U.S. NRC Blog

Transparent, Participate, and Collaborate


NRC Finalizes Violations for Arkansas Nuclear One

Victor Dricks
Senior Public Affairs Officer
Region IV

The Arkansas Nuclear One power plant, in Russellville, Ark., is coming under increased NRC focus as a result of flood protection problems.

Beginning in 2013, Entergy Operations officials and the NRC began extensive inspections of the flood protection program at ANO. Many problems were discovered and are described in a Sept. 9, 2014, NRC inspection report.

All told, more than 100 previously unknown flood barrier deficiencies creating flooding pathways into the site’s two auxiliary buildings were found. These included defective floor seals, flooding barriers that were designed but never installed, and seals that had deteriorated over time. In one case, a special hatch that was supposed to close a ventilation duct in the Unit 1 auxiliary building in the event of flooding had never been installed.

In the unlikely event of extreme flooding – a kind not seen since weather records have been kept for the area – significant amounts of water could have entered the auxiliary buildings. This could have submerged vital plant equipment, as well as the emergency diesel generator fuel vaults. The licensee has replaced degraded seals, installed new flood barriers and adopted new measures to better protect the site from flooding.

NRC held a regulatory conference with Entergy officials on Oct. 28, 2014. After considering information provided by the company, NRC determined violations related to flood protection have substantial safety significance, or are “yellow.” (The NRC evaluates regulatory performance at nuclear plants with a color coded process that classifies inspection findings as green, white, yellow or red, in order of increasing safety significance.)

The NRC divides plants into five performance categories, or columns on its Action Matrix. ANO Units 1 and 2 received yellow violations in June 2014 because electrical equipment damaged during an industrial incident increased risk to the plant. Workers were moving a 525-ton component out of the plant’s turbine building when a temporary lifting rig collapsed on March 13, 2013, damaging plant equipment. Those violations moved both units from Column 1 to Column 3 of the NRC’s Action Matrix. The agency increases its oversight of plants as performance declines.

The new violations will lead NRC to reassess whether even more inspection resources need to be focused on ANO. The NRC will determine the appropriate level of agency oversight and notify Entergy officials of that decision in a separate letter.

Protecting the NRC’s Cyber Frontier

By David McIntyre
Public Affairs Officer

 

The email was flagged urgent and screamed in capital letters: YOUR IMMEDIATE ATTENTION REQUIRED! The message said a software update was needed to avoid major system disruption, and to click a link and enter a network password. The NRC employee who received the email thought the message looked suspicious. Instead of clicking on the link, she forwarded the message as an attachment to the NRC’s Computer Security Incident Response Team.

Within minutes, a CSIRT member was analyzing the email on a computer unconnected to the NRC network. He quickly determined the message was bogus, a “phishing” attempt to gain unauthorized access to the system. He instructed the employee to delete the message and block the sender to avoid receiving any further attempted intrusions from that Internet address.

Had the employee provided her username and password, she could have exposed the NRC’s computer network and its sensitive information to compromise and possible disruption. Personal information about NRC employees would have been at risk, as well as sensitive pre-decisional information about agency policies and licensees. While Safeguards and classified information about the security and status of nuclear plants is maintained on separate higher security systems, the information we process on the NRC corporate network must also be protected.

CSIRT, part of the NRC’s Computer Security Office, is a small group of experts, all highly trained in cyber defense. Their mission is to detect and thwart attacks on the NRC’s computer networks and prevent “spills” of sensitive information. Such attacks can come through phishing attempts, such as the fictional incident described above, malware implanted in website advertisements or viruses and malware on portable data devices.

The team routinely works with other federal agencies, including the Homeland Security Department’s U.S. Computer Emergency Response Team (US-CERT), to stay up to date on the latest vulnerabilities. They even practice “white hat” hacking to test the NRC’s systems.

As a response team, CSIRT investigates suspicious emails that have already passed through the NRC’s extensive SPAM filters and Internet firewall, robust cyber security defenses mounted by the Office of Information Systems.

About 10 million emails are directed to NRC.gov addresses each month, and nearly 90 percent of them are blocked by the agency’s network security technologies as spam or for carrying viruses or suspicious attachments, says Mike Lidell, IT Specialist in the OIS Security Operations and Systems Engineering Branch. The OIS team administers the NRC’s firewalls, intrusion detection systems and spam filters.

