an assault may be determined. Therefore, for the presently specified threat, the minimum number of guards available for response at a nuclear power plant is judged to be 5’” (emphasis added).
The Appeal Board decision went on to indicate that the “presently specified threat” referred to was the external threat (of three) along with a single insider capable of participating in a violent attack. This three-and-one threat created a maximum total of four attackers. A 1:1 ratio of guards to attackers would require only four guards. But modifying the ratio “by a measure of conservatism” (giving the guards a one-person advantage) resulted in the regulations requiring a minimum of five guards.
(The actual regulation mentions a “nominal” number of 10 guards, with a minimum of five. But the Diablo decision and underlying documents indicate that this “nominal” number was employed to “camouflag[e] the exact threat.”)
Thus, the NRC security regulations, unchanged except to require protection against small-sized truck bombs, require operators to protect against an attack by three outsiders, perhaps aided by one insider, with no team-maneuvering tactics, no attack by boat or air, and minimal hand-held weapons.
This rule made little sense when it was first adopted, and it makes even less today. The September 11 attacks—with at least 19 attackers, four times as many teams, and a level of sophistication far beyond that contemplated by the agency—blew away the NRC’s security regulations. Yet those regulations remain unchanged.
Seventeen years of trying
For 17 years, my group, the Committee to Bridge the Gap, joined by the Nuclear Control Institute, has worked quietly behind the scenes in a largely futile effort to convince the NRC to upgrade its security requirements. With one partial exception, the truck bomb rule, we have failed.
In 1984, in the wake of truck bombings in the Middle East, the NRC staff decided to consider requiring protection against truck bombs at U.S. power reactors. It commissioned Sandia National Laboratories to study the vulnerability of plants to truck bomb attacks. The results were frightening—small truck bombs could cause “unacceptable damage to vital reactor systems,” and larger truck bombs could have the same effect, even if detonated off site, because the exclusion zone surrounding many facilities is small. Inexplicably, after the study was conducted, the agency dropped the idea of a truck bomb rule.
In 1985, the Committee to Bridge the Gap testified before the Safeguards and Security Subcommittee of the NRC Advisory Committee on Reactor Safeguards, pointing to data showing increasing terrorist capabilities and actions, urging the agency to upgrade the regulations to deal with larger attacking forces and with truck bombs. The response was unenthusiastic, with many subcommittee members indicating that there were so many ways to destroy a reactor that, if you protected against truck bombs, you’d have to protect against all those other vulnerabilities as well.
Over the next few years, both the Committee to Bridge the Gap and the Nuclear Control Institute continued to push the NRC to upgrade security regulations, to no avail. In 1991, at the time of the war with Iraq and the prospect of terrorist attacks against U.S. targets, we formally petitioned the NRC to upgrade its regulations. In addition to urging protection against truck bombs, the petition called for a new DBT with 20 external attackers (ironic in light of the 19 terrorists on the planes on September 11) capable of operating as two or more teams, with weapons and explosives more significant than hand-held rifles. The NRC denied the petition, ruling that “there has been no change in the domestic threat since the design basis threat was adopted that would justify a change.”
Finally, after the truck bomb attack on the World Trade Center in 1993 and an event at Three Mile Island in which an intruder drove a station wagon through the perimeter and into the turbine building, where he stayed for hours while security tried to figure out if he had a bomb, the NRC adopted a new rule requiring some measure of protection against truck bombs. However, the rule may not be sufficient to protect against truck bombs of the size that have been used since 1993.
The rest of the DBT remains unaltered, despite the NRC’s promises in 1994 that in a second phase it would consider upgrading the rest of the security regulations.
In fact, a number of actions have weakened security. For example, in 1996 the NRC issued Generic Letter 96-02, “Reconsideration of Nuclear Power Plant Security Requirements Associated with an Internal Threat.” It permitted “reductions in unnecessary or marginally effective security measures,” granting licensees the option, for instance, to keep “doors to vital areas . . . unlocked.”
One counterterrorism program, killed
In late 1998, I received a plain manila envelope in the mail. Inside were documents indicating that the NRC had recently terminated its only counterterrorism program, called the Operational Safeguards Response Evaluation (OSRE) program. The program evaluated nuclear plant security by undertaking mock terrorist attacks—“black hat” force-on-force exercises. The documents contained astonishing information: Given six months’ advance warning, including the date on which the security test would occur, plants prepared by increasing their guard force by as much as 80 percent. Even so, security failed the tests. In nearly half of the tests conducted at the country’s reactors, mock terrorists penetrated security and reached at least one “target set” that, had the intruders been actual terrorists, could have resulted in a meltdown and massive radioactivity release.
This failure rate is extraordinary. No terrorist group is going to give notice six months in advance of when and where it intends to attack. And these tests were against the existing DBT—against only three intruders.
Other publicly available NRC documents from the early 1990s indicate that in an OSRE test at the Peach Bottom reactor, it took only 17 seconds for the mock terrorists to penetrate the perimeter fence and breach the access control barrier. It took intruders 18 seconds at San Onofre, 30 seconds at Duane Arnold, and 45 seconds at Maine Yankee.
And what was the response to this dismal failure rate? The NRC killed the program—there could be no more failures if there were no more tests.
