U.S. NRC Blog

Transparent, Participate, and Collaborate

Category Archives: Nuclear Security

Safeguarding The Nation’s Secrets

Robert L. Norman
Sr. Program Manager, Safeguards Information

As part of its role in protecting health and safety, the NRC uses information security procedures to prevent sensitive information from getting into the wrong hands. The NRC puts sensitive information in three categories: classified, Safeguards Information (SGI), and Sensitive Unclassified Non-Safeguards Information (SUNSI).

Each category has specific marking requirements and security procedures. Although the NRC is the only agency with the authority to set requirements for protecting SGI, most agencies have requirements for the protection and designation of unclassified sensitive information.

You’ve probably heard the terms Top Secret, Secret, and Confidential; these are categories of classified information. Each category has a corresponding federal security clearance level needed for access. Executive Orders, Security Classification Guides and the Atomic Energy Act of 1954, as amended, lay out criteria for protecting information and identifying what nuclear information is classified at a particular level. A breach of classified information could threaten national security.

SUNSI, while generally unavailable to the public, does not require a federal security clearance. This category of information contains various types of information, including Personally Identifiable Information and attorney-client privilege. SUNSI is protected by the Privacy Act, NRC and other federal agency regulations.

While classified information and SUNSI are broad categories, SGI is much narrower. The SGI designation covers the physical protection of nuclear facilities and materials. This includes operating reactors, spent fuel shipments, and radioactive material at certain levels. Nuclear facilities require high security measures. Armed guards, physical barriers, and surveillance systems are just some of the ways we protect nuclear plants. Information about these detailed security measures is carefully guarded. Without SGI protection, people could use this information to attempt to circumvent physical barriers and break into security systems.

Section 147 of the Atomic Energy Act requires the NRC to regulate SGI. The NRC is in charge of deciding what qualifies as SGI and how to protect it. A specially trained group of personnel, called SGI Designators, create and/or check documents for SGI. Even though a federal security clearance isn’t needed for access, SGI is treated similarly to Confidential information. Individuals must pass a background check and have a “need to know” to access SGI.

The use of SGI has often come into question. The Office of the Inspector General conducted an audit in 2004 of the NRC’s protection of SGI. According to the audit, the Confidential classification could protect SGI without seriously affecting costs. However, NRC staff concluded the proposal would require the government to perform thousands of expensive federal security clearances and change how information is stored and encrypted. A switch to a lower designation, such as standard official use only, would put security at risk. Current regulations already protect SGI without breaking the bank.

Another OIG audit revisited the topic in 2012. This audit discussed giving people outside of the NRC and its licensees access to SGI. The OIG recommended setting up a specific plan for granting outsider access. Based on the recommendations, outsiders will still need to undergo background checks and have a “need to know.”

The NRC strives to be as open and transparent as possible. However, when it comes to safeguarding sensitive information for the good of the country, and our licensees, information protection will always take priority over transparency.

Droning On Over Nuclear Power Plants

Monika Coflin
Technical Assistant
Division of Security Policy

Drones, or unmanned aerial vehicles, have been in the news lately. Last fall, unidentified drones breached restricted airspace over 13 of France’s 19 nuclear power plants in a seemingly coordinated fashion. In January, a drone crashed onto the lawn of the White House. And this week, a drone was found on the roof of the Japanese prime minister’s office.

Drones may be fun toys, but they pose a number of concerns. They can be used to conduct surveillance to gather intelligence about facility security. They can also be used to deliver payloads that could include explosives. While the majority of drones currently in use are relatively small, larger ones are becoming available that could possibly deliver payloads capable of causing damage to facilities that are not hardened.

Security experts haven’t yet identified who was responsible for the French flyovers, but with the prices of drones falling and their popularity rising, the potential threat will likely continue to grow.

There are ways to detect and intercept drones, such as jamming radio signals or using helicopters to pursue encroaching drones. Chinese scientists are developing a laser weapon that can detect and shoot down small, low-flying aircraft, and interception drones have the ability to drop nets over intruding drones. However, there are many legal issues that challenge the use of these techniques.

