3

Physical Security at Civilian Nuclear Facilities

Key Issues

The key issues noted here are some of those raised by individual workshop participants, and do not in any way indicate consensus of workshop participants overall.

•   Nuclear security has three distinct steps: (1) define the requirements, (2) design the physical protection system based on the requirements, and (3) evaluate the physical protection system to assess whether it meets the performance requirements.

•   The most difficult adversaries to address using the physical protection system are terrorists, but activists and demonstrators are also difficult because of the ambiguity of their actions and intentions.

•   The insider threat is a worldwide concern for nuclear security because an adversary with a colluding insider is very dangerous.

•   The vulnerability assessment process can be divided into three broad phases: characterization (target identifications); analysis (identifying vulnerabilities); and neutralization and system effectiveness.

Promising Topics for Collaboration Arising from the Presentations and Discussions

These promising topics for collaboration arising from the presentations and discussions are not those representing the consensus of the participants, but are rather a selection of those topics offered by individual participants throughout the presentations and discussions.

•   To address the growing demand and diverse technology requirements, standardization may be an area for joint discussion because it is essential for benchmarking and for cost-effective systems.



The National Academies | 500 Fifth St. N.W. | Washington, D.C. 20001
Copyright © National Academy of Sciences. All rights reserved.
Terms of Use and Privacy Statement



Below are the first 10 and last 10 pages of uncorrected machine-read text (when available) of this chapter, followed by the top 30 algorithmically extracted key phrases from the chapter as a whole.
Intended to provide our own search engines and external engines with highly rich, chapter-representative searchable text on the opening pages of each chapter. Because it is UNCORRECTED material, please consider the following text as a useful but insufficient proxy for the authoritative book pages.

Do not use for reproduction, copying, pasting, or reading; exclusively for search engines.

OCR for page 59
3 Physical Security at Civilian Nuclear Facilities Key Issues The key issues noted here are some of those raised by individual workshop participants, and do not in any way indicate consensus of workshop participants overall.  Nuclear security has three distinct steps: (1) define the requirements, (2) design the physical protection system based on the requirements, and (3) evaluate the physical protection system to assess whether it meets the performance requirements.  The most difficult adversaries to address using the physical protection system are terrorists, but activists and demonstrators are also difficult because of the ambiguity of their actions and intentions.  The insider threat is a worldwide concern for nuclear security because an adversary with a colluding insider is very dangerous.  The vulnerability assessment process can be divided into three broad phases: characterization (target identifications); analysis (identifying vulnerabilities); and neutralization and system effectiveness. Promising Topics for Collaboration Arising from the Presentations and Discussions These promising topics for collaboration arising from the presentations and discussions are not those representing the consensus of the participants, but are rather a selection of those topics offered by individual participants through- out the presentations and discussions.  To address the growing demand and diverse technology requirements, standardization may be an area for joint discussion because it is essen- tial for benchmarking and for cost-effective systems. 59

OCR for page 59
60 India-U.S. Cooperation on Technical Aspects of Civilian Nuclear Materials Security  Potential saboteurs can utilize a protest by mixing with activists and de- monstrators who could gain entry. Understanding how to address materi- als security in these scenarios is an area of potential discussion for U.S. and Indian experts. Technologies and Physical Security of Nuclear Materials: An Indian Perspective Ranajit Kumar described technologies for physical security of nuclear material (see Table 3-1). He began by noting that India’s commitment to securi- ty of nuclear material comes from the highest levels of the government, illustrat- ed by the statement made by Prime Minister Manmohan Singh explaining that the Indian Atomic Energy Act1 provides the legal framework for securing nucle- ar materials and facilities and committing India to developing a Global Centre for Nuclear Energy Partnership, one element of which will be a school for nu- clear materials security. In addition, India is a party to the Convention on the Physical Protection of Nuclear Material and its 2005 amendments.2 The major concern about nuclear material primarily derives from the fact that it can be used to make nuclear explosive devices, which can be highly cata- strophic. Nuclear sabotage, a major concern for nuclear facilities like nuclear pow- er plants, can also be catastrophic. A dirty bomb or radiological dispersal device is not a weapon of mass destruction, but a weapon of “mass disruption.” Nuclear security has five key components, according to the Nuclear Threat Initiative: quan- tity and sites, security and control measures, global norms, domestic compliance TABLE 3-1 Potential targets worldwide that require nuclear security. Compiled by Kumar from International Atomic Energy Agency data. Number of items Type of Item 25000 nuclear weapons 3000 tons civil and military HEU and Pu 480 research reactors (>160 with HEU) 100 fuel cycle facilities 440 operating nuclear power plants 100000 Cat I and II radioactive sources 1000000 Cat III radioactive sources 1 The Department of Atomic Energy, The Atomic Energy Act, 1962. Available at http:// dae.nic.in/?q=node/153. Accessed September 3, 2013. 2 IAEA. 1980. Convention on the Physical Protection of Nuclear Materials. Available at: http://www.iaea.org/Publications/Documents/Conventions/cppnm.html. Accessed Septem- ber 20, 2013.

