ML20009A155
| ML20009A155 | |
| Person / Time | |
|---|---|
| Issue date: | 12/31/1980 |
| From: | Bush L NRC OFFICE OF INSPECTION & ENFORCEMENT (IE) |
| To: | |
| References | |
| NUDOCS 8107090056 | |
| Download: ML20009A155 (18) | |
Text
_
E' FIRST INTERNATIONAL CONGRESS ON PHYSICAL PROTECTION IN PETROLEUM INSTALLATIONS I
SECURITY PLANNING IN THE U.S. NUCLEAR IN_DUSTRY 4
Loren L. Bush, Jr.
U.S. Nuclear Regulatory Commission Urif ted States of America i
l 8107090056 810707
.... _,., ~. _ -. _ _. _.. _. _ _. -, _ _ _. _..... -... - _ _ _ _ - _.. _ _ _ - _ _. _ - _ -.. _ _ _. _ -. _ _.. - -... _ _ _. _... _. _ _ -. _. -.... _ _ -. _..,
Security Planning in the U.S. Nuclear Industry Loren L. Bush, Jr.
Chief, Physical Security Section Office of Inspection and Enforcement U.S. Nuclear Regulatory Commission The United States Nuclear Regulatory Commission (USNRC), requires its licensees to develop and implement programs that will ensure that the public t.ealth and safety are not endangered by the ncclear industry. One of the many programs required is, an overall safeguards program that includes physical security. This paper, in describing heet the USt!RC and its licensees develop a physical security program, will include such planning steps as:
(1) identification of resources to be protected, (2) identification of threat,
~
i.e., types of acts and adversary capabilif.ies, (3) program design, and (4) program implementation.
It is important that we first establish the basic responsibilities of government and industry. The USNRC is responsible for regulating the nuclear industry in the United States to assure that the public health and safety are protected.
Our goal is to ensure that the existence of the nuclear industry will not signi-I ficantly increase the overall risk to society.
It is recognized that everything
(
we do contains a certain amount of risk - even getting out of bed and going to work.
I know of no other industry regulated with such an idealistic obj ective.
1 i
l l
This paper was prepared by an employee of the United States Nuclear Regulatory Commission, and is encompassed by the U.S. Copyright Act as a " United States l
Government Work".
It was written as a part of official duties, and cannot be copyrighted.
l
The industry, on the other hand, is responsible for fully implementing the requirements for protecting the public health and safety as prescribed by the USNRC in Title 10 Code of Federal Regulations.
In addition, the industry must concern itself with their stockholders aad other investors, and ta a significant extent, the utility rate payers.
The industry must protect itself aSainst economic loss; the USNRC has no legal authority to require programs to prevent economic loss. To give you some concept cf the economics involved, any action, or failure to take proper or adequate action, that results in a shutdown of a nuclear power plant could cost $100,000 per day (or more) in lost revenue. This alone should be enough incentive for the industry to take earnest precautions and to stimulate intense management interest.
Thsre are many otker costs that could be incurred because of failure to protect against an adversary; some of these are:
(1) cost of repairing or replacing equipment and facilities, (2) law suits, (3) increased insurance premiums, (4) possible loss or decrease in employee productivity due to poor morale, (5) increased wages and fringe benefits to restore morale and reattract applicants for employment, and (6) the costs in human life and suffering to their own employees and executives.
Another area that the USNRC cannot involve itself--in fact, as an industry regulator must not--is the need for the nuclear industry to maintain public confidence. As with any other industry that may be controversial and unpopular with certain segments of society, the nuclear industry needs to protect itself from being discredited to the degree that public confidence is lost. Without public confidence and support a.ny industry can be forced out of existence.
-.. ~ -. - _.
Although protection of the public health and safety is only a portion of tFOse responsibilities, that is where my experience is concentrated, and will be the subject of this paper.
It should be noted that the NRC regulated programs, when properly implemented, afford the industry a substantial contribution with respect to its normal responsibilities for protecting corporate assets and managing its operations in a proper manner.
The first step in security planning is to identify the resources to be protected.
In traditional security planning the resources usually include such things as valuable materials, information, activities, and people.
In nuclear security, the resources to be protected are limited to two basic types:
(1) certain combinations
.of isotope fraction and element weight of special nuclear material - generally called a formula quantity - which could be used to fabricate a nuclear weapon, and (2) materials and activities that could potentially create a public health and safety hazard if the proper controls are not exercised.
