Insider Mitigation Program for Nuclear Plants (22 Slides)

ML22209A037
Person / Time
Issue date:	07/28/2022
From:	Mark Resner Office of Nuclear Security and Incident Response
To:
References
Download: ML22209A037 (23)
v • d • e

Text

Insider Mitigation Program for U.S. Nuclear Power Plants Mark Resner Office of Nuclear Security and Incident Response U.S. Nuclear Regulatory Commission

Concept of the Insider Threat Is Not New

• Quis custodiet ipsos custodes? is a Latin phrase attributed to the Roman poet Juvenal (55-127 AD) from his Satires (Satire VI, lines 347-8), which is literally translated as Who will guard the guards themselves?.

• While the concept of the insider threat is not new, an insider mitigation program must be a graded, risk informed approach adaptable to meet the challenges of an ever-changing global threat environment.

1

Who Is The Insider ?

• A person who has been granted unescorted access or unescorted access authorization under the requirements of 10 CFR 73.56 or has the ability to access information systems that (1) connect to systems that connect to plant operating systems or (2) contain sensitive information that may assist in an attempted act of sabotage.

• Active Insider - A person, who while in an unescorted access status within the protected area, takes direct action to assist a design-basis threat (e.g., participates in planning, uses an authorized key card to open a controlled access door, creates an operational or security diversion, or impedes a response to the threat).

2

Who Is The Insider ?

(continued)

• Active Violent Insider - a person, who while in an unescorted access within the protected area, takes direct action to harm plant components, a member of the security force, or plant staff with intent of preventing the operation of equipment or of preventing the person harmed from participating in protective or recovery strategies, or who takes action to engage or divert operations or security resources from normal protective or recovery strategies.

• Passive Insider - a person who provides or attempts to provide safeguards information or other relevant information about a licensees physical configurations, designs, strategies, or capabilities to any person who does not have a functional operational need to know.

3

Objective of the NRC Insider Mitigation Program (IMP)

• Licensee oversight and monitoring of the initial and continuing trustworthiness and reliability of individuals by minimizing the potential for an insider to directly or indirectly have an adverse impact on the licensees capability to prevent significant core damage or spent fuel sabotage.

• Applies to all individuals following licensees initial unescorted access (UA) and unescorted access authorization (UAA) determination and/or certification of UA & UAA.

• Applies to individuals who retain UA or UAA.

• Shall be described in the licensees physical security plan.

4

Legislative & Regulatory Authority Important to Success of Programs

• Insider mitigation programs are more effective with standards that have a basis in law and are codified within a regulatory framework.

- Establishes minimum requirements which can be inspected by an independent regulatory body to ensure processes and procedures within programs are functioning as intended.

- Provides oversight and clarity for the facility owners and/or operators

- Public confidence is enhanced with an independent regulator

- Regulatory frameworks benefit from processes that provide a means to accommodate changes as necessary.

• Rulemaking

• Orders & Generic Communications

• Guidance documents 5

Key Legislative Authority

• Atomic Energy Act of 1954, as amended

• Energy Reorganization Act of 1974, as amended The Public Health And Welfare 42 U.S.C. § 2201 (General Duties of the Commission) - promulgation of regulations

• Nuclear Non-Proliferation Act of 1978

• Energy Policy Act of 1992

• Energy Policy Act of 2005 §652 & Order EA-07-305 6

Background of the IMP At the NRC

• Information Notice (IN) 83-27 Operational Response to Events Concerning Deliberate Acts Directed Against Plant Equipment Provided licensees with information about program activities that licensees should consider for preparation and response to insider acts.

• IN 96-71 Licensee Response to Indications of Tampering, Vandalism, or Malicious Mischief Report known or unexplained plant conditions inconsistent with routine operations to NRC Operations Center within 1 hr. (10 CFR Part 73.71 -

Reporting of Safeguards Events).

• Order EA-03-086 in 2003 required licensees to address the insider threat.

Licensees upgraded their security plans in response to the Order.

• 10 CFR 73.55 (b)(9) - IMP - included in 2009 rulemaking Establishes the objective and minimum criteria for an IMP program.

7

Background of the IMP At the NRC (continued)

• Executive Order 13587, "Structural Reforms to Improve the Security of Classified Networks and the Responsible Sharing and Safeguarding of Classified Information, issued in October 2011.

o All Federal agencies to establish and implement an insider threat program (ITP) to cover contractors and licensees who have exposure to classified information.

• National Industrial Security Program Operating Manual (NISPOM) o On February 24, 2021, NISPOM became effective as federal rule 32 CFR Part 117 (NISPOM Rule). Requires that cognizant security agencies (CSA),

including the NRC, ensure that all cleared individuals for whom the agency is the CSA implement an ITP consistent with the NISPOM ITP requirements. It also incorporates SEAD-3 reporting requirements.

• Security Executive Agent Directive Agent-3 from ODNI Issued December 14, 2016.

8

Defense-In-Depth Strategy

• 10 CFR 73.1 - Purpose and Scope (a) (1) E (ii) - An Internal threat

• 10 CFR 73.55(b)(9)(i) - Methodologies employed by licensees to implement an IMP must include elements from:

The access authorization program described in 10 CFR Part 73.56.

The fitness-for-duty program described in 10 CFR Part 26.

The cyber security program described in 10 CFR Part 73.54.

The physical protection program described in 10 CFR Part 73.55.

• 10 CFR 73.56 (f) & 10 CFR 26.33 - Behavior observation Behavior observation program includes elements from the IMP, AA, and FFD Implementation by licensees is documented in the physical security plans that are a condition of their license.

