they do approve them, that's when I stop flying," says Pat Asendorf, the manager of security at the Indian Point nuclear power plant. Indian Point security was recently reviewed by New York State Office of Public Security Director James Kallstrom, and a number of recommendations for security enhancements were made. Most of those have already been adopted, and the remainder are in process, notes McMullin. "We are working with the Nuclear Energy Institute as well as the NRC in assessing our security program and implementing enhancements," Asendorf says.
Nonetheless, the NRC has tightened security at nuclear plants since 9/11. The commission announced on April 7 that the recently created Office of Nuclear Security and Incident Response is working with the White House's Office of Homeland Security to protect U.S. nuclear reactors. The new office will complement and coordinate work long performed by the NRC's Office of Nuclear Material Safety and Safeguards, which supervises security programs for nuclear fuel facilities and materials, transportation and disposal, and by the Office of Nuclear Reactor Regulation, which supervises nuclear plants and spent nuclear fuel storage facilities, the commission states.
Among concerns about the security of nuclear reactors is the possibility of core damage after sustained power interruption. According to Markey, "If all electrical power to a reactor was cut off (by a deliberate crash of an aircraft into the power generation systems, for example), the time it would take for damage to the reactor core to begin is estimated by the NRC to be about two hours." Similarly, the destruction of cooling towers-built with little protection from the air-could lead to core damage in some circumstances, he says.
Industry Groups Focus on Security Specifics
Since utilities long have been on the march to upgrade their enterprise software and computer hardware systems, perhaps more focus has been placed on keeping electronic assets safe than on keeping physical assets safe, one consultant suggests. "One of the biggest issues with IT security where people see threats is that the grid is run by computers, and you've seen that hackers can get into things quite easily," says Herbst. "This is an area where a lot of consultants are looking now," he says.
Consultants and industry groups are leveraging the experience of IT security enhancements to look beyond data protection to the protection of operations. Trade groups like the not-for-profit EPRI and NERC have been instrumental in this effort over the past few years, and now have become the vanguard of fence-to-fence security planning.
"We started work at EPRI on a comprehensive electric infrastructure security assessment when several board members (of the group's two-year-old Enterprise Infrastructure Security program) asked us what technology could do for security beyond the use of guards, dogs, cameras and guns," says Amin. "By 9/17, we had a team of 30 colleagues performing an end-to-end preliminary system assessment with suggested countermeasures, covering areas including cyber threats, grid operation, distribution, and disaster recovery, with generation and energy market threats," he says. EPRI developed two reports of recommendations as a result. The first covers a rapid response period of