2

Systems Approach to Security at Civilian Nuclear Facilities

Key Issues

The key issues noted here are some of those raised by individual workshop participants, and do not in any way indicate consensus of workshop participants overall.

•   Weapons-usable material must be kept out of the hands of adversaries who may be trying to get their hands on this material and could use it for malevolent actions.

•   No material is absolutely safe, and any material is vulnerable at some level.

•   Nuclear security is a continuous, dynamic risk management job and requires constant and vigorous efforts.

•   Program resources were to be used for both safety and security. The balance of risk and security as well as the balance of resources needs to be maintained to not undermine employees’ interest in maintaining high-quality science as well as a vigilance of safety and security measures.

•   In India, the primary security concern at civilian nuclear facilities is sabotage.

•   Several safety features can be incorporated into reactors, which also aid security.

•   Material categorization is also essential to the security design process because there is a direct relationship between the protection required and the quantity of the material and its enrichment level.

•   Apart from resource extension, the closed fuel cycle can be designed to be more proliferation resistant.







India-U.S. Cooperation on Technical Aspects of Civilian Nuclear Materials Security

Promising Topics for Collaboration Arising from the Presentations and Discussions

These promising topics for collaboration arising from the presentations and discussions do not necessarily represent the consensus of the participants, but are rather a selection of the topics offered by individual participants throughout the presentations and discussions.

•   There is little sharing of experience among experts working in fuel cycle facilities in some countries, which indicates that there is opportunity for communication in this area.

•   Due to the high consequence to the public if a malevolent act were to occur, proper protection planning, design, and implementation approaches are well documented and shared within the global security community. However, thus far Indian and American experts have not had an opportunity to fully exchange experiences, therefore more such opportunities should be sought bilaterally and within the broader security community. This offers the opportunity for more Indian-U.S. exchange.

•   The problem of how to assess quantitatively the probability (frequency) of attack in the security and safeguards areas may be one possible joint research project.

•   Commonality in the measure of consequences across safety, security, and safeguards is a possible area of joint cooperation.

•   At many nuclear installations there is a need to augment communication resources for purposes of both security and safeguards.

•   Consequence management training tools, such as the development of a plume simulator for handheld instruments, could be another area of cooperation.

•   Exchange programs for students would be beneficial for both countries.

Overview of Civilian Nuclear Security: A Systems Approach

Robert Kuckuck drew upon his experience as a former director of a nuclear facility and a principal deputy director of the National Nuclear Security Administration to provide his views on security for civilian nuclear facilities from a systems perspective. This perspective begins, he stated, with a global system and continues to the local, facility system. The global system involves policies and agreements; the domestic system also involves policies, enforcement, and oversight. Operational facility systems are embedded systems that involve the actual handling of materials and the actual implementation of nuclear security features.

Nuclear security systems from a facility and operational perspective have always had two principles for Kuckuck. The first principle is that weapons-usable material must be kept out of the hands of adversaries, and that adversaries are indeed trying to get their hands on this material and could use it for malevolent purposes. Responsibility for protecting the material is the utmost priority. Even though there has been a tremendous global effort over many years, there still are no agreed-upon standards around the world for protecting nuclear material. Any individual state is only as safe or protected as the weakest link in the entire international system. A systems approach is very much needed on a global level. Kuckuck noted that dialogue among scientists is an important first step, and many, many more steps between India and the United States are needed. Scientists start with facts that are well understood on each side, and can make progress in forming understanding relationships and developing a path to the future.

Kuckuck’s second guiding principle throughout his career was that no material is absolutely safe, and any material is vulnerable at some level. Therefore, the task of nuclear security at the level of facility operations has always been one of risk management. How does one assess the quality and quantity of the material at the facility, and how does one assess the attractiveness value of that material to an adversary? What security measures are in place to protect that material? And what is the understanding and best estimate of the capabilities that an adversary can bring to bear against the facilities and operations? It is the balance of those factors, the risk management, that constitutes the nuclear security system at a facility-operations level. All of these factors are dynamic, continually changing and uncertain. The capabilities of security measures change.
The perception of the adversaries’ capabilities changes. The public’s perception of security measures and the adversary’s capabilities are every bit as important as the facility director’s understanding of the facility in real time. These are very real concerns to a facility manager, and particularly to a government official. This continuous, dynamic risk management job, which is what Kuckuck calls nuclear security, requires constant and vigorous efforts. With these two principles, the facility director concludes that he or she always has to have his or her eyes open and mind active to decide if the balance of risk is appropriate.

To Kuckuck, the most important and fundamental element of facility security is the people. The security culture of the facility is critical to the effectiveness of the facility’s security system. A facility’s management has to convey and communicate a need for the security measures in place, “not just walk the walk and not just talk the talk, but to walk the talk.” Management has to act in support of those principles at all times with an organization structured with clear motivations, incentives, roles, responsibilities, accountabilities, authorities. Every person must be trained to know why they, and management, are taking these measures. The people must have the authority and the capability to do their jobs, including the resources they need. If any of those conditions are violated, management loses an employee’s support; his heart is no longer in tune with the principles and this starts to weaken security culture. As a facility director, Kuckuck always felt that one of his biggest jobs was to maintain and sustain that security culture at his facility. Every person, from a custodian to a technician to a scientist to the protective force guards, needed to believe in and support the nuclear security program. That is what Kuckuck calls nuclear security culture.

There are many other elements in the nuclear security program at a facility with attractive nuclear material, be it a reactor, a materials processing facility, or a storage facility. Kuckuck began by asking himself if the facility was robust. Can the facility process the material, handle it, store it, take care of it? The second element was how much material was at the facility and how should it be controlled and kept track of? How does the facility director know at every minute whether the material is still there? How does the director know that something hasn’t gone wrong and that nothing was missed or that material has not gone missing? To answer these questions, Kuckuck employed material control and accountability.

Next, he asked, “How do I control people’s access to the material?” The answer was to put up barriers. In the United States, facilities commonly have several concentric barriers of increasing magnitude. Outside barriers may not even be alarmed, merely patrolled. As one moves inward, toward the material, the barriers become much more robust. They are alarmed and are constantly monitored. This layered system is called a graded approach. As one moves in, one reaches a hardened facility with even stronger barriers. At this level, access is controlled for each person.
Each person’s motive and authorization for being in that zone is diligently investigated and understood. Each person is given credentials, which are the only way that he or she can access the secure zone. In some cases, individuals are allowed access, but must be accompanied by more than one person, use more than one key, and use more than one control system.

Now that the facility has the material controlled inside, and has only granted access to the right good guys (and there are lots of other good guys that are not granted access), how does the facility keep the bad guys out? This begins with surveillance. Barriers are monitored constantly, as are alarms. Protective forces are engaged and conduct patrols, and the like. If an alarm signals or if there is some indication of a penetration of a barrier, or an attempted penetration, facility personnel, especially the protective force, must be prepared to respond immediately. In some cases, additional barriers go into place automatically. Communication occurs across the entire facility so that everyone knows that there is an issue, prompting them to lock up their own material or do whatever is appropriate in their position. The protective force has an even more thorough communication system so that they know exactly what is happening at any point in time and can adjust their reactions accordingly. Finally, a pursuit and recovery operation is undertaken to either contain the intruders and/or recover the material. If needed, each facility has very prescribed ways in which the protective force reaches out to supplemental forces such as the local police, the military, etc.

As a facility director, this was the system that Kuckuck always had in his mind as he reviewed security. However, he observed that there are at least three very important elements that underpinned this sequence of protections just outlined. The biggest one is the human aspect of nuclear materials security. Every person who is involved with the material system at any level is completely vetted with background investigations. This occurs every five years at a minimum. Employees are not vetted by the facility or by the director, they are vetted by an independent government authority so that there is no chance for conflict of interest by the director thinking he needs a particular individual and maybe does not do the investigation diligently. Training is required in every aspect that is relevant to protecting the material during handling, storage, and so forth. Fitness for duty, which is different from training, is a daily inspection done in various ways. For example, for the protective forces, the supervisor of a small group on each shift does various tests or interrogations to make sure that every member of his team is fit for duty that day, is not sick, or does not have some other issue that may prevent him from doing what he needs to do.

Technology supports all of this, whether it be offensive or defensive weapons or alarms or capabilities. A major aspect of this technology is cybersecurity, both in the control and communications of the facility. Forensics also plays an important role in deterrence and resolution should an incident occur. One hopes that an adversary is deterred by the concern that he will be caught and brought to justice. Finally, another underlying technology is just information security in general.
Across the whole facility, how does the facility protect information that pertains to the classification of material, the location of the material, and how the material is protected? How is the information protected once it is classified? These are underpinning technologies, or underpinning elements, that are fundamental to the system of nuclear security at any facility.

Kuckuck then shared issues that arose during his time as a director of a facility and as a government official overseeing these facilities. One of the biggest difficulties as a director of a facility with nuclear operations was sustaining the nuclear culture. It is a constant task and there are many realities that try to undermine that culture. One is just plain complacency: years go by and no intruders come through the fence and there are no issues. If we lose the hearts and minds of the facility employees regarding the need for security, then they start doing that risk balance on their own. They start deciding that they do not really have to do a lock up or take a compensatory measure because it is not necessary. It is very important to not allow the security system to get into the position of being judged by the employees in a critical way that allows them to make their own risk balance. Complacency is a very serious issue.

Resources are another important issue. As a director, there is a constant balance required between using resources for the mission with the material and the security required to protect that material. That balance can be off in either direction. Some people will argue that one cannot have too much security. But Kuckuck believes one can have too much of the wrong kind of security. This applies to safety as well. There may be multiple requirements for bureaucratic accounting of things that make no real contribution to safety and this begins to undermine the safety culture itself because employees become disgruntled and they do not follow the safety rules or they fake it or they just do not take it seriously. The same thing happens with security, therefore it is important to maintain the balance of security requirements and actual risk. This requires the development of a design basis threat (DBT), which is established by government oversight organizations. Specifically, they define the threat that the facility has to use as the basis from which to build its nuclear security. The DBT is derived by using intelligence, understanding of an adversary’s past actions, and other input.

Kuckuck explained, however, that there is a cycle to DBTs. A force-on-force exercise, bringing in so-called armed adversaries to attack the laboratory, would be conducted to determine whether the security system could meet the DBT. If the laboratory forces defended every time successfully, the people that designed the threat felt that maybe they needed to escalate the threat a bit. They wondered where failure would occur: perhaps if the adversary had one more machine gun? Therefore, the laboratory would test beyond the DBT, and test to failure. Invariably, however, that would become the new DBT. This created periods where the DBT was totally out of alignment with realistic threats from an adversary. When that happened, people would start to lose adherence to the security system. They knew the threat was not realistic, they were bitter, and they made their own judgements. The situation also could go the other way.
Program resources were to be used for both safety and security. The complacency factor would enter and resources for security would be cut. As stated earlier, the balance of risk and security as well as the balance of resources needed to be maintained to not undermine employees.

The second issue is very difficult. Kuckuck explained that in the United States, facilities are not guarded by the military, they are guarded by security companies or employees of the facility. These people must be trained. Most guard forces are recruited from among soldiers returning from Iraq or Afghanistan. But they come home and complain that after a little while, they feel like night watchmen although they are expected to be soldiers, to train like soldiers, and to do combat exercises. They drive a car around all evening and nothing ever happens. It is very difficult for them to adjust to that, it is very difficult to keep them alert. There have been incidents when guards missed obvious events that were not even an exercise, someone trying to cut through a fence, for example.

Another significant problem is the degree to which the exercises are realistic. During a major exercise at a laboratory, there is a full security force on site right then that are not playing in the exercise—they are protecting the facility. There is another shift that is going to be exercised that night and they all have yellow vests on and are using laser guns to shoot each other in the vest. There is a vast number of people out here in the yards: some are umpires, some are judges, some are observers, some are guys with vests who are playing, and some are guards that are ignoring them. It is very hard to have a realistic exercise of troops. Kuckuck has always worried about that problem.

Recently there was a situation in the United States, Kuckuck recounted, that raises a question about threats. An 82-year-old nun and a couple of other gentlemen cut through the fence and entered a facility. In analyzing that incident, many of these factors came into play. They never actually got near the material and there was never a real threat, but there were a lot of lessons to be learned from how this happened.

Regarding accountability, as a facility director, Kuckuck found it very difficult to explain to the public in the United States why the fact that kilograms of highly enriched uranium (HEU) or plutonium would go “missing” every year is considered unclassified information. The material was held up in the pipes, or otherwise unaccounted for (see Santi’s talk). The argument, of course, is there are ways that one can eventually account for that material by decontamination. This was a very difficult public relations issue.

Kuckuck concluded by asking “Are we using technology to our fullest extent?” He answered, “we know we are not.” There are more aggressive deterrence capabilities that could be automatically activated when someone came through a fence, but this may lead to an accidental killing, which underscores the need to balance safety and security. Are there other technologies not being used to either inhibit the intruder or to devalue the target they are coming after? Is there artificial intelligence that the guards can use to help them in their boredom so that they don’t miss something on the camera?

NUCLEAR MATERIALS SECURITY AT CIVILIAN REACTOR FACILITIES

Indian Perspective

Ranjit Kumar shared his experience working with civilian nuclear facilities in India and the associated issues of nuclear materials security that he has encountered. He began by noting that in addition to pressurized heavy-water reactors, which have been the mainstay of the India nuclear power program in the first stage of its development, India has developed advanced heavy-water reactors, which are based on low enriched uranium and thorium with several improved safety and nonproliferation or proliferation-resistant features. India also has a program on fast breeder-type reactors, with a research reactor now running for nearly 30 years. Also, India’s prototype fast breeder reactor will be ready in a couple of years.

India has various types of nuclear facilities encompassing the entire nuclear fuel cycle, starting from mining to power production and other uses of nuclear radiation sources, to waste disposal. India has both back-end and front-end fuel cycle facilities in the civilian domain. India is poised for extensive growth, including potentially the use of many more nuclear power reactors in the country. As nuclear power reactor deployment increases, there will be increased requirements of fuel fabrication and other fuel cycle services. Non-power applications of radiation are also growing across India, particularly in industrial and agricultural applications. There are large programs that have made a contribution to the overall economy of the country.

Regarding security at civilian nuclear facilities, the primary concern is sabotage. There have been several terrorist incidents that cause concern about potential sabotage attempts on a nuclear power plant, other civilian nuclear facilities, or any nuclear facility. These concerns have led experts in India to look deeply at the security of these facilities including various analyses right after the attacks of September 11, 2001. A review committee was established to look into security. Subsequently, regulations were developed and a great deal of oversight, audits, and reviews have taken place. Immediate measures have been undertaken and long-term goals have also been developed. Several design-related measures have been introduced in order to prevent and protect the nuclear facilities against sabotage attempts.

Although sabotage is the primary threat, theft is also a concern, not as much for nuclear power projects or nuclear power facilities or power reactors and research reactors, but rather for other facilities such as fuel fabrication facilities. Facilities such as reprocessing facilities have both sabotage and theft threats. As an end product, reprocessed material may be a theft target.

Kumar provided some examples of nuclear facilities and comments on their potential as sabotage targets:

•   Nuclear power plants:
    o   core damage or containment failure, which can lead to radioactive release
    o   spent fuel storage: pool could be drained and lead to radioactive release

•   Research reactors:
    o   target depending on the type of reactor

•   Fuel fabrication facility:
    o   not a primary sabotage target, but could be even though it will not cause consequences as severe as a sabotage attack on a facility with radiological materials or a reactor facility
    o   end product can be utilized to cause a disruption as well as to contaminate an area

•   Enrichment, conversion, and storage facilities
    o   spent fuel reprocessing facilities and waste disposal facilities are of greater concern
    o   in a waste disposal facility, there is a heavy concentration of materials that may present a potential sabotage target

Based on International Atomic Energy Agency (IAEA) data, there have been attacks on facilities, and in many cases the aim has been sabotage. In some cases, theft was the motive. Kumar noted that India wants to avoid such incidents. Attacks can take place in three major ways: stealth, deceit, and force. Physical protection systems should address all three methods of attack.

That said, Kumar noted that civilian nuclear facilities, particularly reactors, are difficult targets for sabotage. There are several safety features incorporated into the design of the reactor itself. Specifically, he referenced several fundamental principles of design safety:

•   Redundancy: ensure that safety does not depend on any single system functioning correctly

•   Reliability: design to numerical reliability targets (999/1,000)

•   Testability: ensure systems are testable to demonstrate their reliability

•   Independence: ensure systems that perform the same safety function are independent

•   Separation: ensure systems that perform the same safety function are spatially separated

•   Diversity: ensure, where possible, that systems which perform the same safety functions are of dissimilar design

•   Defence-in-Depth: multiple barriers and systems

•   Fail safe: ensure system/component fails safe if practical

Kumar elaborated on the principle of “diversity.” For example, in a nuclear power plant shutdown system, there are diverse mechanisms or diverse methodologies used for this purpose alone, such as a cooling rod, which uses a neutron-absorbing material like cadmium. There are others, like injection of neutron poison into the coolant. Several such diverse mechanisms are utilized for safety purposes in order to address that single failure and ensure that the plant remains safe. Many of these safety features also aid security in diverse ways.
For example, to release radioactivity from a fuel core in a pressurized heavy water reactor the radioactive material would have to breach the fuel cladding to enter the coolant tube and then to the reactor calandria vessel, to the biological shield, which contains the leak. This all makes the reactor a hard target for sabotage, although the risk cannot be entirely eliminated. Risk can never be 100-percent eliminated. New, evolutionary reactor designs are bringing security into the design drawing room itself to attempt to incorporate security features, which will aid security directly. This is known as security by design. This process begins with siting and continues to the design of the containment facility, and throughout the entire process. When considering security measures themselves, if they are incorporated into the design phase, they are significantly more cost effective than attempts to retrofit a facility. At times, certain security measures are impossible to retrofit.

The Indian nuclear power program is guided by certain regulatory prerequisites overseen by the Atomic Energy Regulatory Board (AERB). The AERB is responsible for oversight, as well as for all aspects of review and audit of plants already in operation and those in the design phase. Each plant design is reviewed for its applicability, maintainability, and upgradability, particularly if it is an existing operating nuclear power plant. These designs should be consistent with national and international guidelines, standards, conventions, and treaties. Kumar noted that India follows certain international guidelines, particularly those stipulated by the IAEA and other regulatory bodies. Experts in India try to understand the requirements and to compare and adopt similar policies as well as design philosophies most suitable for India.

The main elements of security at nuclear facilities include security organizations with a well-defined allocation of responsibilities, duties and reporting lines, and well-coordinated with state agencies. The following questions are answered by these organizations: What is the responsibility of the guard force? What is the responsibility of the security manager or the chief security officer? Whom should this person contact in local law enforcement agencies?

The next element of security is the engineering system for physical protection. This includes hardware systems such as fences and barriers, detection and alarm devices, access control and surveillance, and guards. The physical protection system is designed based on the performance of the guard forces and the design basis threat (DBT). These aspects of physical security all interact. Kumar noted that they are trying to analyze response times and appropriate response forces against the DBT. Contingency and emergency plans are also designed for both security and safety.
This is a systems engineering approach that can be utilized for the physical protection of any critical infrastructure facility. This process starts with the required analysis stage even before the design of the reactor, during which the target is identified in vital areas. This vital area identification is a separate process in itself because it is essential to determine protection equipment needs, with particular attention to the threat of sabotage. A detailed methodology is followed in this process to determine a minimum set of locations and equipment needed to provide full protection against sabotage and the release of radioactive materials.

In particular, during the identification of vital areas, two sabotage scenarios are considered. The first scenario is a “direct” scenario during which adversaries sabotage the material itself (e.g., using explosives) with the aim of causing radioactive dispersal. In such a scenario, an adversary would use some explosives. The second scenario is an indirect one during which a safety system would be attacked causing the dispersal of material. Kumar stated that this is called an event of “malevolent origin” and the security systems—through the DBT—are designed to prevent such events, again, starting with the vital area identification process.

Material categorization is also essential to this security design process because there is a direct relationship between the quantity of the material and its enrichment level with regard to vital area identification, although categorization of material does not factor in with sabotage threats. Kumar stated that there is an effort in India to categorize nuclear facilities from the point of view of radiological sabotage but it has not yet been established. There are efforts to define a criterion for what is called an “unacceptable radiological consequence” (URC). Each state in India is to define what a URC would be and based on that definition, the vital areas to be protected would be defined. However, the physical security at a nuclear facility should protect against any sabotage scenario even those exceeding the URC criterion.

A design for these scenarios would follow the same principles of detection, delay, and response, which are interlinked. Until the detection takes place, there is no value of a delay. This systems engineering methodology brings in two competing timelines. One is called the physical protection system timeline and the other is the adversary timeline. In order for the adversary to be successful, he has to complete his task before the physical protection system (PPS) delay time. If the task completion time by the adversary is more than the PPS response time, then the security system is successful. To establish these timelines, the first step is identification of the critical detection point, and a definition of the role of early detection. The security elements of detection, delay, response, and access control are the same for a nuclear facility as well as for nuclear materials.
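
The comparison of the two timelines described above can be worked through on a single path, as an added example that is not part of the workshop summary. The path elements, delay times, detection probabilities and response time are constructed values; the probability-of-interruption figure goes beyond what the text states and assumes that a sensor triggers as the adversary starts on an element and that detections are independent.

```python
"""Timely-detection check for one path (added example, constructed data)."""
from dataclasses import dataclass
from math import prod


@dataclass(frozen=True)
class PathElement:
    name: str
    delay_s: float    # time this element costs the adversary, in seconds
    p_detect: float   # probability that sensing at this element raises an alarm


def remaining_delay(path, i):
    """Adversary task time still ahead if the alarm is raised at element i.

    Assumption: the sensor triggers as the adversary starts on the element,
    so the element's own delay still counts toward the remaining time.
    """
    return sum(e.delay_s for e in path[i:])


def critical_detection_point(path, response_s):
    """Index of the last element at which an alarm still leaves more
    adversary task time than the response needs; None if no element does."""
    cdp = None
    for i in range(len(path)):
        if remaining_delay(path, i) > response_s:
            cdp = i
    return cdp


def p_interruption(path, response_s):
    """Probability that at least one alarm is raised early enough.

    Sensors past the critical detection point are ignored: delay that is
    spent before detection buys the response force nothing.
    """
    cdp = critical_detection_point(path, response_s)
    if cdp is None:
        return 0.0
    return 1.0 - prod(1.0 - e.p_detect for e in path[: cdp + 1])


def timeline_report(path, response_s):
    """(name, remaining delay, timely?) for every element on the path."""
    return [
        (e.name, remaining_delay(path, i), remaining_delay(path, i) > response_s)
        for i, e in enumerate(path)
    ]


# Constructed path, outermost layer first. The outer boundary is patrolled
# but not alarmed, so it contributes delay without detection.
LAYERED_PATH = [
    PathElement("outer boundary", 10.0, 0.0),
    PathElement("double fence", 30.0, 0.9),
    PathElement("building entrance", 90.0, 0.8),
    PathElement("inner room door", 120.0, 0.9),
    PathElement("task at target", 60.0, 0.0),
]

# Same barriers and same total delay, but the only sensor sits on the
# innermost door, after the critical detection point.
LATE_DETECTION_PATH = [
    PathElement(e.name, e.delay_s, e.p_detect if e.name == "inner room door" else 0.0)
    for e in LAYERED_PATH
]

RESPONSE_S = 200.0  # constructed PPS response time, in seconds

if __name__ == "__main__":
    for label, path in (("layered", LAYERED_PATH), ("late detection", LATE_DETECTION_PATH)):
        cdp = critical_detection_point(path, RESPONSE_S)
        print(label, "critical detection point:", path[cdp].name if cdp is not None else None)
        for name, left, timely in timeline_report(path, RESPONSE_S):
            print(f"  {name:18s} remaining {left:5.0f} s  timely={timely}")
        print(f"  probability of interruption = {p_interruption(path, RESPONSE_S):.2f}")
```

Both constructed paths impose the same 310 seconds of total delay, yet the second scores zero because its only alarm comes with 180 seconds of adversary task time left against a 200 second response.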
A good security design should include:

•   balanced protection: the front end and the back end of a facility should be protected equally

•   protection in-depth: layered protection measures, not only physical measures, should be applied

•   reliability: the instruments and systems should be reliable

•   information security: should not be neglected

•   confidentiality: physical protection systems should be kept confidential to maintain the reliability of the system

•   consideration of operational needs: security systems should not interfere with the operation of a facility

There is considerable interaction between safety and security systems and at times, they have contradictory requirements. Such contradictions should not be allowed in the case of security. To address these issues, dialogue is needed between safety and security requirements.

Indian nuclear power plants, from the inside out, have four layers of protection, starting with the operating island. There is a double fence around the inner and the vital areas. This is called the protected area. Then there is the main plant boundary. The outermost layer is known as the exclusion zone boundary; the second layer is the main plant boundary, which is 500 meters from the operating island. Third is the operating island, which is declared as a protected

All plutonium facilities are subject to strict nuclear material accounting systems and physical protection measures. These include protection in depth with multiple layers of protection, portal monitors sensitive to neutrons and gamma rays, and containment and surveillance systems, which together with NMA provide a measure of confidence that potential diversion paths are not being used for clandestine purposes by criminal elements. In plutonium reconversion/fabrication facilities where vulnerability is relatively high, near real time accountancy can be applied to improve the detection sensitivity for loss or diversion of plutonium. Concerted efforts are taken to include design, operation and control features aimed at reducing material unaccounted for and also to incorporate better plutonium measurement techniques.

The diversion of nuclear material from facilities can also be minimized by automating the process. Through automation, access to the nuclear material can be minimized and the number of operators can be reduced, thus reducing the possibility of theft or diversion. The International Commission on Radiological Protection (ICRP) recently reduced the exposure limit to the eye from 150 mSv to 20 mSv. To reduce the individual exposure in plutonium fuel fabrication areas, one has to deploy more people, which may conflict with security requirements to keep the staff at a minimum. Therefore, the need for automation of the fabrication process is driven both by security and safety requirements.

Remaining challenges to the security of a fuel cycle facility include: the need for automation of the process operations and material accounting, new vulnerabilities from increased use of computers, and cyber attacks on computer systems used for process control, nuclear material accounting, and physical protection systems.
The absence of structured guidance documents on security similar to the safety codes and guides is also a challenge. Currently, no hierarchical documents exist for security and there are concerns about inadvertent revealing of plant security vulnerabilities. Consequence analysis is essential and conducted using a design basis accident and a design basis threat. A primary distinction is that nuclear safety regulation is not prescriptive, whereas nuclear security regulation is prescriptive.

Finally, Sundararajan concluded that the lack of sharing of experiences from fuel cycle facilities in other countries remains a challenge. Likewise, there is a lack of standardization across facilities, which makes security difficult as well. He said that India has excellent probabilistic safety assessment models for safety assessment of nuclear facilities but does not have vulnerability assessment models for security assessment of nuclear facilities. The organization of appropriate training programs to promote security culture would be beneficial.

U.S. Perspective

Michael O’Brien began his presentation by stating that the protection of nuclear facilities has evolved over many decades. This evolution has been

necessitated by advances in technologies as well as the need to adapt to a changing threat. According to the IAEA Guide INFCIRC 225 Rev.5,² which a vast number of nuclear facilities world-wide use as their principal guidance, nuclear facility physical protection should be based on a defined threat. This threat and the characteristics of the threat are defined at the government level in the United States. The facility physical protection system would be expected to adequately address sabotage and theft attempts by adversaries defined in threat guidance and therefore requires development of appropriate protection strategies and proper implementation.

When determining the threat, O’Brien stated that the threat guidance, generally referred to as a design basis threat (DBT), describes the number and attributes of adversaries. A common DBT would define a group of outsider adversaries and one or more insider adversaries, and outsider adversaries colluding with an insider. The capabilities of the adversaries would also be defined in terms of their knowledge, skills, weaponry, and equipment.

The philosophy of protection in the United States includes the notion that nuclear facilities should be designed to allow for redundancy and defense in depth in the protection system to avoid single point failures and to force adversaries to defeat several protection elements in order to achieve their intended task. The facility layout may also be designed in a way to afford a layered or graded protection approach in which protection measures increase closer to target locations. A protection system may encompass several principal objectives. These may include protection against: theft by outsider and/or insider adversaries, sabotage by outsider and/or insider adversaries, or cyber attacks. The combination of protection systems and protective force deployment must effectively mitigate each of these threats.
This deployment may require the implementation of multiple strategies. The protection strategies, containment and denial, are specific to the type of threat one is protecting against. A containment strategy is used for protection against theft of nuclear material, through the use of appropriate detection, delay, assessment, and response capabilities. Protective force assets must be able to respond in time to interdict, contain, and neutralize an outsider adversary force before completion of an attempted theft. A denial strategy is used for protection against sabotage of nuclear material, through use of appropriate detection, delay, assessment and response capabilities. Protective force assets must be able to respond in time to interdict and neutralize an outsider adversary force prior to the adversary force’s arrival at the target location, thus denying their access to the location and their sabotage attempt.

² Nuclear Security Recommendations on Physical Protection of Nuclear Material and Nuclear Facilities (INFCIRC/225/Revision 5). IAEA Nuclear Security Series No. 13. http://www-pub.iaea.org/MTCD/publications/PDF/Pub1481_web.pdf.

Strategies against an insider threat encompass some appropriate combination of separation of duties, limited access, limited responsibilities, compartmentalization, two-person rule procedures, material surveillance, material controls and accountancy measures, as well as safety procedures and systems in order to increase the likelihood of detecting an insider attempt of theft or sabotage. A human reliability program may be administered to further enhance an insider protection program. A strategy against a cyber threat encompasses analysis of electronic networks and the identification of appropriate electronic measures to detect network penetration attempts.

According to O’Brien, a strong physical protection system (PPS) design effectively integrates people, procedures and equipment to meet the objectives of the system. The protection system design must facilitate protection elements working together to assure protection rather than treating each single element separately. For example, to be effective, the manager should ensure that fences, sensors, delay systems, closed circuit television assessment systems, procedures, communication systems, and protective force personnel act as an integrated system meeting protection objectives.

The primary PPS functions are to detect, delay, assess, and respond to adversary actions. Intrusion detection may consist of an array of technologies designed to detect penetration by an adversary. Some examples include: exterior/interior sensor technologies such as microwave, active or passive infrared, vibration, magnetic field, and electric field. Delay systems decrease the adversary rate of progress toward the target allowing an adequate number of protective force personnel to respond in time to stop a malevolent act.
Some examples include: fences, walls, doors, structural enhancements, vehicle barriers, smoke or fog visual obscurants, entanglement systems. Assessment systems aid in the visual verification of detected adversary actions, as well as aid the protective force in the subsequent engagement with the adversaries. Some examples include: closed circuit television cameras, lighting systems, and posted or patrolling protective force personnel. Protective force personnel provide the response actions to interdict and neutralize adversaries. The response force is generally composed of tactically-trained primary responders, tactically-trained secondary responders, and posted or patrolling protective force personnel who augment the engagement by primary and secondary responders.

To achieve an appropriate level of system effectiveness, O’Brien noted, the entire protection system must operate in a complementary and integrated manner. Protection elements do not have to be physically integrated, but rather have to work in synergy to achieve the overall protection objective. Three noteworthy points of integration include: (1) nuclear material controls, which allow material accountancy and physical protection to work in a complementary fashion

(2) protection systems and protective force, which form the main core of the protection system (3) command and control system integrating physical protection systems as a single command center operated by a protective force.

Nuclear material controls may include: material surveillance systems, point sensors, vault-alarm sensors, two-person procedures, material tie-downs, and entry control measures such as nuclear detection portal monitors, metal detectors, and electronic access controls. Physical protection systems provide the means for the protective force to detect, delay, and assess adversary actions allowing the response force to tactically engage the adversaries in a timely manner. When needed in situations of shortcomings, compensatory measures for an integrated system can be either physical protection system elements or protective force personnel. Integration of physical protection systems into a single alarm control and display unit with assessment, entry control, and communication capability provides protective force personnel the ability to effectively operate the entire system for daily operations and in emergency situations such as adversary malevolent acts.

Protection systems should be in a constant state of evaluation. System effectiveness should be validated and any shortcomings addressed in a timely manner. This is often best implemented through a performance assurance program, which is a means to collect and store system data in a single location for use by analysts in verifying system effectiveness. A system testing plan should define the manner and frequency with which system components are tested for functionality as well as performance against design criteria. O’Brien said that all critical systems and their critical elements should be performance tested regularly. Tests can be at the system level or component level.
Test results should be documented and archived for use by system administrators, performance assurance program administrators and vulnerability analysts. Protective force personnel should be subject to periodic testing to validate tactics, procedural compliance, and response times. Test results should be documented and archived for use by performance assurance program administrators and vulnerability analysts. Similarly, material control and accounting (MC&A) systems and their critical elements should be performance tested regularly. Tests can be at the system level or component level. Test results should be documented and archived for use by system administrators, performance assurance program administrators and vulnerability analysts. Vulnerability analyses and the documented system effectiveness level should be validated on an annual basis and when a change in operations or facility configuration occurs. In summary, nuclear facilities require the highest level of security due to the high consequence to the public if a malevolent act were to occur. Proper protection planning, design, and implementation approaches are well documented and shared within the global security community.

Safety, Security, and Safeguards

Paul Nelson began by stating that his presentation would emphasize nuclear security, but that he also would refer to safety and safeguards as well. Together they make up what is known as the “3 S’s.” He also focused on the educational aspects of all three, especially security and research. As has been stated by other presenters, public perception of safety and security is essential, especially in a democracy where public confidence is crucial to nuclear activities. For purposes of nuclear security, it is important to reassure the public that appropriate measures are being undertaken, while not revealing information that might be useful to any potential adversary. In the United States, the responsibility for security of civil materials resides with the (typically private) entity owning the material.

Nelson then provided an overview of the Texas A&M University’s Department of Nuclear Engineering at which graduate students do scientific and technical work with policy overtones. Other U.S. universities with similar programs in nuclear security include the University of California at Berkeley, the University of Missouri, the University of New Mexico, and the University of Tennessee.

Nelson noted examples of possible research projects for Indo-U.S. collaborative efforts that could be conducted either through these universities or elsewhere. He provided examples rooted in the so-called “risk equation.” Figure 2-1 defines risk as the expected value per unit time of the consequences of an adverse action. At that level of generality, the concept of risk is equally applicable to safety, security, and safeguards, and in fact probably has been most extensively applied to safety in the form of so-called risk-informed approaches to nuclear safety issues.
The objective of the defending force is to minimize risk, but Nelson stated that probability and consequences should not be overlooked. The problem of how to assess quantitatively the probability (frequency) of attack in the security and safeguards areas may be one possible joint research project. This could, if successful, move security toward the risk-based approach to safety. The currently accepted alternative is to design safety measures to the design basis threat (DBT).

$$\text{Risk} = P_A \, P_S \, C$$

where
$P_A$ = probability, per unit time, that an attack occurs;
$P_S$ = probability an attack is successful, given that one occurs;
$C$ = consequences of a successful attack.

FIGURE 2-1 The so-called “risk equation” defines risk as the expected value per unit time of the consequences of an adverse action. SOURCE: Nelson, 2012.

A second research opportunity could be directed toward effecting some commonality in the measure of consequences across safety, security, and safeguards. The challenge is difficult, because consequences are not measured in the same terms (e.g., property damage vs. lives lost). Even within a single one of the “Ss”—for example safety—there are strongly held opinions regarding rational evaluations, and these differences are further confounded by lack of some basic knowledge such as the linear no-threshold hypothesis for very low radiation doses.

The third possible opportunity for collaborative research Nelson proposed lies in the area of information security. It is based on the observation that at many nuclear installations there is need for communication resources for purposes of both security and safeguards. It is therefore an obvious idea to achieve economies and efficiencies by sharing resources between these two needs. The problem of course is how to ensure integrity of the two data streams, especially given that for security the host nation is the protector, while for safeguards it is the presumed adversary. The research question very roughly could be how to use software-based methodologies to achieve that integrity.

The fourth and final example of a possible research collaboration is on consequence management training tools, such as the development of a plume simulator for handheld instruments, or even smartphone applications.

Nelson also noted that there could be a junior-level exchange program between Indian and U.S. students to jointly address these and other issues. From his perspective, an ideal arrangement would be an “experiment” in which a few U.S.
graduate students in nuclear engineering, for example, could carry out research internships at appropriate Homi Bhabha National Institute (HBNI) campuses in the summer of 2013, to be followed by similar research-oriented visits by current HBNI students or recent graduates later in the fall of 2013. They could be matched-up in pairs to permit six months of continuous effort by the same people in the same problem area. The hope is that these exchanges would lead to substantial results. He noted that there are some universities in the United States interested in this idea. Hopefully there would also be Indian universities interested in hosting students from the United States as well.

DISCUSSION

The initial question was about personnel reliability programs and who, in the United States, has access to sensitive target areas. For example, would guards have access to sensitive areas, because this might constitute a type of insider threat if the person were to be ideologically inclined. There were three attacks on military targets, not civilian, likely due to insider threats.

O’Brien replied that, yes, the personnel reliability program does apply to the guard forces. He noted that because their duties or responsibilities relate to the protection of the material, the majority of the MC&A personnel, material handlers in various functions at work in that environment, will be under the

program. Protective force personnel are under the program. People who maintain the systems are under the program, and even some of the first-level supervision of those personnel. The main group of those who either have direct access or who could obtain access to the material are covered by the program in the United States.

Kumar replied that to the best of his knowledge, India uses the same approach. Anyone who could potentially be an insider threat, including the top manager, is covered by the program. This is always taken into account in the design phase as well. Other measures are also taken. He continued by stating that when new guard forces enter the system, or come to a new facility, a check is performed; there are always checks and balances.

A participant continued that, in many of India’s security facilities, there is a layer of overall security, then there is the Central Industrial Security Force (CISF). There is separate training for CISF personnel involved in specific duties at some of the facilities. These guards know that if they are assigned to a BARC facility, they have to have additional training. However, what is actually going on inside is something that they may not know at all. Access is granted on “a need-to-know basis.” They do have to be sensitized with additional information. They are also monitored. Also, the CISF forces are rotated perhaps as often as every one or two months.

A question was raised about security at nuclear facilities from the front end to the back end. Last year an IAEA Scientific Committee studied the effects of atomic radiation for a 20-year period, 1987 to 2007, and there were only three accidents. There were no deaths or injuries related to the absence of nuclear security.
In fact, the IAEA safeguards group, to which safeguards accounting reports are sent every year for all members of the NPT with the exception of the nuclear weapon states, stated that all Indian facilities have nuclear security under control. There has been no diversion, which under IAEA Guidelines means that the probability of diversion of more than 1/3 of standard quantity is less than 1/3. So as far as the nuclear material at nuclear facilities is concerned, there is no guarantee that nothing will happen in the future but thus far there has not been any material breach of security. On the other hand, the same IAEA scientific community said that orphan sources are a breach of nuclear security, and over the 20-year period from 1987 to 2007, 16 deaths have taken place, and there were 28 earlier incidents with more than 200 deaths, which means that the breach of nuclear security in the case of radiological material is far more serious than anything that has been contemplated in the nuclear facilities, and, of course, orphan sources means they come only from industrial or medical applications. Those accidents are different. These orphan sources mean a breach of nuclear security; however, this was not discussed at the workshop. Is the real consequence of a breach of security for nuclear radiological materials far more serious and how do we adjust that? What are the concerns in coming years? There must be orphan sources in the United States as well as in India because there has not been a comprehensive check. There have been a few instances where Intercel radiography cameras

have been lost or nuclear gauges have been procured and not used, lying idle for quite a long time. Some more attention should be paid to these sources. It is a public concern and serious, and in the case of Brazil, far more people were affected by unintentional radiation exposure from a radiological source in Goiania than anything that has happened in any other place. The offsite impact of Goiania is far more than the offsite impact of any nuclear accident at Chernobyl and recently Fukushima.

A participant noted that the Goiania incident was not a malevolent attack. In other words, incidents regarding orphan sources often arise out of ignorance. People who handled the materials did not know what the consequences would be, including the Mayapuri incident. After the Mayapuri incident, a system has been put in place in India to inventory all of the radiation sources and there is an exhaustive computerized database system. Today, with this particularly high category source, nearly 100 percent of the material has been inventoried. With lower category sources like that used in diagnostic radiology, the inventories are still to be completed because there is a very large number of sources dispatched. A large number of people have been trained in the last two years, as many as 2,000, in hospitals, in port authorities, in customs services, clearing agents; and all of these people have been sensitized with respect to the risk associated with this kind of source.³ Suppose a person receives a source from abroad, at the end of its useful life, it would not be exported. Ten years ago, there were no stipulations in India to address such incidents. Today, no one can import a source from abroad unless there is a commitment by the supplier to take the source back after its useful life in the country. The rules have been tightened and enforcement has been tightened.
It is impossible to get a source imported without the clearance of AERB, and clearance for import, for use, for the operation, and for decommissioning and repatriation, without a license at every stage from the regulatory board.

Another workshop participant expressed surprise that a nuclear security breach includes an accident or a malevolent attack by a terrorist or a demonstrator. There is no distinction between an intentional or an unintentional act. Both are considered a breach. Second, in a 20-year period, 42 people died. For those 42 people, it makes no difference whether there was a breach of nuclear security because of a malevolent attack or a terrorist attack. Third, yes, these materials were handled, but they were handled not knowing what they were. Non-malevolent acts may also lead to complacency.

³ Comptroller and Auditor General of India, Activities of Atomic Energy Regulatory Board, Report No. 9 of 2012-13. Available at http://saiindia.gov.in/english/home/Our_Products/Audit_report/Government_Wise/union_audit/recent_reports/union_performance/2012_2013/SD/Report_9/Chap_6.pdf. Accessed September 3, 2013.

A participant from the United States added that in the early 1990s, requirements were added to conduct vulnerability analyses on special nuclear material, including what was defined as radiologically toxic material located at a

site. Owners now have to analyze vulnerabilities, the risks associated with those items, and define security for those items, as well. And that has been going on ever since the early 1990s at Department of Energy (DOE) sites.

Another participant added that the problem seems to stem more from industrial radiography sources because a licensed person may wish to buy a source, but then pass it on illegally to someone else. What if it is lost? There was even a case some years ago when a disgruntled employee stole a source and threw it into a public body of water, and then it had to be retrieved. These sudden cases are far more difficult to resolve, but they need to be addressed in whatever way possible. There will always be some situations that cannot be addressed.

The issue of retrofitting was then raised. How does this work? Architects are now giving us the option of greening older buildings for energy conservation with green technologies. How do you actually apply this design to an older building to make it secure and explain this to the budgetary authorities?

Another participant replied that this is a very good question because often these concepts and methodologies are presented as if we are dealing with perfect facilities, and in reality, no facility is perfect. The truest answer is that we do analysis, assess the risk, and sometimes we will end up with targets that are too close to perimeters or any number of issues. One just really has to do the best one can until the point is reached where one feels an adequate risk level has been achieved, and sometimes additional compensatory measures are unavoidable. All of this is driven by the scenarios analyzed at a particular facility. All facilities are different, of course. Whether you have done an adequate job or not is the end result of the risk equation.
If that is not achievable, then the true measure is consolidation of material, movement of the material to other locations, and that happens as well.

A participant asked a follow-up question about whether or not decisions are made on a budgetary basis. Is a facility then declared as a high risk area? In reply, if the retrofit really truly cannot be done for whatever reason, the material is removed. In the United States, high-risk situations are not tolerated. The mission is moved elsewhere or that activity at that particular location is stopped.

Another participant added that sometimes regulations are prescriptive and not performance-based. An example would have been the requirement to have a Perimeter Intrusion Detection and Assessment System (PIDAS) around certain types of facilities. At the Savannah River Site, funding was requested to put the PIDAS around the separations facilities, but it just was not going to happen. There was not enough money in the budget. So, the risk was analyzed, and in that particular situation, it was judged that it was not necessary for the task being performed. The appropriate risk level could be achieved without funding that type of upgrade. So that would be an example where budget came into play, and the problem was reviewed and the decision was not to do the upgrade because it just didn’t make financial and security-based sense.

Raymond Jeanloz asked about avoiding a conflict of interest in that particular case. Were there outside reviewers, an independent audit or something

like that? Exceptions should be allowed without opening the door to conflicts of interest. In response, the participant replied that to the best of his memory, there was a congressional line item to do that upgrade, and the cost grew too large, so there was an independent analysis conducted.

Another participant recalled the earlier discussion about how the design basis threat (DBT) can drive costs up and down. There was an experience in the early 1990s when a local DOE office asked to use the vulnerability analysis results to conduct sensitivity analysis by adding and taking things away. They requested that certain items be eliminated, basically stripping the protection to determine how much money could be saved by taking protection away, and the facility was forced to do this. That was prior to the events of September 11, 2001. Subsequently, the DBT went up, and the facility was less equipped to ramp up to appropriate levels of security, and it cost quite a bit of additional money to have the right level of security. Therefore, as a note of caution, do not use the vulnerability analysis results as a kind of a cost metric. It is really a performance metric of the system, but it can also be misused, if the results are used the wrong way.

V. Venugopal agreed that previously, many of the radiological sources were not really properly accounted for, but now the bulk of radiation sources are more secure: sources associated with isotope technology are secured, databases have been completed, and frequent visits to the sites are made to see that everything is in place. This is one of the major issues with respect to radioisotopes in the public domain. It is a double-edged sword. For example, Am-241 was extensively used in various places in smoke detectors. And in the United States, 10 years earlier, a school student had collected a large number of sources and material was dispersed in that area.
His house was contaminated. The area was con- taminated. So much money was spent. Now, this source was removed from smoke detectors. BARC has collected all of these smoke detectors and disposed of them after installing the new varieties. So these are the problems. This is obviously a serious concern. At DOE, there are two programs deal- ing with this issue. One of them is well logging in the oil industry where radio- logical sources have been used and still are being used in reasonably large amounts. DOE is investing money to find an alternative to americium and beryl- lium sources and trying to see if one can receive neutron radiography not using radiological sources. The Department of Atomic Energy would certainly explore similar things. And the second one is DOE’s program, offsite sources recovery program. It is not about orphan sources, but rather an offsite sources recovery program by DOE and Los Alamos National Laboratory. They help remove some of orphan sources and secure them. There is a lot that can be done. Communication also needs to happen because one can never completely avoid risk. It would be difficult to go to a drilling company and ask them to have all of their security measures consistent with those of nuclear and radiological facilities. How do we educate them? How do we procure orphan sources? Some of this is still being thought through.

Of these very technical issues, a participant stated that his source of concern is nuclear terrorism. During the Washington and Seoul Summits, the Indian government and 40 other governments have committed at the highest level to nuclear security. So if one is concerned with nuclear terrorism, then one is concerned with security of materials of all forms, i.e., plutonium and uranium in the different forms, and irradiated fuel, and also radiological sources. Frankly, if there is a nuclear terrorist attack, we do not care what kind of material is used, the speaker said. The implications of a terrorist act with radioactive material are very serious. It is difficult to address because the sources are widely dispersed, which could increase the threat of an improvised explosive device. Is there currently a procedure in India to check every site of a bomb explosion for radioactivity, because without ever knowing it, there may have been radioactive material mixed with chemical explosives, only to be discovered much later? People who were exposed may have moved away. Maybe every chemical bomb explosion anywhere should also be checked for the presence of radioactivity.