The key issues noted here are some of those raised by individual workshop participants, and do not in any way indicate consensus of workshop participants overall.
• Nuclear security has three distinct steps: (1) define the requirements, (2) design the physical protection system based on the requirements, and (3) evaluate the physical protection system to assess whether it meets the performance requirements.
• The most difficult adversaries to address using the physical protection system are terrorists, but activists and demonstrators are also difficult because of the ambiguity of their actions and intentions.
• The insider threat is a worldwide concern for nuclear security because an adversary with a colluding insider is very dangerous.
• The vulnerability assessment process can be divided into three broad phases: characterization (target identifications); analysis (identifying vulnerabilities); and neutralization and system effectiveness.
Promising Topics for Collaboration Arising from the Presentations and Discussions
These promising topics for collaboration arising from the presentations and discussions are not those representing the consensus of the participants, but are rather a selection of those topics offered by individual participants throughout the presentations and discussions.
• To address the growing demand and diverse technology requirements, standardization may be an area for joint discussion because it is essential for benchmarking and for cost-effective systems.
• Potential saboteurs can utilize a protest by mixing with activists and demonstrators who could gain entry. Understanding how to address materials security in these scenarios is an area of potential discussion for U.S. and Indian experts.
Technologies and Physical Security of Nuclear Materials: An Indian Perspective
Ranajit Kumar described technologies for physical security of nuclear material (see Table 3-1). He began by noting that India’s commitment to security of nuclear material comes from the highest levels of the government, illustrated by the statement made by Prime Minister Manmohan Singh explaining that the Indian Atomic Energy Act1 provides the legal framework for securing nuclear materials and facilities and committing India to developing a Global Centre for Nuclear Energy Partnership, one element of which will be a school for nuclear materials security. In addition, India is a party to the Convention on the Physical Protection of Nuclear Material and its 2005 amendments.2
The major concern about nuclear material primarily derives from the fact that it can be used to make nuclear explosive devices, which can be highly catastrophic. Nuclear sabotage, a major concern for nuclear facilities like nuclear power plants, can also be catastrophic. A dirty bomb or radiological dispersal device is not a weapon of mass destruction, but a weapon of “mass disruption.” Nuclear security has five key components, according to the Nuclear Threat Initiative: quantity and sites, security and control measures, global norms, domestic compliance
TABLE 3-1 Potential targets worldwide that require nuclear security. Compiled by Kumar from International Atomic Energy Agency data.
|Number of items||Type of Item|
|3000||tons civil and military HEU and Pu|
|480||research reactors (>160 with HEU)|
|100||fuel cycle facilities|
|440||operating nuclear power plants|
|100000||Cat I and II radioactive sources|
|1000000||Cat III radioactive sources|
2 IAEA. 1980. Convention on the Physical Protection of Nuclear Materials. Available at: http://www.iaea.org/Publications/Documents/Conventions/cppnm.html. Accessed September 20, 2013.
and capacity, and societal factors.3 Kumar focused on security and control measures noting that nuclear security is more than gates, guns, and guards.
Nuclear security has three distinct steps: define the requirements, design the physical protection system based on the requirements, and evaluate the physical protection system to assess whether it meets the performance requirements (see Figure 3-1). The third step feeds back into the second step so that if the system does not meet the end objective of neutralizing the adversary with a certain probability, the physical protection system can be adjusted or redesigned.
The first step is to define the requirements of the physical protection system. This step includes characterizing the facility, identifying the targets that need to be protected, and defining the threat the system must protect against. A graded approach is taken in target identification. The International Atomic Energy Agency (IAEA) has categorized nuclear material (Category I through III; see IAEA Information Circular 225/Rev 5)4 according to handling requirements. For unirradiated
FIGURE 3-1 Diagram of the design and evaluation process outline (DEPO). SOURCE: Kumar, 2012.
3 Choubey, Deepti, Sam Nunn, Joan Rohlfing, Page Stoutland. 2012. NTI Nuclear Materials Security Index: Building a Framework for Assurance, Accountability and Action. Available at: http://www.nti.org/analysis/reports/nti-nuclear-materials-security-index/. Accessed September 3, 2013.
