· The nuclear energy industry is one of the few industries with a security program that is regulated by the federal government. The independent U.S. Nuclear Regulatory Commission holds nuclear power plants to the highest security standards of any American industry.
· According to the NRC, “nuclear power plants continue to be among the best-protected private sector facilities in the nation.”
· Approximately 9,000 highly trained and well-armed security officers, augmented by comprehensive detection and surveillance systems, defend the nation’s 62 nuclear power plant sites.
· Nuclear power plants also have robust structures. The design of each plant emphasizes the reliability of plant systems, redundancy and diversity of key safety systems, and other safety features to prevent incidents that could pose a threat to public health and safety.
· Nuclear energy facilities are designed to shut down safely if necessary, even if there is a breach of cybersecurity. A cyber attack cannot prevent critical systems in a nuclear energy facility from performing their safety functions.
· In 2009, the NRC issued comprehensive regulations that require a cyber security plan for all nuclear energy facilities. Every company operating nuclear power plants has earned NRC approval for their cyber security plans and a schedule for implementation.
Nuclear Plant Security Measures
Security measures at the 100 operating commercial nuclear reactors at 62 sites include:
· physical barriers and illuminated detection zones
· approximately 9,000 well-trained and well-equipped armed security officers
· security officers on duty every day, around the clock
· surveillance and patrols of the perimeter fence
· intrusion detection aids (including several types of detection fields, closed-circuit television systems and alarm/alert devices)
· bullet-resisting barriers to critical areas
· a dedicated contingency response force.
New requirements added in 2009 required nuclear energy facilities to have comprehensive cyber security programs and response procedures to address an aircraft threat or loss of large areas of the facility because of explosions and fire.
Highly trained and well-armed security officers, augmented by comprehensive detection and surveillance systems, defend the nation’s 62 nuclear power plant sites. This is a 60 percent increase in the size of nuclear power plant security forces since 2001. These private forces, a large percentage from military and law-enforcement backgrounds, are drilled and tested regularly to ensure their readiness, with mock force-on-force exercises evaluated by federal regulators. An integrated security and response plan with federal, state and local law enforcement agencies ensures robust and extensive site protection.
NRC Security Oversight
The NRC provides regulatory oversight of nuclear power plant security through its routine inspection program as well as evaluations in which a specially trained mock adversary attacks the plant. The agency conducts these force-on-force exercises at each nuclear power plant at least once every three years.
The U.S. Nuclear Regulatory Commission holds nuclear power plants to the highest security standards of any American industry, and the industry exceeds those standards. Based on its regular interactions with federal intelligence and law enforcement authorities, the NRC establishes the threat against which the industry must be protected and sets stringent standards that the industry’s private security forces must meet.
The threat against which a facility must defend—known as the “design basis threat”—is characterized as a suicidal, well-trained paramilitary force, armed with automatic weapons and explosives and intent on forcing its way into the plant to commit radiological sabotage. Such a force may have the assistance of an “insider,” who could pass along information and help the attackers.
The NRC’s “design basis threat” provides a foundation for developing protective response strategies that cover a variety of situations. The agency determines the design basis threat using technical studies and information received from intelligence experts and federal law enforcement agencies. It is reviewed by the agency once a year. Since 2001, the NRC has twice raised the threat level against which nuclear plants must provide protection. In doing so, the NRC has assumed an increased number of possible attackers and weapons capabilities.
Congress also responded to public concern over nuclear plant security by including in the Energy Policy Act of 2005 several provisions that increase security requirements or capabilities. As part of the bill, the NRC was directed to officially increase the scope of the design basis threat. It also requires plants to fingerprint and conduct background checks of their employees.
The legislation also allowed the NRC to authorize security officers to carry certain advanced weaponry and increased federal penalties for sabotage and for bringing unauthorized weapons onto a nuclear power plant site.
Industry Conducts Drills With Local Authorities
The NRC requires licensees to coordinate with local law enforcement and emergency responders who can assist in the unlikely event of an attack. In addition, the industry has developed and implemented guidance to strengthen relationships with local law enforcement agencies and first responders and to enhance the integrated response during a site event. This guidance and the NEI white paper titled “Best Practices for Maintaining Relationships with Law Enforcement Agencies and First Responders at Nuclear Reactor Facilities” are meant to fully integrate the on- and off-site response to a site event.
NEI’s working group on security has also established guidance for conducting a limited exercise of the site-specific integrated response plan. The exercise provides a model for a plant’s security force and local law enforcement to simulate a response to a hostile action.
Robust Structures to Counter Attacks
The FBI considers security forces and infrastructure at nuclear power plants formidable and considers nuclear power plants difficult to penetrate. In addition to the extensive security at nuclear plants, the defense-in-depth features that protect the public from radiological hazard in the event of a reactor incident also protect the plant’s fuel and related safety systems from attempted sabotage. The design of each plant emphasizes the reliability of plant systems, redundancy and diversity of key safety systems, and other safety features to prevent incidents that could pose a threat to public health and safety.
Steel-reinforced concrete containment structures protect the reactor. Redundant safety and reactor shutdown systems have been designed to withstand the impact of earthquakes, hurricanes, tornadoes and floods. Areas of the plant that house the reactor and used reactor fuel also would withstand the impact of a wide-body commercial aircraft, according to analyses by the NRC. The agency’ aircraft impact assessment rule requires design features for new plants to mitigate the effects of an airplane crash, and post-9/11 NRC orders require existing plants to implement similar measures. NRC regulations also require licensees to guard against waterborne attacks or explosives. Plant personnel are also trained in emergency procedures that would be used to keep the plant safe from a sabotage attempt.
Used nuclear fuel is protected by the same security force and electronic surveillance equipment as the rest of the plant.
Computer systems that help operate nuclear power plants and safety equipment are isolated from the Internet to protect against outside intrusion. NEI formed a task force in 2002 that developed comprehensive guidelines for companies operating nuclear power plants to develop and manage an effective program to protect against cyber security vulnerabilities. The NRC endorsed the industry guidelines in 2005. By May 2008, all operating plants had implemented them.
In 2009, the NRC issued comprehensive regulations that require a cyber security plan for all nuclear energy facilities. NRC regulation covers all areas of a plant.
Every company operating nuclear power plants has earned NRC approval for a plan that describes how the facility is implementing its cyber security program. The NRC has reviewed and approved each of these implementation schedules and regularly inspects cyber protection measures at U.S. reactors.
For more information, see NEI’s policy brief on cyber security.