Discussion of Protecting Nuclear Facilities
G.R. Srinivasan and Rose Gottemoeller,
Session chair V.S. Ramamurthy framed the discussion by noting that new technologies offered opportunities for constructive as well as destructive use and that atavistic attitudes still exist, both in the West and in India. Nuclear technology, more than 50 years old, is a mature technology. It went through a phase of very rapid growth, followed by one of concerns about safety, and then a phase in which proliferation was the major concern; now it has entered a phase dominated by security concerns rising from terrorist threats.
The nuclear industry has addressed these issues in various degrees at various times; perhaps it is the only industry where this is done, but Ramamurthy reminded the group that all new technologies go through these phases. This is true now of biotechnology, the chemical industry, cloning, and other technologies—the similarities cannot be missed. Whatever we do today in the realm of nuclear technology might be a lesson on how to handle the emerging technologies of tomorrow; the issues are not going to be very different. Thus, he urged participants not only to address concerns surrounding nuclear facilities but also to address other emerging technologies.
G.R. Srinivasan noted that both presentations discussed the three real problems of terrorism confronting the nuclear industry: (1) dirty bombs, (2) nuclear explosives, and (3) sabotage or malevolent acts against nuclear facilities. He added that these three threats stem from the unauthorized removal of material as well as sabotage on nuclear plants, both with or without insider assistance, and agreed with John Holdren’s view that sabotage has been neglected. Srinivasan also suggested that one point raised by P. Rama Rao had to be emphasized again: nuclear power plants have a built-in policy of defense in depth, a policy of redundancy, which would stand in good stead against terrorist attacks. Thus, our concern about the catastrophic destruction of a nuclear power plant should be limited to one or two design-based threats (DBTs). In most other cases it would not be so serious. Citing Rama Rao, Srinivasan noted several built-in features of a nuclear plant that could save the situation for the plant; we often jokingly reminded visitors in the
control room not to sneeze heavily lest, because of the fail-safe mechanisms, the reactor is shut down. This is the type of defense in depth or bias towards safety that is built in.
Suggesting that Holdren’s paper could serve as an action document about the steps that can be taken to reduce future risk, Srinivasan elaborated on the design of safety systems and redundant systems. At first these systems were designed for a few incidents, such as a jet of water coming out. Then, after a few fire incidents, the spacing between redundant systems was adjusted for fire. Now we must incorporate threats from explosives and sabotage into the DBT, so there is reason to redesign the safety systems.
Additionally, Srinivasan noted that international cooperation on nuclear safety is very important, and while there may be proprietary details to worry about, these can always be addressed. He was particularly pleased that Holdren had specifically emphasized cooperation with India.
When Srinivasan was Vice-Chairman of the Atomic Energy Regulatory Board there was fairly satisfactory control over the regimented areas, such as nuclear power plants and nuclear facilities, but for the nonregimented areas, such as radioactive sources and the materials necessary for a dirty bomb, there were many areas in need of greater security. This is the situation in many other countries, and there is a real dearth of information in this area.
Security considerations should be included from the beginning—they cannot be retrofitted—and security-related training is critical; the nuclear industry is a knowledge-driven industry and safe operation requires training. Nuclear safety-related training would be strengthened by international cooperation and an exchange of experience.
The DBTs for nuclear power plants are useful in fighting terrorism, as these are state-of-the-art. They include safeguard systems, physical protection systems, extensive data mining (required to fight terrorism), and advanced tools for analysis of design-basis threats such as codes and computer models. In fact, even the response and the delay and modeling of the physical protection system is run through software programs. So any upgrade required has a considerable science and technology component for security-related concerns.
Srinivasan also emphasized that the nuclear industry should not be shut down because of terrorists and their activities; this amounts to punishing the victim, not the aggressor. As for energy supply, he noted, diversity of energy supply equals security.
