Chapter 66: Scurity of Nuclear Power Plants

Nuclear facilities on a nation’s own territory threaten its security as a target of enemy action, while nuclear facilities on an enemy’s territory threaten security as a possible source of nuclear weapons.

Nuclear Power Plants (NPPs) pose the following two basic security concerns:

  • All nuclear reactors both use and produce radioactive elements (e.g., Uranium and Plutonium) that can be used to build nuclear weapons; and
  • All reactors and nuclear-waste storage facilities contain large amounts of radioactive material. This material might be stolen for later use as a terrorist weapon (e.g., by being combined with conventional explosives to form a radiological dispersal weapon, also termed a “dirty bomb”) or, in the case of concentrated fuel, to build nuclear weapons.  Alternatively, radioactivity might be released directly to the environment by sabotaging safety systems or blowing up a facility with missiles, planted charges, or hijacked jet aircraft.

For many years, as part of the Atoms for Peace program initiated by President Eisenhower in 1953, the United States literally gave away reactors, nuclear materials, and essential nuclear knowledge to many countries.  At least 26 reactors fueled by highly enriched (bomb-grade) uranium were given to countries including Argentina, Brazil, Iran, Israel, South Korea, Pakistan, Spain, and Taiwan.  Thousands of scientists from these countries and others were trained in reactor theory, plutonium extraction and enrichment, and other knowledge essential to nuclear bomb manufacture.  Thanks to Atoms for Peace (and sales of nuclear technologies by other nuclear powers), preventing the global proliferation of nuclear weapons by restricting nuclear materials, reactors, and reprocessing facilities to a relatively few states ceased to be an option long ago.  Nuclear proliferation has occurred and will probably continue.  Israel is now believed by most observers to possess more than 200 nuclear weapons, India exploded its first nuclear weapon in 1974, and Pakistan (whose first nuclear reactor was a gift from the U.S.) exploded its first nuclear weapon in 1998.

Systematic efforts, however, have been made to control the proliferation of nuclear weapons worldwide. The International Atomic Energy Agency (IAEA) is an arm of the United Nations charged with the promotion and global monitoring of nuclear power. The IAEA has sought, through inspections programs, to prevent the diversion of nuclear materials from reactors to weapons. Compliance with IAEA inspections is, however, voluntary. Furthermore, diversions below the “measurement noise level” could suffice to build a nuclear weapon. For example, in a nuclear facility where 1,000 1-kilogram units of fissionable material were measured to an accuracy of .001 kilogram each year, up to 1 kilogram (1,000 samples of less than.001 kg each) could be undetectably diverted annually, and enough for a bomb accumulated in a few years. Many observers deem it unlikely that any state seriously desiring to manufacture nuclear weapons has yet been prevented from doing so by IAEA inspections.

Another method for controlling proliferation, so far adopted only by Iran and Israel, is the destruction of nuclear facilities possessed by enemy states. On September 30, 1980, planes bearing Iranian markings destroyed Iraq’s Tuwaitha nuclear research center near Baghdad, the capital of Iraq. On June 7, 1981, 16 Israeli aircraft destroyed the Osirak “research” reactor just south of Baghdad. Israel had tried to prevent completion of the French-supplied facility by means of threatening letters, sabotage, and assassination, but had failed. (The June 7 air attack demolished the facility before it was fueled and operational, so no life-threatening release of radiation occurred.) These attacks may have been effective in their goal of preventing Iraq from obtaining nuclear weapons. However, it is not practical to prevent nuclear proliferation by these means on a global scale.

Thus there does not seem to be any long-term, sure-fire method of preventing technically sophisticated countries that possess nuclear reactors from exploiting them to build nuclear weapons if they so desire. If this is true, absolute security from nuclear weapons is a chimerical goal, and the best that can be hoped for is ongoing negotiation for a state of permanent, radical, and global in security.

The fact of the matter is that the physical protection at nuclear power plants was strong before September 11, 2001.   Perhaps there was no other industry that has had to satisfy the tough security requirements that the Nuclear Regulatory Commission (NRC) has had in place for a quarter of a century.  And these requirements have been significantly augmented over the past year.  The plants are surrounded by multiple fences with continuously monitored perimeter detection and surveillance systems.  They are guarded by well-trained and well-armed security forces.