In nuclear security, we can discount theft of irradiated material to fabricate a weapon because it would be lethal to those stealing it. We can also discount sabotage of unirradiated special nuclear material as being a significant threat to public health and safety because it would be about as dangerous as sabotaging a couple of lead bricks. We therefore end up with security programs whose purposes are to protect against:
(1) radiological sabotage:
a deliberate act which could endanger the public by exposure to radiation, and (2) theft or diversion of formula quantities of special nuclear material.
Formula quantity means strategic special nuclear material in any combination in a quantity of 5,000 grams or more computed by the formula:
grams = (grams contained U-235)
+ 2.5 (grams U-233 + grams plutonium). This means, for example, that 2 or more kilograms of plutonium i.ust be protected from theft or diversion. We also have
-~
. modest security programs to protect against theft or diversion of less than a formula quantity, primarily intended LC* prevent multiple thefts that would result in a cumulative loss of a formula quantity to an adversary.
The second step in security planning is to identify the threat, that is, the types of adversary's acts that could be perpetrated against the resources ana the adversary's characteristics and capabilities in carrying out those acts. This step is essential to properly design the security program and to evaluate the need for such things as number of guards and their duties, level of training, security equipment, etc. Much effort is traditionally devoted to the gathering of intelligence to identify specific threats. Although that data is important to overall planning, it is dangerous to rely on the accuracy of that data. Many Limes adversaries are not identified prior to their action against you.
- Further, it takes too long to plan and implement a good security program to wait until a specific threat is identified.
I've already folded a part of this step into the first. As you recall, the USNRC is concerned about such acts as theft, diversion, and sabotage.
In traditional security planning, these acts plus such things as narcotics and alcohol abuse, fraud, blackmail, kidnapping and even murder must be considered.
In nuclear security we are concerned with single or multiple thefts of nuclear material that could be used for extortion, publicity, or acts of terrorism for political or financial gain. We also are concerned that, for the same purposes, highly irradiated nuclear material could be dispersed either dur.ng shipment or in resid6nce at a reactor.
I should point out that radiological sabotage of a nuclear power reactor would be difficult to achieve ever, if there were no security nrogram. Reactors are very complex and have many redundant safety systems. A successful saboteur would have to know what specific systems he would have to disrupt to carry out a successful act of sabotage.
In many cases he would hdve to carry out this disruption of systems in the proper sequence, and within fairly narrow time constraints. Otherwise the automatic safety systems and other accident miti-Sating processas would frustrate his efforts. As said earlier, many things can be done to create sensational publicity and cause loss of public confidence -
but to actually endanger the public health and safety is something else.
For example, the accident at Three Mile Island on March 28, 1979 caused a lot of sensational publicity and some 'oss of public confidence. However, the public was not exposed to a significant or a dangerous level of radiation.
A good security planner should establish, as a reasonable basis:
(1) the number of adversaries to which the system should respond, (2) whether or not employees must be protected against, (3) whether the employees woult' enter into a conspiracy, and (4) whether violence can be expected.
If violence can be' expected, he must determine what types of weapons, explosives, and vehicles j
might be used to attack the system. Also, the planner should estimate how knowledgeable, intelligent, dedicated, organized, and efficient the adversary might be.
l The NRC has established what we call a design basis threat that the domestic nuclear industry is required to protect against. This design basis threat t
is specified as:
. - ~ - -
1.
A determined violent external assault, attack by stealth or deceptive action by spyeral persons with the following attributes, assistance, and equipment:
(A) Well trained, dedicated f adividuals who have cilitary training and skills.
(B)
Inside assistance, which may include a knowledgeable individual who attempts to participate in a passive role (e.g., provide information), an active role (e.g., facilitate entrance and exit, disable alarms and communications, and participate in violent attack), or both.
(C) Suitable weapons, up to and including hand-held automatic weapons, i
with silencers and having effective long-range accuracy.
(D) Hand-carried equipment, including incapacitating agents and explosives for use as tools of entry or for destroying vital systens...
- and, 2.
An internal threat of an insider, including a'i employee in any position.
