Nuclear Power

Plants Have Upgraded Security, but the Nuclear Regulatory Commission Needs to Improve Its Process for Revising the Design Basis Threat Gao ID: GAO-06-555T April 4, 2006

The nation's commercial nuclear power plants are potential targets for terrorists seeking to cause the release of radioactive material. The Nuclear Regulatory Commission (NRC), an independent agency headed by five commissioners, regulates and oversees security at the plants. In April 2003, in response to the terrorist attacks of September 11, 2001, NRC revised the design basis threat (DBT), which describes the threat that plants must be prepared to defend against in terms of the number of attackers and their training, weapons, and tactics. NRC also restructured its program for testing security at the plants through force-on-force inspections (mock terrorist attacks). This testimony addresses the following: (1) the process NRC used to develop the April 2003 DBT for nuclear power plants, (2) the actions nuclear power plants have taken to enhance security in response to the revised DBT, and (3) NRC's efforts to strengthen the conduct of its force-on-force inspections. This testimony is based on GAO's report on security at nuclear power plants, issued on March 14, 2006 (GAO-06-388).

NRC revised the DBT for nuclear power plants using a process that was generally logical and well-defined. Specifically, trained threat assessment staff made recommendations for changes based on an analysis of demonstrated terrorist capabilities. The resulting DBT requires plants to defend against a larger terrorist threat, including a larger number of attackers, a refined and expanded list of weapons, and an increase in the maximum size of a vehicle bomb. Key elements of the revised DBT, such as the number of attackers, generally correspond to the NRC threat assessment staff's original recommendations, but other important elements do not. For example, the NRC staff made changes to some recommendations after obtaining feedback from stakeholders, including the nuclear industry, which objected to certain proposed changes, such as the inclusion of certain weapons. NRC officials said the changes resulted from further analysis of intelligence information. Nevertheless, GAO found that the process used to obtain stakeholder feedback created the appearance that changes were made based on what the industry considered reasonable and feasible to defend against rather than on what an assessment of the terrorist threat called for. Nuclear power plants made substantial security improvements in response to the September 11, 2001, attacks and the revised DBT, including security barriers and detection equipment, new protective strategies, and additional security officers. It is too early, however, to conclude that all sites are capable of defending against the DBT because, as of March 30, 2006, NRC had conducted force-on-force inspections at 27, or less than half, of the 65 nuclear power plant sites. NRC has improved its force-on-force inspections--for example, by conducting inspections more frequently at each site. Nevertheless, in observing three inspections and discussing the program with NRC, GAO noted potential issues in the inspections that warrant NRC's continued attention. For example, a lapse in the protection of information about the planned scenario for a mock attack GAO observed may have given the plant's security officers knowledge that allowed them to perform better than they otherwise would have. A classified version of GAO's report provides additional details about the DBT and security at nuclear power plants.

GAO-06-555T, Nuclear Power: Plants Have Upgraded Security, but the Nuclear Regulatory Commission Needs to Improve Its Process for Revising the Design Basis Threat This is the accessible text file for GAO report number GAO-06-555T entitled 'Nuclear Power: Plants Have Upgraded Security, but the Nuclear Regulatory Commission Needs to Improve Its Process for Revising the Design Basis Threat' which was released on April 4, 2006. This text file was formatted by the U.S. Government Accountability Office (GAO) to be accessible to users with visual impairments, as part of a longer term project to improve GAO products' accessibility. Every attempt has been made to maintain the structural and data integrity of the original printed product. Accessibility features, such as text descriptions of tables, consecutively numbered footnotes placed at the end of the file, and the text of agency comment letters, are provided but may not exactly duplicate the presentation or format of the printed version. The portable document format (PDF) file is an exact electronic replica of the printed version. We welcome your feedback. Please E-mail your comments regarding the contents or accessibility features of this document to Webmaster@gao.gov. This is a work of the U.S. government and is not subject to copyright protection in the United States. It may be reproduced and distributed in its entirety without further permission from GAO. Because this work may contain copyrighted images or other material, permission from the copyright holder may be necessary if you wish to reproduce this material separately. Testimony: Before the Subcommittee on National Security, Emerging Threats, and International Relations, House Committee on Government Reform: United States Government Accountability Office: GAO: For Release on Delivery Expected at 2:00 p.m. EDT: Tuesday, April 4, 2006: Nuclear Power: Plants Have Upgraded Security, but the Nuclear Regulatory Commission Needs to Improve Its Process for Revising the Design Basis Threat: Statement of Jim Wells, Director, Natural Resources and Environment: GAO-06-555T: GAO Highlights: Highlights of GAO-06-555T, a testimony before the Subcommittee on National Security, Emerging Threats, and International Relations, Committee on Government Reform, House of Representatives: Why GAO Did This Study: The nation‘s commercial nuclear power plants are potential targets for terrorists seeking to cause the release of radioactive material. The Nuclear Regulatory Commission (NRC), an independent agency headed by