Nuclear power plants are constructed to withstand hurricanes, tornadoes, and earthquakes, making them among the most formidable structures in existence.  The plants also benefit from redundant and diverse safety equipment so that if any active component becomes unavailable, another component or system will satisfy its function.

Operators are trained to respond to unusual events, and carefully designed emergency plans are in place.  In short, the security at power plants is very strong and the plants have an inherent capacity to withstand severe events of all types, including those that might be initiated by terrorists.

There have been no specific credible threats of a terrorist attack on nuclear power plants since September 11.  The NRC has worked closely with intelligence and law enforcement personnel to assess the threats that may be directed at nuclear facilities.  Although it is difficult to predict when and where terrorists may strike next, the robust security at nuclear plants should serve as a significant deterrent.  Nonetheless, it is prudent to presume that al Qaeda may consider nuclear facilities as potential targets.

As a result, NRC has put in place a five-level threat advisory and protective measures system that requires licensees to take specific actions in response to changes in the threat conditions.

In light of the events of September 11, the NRC has recognized the need to re-examine past security strategies to ensure that they have the right protections in place for the long term.  Shortly after the attacks, they began a comprehensive review of their requirements for physical protection and security.

Since the September 11 attacks, NRC and the USA Congress have taken action to increase nuclear power plant security.  NRC issued a series of security measures beginning in 2002, including a strengthening of the design Basis Threat (DBT) and establishing the Office of Nuclear Security and Incident Response (NSIR).  The office centralizes security oversight of all NRC-regulated facilities, coordinates with law enforcement and intelligence agencies, and handles emergency planning activities.  In 2004, NRC implemented a program to conduct “Force on Force” security exercises overseen by NSIR at each nuclear power plant at least every three years.  The Energy Policy Act of 2005 required NRC to further strengthen the DBT, codified the Force-on-Force program, and established a variety of additional nuclear plant security measures.  In March 2009, NRC published a series of security regulations that require power plants to prepare cyber security plans, develop strategies for dealing with the effects of aircraft crashes, strengthen access controls, improve training for security personnel, and take other new security measures.


Regulations in place prior to the September 11 attacks required all NRC-licensed commercial nuclear power plants to have a series of physical barriers and a trained security force.  The plant sites were divided into three zones:

  • An “Owner-Controlled” buffer region;
  • A Protected Area – Access to the protected area was restricted to a portion of plant employees and monitored visitors, with stringent access barriers; and
  • A Vital Area – The vital area was further restricted, with additional barriers and access requirements.  The security force had to comply with NRC requirements on pre-hiring investigations and training.

The NRC proposed to amend the security regulations and add new security requirements that would codify the series of four orders supplementing the Design Basis Threat (DBT) issued after September 11.

1.1        Design Basis Threat:

The design basis threat describes general characteristics of adversaries that nuclear plants and nuclear fuel cycle facilities must defend against to prevent radiological sabotage and theft of strategic special nuclear material.  NRC licensees use the DBT as the basis for implementing defensive strategies at specific nuclear plant sites through security plans, safeguards contingency plans, and guard training and qualification plans.  General requirements for the DBT are prescribed in NRC regulations, while specific attributes of potential attackers, such as their weapons and ammunition, are contained in classified Adversary Characteristics Documents (ACDs).

The design basis threat is used by NRC licensees as the basis for implementing defensive strategies of a specific nuclear plant site through security plans, safeguards contingency plans, and guard training and qualification plans.  Although specific details of the revised DBT were not released to the public, in general the final rule:

  • Clarifies that physical protection systems are required to protect against diversion and theft of fissile material;
  • Expands the assumed capabilities of adversaries to operate as one or more teams and attack from multiple entry points;
  • Assumes that adversaries are willing to kill or be killed and are knowledgeable about specific target selection;
  • Expands the scope of vehicles that licensees must defend against to include water vehicles and land vehicles beyond four-wheel-drive type;
  • Revises the threat posed by an insider to be more flexible in scope; and
  • Adds a new mode of attack from adversaries coordinating a vehicle bomb assault with another external assault.

