By Timothy E. Lambka, Director of Security Projects, Critigen
The world is on a quest for new energy sources to feed its unquenchable appetite for more and more energy. Not just more energy, but more clean energy, which has led to a “nuclear renaissance” in the nuclear power industry in the United States and internationally.
An abundance of energy has become synonymous with economic growth and stability, which in turn has become a matter of national security. The nuclear renaissance demands that we look at the nuclear power industry from top to bottom to see how it adapts to new technologies, new regulations and sadly, new threats.
The terrorist attacks against America on Sept. 11, 2001 sent ripples through all levels of government. They were the impetus for the creation of a new cabinet department at the national level, the Department of Homeland Security, and ultimately resulted in a flurry of new security regulations being imposed by almost every branch and agency of the federal government. Nuclear facilities are no exception.
The U.S. Nuclear Regulatory Commission (NRC) is tasked with ensuring nuclear safety and commercial nuclear security. Pre-9/11 security protections were most often thought of as classified information security. In the case of commercial nuclear reactors, this is no longer at issue—the technology of commercial reactors has long since left the confines of the classified world. Enrichment technology is one of the few remaining focuses of classified nuclear secrets.
Today, government regulations impacting nuclear facilities are largely defined by the Department of Energy for Classified Restricted Data, the Department of Homeland Security for Chemical Facility Anti-Terrorism Standards (CFATS), and the Federal Energy Regulatory Commission (FERC) and North American Electric Reliability Corp. (NERC) for cyber-security, just to mention a few.
As the world’s threats have changed so have the security regulations, forcing the existing nuclear power plants to adapt and retrofit systems into their facilities. All too often, security has been forced to settle for less than ideal solutions to fit changing regulations into existing environments. The opportunity exists today to develop security on the ground floor of the planning process for new facilities.
Master Planning for Security
Security master planning is a methodical approach to security that examines assets, vulnerabilities, threats and countermeasures. The output of this planning is a combined physical security plan that is acceptable to both the NRC and the owner/operator(s) of the nuclear facilities. The balance between government regulations and commercial operations, with their associated budget constraints, is the driving factor of the plan.
Whether it’s called security master planning, operations security, graded approach or risk management, the systematic approach to planning is key to its success. The primary mission of the security plan is to focus on the assets, both tangible and intangible, that are required for the facility’s continued safe operation. A vast array of issues must be analyzed before security countermeasures are selected and implemented, ensuring an appropriate distribution of resources while not creating new exposures in the process.
Security master planning is a systematic approach for looking at a facility that is designed to help the security practitioner:
- Identify assets or functions
- Identify threats to those assets
- Identify and evaluate vulnerabilities
- Select countermeasures to identified vulnerabilities.
The security master plan takes a holistic approach based on the knowledge that a facility is a complex structure of interrelated components that must be understood individually in order to understand the whole.
Phase One—Asset Definition
During the project’s asset definition phase, the security planner dissects the facility into manageable parts. The planner develops two separate views: a macro-view outlining the nuclear enterprise’s purpose and an internal view of the practices and assets used to accomplish the purpose discovered in the macro-view. While some assets are readily identifiable, some are not so obvious, such as intellectual knowledge, corporate image or employee morale.
During the discovery process for the macro-view, the planner has to find out what makes this enterprise tick by conducting literature searches: looking for what the enterprise itself, as well as the world in general, says and feels about the enterprise. Some good sources for these types of information are stock reports, strategic plans, business plans, Internet searches, professional journals, legal records and interviews with senior management and operating personnel.
The discovery process should answer the following questions:
- What is the nuclear facility’s business? Is it nuclear fuel enrichment, production of fuel rod/fuel rod assemblies, power production or reactor development?
- Who are its customers?
- What are the long-range goals?
- Does it have a strategic plan?
- What are its key resources?
Personnel interviews should draw from a cross section of operating departments such as accounting, data processing, security, personnel, facilities and operations. Based on the enterprise view of the company previously developed, the planner will compile a short list of questions to ask all interviewees. What does the enterprise/company do? How does your department contribute to successful completion of stated goals/objectives? What, in your opinion, is the single most important company asset? The loss of which single asset would shut the company down?
The last phase of asset definition is prioritization based on the asset’s criticality. Security master planning uses three groupings: vital, important and secondary.
The vital group: Loss of a vital asset would prove fatal to the operation.
The important group: Loss of an asset would be disruptive, but not catastrophic.
The secondary group: Loss would be unpleasant, but relatively insignificant.
The resulting asset definition report provides senior management with insights into the enterprise description, noting its goals and objectives, a synopsis of future plans and long-range strategic plans, and a classification of assets listed by their criticality grouping.
Phase Two—Threat Definition
The second step in the process is threat definition. Every facility, large and small, faces a multitude of potential threats, all with varying degrees of harmful consequences. The goal of this phase is to identify and analyze potential threats to the facility and then to further classify those threats by degree of probability. This process groups threats into three different categories: Criminal, natural and accidental.
Criminal Threats: The analysis of the criminal threats is made simpler in nuclear facilities because for certain nuclear facilities the government has produced a design basis threat (DBT). DBT defines the number, armament and capabilities of the terrorist “bad guys.”
Analysis of criminal threats at the local and regional level reviews losses and/or incidents experienced by the facility itself and the historic crime rates for the community at large. These reviews use multiple data sources: facility and parent company records, state and local crime reports, Federal Uniform Crime Reports (UCR) and the National Crime Survey (NCS).
In addition to reviewing statistical data, the security planner should conduct interviews with federal, state and local law enforcement agencies. Personal interviews can help the planner gain an insight into the criminal element present in the local community and the threat to the facility that it represents.
Natural Threats: The threat posed to a facility by natural phenomena can be the most devastating of all. Natural threats range from tornadoes, hurricanes and floods to earthquakes. While the planner should collect historic data on the occurrence of such natural phenomena, it is likely that this data has already been collected as part of the license application process and the on-going requirement to collect weather data. Examples of the items that need to be examined are flood maps, to determine if the facility is in a flood plain, and tornado maps, to see if the location is in a tornado-prone area.
The National Weather Service can also supply statistical data about the number of storm days per year, the number of average lightning strikes and the average rain and snowfall amounts. They can also provide trending information to determine the probability of changes in the current weather patterns.
Accidental Threats: Accidents are major threats to any facility and can range in severity from a small chemical spill to a devastating fire. Historic accident data should be gathered from safety and Occupational Safety and Health Administration (OSHA) records for both the facility and the industry.
An additional problem for the security planner is an accident that can occur off-site and out of the facility’s control that may spill over and affect the facility. This threat can be from neighboring facilities, transportation routes or utility lines.
Once potential threats are identified, they must be prioritized. Potential threats are categorized into the following:
- Likelihood of Occurrence
  - Probable: Expect event will occur
  - Possible: Circumstances are conducive for an event
  - Possible, but unlikely: An event does not appear imminent
- Severity of Occurrence
  - Devastating: Disastrous, interruption in service
  - Moderate: Survivable, impact to daily operations limited
  - Insignificant: Relatively inconsequential, little or no interruption
Phase Three—Vulnerability Analysis
During vulnerability analysis, the assets are correlated with the identified potential threats to identify potential avenues of attack against a particular asset. In this process, corrective measures may be identified and implemented to counter or impede the vulnerability. The most effective methodology is to place the assets and their corresponding threats into a matrix. (See Figure 2.)
In addition to correlating assets with threats, the analysis defines the process of victimization, that is, the method by which an asset may be victimized by a particular threat. The plan should establish scenarios by which the assets could be attacked.
Over the years various software modeling tools have been developed to aid in the process of victimization. The technology can model attacks by a selected number of attackers and selectable weapons, calculate delay times and evaluate the effectiveness of additional delays.
Phase Four—Selecting Countermeasures
The final phase of the plan applies specific security measures to counter the exposed points of vulnerability. The selection of these measures is predicated on the vulnerability analysis and is intended to channel resources to protect the most vital assets against the most probable threats.
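The Phase Three matrix and the prioritization described above, as an added example that is not part of the original article. The asset and threat names are constructed samples; the `EXPOSURES` set and the sort order (criticality, then likelihood, then severity) are assumptions drawn from the rule of protecting the most vital assets against the most probable threats.

```python
from itertools import product

# Ordinal scales from the article's groupings (lower index = higher priority).
CRITICALITY = ["vital", "important", "secondary"]
LIKELIHOOD = ["probable", "possible", "possible but unlikely"]
SEVERITY = ["devastating", "moderate", "insignificant"]

# Constructed sample data, not from the article.
ASSETS = {
    "central alarm station": "vital",
    "warehouse inventory": "important",
    "visitor parking": "secondary",
}
# threat -> (likelihood, severity, category)
THREATS = {
    "flood": ("possible", "devastating", "natural"),
    "theft": ("probable", "moderate", "criminal"),
    "off-site chemical spill": ("possible but unlikely", "moderate", "accidental"),
}
# Assumption: the planner records which threats have an avenue to which assets.
EXPOSURES = {
    ("central alarm station", "flood"),
    ("central alarm station", "off-site chemical spill"),
    ("warehouse inventory", "theft"),
    ("warehouse inventory", "flood"),
    ("visitor parking", "theft"),
}

def build_matrix(assets, threats, exposures):
    """Asset x threat matrix: True where the threat can reach the asset."""
    return {a: {t: (a, t) in exposures for t in threats} for a in assets}

def prioritize(assets, threats, matrix):
    """Rank exposed pairs: most vital asset, then most probable, then most severe.
    An unknown scale label raises ValueError instead of being ranked silently."""
    rows = []
    for a, t in product(assets, threats):
        if not matrix[a][t]:
            continue
        likelihood, severity, category = threats[t]
        key = (CRITICALITY.index(assets[a]), LIKELIHOOD.index(likelihood),
               SEVERITY.index(severity))
        rows.append((key, a, t, category))
    return [(a, t, c) for _, a, t, c in sorted(rows)]

if __name__ == "__main__":
    ranked = prioritize(ASSETS, THREATS, build_matrix(ASSETS, THREATS, EXPOSURES))
    for rank, (asset, threat, category) in enumerate(ranked, 1):
        print(f"{rank}. {asset} <- {threat} ({category})")
```

The ranked list is the input to countermeasure selection: the top rows are where resources go first.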
Countermeasures are broken into four categories: policy and procedures, electronic security systems, physical barrier systems and security personnel.
Policy and Procedures: In today’s business environment of quality and ISO registration, policy and procedures have become part of mainstream business practices. Within the nuclear industry, certain standard procedures are required by the NRC depending on the type of facility. Enrichment and nuclear reactor facilities are required to produce the following plans:
- Guard force training and qualification
- Physical security
- Safeguards contingency.
It is best to keep required security plans as simple as possible. Once approved, facilities will be inspected against the plan. If the plan stipulates action on, say, the 15th of the month, but it’s performed on the 14th or 16th instead, there could be a deficiency at the next audit/inspection. It may be beneficial to stipulate “once a month” rather than a specific date.
Electronic Security Systems: As electronic security systems and the technology of those systems have matured, they have become integral parts of most security programs. Electronic systems have risen in popularity for various reasons, most relating to cost savings and increased reliability.
During this stage of the master plan, the intent is not to specify a make and model; instead, it is to establish system deliverables or a list of tasks the system is designed to accomplish, such as access control, intrusion detection, perimeter intrusion detection and/or video assessment.
Physical Barrier Systems: Physical barriers are designed to identify property boundaries, restrict access and ultimately delay the determined adversary. Barriers within the nuclear facility can be either passive or active and range from traditional wire mesh fencing, vehicle barrier systems, hardened (ballistic and explosive) walls and doors to bullet resistant laminates. Active barriers such as cold smoke and sticky foam are also effective barriers deployed in the industry.
It is important to evaluate the breaching methods and time-to-breach data when evaluating the effectiveness of a barrier or a series of barriers. It is also imperative to know the standards/regulations for particular barriers. Depending on the type of facility and the design-basis threat, it may be required to stop a vehicle of a certain weight moving at a certain rate without any penetration.
Security Personnel: The most expensive component of any nuclear security program is that of security personnel. Personnel cost can eat up large portions of the security budget and, as a result, programs are always trying to save on these costs by reducing fixed posts, competitively bidding security contracts and looking to do more with fewer resources. But the armed officer is the last line of defense and cannot be eliminated completely. Electronics and barriers are used to detect and delay the adversary. But the response necessary to stop the attacker is ultimately up to the on-site security personnel.
Using this methodical approach will help you develop a comprehensive security program that will help strike a balance between the needs for security and the requirement to operate the facility as a profitable enterprise. Part of the security practitioner’s objective is to ensure that balance is maintained. It’s great to have a secure site, but if we make it so difficult that production and operations staff cannot function then we have failed at our job just as if we allowed the adversary to simply walk in. That’s why it’s vital that security become a partner/member of the design team.
Author: Timothy E. Lambka is the director of security projects for Critigen. He is a Certified Protection Professional (CPP), International Certification by the American Society for Industrial Security and has designed security master plans for the nuclear industry for 21 years.