five commissioners, regulates and oversees security at the plants. In April 2003, in response to the terrorist attacks of September 11, 2001, NRC revised the design basis threat (DBT), which describes the threat that plants must be prepared to defend against in terms of the number of attackers and their training, weapons, and tactics. NRC also restructured its program for testing security at the plants through force-on-force inspections (mock terrorist attacks). This testimony addresses the following: (1) the process NRC used to develop the April 2003 DBT for nuclear power plants, (2) the actions nuclear power plants have taken to enhance security in response to the revised DBT, and (3) NRC‘s efforts to strengthen the conduct of its force-on-force inspections. This testimony is based on GAO‘s report on security at nuclear power plants, issued on March 14, 2006 (GAO-06-388). What GAO Found: NRC revised the DBT for nuclear power plants using a process that was generally logical and well-defined. Specifically, trained threat assessment staff made recommendations for changes based on an analysis of demonstrated terrorist capabilities. The resulting DBT requires plants to defend against a larger terrorist threat, including a larger number of attackers, a refined and expanded list of weapons, and an increase in the maximum size of a vehicle bomb. Key elements of the revised DBT, such as the number of attackers, generally correspond to the NRC threat assessment staff‘s original recommendations, but other important elements do not. For example, the NRC staff made changes to some recommendations after obtaining feedback from stakeholders, including the nuclear industry, which objected to certain proposed changes, such as the inclusion of certain weapons. NRC officials said the changes resulted from further analysis of intelligence information. Nevertheless, GAO found that the process used to obtain stakeholder feedback created the appearance that changes were made based on what the industry considered reasonable and feasible to defend against rather than on what an assessment of the terrorist threat called for. Nuclear power plants made substantial security improvements in response to the September 11, 2001, attacks and the revised DBT, including security barriers and detection equipment, new protective strategies, and additional security officers. It is too early, however, to conclude that all sites are capable of defending against the DBT because, as of March 30, 2006, NRC had conducted force-on-force inspections at 27, or less than half, of the 65 nuclear power plant sites. NRC has improved its force-on-force inspections”for example, by conducting inspections more frequently at each site. Nevertheless, in observing three inspections and discussing the program with NRC, GAO noted potential issues in the inspections that warrant NRC‘s continued attention. For example, a lapse in the protection of information about the planned scenario for a mock attack GAO observed may have given the plant‘s security officers knowledge that allowed them to perform better than they otherwise would have. A classified version of GAO‘s report provides additional details about the DBT and security at nuclear power plants. What GAO Recommends: In its March 2006 report, GAO recommended that NRC improve its process for making changes to the DBT and evaluate and implement measures to further strengthen its force-on-force inspection program. www.gao.gov/cgi-bin/getrpt?GAO-06-555T. To view the full product, including the scope and methodology, click on the link above. For more information, contact Jim Wells at (202) 512- 3841 or wellsj@gao.gov. [End of section] Mr. Chairman and Members of the Subcommittee: I am pleased to be here today to discuss our recent work on security of the nation's 103 operating commercial nuclear power plants, located at 65 sites in 31 states. My testimony today is based on our report being released today, entitled Nuclear Power Plants: Efforts Made to Upgrade Security, but the Nuclear Regulatory Commission's Design Basis Threat Process Should Be Improved (GAO-06-388).[Footnote 1] As you know, nuclear power plants were among the targets considered in the original plan for the September 11, 2001, terrorist attacks. Furthermore, according to the Nuclear Regulatory Commission (NRC), which regulates and oversees the safe operation and security of nuclear power plants, there continues to be a general credible threat of a terrorist attack on the nation's commercial nuclear power plants, in particular by al Qaeda and like-minded Islamic terrorist groups. Such an attack could cause a release of radioactive material and endanger public health and safety through exposure to an elevated level of radiation. To defend against a potential terrorist attack, NRC issues and enforces security-related regulations and orders, and nuclear power plant licensees implement security measures to meet NRC requirements. In particular, NRC formulates a design basis threat (DBT)--the threat that plants must defend against--and tests plants' ability to defend against the DBT. The DBT characterizes the elements of a potential attack, including the number of attackers, their training, and the weapons and tactics they are capable of employing. NRC periodically reviews the potential terrorist threat to determine whether to make changes to the DBT. Most recently, NRC revised the DBT in April 2003 in response to the September 11 terrorist attacks. After revising the DBT, NRC required nuclear power plant sites to submit new security plans by April 29, 2004, for its review and approval and to implement the security described in their new plans by October 29, 2004. In November 2004, NRC began using its force-on-force inspection program to test sites' ability to defend against the revised DBT. This program employs mock terrorist attacks as the principal means to test the sites' security. The DBT does not represent the maximum size and capability of a terrorist attack that is possible but, rather, NRC's assessment of the threat that the nuclear power plants must at all times be prepared to defend against "to ensure adequate protection of public health and safety." Furthermore, NRC regulations do not require nuclear power plants to protect against attacks by an "enemy of the United States," whether a foreign government or other person.