OCR for page 59
Physical Security at Civilian Nuclear Facilities 61 and capacity, and societal factors.3 Kumar focused on security and control measures noting that nuclear security is more than gates, guns, and guards. Nuclear security has three distinct steps: define the requirements, design the physical protection system based on the requirements, and evaluate the phys- ical protection system to assess whether it meets the performance requirements (see Figure 3-1). The third step feeds back into the second step so that if the sys- tem does not meet the end objective of neutralizing the adversary with a certain probability, the physical protection system can be adjusted or redesigned. The first step is to define the requirements of the physical protection system. This step includes characterizing the facility, identifying the targets that need to be protected, and defining the threat the system must protect against. A graded ap- proach is taken in target identification. The International Atomic Energy Agency (IAEA) has categorized nuclear material (Category I through III; see IAEA Infor- mation Circular 225/Rev 5)4 according to handling requirements. For unirradiated FIGURE 3-1 Diagram of the design and evaluation process outline (DEPO). SOURCE: Kumar, 2012. 3 Choubey, Deepti, Sam Nunn, Joan Rohlfing, Page Stoutland. 2012. NTI Nuclear Mate- rials Security Index: Building a Framework for Assurance, Accountability and Action. Available at: http://www.nti.org/analysis/reports/nti-nuclear-materials-security-index/. Ac- cessed September 3, 2013. 4 Nuclear Security Recommendations on Physical Protection of Nuclear Material and Nuclear Facilities (INFCIRC/225/Revision 5). IAEA Nuclear Security Series No. 13. Available at: http://www-pub.iaea.org/MTCD/publications/PDF/Pub1481_web.pdf. Ac- cessed September 3, 2013.

OCR for page 59
62 India-U.S. Cooperation on Technical Aspects of Civilian Nuclear Materials Security material, the category is based on the hazard of the material or its perceived value to a malefactor, which in turn is based on its utility in making a nuclear explosive and the quantity that is present. For example, unirradiated plutonium in quantities of 2 kg or more qualify as Category I. Most nuclear power plants use Category III nuclear material, except for some research reactors. There are several considerations in defining the threats that the system must protect against. The threats may include thieves, saboteurs, terrorists or protesters. For any adversary, the requirements include how many people are involved; whether it involves outsiders, insiders, or a combination of the two; the motivation (ideological, economic benefit, or something else), and; objective or intention (e.g., are they interested in sabotaging a plant to disrupt the power plant, to disrupt the power production, or is their intention to take the nuclear material?). The threat definition also includes the adversary’s tactics (force, deceit or stealth) and capa- bilities (numbers, training, knowledge, weapons, equipment). The various aspects of the threat are summarized in the form of what is called the design-basis threat (DBT). India has a national DBT for the design of physical protection systems for all civilian nuclear power applications and civilian nuclear facilities. The DBT is confidential for obvious reasons. Kumar said that his initial perception was that the most difficult adversary to address using the physical protection system would be terrorists, but he under- stands now that even activists and demonstrators are difficult because of the ambi- guity of their actions and intentions. That said, the insider threat is a worldwide concern for nuclear security because an adversary with a colluding insider is very dangerous. They can be internally motivated or externally coerced, passive or ac- tive, and nonviolent or violent. After defining the requirements comes the design phase. Based on the na- tional DBT, a local and facility-specific threat document is prepared because there are certain threat elements that are specific to a particular locality, a partic- ular region, or a particular state. All facilities are required to prepare their facili- ty-specific DBT document and the physical protection system is designed to that threat. There are three elements of the physical protection system: detection, de- lay, and response. Detection can be carried out by intrusion sensing (exterior and interior) and by entry control and other methods. Typical sensors include infra- red thermal cameras with video analytics. Another tool is to look for objects that are not permitted—for example, explosives—to detect threats to the facility. Entry control is used for the purpose of allowing authorized personnel to gain access to the facility to carry out their normal duties and requires both identity validation and access control. The target should be protected in such a way that the system provides a certain minimum delay to the adversaries to reach, gain access to, and either sabotage or take the target. In theft scenarios, the facility protectors have both the time to reach the target and the time it takes the adversary to leave the facili- ty. The delay elements are walls, structures, barriers, including active barriers or dispensable barriers (e.g., slippery or sticky foams). For delay to be effective,