1 For protection against theft or diversion of a formula quantity of special nuclear material, the above design basis threat is expanded to include the following attribute of the adversary making an external assault:
1 (E)
The ability to operate as two or more teams.
l The internal threat is expanded as follows:
l 3.
A conspiracy between individuals in any position who may have:
(A) Access to and detailed knowledge of nuclear power plants, facilities possessing formula quantities of strategic special nuclear material, or intransit operations, or (B)
Items that could facilitate theft (e.g., small tools, substitute 1
A
~
7-material, false documents, etc.),
(C) or both.
For security reasons, the exact number of adversaries in the design basis threat is not identified specifically.
However, we believe that a security program that gives a high assurance of success against several persons with the capabilities descHbed in the design basis, will probably succeed - with a lower level of assurance - against a greater adversary.
To provide more definitive planning guidance that the licensees should use when designing their security program, the NRC staff developed the following set of adversary characteristics:
Individual and Group Skills Nuclear Materials Identification and Handlire Radiation Monitoring and Safety Communications Intelligence and Security (Reconnaissance Including Detailed Knowledge of the Facility, Surveillance and Alarm Systems, etc.)
Tactical Operations (Combat Experience)
Pioneer (Demolition, Structure and Barrier Breeching)
Transportation Managerial f
^
Equipment Semi-automatic Pistols and Rifles Automatic Pistols and Rifles Submachine Guns
d Equipment - cont'd Shot Guns Hand Grenades Dynamite Plastic Explosives Shaped Charges Citizens Band Radios Two-Way Radios General and Special Purpose Vehicles Tear Gas, Mace, etc.
The third step in security planning is to design a program that will protect the resources against the threat.
If you have low value resources and not much of an adversary to contend with,you may be content with nothing more than a chain link fence with occasional spot checks by the local police.
Typically, even basic industrial security programs are more complex than this, and those in the nuclear industry are possibly the most complex.
The U.S. Nuclear Regulatory Commission, as a regulator of the nuclear industry, plays an even more complex part in the program. We develop the rules and regulations that provide the legal basis for regulating the program.
We develop standards and technical guidance so that a minimum level of quality and uniformity is achieved. We license the programs; that is, because of performance oriented rules, we must determine whether a proposed program is technically adequate before legal permission is
,-.._,,m.m
..~n.
-..-._,-.,._m_
m
9-given to the licensee to operate. And to complete the NRC prcgram, we inspect the licensee's operations from time to time to ensure that the program is properly implemented and adequate, and we take action to see that any problems are corrected.
We have established what is called Acceptance Criteria to assist the licensees and our technical' licensing reviewers. The acceptance criteria describe some methods of meeting the legal requirements that would be acceptable to the NRC staff.
In designing our program, as reflected in Title 10, Code of Federal Regulations and the acceptance criteria, it is important to note that there are key differences between protecting against theft versus sabotage:
(1) for sabotage the primary emphasis must be to prevent access to the resource being protected; and (2) for theft the primary emphasis is on preventing removal of the resource, which can include preventing access. Therefore, to prevent sabotage by an external adversary you get one chance and a relatively short amount of time to respond, but with theft you get two chances and usually more time.
This means that there is less time to detect and respond to an act of sabotage than to a l
l thtft, which means less reliance on external support to protect against sabotage. A philosophy conmon to the program for both theft and sabotage is redundancy and protection in depth.
This is most evident in use of two i
barriers, two ' alarm systems, and two communications systems.
The other common philosophy is to detect the adversary as early as possible, delay his action as long as possible, and respond as quickly - and strongly - as possible.
l l
l*
l
[
. Title 10 Code of Federal Regulations describes some basic elements of an acceptable program, and incluaes sucn tnings as:
1.
A physical security organization
- supervision,
- tr>.ining and qualification standards, and
- an ability to perform all duties.
2.
Physical barriers fence, isolation zone, and illumination for the protected area, a barrier of substantial construction around vital areas, and means for early detection of an adversary to assure adequate response.
3.
Access requirements personnel and vehicle access points controlled, identification and search made, and authorization checked, persons, packages, and vehicles searched, access to vital areas limited to those authorized and only j
when required, l
visitors and vehicles escorted, l
l l
delivery vehicles off-loaded at designated areas, and locks and keys administratively controlled.
l l
4.