[Footnote 2] NRC originally included this provision in its regulations in 1967 (prior to issuing the first DBT for nuclear power plants). According to NRC officials, the provision was intended to address the possibility that Cuba might launch an attack on a nuclear power plant in Florida. In revising the DBT in April 2003, NRC did not use this provision to exempt plants from defending against terrorist groups such as al Qaeda but, rather, stated that a private security force (such as at a nuclear power plant) cannot reasonably be expected to defend against all threats--for example, airborne attacks. Importantly, NRC works with other federal agencies to coordinate an integrated response to a terrorist threat or attack on a nuclear power plant. Our March 2006 report examined (1) the process NRC used to develop the April 2003 DBT for nuclear power plants, (2) the actions nuclear power plants have taken to enhance security in response to the revised DBT, and (3) NRC's efforts to strengthen the conduct of its force-on-force inspections. For the report, we reviewed documents detailing the process NRC used to revise the DBT and interviewed the NRC commissioners and staff. We also visited four nuclear power plant sites (one in each of the four NRC regions) to observe the security enhancements that sites made to address the revised DBT, and we reviewed a sample of NRC's baseline and force-on-force inspection reports. GAO staff with security expertise accompanied us on our visits in order to assist in our review of the sites' security strategies. Finally, we observed a total of three force-on-force inspections at two other sites. We performed our work from November 2004 through January 2006 in accordance with generally accepted government auditing standards. Summary: NRC revised the DBT for nuclear power plants using a process that was generally logical and well-defined. Specifically, trained threat assessment staff made recommendations for changes based on an analysis of demonstrated terrorist capabilities. To enhance the predictability and consistency of its assessments and its recommendations to the NRC commissioners for changes to the DBT, the NRC threat assessment staff developed and used a comprehensive screening tool to analyze intelligence information and to evaluate particular terrorist capabilities, or "adversary characteristics," for inclusion in the DBT. The resulting DBT requires plants to defend against a larger terrorist threat, including a larger number of attackers, a refined and expanded list of weapons, and an increase in the maximum size of a vehicle bomb. The revised DBT generally, but not always, corresponded to the original recommendations of the threat assessment staff. For example, the maximum number of attackers in the revised DBT is based, in part, on the staff's analysis of the size of terrorist cells worldwide. However, for other important elements of the DBT, such as the weapons that attackers could use against a plant, the final version of the revised DBT does not correspond to the staff's original recommendations. We identified the following two principal reasons for these differences: * First, the threat assessment staff made changes to its initial recommendations after obtaining feedback from stakeholders, including the nuclear industry, on a draft of the DBT. A number of the changes reflected industry objections to the draft. For example, following meetings with industry, the staff decided not to recommend including certain weapons in the list of adversary characteristics that nuclear power plants should be prepared to defend against. In its comments, the industry had pressed for NRC to remove such adversary characteristics from the draft DBT. The industry considered them to be prohibitively expensive to defend against or to be representative of an enemy of the United States, which is the responsibility of the government, rather than the industry, to defend against. NRC officials told us the changes resulted from further analysis of the intelligence data and the reasonableness of required defensive measures rather than the industry objections. Nevertheless, in our view, this situation created the appearance that changes were made based on what industry considered reasonable and feasible to defend against, rather than an assessment of the terrorist threat. * Second, in deciding on the revised DBT, the commissioners largely supported the staff's recommendations but also made some significant changes. These changes reflected their policy judgments on what is reasonable for a private security force to defend against. However, the commissioners did not identify explicit criteria for what is and what is not reasonable for a private security force to defend against, such as the cost of defending against particular adversary characteristics. For example, the commissioners decided against including two weapons that the threat assessment staff had concluded could plausibly be used against a U.S. nuclear power plant. Furthermore, instead of providing a reason for its decision to remove these weapons, the commission's voting record showed that individual commissioners used differing criteria and emphasized different factors, such as cost or practicality of defensive measures. We believe the absence of reviewable criteria reduced the transparency of the decision-making process. The absence of criteria also potentially reduced the rigor of the decision-making process. Licensees of nuclear power plants have made substantial changes to their security in response to the September 11, 2001, attacks and the 2003 revisions to the DBT. At the sites we visited, these actions included, for example, adding security barriers and detection equipment, implementing new protective strategies, enhancing access control, and hiring additional security officers. In some cases, the sites went beyond what NRC required. For example, one site added