While the percentage of blocked emails seems high, Lidell says it’s pretty much “par for the course” for any large organization or government agency. Emails that get through the initial line of defense are scanned again by the internal servers and a third time by the end-user’s individual computer. Internet data returned from the Web is scanned by NRC servers and individual workstations as well to guard against “drive-by downloads” of malicious software.

As Lidell points out, the “defense in depth” is necessary because the attacks are always evolving and changing. Thorne Graham, CSIRT’s team leader, praises a fourth line of defense against email attacks on the agency’s network: The NRC’s 4,000 employees. All NRC employees take annual online computer security training.

“Our best defense is the individual employee,” Graham says. “Security is everyone’s business.”

 

Improving NRC Processes—Part Two

Patricia Holahan
Director, Office of Enforcement

 

We wrote in June about steps we are taking to improve our “non-concurrence” process, which is a way for NRC staff to air a variety of views before final management decisions are made. Today, we’d like to fill you in on steps we are taking to improve our Differing Professional Opinions (DPO) process—used to bring NRC staff views on agency decisions to the highest levels of NRC management.

Both processes are important to creating an environment where NRC employees feel they can speak up when they disagree—the same safety conscious work environment we expect from our licensees.

First, a little context. The NRC makes hundreds if not thousands of decisions each year. To reach the best decisions, the agency encourages staff to bring their views forward throughout the process. This active engagement is essential.

NRC expects all employees to promptly discuss their views and concerns with their immediate supervisor on a regular basis. Employees are expected to raise concerns and propose solutions as early as possible in the decision-making process. In addition to informal discussions, which should be sufficient to resolve most issues, individuals have various options for expressing and having their differing views heard by decision makers.

In the vast majority of cases, an informal conversation is sufficient. But if not, there are a number of avenues for elevating concerns. We have an Open Door policy that allows the staff to request a meeting with any manager at the NRC—including the Chairman and Commissioners—to raise concerns. This policy encourages employees to resolve their concerns informally. There is also the non-concurrence process, which allows the airing of issues through the concurrence chain before a decision is made. An employee who disagrees with an established position can use the DPO process.

The NRC is unique in not only having and promoting these programs, but in assessing them and reporting the results to the public. This transparency helps ensure that differing views do not get lost in the shuffle.

To gauge how well these processes are working, we used a variety of tools to measure user satisfaction and process effectiveness. As with our assessment of the non-concurrence process, the DPO assessment shows the process is sound. NRC staff knows about it and most would be willing to use it. Also like the earlier assessment, the DPO assessment has helped us to identify areas for improvement.

There have been 28 DPOs filed since 2004, or an average of two to three cases per year. In that same time frame, one DPO was withdrawn and 24 DPO decisions were issued. Given that so few NRC employees have direct experience with the process, we were encouraged to see from our agency-wide safety culture survey that only 15 percent of NRC employees would be unwilling to use it. While this number is small, it shows we have some work to do. We want all NRC employees to feel they can use the process, and that it will be effective and lead to better, more informed decision-making. We are also concerned about the 18 percent who worry using the process could impact career development and the 46 percent who are unsure.

These numbers present an opportunity to do more outreach and education to ensure NRC leadership is committed to the DPO process. We will also need to: develop clearer guidance and better tools and support the process; ensure training is readily available to all employees (including a focus on improved communications); and identify ways to address concerns about real and perceived negative consequences for using the process.

As we work to make these improvements, we can also celebrate the things that make our DPO process strong. From looking at other agencies with similar processes, our assessment shows the NRC is unique in making summaries of our DPO decisions public and, if asked by those who file DPOs, releasing key DPO records.

We are also pleased by the feedback from DPO submitters. We surveyed the 12 who remain at the NRC and received nine responses. All nine reported their views were heard by management. Eight said the DPO panel was sufficiently knowledgeable, independent, impartial, timely, and thorough. The same number said they were understood and treated fairly. Seven said the process added value to the final decision, their views were fully considered, and their management was supportive. Six said they were recognized with a Special Act award or an NRC Team Player award.

As we move forward, we will build on these strengths and take additional steps to foster an organizational culture where employees take personal responsibility for their actions, feel part of a community and work toward shared goals. We value the feedback from these self-assessments and commit to responding constructively so we can continuously improve our performance.
