Division of Security Operations
Demonstrating an intense focus, stealth, and military-style tactics, a team moves in concert to destroy a specific target. The team plans and executes each action with deliberate purpose. Who are they? What are they after? This could easily be mistaken for any civilian war-game.
But this is no game. This is an important part of the inspection program for one of the nation’s most critical assets — commercial nuclear power plants.
These mock attacks, called force-on-force exercises, are one time when the so-called “bad guys” are part of the plan. Known as the national “Composite Adversary Force,” or CAF, they are usually security professionals from other nuclear plants across the country. CAF members complete a rigorous selection process and training to prepare them for this two-year assignment.
At each site, the CAF attempts to gain access to and destroy its target — equipment that, if compromised, could impact the safety of the plant and the surrounding community. The “attackers” normally use various routes, methods of entry and tactics to challenge the ability of the plant’s security force to protect the facility. Security forces must be able to defend the site against a standard set of characteristics called the “design basis threat,” or DBT. Specific details of the DBT are not disclosed, for obvious reasons, but the DBT’s scope is laid out in the NRC’s regulations.
The simulated attacks occur over two days and nights, but the full inspection lasts two weeks. During the first week, NRC inspectors have unrestricted access to the site. The inspectors take multiple tours and review the site’s protective strategy and security plan. The inspection team works with the CAF to develop mission plans for a second trip to the site, called the exercise week.
During the exercise week, the CAF performs two mock assaults on the site. The full inspection concludes with a management critique after the last exercise. Senior management at the site participate in these critiques to use lessons from the exercises to help improve the overall security program. Any vulnerabilities identified are addressed before the NRC inspectors leave.
The NRC has been conducting force-on-force exercises since 1991, but they were significantly modified after the Sept. 11, 2001, attacks. The NRC conducts a force-on-force inspection at each nuclear power plant every three years. The NRC inspection teams are drawn from a diverse group. A core team of NRC headquarters staff is augmented by NRC regional and resident inspectors and active-duty military members from the U.S. Special Operations Command.
You may not have heard much about the specific details or results of the force-on-force program due to its security-sensitive nature. Simply put, the NRC doesn’t want the real bad guys to obtain information about the security strategies and plans at the plants.
The force-on-force inspection is part of the baseline inspection process, which the NRC uses to provide an overall assessment of safety and security for each plant. While the specific details of security inspection findings or violations are not made public, overall site performance under the reactor oversight process is made available through the NRC’s website.
The NRC will continue to explore ways to enhance the force-on-force program and will announce future meetings on possible enhancements as they occur. More information on force-on-force inspections is available in the NRC’s backgrounder. General information on nuclear power plant security requirements is also on the NRC’s website.