4 Nuclear Security Recommendations on Physical Protection of Nuclear Material and Nuclear Facilities (INFCIRC/225/Revision 5). IAEA Nuclear Security Series No. 13. Available at: http://www-pub.iaea.org/MTCD/publications/PDF/Pub1481_web.pdf. Accessed September 3, 2013.
material, the category is based on the hazard of the material or its perceived value to a malefactor, which in turn is based on its utility in making a nuclear explosive and the quantity that is present. For example, unirradiated plutonium in quantities of 2 kg or more qualify as Category I. Most nuclear power plants use Category III nuclear material, except for some research reactors.
There are several considerations in defining the threats that the system must protect against. The threats may include thieves, saboteurs, terrorists or protesters. For any adversary, the requirements include how many people are involved; whether it involves outsiders, insiders, or a combination of the two; the motivation (ideological, economic benefit, or something else), and; objective or intention (e.g., are they interested in sabotaging a plant to disrupt the power plant, to disrupt the power production, or is their intention to take the nuclear material?). The threat definition also includes the adversary’s tactics (force, deceit or stealth) and capabilities (numbers, training, knowledge, weapons, equipment). The various aspects of the threat are summarized in the form of what is called the design-basis threat (DBT). India has a national DBT for the design of physical protection systems for all civilian nuclear power applications and civilian nuclear facilities. The DBT is confidential for obvious reasons.
Kumar said that his initial perception was that the most difficult adversary to address using the physical protection system would be terrorists, but he understands now that even activists and demonstrators are difficult because of the ambiguity of their actions and intentions. That said, the insider threat is a worldwide concern for nuclear security because an adversary with a colluding insider is very dangerous. They can be internally motivated or externally coerced, passive or active, and nonviolent or violent.
After defining the requirements comes the design phase. Based on the national DBT, a local and facility-specific threat document is prepared because there are certain threat elements that are specific to a particular locality, a particular region, or a particular state. All facilities are required to prepare their facility-specific DBT document and the physical protection system is designed to that threat.
There are three elements of the physical protection system: detection, delay, and response. Detection can be carried out by intrusion sensing (exterior and interior) and by entry control and other methods. Typical sensors include infrared thermal cameras with video analytics. Another tool is to look for objects that are not permitted—for example, explosives—to detect threats to the facility. Entry control is used for the purpose of allowing authorized personnel to gain access to the facility to carry out their normal duties and requires both identity validation and access control.
The target should be protected in such a way that the system provides a certain minimum delay to the adversaries to reach, gain access to, and either sabotage or take the target. In theft scenarios, the facility protectors have both the time to reach the target and the time it takes the adversary to leave the facility. The delay elements are walls, structures, barriers, including active barriers or dispensable barriers (e.g., slippery or sticky foams). For delay to be effective,
the protection system should detect an adversary action as early as possible and notify the response teams.
The Central Industrial Security Force (CISF) under the Ministry of Home Affairs is the primary response force for nuclear facilities in India. They have a separate set of training requirements and weapon qualifications for guarding nuclear facilities. Depending on the requirements, the local police and some of the national response forces also may be called upon.
Kumar noted that most of the technologies that are deployed in Indian nuclear installations for nuclear material security, as well as for nuclear facility security, are developed in-house by either the Bhabha Atomic Research Centre (BARC) or Electronics Corporation of India, Limited. They are designed to particular specifications because of the need for reliability given that some elements can compromise the security of a nuclear installation if they do not function properly.
BARC has also designed security systems for non-nuclear facilities, applying the systems engineering approach used for nuclear facilities to other installations. For example, BARC designed security for the Indian Parliament and some of the same design principles, such as for vehicle barriers, were taken from nuclear facilities.
Nuclear material control and accounting is another major component of nuclear material security. This system is the first to detect whether there is any diversion of nuclear material occurring. The Indian Department of Atomic Energy has the nuclear material accounting group, which is responsible for carrying out the nuclear material and accounting.
In the inner layer where the nuclear material is stored, some of the physical protection techniques, such as the two-man rule to open locks, are applied. Similarly, there are several electronic locks designed indigenously that are used. Material is guarded by using indigenously developed electronic seals for storage containers and portals for detection of nuclear material in personnel monitoring. Kumar noted that BARC has also developed other radiation detectors primarily for border applications (i.e., to detect illicit trafficking), and handheld detectors for searches. The government of India mandated that the portals be installed across all of India’s airports and seaports. So far, they are deployed in a couple of seaports.
The moment one utilizes any network-based system, it is vulnerable to an attack from external sources and they can gain access. That is why information security is an integral part of the program (see Figure 3-2). India has developed a secure messaging and voice communication device that sits within a mobile device and helps communicate in a secure manner, both for messaging and voice communication. India has requirements for both safety and security of nuclear material transport.