In 2006, the Government Accountability Office (GAO) reviewed the upgrades in nuclear plant security and found a generally logical and well-defined process.  GAO found NRC staff trained in threat assessment that monitor information provided by intelligence agencies and screen the information to evaluate particular terrorist capabilities for inclusion in the DBT. However, the NRC produced a revised DBT that generally, but not always, corresponded to the threat assessment staff’s original recommendations.

The DBT final rule excluded aircraft attacks, which raised considerable controversy. In approving the rule, NRC rejected a petition from the Union of Concerned Scientists to require that nuclear plants be surrounded by aircraft barriers made of steel beams and cables (the so-called “beamhenge” concept).  Critics of the rule charged that deliberate aircraft crashes were a highly plausible mode of attack, given the events of 9/11. However, NRC contended that power plants were already required to mitigate the effects of aircraft crashes and that “active protection against airborne threats is addressed by other federal organizations, including the military.”

1.2       Force-On-Force Exercises:

EPACT codified an NRC requirement that each nuclear power plant conduct security exercises every three years to test its ability to defend against the design basis threat.  In these “force-on-force” exercises, monitored by NRC, an adversary force from outside the plant attempts to penetrate the plant’s vital area and damage or destroy key safety components.  Participants in the tightly controlled exercises carry weapons modified to fire only blanks and laser bursts to simulate bullets, and they wear laser sensors to indicate hits.  Other weapons and explosives, as well as destruction or breaching of physical security barriers, may also be simulated.  While one squad of the plant’s guard force is participating in a force-on-force exercise, another squad is also on duty to maintain normal plant security.  Plant defenders know that a mock attack will take place sometime during a specific period of several hours, but they do not know what the attack scenario will be. Multiple attack scenarios are conducted over several days of exercises.

In response to the growing emphasis on security, NRC established the Office of Nuclear Security and Incident Response on April 7, 2002.  The office centralizes security oversight of all NRC-regulated facilities, coordinates with law enforcement and intelligence agencies, and handles emergency planning activities. Force-on-force exercises are an example of the office’s responsibilities.

Full implementation of the force-on-force program began in late 2004.  Standard procedures and other requirements have been developed for using the force-on-force exercises to evaluate plant security and as a basis for taking regulatory enforcement action. Many tradeoffs are necessary to make the exercises as realistic and consistent as possible without endangering participants or regular plant operations and security.

NRC required the nuclear industry to develop and train a “composite adversary force” comprising security officers from many plants to simulate terrorist attacks in the force-on-force exercises. However, in September 2004 testimony, GAO criticized the industry’s selection of a security company that guards about half of U.S. nuclear plants, Wackenhut, to also provide the adversary force. In addition to raising “questions about the force’s independence,” GAO noted that Wackenhut had been accused of cheating on previous force-on-force exercises by the Department of Energy.  Exelon terminated its security contracts with Wackenhut in late 2007 after guards at the Peach Bottom reactor in York County, Pennsylvania, were discovered sleeping while on duty.  EPACT requires NRC to “mitigate any potential conflict of interest that could influence the results of a force-on-force exercise, as the Commission determines to be necessary and appropriate.”

1.3        Emergency Response:

After the 1979 accident at the Three Mile Island nuclear plant near Harrisburg, PA, Congress required that all nuclear power plants be covered by emergency plans.  NRC requires that within an approximately 10-mile Emergency Planning Zone (EPZ) around each plant, the operator must maintain warning sirens and regularly conduct evacuation exercises monitored by NRC and the Federal Emergency Management Agency (FEMA). In light of the increased possibility of terrorist attacks that, if successful, could result in release of radioactive material, critics have renewed calls for expanding the EPZ to include larger population centers.

The release of radioactive iodine during a nuclear incident is a particular concern, because iodine tends to concentrate in the thyroid gland of persons exposed to it. Emergency plans in many states include distribution of iodine pills to the population within the EPZ. Taking non-radioactive iodine before exposure would prevent absorption of radioactive iodine but would afford no protection against other radioactive elements. In 2002, NRC began providing iodine pills to states requesting them for populations within the 10-mile EPZ.