OCR for page 59
Physical Security at Civilian Nuclear Facilities 63 the protection system should detect an adversary action as early as possible and notify the response teams. The Central Industrial Security Force (CISF) under the Ministry of Home Affairs is the primary response force for nuclear facilities in India. They have a separate set of training requirements and weapon qualifications for guarding nu- clear facilities. Depending on the requirements, the local police and some of the national response forces also may be called upon. Kumar noted that most of the technologies that are deployed in Indian nu- clear installations for nuclear material security, as well as for nuclear facility secu- rity, are developed in-house by either the Bhabha Atomic Research Centre (BARC) or Electronics Corporation of India, Limited. They are designed to par- ticular specifications because of the need for reliability given that some elements can compromise the security of a nuclear installation if they do not function properly. BARC has also designed security systems for non-nuclear facilities, apply- ing the systems engineering approach used for nuclear facilities to other installa- tions. For example, BARC designed security for the Indian Parliament and some of the same design principles, such as for vehicle barriers, were taken from nuclear facilities. Nuclear material control and accounting is another major component of nu- clear material security. This system is the first to detect whether there is any diver- sion of nuclear material occurring. The Indian Department of Atomic Energy has the nuclear material accounting group, which is responsible for carrying out the nuclear material and accounting. In the inner layer where the nuclear material is stored, some of the physical protection techniques, such as the two-man rule to open locks, are applied. Simi- larly, there are several electronic locks designed indigenously that are used. Mate- rial is guarded by using indigenously developed electronic seals for storage con- tainers and portals for detection of nuclear material in personnel monitoring. Kumar noted that BARC has also developed other radiation detectors primarily for border applications (i.e., to detect illicit trafficking), and handheld detectors for searches. The government of India mandated that the portals be installed across all of India’s airports and seaports. So far, they are deployed in a couple of seaports. The moment one utilizes any network-based system, it is vulnerable to an at- tack from external sources and they can gain access. That is why information secu- rity is an integral part of the program (see Figure 3-2). India has developed a se- cure messaging and voice communication device that sits within a mobile device and helps communicate in a secure manner, both for messaging and voice com- munication. India has requirements for both safety and security of nuclear material transport. India does real-time tracking of secure vehicle transportation using its geostationary satellite. The system also utilizes the local Global System for Mobile Communications or Code Division Multiple Access (CDMA) mobile communica- tion network. They are completely tracked within India from a central monitoring station.

OCR for page 59
64 Ind dia-U.S. Cooper ration on Technical Aspects of C Civilian Nuclear Materials Secur rity FIGUR 3-2 Conceptu diagram of the elements an interconnectio of informati RE ual t nd ons ion security SOURCE: Kum 2012. y. mar, Finally, Kumar said, all of th F r hese elements are combined in an integrat d ted physica protection system (PPS). An integrated PPS is in pla at all nucle al s ace ear ations and is a prerequisite fo new builds. The requirem installa or ment is to addre ess nuclear security usin the right mix of securi hardware, procedures, a r ng m ity and properl trained perso ly onnel. One witthout the other makes the sys r stem incomple ete. Further the systems cannot be kept in isolation; t r, t they have to in nteract with eaach other. But they must be kept secure, particularly when the who system is b B ole be- coming network-cent g tric. Technology has been one of the central asp T s t pects of nuclear material secu r uri- ty. To address the gr rowing demand and diverse r d requirements aacross India, KKu- mar sai his team str id rives for standa ardization and , as much as ppossible, a stan nd- ardized process, whic is essential for benchmarki and cost-ef d ch f ing ffective system ms. Technologi and Physic Security of Nuclear Mat ies cal f terials: A U.S. Perspective e Jordan Parks began by statin that modeli and simula J ng ing ation for physic cal protecttion was first done in the late 1980s when t U.S. Air Fo d e the orce began usiing a tool from Lawrence Livermore National Labora f e atory called SEEES, which simmu- lated fo orce-on-force exercises. The tool evolved i e into Joint Tech hnical Simulatiion (JTS) and later into Jo Conflict an Tactical Sim a oint nd mulation (JCAATS). JCATS w was