The Federal Aviation Administration (FAA) has a long-standing “Notice to Airmen” warning pilots not to linger over nuclear power plants. The FAA has also issued guidelines on where users should not fly drones, but the industry is largely unregulated as more companies look to use the relatively new technology in their businesses. The FAA has been working to craft a comprehensive regulatory framework for drones, following calls from Congress and the President, and recently issued draft regulations for the commercial use of drones.

President Obama likened the drone industry to cyberspace, which has brought new technologies that U.S. laws are still trying to catch up to.

“These technologies that we’re developing have the capacity to empower individuals in ways that we couldn’t even imagine 10-15 years ago,” the President said, pledging to work to create a framework that “ensures that we get the good and minimize the bad.”

Given the evolving nature of technology and the need to balance the threat with the potential benefits of drones, the NRC is actively engaging with the departments of Homeland Security, Energy, and Defense to move this government collaboration effort forward. For example, we have reached out to the FAA to examine available legal and regulatory options, and attended inter-agency meetings to learn about how other agencies are addressing potential impacts from drones.

In addition, NRC will participate in a U.S.-initiated drone working group under the nuclear counterterrorism umbrella with the governments of France and the United Kingdom. The NRC has provided, and will continue to provide, pertinent information on this topic in a timely manner to its licensees to ensure continued safe and secure operations.

Watching Over a National Research Tool

Alexander Adams
Research and Test Reactor Licensing
 

NRC inspectors can find themselves most anywhere in the United States, but one of the facilities we oversee is just down the street. The Center for Neutron Research, at the National Institute of Standards and Technology (NIST), is only about 20 minutes from our headquarters in Rockville, Maryland.

The Center is the largest research and test reactor we regulate, but large is a relative term – the Center’s reactor is 75 times smaller than the smallest U.S. commercial nuclear power plant. The reactor exists for only one purpose – to generate neutrons, pieces of atoms that can help researchers examine fantastically small details in many areas of science. The Center’s latest experiments have looked at materials that could improve oil and gas refining, and have examined biological cell wall behavior in real time.

As important a research tool as the Center is, it still has to operate safely. NRC inspectors check on the NIST facility at least twice annually to verify the reactor is operated safely and that only properly trained and licensed personnel run the reactor. Our ongoing reviews of the research reactor show that, even in the very unlikely case of the reactor’s systems failing during an accident, no effects are expected outside of the Center.

Security is another key factor in our oversight of the Center, and we inspect the facility’s security at least once every two years. NIST must follow our requirements to properly control access to the Center. Our security rules also keep fresh reactor fuel under strict control until it goes into the reactor, as well as keeping the reactor’s used fuel securely stored until it can be sent back to the Department of Energy.

Our security inspections at the Center show it has complied with the additional requirements the NRC imposed after the 9/11 attacks. In fact, the Center has worked with other federal agencies to add security features that go beyond our requirements. The bottom line is that used fuel is highly radioactive, very difficult to handle safely by untrained people, and very strong measures are in place to protect the facility and the material.

Security and Nuclear Power Plants: Robust and Significant

Robert Lewis
Director of Preparedness and Response
 

Security of the nation’s commercial nuclear facilities is a critical part of the NRC’s mission. In response to recent media stories about security at nuclear power plants, we want to reassure you that U.S. nuclear power plants are adequately protected against potential terrorist attacks. In fact, they are among the best-protected sectors of our national infrastructure.

In the decade since the 2001 terrorist attacks, the NRC, and its licensed operators, acted to enhance security at the nation’s nuclear plants. While the plants are secure, robust structures designed and built to withstand a variety of natural and man-made enemies, we ordered additional measures. For example, we strengthened requirements related to physical barriers, access controls, and intrusion detection and surveillance systems, as well as the existing well-trained and armed security officers.

Specific security measures are considered “safeguards information” (a type of unclassified, yet sensitive information) and are not made public, for obvious reasons. The NRC can, however, describe these enhancements in general terms.

