Text

.}s

}

r

~

UNITED STATES

[,..sg '7o NUCLEAR REGULATORY COMMiss!ON WASHINGTON, D. C. 20555 1

s., 7 g

)

y s

e

%.7[.. #

AUG f120 MEMORANDUM FOR: William J. Dircks, Director Office of Nuclear Material Safety and Safeguards Harold R. Denton, Director Office of Nuclear Reactor Regulttion Victor Stello, Jr., Director Office of Inspection and Enforcement Robert B. Minoque, Director Office of Standards Development FRCM:

Robert J. Budnitz, Director Office of Nuclear Regulatory Research

SUBJECT:

RESEARCH INFCRMATICN LETTER NO. D "ISEM" ADVERSARY SEQUENCE EVALUATION MODEL Introduction Tnis memorandum transmits the cceputer program and cocumentation (Ref.1) of ccmpleted research on the Insider Safeguards Effectiveness Model (ISEM), which is part of a continuing NRC research activity entitled " Effectiveness Evaluation Methods for Fixed-Site Physical Protection." The study was performed by Sandia National Laboratories, Albuquerque, New Mexico, and was jointly sponsored by the NRC and the DOE. Support of this work by the Office of Nuclear Regulatory Research (RES) was motivated by a research request (NMSS-77-1) coordinated among i

your offices, identifying a need for evaluative methods for fixed-site theft and sabotage prevention systems. Documentation (Refs. 2-5) concerning ISEM during its development has previously been made available throughout the NRC.

The purpose of this study was to develop a methodology for analyzing fixed-site security systems as to their effectiveness against threats posed by insiders (i.e., adversaries having authorized access to the facility), only one of whom may take forcible action. Analysis considerations may include trade-offs in-volving on-site and off-site response forces and response times, perimeter system alanns, barrier configurations, and the sensitivity of system effective-ness to guard utilization (numbers, stationing, weaponry, competence, and deployment in response to alarms). The model provides a framework for performing 8104220 D

,.. A.. 4. L. -

.c..'2.__._.

. Addressees inexpensihestudiesrelatedtofixed-sitesecuritysystems,forevaluating alternative decisions, and for estimating the relative cost effectiveness associated with these decision policies.

Discussion ISEMisadiscrete-ehentMonte-Carlosimulationoftheinteractionbetween one adversary (either insider or outsider) and the physical protection system of a nuclear facility as the adversary traverses a prescribed entry The physical layout of the facility is treated as an arrange-or exit path.

An adversary ment of AREAS, BARRIERS, and PORTALS, which are called entities.

Provision is made for additional path is an ordered sequence of entities.

inside adversaries who may covertly tamper with the sensor systems to which These covert insiders who tamper with the sensors do not they have access.

play an active role during the simulation.

A sensor system consists of a sensor and a serially connected set of (frca 0 to 2) logic points which connect in parallel to a set of (from 1 to 3) alarm Each sensor system has one sensor, end there is no explicit maximum points.

Defeat of any logic p int ensures the defeat of all number of sensor systems.

The defeat of an alarm point alarms from the sensors connected to it.

interrupts alarms only to that point; there is no effect on any other alarm Sensors are not attacked, but logic and alarm points can be attacked.

points.

Guards (who may be insiders) may have access to logic or alarm points located in AREAS and PORTALS. Employees (whomaybeinsiders)haveaccessonlyto logic or alarm points located in AREAS. Success probabilities for tampering Each tampering are specified separately for logic points and alarm points.

attempt is assumed to be independent.

Proceeding along the path, each entity is checked to see if an alarm would have occurred had there been no tampering. If so, a check is made to see

[The likelihood of successful whether tampering, if any, defeated the alarm.

tampering is diminished by a sufficient population density of employees in the entity and by the presence of a closed-circuit television (CCTV) assess-ment system.]

Intrusion detection is based upon a probability of detection associated with entering the effective region of an area sensor, crossing a line sensor, or Scanning sensors being scanned by or directly activating a local sensor.

have been modeled in some detail; these include SNM detectors (gamma and neutron flux), high explosives detectors, and metal detectors.

If the insiders were unsuccessful in defeating the sensor system and an alarm annunciates, an assessment delay occurs, followed by the deployment of guards to specific PORTALS from their normal stations in specific AREAS.

It is assumed that the assessment is made correctly and that the adversary in unauthorized possession of material is identified on sight as the adversary.

l

" m :'...... _ _

b

, Addressees If the adversary is within a PORTAL when a guard arrived, it is assumed that If the adversary the adversary is defeated for that particular interaction.

has left the PORTAL by the time a guard arrives and is in or at an adjacent entity, there is.a probability that the guard will call for maximum reinforce-If the adversary arrives at the PORTAL af ter a guard has reached it, ment.

In a call for reinforcement, guards are individually an encounter ensues.

redeployed to the location of the encounter.