India does real-time tracking of secure vehicle transportation using its geostationary satellite. The system also utilizes the local Global System for Mobile Communications or Code Division Multiple Access (CDMA) mobile communication network. They are completely tracked within India from a central monitoring station.
FIGURE 3-2 Conceptual diagram of the elements and interconnections of information security. SOURCE: Kumar, 2012.
Finally, Kumar said, all of these elements are combined in an integrated physical protection system (PPS). An integrated PPS is in place at all nuclear installations and is a prerequisite for new builds. The requirement is to address nuclear security using the right mix of security hardware, procedures, and properly trained personnel. One without the other makes the system incomplete. Further, the systems cannot be kept in isolation; they have to interact with each other. But they must be kept secure, particularly when the whole system is becoming network-centric.
Technology has been one of the central aspects of nuclear material security. To address the growing demand and diverse requirements across India, Kumar said his team strives for standardization and, as much as possible, a standardized process, which is essential for benchmarking and cost-effective systems.
Technologies and Physical Security of Nuclear Materials: A U.S. Perspective
Jordan Parks began by stating that modeling and simulation for physical protection was first done in the late 1980s when the U.S. Air Force began using a tool from Lawrence Livermore National Laboratory called SEES, which simulated force-on-force exercises. The tool evolved into Joint Teclmical Simulation (JTS) and later into Joint Conflict and Tactical Simulation (JCATS). JCATS was
really the first complete toolkit for modeling and simulation of physical security, and in 1997, it was approved as the official tool for this purpose in the United States. It was used for the Department of Energy, the Department of Defense, the Nuclear Regulatory Commission, the National Security Agency, and the North Atlantic Treaty Organization, as well as some critical infrastructure applications within the Department of State. Most new tools for this purpose today come from commercial industry, but no new tool has replaced JCATS.
In the 1990s, Sandia National Laboratory created a modeling and simulation vulnerability analysis (VA) lab that became the gold standard for VA across the nuclear weapons complex. This lab did both analysis and training. The analyses are based on actual performance determined by testing. Another important aspect of Sandia’s approach is the use of subject-matter experts (detection experts, delay experts, etc.) at every level of the simulations to give the highest level of fidelity possible.
Sandia decided to develop modeling and simulation tools for international customers with similar goals, but for different targets, such as critical infrastructure in civilian sites where there were multiple targets versus one highly important target. A lot of the tools in industry do not address issues of multiple targets or multiple paths for attack. When using the same performance-based approach, Sandia had to deal with issues of security classification, but the data for the analysis have to be appropriate to the customer.
Finally, Sandia needed to develop a program that would support its own physical facilities, including one that stored Category I nuclear material. Sandia no longer stores Category I material and that facility is now a kind of museum and training ground to teach physical security.
The VA Process
The VA process can be divided into three broad phases. The first is characterization: Target identifications and whether the target can be stolen or is a sabotage target. What does the threat look like? What are the relevant aspects of the facility (fences, detection systems)? What does the protective force or proforce look like and how is it trained? What are the tactics? How long does it take the pro-force to get from point A to point B?
Next is the analysis phase. Looking at paths, what is the most vulnerable path from the outside of the facility to the target? What knowledge, resources, or actions might an insider provide that creates vulnerabilities for the facility?
The third phase addresses neutralization and system effectiveness. Using the inputs from the earlier phases, this is where Sandia applies modeling and simulation. Given a detected adversary, given that guards have engaged the fight, what are the chances that the defenders are going to win that fight? That is what the Sandia modeling and simulation tools address, and the results of those simulations help the facility manager or overseer know how effective the system is at countering adversaries.
Moving to evaluation, a facility that achieves acceptable system effectiveness can move into quality assurance and maintenance, making sure to keep a high standard of effectiveness. Those that do not achieve highly enough turn to upgrades to remedy the weaknesses of the system. Then the cycle is repeated to assess and evaluate the upgraded system.
Tools for Analyzing Effectiveness of Protective Systems
There are several ways to conduct combat effectiveness analysis, Parks said. First, there are tabletop or map exercises. These are some of the most common ways of doing analysis, convening subject-matter experts from the site and from the defense forces around a table and war-gaming or working through different scenarios. The strength of this tool is that it gets everyone involved. The rules of engagement can be enforced and the set of scenarios can be limited to those that are plausible.