Srinivasan concluded his comments by reemphasizing a point made by both speakers: that nuclear security is a comprehensive, top-to-bottom, multidimensional, multidisciplinary, multiorganizational effort, not a matter of pointing at one particular area. Production, safety, and security objectives have to be simultaneously achieved. Security is an area where a small security staff of 50 or 80 people cannot tackle the problem. In a nuclear power station everyone needs to be involved with security. Security culture has to be embedded in the organization itself and all four or five hundred employees. It is important that each person does the right thing even when no one is looking.
Discussion moderator Rose Gottemoeller observed that no country owned the perfect model for security. Instead, the best practices of each country can contribute to improving worldwide performance in this area. International cooperation is vitally important because of the driving need to improve the security of the entire system of nuclear material and facility protection worldwide in the face of the urgent threat of
international terrorism. By learning the best that each country has to offer, we can all improve our efforts; this process is not only vital but also timely for each country with civilian or military nuclear facilities or both. We all have the same problem to address— the threat of nuclear terrorism, and we all want to do the best we can to prevent nuclear catastrophes and to protect and preserve our national nuclear assets.
Gottemoeller stated that her assessment was drawn from long experience working in the U.S.-Russian context. In the U.S.-Russian environment, cooperation seemed to work best under the following conditions.
First, the relationship is treated as a partnership, not a relationship wherein one country is providing assistance to another country.
Second, each country is considered to have best practices in nuclear material and facility protection to be incorporated into joint projects. These measures can also inform the counterpart country’s own protection efforts.
Third, the partners each bring resources to the table, whether financial, technical, or human. It is important to underscore that it is not necessary for the resources to be financial for a full partnership to emerge. We have found, for example, that Russian monitoring and sensor systems are sometimes more robust for operating in the harsh climate of the Arctic than U.S.-developed systems, and we had to learn this lesson. Americans had to learn to examine such possibilities rather than to assume that their own systems and technologies were best.
Fourth, each partner participates in project management and decision making. There should be a well-developed system of sharing information and coordinating activities. Such a system performed very well in the early days of the U.S.-Russian cooperation on nuclear reactor safety, but it has not always been present in other types of cooperation, such as the material protection, control, and accounting program.
Fifth, an all-or-nothing approach is generally not helpful to the cooperation; that is, demanding all facilities of a certain type be thrown open for joint project work. Instead, we have found that a pilot project approach is useful, focusing on a single facility to begin with, building up mutual confidence in the cooperation, and then perhaps in the future, on the basis of mutually arrived at decisions, expanding into a wider array of facilities.
Finally, the use of indigenous manufacturers and construction firms can speed cooperative projects and help sustain them. Early on, and again this was another U.S. mistake in establishing the cooperation with Russia, we insisted that U.S. products and companies be used. We were trying to sell the cooperation politically to the U.S. Congress. This approach led to many problems. Russian colleagues resisted this and resented this position. Further, this created difficulties with the sustainability of the joint project efforts. Joint projects today make wide use of Russian firms both for equipment and for construction services. This was a very important lesson from the overall cooperation.
These examples deserve examination and should inform broader international cooperation on protection of nuclear materials and facilities. There is no need to repeat the mistakes of the U.S.-Russian relationship, but rather we can move more quickly to effective cooperation.
Gottemoeller concluded by asking how the problem of radiological dispersal devices (RDDs) can be further examined, and noted that there is a U.S.-Russian bilateral
initiative examining the question of RDDs and nuclear sources, and trying to establish priorities in addressing the problem of control, protection, and accounting of sources.
S. Rajagopal noted that nuclear risks are not the same across-the-board as is seen in the example of reprocessing. As Holdren explained, the risks of attack and release of a large quantity of cesium-137 depends on whether the reprocessing plants are centralized and whether there is a large inventory of spent fuel. This is not so in India because reprocessing plants are decentralized in India. So you can see the risks are fewer when compared with the French facility at La Hague, where there are thousands and thousands of tons of spent fuel kept in the pool. Because of U.S. policy—fuel is not reprocessed but rather goes through a once-through cycle—the United States is holding very large stocks of spent fuel. It then becomes necessary to store this spent fuel away from the reactor. We do not have any away-from-reactor storage except perhaps in Tarapur, because of the policy that we cannot reprocess U.S. fuel.