electronic intrusion detection equipment to its outer perimeter, which was not required. According to NRC, other sites implemented security enhancements similar to what we saw at the sites we visited. Despite these considerable efforts, it is too early to conclude that all sites are capable of defending against the DBT because, as of March 30, 2006, NRC had conducted force-on-force inspections at 27, or less than half, of the 65 sites. According to NRC, sites have generally performed well during force-on-force inspections, and the results of baseline inspections show that sites have generally complied with their security plans. However, a number of sites have experienced problems and have not always met security requirements. Most notably, we observed a force- on-force inspection at a site in which the licensee's performance at the time was at best questionable in its ability to defend against the DBT. NRC has made a number of improvements to its force-on-force inspection program. For example, NRC is implementing a schedule to conduct the inspections more frequently at each site--every 3 years rather than every 8 years--and has instituted measures to make the inspections more realistic, such as using laser equipment to better simulate the weapons that attackers and security officers would likely employ during an actual attack on a nuclear power plant. These improvements are important because, as we noted from our observation of three force-on- force inspections and our review of NRC reports on others, the inspections have the ability to detect weaknesses in sites' protective strategies, which can then be corrected. Nevertheless, in observing three inspections and discussing the program with NRC officials, we noted issues in the force-on-force program that warrant continued NRC attention. For example, the level of security expertise and training among controllers, who observe exercise participants to ensure the safety and effectiveness of the exercises, was inconsistent. Our report included two recommendations to address the shortcomings in the process NRC used to revise the DBT. First, we recommended that NRC assign responsibility for obtaining feedback from the nuclear industry and other stakeholders on proposed changes to the DBT to an office within NRC other than the threat assessment section, thereby insulating the staff and mitigating the appearance of undue industry influence on the threat assessment itself. Second, we recommended that NRC develop explicit criteria to guide the commissioners in their deliberations to approve changes to the DBT. These criteria should include setting out the specific factors and how they will be weighed in deciding what is reasonable for a private guard force to defend against. In addition, we recommended that NRC continue to evaluate and implement measures to further strengthen the force-on-force inspection program. In commenting on a draft of our report, NRC commended our efforts to ensure that the report was accurate and constructive. NRC also provided additional clarifying comments pertaining to the process it used to revise the DBT for nuclear power plants. For example, NRC requested that we revise the report to explain that it made a deliberate decision to develop the revised DBT while simultaneously seeking input from stakeholders in order to expedite its response to the September 11, 2001 terrorist attacks. We revised the report accordingly. Background: NRC is an independent agency established by the Energy Reorganization Act of 1974 to regulate the civilian use of nuclear materials. It is headed by a five-member commission, with one commission member designated by the President to serve as chairman and official spokesperson. The commission as a whole formulates policies and regulations governing nuclear reactor and materials safety and security, issues orders to licensees, and adjudicates legal matters brought before it. Security for commercial nuclear power plants is addressed by NRC's Office of Nuclear Security and Incident Response. This office develops policy on security at nuclear facilities and is the agency's security interface with the Department of Homeland Security (DHS), the intelligence and law enforcement communities, the Department of Energy (DOE), and other agencies. Within this office, the Threat Assessment Section assesses security threats involving NRC- licensed activities and develops recommendations regarding the DBT for the commission's consideration. The DBT for radiological sabotage applied to nuclear power plants identifies the terrorist capabilities (or "adversary characteristics") that sites are required to defend against. The adversary characteristics generally describe the components of a ground assault and include the number of attackers; the size of a vehicle bomb; and the weapons, equipment, and tactics that could be used in an attack. Other threats in the DBT include a waterborne assault and the threat of an insider. The DBT does not include the threat of an airborne attack. Force-on-force inspections are NRC's performance-based means for testing the effectiveness of nuclear power plant security programs. These inspections are intended to demonstrate how well a nuclear power plant might defend against a real-life threat. In a force-on-force inspection, a professional team of adversaries attempts to reach specific "target sets" within a nuclear power plant that would allow them to commit radiological sabotage. These target sets represent the minimum pieces of equipment or infrastructure an attacker would need to destroy or disable in order to commit radiological sabotage that results in an elevated release of radioactive material to the environment. NRC also conducts baseline inspections at nuclear power plants. During these inspections, security inspectors examine areas such as officer training, fitness for duty, positioning and operational readiness of multiple physical and technical security components, and the controls the licensee has in place to ensure that unauthorized personnel do not gain access to the protected area. NRC's policy is to conduct a baseline inspection at each