- Lessons that can be learned from the accident to improve commercial nuclear plant safety and security systems and operations and
- Lessons that can be learned from the accident to improve commercial nuclear plant safety and security regulations, including processes for identifying and applying design-basis events for accidents and terrorist attacks to existing nuclear plants.
The safety portions of these tasks were addressed in this committee’s phase 1 report (NRC, 2014).
The chapter also addresses the final part of Study Charge 4 on lessons learned on processes for identifying and applying design-basis events for accidents and terrorist attacks to existing nuclear plants.
The March 11, 2011, Great East Japan Earthquake and tsunami caused extensive and long-lasting (days to weeks) damage to safety and security infrastructure at the Fukushima Daiichi plant. Written reports from the plant’s operator, Tokyo Electric Power Company (TEPCO), describe the severe damage that occurred to plant safety systems following the earthquake and tsunami (TEPCO, 2011, 2012a; see also Investigation Committee, 2011, 2012). Detailed discussions of the accident and its impacts on the reactors and spent fuel pools at the Fukushima Daiichi plant are provided in the present committee’s phase 1 report (NRC, 2014) and in Chapter 2 of the present report.
To the committee’s knowledge, TEPCO has not publicly disclosed the impacts of the earthquake and tsunami on plant security systems. Nevertheless, the committee infers from TEPCO’s written reports, as well as its own observations during a November 2012 tour of the Fukushima Daiichi plant, that security systems at the plant were substantially degraded by the earthquake and tsunami and the subsequent accident. There are three principal lines of evidence that support this inference:
- Physical damage. The areas surrounding Units 1-4 (see Sidebar 1.1 in Chapter 1) at the plant were flooded to depths of about 5.5 m by the tsunami; there was extensive damage to physical infrastructure in and surrounding the units, including damage to plant access controls in the owner-controlled and protected areas (see Chapters 3 and 4 in NRC, 2014).
- Electrical power. All offsite electrical power to the plant was lost following the earthquake, and DC power was eventually lost in Units 1-4 following the tsunami. Offsite AC power was not restored until 9 to 11 days later (see NRC, 2014, Table 4.1). Security equipment requiring electrical power was probably not operating continuously during this blackout period.
- Personnel. Plant workers, including workers monitoring the protected area of the plant, evacuated to higher ground just before the tsunami arrived on March 11, 2011 (TEPCO, 2012a, p. 163). Additionally, early on the fourth day of the accident (March 15), about 650 workers were temporarily evacuated from the plant. Among the evacuated workers was the Security Guidance Team, which was responsible for controlling plant access. This team did not return to the plant until the afternoon of that same day (TEPCO, 2012a, p. 166).1 These evacuation events are described in the present committee’s phase 1 report (NRC, 2014, pp. 107-108).
Tsunami damage and power losses likely affected the integrity and operation of numerous security systems, including lighting, physical barriers and other access controls, intrusion detection and assessment equipment, and communications equipment.
The committee’s observations about the impacts of the earthquake and tsunami on security at the Fukushima Daiichi plant led to one finding and recommendation, presented in the next section.
3.1.1 Finding and Recommendation
FINDING 3.1: Extreme external events and severe accidents such as occurred at the Fukushima Daiichi plant can cause widespread and long-lasting disruptions to security infrastructure, systems, and staffing at nuclear plants. Such disruptions can create opportunities for malevolent acts and increase the susceptibility of critical plant systems to such acts.
RECOMMENDATION 3.1: Nuclear plant operators and their regulators should upgrade and/or protect nuclear plant security infrastructure and systems and train security personnel to cope with extreme external events and severe accidents. Such upgrades should include
- Independent, redundant, and protected power sources dedicated to plant security systems that will continue to function independently if safety systems are damaged;
- Diverse and flexible approaches for coping with and reconstituting plant security infrastructure, systems, and staffing during and following extreme external events and severe accidents; and
- Training of security personnel on the use of these approaches.
The U.S. nuclear industry should consider expanding its Diverse and Flexible Coping Strategies (FLEX) capability to address this recommendation. The U.S. Nuclear Regulatory Commission (USNRC) should support industry’s efforts by providing guidance on approaches and by overseeing independent review by technical peers (i.e., peer review).
To the committee’s knowledge, no significant security incidents occurred at the Fukushima Daiichi plant during or after the accident. Nevertheless, the events at the plant suggest an important lesson from the accident: Extreme external events and severe accidents can have severe and long-lasting impacts on the security systems at nuclear plants. Such long-lasting disruptions can create opportunities for malevolent acts and increase the susceptibility of critical plant systems to such acts.
Power and certain safety and security systems were unavailable at the Fukushima Daiichi plant for weeks after the March 11, 2011, earthquake and tsunami. Similar situations could occur as a result of other natural disasters. For example, a hurricane or destructive thunderstorm that spawned tornadoes could damage onsite and offsite power substations and high-voltage pylons, causing a loss of a nuclear plant’s offsite power. The storm could also damage security fences, cameras, and other intrusion-detection equipment. Relief security officers and other site personnel may not be able to report to duty on schedule if storm-related damage were widespread in surrounding communities. An adversary could use this disruption to advantage in carrying out a malevolent act.
An extreme external event or severe accident at a U.S. nuclear plant could require the temporary suspension of security measures. USNRC regulations allow for such suspensions under the conditions specified in 10 Code of Federal Regulations (CFR) 73.55(p) (Suspension of Security Measures):
- (1) The licensee may suspend implementation of affected requirements of this section under the following conditions:
  - (i) In accordance with §§ 50.54(x) and 50.54(y) of this chapter, the licensee may suspend any security measures under this section in an emergency when this action is immediately needed to protect the public health and safety and no action consistent with license conditions and technical specifications that can provide adequate or equivalent protection is immediately apparent. This suspension of security measures must be approved as a minimum by a licensed senior operator before taking this action.
  - (ii) During severe weather when the suspension of affected security measures is immediately needed to protect the personal health and safety of security force personnel and no other immediately apparent action consistent with the license conditions and technical specifications can provide adequate or equivalent protection. This suspension of security measures must be approved, as a minimum, by a licensed senior operator, with input from the security supervisor or manager, before taking this action.
- (2) Suspended security measures must be reinstated as soon as conditions permit.
- (3) The suspension of security measures must be reported and documented in accordance with the provisions of § 73.71.
The regulations are specific about the conditions under which security at a nuclear plant can be suspended: to protect public health and safety (point (i) above) and to protect the health and safety of security personnel (point (ii) above).
The regulations require that the suspended security measures be reinstated as soon as conditions permit. The Fukushima Daiichi accident illustrates that full restoration of security measures could potentially take days to weeks after an extreme external event or severe accident: Damaged security equipment must be restored and destroyed equipment must be replaced. During this interim period, security could be provided by increasing the size of the guard force at the plant to perform needed surveillance and access control functions if habitable conditions exist.
U.S. nuclear plants are required to have both onsite and offsite emergency response plans. Security personnel are key participants in the onsite emergency plan. 10 CFR 50.47 (Emergency Plans) requires that adequate staffing be maintained at all times to provide initial facility accident response in key functional areas. Interim Compensatory Measures Order EA-02-026,2 issued after September 11, 2011, requires that sufficient personnel be available on each shift to implement security and emergency plans.
The assembly and accountability requirements during an emergency are normally implemented by members of the security force and utilize an accountability system based in the security computer that maintains normal logs of personnel entering and exiting the facility. The protective action options of sheltering and evacuation are combined with a consideration of the necessity for keeping specific technical or management personnel onsite. The security force assists in implementing site evacuations.
The committee’s recommendation calls for upgrading and/or hardening nuclear plant security infrastructure, systems, and training to cope with extreme external events and severe accidents. The committee judges that the following three actions are needed:
1. Ensuring that there is adequate separation of plant safety and security systems so that the security systems can continue to function independently if safety systems are damaged. In particular, security systems need to have independent, redundant, and protected power sources so that they continue to function when normal plant power is unavailable.
2. Implementing diverse and flexible approaches for coping with and reconstituting plant security infrastructure, systems, and staffing during and following external events and severe accidents.
3. Training of security personnel on implementing approaches for reconstituting security infrastructure and systems.
With respect to point 1, the regulations in 10 CFR Part 73 (Physical Protection of Plants and Materials) require that intrusion detection and assessment equipment at the perimeter of the plant’s protected area remain operable from an uninterruptible power supply in the event of the loss of normal power (10 CFR 73.55(i)(3)(vii)); similarly, the regulations require that nonportable communications equipment must remain operable from independent power sources in the event of the loss of normal power (10 CFR 73.55(j)(5)). However, the regulations do not specify the performance requirements for these backup power supplies.3 These backup supplies need to be adequately protected and sized to cope with a long-duration event such as occurred at the Fukushima Daiichi plant.
2 This order is designated as Safeguards Information and is not available to the public.
With respect to points 2 and 3, the U.S. nuclear industry has developed and is currently implementing its FLEX initiative (NEI, 2012) to augment the capabilities of nuclear plants to cope with external beyond-design-basis events. The strategy has four elements:
- To have portable backup equipment capable of providing water and power to the reactor. Such equipment includes, for example, electrical generators, batteries, and battery chargers; compressors; pumps, hoses, and couplings; equipment for clearing debris; and equipment for temporary protection against flooding.
- To stage this equipment in locations both on- and offsite where it will be safe and deployable.
- To develop procedures and guidance for implementing FLEX.
- To develop programmatic controls that will ensure personnel are well trained and equipment is maintained.
Each plant is responsible for developing implementation procedures for the protection and deployment of equipment, procedural interfaces, and utilization of offsite resources.
The committee sees an opportunity for industry to expand its FLEX initiative to include critical security-related equipment, such as access control, intrusion detection and assessment, communications, and portable-lighting equipment. This equipment would need to be sufficiently standardized so that it could be used across the U.S. nuclear plant fleet and adequately protected against extreme external events, severe accidents, and sabotage.4 Security personnel at U.S. plants would need to be trained on the use of this equipment if it were different from existing equipment at their plants.
3 Regulatory Guide 5.44 (USNRC, 1997a, p. 5.44-6) states that “Emergency power should be capable of sustaining operation without external support for . . . a site-specific period of time determined according to station blackout criteria for power reactor facilities.” Additionally, USNRC (2011a) states that “[t]he capability of the emergency/backup power source to sustain security system operations should be based on the timeframe to restore primary power as derived through a site specific analysis” (p. 9.2).
4 This applies to equipment located at nuclear plants as well as equipment located at regional FLEX facilities.
3.2 LESSONS LEARNED FOR IDENTIFYING AND APPLYING DESIGN-BASIS EVENTS FOR ACCIDENTS AND TERRORIST ATTACKS TO EXISTING NUCLEAR PLANTS
The committee’s phase 1 report described a design-basis event as
“a postulated event that a nuclear plant system, including its structures and components, must be designed and constructed to withstand without a loss of functions necessary to protect public health and safety. An event that is ‘beyond design basis’ has characteristics that could challenge the design of plant structures and components and lead to a loss of critical safety functions.” (NRC, 2014, p. 9)
The USNRC uses the design-basis concept for regulating both the safety and security of commercial nuclear plants:
- The USNRC uses the design-basis accident (DBA) concept in its safety-related regulations. DBAs describe a specified set of failures or abnormal events, for example equipment malfunctions, which must be considered in the design of a nuclear plant. Plant safety systems must be designed to allow plant operators to recover the plant to a safe state following such malfunctions. The committee’s phase 1 report (NRC, 2014) discusses the application of design-basis events for accidents to existing nuclear plants (see especially Sidebar 1.2 in Chapter 1 and Section 5.2 in Chapter 5).
- The USNRC uses the design-basis threat (DBT) concept in its security-related regulations. DBTs describe a specified set of adversary attributes that must be considered in the design of plant security systems. The USNRC has established DBTs for radiological sabotage5 and for theft or diversion of formula quantities of strategic special nuclear materials.6 These requirements are defined in 10 CFR Part 73 (Physical Protection of Plants and Materials).
5 Radiological sabotage is defined in 10 CFR 73.2 as “any deliberate act directed against a plant or transport . . . or against a component of such a plant or transport which could directly or indirectly endanger the public health and safety by exposure to radiation.”
6 Special nuclear material includes plutonium, uranium-233, or uranium enriched in the isotopes uranium-233 or uranium-235. Formula quantity is defined as 5,000 grams or more, in any combination, of grams U-235 + 2.5 * grams U-233 + grams plutonium.
Generic characteristics of the DBT for radiological sabotage are described in 10 CFR 73.1(a)(1):
Radiological sabotage. (i) A determined violent external assault, attack by stealth, or deceptive actions, including diversionary actions, by an adversary force capable of operating in each of the following modes: A single group attacking through one entry point, multiple groups attacking through multiple entry points, a combination of one or more groups and one or more individuals attacking through multiple entry points, or individuals attacking through separate entry points, with the following attributes, assistance and equipment:
(A) Well-trained (including military training and skills) and dedicated individuals, willing to kill or be killed, with sufficient knowledge to identify specific equipment or locations necessary for a successful attack;
(B) Active (e.g., facilitate entrance and exit, disable alarms and communications, participate in violent attack) or passive (e.g., provide information), or both, knowledgeable inside assistance;
(C) Suitable weapons, including handheld automatic weapons, equipped with silencers and having effective long range accuracy;
(D) Hand-carried equipment, including incapacitating agents and explosives for use as tools of entry or for otherwise destroying reactor, facility, transporter, or container integrity or features of the safeguards system; and
(E) Land and water vehicles, which could be used for transporting personnel and their hand-carried equipment to the proximity of vital areas; and
(ii) An internal threat; and
(iii) A land vehicle bomb assault, which may be coordinated with an external assault; and
(iv) A waterborne vehicle bomb assault, which may be coordinated with an external assault; and
(v) A cyber attack.
The detailed characteristics of the DBT—for example the number of attackers, their training, and weaponry—are determined by USNRC commissioners based on USNRC staff analyses of terrorist motivations, capabilities, and technical means. The information used in these analyses is obtained from U.S. law enforcement, homeland security, and intelligence agencies.
The DBT is not designed to be the worst-case threat. It simply defines the upper bound within the total threat environment against which a nuclear plant licensee is required to protect. Responsibility for protecting against beyond-DBT threats rests with federal, state, and local agencies. The National Infrastructure Protection Plan (NIPP; DHS, 2013) describes how governmental and private-sector participants in the critical infrastructure community (including the nuclear power industry) work together to manage security risks.
The NIPP includes 16 Sector-Specific Plans (SSPs), including a Nuclear SSP (DHS, 2010). The Nuclear SSP covers the following Critical Infrastructure and Key Resources (CI/KR): nuclear power reactors and research and test reactors; fuel fabrication plants; civilian nuclear materials use; and transportation, storage, and disposal of nuclear material and waste. The 2010 version of the plan acknowledges that “some threats are beyond what is reasonable to expect CI/KR owners and operators to protect against by themselves.”7
The U.S. Department of Homeland Security (DHS) has the responsibility for nuclear CI/KR protection in cooperation with the USNRC. Government and sector coordinating councils have been established to share information and coordinate security strategies, activities, policies, and communications. The Government Coordinating Council comprises representatives from DHS, USNRC, the Federal Bureau of Investigation, and the Department of Energy. The private coordinating council consists of representatives from the nuclear industry.
The committee obtained written information about the NIPP and Nuclear SSP but did not have enough time to obtain in-depth briefings on operational details and responsibilities. The committee also did not have adequate time to carry out an in-depth analysis of processes for identifying and applying design-basis events for accidents and terrorist attacks to existing nuclear plants. Consequently, the committee provides observations about these processes rather than formal findings and recommendations.
The committee’s first observation concerns the application of the design-basis concept to nuclear plants: DBAs and DBTs are not intended to cover all safety and security events that can arise at a nuclear plant; rather, they are intended to guide the development of plant safety and security systems. Beyond-DBAs are managed in a number of different ways, for example, through the layering of safety and security capabilities (defense-in-depth; see Appendix 3A), or through operator training (B.5.b and Severe Accident Management Guidelines) and pre-positioned equipment (FLEX).8 Beyond-DBT security threats are managed by the plant’s security forces with assistance from local law enforcement and possibly from other government agencies through the NIPP.
7 The Nuclear SSP was being updated when the present report was being finalized.
The nuclear industry conducts safety risk assessments on a routine basis to identify potential beyond-DBA scenarios and manage their consequences. However, there is no equivalent process in place for conducting security risk assessments to identify beyond-DBTs and manage their consequences. The committee provides further analysis and a recommendation on security risk assessment in Chapters 4 and 5.
The committee’s second observation concerns the applicability of the DBT concept to protecting nuclear plants against asymmetric threats.9 An adversary who lacks the strength, weaponry, and training of the nuclear plant’s security forces might utilize attack strategies that do not require direct confrontations with those forces. For example, an adversary might choose to attack perceived weak points in the plant’s support infrastructure (e.g., offsite power and water supplies, key personnel) rather than mounting a direct assault on the plant. The goals of such asymmetric attacks might be to cause operational disruptions, economic damage, and/or public panic rather than radiological releases from a plant’s reactors or spent fuel pools. In fact, such attacks would not necessarily need to result in any radiological releases to be considered successful.
Offsite power substations, piping, fiber optic connection points, and other essential systems provide an adversary the opportunity to inflict damage with very little personal risk and without confronting a nuclear plant’s security forces.10 The psychological effects of such attacks, even if these do not result in the release of radioactive material, might have consequences comparable to or greater than the actual physical damage. In the extreme, such attacks could lead to temporary shutdowns of, or operating restrictions on, other nuclear plants until security enhancements could be implemented. (Japan shut down all its nuclear power reactors and briefly entertained the dismantlement of its nuclear power industry due to public pressure following the Fukushima Daiichi accident.)
9 The term asymmetry refers to dissimilarities in the capabilities, strategies, and/or tactics between an adversary and a defending force, for example, a terrorist cell intent on attacking a nuclear plant and that plant’s security forces.
10 Some rehearsals of this type of attack may have already taken place. In April 2013, one or more persons attacked a power transformer yard near San Jose, California, with high-powered rifles (Parfomak, 2014). The suspects are still at large. It is not clear whether their attack was simple vandalism or a rehearsal for a possible future attack on the U.S. power grid.
The DBT is not explicitly designed to address asymmetric threats. Rather, these threats are intended to be addressed by a plant’s industrial security11 programs.
Detailed information about the evolution of the accident at the Fukushima Daiichi plant and its compromised safety systems is widely available on the Internet and in reports such as this one. This information could be used by terrorists to plan and carry out asymmetric attacks on nuclear plants in hopes of creating similar cascading failures. The security risk assessment or CARVER (Criticality + Accessibility + Recuperability + Vulnerability + Effect + Recognizability) analysis described in Chapter 4 could identify asymmetric scenarios of potential concern and suggest ways to manage them.
11 Industrial security is used to protect industrial facilities and equipment against unauthorized access, sabotage, espionage, and malicious manipulation. Industrial security at U.S. nuclear plants is implemented by licensees to protect their interests against security events that could result in operational disruptions but would not result in radiological releases.
The impact of the earthquake and tsunami on the Fukushima Daiichi Nuclear Power Plant’s security systems reinforces the need to ensure that facility security systems are (1) effective, (2) robust and resilient, (3) redundant and overlapping, and (4) readily recoverable.
To be effective, security systems must be designed and implemented to meet the “Five D’s” of security: Deter, Detect and Assess, Delay, Deny, and Defend/Defeat a threat. Together these attributes define a “defense-in-depth” approach to security.
At the outermost boundary of a facility, a perimeter fence defines the owner-controlled area. It serves to deter persons, both via notice not to enter (through signage) and as an initial physical obstacle to entry. A person entering the facility by passing through or over the fencing is assumed to have intent to enter without authorization.
Various sensor systems can then be employed at (or just before or beyond) the perimeter fence to detect an intruder and to assess an intruder’s intent and capabilities (e.g., whether the intruder is carrying a weapon). Additional barriers may be emplaced further inside the property to delay the intruder and to the extent possible deny further access, allowing time for the security force to respond.
Finally, an effective security system includes a well-trained and well-armed response force that may be deployed to defend against and defeat the threat before any sabotage occurs. The security system must also provide for alarm or notification to offsite forces to assist in addressing the threat and to contain any intruders attempting to leave the area.
3A.2 ROBUSTNESS AND RESILIENCE
Physical protection systems must be hardened to withstand extreme natural and accidental events, as well as physical attack. Cameras, sensors, and other systems must be powered by an uninterruptible power source, independent of the power sources used for routine and emergency power for plant safety systems. Ideally, each subsystem within the overall security system should have its own independent power supply to prevent the loss of all systems concurrently.
3A.3 REDUNDANT AND OVERLAPPING
Security systems serve overlapping and redundant functions. An alarm by one sensor system must immediately be assessed by a second system. For example, detectors at the perimeter fence, such as vibration, e-field, and microwave, must be assessed using security cameras or other systems to confirm the attempted (or successful) intrusion.
3A.4 READILY RECOVERABLE
In the event of a catastrophic event or attack, security systems must be designed and installed to be quickly reconstituted. Hardened power and fiber optic cables must permit “plug-and-play” installation of replacements for inoperable equipment. Reestablishment of security is critical because an adversary who might otherwise be deterred from attacking a site might be encouraged to carry out an attack at a compromised facility.
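As an added illustration of the principles in 3A.2 through 3A.4 (example code, not from the report), the following hypothetical Python model treats a perimeter alarm as a confirmed intrusion only when an independent second system assesses it, flags a zone for a compensatory officer post when its detection or assessment equipment loses its dedicated power feed, and clears that post only once both capabilities are restored. The zone names, sensor labels and disposition rules are constructed assumptions.

```python
"""Perimeter alarm assessment with an independent second system.

Hypothetical model (not from the report): each protected-area zone has
fence detectors (vibration, e-field, microwave), an assessment system
(cameras) and separate power feeds for each. An alarm becomes a
confirmed intrusion only when the second system assesses it; if that
system cannot be consulted, the alarm is treated protectively and the
zone is flagged for a compensatory post until equipment is restored.
"""
from dataclasses import dataclass
from enum import Enum


class Disposition(Enum):
    CONFIRMED = "confirmed intrusion: dispatch response force"
    NUISANCE = "nuisance alarm: assessment saw no intruder"
    UNASSESSED = "unassessed alarm: treat as intrusion, post officer"
    UNKNOWN_SENSOR = "alarm from a sensor not installed in this zone"


@dataclass
class Zone:
    name: str
    detectors: set                  # sensor technologies on the fence line
    assessors: set                  # independent assessment systems
    detector_power: bool = True     # dedicated UPS feeding the detectors
    assessor_power: bool = True     # separate feed for assessment equipment
    compensatory_post: bool = False  # officer posted while zone is degraded

    def can_detect(self):
        return self.detector_power and bool(self.detectors)

    def can_assess(self):
        return self.assessor_power and bool(self.assessors)


def assess_alarm(zone, sensor, assessment):
    """Disposition one alarm. `assessment` is what the second, independent
    system reported: "intruder", "clear", or None if it was unavailable."""
    if sensor not in zone.detectors:
        return Disposition.UNKNOWN_SENSOR
    # The alarming detector never confirms itself; a second system must.
    if not zone.can_assess() or assessment is None:
        zone.compensatory_post = True   # cannot confirm: default to protection
        return Disposition.UNASSESSED
    if assessment == "intruder":
        return Disposition.CONFIRMED
    return Disposition.NUISANCE


def lose_power(zone, detectors=False, assessors=False):
    """Simulate loss of a power feed. Losing either detection or assessment
    degrades the zone and requires a compensatory post."""
    if detectors:
        zone.detector_power = False
    if assessors:
        zone.assessor_power = False
    if not (zone.can_detect() and zone.can_assess()):
        zone.compensatory_post = True


def restore(zone):
    """Equipment re-powered or replaced: lift the post only once detection
    and independent assessment are both back."""
    zone.detector_power = zone.assessor_power = True
    if zone.can_detect() and zone.can_assess():
        zone.compensatory_post = False


def zones_needing_officers(zones):
    """Zones where the guard force must compensate for degraded equipment."""
    return sorted(z.name for z in zones if z.compensatory_post)


def demo():
    # Constructed zones: north has three overlapping detector technologies.
    north = Zone("north fence", {"vibration", "efield", "microwave"}, {"camera"})
    east = Zone("east fence", {"microwave"}, {"camera"})
    results = [assess_alarm(north, "efield", "clear"),        # NUISANCE
               assess_alarm(north, "microwave", "intruder")]  # CONFIRMED
    lose_power(east, assessors=True)                     # east cameras dark
    results.append(assess_alarm(east, "microwave", None))  # UNASSESSED
    posts = zones_needing_officers([north, east])        # ["east fence"]
    restore(east)
    return results, posts, zones_needing_officers([north, east])


if __name__ == "__main__":
    for item in demo():
        print(item)
```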