From the Special International Workshop on Global Best Practices in Physical Protection held June 14 – 18, 2004, Prague, Czech Republic
The Design and Evaluation Process Outline (DEPO) (see Figure 1) structures and encompasses the best practices in physical protection of nuclear material.
Figure 1. Design and evaluation process outline.
PP1. Determine PPS (physical protection system) objectives.
Understanding the protection objectives is essential to adequately protect vital portions of a facility or to avoid overprotection of nonessential components.
The cost of over-design can be significant, and inadequate protection can unknowingly expose society and the world to a risk that is too high. Defining the acceptable risk is based on identifying the threat and determining the target(s) the facility is going to protect and the consequences of their loss or sabotage.
To accomplish this, the analyst or designer must understand the characteristics of the facility. Each state's physical protection regime should be based on a regularly updated evaluation of the credible threat to nuclear facilities in their country, reflecting the capabilities and intentions of potential adversaries. The targets in the facility must be identified. Each state, region, or facility needs to determine the risk they are willing to accept for each target classification.
The facility needs to be characterized as to its structure, authorized entry/exit points, weaknesses in other unauthorized entry/exit points, locations of material of interest or components of interest, understanding of nearby terrain, natural barriers that might exist, and other features which can impact a PPS design.
Each state, region, and site is responsible for identifying the threat it is trying to protect against. This definition of the threat and its capabilities is important when designing the physical protection system needed to neutralize the threat. The threat assessment by the state leads to a design basis threat (DBT) for a class of facilities, which is the subset of the threat assessment the facility is responsible for protecting against. The DBT determines the performance needed from the security system for a specific facility and what the system will be evaluated against. It also provides a basis to assess changes in threat levels.
Best practices for defining threats:
- The state must understand how many adversaries make up the threat; the PPS that protects nuclear material against theft and sabotage by a group of four adversaries will be very different from one that protects against 24 adversaries.
- The state must understand the capabilities of the threat, including:
  - Method of attack
  - Knowledge of facilities
  - Insider cooperation
- The state must understand the motivation of the adversary identified in the threat; motivation may help define the credibility or the probability of an attack occurring.
- Probability of attack must be considered over a given time, such as the life of the facility. If the life of the facility is long enough, the probability of an attack occurring approaches 1.
- In identifying the threat, the state needs to collect information from as many credible sources as possible, including national intelligence and other state, regional, and local sources.
- Each state's PPS should be based on a regularly updated evaluation of the credible threat to nuclear facilities or nuclear materials in their country, reflecting the capabilities and intentions of potential adversaries; this is commonly called a "threat assessment."
- The DBT is generally a subset of the credible threat assessment for the facility. The part of the threat assessment that is not assigned to the facility in its DBT will either be covered by other state resources or accepted as risk.
- The International Atomic Energy Agency has workshops on DBT and Target Identification processes. These workshops help the participants to look to the future, yet be credible (acts, attack modes, motivations, and weapons).
Identify the targets
After the threat is defined, the state needs to identify the targets of concern. These may be state level targets such as reactors, processing facilities, and storage facilities. Each of these high-level targets also has specific nuclear material targets that need to be identified and protected.
Best practices for identifying targets:
- Determine the attractiveness of the material to the adversary.
- Identify the physical form of the material. Determine if it is in a physical form where the adversary can take it easily without special tools. In particular, consider if the material is portable or if it is difficult to transport.
- Consider ways to reduce the market for such materials (the material might be easy for an adversary to use or sell because it is in high demand).
- Material vulnerable to theft requires a "containment" protection strategy; material vulnerable to sabotage requires a "denial" protection strategy.
- Consider the consequences of a stolen or sabotaged target. A consequence table that includes the economic situation of the state or region may be valuable.
- Consider the robustness of the target and if the target is self-protecting. High radiation may protect from theft, but may make it attractive for sabotage.
- Consider how complex the task would be for the adversary to steal or sabotage the target.
- Every facility should use a structured process for identifying targets they would like to protect, such as fault tree analysis.
Regulations and Risk Management
If the risk analysis process is to be used to determine the adequacy of the facility PPS design, the designers must know the level of risk that the competent or licensing authority is going to accept. The level of acceptable risk should be determined by the regulators or the state's competent authority. One method for determining risk at a facility is (a) doing a fault tree analysis to identify the sabotage and theft targets, (b) developing a consequence table for these targets, (c) performing computer modeling to determine the effectiveness of their PPS, and (d) applying the risk equation.
Best practices for risk management:
- Implement international norms.
- Perform iterative site analysis.
- Learn as much as possible from others' experience.
- Determine worst-case scenarios.
- Have trained/qualified personnel determine risk.
- Run tabletop exercises and force-on-force exercises involving all elements (including guards, response forces, and management).
- Make the risk scalable, graded, and credible based on information on the probability of attack.
- Estimate the physical protection system effectiveness using a conservative approach that is based on the full design basis threat with the adversaries using their optimal path, strategy and scenarios, and the associated conservative system performance data.
PP2. Design/Characterize PPS
Physical protection of nuclear materials and facilities should incorporate elements of deterrence (signs, lighting, visual robustness, etc.), detection (exterior perimeter sensors, door and interior intrusion sensors, television surveillance, personnel access control systems, material screening systems, alarm stations, etc.), delay (fences, gates, vehicle barriers, doors, walls, and dispensable delays, etc.), response (unarmed and armed guards, highly trained special response forces, local law enforcement officers, in some cases detachments of the military, etc.), and mitigation (how to mitigate the consequences if theft or sabotage acts are successful). The sequential relationship of these functions, which should all be present, creates a stronger system.
Defense-in-depth for detection, delay, and response is a good practice. The existence of these layers requires an adversary to avoid or defeat a number of different protective devices in sequence in order to be successful. For example, an adversary might need to penetrate two or more separate barriers before gaining access to a reactor control room. The layered defense concept adds to a system's overall reliability by eliminating dependency on one barrier or system. Moreover, it deters the adversary by adding uncertainty, requiring different techniques and tools, and creating additional steps.
The subjects of deterrence and mitigation are not included in the DEPO process (see Figure 1). Deterrence is impossible to quantify and the DEPO process is aimed at creating a quantifiable level of risk. Mitigation is important in reducing the effect of the overall success of the adversary, but the primary responsibility of the PPS is to prevent the adversary from being successful. Still, mitigation is important, and if it is affected by operational procedures at a facility, the consequence of a successful adversary attack might be significantly reduced.
Best practices for deterrence:
- Make some protection elements visible to the adversary. These include warning signs, roaming patrols, clean facilities (reflects well run and well maintained), and good lighting.
- Promote the perception of a high level of security. This includes regular security exercises, which show the adversary that you are well trained and equipped to address the threat, and published propaganda talking about the high level of security at a facility.
- Publicize and enforce severe punishment for attempted theft or sabotage. This includes published information on those who have been punished for not following security rules and a state legal system that supports high security by prosecuting to the fullest any illegal activities involving nuclear materials.
Best practices for detection:
- Detection must occur early (before delay) to help the response force interrupt the adversary.
- The detection system must be properly installed and integrated.
- The system must have redundancy for critical elements.
- The design of the detection system should incorporate complementary technologies so that the adversary must use a variety of defeat methods.
- The detection system should have a low nuisance and false alarm rate with a high probability of detection.
- The system should be designed to detect tampering by the adversary.
- The system should be reliable and robust to the environment.
- The system should be maintained and that maintenance verified through testing.
- The detection system must be combined with a good assessment system (there is no detection without assessment).
- The detection system must be balanced so that the probability of detection is continuous around the target.
Best practices for delay:
- Delay should be accomplished by balancing the use of hardware and/or protective force personnel.
- The location of delay elements is important in a physical protection system. It is usually less expensive to place delay closer to the target being protected, which is typically desirable when trying to protect against theft of nuclear material. When sabotage is of concern, it becomes more desirable to place the delay hardware farther from the target being protected.
- The capabilities defined in the threat identification determine where delays are needed.
- Several delay technologies should be applied in the protection of nuclear material, forcing the adversary to bring a variety of tools to defeat each delay element.
- Delays should be integrated into the facility design, which will help minimize the effect delay systems have on safety features. Take advantage of design features associated with the facility.
- Validate the amount of delay time expected to be provided by delay hardware. This should be done by testing or simulation and modeling.
- Design the delay system to channel the adversary along specific paths. This will enable the response force to more effectively interrupt the adversary.
- Always provide detection before delay. Delay does not count until the adversary is detected because delay times are limited.
Best practices for response:
An effective physical protection system must include the element of response. The meaning of "response" or "response force" varies from country to country, and often even from facility to facility within a given country. Part or all of the response force may be located off site. The response force may include local and state police, national police, military forces, and dedicated highly trained response teams. INFCIRC/225 encourages states to "use armed guards to the extent that the laws and the regulations permit." Because of the variability in cultures and national approaches, it is difficult to generalize about the specific procedures or tasks the response force may be expected to perform. Regardless of differences in approach, the response force must prevent the adversary from accomplishing their objective. The response force must act on a clear legal basis, including having clear rules of engagement.
- All response force personnel must be part of a trustworthiness/reliability program.
- An integrated response plan must be developed that defines responsibility among enforcement agencies. An important aspect of this would be communications during the response.
- Exercises must be conducted to validate response force readiness; these should include:
  - Consistent evaluation of exercises
  - Defined performance criteria
  - Multiple enforcement exercises
- Response forces should receive regular training in weapons, physical fitness, tactics, etc. Training should be based on a performance based training program that directly addresses the threat as defined in the DBT. It is essential to have joint training of response forces from all agencies that may have to respond in case of emergency situations, including police and military. Recognize that response force personnel can be trained and qualified to a point that they can compensate for some deficiencies in the other design features of PPS.
- The response force equipment (such as guns, body armor, and explosives) must be capable of mitigating the threat identified by the DBT.
Best practices for mitigation:
- States and facilities should design emergency plans to respond to unauthorized removal of nuclear material or sabotage of nuclear facilities or materials. These plans should be tested and evaluated.
- Mitigating actions by the operational personnel should begin immediately upon indication from the security system that an attack on the facility is underway. These actions could be starting a shutdown process of the reactor, putting safety systems in automatic mode, locking doors, transferring control to remote locations, etc.
PP3. Analyze PPS Design
A PPS is a complex configuration of detection, delay, and response elements. Techniques must be applied to evaluate the physical protection system against the defined threat (DBT). For most analysis models, the targets and the series of actions against targets must first be identified for both theft and sabotage. These actions must then either be modeled, simulated, or exercised to determine the performance of the physical protection system of the facility. If computer models are used to determine performance, it is very important that the data used to represent detection, delay, and response for the facility be as accurate as possible.
Best practices for analysis:
- Computer software modeling and analysis allows looking at a single path and its associated detection, delay, and response, or looking at the entire facility and identifying the most vulnerable paths into the facility based on detection, delay, and response. This method provides the most information, but is only as good as the data put into it.
- A force-on-force exercise provides very good resolution on the effectiveness of the scenario selected, but this method is limited on the number of scenarios that can be run based on the human resources needed and the time and expense it takes to run each exercise.
- A tabletop exercise session allows several scenarios to be run with limited human resources. It does not provide the resolution on determining effectiveness that force-on-force provides, but it is less expensive and faster.
- Insider investigations should consider the human reliability program in place. These investigations can use the same analysis tools as are used for outsiders to analyze the effect of insider assistance or of insiders acting alone.
- Regularly scheduled performance tests on each element of the physical protection system are useful in determining the current effectiveness and potential degradation of hardware. Multiple and replicated data points (statistically supportable) should be used in the analysis for detection, delay, and response.
- Regulators and other outside audit organizations should run tests against the physical protection system. These tests are usually discrete in nature and only test individual components.
- Every change to the PPS must be reevaluated. Whenever the physical protection system is upgraded or components are replaced, performance tests must be conducted to validate that the component is providing the required capability.
- The personnel evaluating the physical protection system must be trained in physical protection fundamentals and be experts in evaluation techniques. Experts can be used from inside and outside the facility. There should be no involvement of people who do not have professional knowledge and experience.
- Assessment tools must be used in concert with each other, such as computer analyses using the results of performance tests and expert opinion.
- Analysis should be treated as a quality process that is documented, defensible, and under continual review.
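The three quantitative ideas on this page (the risk equation in the Regulations and Risk Management paragraph, "detection before delay" in the delay best practices, and single-path versus most-vulnerable-path analysis here) can be tied together in a small path model. The following Python is an added example, not code from the workshop summary or from any analysis tool it mentions. It assumes the commonly used form of the risk equation, R = P_A × (1 − P_E) × C with P_E = P_I × P_N, which the page does not spell out; it assumes that a layer's detection is timely only if the delay still ahead of the adversary at that moment is at least the response force time; it treats the layers as independent detection opportunities; and all facility data (layers, P_D values, delay times, response time, consequence, acceptable risk) are constructed for illustration.

```python
from dataclasses import dataclass
from math import prod


# Constructed model and data; not taken from the workshop summary.
# A Layer is one protection element on an adversary path, listed outside-in.
@dataclass(frozen=True)
class Layer:
    name: str
    p_d: float                 # probability the layer detects AND assesses the adversary (0..1)
    delay_s: float             # delay the element imposes, in seconds (validated by test or model)
    detect_first: bool = True  # True: sensor is encountered before the barrier's delay


def timely_detection(path, response_time_s):
    """Probability of interruption P_I for one path, plus the index of the
    critical detection point (the last layer at which detection is still timely).

    Detection at a layer is timely only if the delay still ahead of the adversary
    when detection can occur is at least the response force time. Layers are
    treated as independent detection opportunities (an assumption)."""
    n = len(path)
    # remaining[i]: total delay from layer i (inclusive) to the target
    remaining = [0.0] * (n + 1)
    for i in range(n - 1, -1, -1):
        remaining[i] = remaining[i + 1] + path[i].delay_s
    critical = None
    for i, layer in enumerate(path):
        # If the barrier is passed before its sensor fires, that layer's own delay
        # is already spent at detection time and does not count toward response.
        ahead = remaining[i] if layer.detect_first else remaining[i + 1]
        if ahead >= response_time_s:
            critical = i
    if critical is None:
        return 0.0, None
    p_missed = prod(1.0 - path[i].p_d for i in range(critical + 1))
    return 1.0 - p_missed, critical


def pps_effectiveness(path, response_time_s, p_n):
    """P_E = P_I * P_N: interruption followed by neutralization (assumed form)."""
    p_i, _ = timely_detection(path, response_time_s)
    return p_i * p_n


def risk(p_a, p_e, consequence):
    """R = P_A * (1 - P_E) * C (assumed form of the risk equation)."""
    return p_a * (1.0 - p_e) * consequence


def evaluate_paths(paths, response_time_s, p_n, p_a, consequence, acceptable_risk):
    """Score every path; return {name: (P_I, P_E, R, acceptable)}."""
    out = {}
    for name, path in paths.items():
        p_i, _ = timely_detection(path, response_time_s)
        p_e = p_i * p_n
        r = risk(p_a, p_e, consequence)
        out[name] = (p_i, p_e, r, r <= acceptable_risk)
    return out


def most_vulnerable_path(paths, response_time_s, p_n):
    """Path with the lowest P_E: the one a conservative analysis must design to."""
    return min(paths, key=lambda k: pps_effectiveness(paths[k], response_time_s, p_n))


# Constructed facility: two paths to a single theft target (a material vault).
FENCE = Layer("perimeter fence + sensors", p_d=0.9, delay_s=30)
VAULT = Layer("vault door", p_d=0.9, delay_s=180)
PATHS = {
    # sensor on the door, so detection precedes the door's delay
    "main portal": [FENCE, Layer("building door", 0.8, 120), VAULT],
    # interior sensor behind the hatch: the hatch is defeated before detection
    "roof hatch": [FENCE, Layer("roof hatch", 0.5, 120, detect_first=False), VAULT],
}
RESPONSE_TIME_S = 240.0  # response force time, assumed
P_N = 0.9                # probability of neutralization given interruption, assumed
P_A = 1.0                # conservative: attack probability over the facility life ~ 1
CONSEQUENCE = 1.0        # relative consequence from a (constructed) consequence table
ACCEPTABLE_RISK = 0.15   # threshold a competent authority might set, assumed

if __name__ == "__main__":
    results = evaluate_paths(PATHS, RESPONSE_TIME_S, P_N, P_A, CONSEQUENCE, ACCEPTABLE_RISK)
    for name, (p_i, p_e, r, ok) in results.items():
        print(f"{name:12s} P_I={p_i:.3f} P_E={p_e:.3f} R={r:.3f} acceptable={ok}")
    print("most vulnerable path:", most_vulnerable_path(PATHS, RESPONSE_TIME_S, P_N))
```

The two constructed paths carry identical delay totals, but on the roof-hatch path the hatch is defeated before its sensor fires, so that 120 s of delay is already spent when detection occurs and the critical detection point falls back to the fence. That single placement difference drops P_I from 0.98 to 0.90 and pushes the computed risk above the assumed threshold, which is the "delay does not count until the adversary is detected" rule in numbers; moving the hatch sensor outward (detect_first=True) brings P_I to 0.95 and the risk back under the threshold.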