My organization passed the OSRE documents along to the Los Angeles Times, which ran a major story about the program’s termination. The agency was sufficiently embarrassed that a couple of days later Shirley Jackson, then NRC chair, reinstated the program. Since then, however, the industry and the agency have worked together to gut the tests. Earlier this year, the NRC approved the industry’s proposed self-evaluation program that would replace NRC-run force-on-force tests. Companies failing the independent tests are now able to test themselves! The problems inherent in self-regulation should be obvious.
After September 11
Our two organizations have persisted in so-far-fruitless attempts to get the DBT upgraded. Last year, we met with NRC Chairman Richard Meserve, trying once again to get the NRC to fix gaping security problems. Nothing came of the meeting. As we were leaving, Meserve said we should feel free to see him again, adding something to the effect that he meets with industry “all the time,” and there is no reason he can’t meet with public groups from time to time as well. (And indeed, as we left we saw a number of industry lobbyists sitting outside his office waiting to go in.)
After September 11, we wrote to Chairman Meserve, urging him to recommend that the National Guard be called out to protect all the nation’s reactors, that air defenses be deployed to protect them, and that employees and contractor personnel be thoroughly re-vetted.
We also asked the NRC to upgrade its security regulations immediately to protect against attacks involving greater numbers, operating as multiple teams, with more than one insider; require a strong two-person rule and other enhanced measures to protect against insiders; require protection against a truck bomb as big as a large truck can carry; require protections against boat and airplane attacks; require full security protection of spent fuel storage pools and dry cask storage, including after reactor closure; and that the Operational Safeguards Response Evaluation program be reinstated and expanded.
The NRC response was business as usual. The agency is continually reviewing the DBT, we were told, just as we have been told for the last 17 years.
But no improvements were promised and none has been made. Both the Committee to Bridge the Gap and the Nuclear Control Institute have decided that after years of quiet work it is time to go public about these problems. It is clear that the United States has sophisticated adversaries out there and everything we know is available to them as well. The only people not taking the danger seriously are the ones who should be required to do something about it—the nuclear industry and the agency that is supposed to regulate it.
All the NRC has done in the wake of the attacks on the World Trade Center and the Pentagon is to recommend—not even require—that licensees go to a higher state of alert within their existing security system and within the existing DBT. A no-fly-zone excluded small planes from flying near power reactors, but after a week that restriction was lifted. The federal government has failed to call out the National Guard—although in the absence of federal action, some governors have taken that step on their own. The NRC and the industry strongly oppose legislation introduced by Sens. Harry Reid, Hillary Clinton, Jim Jeffords, Joe Lieberman, and Cong. Ed Markey that would have required the agency to upgrade security regulations.
In 1981, the NRC and industry argued against the Governor of California’s contention in the Diablo case that there should be protection against up to a dozen terrorists, saying such an attack wasn’t credible. In 1991, the NRC and industry argued against our rulemaking petition that the DBT be increased from three to 20 external attackers operating as several teams, again asserting that there was no evidence there could ever be an attack of more than three as a single team. Protections against attacks by boats, large truck bombs, or from the air remain beyond the design threat. On September 11, 19 attackers in four teams using planes caused the worst terrorist event in U.S. history. Yet the NRC and industry refuse to upgrade the DBT regulations to a level consistent with the now-evident threat.
The industry’s response is shocking. Rather than conceding the vulnerability of its facilities and the need to upgrade security, at a press conference on September 25 a spokesman for the Nuclear Energy Institute took the extraordinary stand that greater security isn’t required because Chernobyl wasn’t that bad.
Why does the industry continue to ignore the need to protect its facilities? First, more security means more expense, and its every instinct is to avoid current expenses. Second, if it admits its reactors are vulnerable, the industry’s dream of a nuclear renaissance is diminished.
Having received a big boost from the Cheney energy plan, the industry had been hoping to build new reactors, supposedly of the new pebble-bed design. In order to save money, these “passively safe” reactors would be built without a containment structure. In addition, they are made of graphite, which burns readily, as evidenced by Chernobyl and the earlier Windscale accident in Britain. As poorly resistant to terrorism as today’s reactors are, pebble-bed reactors would be far worse. Furthermore, the industry-Cheney proposals involve a revival of the idea of reprocessing spent fuel to separate plutonium, which would then be used in civil reactors, creating a massive additional risk that terrorists might acquire nuclear weapons materials from poorly guarded civilian power plants. The nuclear industry hopes that its post–September 11 problems will go away, without having to upgrade security.
And why has the NRC not imposed upgraded security requirements? Put bluntly, the NRC is arguably the most captured regulatory agency in the federal government, a creature of the industry it is intended to regulate. Efforts to separate its promotional and regulatory functions, which led to the breakup of the Atomic Energy Commission in the mid-1970s, have failed utterly. The NRC’s principal interest is in assisting the industry, keeping regulatory burdens and expenses to a bare minimum, and helping to jumpstart the nuclear enterprise.
But the risk of terrorist attack at one or more nuclear plants is simply too great to allow this failed agency and the industry it allegedly regulates to continue to ignore the need to provide reasonable protection. The industry’s short-term economic or political concerns pale in comparison to the damage that would occur if attackers turn the nation’s reactors into radiological weapons.
Daniel Hirsch is president of the Committee to Bridge the Gap, a Los Angeles-based nuclear policy organization.