Detection aids redundant, continuously manned alarm stations with no interfering activities for the ~ operators, and
- alarm sensors at the protected area perimeter and for unoccupied vital areas.
5.
Communications requirements continuous communication between each member of the security organization and both alarm stations, ar-redundant communications with local law enforcement agencies.
6.
Testing and maintenance security equipment must be tested frequently and adequately maintained, compensatory measures must be taken immediately in the event the equipment fails or its effectiveness is lessened, and independent power sources for equipment.
7.
Response requirement liaison with the local law enforcement agencies, response force consisting of nominally 10 personnel,
- upon detection of unknown activity, take immediate action to assess the potential threat, communicate with response i
organizations, and implement response actions to counter the adversa ry.
I r
Since there was a need for " site specific design", the NRC staff l
established the following factors for determining the size of the response force:
l i
Selection, Training, and Motivation of Response Force Availability and Construction of Defensive Positions l
Availability and Knowledge of Weapons and Other Equipment l
l l
12 -
Individual Site Considerations, Including Size, Topography.
Configuration, Geography, Weather, and Number of Nuclear Power Plant Units Location and Rekiability of Initial Detection Devices Consideration of Local Law Enforcement Agencies Response Vital Area Hardening, Including Plant Design, Location of, and Access Control to Vital Areas Design and Construction of Protected Area Barriers Redundancy of Security Systems 4
Initial Clearance and Continuing Reliability Assessment of Personnel Security and Contingency Procedures The NRC staff also identified a 'ist of data that would be required for cal-culation of delay and response times:
Point in adversary action seque7ce that detection occurs (data has no effect on calculation but has major effort on result) l Barrier penetration time l
l Time to traverse shortest path from point of detection to target i
Time for receiving alarm Time for threat assessment and response force initiation l
Security force response time The licensee must convince the NRC licensing staff that he can detect and delay the adversary long enough for the response force to arrive and intervene, ~ even assuming that everything goes well fbr the adversary and not so well for the defenders.
~
m.
g-w-%-
3.i.-
mm-=
m-.
, ee
-w-
-yp--
nu gy w
-,.y-p 9
-p
- .n--
g
4 The fourth step in security planning consists of determining those-actions necessary to implement the designed program.
This step would include such things as final development of a site specific security plan; civil, electrical, and systems engineering of various equipment and facilities; the processir' and awarding of contracts; and overcoming the surprising number of problems that are encountered before the entire security system is fully operational.
Many of these problems can be traced to improper application, installation, or maintenance of security equipment.
One would think that final development of the site specific security plans would be simple and straight forward - quite the contrary.
Our current rule for security programs at power reactors was issued in February 1977.
The last plans were finally approved by the NRC in February 1979; in some cases after 5 or 6 revisions were submitted.
Many licensees were reluctant to do some phases of the engineering work until they had some assurance that the approach they were taking would be acceptable to the NRC. Those delays aside, many of our licensees still do not have all their equip-ment operating satisfactorily and are, therefore, required to implement costly interim measures to maintain an acceptable level of security. Al though no formal study to determine the cause has been taken by the USNRC - remember we are only interested in the fact that the lic.ensees are performing properly and we are not concerned with excuses or reasonable costs.
I have discussed the problem with many people who are involved.
I will report what they have l
l
... ~
told me, without having validated the information on an industry-wide basis.
I also realize that there may be a little.- bias.
The electrical utilities, being engineering oriented, did most of their own design work without requesting any advice from their own security staff.
As a result, some systems were designed so inadequately that they had to be completely replaced.
- Neither the utility engineers, the architect engineers (if used), nor the general contractors requested advice from equipment manufacturers.
The manufacturers stated that they believe the architect engineers and general contractors are incompetent in the area of safeguards and do not understand the requirements for security equipment.
The manufacturers state that they are willing to step in to save the reputation of their products, but they have no legal entre'e, and the architect engineers and general contractors are uncooperative.
- Contracts are frequently awarded to a low bidder without regard to the quality of the product or the ability of the bidder to properly install and maintain the equipment.
Installers lost incentive to complete their contracted for work because licensees typically pay a major portion of the contract price (usually 90%) once the equipment is in place.
However, alignment, calibration,
15 -
j and removal of " bugs" is a major part of security system installation, and can occur only after the equipment is in place.