Limited-scope performance tests, another type of combat effectiveness analysis, test individual pieces of the system—a specific sensor, a specific response time, how long it takes a guard to move from this point to this point—to obtain reliable data for simulation.
Force-on-force may be the highest-fidelity type of exercise, where the security forces war-game through scenarios with Multiple Integrated Laser Engagement System gear, which is essentially elaborate laser tag equipment. Force-on-force is an incredibly expensive and time-consuming type of simulation, Parks said, and the quantity of data are limited. The exercise might be run two or three times. The exercise is an effective training tool for the protective force, but data are too sparse for statistical analysis and system performance assessment.
Constructive simulation utilizes computer models of the facility, the environment, and the protective force and adversaries to evaluate security. The first set of tools is called human-in-the-loop: real people behind computer screens control the behaviors of entities within a simulation; people playing adversaries and people playing defense forces. This is a highly flexible toolkit, much cheaper than force-on-force exercises, and provides more data, but it still requires a week of 15 to 20 analysts’ work. Also, as the participants learn from one iteration to the next, they try to game the system, which undermines the independence of the runs: An adversary should not have several attempts.
Finally, there are single-analyst tools that enable one person to build the scenario, build the terrain, build the behavior for the actual entities, press “Play,” and allow the computer to run the simulations. These were the focus of the remainder of Parks’ talk. Such tools can be more objective in that once the features of the system are set, no humans make decisions, so the results are reproduceable. They can produce large amounts of data. But one is required to have strong artificial intelligence, strong behavioral models, because the aim is to simulate human behavior with no humans involved, which can lead to challenges.
For single-analyst tools to work, the tool needs the ability to build virtual facilities, to build models in three dimensions, utilize artificial intelligence to simulate human behavior, maintain a complex set of behaviors all working collectively, and if possible create visualizations in three dimensions.
Simulation Toolkit and Generation Environment (STAGE)
Parks described a tool called STAGE, which stands for simulation toolkit and generation environment. STAGE is a commercial, off-the-shelf tool from a Canadian company called Presagis. The tool can be purchased in almost every country in the world. It consists of four main tools. STAGE is the simulation tool. Creator Pro is where the user builds buildings and models. AI. implant is a plug-in toolkit that runs artificial intelligence behind the scenes. Terra Vista is the terrain-modeling tool, which can take in high-fidelity geographic information system data and quickly and efficiently build three-dimensional models and terrains for our simulations.
STAGE has a logic-based behavior model consisting of “if/then” statements in a vast library of possible behaviors. Parks said that his team has yet to find a behavior that cannot be simulated in STAGE, and he said that any analyst can learn how to use the tool and build this, without writing code.
AI. implant conducts dynamic path planning, which enables entities in the simulation to navigate between their present positions and their objectives without the user preplanning every action that they can do. The entities navigate around each other and around buildings intelligently. This, coupled with a probability-based combat model and performance-based databases give the user the simulation. Sandia’s team has customizable functions that adjust for sensor performance and weapons performance
Because the package runs independently, it can be run in batch mode: 10, 20, 100 runs overnight yielding a large repository of data on the scenarios that played. It can also be run in federation, communicating with other simulations at runtime. For example, STAGE can simulate the adversary force based on artificial intelligence and have actual guards from the facility control protective force in an interactive simulation for training.
With STAGE, a user can simulate each piece of the physical protection system, examining the sensitivity of the system’s performance to the performance or that component (a sensor) or subsystem (command and control or situational awareness). The same can be done for the threat. Sandia is beginning to assess insider threats using these models. But it is mostly used in training and in calculating neutralization in overall physical protection analysis and system effectiveness. Sandia has also used STAGE to evaluate the value of potential upgrades.
Parks showed a video clip illustrating the simulations of the Sandia demonstration facility. As the simulation proceeded, viewers saw computer animation of an adversary team breaching barriers at the boundary of a facility and moving to
inner fences, through doors, through the rooms in a building, and then engaging the guard force. Throughout, the tool notes when and where sensors detect the intruders. In the engagements viewers see tracers and in this example the adversary team won the first engagement. At each stage, the simulated adversaries proceed toward their target with realistic time increments for each task, and the simulated guard force responds to signals from sensors and encounters with the adversaries. When there is a failure of the protective system, upgrades to the guard force or the physical systems may be considered and tested cheaply and efficient using this tool.