Each plant’s security plan is based on a Design Basis Threat, or DBT, set by the NRC. This is the maximum threat a private-sector entity can be expected to defend against. Details of the DBT are not public, but our regulations spell out the types of threats our licensees must prepare for. These include an assault by one or more determined and capable adversary forces attacking by land or water, truck bombs, boat bombs, insider threats and cyber attacks. The NRC requires each plant to test its security force annually, and the NRC also tests the security forces at each plant every three years in a sophisticated force-on-force inspection.

Security doesn’t stop at a plant’s boundary. The NRC requires licensees to coordinate with local law enforcement and emergency responders who can assist in the unlikely event of an attack. The NRC itself continuously coordinates with other federal agencies to assess the current terrorist threat and take whatever actions might be necessary to bolster security at nuclear plants. We work with the Federal Aviation Administration, Department of Homeland Security and North American Aerospace Defense Command to guard against September 11-style air attacks.

A recent report published by the Nuclear Proliferation Prevention Project (NPPP) at the University of Texas used non-sensitive “open-source” information to assess the protections in place to counter terrorist threats to nuclear facilities in the United States, including potential threats to commercial nuclear power plants.

As an agency committed to the security of our nation’s nuclear power plants, we welcome recommendations for strengthening our oversight. However, we need to correct the record on two key points made in NPPP’s report. First, both new and existing reactors must mitigate against potential attacks using commercial aircraft; in fact our Aircraft Impact Assessment Rule requires design features for new plants to mitigate the effects of an airplane crash, and the NRC’s post-September 11 orders require existing plants to implement similar mitigating measures. Second, NRC regulations, based upon the DBT, do in fact require licensees to guard against waterborne attacks or explosives.

Force-on-Force or Was That a Gunfight at a Nuclear Power Plant?

Clay Johnson
Chief, Security Performance Evaluation Branch
 

They are dressed in camouflage, fit and well-trained, and they creep quietly toward the perimeter of a nuclear power plant under cover of darkness. Their realistic weapons reflect dully in the moonlight, but these weapons fire blank ammunition and lasers that record hits and misses.

Their goal? A particular target set within the plant which, if compromised, could impact the safety of the plant and the community that surrounds it. The target set this night? A closely guarded secret known only to the “armed intruders” and the NRC inspection team that includes active duty military members from the U.S. Special Operations Command.

The attacks will be repeated over the course of three days and nights so that different attack methods and various targets at each nuclear power plant are tested. In each scenario, the plant’s security personnel work to protect specific areas of the plant according to their facility’s individual security plan. Each plant is tested in this manner every three years.

These force-on-force inspections have been part of the NRC inspection regime since 1991, but they were significantly beefed up and the frequency increased to every three years after Sept. 11, 2001. They are designed to assess the plant’s ability to defend itself against the conditions put forth under the “design basis threat” or DBT. These inspections are in addition to the baseline security inspections performed by the NRC’s regional inspectors and the inspections done daily by the NRC’s resident inspectors. NRC security experts routinely review options for further enhancements to the program.

The details of what happens during a force-on-force inspection are not public due to the sensitive nature of security plans at the plants. If a deficiency is found during an inspection, the NRC inspectors stay on site until compensatory measures are put in place, and then the NRC reviews the plant’s long-term plan to rectify the problem, and may issue violations. These violations are only discussed in a general way with the public.

The “bad guys” are part of what is called the Composite Adversary Force and they are contracted by the nuclear industry to perform these mock attacks to NRC specifications. The plant knows the force-on-force will occur at a specific date for safety and logistical purposes and to provide time to coordinate two sets of security officers – one to participate in the inspection and one to maintain the security posture of the plant. The mock attacks are also preceded by significant planning and on-site tabletop drills conducted by the NRC inspection team.

These realistic and physically intensive exercises are but one vehicle by which the NRC ensures the country’s nuclear power plants and Category I fuel facilities are prepared and able to protect themselves. Meetings on possible additional enhancements to this inspection program will be announced in the future.