9

Defense-In-Depth Strategy (Continued)

• Guidance NRC Guidance RG 5.66 - Access Authorization Program for Nuclear Power Plants RG 5.77 - Insider Mitigation Program (currently under revision as DG-5044)

RG 5.76 - Physical Protection RG 5.71 - Cyber Industry Guidance (endorsed by NRC)

NEI 03 Nuclear Power Plant Access Authorization Program NEI-03 Guideline for Plant Access Training NEI-06 Fitness-for-Duty Program Guidance for New Nuclear Power Plants NEI 03 Security Plan Template 10

Minimum Criteria of NRCs IMP A security determination (UA & UAA) - Access Authorization (AA) program (criminal history check, background investigation).

Initial, random, for cause, and post-event testing - Fitness for Duty (FFD) program Psychological assessments which may include a medical evaluation - AA &

FFD programs Annual review by the immediate supervisor - AA program Periodic reinvestigation security determination - AA program

• 3-year for critical group and 5-year all others 11

Integration of Required Insider Mitigation Components 10 CFR 73.55 (b)(9)(i)(ii)(A)(B)(C)(D)

Initial Screening Background Investigation F.B.I Criminal History Check Goal Cyber Security T Fitness for Duty Program Program Trustworthiness Reliability Physical Protection Access Program Authorization Program NRC Inspection & Oversight 12

Advances in Technology Part of the Insider Mitigation Strategy

• Advances in technology used to adapt to the changing threat environment

- Biometric identity verification tools

• Hand geometry for access to protected areas

• Retina scans for access to protected areas

• Fingerprint scanning devices

• Facial recognition

- Access to criminal history data and other robust databases.

- State-of-the-art video surveillance

- Explosive and metal detection devices

- Detection devices for drug and alcohol use

- Continued research into behavior analysis tools

• Use of voice stress analysis

• Social media access 13

Behavior Observation Program (BOP) Component

• Training on warning signs of aberrant or other behavior not conducive to trustworthiness and reliability

• What to do if you observe aberrant behavior - see something, say something

• Processes in place to address aberrant behavior for the protection of the workers and the facility

• Hot line

• Employee assistance program; self-reporting requirement

• Annual supervisory reviews

• Random, for cause, and post-event drug and alcohol testing

• Fair and balanced application of a BOP

• Consent forms

• Appeal process 14

Examples of What to Look For In the IMP

• Tampering with equipment and/or systems

- Valves out of proper position

- Fluid levels (DORL 4 Belgium incident)

- Workers in areas where they have no business

• Aberrant behavior or unexplained absences from work

• Disgruntled employee

• Radicalization or extremist views

• Domestic Violent Extremists (DVEs) - Militias, anti-government, Racial

• Home Grown Violent Extremist (HVEs) - Shariff Mobley incident in 2010

• Muhammed Youseff Abdulazeez - denied access 2013 - Incident in 2015

• Social media posts monitored

• Drug or alcohol abuse

• Affiliations with criminal elements 15

Warning Signs Questionable Affiliations

• Security force member (Critical Group) at nuclear plant active member of outlaw motorcycle gang

- Never returned to work after being interviewed about his affiliations by access authorization staff at the plant.

16

Disgruntled Employees With Unescorted Access

• November 1979 - Two employees working at Surry Nuclear power plant attempted to damage new fuel assemblies.

- One employee had served aboard ship in the U.S. Navys nuclear program

- Both employees had been granted unescorted access to a vital area in the plant

- Both employees were convicted of intentional damage to a facility which furnishes electric power to the public and sentenced to two years in prison

- The Nuclear Regulatory Commission issued information notice 79-12 to all nuclear power plants to share the information with the licensees that own and operate the plants.

17

$ Socio-Economic Impact $

Tampering Incident At Belgian Nuclear Plant

• August 2014 - Belgian energy company Electrabel reported that its Doel 4 nuclear reactor would stay offline until the end of year after major damage to its steam turbine was caused by a leak of 65,000 liters of oil.

- Reuters news quoted a spokesman for GDG Suez which is the French parent company - There was an intentional manipulation.

- Prosecutors familiar with the incident would not confirm that it was sabotage, and they would not exclude sabotage either.

$ ~37 Million to repair turbine in Germany

$ Loss of ~ 1 gigagwatt of generating capacity to consumers during colder months & reduced company earnings for GDG Suez.

18

Offsite Behavior Matters

• NRC regulations require self-reporting of any criminal charges, arrests or judicial proceedings in which the individual is involved.

• Senior Reactor Operators (Critical Group) arrested for aggravated car-jacking and fled to Venezuela.

• Two Non-licensed Operators arrested for aggravated assault on and obstructing a peace officer at offsite party.

19

Public Perception About Safety & Security

• Article from October 11, 2013, Informable Nuclear News Four Exelon employees arrested in the last 18 months When Burhman was convicted in May of 2013, we questioned Exelons behavioral monitoring and screening program, which is designed to detect aberrant behaviors before they cause problems on-site. According to sources, Exelon has still not made changes to the behavioral observation program, despite the recent string of failures in the last 18 months.

20

IMP Enhancements Program Outreach

• Interaction and coordination with other Federal partners (FBI, DHS, TSC, DoD, and International counterparts).

(Advances in technology) Rap Back Program through FBI CJIS and ABIS through DoD, and IDENT/HART with OBIM/DHS.

SAVE system through Citizenship and Immigration Services

• Frequent interaction with industry and NEI Participation in access/fitness-for-duty quarterly task force meetings Annual, industry-wide conference

• On-going review and updates to regulatory guides and NRC endorsed NEI documents (industry standards).

RG 5.77 is being updated as part of the 5-year cycle NUREG/CR-7183 - Published June 2014 - Best Practices for Behavioral Observation Programs.

21

Questions/Comments 22