The Nuclear Regulatory Commission lacks adequate oversight to keep counterfeit or defective parts out of the nation’s nuclear power plants, the NRC’s inspector general said in a pair of investigative reports this week.
A report titled “Special Inquiry into Counterfeit, Fraudulent, and Suspect Items in Operating Nuclear Power Plants,” by NRC Inspector General Robert Feitel, concluded that “counterfeit, fraudulent, and suspect items” (CFSI) believed to be present in U.S. reactors “present nuclear safety and security concerns that could have serious consequences for nuclear power plant equipment required to perform a safety function.” An inquiry report accompanied the IG’s audit.
The investigation was unable to pinpoint specific safety hazards because of insufficient information reported by reactor operators and collected by the NRC.
“The NRC does not have a process for collecting, assessing, and disseminating information regarding CFSI,” the audit said. “Potential CFSI information comes in through different channels and is treated differently by different NRC offices.
“Sometimes offices flag information as CFSI, sometimes they do not,” the audit charged. The evidence of counterfeit or defective equipment may be substantially understated by the industry’s oversight, the document concluded, citing Department of Energy data.
Under NRC rules, reactor licensees are not required to report defective items, unless the items in question substantially affect safety, the reports said.
Noting that nuclear reactors contain millions of parts, the IG said “according to the Electric Power Research Institute (EPRI), counterfeit parts have been found in valves, bearings, circuit breakers, pipe fittings, and structural steel, and can be difficult to spot.”
When reactor operators find issues with parts, they communicate that to other operators through third-party organizations — principally the industry’s Institute of Nuclear Power Operations (INPO) and EPRI — the audit said.
There are few reported cases of fraudulent parts in the United States, according to the reports. EPRI, INPO and the Nuclear Procurement Issues Corp. have listed fewer than 10 potential such cases since 2016, the audit said.
But the IG said the Department of Energy staff identified more than 100 instances of fraudulent, counterfeit or suspect components in the last fiscal year, including five involving “safety-significant” components in reactors.
The audit did not examine the effectiveness of the industry’s self-regulation, but did conclude that the NRC was not on top of the issue. The inquiry quoted an unnamed NRC source saying “licensees [reactor owners], not the NRC, are responsible for which parts end up in their plants.”
The audit included a statement from the agency saying, “NRC management stated their general agreement with the findings and recommendations of this report and chose not to provide formal comments for inclusion in this report.”
An NRC spokesperson said yesterday via email: “While the inquiry’s findings include the ongoing presence of CFSI at U.S. reactors, nothing in the report suggests an immediate safety concern. The NRC’s office of the Executive Director for Operations is thoroughly reviewing both the inquiry and audit report and will direct the agency’s program offices to take appropriate action. The agency intends to meet the response dates in the IG’s reports.”
Rules, requirements and ‘confusing language’
The Nuclear Energy Institute, which represents U.S. reactor operators, said it was still reviewing the inspector general’s findings.
“The industry has practices in place to limit susceptibility using effective qualification processes for supplies, robust supplier quality assurance requirements, reliance on original equipment manufacturers, and strong procurement and maintenance controls. We are committed to working with the NRC as they review these findings,” an NEI spokesperson said.
Edwin Lyman, senior global security scientist with the Union of Concerned Scientists, which advocates for stronger safety regulation of reactors, said the “IG reports that the process for rigorously identifying, reporting and correcting defects — fraudulent, counterfeit or not — doesn’t really exist.”
“There is a lot of confusing language in the regulations and guidance with the potential that some serious problems are being missed,” Lyman said.
The IG report does not consider whether counterfeit parts could contain hidden malware, posing serious cybersecurity threats to nuclear plants, but that risk has loomed larger and larger within the electric power industry generally. A 2019 report by the North American Electric Reliability Corp., the interstate grids’ security monitor, warned that “malicious actors may target one or more vendors in the supply chain to create or exploit vulnerabilities that could then be used to initiate cyber attacks.”
NRC spokesperson Scott Burnell told E&E News that “operating reactors have reporting requirements beyond CFSI. The agency continues to be satisfied CFSI does not present any cybersecurity issues of particular concern.”
The audit lists eight recommendations to the NRC, including development of a new process to collect and manage CFSI information, and inspection and training programs to increase CFSI detection. The inspector general asked the NRC to respond to the recommendations in one month.
The inspector general noted that the commission shut down a rulemaking in 2016 that was directed at addressing CFSI issues.
“We did not substantiate that the NRC has lowered CFSI standards, but found several examples that appear as such,” the inquiry found, noting the 2016 decision.
“This is a problem that was recognized years ago, and the attempt to fix it was stopped by the commission as part of the effort to reduce costs to the industry,” Lyman said.
The investigation included information from an unnamed informant who has made repeated allegations about counterfeit, fraudulent or defective parts over the past ten years. The NRC “reviewed the information, determined it did not meet the criteria of an allegation, and requested additional specific information,” which the complainant apparently did not provide, the report said.
The NRC told the complainant in a 2014 letter that in the case of one nuclear plant the person had singled out, the operator had a “corrective action system” to manage defective equipment issues, the IG said. That was not the case, the report added.
Correction: An earlier version of this story omitted a comment from the Nuclear Regulatory Commission.