The risks of illicit trafficking in nuclear (especially fissile) material are also variable, but because of the degree of illicit nuclear trafficking reported by the International Atomic Energy Agency, we need to take this threat very seriously now. Rajagopal was not sure that a terrorist who looks for spectacular results and wants to create instantaneous panic and human loss would resort to a dirty bomb.
As for a terrorist attack on a nuclear plant, what is important is a well-rehearsed emergency preparedness plan that considers the worst-case scenario, looking at wind direction, the radioactive transport mechanism, and so forth. With a very well rehearsed emergency preparedness plan, we will be able to mitigate the effects quite effectively, irrespective of whether there is an accident in the plant or a terrorist attack.
Richard Garwin noted that when he was a member (with Lewis Branscomb) of the National Academies’ group that wrote Making the Nation Safer,46 they looked at the security of radioactive sources. The United States really needs an inventory and more frequent reporting of where the sources are located in order to minimize their use in radiological dispersal devices.
Garwin’s view was that the biggest threat is not an attack on a nuclear facility, (for example, power reactors or reprocessing plants) at least not in the United States, but on spent-fuel storage systems. When prioritizing risks, the spent-fuel casks have received a lot of attention, but they are not that large a problem compared with the storage pools for spent fuel. Storage pools are a greater problem, because they are not as well protected as the reactors themselves, and of course, reactors can be a big problem. The terrorists—if there is a concerted terrorist attack on a reactor—are much better motivated, better equipped, and more interested in their job than are the guards who defend. The terrorists can use tear gas at the same time that they use rifles, machine guns, automatic weapons, bazookas, and all kinds of weapons that can be carried in an attack. Unless we actually look at what can be done and at the difference between security and safety, as Rama Rao indicated, we do not get the right evaluation of the threat to the reactor. The difference between security and safety is that the terrorists can choose to attack the worst plant during the most favorable weather conditions for maximum damage. They can intentionally attack the specific redundant systems to destroy them at the same time,
National Research Council. 2002. Making the Nation Safer: The Role of Science and Technology in Countering Terrorism, National Academies Press, Washington, D.C. The report is available in PDF format at http://books.nap.edu/hml/stct/index.html.
whereas safety imagines that they are destroyed either through some common mode or through a simultaneous accident. So if, in the context of U.S.-Indian cooperation, we do not want to particularly look in detail at Indian plants, U.S. experts could at least use Indian experts’ help in evaluating the threat to U.S. plants because it is not going to benefit the worldwide nuclear industry to have a terrorist-induced catastrophe in any country.
Regarding the Sellafield facility in the United Kingdom, there are more than a thousand cubic meters of liquid fission products, containing 30 times as much cesium-137 as did reactor number 4 at Chernobyl. Furthermore, although there is much less thermal driving force than in the fresh spent fuel within the reactor, if it is struck down, there is plenty of power generated to boil those tanks and to burst them or to evaporate the cesium-137. We must install filters that will accumulate the evaporating cesium-137 in thousands of tons, with improvised filtering material in order to compensate for an attack. These are, Garwin concluded, very serious problems, that could lead to a disaster unless they are carefully evaluated, not from our perspective, but from that of a terrorist’s choice of time and place.
This point was seconded by Kumar Patel, who noted that threat perception may change daily, and since the initiative lies with the terrorists, they have an option to choose when and where to attack. This means that security is not a linear function of the number of armed security guards at a facility. It does not depend on the amount of equipment that is installed, nor does it move linearly with the sophistication of the equipment. Security has to be incorporated into the professional culture of those who work in all facets of the nuclear industry.
B. Raman posed a number of questions regarding physical barriers, the role of intelligence, air attacks on nuclear facilities, and other kinds of attacks.