site every year, with the complete range of baseline inspection activities conducted over a 3- year cycle. For both force-on-force and baseline inspections, licensees are responsible for immediately correcting or compensating for any deficiency in which NRC concludes that security is not in accordance with the approved security plans or other security orders. NRC's Process for Revising the DBT Was Generally Logical and Well Defined, but Some Changes Were Not Clearly Linked to an Analysis of the Terrorist Threat: The process by which NRC revised the DBT for nuclear power plants was generally logical and well defined in that trained threat assessment staff made recommendations for changes based on an analysis of demonstrated terrorist capabilities. The NRC commissioners evaluated the recommendations and considered whether the proposed changes constituted characteristics representative of an enemy of the United States, or were otherwise not reasonable for a private security force to defend against. However, while the final version of the revised DBT generally corresponded to the original recommendations of the threat assessment staff, some elements did not, which raised questions about the extent to which the revised DBT represents the terrorist threat. NRC's Process for Revising Its DBT Was Generally Logical and Well Defined: NRC made its 2003 revisions to the DBT for nuclear power plants using a process that the agency has had in place since issuing the first DBT in the late 1970s. In this process, NRC staff trained in threat assessment use reports and secure databases provided by the intelligence community to monitor information on terrorist activities worldwide. (NRC does not directly gather intelligence information but rather receives intelligence from other agencies that it uses to formulate the DBT for nuclear power plants.) The staff analyze this information both to identify specific references to nuclear power plants and to determine what capabilities terrorists have acquired and how they might use those capabilities to attack nuclear power plants in the United States. The staff normally summarize applicable intelligence information and any recommendations for changes to the DBT in semiannual reports to the NRC commissioners on the threat environment. In 1999, the NRC staff began developing a set of criteria--the adversary characteristics screening process--to decide whether to recommend particular adversary characteristics for inclusion in the DBT and to enhance the predictability and consistency of their recommendations. The staff use initial screening criteria to exclude from further consideration certain adversary characteristics, such as those that would more likely be used by a foreign military than by a terrorist group. For adversary characteristics that pass the initial round of screening, the threat assessment staff apply additional screening factors, such as the type of terrorist group that demonstrated the characteristic. For example, the staff consider whether an adversary characteristic has been demonstrated by transnational or terrorist groups operating in the United States, or by terrorist groups that operate only in foreign countries. Finally, on the basis of their analysis and interaction with intelligence and other agencies, the staff decide whether to recommend that the commission include the adversary characteristics in the DBT for nuclear power plants. NRC's Office of Nuclear Security and Incident Response, which includes the Threat Assessment Section, reviews and endorses the threat assessment staff's analysis and recommendations. Terrorist attacks have generally occurred outside the United States, and intelligence information specific to nuclear power plants is very limited. As a result, one of the NRC threat assessment staff's major challenges has been to decide how to apply this limited information to nuclear power plants in the United States. For example, one of the key elements in the revised DBT, the number of attackers, is based on NRC's analysis of the group size of previous terrorist attacks worldwide. According to NRC threat assessment staff, the number of attackers in the revised DBT falls within the range of most known terrorist cells worldwide.[Footnote 3] NRC staff recommendations regarding other adversary characteristics also reflected the staff's interpretation of intelligence information. For example, the staff considered a range of sizes for increasing the vehicle bomb in the revised DBT and ultimately recommended a size that was based on an analysis of previous terrorist attacks using vehicle bombs. Intelligence and law enforcement officials we spoke with did not have information contradicting NRC's interpretation regarding the number of attackers or other parts of the NRC DBT but did point to the uncertainty regarding the size of potential attacks and the relative lack of intelligence on the terrorist threat to nuclear power plants. In addition to analyzing intelligence information, NRC monitored and exchanged information with DOE, which also has a DBT for comparable facilities that process or store radiological materials and are, therefore, potential targets for radiological sabotage.[Footnote 4] However, while certain aspects of the two agencies' DBTs for radiological sabotage are similar, NRC generally established less rigorous requirements than DOE--for example, with regard to the types of equipment that could be used in an attack. The DOE DBT includes a number of weapons not included in the NRC DBT. Inclusion of such weapons in the NRC DBT for nuclear power plants would have required plants to take substantial additional security measures. Furthermore, DOE included other capabilities in its DBT that are not included in the NRC DBT. Despite these differences, both agencies used similar intelligence information to derive key aspects of their DBTs. For example, both DOE and NRC based the number of attackers on intelligence on the size of terrorist cells, and DOE officials told us they used intelligence similar to NRC's to derive the number of attackers. Likewise, DOE and NRC officials provided us with similar