The discussion addressed the flexibility and validation of Parks’ model. He noted that he has compared his results for a Sandia facility to some results from JCATS, the standard modeling and simulation tool used in the United States, but he and his team have not compared results to an historical battle. On a related point, Robert Kuckuck mentioned in earlier remarks that people who switch from active duty military service with an exciting environment to working as a guard can tend to become bored with guard duty at an installation where attacks seldom happen. Paul Nelson asked whether STAGE could account for the effect of such behavior on effectiveness of the guard force. Parks replied that his team generally simulates a fully functional system and not factors like complacency amongst guards, although they can introduce either random or likely delays in response times (e.g., to simulate a guard who was asleep) or reduced performance, but he noted that they generally do not have data to show how frequently that happens. Other participants noted that artificial intelligence has been applied to image analysis or visual analytics, and there are tricks to mitigate complacency, such as having the software intentionally display false alarms, showing an image of a threat object that is not there, as a way of maintaining a certain level of attention.
Participants asked how physical security systems distinguish different kinds of threats and interlocutors. The example of protestors at the Kudankulam Nuclear Power Plant, who have blockaded the gates and at one point approached the plant with a small flotilla of rafts and boats, raised questions about the kinds of threats to these facilities. Are activitists and protestors in the same category of malicious and malevolent actors, like terrorists, seeking to steal nuclear material or sabotage a nuclear facility? The speakers noted that we cannot know what is in the mind of a person approaching a facility. Potential saboteurs can utilize a protest by, for example, mixing with activists and demonstrators to can gain entry. That is why the IAEA and governments see protests as a potential threat.
Participants asked who in the Government of India and in the U.S. Government is responsible for security of these facilities. Kumar replied that the Atomic Energy Regulatory Board (AERB) ensures the design of security aspects
at civilian nuclear facilities. Other nuclear installations, such as BARC, are under the Department of Atomic Energy (DAE), not AERB.
Insider threats were described as perhaps the most critical or the most dangerous threats and a participant noted that most attacks on military facilities in India have been abetted by an insider. With that in mind, what follow-up or on-going verification is conducted on the reliability of an employee after the initial background check? Kumar explained that in India the background verification is a continuous process, with reverification if an official takes up a new assignment or any classified project. Both Indian and American respondents noted that it is the responsibility of managers to continuously observe the behavior of their staff and report if there is a change in the behavior. One participant noted that it is very difficult to affirmatively point out an issue and have agencies look into the matter, and even harder to terminate the employee because concrete evidence is hard to obtain. Typically employees are just moved from a sensitive job to a non-sensitive job.
Another participant asked whether surveillance technologies can help to identify and “get into the mind of” a bad actor. Are there any breakthroughs on how we actually make an assessment when we screen a person and what we do with that screening? Kumar stated that besides the so-called usual measures, there are technical measures—not for monitoring but for neutralizing threats. An Israeli company has developed a questionnaire that it claims can screen for a tendency to deviate from normal behavior. Philip Gibbs was not optimistic about the psychological testing because historically it has not always performed well. At a World Institute of Nuclear Security conference, there were lessons shared from the diamond and gold mining industries and applied to the nuclear industry. Among them was the guideline “separate people and gold,” which suggests that eliminating the person from the equation entirely at all, where they do not have access to the target or they have access only for a minimal amount of time, may be the most promising strategy.
A participant asked about past U.S.-Indian cooperation on training and other physical security matters. Sandia has conducted international training courses starting back in 1979 or 1980. From that first group onward, DAE has participated, as have some experts from other agencies such as the Ministry of Home Affairs. An Indian delegation visited Sandia’s integrated training facility in July 2012.
In a discussion about sensors, such as infrared sensors deployed to detect people approaching a nuclear facility, an Indian participant asked whether India develops its own sensors and whether India has access to foreign suppliers. Kumar answered that in some cases India uses foreign commercial off-the-shelf components and then adapts and integrates those components for India’s needs. For thermal cameras, this has been the practice and India is now developing such cameras in Mumbai.
The protective force for civilian nuclear facilities is the CISF, which is a paramilitary force deployed for protection of several kinds of industrial facilities, including airports. In recognition that protecting nuclear facilities is differ-
ent from protecting some other kinds of sites, a set of CISF personnel is rotated among the nuclear installations. They are not kept in one place for more than a certain number of years. Michael O’Brien asked then how integrated the facility personnel are with CISF in performing vulnerability analyses. Kumar explained that CISF is part of the response force, so those forces are part of the analysis, and the CISF organization (as distinguished from the guards) is involved in audits and any regulatory review process, including analysis of the DBT.