The encounter between guards and the adversary is modeled as a discrete-The encounter is described by state, continuous-time stochastic process.

the weapon and competence levels of the opposing forces (recall that.cnly one adversary may be amed), along with the number of guards that have arrived at the encounter point. Competence and weapon levels are assumed to remain The encounter is cencluded when either the fixed throughout the encounter.

If the adversary is adversary or the guard force has been eliminated.

eliminated, the physical protection system wins; if the guards are eliminated, subsequent encounters are still possible. The adversary can win only if his entire path is successfully traversed.

Since ISEM simulates either an entry or an exit path for one run, it is necessary to make two runs to simulate a scenario that requires both entrance and exit paths. Proper conditioning of the input allows a system response to be initiated along the entrance path and centinued along the exit path.

Generally, between 500 1000 si;ulated interactions are randomly generated The model collects statistics on various against th2 site for each scenario.

aspects of each scenario that may be utilized by the decision maker as an aid in evaluating or upgrading a physical protection system.

The input data required in the model consist of detailed information related to (1) facility areas, (2) facility barriers, (3) facility portals, (4) facility sensors, (5) insiders, both guards and other employees, (6) the description of

~

Special Nuclear Materials, (7) the description of explosives, and (8) security forces, including descriptions, tactics and data on adversaries.

The three principal types of output information available from ISEM are (1) event sequences which illustrate how events occur with. time along a path, (2) twenty-two statistical variables which summarize simulation results, and (3) fif teen histograms which pictorially represent and further expand the statistical results.

Results_

The primary product of this research is a computer program and its documentation, which is hereby transmitted.

ISEM is written in the GASP IV simulation language which is a package of FORTRAN subroutines. It is operational in the " batch" mode on Sandia's SCOPE operating system and in the time-sharing mode on Sandia's The batch version requires approx'imately 100K octal words NOS operati.1g system.

The user's of central memory and a single replication takes about 0.1 CPU second.

manual (Ref.1) describes the batch version, which should be readily adaptable to

.e

,me e

p-- - - - -

+-,

n

--,e-m

h b

[I s

.. Addressees any computer having the GASP IV package, a FORTRA1 compiler, and the required The time-sharing version is not easily adaptable to other central memory.

computers.

In the latter stages of Sandia's development and testing, applications of ISEM were carried out.at seven (DOE and/or NRC) facilities, including Rocky Since its completion, the capability for applying Flats and Savannah River.

ISEM as well as EASI.(RIL #23) and FESEM (RIL #24) has been requested by industry and other government agencies.

The program is currently available for NRC use via an access code number to The Tektrcnix 4054. intelligent terminal purchased Sandia's CDC-5500 computer.

for the recently established Application and Development Facility (ADF) provides A training program was given in NMSS with convenient access to this m0 del.This can be repeated for other April 1978 to a few.NRC potential users.

interested users given sufficient requests.

The ISEM model was included in the user tests conducted within the N of Evaluation Methods" program.

safeguards system evaluaticn computer programs.

Recomendations_

ISEM is a first-generation model suitable for the stuoy of physical protection system interaction with a single adversary following a prescribed path, preceded by a covert attack on sensor system elements by a group of model may be used by NMSS and other offices as an ancillary aid in fomulating regulatory requirements, licensing, inspection and other monitoring oper related to the insider problem.

One output from ISEM provides of guard tactics and procedures at a facility.the user with information th vulnerable to the particular scenario analyzed. Sensitivity analyses can be made on most components along the adversary's path to determine the worth (for a particular scenario) of upgrading individual physical protection determine appropriate upgrade actions and provide a cost / benefit. analysis of components.

There are aumerous time-sharing terminals available the system improvements.

throughout NRC from which the Sandia NOS interactive system can be accessed.

+

Technical questions regarding ISEM may be referred to R. C. Robinson of the Safe-guards Research Branch.

Robert J. Sudnit Director Office of huclear egulatory esearch m

=

p s.

5-Addressees References Boozer, D. D., & D. Engi, " Insider Safeguards Effectiveness Model 1.

(ISEM) Users Guide," Sandia Laboratories, Albuquerque, New Mexico, S AND77-0043, November 1977.

Engi, D., & D. D. Boozer, "The Use of ISEM in Studying the Impact of 2.

Guard Tactics on Facility Safeguards System Effectiveness," Sandia Laboratories, Albuquerque, Now Mexico, SAND 77-0410C, July 1977.

Boozer, D. D., & D. Engi, " Simulation of Personnel Control Systems 3.

with the Insider Safeguards Effectiveness Model (ISEM)," Sandia Laboratories, Albuquerque, New Mexico, SAND 76-06S2, April 1977.

Beczer, D. D., & D. Engi, Nuclear Facility Safeguards Systems 4.

Modeling Using Discrete Event Simulation," Sandia Laboratories, Albuquerque, New Mexico, SAND 77-0075, July 1977.

Analytical Engi, D., "A Small Scale Engagement Model with Arrivals:

S.

Solutions," Sandia Laboratories, Albuquerque, New Mexico, SAND 77-0054, April 1977.

--,-4-,-

-, - _