analyses of intelligence information on previous terrorist attacks using vehicle bombs. DOE and NRC officials also told us that most vehicle bombs used in terrorist attacks are smaller than the size of the vehicle bomb in NRC's revised DBT. Changes to the Threat Assessment Staff's Initial Recommendations Were Not Clearly Linked to an Analysis of the Terrorist Threat: While NRC followed a generally logical and well-defined process to revise the DBT for nuclear power plants, two aspects of the process raised a fundamental question--the extent to which the DBT represents the terrorist threat as indicated by intelligence data compared with the extent to which it represents the threat that NRC considers reasonable for the plants to defend against. These two aspects were (1) the process NRC used to obtain stakeholder feedback on a draft of the DBT and (2) changes made by the commissioners to the NRC staff's recommended DBT. With regard to the first aspect, the process NRC used to obtain feedback from stakeholders, including the nuclear industry, created the appearance of industry influence on the threat assessment regarding the characteristics of an attack. NRC staff sent a draft DBT to stakeholders in January 2003, held a series of meetings with them to obtain their comments, and received written comments. NRC specifically sought and received feedback from the nuclear industry on what is reasonable for a private security force to defend against and the cost of and time frame for implementing security measures to defend against specific adversary characteristics. During this same period, the threat assessment staff continued to analyze intelligence information and modify the draft DBT. In its written comments on the January 2003 draft DBT, the Nuclear Energy Institute (NEI), which represents the nuclear power industry, objected to a number of the adversary characteristics the NRC staff had included. Subsequently, the NRC staff made changes to the draft DBT, which they then submitted to the NRC commissioners.[Footnote 5] The changes made by the NRC staff--in particular, the size of the vehicle bomb and list of weapons that could be used in an attack--reflected some (but not all) of NEI's objections. For example, NEI wrote that some sites would not be able to protect against the size of the vehicle bomb proposed by NRC because of insufficient land for installation of vehicle barrier systems at a necessary distance. Instead, NEI agreed that it would be reasonable to protect against a smaller vehicle bomb. Similarly, NEI argued against the inclusion of certain weapons because of the cost of protecting against the weapons. NEI wrote that such weapons (as well as the vehicle bomb size initially proposed by the NRC staff) would be indicative of an enemy of the United States, which sites are not required to protect against under NRC regulations. In its final recommendations to the commissioners, the NRC staff reduced the size of the vehicle bomb to the amount NEI had proposed and removed a number of weapons NEI had objected to. On the other hand, NRC did not make changes that reflected all of the industry's objections. For example, NRC staff did not remove one particular weapon NEI had objected to, which, according to NRC's analysis, has been a staple in the terrorist arsenal since the 1970s and has been used extensively worldwide. With regard to the commissioners' review and approval of the NRC staff's recommendations, the commissioners largely supported the staff's recommendations but also made some significant changes that reflected policy judgments. Specifically, the commissioners considered whether any of the recommended changes to the DBT constituted characteristics representative of an enemy of the United States, which sites are not required to protect against under NRC regulations. In approving the revised DBT, the commission stated that nuclear power plants' civilian security forces cannot reasonably be expected to defend against all threats, and that defense against certain threats (such as an airborne attack) is the primary responsibility of the federal government, in coordination with state and local law enforcement officials. Based on such considerations, the commission voted to remove two weapons the NRC staff had recommended for inclusion in the revised DBT based on its threat assessment. However, the document summarizing the commission's decision to approve the revised DBT did not provide a reason for excluding these weapons. For example, the commission did not indicate whether its decision was based on criteria, such as the cost for nuclear power plants to defend against an adversary characteristic or the efforts of local, state, and federal agencies to address particular threats. In our view, the lack of such criteria reduced the transparency of the commission's decisions to make changes to the threat assessment staff's recommendations. Nuclear Power Plants Made Substantial Changes to Their Security to Address the Revised DBT, but NRC Inspections Have Uncovered Problems: The four nuclear power plant sites we visited made substantial changes in response to the revised DBT, including measures to detect, delay, and respond to the increased number of attackers and to address the increased vehicle bomb size. These security enhancements were in addition to other measures licensees implemented--such as stricter requirements for obtaining physical access to nuclear power plants--in response to a series of security orders NRC issued after September 11, 2001. According to NEI, as of June 2004, the cost of security enhancements made since September 11, 2001, for all sites amounts to over $1.2 billion. To enhance their detection capabilities, the four sites we visited installed additional cameras throughout different areas of the sites and instituted random patrols in the owner-controlled areas.