To illustrate a few of these points, I was told the following story by an old friend. A closed circuit television system would not work properly after installation." The users went back to the engineers several times, spending many thousands of dollars over several months in futile attempts to get the equipment operational. My friend, upon hearing of the problem, suggested that they replace the television cameras with another brand.
The retort was, "they're the same cameras". My friend replied', "Yes, but the electrical connectors and terminations are differen+, and in this case, are the source of the problem." It seems that a desire to award the contract to the lowest bidder and reluctance te consult with knowledgeable security professionals, for a savings of about $27 per camera, resulted in a substantial additional cost and unnecessary delay in a simple security equipment installation.
In conclusion, there are several steps :nvolved in planning for security.
A good foundation must be established by identifying the resources to be protected and the threat, thereto.
The foundation must be topped by a sound design for the security program.
Lastly, but a very important key to the overall success of the effort, is the willingness of people in autilority to accept the professional advice of security professionals.
1
RS. N CLE AR REGUL ATORY COMMISStON (7 77)
BIBLIOGRAPHIC DATA SHEET 4 TITLE AND SUBTITLE (Add Voltme No., of apprcorratel
- 2. (Leave trianki Security Planning in the U.S. Nuclear Industry
- 3. RECiPi.;NT'S ACCESSION NO.
- 7. AUTHOR (S)
- 5. DATE REPORT COMPLF TED Loren L. Bush, Jr.
Dec.
1980
- 9. PERFORMING ORGANIZATION NAME AND MAILING ADDRESS (include Zip Codel DATE REPORT ISSUED Division of Safeguards &. Radiological Safety Inspection Dec' 1980 Office of Inspection and Enforcement 6~''" "'"
U.S. Nuclear Regulatory Commission
!!ashington, D.C.
20555 8 (teav, u,,,*i
- 12. SPONSORING ORGANIZATION N AME AND M AILING ADDRESS (/nclude Zip Codel
- 11. CONTR A OT NO.
- 13. TYPE OF REPORT PE RIOD COVE RED (inclus,ve dates)
Conference Paper - Published in American Sociaty for Industrial Secu,rity Management
- 14. ILeave tvanal
- 15. SUPPLEMENTARY NOTES
- 16. ABSTRACT (200 words or less)
The United States Nuclear Regulatory Commission (USNRC), requires its licensees to develop and implement programs that will ensure that the public health and safety are not endangered by the nuclear industry.
One of the many programs required is an overall safeguards program that includes physical security.
This paper, in describing how the USNRC and its licensees develop a physical security program, will include such planning steps as:
(1) identification of resources to be protected, (2) identification of threat, i.e., types of acts and adversary capabilities, (3) program design, and (4) program implementation.
11a. DESCHiPTORS
- 17. KE Y WORDS AND DOCUMENT AN ALYSIS Security planning, physical security, security program design, adversary capabilities.
g L&q M M in s
I 17h IDENTIFIERS'OPEN-ENDED TERM p
A ". s A
' 9 ', s lC#
C 19 SE CUH6T Y CLASS iTn s reporrl 21 NO of PAGE S P
unclassified 15 22 eso 4 / Frygg, i nETTsTIMhjpS <Tm vari N/A muscnmuun
BIBLIOGRAPHY Loren L. Bush, Jr.
Mr. Bush is Chief of the Physical Security Section, Office of Inspection and Enforcement, U.S. Nuclear Regulatory Commission.
He manages the NRC programs concerning the inspection of licensees' security programs to determine compliance with applicable laws and to determine adequacy in protecting the public health and safety.
He retired from the U.S. Anny in 1975, with over 15 years in Command and senior staff positions in security, law enforcement, and criminal investigt. tion.
His final military assignment (from 1970-1975) was Chief, Nuclear Security Division, Defense Nuclear Agency, where he was responsible for matters pertaining to nuclear weapons security, including development and evaluation of physical security equipment and concepts.
In 1975-76 he was with NUSAC (a consulting firm) and advised clients of appropriate methods for protecting nuclear materLis and facilities.
He has a Bachelor's Degree in Business Administration from the University of Florida and studied for his M.B.A. with Boston University. Mr. Bush is a member of the American Society for Industrial Security, and was Chairman of the Washington, D.C. Chapter in 1980.
1 1
1 1
l l
.m m.