Holdren’s response was that regarding barriers, there are a number of possibilities, some of them examined in Making the Nation Safer. Towers and cables in various arrangements could make it much more difficult for an aircraft to strike a reactor containment vessel at the right angle, at the right speed, or at all, depending on how towers and cables were deployed. One idea that appeared in the German press for countering this possibility would be to use dispensers that can throw up an obscuring fog if a reactor is under attack, so that the operators of an aircraft could not see where they were going, and could not accurately see their target. It should be noted that for an aircraft attack against a reactor to be effective, a number of conditions have to be met, including a very precise strike against the reactor. If one cannot see where the precise target is, this becomes very difficult. It has already been widely pointed out in the aftermath of September 11, 2001, that flying a jumbo jet into a skyscraper where the attacker does not care where in the building the strikes occur—it does not matter whether the 70th floor or the 80th floor or the 60th floor is hit—is much easier than flying an airliner into a specific point on the ground. This was already demonstrated in a way when the aircraft that was aiming to strike the Pentagon actually struck the parking lot. It then skidded into the Pentagon and caused a lot of damage, but it underlines the point that flying to a particular target on the ground is quite difficult, and you can make it more difficult with barriers, obscuration, and perhaps with other means.
Regarding the role of intelligence, Holdren agreed that, of course, intelligence can play a major role in intervening in terrorist attacks of all kinds, including attacks on
nuclear facilities, and that the growth of international and national cooperative efforts to deal with terrorist threats could, in general, be effective in the context of attacks on nuclear reactors. In the United States, the Nuclear Regulatory Commission (NRC) has greatly increased its interaction with other federal agencies that have security responsibilities, and there is far more communication between the NRC, the Department of Energy, the Federal Bureau of the Investigation (FBI), and the Department of Homeland Security. This extends beyond intelligence to response capacities, that is, in thinking about how to respond to an attack on a nuclear reactor. The capacity to engage multiple agencies very quickly in an emergency response is now being developed.
Finally, on the question of armed intruders versus other threats to nuclear reactors, Holdren elaborated that the threats involve permutations of combinations of intruders and insiders—some might be entirely intruders and some might be entirely insiders. A case where there is someone already inside the reactor as part of the staff or as part of a maintenance contingent could very well do a great deal of damage if such a person were able to smuggle in explosives or were particularly knowledgeable about the plant.
In the discussion that followed, additional questions were raised, with responses by the speakers and others.
One participant asked whether space-based surveillance of nuclear power plants was possible. Garwin responded that it was most likely not possible. Terrorists know when there is cloud, and when a geosynchronous satellite would be blocked. Nuclear energy facilities are sufficiently rare that the way to survey them is from the ground, with towers, with people if need be; this is also affordable, as television cameras are now extremely small and inexpensive. Terrorists could, of course, destroy surveillance systems as part of the attack, but there could be small, covert, and inexpensive systems that would operate in any scenario.
It was also suggested that there might be “force multipliers” in nuclear facilities, the way that other civilian targets were used to increase the devastation. Branscomb responded by noting that the problem is made more severe because there are almost no statistics to suggest the appropriate model of terrorist capabilities we should have in mind. Branscomb would divide their capabilities into two parts: (1) What equipment, vehicles, weapons, devices, and other material devices and facilities they would choose to attempt an attack, and (2) to what extent would they know and understand the target and attack strategy? He submitted that not only is it inherently difficult for terrorists to launch an attack that requires the assembly of a very complex set of equipment, perhaps airplanes with shaped charge weapons, but also it exposes them to intelligence surveillance. Branscomb observed that it was known, after the fact by the FBI, that some of the terrorist groups who were involved in the September 11, 2001, attacks were also involved in trying to obtain experience in how to fly crop-duster aircraft, clearly with a biological or chemical attack in mind. Unfortunately, it was not communicated properly. So there was a catastrophic risk that the terrorists would be discovered. He concluded, from what he agreed was an oversimplified view, that it is safe to assume that terrorists would seek a strategy in which the materials they need to acquire are broadly available, undetectable, and as easy to acquire as possible. Branscomb did not see any limitation on the level of terrorist knowledge or expertise and asserted that there is still a question as to whether Osama bin Laden’s previous experience as an engineer informed al Qaeda’s attack on the World Trade Center buildings. They did try, and failed, in 1993, and they
had 7 or 8 years to try to figure out how to do that job successfully. Branscomb said that he would not be surprised if, in fact, they had a model for how to bring the towers down that involved quite sophisticated analysis that they could do in the privacy of their own secure locations. So, these conjectures about equipment and expertise may provide a useful guide to avoiding what otherwise might be criticized for assuming the worst-case scenarios. Certainly, for many years our military has planned against the worst-case scenarios. We spent a great deal of money on our military when in fact our assumed enemy, the Soviet Union, did not have the capabilities our worst-case scenario imagined they might have. Today, the correct worst case to assume is that terrorists have a lot of technical knowledge, but perhaps not a sophisticated array of equipment and facilities.