[Footnote 6] Furthermore, the sites we visited installed a variety of devices designed to delay attackers and allow security officers more time to respond to their posts and fire upon attackers. The sites generally installed these delay devices throughout the protected areas as well as inside the reactor and other buildings. Sites also enhanced their ability to respond to an attack by constructing bullet-resistant structures at various locations in the protected area or within buildings, increasing the minimum number of security officers defending the sites at all times, and expanding the amount of training provided to them. (See fig. 1 for an example of a bullet-resistant structure.) According to NRC, other sites took comparable actions to defend against the revised DBT. Figure 1: Example of a Bullet-Resistant Structure: [See PDF for image] [End of figure] In addition to adding measures designed to detect, delay, and respond to an attack, the licensees at the four sites we visited installed new vehicle barrier systems to defend against the larger vehicle bomb in the revised DBT. In particular, the licensees designed comprehensive systems that included sturdy barriers to (1) prevent a potential vehicle bomb from approaching the sites and (2) channel vehicles to entrances where security officers could search them for explosives and other prohibited items. The vehicle barrier systems either completely encircled the plants (except for entrances manned by armed security officers) or formed a continuous barrier in combination with natural or manmade terrain features, such as bodies of water or trenches, that would prevent a vehicle from approaching the sites. In general, the four sites we visited all implemented a "defense-in- depth" strategy, with multiple layers of security systems that attackers would have to defeat before reaching vital areas or equipment and destroying or disabling systems sufficient to cause an elevated release of radiation off site. The sites varied in how they implemented these measures, primarily depending on site-specific characteristics such as topography and on the degree to which they planned to interdict attackers within the owner-controlled area and far from the sites' vital area, as opposed to inside the protected area but before they could reach the vital equipment. For example, one site with a predominantly external strategy installed an intrusion detection system in the owner-controlled area so that security officers would be able to identify intruders as early as possible. The site was able to install such a system because of the large amount of open, unobstructed space in the owner-controlled area. In contrast, security managers at another site we visited described a protective strategy that combined elements of an external strategy and an internal strategy. For example, the site identified "choke points"--locations attackers would need to pass before reaching their targets--inside the protected area and installed bullet-resistant structures at the choke points where officers would be waiting to interdict the attackers. NRC officials told us that licensees have the freedom to design their protective strategies to accommodate site-specific conditions, so long as the strategies satisfy NRC requirements and prove successful in a force-on-force inspection. In addition to the security enhancements we observed, security managers at each site described ways in which they had exceeded NRC requirements and changes they plan to make as they continue to improve their protective strategies. For example, security managers at three of the sites we visited told us the number of security officers on duty at any one shift exceeded the minimum number of security officers that NRC requires be dedicated to responding to attacks. Similarly, in at least some areas of the sites, the new vehicle barrier systems were farther from the reactors and other vital equipment than necessary to protect the sites against the size of vehicle bomb in the revised DBT. Despite the substantial security improvements we observed at the four sites we visited, it is too early to conclude, either from NRC's force- on-force or baseline inspections, that all nuclear power plant sites are capable of defending against the revised DBT for the following two reasons: * First, as of March 30, 2006, NRC had completed force-on-force inspections at 27 of the 65 sites, and it is not planning to complete force-on-force inspections at all sites until 2007, in accordance with its 3-year schedule. NRC officials told us that plants have generally performed well during force-on-force inspections. However, we observed a force-on-force inspection at one site in which the site's ability to defend against the DBT was at best questionable. The site's security measures appeared impressive and were similar to those we observed at other sites. Nevertheless, some or all of the attackers were able to enter the protected area in each of the three exercise scenarios. Furthermore, attackers made it to the targets in two of the scenarios, although the outcomes of the two scenarios were called into question by uncertainties regarding whether the attackers had actually been neutralized before reaching the targets. As a result, NRC decided to conduct another force-on-force inspection at the site, which we also observed. The site made substantial additional security improvements-- at a cost of $37 million, according to the licensee--and NRC concluded after the second force-on-force inspection that the site had adequately defended against a DBT-style attack. * Second, we noted from our review of 18 baseline inspection reports and 9 force-on-force inspection reports that sites have encountered a range of problems in meeting NRC's security requirements. NRC officials told us that all sites have implemented all of the security measures described in their new plans submitted in response to the revised DBT. However, 12 of the 18 baseline inspection reports and 4 of the 9 force- on-force inspection reports we reviewed identified problems or items needing correction. For example, during two different baseline inspections, NRC found (1) an intrusion detection system in which multiple alarms were not functioning properly, making the entire intrusion detection system inoperable, according to the site, and (2) three examples of failure to properly search personnel entering the protected area, which