OCR for page 59
Physical Security at Civilian Nuclear Facilities 65 really the first complete toolkit for modeling and simulation of physical security, and in 1997, it was approved as the official tool for this purpose in the United States. It was used for the Department of Energy, the Department of Defense, the Nuclear Regulatory Commission, the National Security Agency, and the North Atlantic Treaty Organization, as well as some critical infrastructure appli- cations within the Department of State. Most new tools for this purpose today come from commercial industry, but no new tool has replaced JCATS. In the 1990s, Sandia National Laboratory created a modeling and simula- tion vulnerability analysis (VA) lab that became the gold standard for VA across the nuclear weapons complex. This lab did both analysis and training. The anal- yses are based on actual performance determined by testing. Another important aspect of Sandia’s approach is the use of subject-matter experts (detection ex- perts, delay experts, etc.) at every level of the simulations to give the highest level of fidelity possible. Sandia decided to develop modeling and simulation tools for international customers with similar goals, but for different targets, such as critical infrastruc- ture in civilian sites where there were multiple targets versus one highly im- portant target. A lot of the tools in industry do not address issues of multiple targets or multiple paths for attack. When using the same performance-based approach, Sandia had to deal with issues of security classification, but the data for the analysis have to be appropriate to the customer. Finally, Sandia needed to develop a program that would support its own physical facilities, including one that stored Category I nuclear material. Sandia no longer stores Category I material and that facility is now a kind of museum and training ground to teach physical security. The VA Process The VA process can be divided into three broad phases. The first is char- acterization: Target identifications and whether the target can be stolen or is a sabotage target. What does the threat look like? What are the relevant aspects of the facility (fences, detection systems)? What does the protective force or pro- force look like and how is it trained? What are the tactics? How long does it take the pro-force to get from point A to point B? Next is the analysis phase. Looking at paths, what is the most vulnerable path from the outside of the facility to the target? What knowledge, resources, or actions might an insider provide that creates vulnerabilities for the facility? The third phase addresses neutralization and system effectiveness. Using the inputs from the earlier phases, this is where Sandia applies modeling and simulation. Given a detected adversary, given that guards have engaged the fight, what are the chances that the defenders are going to win that fight? That is what the Sandia modeling and simulation tools address, and the results of those simulations help the facility manager or overseer know how effective the system is at countering adversaries.

OCR for page 59
66 India-U.S. Cooperation on Technical Aspects of Civilian Nuclear Materials Security Moving to evaluation, a facility that achieves acceptable system effective- ness can move into quality assurance and maintenance, making sure to keep a high standard of effectiveness. Those that do not achieve highly enough turn to upgrades to remedy the weaknesses of the system. Then the cycle is repeated to assess and evaluate the upgraded system. Tools for Analyzing Effectiveness of Protective Systems There are several ways to conduct combat effectiveness analysis, Parks said. First, there are tabletop or map exercises. These are some of the most common ways of doing analysis, convening subject-matter experts from the site and from the defense forces around a table and war-gaming or working through different scenarios. The strength of this tool is that it gets everyone involved. The rules of engagement can be enforced and the set of scenarios can be limited to those that are plausible. Limited-scope performance tests, another type of combat effectiveness analysis, test individual pieces of the system—a specific sensor, a specific re- sponse time, how long it takes a guard to move from this point to this point—to obtain reliable data for simulation. Force-on-force may be the highest-fidelity type of exercise, where the se- curity forces war-game through scenarios with Multiple Integrated Laser En- gagement System gear, which is essentially elaborate laser tag equipment. Force-on-force is an incredibly expensive and time-consuming type of simula- tion, Parks said, and the quantity of data are limited. The exercise might be run two or three times. The exercise is an effective training tool for the protective force, but data are too sparse for statistical analysis and system performance assessment. Constructive simulation utilizes computer models of the facility, the envi- ronment, and the protective force and adversaries to evaluate security. The first set of tools is called human-in-the-loop: real people behind computer screens control the behaviors of entities within a simulation; people playing adversaries and people playing defense forces. This is a highly flexible toolkit, much cheap- er than force-on-force exercises, and provides more data, but it still requires a week of 15 to 20 analysts’ work. Also, as the participants learn from one itera- tion to the next, they try to game the system, which undermines the independ- ence of the runs: An adversary should not have several attempts. Finally, there are single-analyst tools that enable one person to build the scenario, build the terrain, build the behavior for the actual entities, press “Play,” and allow the computer to run the simulations. These were the focus of the re- mainder of Parks’ talk. Such tools can be more objective in that once the features of the system are set, no humans make decisions, so the results are reproduceable. They can produce large amounts of data. But one is required to have strong artifi- cial intelligence, strong behavioral models, because the aim is to simulate human behavior with no humans involved, which can lead to challenges.