Both Holdren and Rama Rao were asked to comment on legal issues related to the protection of nuclear facilities in their respective countries. Are laws updated in light of technological improvements or in light of new threats to nuclear facilities? Holdren responded that in the United States there is a discrepancy in U.S. law because federal authority that applies to nuclear weapons does not always apply to nuclear power plants: nuclear power plants were not thought of historically as a weapon that someone might use against the United States. So the situation now is that nuclear power plants are not ordinarily guarded by employees of the federal government, but are guarded by private employees who are not entitled in most states to use automatic weapons. There are also legal questions about their capacity to use deadly force in defense of private property.
Holdren thought that the NRC’s own view is that U.S. law is currently inadequate for this complex of problems. The NRC has requested that Congress change the law in order to bring about a more coherent, uniform, and effective system for protection of nuclear energy facilities. So far this has not happened. Richard Meserve, a former NRC chairman, visited some state legislatures, including the Massachusetts legislature, and tried to persuade them to change the law state by state. He has been unsuccessful. Holdren’s overall views and those of many people responsible for improving the situation in the United States is that the law is currently inadequate.
Rama Rao noted that the situation in India was just as inadequate as in the United States. There is no strong connection between national legislation and regulations and the Atomic Energy Regulatory Board. However, a study, State System of Physical Protection in India, was conducted and as a result there is a greater awareness of the problem.47 There is a need to base the security of nuclear energy facilities in law. Rama Rao noted that rules can be as effective as laws, and in the current situation the loss of nuclear material would be treated as would a theft of any other material, punishable under law. Regarding defense research, threat perceptions are analyzed in depth and we have not had a grave incident, but this was not so for civilian facilities. Another Indian participant noted that in the last 2 or 3 years, there were concerted efforts to examine threats to civil nuclear facilities and nearly 250 design-basis threats were drawn up; India has improved in the last 3 years, but a lot more has to be done.
Finally, Gottemoeller noted that technology control was another way of addressing the threat of large-scale terrorism. Technology controls and export controls are an important tool in our toolbox, and they have a good practical effect, as
demonstrated by Iraq. A major Carnegie Endowment International Peace (CEIP) study48 examines the evidence of Iraqi weapons of mass destruction and the decision to go to war by the George W. Bush administration. A key conclusion of that study was that there was a very positive impact on constraining the ability of Saddam Hussein’s attempt to reconstitute his weapons program through the use of technology and export controls throughout the 1990s.
That said, Gottemoeller agreed with the view that technology control should not be a barrier to safety and security cooperative endeavors. The conclusion of a small working group of eminent experts convened in 2003 by CEIP was that indeed the legal authority for security and safety cooperation was already in place and there should be no barrier to pursuing such cooperation. However, she added, this opinion was not fully accepted by some of those inside government, and she expressed the hope that this will be an area where there can be very wide ranging cooperation between India and the United States.
Kumar Patel concluded the discussion by observing that while there are broad differences of opinion on the real threats to nuclear power plants and nuclear facilities, one significant incident could have enormous social and physical consequences; there would be nuclear fallout, but also societal fallout, which may make nuclear power plants undesirable all over the world. This is a very significant issue and requires greater thought. As Branscomb noted, the threats will come from smart people using commonly available materials. We need to focus on how we deal with the problem of protecting nuclear facilities from both inside and outside threats.