NRC concluded could reduce the overall effectiveness of the protective strategy by allowing the uncontrolled introduction of weapons or explosives into the protected area. According to NRC, the licensees at these two sites, as well as at the other sites where NRC inspection reports noted other problems, took immediate corrective actions. NRC Has Significantly Improved the Force-on-Force Inspection Program, but Challenges Remain: NRC has made a number of improvements to the force-on-force inspection program, several of which address recommendations we made in our September 2003 report on NRC's oversight of security at commercial nuclear power plants. We had made our recommendations when NRC was restructuring the force-on-force program to provide a more rigorous test of security at the sites in accordance with the DBT, which was also under revision. For example, we recommended that NRC conduct the inspections more frequently at each site, use laser equipment to better simulate attackers' and security officers' weapons, and require the inspections to make use of the full terrorist capabilities stated in the DBT. Actions NRC has taken that satisfy these recommendations include conducting the exercises more frequently at each site (every 3 years rather than every 8 years), and NRC so far is on track to complete the first round of force-on-force inspections on schedule, by 2007. Furthermore, NRC is using laser equipment to simulate weapons, and the attackers in the force-on-force exercise inspections that we observed used key adversary characteristics of the revised DBT, including the number of attackers, a vehicle bomb, a passive insider, and explosives. Nevertheless, we identified issues in the force-on-force inspection program that could affect the quality of the inspections and that continue to warrant NRC's attention. For example, the level of security expertise and training among controllers--individuals provided by the licensee who observe each security officer and attacker to ensure the safety and effectiveness of the exercise--varied in the force-on-force inspections we observed. One site used personnel with security backgrounds while another site used plant employees who did not have security-related backgrounds but who volunteered to help. In its force- on-force inspection report for this latter site, NRC concluded that the level of controller training contributed to the uncertain outcome of the force-on-force exercises, which resulted in NRC's conducting a second force-on-force inspection at the site. Furthermore, we noted that the force-on-force exercises end when a site's security force successfully stops an attack. Consequently, at sites that successfully defeat the mock adversary force early in the exercise scenario, NRC does not have an opportunity to observe the performance of sites' internal security--that is, the strategies sites would use to defeat attackers inside the vital area. When we raised this issue, NRC officials appeared to recognize the benefit of designing the force-on-force inspections to test sites' internal security strategies but said that doing so would require further consideration of how to implement changes to the force-on-force inspections. Based on our observations of three force-on-force inspections, other areas where NRC may be able to make further improvements included the following: * ensuring the proper use of laser equipment; * varying the timing of inspection activities, such as the starting times of the mock attacks, in order to minimize the artificiality of the inspections; * ensuring the protection of information about the planned scenarios for the mock attacks so that security officers do not obtain knowledge that would allow them to perform better than they otherwise would; and: * providing complete feedback to licensees on NRC inspectors' observations on the results of the force-on-force exercises. Mr. Chairman, this completes my prepared statement. I would be happy to respond to any questions you or the other Members of the Subcommittee may have at this time. GAO Contact and Staff Acknowledgments: For further information about this testimony, please contact me at (202) 512-3841 (or at wellsj@gao.gov). Raymond H. Smith, Jr. (Assistant Director), Joseph H. Cook, Carol Herrnstadt Shulman, and Michelle K. Treistman made key contributions to this testimony. FOOTNOTES [1] We also prepared a classified version of our report, which includes additional details about the DBT and security at nuclear power plants that NRC does not release to the public. For more information on NRC's oversight of security at nuclear power plants, see GAO, Nuclear Regulatory Commission: Preliminary Observations on Efforts to Improve Security at Nuclear Power Plants, GAO-04-1064T (Washington, D.C.: Sept. 14, 2004); and Nuclear Regulatory Commission: Oversight of Security at Commercial Nuclear Power Plants Needs to Be Strengthened, GAO-03-752 (Washington, D.C.: Sept. 4, 2003). [2] 0 C.F.R. � 50.13. [3] In this report, "terrorist cell" refers only to terrorists who participate in an attack, not those who support but do not participate in an attack. [4] For further information on the DOE DBT, see GAO, Nuclear Security: DOE's Office of the Under Secretary for Energy, Science and Environment Needs to Take Prompt, Coordinated Action to Meet the New Design Basis Threat, GAO-05-611 (Washington, D.C.: July 15, 2005); and Nuclear Security: DOE Needs to Resolve Significant Issues before It Fully Meets the New Design Basis Threat, GAO-04-623 (Washington, D.C.: Apr. 27, 2004). [5] The NRC staff submitted their final draft DBT to the commissioners for their review and approval in April 2003, together with a summary of stakeholder comments. [6] The owner-controlled area refers to the land and buildings within the site boundary that the owner can limit or allow access to for any reason. The protected area is within the owner-controlled area and requires a higher level of access control. The vital area contains the sites' vital equipment, the destruction of which could directly or indirectly endanger public health and safety through exposure to radiation.