OCR for page 59
Physical Security at Civilian Nuclear Facilities 67 For single-analyst tools to work, the tool needs the ability to build virtual facilities, to build models in three dimensions, utilize artificial intelligence to simulate human behavior, maintain a complex set of behaviors all working col- lectively, and if possible create visualizations in three dimensions. Simulation Toolkit and Generation Environment (STAGE) Parks described a tool called STAGE, which stands for simulation toolkit and generation environment. STAGE is a commercial, off-the-shelf tool from a Canadian company called Presagis. The tool can be purchased in almost every country in the world. It consists of four main tools. STAGE is the simulation tool. Creator Pro is where the user builds buildings and models. AI. implant is a plug-in toolkit that runs artificial intelligence behind the scenes. Terra Vista is the terrain-modeling tool, which can take in high-fidelity geographic infor- mation system data and quickly and efficiently build three-dimensional models and terrains for our simulations. STAGE has a logic-based behavior model consisting of “if/then” state- ments in a vast library of possible behaviors. Parks said that his team has yet to find a behavior that cannot be simulated in STAGE, and he said that any analyst can learn how to use the tool and build this, without writing code. AI. implant conducts dynamic path planning, which enables entities in the simulation to navigate between their present positions and their objectives with- out the user preplanning every action that they can do. The entities navigate around each other and around buildings intelligently. This, coupled with a prob- ability-based combat model and performance-based databases give the user the simulation. Sandia’s team has customizable functions that adjust for sensor per- formance and weapons performance Because the package runs independently, it can be run in batch mode: 10, 20, 100 runs overnight yielding a large repository of data on the scenarios that played. It can also be run in federation, communicating with other simulations at runtime. For example, STAGE can simulate the adversary force based on artifi- cial intelligence and have actual guards from the facility control protective force in an interactive simulation for training. With STAGE, a user can simulate each piece of the physical protection system, examining the sensitivity of the system’s performance to the perfor- mance or that component (a sensor) or subsystem (command and control or situ- ational awareness). The same can be done for the threat. Sandia is beginning to assess insider threats using these models. But it is mostly used in training and in calculating neutralization in overall physical protection analysis and system ef- fectiveness. Sandia has also used STAGE to evaluate the value of potential up- grades. Parks showed a video clip illustrating the simulations of the Sandia demon- stration facility. As the simulation proceeded, viewers saw computer animation of an adversary team breaching barriers at the boundary of a facility and moving to

