Every commercial nuclear reactor in the U.S. is insufficiently protected against “credible” terrorist attacks, according to a new report from the Nuclear Proliferation Prevention Project at the University of Texas at Austin.

According to CBS News, the facilities were found vulnerable to the theft of bomb-grade nuclear materials and sabotage attacks designed to cause a meltdown. While all 107 commercial nuclear power reactors were considered vulnerable, the report spotlighted 11 that were most at risk, including eight which were deemed unprotected from attacks from the sea: Diablo Canyon (Calif.), St. Lucie (Fla.), Millstone (Conn.), Pilgrim (Mass.), and the South Texas Project.

Three civilian reactors fueled with bomb-grade uranium were also deemed particularly vulnerable – University of Missouri in Columbia, the Massachusetts Institute of Technology in Cambridge, and the National Institute of Standards and Technology, which is not required to even protect against a smaller-scale attack (“design basis threat”) despite being within 25 miles of the White House.