The major concerns in operating a nuclear power plant are controlling the nuclear chain reaction and assuring that the reactor core does not lose its coolant and “melt down” from the heat produced by the radioactive fission products within the fuel rods.  US plants are designed and built to prevent dispersal of radioactivity, in the event of an accident, by surrounding the reactor in a steel-reinforced concrete containment structure, which represents an intrinsic safety feature. Two major accidents have taken place in power reactors, at Three Mile Island (TMI) in 1979 and at Chernobyl in the Soviet Union in 1986.  Although both accidents resulted from a combination of operator error and design flaws, TMI’s containment structure effectively prevented a major release of radioactivity from a fuel meltdown caused by the loss of coolant.  In the Chernobyl accident, the reactor’s protective barriers were breached when an out-of-control nuclear reaction led to a fierce graphite fire that caused a significant part of the radioactive core to be blown into the atmosphere.

2.1       Vulnerability from Air Attack:

Nuclear power plants were designed to withstand hurricanes, earthquakes, and other extreme events. But deliberate attacks by large airliners loaded with fuel, such as those that crashed into the World Trade Center and Pentagon, were not analyzed when design requirements for today’s reactors were determined.   A taped interview

shown September 10, 2002, on Arab TV station Al-Jazeera, which contained a statement that Al Qaeda initially planned to include a nuclear plant in its list of 2001 attack sites, intensified concern about aircraft crashes.

In light of the possibility that an air attack might penetrate the containment building of a nuclear plant, some interest groups have suggested that such an event could be followed by a meltdown and widespread radiation exposure.  Nuclear industry spokespersons have countered by pointing out that relatively small, low-lying nuclear power plants are difficult targets for attack, and have argued that penetration of the containment is unlikely, and that even if such penetration occurred it probably would not reach the reactor vessel.  They suggest that a sustained fire, such as that which melted the steel support structures in the World Trade Center buildings, would be impossible unless an attacking plane penetrated the containment completely, including its fuel-bearing wings. According to former NRC Chairman Nils Diaz, NRC studies “confirm that the likelihood of both damaging the reactor core and releasing radioactivity that could affect public health and safety is low.”

NRC proposes to amend its regulations with a new rule that would require newly designed power reactor facilities to take into account the potential effects of the impact of a large, commercial aircraft.  The proposed rule would only affect new reactor designs not previously certified by NRC.  Westinghouse submitted changes in the design of its AP1000 reactor to NRC on May 29, 2007, proposing to line the inside and outside of the reactor’s concrete containment structure with steel plates to increase resistance to aircraft penetration.

2.2       Spent Fuel Storage:

When no longer capable of sustaining a nuclear chain reaction, “spent” nuclear fuel is removed from the reactor and stored in a pool of water in the reactor building and at some sites later transferred to dry casks on the plant grounds.  Because both types of storage are located outside the reactor containment structure, particular concern has been raised about the vulnerability of spent fuel to attack by aircraft or other means.  If terrorists could breach a spent fuel pool’s concrete walls and drain the cooling water, the spent fuel’s zirconium cladding could overheat and catch fire.

The National Academy of Sciences (NAS) released a report in April 2005 that found that “successful terrorist attacks on spent fuel pools, though difficult, are possible,” and that “if an attack leads to a propagating zirconium cladding fire, it could result in the release of large amounts of radioactive material.”  NAS recommended that the hottest spent fuel be interspersed with cooler spent fuel to reduce the likelihood of fire, and that water-spray systems be installed to cool spent fuel if pool water were lost. The report also called for NRC to conduct more analysis of the issue and consider earlier movement of spent fuel from pools into dry storage.  The FY2006 Energy and Water Development Appropriations Act provided $21 million for NRC to carry out the site-specific analyses recommended by NAS.

NRC has long contended that the potential effects of terrorist attacks are too speculative to include in environmental studies for proposed spent fuel storage and other nuclear facilities. However, the U.S. Court of Appeals for the 9th Circuit ruled in June 2006 that terrorist attacks must be included in the environmental study of a dry storage facility at California’s Diablo Canyon nuclear plant. NRC reissued the Diablo Canyon study May 29, 2007; to comply with the court ruling, but it did not include terrorism in other recent environmental studies.


  1. Espionage Information –  Encyclopedia of Espionage, Intelligence, and Security;
  2. IAEA – Reflections on Nuclear Security by Dr. Richard A. Meserve; and
  3. Nuclear Power Plant Security and Vulnerabilities.

Chapter 67