OCR for page 59
68 India-U.S. Cooperation on Technical Aspects of Civilian Nuclear Materials Security inner fences, through doors, through the rooms in a building, and then engaging the guard force. Throughout, the tool notes when and where sensors detect the intruders. In the engagements viewers see tracers and in this example the adver- sary team won the first engagement. At each stage, the simulated adversaries pro- ceed toward their target with realistic time increments for each task, and the simu- lated guard force responds to signals from sensors and encounters with the adversaries. When there is a failure of the protective system, upgrades to the guard force or the physical systems may be considered and tested cheaply and efficient using this tool. DISCUSSION The discussion addressed the flexibility and validation of Parks’ model. He noted that he has compared his results for a Sandia facility to some results from JCATS, the standard modeling and simulation tool used in the United States, but he and his team have not compared results to an historical battle. On a related point, Robert Kuckuck mentioned in earlier remarks that people who switch from active duty military service with an exciting environment to work- ing as a guard can tend to become bored with guard duty at an installation where attacks seldom happen. Paul Nelson asked whether STAGE could account for the effect of such behavior on effectiveness of the guard force. Parks replied that his team generally simulates a fully functional system and not factors like com- placency amongst guards, although they can introduce either random or likely delays in response times (e.g., to simulate a guard who was asleep) or reduced performance, but he noted that they generally do not have data to show how frequently that happens. Other participants noted that artificial intelligence has been applied to image analysis or visual analytics, and there are tricks to miti- gate complacency, such as having the software intentionally display false alarms, showing an image of a threat object that is not there, as a way of main- taining a certain level of attention. Participants asked how physical security systems distinguish different kinds of threats and interlocutors. The example of protestors at the Kudankulam Nuclear Power Plant, who have blockaded the gates and at one point approached the plant with a small flotilla of rafts and boats, raised questions about the kinds of threats to these facilities. Are activitists and protestors in the same category of malicious and malevolent actors, like terrorists, seeking to steal nuclear material or sabotage a nuclear facility? The speakers noted that we cannot know what is in the mind of a person approaching a facility. Potential saboteurs can utilize a protest by, for example, mixing with activists and demonstrators to can gain entry. That is why the IAEA and governments see protests as a potential threat. Participants asked who in the Government of India and in the U.S. Gov- ernment is responsible for security of these facilities. Kumar replied that the Atomic Energy Regulatory Board (AERB) ensures the design of security aspects

OCR for page 59
Physical Security at Civilian Nuclear Facilities 69 at civilian nuclear facilities. Other nuclear installations, such as BARC, are un- der the Department of Atomic Energy (DAE), not AERB. Insider threats were described as perhaps the most critical or the most dangerous threats and a participant noted that most attacks on military facilities in India have been abetted by an insider. With that in mind, what follow-up or on-going verification is conducted on the reliability of an employee after the initial background check? Kumar explained that in India the background verifi- cation is a continuous process, with reverification if an official takes up a new assignment or any classified project. Both Indian and American respondents noted that it is the responsibility of managers to continuously observe the behav- ior of their staff and report if there is a change in the behavior. One participant noted that it is very difficult to affirmatively point out an issue and have agen- cies look into the matter, and even harder to terminate the employee because concrete evidence is hard to obtain. Typically employees are just moved from a sensitive job to a non-sensitive job. Another participant asked whether surveillance technologies can help to identify and “get into the mind of” a bad actor. Are there any breakthroughs on how we actually make an assessment when we screen a person and what we do with that screening? Kumar stated that besides the so-called usual measures, there are technical measures—not for monitoring but for neutralizing threats. An Israeli company has developed a questionnaire that it claims can screen for a tendency to deviate from normal behavior. Philip Gibbs was not optimistic about the psychological testing because historically it has not always performed well. At a World Institute of Nuclear Security conference, there were lessons shared from the diamond and gold mining industries and applied to the nuclear industry. Among them was the guideline “separate people and gold,” which suggests that eliminating the person from the equation entirely at all, where they do not have access to the target or they have access only for a minimal amount of time, may be the most promising strategy. A participant asked about past U.S.-Indian cooperation on training and other physical security matters. Sandia has conducted international training courses starting back in 1979 or 1980. From that first group onward, DAE has participated, as have some experts from other agencies such as the Ministry of Home Affairs. An Indian delegation visited Sandia’s integrated training facility in July 2012. In a discussion about sensors, such as infrared sensors deployed to detect people approaching a nuclear facility, an Indian participant asked whether India develops its own sensors and whether India has access to foreign suppliers. Ku- mar answered that in some cases India uses foreign commercial off-the-shelf components and then adapts and integrates those components for India’s needs. For thermal cameras, this has been the practice and India is now developing such cameras in Mumbai. The protective force for civilian nuclear facilities is the CISF, which is a paramilitary force deployed for protection of several kinds of industrial facili- ties, including airports. In recognition that protecting nuclear facilities is differ-

OCR for page 59
70 India-U.S. Cooperation on Technical Aspects of Civilian Nuclear Materials Security ent from protecting some other kinds of sites, a set of CISF personnel is rotated among the nuclear installations. They are not kept in one place for more than a certain number of years. Michael O’Brien asked then how integrated the facili- ty personnel are with CISF in performing vulnerability analyses. Kumar ex- plained that CISF is part of the response force, so those forces are part of the analysis, and the CISF organization (as distinguished from the guards) is in- volved in audits and any regulatory review process, including analysis of the DBT.