NUCLEAR SECURITY SERIES NO. XX

PHYSICAL PROTECTION OF
NUCLEAR MATERIAL AND NUCLEAR FACILITIES
(IMPLEMENTATION OF INFCIRC/225/REV. 5)

DRAFT IMPLEMENTING GUIDE

INTERNATIONAL ATOMIC ENERGY AGENCY
VIENNA, 20XX

NST023
DRAFT, July 2014
STEP 8: Submission to Member States
for comment
Interface Document: NSGC, NUSSC,
RASSC, WASSC

FOREWORD

By Yukiya Amano, Director General

The IAEA’s principal objective under its Statute is “to accelerate and enlarge the contribution
of atomic energy to peace, health and prosperity throughout the world.” Our work involves both
preventing the spread of nuclear weapons and ensuring that nuclear technology is made available for
peaceful purposes in areas such as health and agriculture. It is essential that all nuclear and other
radioactive materials, and the facilities in which they are held, are managed in a safe manner and
properly protected against criminal or intentional unauthorized acts.

Nuclear security is the responsibility of each individual country, but international cooperation
is vital to support States in establishing and maintaining effective nuclear security regimes. The central
role of the IAEA in facilitating such cooperation, and providing assistance to States, is well
recognized. The Agency’s role reflects its broad membership, its mandate, its unique expertise and its
long experience of providing technical assistance and specialist, practical guidance to States.

Since 2006, the IAEA has issued Nuclear Security Series publications to help States to
establish effective national nuclear security regimes. These publications complement international
legal instruments on nuclear security, such as the Convention on the Physical Protection of Nuclear
Material and its Amendment, the International Convention for the Suppression of Acts of Nuclear
Terrorism, United Nations Security Council Resolutions 1373 and 1540, and the Code of Conduct on
the Safety and Security of Radioactive Sources.

Guidance is developed with the active involvement of experts from IAEA Member States,
which ensures that it reflects a consensus on good practices in nuclear security. The IAEA Nuclear
Security Guidance Committee, established in March 2012 and made up of Member States’
representatives, reviews and approves draft publications in the Nuclear Security Series as they are
developed.

The IAEA will continue to work with its Member States to ensure that the benefits of peaceful
nuclear technology are made available to improve the health, well-being and prosperity of people
world-wide.

CONTENTS

1. INTRODUCTION
1.1. Background
1.2. Objective
1.3. Scope
1.4. Structure
2. OBJECTIVES OF THE STATE’S PHYSICAL PROTECTION REGIME
3. ELEMENTS OF A STATE’S NUCLEAR SECURITY REGIME FOR PHYSICAL PROTECTION OF NUCLEAR MATERIAL AND NUCLEAR FACILITIES
3.1. State responsibility
3.2. Assignment of physical protection responsibilities
3.3. Legislative and regulatory framework
3.3.1. Regulatory approaches
3.3.2. System evaluation, including performance testing: requirements by the State
3.3.3. Competent authority
3.3.4. Responsibility of the licence holders
3.4. International cooperation and assistance
3.5. Identification and assessment of threats
3.6. Risk-based physical protection systems
3.6.1. Graded approach
3.6.2. Graded levels of physical protection based on consequence of unauthorized removal
3.6.3. Graded levels of physical protection based on consequences of sabotage
3.6.4. Defence in depth
3.7. Sustaining the physical protection regime
3.7.1. Nuclear security culture
3.7.2. Quality assurance
3.7.3. Confidentiality
3.7.4. Sustainability programme
3.8. Planning and preparedness for and response to nuclear security events
4. DEVELOPING, IMPLEMENTING AND MAINTAINING AN INTEGRATED PHYSICAL PROTECTION SYSTEM FOR NUCLEAR FACILITIES
4.1. General responsibilities of the operator
4.2. Security organization
4.3. Process for developing and implementing a PPS
4.3.1. Approach for developing the PPS
4.3.2. PPS life cycle
4.4. Identifying the requirements for a PPS
4.4.1. Target identification
4.4.2. Threat definition
4.5. Design and evaluation of the PPS
4.5.1. Design phase
4.5.2. Evaluation phase
4.6. Key functions of a physical protection system
4.6.1. Deterrence
4.6.2. Detection
4.6.3. Delay
4.6.4. Response
4.7. Locating and recovering missing or stolen nuclear material
4.8. Mitigating or minimizing radiological consequences of sabotage
4.9. Physical protection measures
4.9.1. Protection areas and layers
4.9.2. Central alarm station
4.9.3. Physical barriers
4.9.4. Access control systems
4.9.5. Guards and response forces
4.9.6. Protection measures for stand-off sabotage attacks
4.9.7. Protection measures for airborne and waterborne attacks
4.9.8. Transport of nuclear material
4.10. Nuclear material accounting and control (NMAC) for nuclear security
4.11. Security of sensitive information
4.12. Protection of computer-based systems
4.13. Safety–security interface
4.14. Security plan
4.14.1. Security plan development
APPENDIX I. THE SECURITY PLAN
APPENDIX II. THE ADDITION OF NUCLEAR MATERIAL OR AGGREGATION
APPENDIX III. CROSS REFERENCES TO RECOMMENDATIONS [1]
REFERENCES

1. INTRODUCTION

1.1. BACKGROUND

The IAEA Nuclear Security Series provides guidance for States to assist them in implementing a
national nuclear security regime, or in reviewing and if necessary strengthening an existing nuclear
security regime. The series also serves as guidance for Member States in carrying out their efforts
with respect to binding and non-binding international instruments.

The physical protection of nuclear material and nuclear facilities is a major part of the nuclear security
regime for those States that have such material and facilities. Nuclear Security Recommendations on
Physical Protection of Nuclear Material and Nuclear Facilities [1] were issued by the IAEA in 2011.
That Recommendations publication also serves as Revision 5 of IAEA INFCIRC/225, the guidance for
Contracting Parties to the Convention on the Physical Protection of Nuclear Material (CPPNM) on
meeting their obligations under that Convention and, when the 2005 Amendment to the CPPNM
enters into force, under the amended Convention.

This publication is the lead Implementing Guide in a suite of guidance to States on implementing
those Recommendations [1] (hereafter referred to as NSS No. 13). Several existing Implementing
Guides and Technical Guidance publications address specific subjects relevant to the physical
protection of nuclear facilities, such as design basis threat, measures against insider threats,
identification of vital areas and nuclear security culture. This Implementing Guide presents some of
these major points and provides an introduction and overview of the subject, and as appropriate refers
to the topical guides for more specific guidance.

1.2. OBJECTIVE

The purpose of this publication is to provide guidance and suggestions to assist Member States and
their competent authorities in establishing or improving, implementing, maintaining and sustaining
their national physical protection infrastructure and their operator’s physical protection systems and
measures. These are essential components of the State’s overall national nuclear security regime.

Some parts of this publication are intentionally ambiguous in allocating responsibilities between the
State and its competent authorities. This ambiguity recognizes the differences among States with
respect to the assignment of responsibilities within their nuclear security regimes. States should be
precise and complete in assigning and documenting physical protection responsibilities for their
competent authorities.

1.3. SCOPE

This Implementing Guide applies to the physical protection of nuclear facilities and nuclear materials
in use and storage against:
— Unauthorized removal of nuclear material with the intent to construct a nuclear explosive
device, and
— Sabotage of nuclear material and nuclear facilities resulting in radiological consequences.

This Implementing Guide also provides some suggestions related to associated measures to participate
in a coordinated response for the:
— Location and recovery of missing nuclear material, and
— Mitigation or minimization of the radiological consequences of sabotage at nuclear facilities.

This publication does not include detailed guidance on:
— Physical protection of nuclear material during transport outside the nuclear facility, which is
addressed in specific guidance [2]; or
— Protection against unauthorized removal of nuclear material for potential subsequent off-site
dispersal, which is addressed in guidance on the security of radioactive material [3].

This Implementing Guide does not provide detailed guidance in relation to nuclear security
considerations in site selection for a facility and its design. Integrating physical protection principles
as early as possible in the facility lifecycle is commonly referred to as ‘security by design’.

States may decide to require nuclear material and nuclear facilities in their territory to be protected on
a variety of other grounds, such as the economic importance of these targets, the potential
consequences of loss of power generation or reputational reasons. This publication does not provide
guidance on addressing these additional national concerns.

1.4. STRUCTURE

The structure of this Implementing Guide is intended to follow broadly the structure of the parent
Recommendations [1], but does not do so exactly, for two reasons:
— Protection of nuclear material during transport outside of a nuclear facility is not within the
scope of this guide, and
— This guide describes, in a single section, an integrated, risk-based approach for protection
against unauthorized removal of nuclear material and protection against sabotage, which in the
Recommendations are presented separately in two different sections.

The structure of this publication is as follows. Following this Introduction, Section 2 describes the
objectives of physical protection and the overall approach to managing the risks of unauthorized
removal of nuclear material and sabotage of nuclear facilities. Section 3 provides guidance for the
State and its competent authorities regarding physical protection elements of the nuclear security
regime, based on the Fundamental Principles set out in the Recommendations [1]. Section 4 provides
guidance regarding the operator’s physical protection system, describing a systematic, integrated
approach. Appendix I gives an annotated outline of the typical contents of an operator’s Security Plan.
Appendix II provides a discussion of nuclear material aggregation related to the categorization of
nuclear material for determining the protection level against unauthorized removal. Appendix III
presents a table of paragraph cross references between the Recommendations [1] and this
Implementing Guide. A list of abbreviations used in the text is provided at the end of the publication.

2. OBJECTIVES OF THE STATE’S PHYSICAL PROTECTION REGIME

The four objectives of a State’s physical protection regime¹ specified in [1] are based on the
Amendment to the Convention on the Physical Protection of Nuclear Material.

¹ Historically, the term “physical protection” has been used to describe what is now known as the nuclear security of nuclear
material and nuclear facilities, and Ref. [1] (which is also Revision 5 of INFCIRC/225) uses the term physical protection
throughout (including using the term “physical protection regime” for those aspects of a nuclear security regime related to
unauthorized removal and sabotage of nuclear material and nuclear facilities). To aid understanding of this publication as
guidance on the implementation of INFCIRC/225 Revision 5, the term “physical protection” is used to refer to those aspects
of nuclear security relating to measures against unauthorized removal or sabotage of nuclear material and nuclear facilities.
Hence, for example, a State’s “physical protection regime” comprises those parts of its nuclear security regime that relate to
such measures.

“The overall objective of a State’s nuclear security regime is to protect persons, property,
society, and the environment from malicious acts involving nuclear material and other
radioactive material. The objectives of the State’s physical protection regime, which is an
essential component of the State’s nuclear security regime, should be:
• “To protect against unauthorized removal. Protecting against theft and other
unlawful taking of nuclear material.
• “To locate and recover missing nuclear material. Ensuring the implementation of
rapid and comprehensive measures to locate and, where appropriate, recover missing
or stolen nuclear material.
• “To protect against sabotage. Protecting nuclear material and nuclear facilities
against sabotage.
• “To mitigate or minimize effects of sabotage. Mitigating or minimizing the
radiological consequences of sabotage.” (Ref. [1]; 2.1)

“The State’s physical protection regime should seek to achieve these objectives through:
• “Prevention of a malicious act by means of deterrence and by protection of sensitive
information;
• “Management of an attempted malicious act or a malicious act by an integrated
system of detection, delay, and response;
• “Mitigation of the consequences of a malicious act.” (Ref. [1]; 2.2)

“The objectives mentioned above should be addressed in an integrated and coordinated manner
taking into account the different risks covered by nuclear security.” (Ref. [1]; 2.3)

There are well known risks associated with the use of nuclear material and nuclear facilities. From a
nuclear security perspective the two primary risks are those associated with unauthorized removal of
nuclear material, for potential use in a nuclear explosive device, and with sabotage of the material
and/or facility resulting in unacceptable radiological consequences (URC). The management of these
risks is the primary basis for nuclear security in relation to nuclear material and nuclear facilities. If a
State has made the decision to accept nuclear material and nuclear facilities within its borders, it is
also accepting the responsibility to protect those materials from unauthorized removal and the
facilities and materials from sabotage resulting in a release of radionuclides.

Ref. [1] recommends that States should adopt a risk management approach in order to achieve the
objectives above relating to the protection against unauthorized removal and sabotage, by addressing
the three aspects for characterizing risk, namely the threat, potential consequences and vulnerability.
Ref. [1] contains recommendations relating to:
— Threat assessment and design basis threat;
— The potential consequences of unauthorized removal of nuclear material (through a material
categorization table) and of sabotage (through an approach of grading radiological
consequences), facilitating the use of a graded approach and the application of proportionate
physical protection measures; and
— Addressing, through an effective physical protection system, vulnerabilities at targets within a
nuclear facility that could otherwise be exploited by a threat to successfully complete a
malicious act.

By implementing the recommendations of Ref. [1], the State should be able to appropriately manage
the risk arising from malicious acts directed at a nuclear facility. However, to do this the State needs
to set its own detailed objectives taking into account the graded approach.

In order to reduce risk, an operator has the options to remove nuclear material that is more attractive
(to adversaries) and use less attractive nuclear material, to design nuclear facilities that use nuclear
materials that would result in lower radiological consequence in the event of sabotage, and/or to build
more robust physical protection systems. Additionally, competent authorities for intelligence and
nuclear security may work closely together to detect and interrupt adversaries planning malicious acts
before such plans are carried out at a nuclear facility. Implementing all of the Fundamental Principles
within the State’s nuclear security regime and implementing appropriate physical protection measures
at nuclear facilities serves the overall objective to protect the nuclear facility from malicious acts.

3. ELEMENTS OF A STATE’S NUCLEAR SECURITY REGIME FOR PHYSICAL
PROTECTION OF NUCLEAR MATERIAL AND NUCLEAR FACILITIES

Ref. [1] defines a State’s physical protection regime as including:
— The legislative and regulatory framework governing the physical protection of nuclear
material and nuclear facilities;
— The institutions and organization within the State responsible for ensuring implementation of
the legislative and regulatory framework;
— Facility and transport physical protection systems (PPSs).

The State’s nuclear security regime should also provide for appropriate management of the interfaces
between physical protection and nuclear material accounting and control (NMAC) and safety. The
State has the responsibility to ensure that NMAC, safety and nuclear security requirements do not
conflict with each other, and that these elements support each other as far as possible.

This section:
— Lists the Fundamental Principles and other essential elements of the State’s nuclear security
regime relevant to physical protection of nuclear material in use and storage and of nuclear
facilities, as presented in Refs [1] and [4]; and
— Provides guidance on the State’s implementation of each principle as it applies to the physical
protection of nuclear material and nuclear facilities.

In order to meet the objectives of a State’s nuclear security regime for nuclear material and nuclear
facilities, the State should institute requirements for the establishment, implementation, maintenance
and sustainability of its physical protection regime. The responsibilities of a State in this regard are
addressed in three separate sections (3, 4, and 5) of Ref. [1], but implementing guidance is
consolidated here in this single section.

3.1. STATE RESPONSIBILITY

“Responsibility of the State – The responsibility for the establishment, implementation and
maintenance of a physical protection regime within a State rests entirely with that State.”
(Fundamental Principle A, Ref. [1], 3.1–3.2)

“The State's physical protection regime is intended for all nuclear material in use and storage
and during transport and for all nuclear facilities. The State should ensure the protection of
nuclear material and nuclear facilities against unauthorized removal and against sabotage.”
(Ref. [1], 3.1)

The State fulfils its responsibility by establishing a legislative and regulatory framework, delegating
regulatory responsibility to one or more competent authorities, and assigning primary responsibility
for implementing PPSs to nuclear facility operators.

A comprehensive nuclear security regime for nuclear material extends beyond its use and storage
(including at nuclear facilities) to its physical protection during transport. The State should ensure that
a comprehensive physical protection system for transport is also established, implemented and
maintained. Such a system should apply to the on-site movement of Category I and II nuclear material
between two protected areas. A nuclear facility, as the shipper or receiver of nuclear material, may
also have certain responsibilities for the physical protection of nuclear material being transported into
or out of the facility. Further guidance is provided in Ref. [2].

“The State’s physical protection regime should be reviewed and updated regularly to reflect
changes in the threat and advances made in physical protection approaches, systems, and
technology, and also the introduction of new types of nuclear material and nuclear facilities.”
(Ref. [1], 3.2)

An example of a reason for reviewing and updating the physical protection regime could be a decision
in a State, whose only existing nuclear facility is a small research reactor containing Category III
nuclear material, to construct a nuclear power plant. The higher level of physical protection needed for
the nuclear power plant would necessitate a review of the regime. Another example is a change in the
threat, as described in Section 3.5 below.

3.2. ASSIGNMENT OF PHYSICAL PROTECTION RESPONSIBILITIES

“The State should clearly define and assign physical protection responsibilities within all levels
of involved governmental entities including response forces and for operators and, if
appropriate, carriers. Provision should be made for appropriate integration and coordination
of responsibilities within the State’s physical protection regime. Clear lines of responsibility
should be established and recorded between the relevant entities especially where the entity
responsible for the armed response is separate from the operator.” (Ref. [1], 3.8)

The State should assign physical protection responsibilities to relevant competent authorities and other
government entities in relation, for example, to:
— Design basis threat (DBT) and/or threat assessment;
— Licensing/authorization of nuclear facilities and of nuclear material in use and storage;
— Inspection and evaluation of PPSs;
— Response to nuclear security events, including response forces and emergency response
organizations;
— Interface with NMAC;
— Interface with nuclear safety;
— Information and computer security relevant to physical protection of nuclear facilities and of
nuclear material in use and storage;
— Determination of the trustworthiness of personnel; and
— Enforcement actions related to compliance with licensing requirements and physical
protection regulations.

The State may consider establishing appropriate arrangements for coordination of these
responsibilities, such as a committee that includes governmental entities with assigned physical
protection responsibilities, which meets regularly for the purpose of promoting and ensuring adequate
communication, cooperation and coordination.

As part of the State’s responsibilities for physical protection, clear lines of responsibility should be
established for the appropriate competent authorities that provide the response forces for nuclear
facilities. Integration and coordination with the guards, response forces and all other involved
competent authorities should be established. The coordination between the guards and response forces
should be regularly exercised.

Each State will define response objectives and may have a different approach or strategy for using
response forces. This may depend on the type of nuclear material and facilities being protected and
potential objectives of adversaries (e.g., theft or sabotage). Three response strategies are:
— Denial of task, where the goal is for the response force to stop the adversaries (including
insiders) before they are able to successfully complete their task (e.g., sabotage).
— Denial of access, where the goal is for the response force to prevent adversaries from gaining
access to the target area.
— Containment, where the goal is for the response force to prevent adversaries from removing
the target beyond a specific point, such as the limited access area (e.g., theft), thus not
allowing nuclear material to become out of regulatory control.

The operator may conduct its own limited performance testing to assure adequate functioning of the
system, but the review of the overall effectiveness of the PPS through performance testing is the
responsibility of the regulatory body.

8
3.3 LEGISLATIVE AND REGULATORY FRAMEWORK 1
“Legislative and Regulatory Framework – The State is responsible for establishing and 2
maintaining a legislative and regulatory framework to govern physical protection. This 3
framework should provide for the establishment of applicable physical protection requirements 4
and include a system of evaluation and licensing or other procedures to grant authorization. 5
This framework should include a system of inspection of nuclear facilities and transport to 6
verify compliance with applicable requirements and conditions of the license or other 7
authorizing document, and to establish a means to enforce applicable requirements and 8
conditions, including effective sanctions.” (Fundamental Principle C, Ref. [1], 3.9–3.17) 9
“A State should take appropriate measures within the framework of its national law to establish 10
and ensure the proper implementation of the State’s physical protection regime.” (Ref. [1], 3.9) 11
3.3.1. Regulatory approaches
Various methods are available to States for the development and implementation of regulations. States should structure their regulations consistently with the State’s legislative framework. Other factors that will affect the regulations are the decisions taken by a State on the manner in which the regulatory function is carried out, including the number of competent authorities involved in supervising the physical protection regime.
The State is responsible for conducting threat assessments and the competent authority may be responsible for developing a DBT, in consultation with other relevant authorities as applicable. In either case, the competent authority uses its threat information as the basis for developing requirements or performance objectives, and evaluation criteria for determining compliance or effectiveness. Applying the graded approach, the competent authority defines physical protection objectives and/or requirements for each category of nuclear material authorized by the State and for each level of URC.
The State should base its nuclear security regime on a current evaluation of the threat, because the physical protection of nuclear material and nuclear facilities needs to be effective against the threat. There are three distinct approaches for specifying requirements within the regulatory framework to address the threat. These approaches are the performance-based method, the prescriptive method and a combination of the prescriptive and performance-based methods. Either method, or a combination, may be useful depending on the situation, but the recommendations in Ref. [1] concerning evaluations and performance testing are mostly relevant to the performance-based method, whether used alone or in combination with the prescriptive method.
The performance-based method is a more quantitative approach to ensuring and verifying the effectiveness of physical protection, and may be particularly useful when protecting higher risk nuclear material against unauthorized removal and nuclear material and facilities against sabotage, since either individual components of a PPS or multiple PPS components can be tested to demonstrate defence in depth. This does not necessarily mean that the prescriptive approach alone is not suitable for such cases: however, prescriptive requirements are often more easily applied to compliance verification of individual physical protection measures, rather than a demonstration of systematic effectiveness through performance testing. Regardless of the approach used, the requirements or objectives will need to be specified and the effectiveness of the resulting measures verified by the competent authority.
The regulatory requirements specified by the competent authority should be focused on addressing the threat, as provided in the threat assessment or a DBT. The DBT serves as the basis for developing the PPS. The PPS for a facility should be designed by the operator according to the regulatory requirements, and be approved by the competent authority.
Performance testing of individual physical protection measures and of the PPS is recommended in Ref. [1] for nuclear facilities possessing Category I or Category II nuclear material and for nuclear facilities, including nuclear power plants, the sabotage of which could lead to high radiological consequences (HRC).
3.3.1.1. Performance-based method
In the performance-based method, the State defines physical protection objectives to be met on the basis of a threat assessment and, where applicable, a DBT taking into account the graded approach. The State requires that the operator design and implement a PPS that achieves a specified level of effectiveness in protecting against malicious acts and providing contingency responses.
The performance-based method allows flexibility for the operator to propose a facility-specific combination of physical protection measures. For instance, an operator could develop a PPS that provides only a short adversary delay time, but that compensates for this with a rapid and effective response. The adequacy of these measures is performance tested against the threat assessment or DBT, to ensure that the performance-based measures meet the set objectives based on an evaluation of the PPS.
An advantage of this method is that it recognizes that an effective PPS can be achieved by many different combinations of physical protection measures, and that each facility and its operational circumstances can be unique. Proper use of the performance-based method should identify options for a PPS that satisfies the physical protection objectives and requirements and also takes account of site-specific conditions.
The performance-based method depends upon both the competent authority and the operator having high levels of security expertise to establish requirements and implement systems, respectively, based on physical protection evaluations. The performance-based approach also necessitates the State providing some sensitive information from the threat assessment or DBT to the operator, and the operator should therefore have capabilities to provide adequate protection of this sensitive information.
3.3.1.2. Prescriptive method
In the prescriptive method, the State establishes specific physical protection measures to meet its defined physical protection objectives for each category of nuclear material and each level of unacceptable radiological consequences (URC). This then provides a set of ‘baseline’ provisions for the operator to apply for each category of material and each level of URC.
Advantages of the prescriptive method include: simplicity in implementation for both the State and the operator; elimination of the need for the State to transmit sensitive information to the operators in the form of a threat assessment or DBT; and ease of inspection and evaluation. The use of the prescriptive method may be particularly appropriate in cases where both the threat level and potential consequences are low. An example is Category III nuclear material stored or used in a relatively stable socio-political environment. The prescriptive approach may also be more appropriate in cases where conducting a detailed threat assessment or establishing a DBT is not practicable.
The prescriptive method may lack flexibility to address specific circumstances. Furthermore, the operator does not have responsibility for the effectiveness of the measures introduced to reduce the risk: the prime responsibility for addressing risks belongs to the State, as the State prescribes exactly what physical protection measures are needed to address the threat. The operator only has the responsibility for effectiveness of the individual physical protection measures when operating and maintaining the PPS.
3.3.1.3. Combined approach
The combined approach includes elements from both the prescriptive and performance-based methods. There are many ways of applying the combined approach, of which two examples are provided below:
— The State may require application of a performance-based method for the nuclear materials having the highest potential consequences of malicious use, while allowing application of a prescriptive method for lower consequence nuclear materials.
— The State may require that a set of prescriptive requirements (e.g. confidentiality, trustworthiness) be supplemented by using the performance-based method to address other features of the PPS.
The main advantage of the combined approach is the flexibility it allows. The limitations of a combined approach will be similar to those associated with the performance-based and prescriptive methods and will depend on the specific implementation chosen by the State. However, a well-executed combined approach may be able to balance and reduce the limitations associated with each of the other approaches.
3.3.2. System evaluation, including performance testing: requirements by the State
The recommendations in Ref. [1] emphasize the importance of evaluating PPSs, including performance testing, for example:
— The legislative and regulatory framework should “provide for the establishment of applicable physical protection requirements and include a system of evaluation” (Fundamental Principle C).
— The legislative and regulatory framework should “ensure that evaluations include exercises to test the physical protection system, including the training and readiness of guards and/or response forces” (Ref. [1], 3.13).
— The competent authority should “ensure that evaluations based on performance testing are conducted by operators at nuclear facilities” (Ref. [1], 3.21).
— The sustainability programme “should encompass performance testing and operational monitoring” (Ref. [1], 3.57).
System evaluations, including performance testing, should be conducted by operators of all nuclear facility PPSs, taking into account systems for NMAC, information security and computer security. System evaluation generally consists of testing and analysis. Testing may be conducted at the component, subsystem and system levels, including hardware/equipment, software, people and procedures. Analysis may include qualitative and/or quantitative (numerical) methods and involve the use of modelling and simulation. Modelling and simulation methods may include manual and computer-based mathematical models, computer combat simulations, table top exercises, response force exercises and force-on-force exercises. System evaluations should always include some exercises.
There are differences and trade-offs between the methods regarding the amount and quality of data needed, the type of information gained, the limitations of the method and the costs. Using the graded approach, the competent authority should establish a minimum set of system evaluation measures, including performance testing requirements. These regulatory requirements could address roles and responsibilities, required and/or allowed methods, documentation requirements, and required frequencies or periods for system evaluation including performance testing. For example, some tests and exercises may be required at least on an annual basis, while more comprehensive exercises may be conducted less frequently, not exceeding two to three years (such as force-on-force exercises). The competent authority should review the system evaluations, including performance testing conducted, for example by verifying that the data and methodologies supporting the evaluation and testing are correct, and that the results of the evaluation and testing correctly characterize the PPS.
The competent authority may consider using an independent expert third party to conduct performance testing. One example would be to perform delay tests of sample barriers using the adversary capabilities defined by the threat assessment/DBT.
3.3.2.1. Licensing and other procedures to grant authorization
“The State should license activities or grant authorization only when such activities comply with its physical protection regulations. The State should make provision for a detailed examination, made by the State’s competent authority, of proposed physical protection measures in order to evaluate them for approval of these activities prior to licensing or granting authorization, and whenever a significant change takes place, to ensure continued compliance with physical protection regulations.” (Ref. [1], 3.12)
Primary responsibility for implementing measures for the physical protection of nuclear material rests with each operator, while control over physical protection by the State is exercised primarily through government or regulatory licensing (or authorization). Hence, a primary task of the State is to define licensing requirements in relation to PPSs, and to consider whether to approve applications for new licences and renewals or amendments to existing licences. The operator’s security plan is submitted by an applicant to the State as part of the nuclear facility licensing process. Compliance with an approved security plan should be a condition of the licence once it is granted. The licence itself should be an official document authorizing an activity or activities, such as operation of a facility. Licensing is an ongoing process throughout all stages of the life of a nuclear facility. The licence may be modified, suspended or revoked depending upon circumstances and the operator’s performance, but always by and under the control of the State.
The State should license activities only when they comply with its physical protection requirements. It is suggested that any licence issued include:
— Designation of the specific activity or activities licensed;
— Any constraints regarding the activities, such as specific requirements, conditions or time limits; and
— Explicit statement of the responsibilities of the licensee.
The State should ensure that it has received, assessed and approved the applicant’s or operator’s security plan for the activities to be licensed before the licence is issued and before nuclear material is introduced into the facility. Assessment should be supported by a review of the PPS proposed for the facility. Should any deficiencies be identified, the State may withhold the granting of the licence until these deficiencies are corrected and the PPS verified to be acceptable or may approve the licence with conditions requiring that the deficiencies be corrected within a specified time.
Further guidance on the licensing process is provided in Ref. [5].
3.3.2.2. Regulatory enforcement
The State is responsible for managing the risk associated with possible malicious acts involving or directed against nuclear materials and nuclear facilities through the implementation of an effective nuclear security regime. Enforcement of physical protection regulations and licensing conditions through an effective legal and regulatory framework is a necessary part of a State’s nuclear security regime. For protection of nuclear material and of nuclear facilities, the State should assign the power to initiate legal proceedings or to impose sanctions in accordance with the law. Such sanctions may include suspension or revocation of a licence and/or other penalties against individuals or organizations.
3.3.3. Competent authority
“Competent Authority – The State should establish or designate a competent authority which is responsible for the implementation of the legislative and regulatory framework, and is provided with adequate authority, competence and financial and human resources to fulfil its assigned responsibilities. The State should take steps to ensure an effective independence between the functions of the State’s competent authority and those of any other body in charge of the promotion or utilization of nuclear energy.” (Fundamental Principle D, Ref. [1], 3.18–3.22)
Effective independence refers to the ability of the competent authority responsible for nuclear security to enforce requirements and regulations necessary for nuclear security without interference from those responsible for the promotion or utilization of nuclear energy or other nuclear applications. The operations, funding and staffing of the competent authority should be independent of bodies associated with such promotion or utilization. The competent authority will need to employ sufficient qualified and competent staff, commensurate with the nature and number of nuclear facilities and activities to be regulated, to perform its functions and to discharge its responsibilities. It is suggested that the competent authority develop human resource plans that identify necessary levels of staffing and training to adequately perform the competent authority’s functions. The competent authority will also need to have access to sufficient financial resources for the proper discharge of its assigned responsibilities.
3.3.3.1. Role of competent authority in requiring security plans
“The competent authority should review and approve the security plan, the implementation of which should be then part of the licence conditions.” (Ref. [1], 3.27)
The competent authority should effectively communicate to licence applicants and operators those requirements that they must satisfy in order to design and implement a PPS that will be acceptable to the competent authority under the State’s legislative and regulatory framework for physical protection. An important element is the operator’s development of and compliance with the security plan, appropriate to the category of nuclear material being protected and the levels of potential radiological consequences of sabotage. It is suggested that the competent authority issue instructions to operators concerning requirements for a security plan that should ensure that all elements of a State’s physical protection requirements are met.
The security plan is the primary reference describing the PPS intended to meet the requirements specified by the competent authority. The State should specify what information in the security plan needs to be protected and how it should be protected. An annotated outline for a comprehensive security plan is presented in Appendix I as an example.
3.3.3.2. Role of competent authority in establishing an inspection programme
“The State’s competent authority should be responsible for verifying continued compliance with the physical protection regulations and licence condition through regular inspections and for ensuring that corrective action is taken when needed.” (Ref. [1], 3.20)
The objective of an inspection programme is to verify that the physical protection measures actually in place are in compliance with regulatory requirements and applicable licence conditions. This should include verifying effective implementation of the approved security plan and compliance with regulatory requirements. In case of non-compliance, regulatory and/or enforcement action should be considered and relevant and proportionate measures or sanctions may be applied.
The competent authority needs to ensure that inspectors are qualified, suitably trained and experienced. The competent authority may specify qualification and training requirements for inspectors. The inspection programme should include both announced and unannounced inspections (unannounced inspections help to ensure that the operator maintains arrangements in accordance with the approved security plan at all times, not just when it is known that an inspection will occur). Inspections may occur at any time, during or outside normal working hours, and include all routine and non-routine operational activities undertaken at the nuclear facility, e.g. during reactor shutdown for maintenance and refuelling. It is suggested that the inspection programme ensure that all physical protection measures, including technical, procedural and administrative provisions, are reviewed and verified. Inspections are best carried out in a manner that does not unduly impede or affect facility operations. If the inspection identifies any deficiencies in the physical protection system, the competent authority should ensure that appropriate compensatory measures are employed by the operator until the deficiency has been corrected and a sufficiently effective system has been achieved.
When inspections discover non-compliance or other issues, subsequent inspection procedures should include verification of the follow-up of corrective actions required. It is suggested that the consequences of such findings are graded and acted upon commensurate with the category of nuclear material present and the potential consequences of sabotage. Inspectors will need to be assured that corrective actions achieve appropriate effectiveness, through monitoring progress and verifying follow-up actions that ensure they have been completed to an acceptable standard. In some cases, return to normal operating conditions may not need to be explicitly approved, but notification of the competent authority is necessary. The competent authority should approve corrective actions and these should be included in an updated security plan.
The number of inspections planned for a facility may be facility-specific and determined by the competent authority based on the category of material being protected, the levels of potential radiological consequences of sabotage, the threat assessment or DBT, and any other relevant factors. The operator’s history of compliance may also be taken into account in determining inspection frequency. Reactive inspections may be necessary from time to time, for example following a security event at the nuclear facility or a change in the threat.
3.3.3.3. Timely reporting of nuclear security events
“The State’s physical protection regime should include requirements for timely reporting of nuclear security events and information which enables the State’s competent authority to be informed of any changes at nuclear facilities or related to transport of nuclear material that may affect physical protection measures.” (Ref. [1], 3.22)
The State should determine the types of event that the operator is required to report to the competent authority and acceptable time periods within which they must be reported. The competent authority should receive timely information about any significant events concerning unauthorized actions affecting the physical protection of nuclear material or nuclear facilities, for example:
— Actual or attempted intrusion into the facility or into a designated area;
— Malicious acts;
— Attempted or actual unauthorized removal, loss or unauthorized movement of nuclear material, whether involving external adversaries or insiders;
— Discovery of prohibited items;
— Events involving individuals requiring reporting in accordance with the State’s trustworthiness policy;
— Loss or unauthorized disclosure of sensitive information;
— Deviation from the approved security plan, e.g. loss of power supply to physical protection equipment, weather damage to fences;
— Compromise or attempted compromise of computer systems used for physical protection, nuclear safety or NMAC systems (see Ref. [6] for further guidance).
There may be a requirement for the competent authority to inform other government entities and participate in a coordinated response to the security event. There may also be a requirement for the operator or competent authority to investigate the incident to prevent a re-occurrence and to learn from the experience. Enforcement action may also be required.
3.3.4. Responsibility of the licence holders
“Responsibility of the Licence Holders – The responsibilities for implementing the various elements of physical protection within a State should be clearly identified. The State should ensure that the prime responsibility for the implementation of physical protection of nuclear material or of nuclear facilities rests with the holders of the relevant licences or of other authorizing documents (e.g., operators or shippers).” (Fundamental Principle E, Ref. [1], 3.23–3.30)
This topic is addressed in Section 4.2, on general responsibilities of the operator.
3.4. INTERNATIONAL COOPERATION AND ASSISTANCE
It is important that each State consider whether, under what circumstances and to what extent it may cooperate with other States, including the appropriate sharing of information and knowledge derived from its national nuclear security regime, having regard to the need to protect sensitive nuclear security information and to any international obligations or agreements to share information.
Ref. [1] provides two recommendations and one suggestion regarding international cooperation and assistance, specific to the physical protection of nuclear facilities:
“In the case of unauthorized removal or sabotage or credible threat thereof, the State should provide appropriate information as soon as possible to other States which appear to it to be concerned, and to inform, where appropriate, the International Atomic Energy Agency and other relevant international organizations.” (Ref. [1], 3.33)
Provision of such information to neighbouring States and the IAEA is especially important. Information may be provided on a voluntary basis to the IAEA Incident and Trafficking Database. In the case of unauthorized removal of nuclear material, the affected State may benefit from assistance from neighbouring States to locate and recover the missing nuclear material if it may have entered or passed through those States. Detection of the material will depend on the system for detection of nuclear and other radioactive material out of regulatory control in the State where the material is. Further guidance on this issue may be found in [7].
“States should inform the International Atomic Energy Agency and other States as applicable, of appropriate points of contact for matters related to the physical protection of nuclear material and nuclear facilities.” (Ref. [1], 3.32)
State points of contact for physical protection, established in advance of a nuclear security event, are especially important in the case of unauthorized removal or sabotage to be able to quickly and accurately communicate essential information to neighbouring States and other concerned parties, either directly or through the IAEA. These contacts may also be useful in communicating other important physical protection information, such as information about new threats.
“States are encouraged to cooperate and consult, and to exchange information on physical protection techniques and practices, either directly or through the International Atomic Energy Agency and other relevant international organizations.” (Ref. [1], 3.31)
States with operating nuclear facilities have gained experience with physical protection and have accumulated both good practices and lessons learned. Sharing these types of information among States can benefit the global community by raising the overall level of physical protection of nuclear material. While some facility-specific sensitive information may not be shared, much useful information can be shared in workshops, training programmes and nuclear security conferences. The IAEA is a useful vehicle for sharing such information, without a need for attribution.
3.5. IDENTIFICATION AND ASSESSMENT OF THREATS
“Threat – The State’s physical protection should be based on the State’s current evaluation of the threat.” (Fundamental Principle G, Ref. [1], 3.34–3.40)
“The appropriate State authorities, using various credible information sources, should define the threat and associated capabilities in the form of a threat assessment and, if appropriate, a design basis threat. A design basis threat is developed from an evaluation by the State of the threat of unauthorized removal and of sabotage.” (Ref. [1], 3.34)
States will have different levels of ability to identify and evaluate threats. Some States have extensive and sophisticated security and intelligence capabilities that can assist the State in understanding the nature and extent of threats, including those that might be directed toward nuclear material and nuclear facilities. In other cases, general information about the national threat (e.g. areas of civil unrest, criminal activities or terrorist presence) and international threats will need to be understood and evaluated to identify the potential threat within the State. In all cases, there should be a competent authority responsible for the development of the threat assessment, which will need cooperation among all the State agencies that have responsibilities for understanding and responding to the threat (e.g., intelligence services, police, military, customs and border control, local law enforcement agencies). As this work will need the use of sensitive information, appropriate information security measures should be applied to the threat assessment and any resulting DBT.
A threat assessment is an evaluation of the existing threats which describes the motivations, intentions and capabilities of potential adversaries to commit malicious acts. The threat assessment considers threats of terrorism and other crimes involving or directed against nuclear material and nuclear facilities, particularly unauthorized removal of nuclear material and sabotage of nuclear material and nuclear facilities, and includes both external and insider threat considerations. Threat assessment makes use of domestic, transnational and global sources of information on the threats.
Further guidance on threat assessment and on defining a DBT based on the threat assessment is given in Ref. [8]. The guidance includes considerations concerning the decision whether to use a DBT or an alternative threat statement (the “alternative threat statement” noted in Ref. [8] represents a less rigorous approach in defining the threat for the design of PPSs).
A DBT may be used by the competent authority in different ways. For a performance-based approach, a DBT may be used by the operator for the design of the PPS and by the competent authority for evaluation of the PPS. For the prescriptive approach, a threat assessment may be sufficient for the competent authority to define the physical protection measures which the operator will be required to implement, except where Category I nuclear material is held and/or the sabotage of the nuclear facility potentially has HRC. In these latter cases, the State’s physical protection requirements should be based on a DBT specifically for unauthorized removal of Category I nuclear material and sabotage of nuclear material and nuclear facilities.
“When considering the threat, due attention should be paid to insiders. They could take advantage of their access rights, complemented by their authority and knowledge, to bypass dedicated physical protection elements or other provisions, such as safety procedures. The physical protection system should be assisted by nuclear material accountancy and control measures to deter and detect the protracted theft of nuclear material by an insider.” (Ref. [1], 3.36)
The IAEA has published guidance [9] to assist States with such analysis.
Consideration of attacks on computer-based systems, including instrumentation and control (I&C) systems, is also necessary and should encompass nuclear safety, NMAC and the PPS. Such systems include databases, access controls and alarm management systems. When reviewing threats to such systems, attacks such as manipulation and falsification of data also need to be considered by the State as potential capabilities of the adversary, from both insider threat and external adversary perspectives. See Ref. [6] for more information about this threat.
The threat assessment or DBT should consider possible stand-off attacks (Ref. [1], 3.40). A stand-off attack is an attack carried out from a distance away from the nuclear facility, which does not involve the adversary having hands-on access to the target or needing to overcome the PPS. Examples of stand-off scenarios include the use of portable missile launchers or malicious aircraft impacts. The State should determine which types of stand-off attack need to be considered by the operator.
The State should continuously review the threat and evaluate the implications of any changes in the threat assessment or DBT. A good practice is for the State to decide annually whether the review of the threat necessitates an update of the threat assessment. Regional, national or international security events may lead to the State updating the threat assessment before the scheduled periodic review. The State should review its physical protection requirements in light of any change to the threat assessment or DBT. The operator will then need to review its PPS (including a review of potential sabotage targets) and any changes to the design of the PPS should be submitted to the competent authority for approval before implementation.
3.6. RISK-BASED PHYSICAL PROTECTION SYSTEMS

“The State should ensure that the State’s physical protection regime is capable of establishing
and maintaining the risk of unauthorized removal and sabotage at acceptable levels through
risk management. This requires assessing the threat and the potential consequences of
malicious acts, and then developing a legislative, regulatory and programmatic framework
which ensures that appropriate effective physical protection measures are put in place.” (Ref.
[1], 3.41)

In nuclear security, risk includes consideration of a threat, the likelihood that malicious acts could be
successfully carried out by this threat and the potential consequences resulting from such acts.

The State should use a risk management approach to ensure that its physical protection requirements
are keeping the risk associated with unauthorized removal or sabotage at an acceptable level. Risk
management consists of evaluating the threat and potential consequences of malicious acts and
ensuring that appropriate PPSs are put into place to prevent or sufficiently reduce the likelihood of a
successful malicious act.

Risk management takes into account an assessment of risk, which can be quantitative or qualitative. A
risk-based assessment involves determining the risk associated with a particular event as a function of
quantitative expressions of the probability of the event occurring and the expected consequences of the
event if it were to occur. Quantifying the probability of a malicious act being attempted, or of an
attempt being successful, is very difficult, if not impossible. In the absence of quantitative methods to
determine nuclear security risk, qualitative risk management approaches may be used to inform
decisions on physical protection. For planning purposes, it may be assumed that an attempt is certain
to occur. In this case the risk is called conditional risk, where the condition is that a malicious attack
is attempted. Qualitative risk management involves consideration of the likelihood of an attempt, the
probability of success of such an attempt, taking account of the vulnerability of the target(s) to the
threat, and the potential consequences of a successful attempt, in order to identify high risk
combinations of factors (e.g. high threat likelihood, high level adversary capabilities and severe
consequences) where efforts should be focused to reduce the risk most effectively. Similarly, low risk
combinations illustrate where security measures might not need to be so stringent.

The State, the competent authority and the operator should use the risk management approach to
ensure that the physical protection measures applied to nuclear materials and nuclear facilities keep the
risk of unauthorized removal of nuclear material and sabotage at an acceptable level. The State
determines the required criteria for acceptable performance of the PPS against unauthorized removal,
usually in relation to the DBT, because the State must accept the residual risk of any failure of the
PPS. The State should also determine what constitute URC and HRC to use as a basis for required
performance of the PPS against sabotage, both below and above the URC threshold (more detail is
provided in Section 3.6.3.1 below). Risk management practices provide a means to inform the
appropriate application of physical protection measures through the use of a graded approach, as
described further in Sections 3.6.1–3.6.3.

A risk assessment may identify risks that need to be further evaluated to determine whether additional
measures are required to reduce these risks. Risk can be managed through, for example, deterrence
(e.g. appearance of robust physical protection measures), strengthening physical protection measures
(e.g. additional defence in depth, adding blast walls) and reducing potential consequences (e.g.
changing the amount, type, dilution, chemical or physical form of the nuclear material), while
considering the safety implications of such changes.
3.6.1. Graded approach

“Graded Approach – Physical protection requirements should be based on a graded approach,
taking into account the current evaluation of the threat, the relative attractiveness, the nature of
the material and potential consequences associated with the unauthorized removal of nuclear
material and with the sabotage against nuclear material or nuclear facilities.” (Fundamental
Principle H, Ref. [1], 3.43–3.44)

The development of the State’s physical protection requirements and regulations should be structured
around a graded approach, which is used to provide higher levels of protection against events that
could result in higher consequences.

For protection against unauthorized removal of nuclear material for use in a nuclear explosive device,
the category of the nuclear material, as defined in Table 1 (from Ref. [1], reproduced below), reflects
the relative difficulty of producing a nuclear explosive device with such material. Therefore, in
accordance with the graded approach, Category I material should be protected with the most stringent
levels of physical protection, whereas nuclear materials below Category III need to be protected only
in accordance with prudent management practice. (Ref. [1], 4.12 and footnote c of Table 1)

For protection against sabotage, the State needs to consider the potential radiological consequences of
such acts and apply a graded approach. The State should consider how to protect nuclear facilities
taking into account their potential to cause URC and ensure that protection measures are required for
the targets within the facilities capable of producing such consequences. The State should also
consider the use of this concept to define the graded levels of other physical protection measures, such
as confidentiality of sensitive information and trustworthiness of individuals.

3.6.2. Graded levels of physical protection based on consequence of unauthorized removal

3.6.2.1. Nuclear material categorization for unauthorized removal

“The primary factor in determining the physical protection measures for unauthorized removal
of nuclear material is the nuclear material itself. Table 1 categorizes the different types of
nuclear material in terms of element, isotope, quantity and irradiation. This categorization is
the basis for a graded approach for protection against unauthorized removal of nuclear
material that could be used in a nuclear explosive device, which itself depends on the type of
nuclear material (e.g. plutonium and uranium), isotopic composition (i.e. content of fissile
isotopes), physical and chemical form, degree of dilution, radiation, radiation level and
quantity.” (Ref. [1], 4.5)

Table 1 from Ref. [1], reproduced below, specifies the type of nuclear material (e.g. plutonium and
uranium), its irradiation level, isotopic composition (i.e. content of fissile isotopes), and the quantity
that establishes the thresholds for three categories.
TABLE 1 – CATEGORIZATION OF NUCLEAR MATERIAL

| Material | Form | Category I | Category II | Category III (c) |
|---|---|---|---|---|
| 1. Plutonium (a) | Unirradiated (b) | 2 kg or more | Less than 2 kg but more than 500 g | 500 g or less but more than 15 g |
| 2. Uranium-235 | Unirradiated (b): uranium enriched to 20% 235U or more | 5 kg or more | Less than 5 kg but more than 1 kg | 1 kg or less but more than 15 g |
| | Unirradiated (b): uranium enriched to 10% 235U but less than 20% 235U | | 10 kg or more | Less than 10 kg but more than 1 kg |
| | Unirradiated (b): uranium enriched above natural, but less than 10% 235U | | | 10 kg or more |
| 3. Uranium-233 | Unirradiated (b) | 2 kg or more | Less than 2 kg but more than 500 g | 500 g or less but more than 15 g |
| 4. Irradiated fuel (The categorization of irradiated fuel in the table is based on international transport considerations. The State may assign a different category for domestic use, storage, and transport taking all relevant factors into account.) | | | Depleted or natural uranium, thorium or low-enriched fuel (less than 10% fissile content) (d, e) | |

Note: This table is not to be used or interpreted independently of the text of Ref. [1].
(a) All plutonium except that with isotopic concentration exceeding 80% in plutonium-238.
(b) Material not irradiated in a reactor or material irradiated in a reactor but with a radiation level equal to or less than 1 Gy/h (100 rad/h) at 1 m unshielded.
(c) Quantities not falling in Category III and natural uranium, depleted uranium and thorium should be protected at least in accordance with prudent management practice.
(d) Although this level of protection is recommended, it would be open to States, upon evaluation of the specific circumstances, to assign a different category of physical protection.
(e) Other fuel which by virtue of its original fissile material content is classified as Category I or II before irradiation may be reduced one category level while the radiation level from the fuel exceeds 1 Gy/h (100 rad/h) at 1 m unshielded.
The categorization in Table 1 makes use of the nuclear material attributes cited in para. 4.5 of Ref. [1]:
nuclear material type, isotopic composition, quantity and irradiation. Table 1 does not describe how to
use other attributes mentioned in para. 4.5, such as physical and chemical form and degree of dilution,
as a basis for graded protection against unauthorized removal. However, Ref. [1] mentions that a State
can take into account all of these attributes. An explanation of the categorization of irradiated fuel is
provided below, together with further nuclear security considerations which arise from material form
or dilution and aggregation.
3.6.2.2. Categorization of irradiated fuel

Row 4 of Table 1 addresses irradiated fuel, which is defined in footnote b as material irradiated in a
reactor with a radiation level greater than 1 Gy/h (100 rad/h) at 1 metre unshielded. This row places
irradiated fuel that was composed before irradiation of depleted or natural uranium, thorium or
uranium enriched to less than 10% uranium-235 in Category II, despite none of these fuels being
placed higher than Category III before irradiation. The reason for this change in categorization is that,
during irradiation in a reactor, plutonium (mostly plutonium-239) is produced by the capture of
neutrons in the uranium-238 in uranium-based fuels and uranium-233 is similarly produced in the
thorium fuel. The percentage of plutonium or thorium produced as a result of irradiation is relatively
small (typically around 1% of the total weight of fuel in the case of plutonium). However, as this
irradiated fuel is typically stored in large quantities, it contains a Category I quantity of nuclear
material (i.e., more than 2 kg of plutonium or uranium-233). In common with the guidance in footnote
e, these irradiated fuels may be reduced by one category level (to Category II) because of their reduced
attractiveness due to their radiation level.

Row 4 also states that, upon evaluation of the specific circumstances, States may assign a different
level of physical protection to the above-mentioned irradiated fuels while in domestic use, storage and
transport. An example of such circumstances is a location (such as a post-irradiation examination
facility) where only a small number of irradiated fuel rods are held. Because of the smaller overall
quantity of material, the irradiated fuel rods may contain less than 2 kg plutonium or uranium-233, in
which case it would be appropriate to assign a Category III level of protection to the irradiated fuel.
(Records maintained for NMAC will confirm whether this is the case, as they should contain an
estimate of the quantity of plutonium or uranium-233 within irradiated fuel, as well as the quantity of
other nuclear material in this fuel.)

Footnote e states that other fuel in Category I or II before irradiation may be reduced by one category
after it becomes irradiated fuel. This footnote is applicable in the following circumstances for the
reasons stated:
— The main plutonium-based fuels, mixed oxide fuel and fast breeder reactor fuel, typically
contain around 7% and 30% plutonium respectively. Although irradiation in a reactor will
reduce the plutonium content to some extent, this will not substantially reduce the overall
content by weight of plutonium in the irradiated fuel, which itself is normally stored in large
quantities. Thus, a Category I quantity of plutonium will normally remain in the irradiated
fuel. This fuel may be reduced one category to Category II, in accordance with footnote e,
because of its reduced attractiveness due to its radiation level. The irradiation in a reactor of
high enriched uranium (HEU) fuels (i.e. those containing uranium enriched to 20% uranium-235
or more) will reduce the uranium-235 content by a few percentage points. However, this
will not normally reduce the enrichment level to below 20% following irradiation. Thus, the
irradiated fuel will continue to comprise mostly uranium enriched to 20% or more. As a
result, irradiated HEU fuel held at one location which in total contained 5 kg or more
uranium-235 before irradiation may be reduced one category to Category II, and HEU fuel
which contained more than 1 kg but less than 5 kg uranium-235 before irradiation may be
reduced one category to Category III, in accordance with footnote e, because of their reduced
attractiveness due to their radiation level.
— Similarly, irradiation in a reactor of fuels originally containing uranium enriched to 10%
uranium-235 but less than 20% uranium-235 (e.g. research reactor fuel, which is commonly
enriched to around 19.5% uranium-235 before irradiation) will not normally reduce the
uranium-235 enrichment level to below 10%. The irradiation of fuel enriched to these levels
does not result in the production of a significant quantity of plutonium because of the reduced
level of uranium-238 in the fuel, and the relatively small quantities of it used in research
reactors. Hence, the primary drivers for the categorization of this fuel, once irradiated, remain
its quantity and enrichment level. Therefore, if the total quantity of this fuel held at one
location contained 10 kg or more uranium-235 before irradiation, it may be reduced one
category to Category III once it becomes irradiated fuel, in accordance with the footnote,
because of its reduced attractiveness due to its radiation level.
It should be noted that the general option for States to assign a different category of physical
protection to that indicated in Table 1 (footnote d) does not appear to apply to irradiated fuel that
originally contained a Category I or II quantity of plutonium or uranium enriched to 10% or more. It
should also be noted that radiation levels of all types of irradiated fuel will reduce over time, which
may necessitate a re-evaluation of the material categorization.

As noted above, States have the option under footnote e of Table 1 to reduce by one category the
physical protection measures against unauthorized removal of nuclear material if that nuclear material
has a total external radiation dose rate in excess of 1 Gy/h at a distance of 1 m from any accessible
surface without intervening shielding. This criterion is a dose rate at which an individual attempting to
handle the material would begin to suffer serious deterministic health effects from radiation exposure
within a time period of less than an hour. Using simple theft scenarios, it was concluded that a
radiation dose rate at this level would act as at least an effective deterrent to the theft of radioactive
material. However, contemporary adversaries have proven their willingness to risk death to achieve
their missions. Thus, while footnote e of Table 1 does provide this option of reducing the nuclear
material category for irradiated fuel by one category, States should carefully consider whether or not
this is an acceptable modification in determining their physical protection requirements.
3.6.2.3. Considerations in setting graded protection requirements based on material form or dilution

Many States have historically used a three-factor methodology to categorize unirradiated nuclear
material for the purpose of applying appropriate physical protection against unauthorized removal.
With this methodology, for any nuclear material, the element (plutonium or uranium), the isotopic
composition and the quantity are the three factors considered in determining the level of physical
protection required to protect against unauthorized removal. This methodology is simple to implement,
but there are situations in which it may result in overly conservative protection requirements for the
material being protected. It is therefore suggested that the State consider other attributes of the
material which might provide additional impediments to an adversary in potential theft scenarios, such
as dilution or extensive material separation issues.

The recommendations in Ref. [1] already recognize the need for consideration of other factors:
— For nuclear material in general, the categorization from Ref. [1] “is the basis for a graded
approach for protection against unauthorized removal of nuclear material that could be used in
a nuclear explosive device, which itself depends upon the type of nuclear material (e.g.
plutonium and uranium), isotopic composition (i.e. content of fissile isotopes), physical and
chemical form, degree of dilution, radiation level, and quantity” (Ref. [1], 4.5)
— For waste: “Nuclear material which is in a form that is no longer usable for any nuclear
activity, minimizes environmental dispersal and is practically irrecoverable, may be protected
against unauthorized removal in accordance with prudent management practice.” (Ref. [1],
4.7)
— For irradiated fuel, footnote e of Table 1 would allow reduction of category based on radiation
level.

Material that is in a dilute form will force an adversary to acquire much larger volumes and masses of
material to obtain a significant quantity of nuclear material. The adversary may also be faced with
more difficulties in recovering the nuclear material, needing to perform more processing steps to
convert the nuclear material to a form usable to construct a nuclear explosive device. Given these
additional challenges for the adversary, a State may want to consider the dilution in the categorization
of nuclear material. Hence, possible additional parameters could be the concentration of nuclear
material and the homogeneity of the concentration within the material. This could encourage the
processing and storage of nuclear material forms that are less attractive to an adversary.

If the material itself is considered to have intrinsic factors reducing its attractiveness or other
characteristics which may be considered in determining appropriate response force reactions, a
documented evaluation should be performed before such factors are applied to physical protection
measures. Otherwise, the three-factor methodology of categorization should be applied.
3.6.2.4. Additional considerations based on adding nuclear material together

“In determining the levels of physical protection in a facility, which may consist of several
buildings, the operator may identify, in agreement with the State’s competent authority, part of
the nuclear facility which contains nuclear material of a different category and which is
therefore protected at a different level than the rest of the nuclear facility. Conversely,
consideration may need to be given to adding together the total amount of nuclear material
contained in a number of buildings to determine the appropriate protection arrangements for
this group of buildings.” (Ref. [1], 4.8)

Consideration may need to be given to adding together, or aggregating, the total amount of nuclear
material contained within a nuclear facility, group of buildings or group of rooms when assigning
physical protection levels for that facility, group of buildings or group of rooms against unauthorized
removal of nuclear material. The method for adding nuclear materials together, also known as nuclear
material aggregation, is an important element in deciding on (and potentially increasing) the required
levels of physical protection.

A key consideration is what an adversary could plausibly collect and remove in a single attack
scenario. Para. 4.8 of Ref. [1] addresses the possibility that quantities of nuclear materials may be
removed by the adversary from several locations or buildings during a single adversary attack.

In some facilities, nuclear material of the same type (for example, uranium enriched to more than 20%
uranium-235) may be located in several different buildings, for different purposes or at different stages
of a process. For example, there may be 4 kg of such material in one building and another 4 kg of
similar material in another building within the same protected area. Considered individually, each
quantity of material is Category II. However, if the whole 8 kg could be taken during a single
adversary attack, the material should be designated as Category I and the PPS should be
correspondingly robust.
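
The same-type aggregation described above, together with the footnote b and footnote e treatment of irradiated fuel from Section 3.6.2.2, as an added Python example that is not part of the IAEA text. Function and constant names are this example's own, quantities are assumed to be grams of the element or isotope named in Table 1 (uranium-235 content for the uranium rows), and the holdings are constructed sample data. Aggregation of different material types (Appendix II) and the State's footnote d discretion are not modelled: the overall result is simply the most stringent per-type category.

```python
from collections import defaultdict

# Least to most stringent; "prudent" = below Category III (footnote c).
LEVELS = ["prudent", "III", "II", "I"]

# Material types for rows 1-3 of Table 1 (labels are this example's own).
PU = "plutonium"
U233 = "uranium-233"
HEU = "uranium, 20% U-235 or more"
U10_20 = "uranium, 10% to less than 20% U-235"
LEU = "uranium, above natural to less than 10% U-235"

# Table 1 thresholds in grams, most stringent first. Each entry is
# (category, limit, inclusive): inclusive=True means "limit or more",
# inclusive=False means "more than limit".
TABLE_1 = {
    PU:     [("I", 2000, True), ("II", 500, False), ("III", 15, False)],
    U233:   [("I", 2000, True), ("II", 500, False), ("III", 15, False)],
    HEU:    [("I", 5000, True), ("II", 1000, False), ("III", 15, False)],
    U10_20: [("II", 10000, True), ("III", 1000, False)],
    LEU:    [("III", 10000, True)],
}

DOSE_LIMIT_GY_H = 1.0  # footnote b, measured at 1 m unshielded


def is_irradiated(dose_gy_h):
    """Footnote b: at or below 1 Gy/h the material counts as unirradiated."""
    return dose_gy_h > DOSE_LIMIT_GY_H


def categorize(material, grams, irradiated=False, apply_footnote_e=True):
    """Category for one total quantity of a single material type.

    For irradiated fuel, grams is the content before irradiation.
    apply_footnote_e=False models a State that declines the reduction.
    """
    if irradiated and material == LEU:
        return "II"  # row 4 of Table 1: irradiated low-enriched fuel
    category = "prudent"
    for name, limit, inclusive in TABLE_1[material]:
        if grams > limit or (inclusive and grams == limit):
            category = name
            break
    if irradiated and apply_footnote_e and category in ("I", "II"):
        category = LEVELS[LEVELS.index(category) - 1]  # one level lower
    return category


def most_stringent(categories):
    """Most stringent category in an iterable ("prudent" if empty)."""
    return max(categories, key=LEVELS.index, default="prudent")


def aggregate(holdings):
    """Total grams per (material, irradiated) over all listed locations."""
    totals = defaultdict(float)
    for _location, material, grams, dose_gy_h in holdings:
        totals[(material, is_irradiated(dose_gy_h))] += grams
    return dict(totals)


def compare(holdings, apply_footnote_e=True):
    """Return ({location: category taken alone}, category after aggregation)."""
    by_location = defaultdict(list)
    for location, material, grams, dose_gy_h in holdings:
        by_location[location].append(
            categorize(material, grams, is_irradiated(dose_gy_h), apply_footnote_e))
    alone = {loc: most_stringent(cats) for loc, cats in by_location.items()}
    combined = most_stringent(
        categorize(material, grams, irradiated, apply_footnote_e)
        for (material, irradiated), grams in aggregate(holdings).items())
    return alone, combined


# Constructed sample: the two-building case from the text (4 kg + 4 kg of
# uranium enriched above 20%), assumed reachable in a single attack scenario.
TWO_BUILDINGS = [
    ("Building A", HEU, 4000, 0.0),
    ("Building B", HEU, 4000, 0.0),
]

if __name__ == "__main__":
    alone, combined = compare(TWO_BUILDINGS)
    print("considered individually:", alone)
    print("aggregated:", combined)
    # Irradiated HEU fuel that held 6 kg U-235 before irradiation.
    print("footnote e applied:", categorize(HEU, 6000, irradiated=True))
    print("footnote e declined:",
          categorize(HEU, 6000, irradiated=True, apply_footnote_e=False))
```

Only holdings that the operator's analysis shows could be taken in one attack scenario belong in the same list; locations the competent authority has accepted as separately protected would be evaluated as separate lists.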
Nuclear materials of different types (e.g. plutonium and uranium with different levels of enrichment in
233U and/or 235U) may be co-located in the same nuclear facility. The total amount of nuclear material
in the facility should be considered in determining the categorization of the nuclear material in any
specific location, and hence in identifying the appropriate physical protection measures to apply to the
nuclear material. There are several mathematical approaches for calculating the category for
aggregated quantities of different nuclear materials, and the State should decide which approach it will
use. One mathematical approach for aggregation of different types of nuclear material uses a set of
formulas derived from Table 1: see Appendix II for further details. However, enhanced protection
against unauthorized removal from different locations within a nuclear facility may not be required if
the competent authority approves a determination by the operator that unauthorized removal of
separate quantities of materials from the different locations by a single adversary is unlikely because:
— The separate locations are protected by separate PPSs and guards and/or response forces are
able to effectively counter attacks by adversaries to both locations; and
— The separate locations are managed by and under control of different groups of employees,
thereby limiting the threat from an insider to only one of the locations.

The operator may also consider how much nuclear material an adversary could acquire in a specified
time period to inform the decision as to what level of physical protection is considered appropriate for
an aggregated amount. The operator should then propose appropriate physical protection measures to
reduce an adversary’s ability to aggregate nuclear material, or apply appropriate physical protection
measures if the aggregation of nuclear material results in a higher category. Any proposals for a
reduced level of protection should be verified and approved by the competent authority before being
implemented.
3.6.3. Graded levels of physical protection based on consequences of sabotage

“For protection against sabotage, the State should establish its threshold(s) of unacceptable
radiological consequences in order to determine appropriate levels of physical protection
taking into account existing nuclear safety and radiation protection.” (Ref. [1], 3.44)

Unlike Table 1 for the unauthorized removal of nuclear material, there is no simple classification
scheme for sabotage targets: the nuclear material category for unauthorized removal bears no relation
to the potential consequences of sabotage of the material or of the facility in which the material is. For
example, fresh HEU fuel (Category I) is of great concern in relation to its possible theft, but is of very
little concern from a sabotage perspective because the radiation levels from the material are low.
However, HEU fuel that has been used (irradiated) in a reactor may be less of a concern in relation to
theft because the high radiation levels from fission products would make theft difficult and dangerous,
but may be a more attractive target for sabotage.

The State should establish the regulatory basis for physical protection against sabotage, which requires
the State to define URC. This basis should then be used by the operator to develop physical protection
measures against sabotage. As noted in section 3.6.3.1, States should also define the threshold for
HRC above which it is recommended that vital areas are identified and protected at a higher level, as
specified in Ref. [1], paras 5.20–5.42.
3.6.3.1. Unacceptable and high radiological consequences (URC and HRC)

The potential consequences of sabotage are considered in relation to a level of radiological
consequences defined to be unacceptable (URC). The definition of URC may be quantitative or
qualitative. The URC are generally defined by the State, and may include criteria for the release of
radionuclides (e.g., release exceeding some identified level), dose criteria (e.g., release sufficient to
lead to the radiation dose to an individual located at some point, generally off-site, exceeding a defined
limit) and design limits (e.g., sabotage that may result in significant core damage in a reactor). The
same URC should apply to the potential radiological consequences of sabotage for all radioactive
material at nuclear facilities. The State’s definition of URC will, in turn, permit identification of
targets, the sabotage of which could lead to such consequences and which should therefore be
protected. Defining consequences considered to be URC (and HRC; see below) will include safety
considerations, and should be determined in close consultation with safety authorities. For example,
the definitions of URC and HRC might be linked to intervention levels used for emergency planning.

The lower threshold of URC may be set at a level corresponding to a relatively small release of
radionuclides confined to a localized area within the nuclear facility. Targets with the potential to
cause only these low consequences may require a correspondingly low level of protection. At the
other extreme, targets for which sabotage could potentially result in a substantial radiological release
significantly affecting the population and environment well beyond the boundaries of the nuclear
facility need the highest level of protection. Such a severe event is referred to in Ref. [1] as having
“high radiological consequences” (HRC).

Therefore the State should also define the threshold for HRC. If the potential consequences of
sabotage are assessed to be greater than the HRC threshold, vital areas need to be identified and
protected as recommended in paras 5.20–5.42 of Ref. [1], using the design process described in paras
5.9–5.19 of those Recommendations. If the radiological consequences fall between the URC and
HRC levels, the State may define graded protection requirements based on the potential consequences,
and protection should be provided using the design process described in Ref. [1] paras 5.9–5.19. If the
potential consequences are below the URC threshold, the operator should still protect safety related
equipment and devices by controlling access to them and securing them, as recommended in para. 5.7
of Ref. [1]. The relationship between URC and HRC and the levels of protection are represented in
Figure 1.
[Figure 1: diagram with a “Consequences” axis marking the thresholds “Unacceptable Radiological Consequences” and “High Radiological Consequences”, and the labels “No specific requirements for physical protection”, “Secure and control access to safety-related equipment”, “Graded protection requirements based on level of potential consequences” and “Protect vital areas as specified in NSS No. 13”.]
FIG. 1. Relationship between URC and HRC and graded levels of protection.
3.6.3.2. Sabotage consequence ranges

The assessment of the attractiveness of sabotage targets to potential adversaries is based on the State’s
thresholds for URC and HRC, and is independent of the category of nuclear material defined on the
basis of the threat of unauthorized removal. Radiological consequences resulting from sabotage will
depend strongly on the inventory of radioactive material and the ease with which the material can be
dispersed (e.g. the dispersal mechanism triggered by the sabotage and the form of the material).
Potential radiological consequences resulting from sabotage may be graded to reflect several ranges of
severity, each range requiring correspondingly graded levels of protection.

The likelihood that a sabotage event will result in URC at a nuclear facility depends on characteristics
of the facility (e.g. the type of installation, its use, design, construction, operation and layout) and on
the sabotage act itself. The factors that should be taken into account for determining whether or not
URC are possible at a facility include the characteristics described below (as applicable):
— The amount, type and status of radioactive material at the nuclear facility (e.g. solid or liquid,
in process or storage);
— The intrinsic hazard associated with the physical processes (e.g. criticality) and chemical
processes that normally take place at the nuclear facility;
— The thermal power capacity and nuclear fuel irradiation history (for a nuclear reactor);
— The configuration of the nuclear facility for different kinds of activities;
— The spatial distribution of radioactive material in the nuclear facility (e.g. for research
reactors, most of the radioactive inventory is in the reactor core and fuel storage pool, while in
processing and storage plants it may be distributed across the site);
— The presence (or otherwise) of active safety systems and/or operator actions to cope with
postulated accidents, and the characteristics of engineered safety features for preventing
accidents and mitigating their consequences (e.g. containment and confinement systems);
— The characteristics of processes or engineering features that may become unstable in case of
an attack;
— The characteristics of the nuclear facility relevant to the consequences of the dispersal of
radioactive material to the atmosphere and the hydrosphere (e.g. size, design, construction,
demographics and land and water features of the region); and
— The potential for off-site versus on-site radiological contamination (which will depend in part
on the location of the radioactive material relative to the site boundaries).

Although graded physical protection measures for different levels of radiological consequences below
HRC are not defined in detail here, a parallel may be drawn between the ranges for sabotage and
the three protection levels (corresponding to nuclear material Categories I, II and III) for unauthorized
removal defined in Ref. [1]. Sabotage-specific protection requirements could be set for three levels of
URC, and many of these requirements may be similar to those set for unauthorized removal, but they
will need to be modified for the different threat.
One method of developing a graded approach for sabotage is based on the State defining levels of radiation exposure at the boundary of the nuclear facility, taking into account the implications for the health and safety of the public and the need to implement an emergency plan to protect them, and levels of physical protection to be applied for material that could lead to consequences at these levels. The operator is then required to carry out an assessment of all possible sabotage targets to determine whether dispersal of relevant inventories of radioactive material by the DBT would cause radiological consequences above these defined levels. The outcome of this assessment is used to identify the vital area at the facility, taking into account the DBT’s capabilities.
Table 2 shows another example of how graded physical protection levels for potential radiological consequence ranges might be set. This less sophisticated approach provides a starting point for developing a PPS for sabotage based on consequence levels corresponding to the suggested hazard categories for facilities and practices described in IAEA safety standards on preparedness for a nuclear or radiological emergency [10]. The table is based on the assumption that there is a positive relationship between the thermal power level of a reactor and the inventory of radioactive material that might be released during a sabotage attack. This approach is more applicable to the prescriptive method of regulation.
TABLE 2. EXAMPLE OF GRADED APPROACH TO SABOTAGE PROTECTION REQUIREMENTS
Consequence Level A
Sabotage that could give rise to severe deterministic health effects off site, such as:
— Facilities with inventories of dispersible radioactive material sufficient to result in severe deterministic effects off-site
— Reactors with power levels exceeding 100 MW(th) (e.g. nuclear power plant, nuclear ship, research facility)
— Spent fuel pools that may contain some recently discharged fuel and a total of more than about 0.1 EBq of Cs-137 (equivalent to inventory in a 3000 MW(th) reactor core)
Consequence Level B
Sabotage that could result in doses to persons off-site that warrant urgent protective actions off-site, such as:
— Facilities with inventories of dispersible radioactive material sufficient to result in doses warranting urgent protective actions off-site
— Reactors with power levels of 100 MW(th) or less, but more than 2 MW(th)
— Spent fuel pools requiring active cooling
— Facilities with potential for uncontrolled criticality within 0.5 km of the site boundary
Consequence Level C¹
Sabotage that could result in doses or contamination that warrants urgent protective action on-site, such as:
— Facilities with inventories of radioactive material sufficient to result in doses warranting urgent protective action on-site
— Facilities with potential, if shielding lost, of direct external (shine) dose rates of more than 100 mGy/h at 1 m
— Facilities with potential for an uncontrolled criticality more than 0.5 km from the off-site boundary
— Reactors with power levels of less than or equal to 2 MW(th)
¹ Consequences falling below Level C should be protected at least in accordance with prudent management practices.
Table 2 outlines three sabotage thresholds based on potential consequences and provides an example approach for ranking facilities for potential radiological consequences. Using this table, a State may determine that consequences of sabotage of nuclear power reactors at Consequence Level A are HRC and would require identification of vital areas [11]. Consequence Levels B and C would represent URC that are important, but of less concern than HRC. PPS for this level of sabotage threat may include a protected area. Further information about how to determine sabotage effects for nuclear power plants is given in Ref. [12]. The methods described in Ref. [12] can be applied to other types of nuclear facilities.
Ref. [8] suggests that a DBT be developed and implemented whenever a State needs greater assurance that protection is adequate to prevent URC. Following the consequence level example above, a DBT should be used when developing protection for Consequence Level A targets where potential HRC may occur, as recommended in para. 3.37 of Ref. [1]. The DBT could also be used for Consequence Level B targets and for Consequence Level C targets at the discretion of the State.
3.6.4. Defence in depth²
“Defence in Depth – The State’s requirements for physical protection should reflect a concept of several layers and methods of protection (structural, other technical, personnel and organizational) that have to be overcome or circumvented by an adversary in order to achieve his objectives.” (Fundamental Principle I, Ref. [1], 3.45–47)
“State requirements for physical protection should be based on the concept of defence in depth. The concept of physical protection is one which requires a designed mixture of hardware (security devices), procedures (including the organization of guards and the performance of their duties) and facility design (including layout).” (Ref. [1], 3.45)
The State should require that the defence in depth approach be followed in the design of the PPS for each of the functions of detection, delay and response. Within each function, the system design should have independent capabilities so that failure of one capability does not mean loss of that function. For example, detection may rely on observation by personnel and/or the use of electronic measures. Delay may be provided by multiple, independent and diverse physical barriers that must be overcome to gain access to the target, such as fences, barricades and hardened buildings. Response may be provided by on-site guards and local police response as well as on and off-site response forces.
² The term “defence in depth” is used in this publication as defined for nuclear security contexts in Ref. [1], to mean the combination of multiple layers of systems and measures that have to be overcome or circumvented before physical protection is compromised. This definition describes a concept that is similar in principle to that of “defence in depth” in safety, but it should be noted that the specific definition is not the same as that used in safety standards.
Combining the principles of graded protection and defence in depth, in cases of higher category theft targets and higher consequence sabotage targets, the physical protection measures for detection, delay and response may use more layers and may use more effective components.
3.7. SUSTAINING THE PHYSICAL PROTECTION REGIME
Sustaining the nuclear security regime is one of the Essential Elements set out in the Nuclear Security Fundamentals [4]. In simple terms, sustainability refers to those features that contribute to an enduring, effective nuclear security regime. Ref. [1] recognizes four elements that particularly contribute to sustaining physical protection:
— Nuclear security culture: the definition of nuclear security culture explicitly includes the phrase “sustain nuclear security”;
— Quality assurance: this provides confidence that the physical protection requirements are satisfied on a continuing basis;
— Confidentiality: this prevents disclosure of sensitive information that could compromise physical protection; and
— Sustainability programme: a programme that specifically addresses the maintenance, resources and infrastructure, including financial, human, and technical, needed for effective physical protection.
3.7.1. Nuclear security culture
“Security Culture – All organizations involved in implementing physical protection should give due priority to the security culture, to its development and maintenance necessary to ensure its effective implementation in the entire organization” (Fundamental Principle F, Ref. [1], 3.48–3.51)
Implementing guidance on nuclear security culture is provided in Ref. [13]. Nuclear security culture is defined as:
“The assembly of characteristics, attitudes and behaviour of individuals, organizations and institutions which serves as means to support, enhance and sustain nuclear security.” [1, 13]
The State has the responsibility to foster an effective nuclear security culture through role models, training, positive reinforcement and systematized processes in its regulatory and policy documents.
The development of a strong nuclear security culture involves individuals in a diverse range of disciplines and organizations who need to work together in order to be effective. This depends upon all organizations applying the State’s nuclear security policy, for which its legal and regulatory framework establishes the basis. Organizations need to develop appropriate management structures, allocate sufficient resources and put in place appropriate management systems. The managers of these organizations have a key role to play in influencing culture through their leadership and management practices which include motivating staff and seeking continuous improvement. The outcome of an effective nuclear security culture should be that all individuals adopt a strict and prudent approach to physical protection, are vigilant with a questioning attitude and react quickly and correctly when the need to do so arises.
3.7.2. Quality assurance
“Quality Assurance – A quality assurance policy and quality assurance programmes should be established and implemented with a view to providing confidence that specified requirements for all activities important to physical protection are satisfied.” (Fundamental Principle J)
“The quality assurance policy and programmes for physical protection should ensure that a physical protection system is designed, implemented, operated and maintained in a condition capable of effectively responding to the threat assessment or design basis threat and that it meets the State’s regulations, including its prescriptive and/or performance based requirements.” (Ref. [1], 3.52)
A quality assurance programme provides guidance on acquiring data on a process or system, systematically comparing the acquired data with a standard, and monitoring the process or system, all with the goal of reducing errors. Quality assurance is one element of an integrated management system.
In order to ensure continuous effectiveness of the established PPS, it is suggested that the State, competent authority and operators:
— Maintain the quality assurance aspects of a management policy and programme that are applicable to the physical protection of nuclear material and nuclear facilities against unauthorized removal and sabotage.
— Make their responsibilities on quality assurance known and understood in a statement of policy to demonstrate the commitment of its management, as well as providing guidelines to the staff and setting out the organization’s objectives on quality.
— Design the management programme in such a way as to provide direct reporting on quality assurance to the highest management level in the organization.
— Develop management programmes for their respective organizations that require the identification and evaluation of deficiencies and the creation and tracking at all levels of corrective action plans.
It is suggested that management programmes ensure that PPS designed to performance-based standards have adequate supporting documentation demonstrating their effectiveness. This information is particularly important when establishing compensatory measures and implementing corrective actions. Such programmes should also ensure that timely reporting of nuclear security events will be made to the competent authority (see Section 3.3.3.3).
It is also suggested that management programmes encompass all security related activities (technical, procedural and administrative) and be reviewed and updated periodically. Management programmes play a significant role in configuration management of the PPS to ensure continuity of these systems and understanding of decisions to make changes.
3.7.3. Confidentiality
“Confidentiality – The State should establish requirements for protecting the confidentiality of information, the unauthorized disclosure of which could compromise the physical protection of nuclear material and nuclear facilities.” (Fundamental Principle L, Ref. [1], 3.53–3.55)
“The State should take steps to ensure appropriate protection of specific or detailed information the unauthorized disclosure of which could compromise the physical protection of nuclear material and nuclear facilities. It should specify what information needs to be protected and how it should be protected, using a graded approach.” (Ref. [1], 3.53)
Implementing guidance for the State on information security is provided in Ref. [14]. According to this guidance:
“Sensitive information is information whose unauthorized disclosure (or modification, alteration, destruction or denial of use) could compromise the security of a State, of facilities associated with nuclear material or other radioactive material, of nuclear programmes, or may otherwise assist in the carrying out of a malicious act against a nuclear site, facility, organization or transport. Such information may refer, for example, to the physical protection regime at a nuclear facility, the location and transport of nuclear material or other radioactive material, or details of an organization’s personnel.”
The State sets the information security requirements for the operator to meet, based on guidance and policies from national security authorities. The State defines what constitutes sensitive information and, using a graded approach, defines associated protection requirements for the holders of such sensitive information. An example of a protection categorization scheme for nuclear security information is provided in Ref. [14].
Protecting the confidentiality, availability and integrity of information depends on applying security measures to sensitive information to ensure that it is not obtained or modified by unauthorized individuals or organizations. Information security includes the system, programme and set of rules in place to ensure the protection of information in any form. It includes as a minimum the following:
— Security of information on physical and electronic media;
— Security of computer systems (computer security);
— Security of communication systems and networks;
— Security of information about facility employees and third parties (e.g., contractors or vendors);
— Security of intangible information, e.g., knowledge of the above.
Organizations with sensitive information should ensure that the State’s information security policy is enforced and that all employees are fully aware of the need for security and follow their organization’s rules.
Each organization needs to establish its internal policy, plans and procedures for protecting the confidentiality, integrity and availability of its sensitive information in compliance with the national information security policy.
“Management of a physical protection system should limit access to sensitive information to those whose trustworthiness has been established appropriate to the sensitivity of the information and who need to know it for the performance of their duties. Information addressing possible vulnerabilities in physical protection systems should be highly protected.” (Ref. [1], 3.54)
Information to be protected may include that relating to the design and operation of the PPS, including possible vulnerabilities in the protection system, location of NMAC systems, and the specifics of response force tactics and actions in contingency plans.
The State should clearly define the provisions that an operator should follow for ensuring the confidentiality of information and systems relating to the PPS. These provisions should identify information that needs to be protected and the required level of protection commensurate with the sensitivity of the information and the consequences of its loss. The operator’s measures to meet these provisions should be documented in the operator’s security plan and periodically evaluated by the operator.
“Sanctions against persons violating confidentiality should be part of the State’s legislative or regulatory system.” (Ref. [1], 3.55)
Information about the sanctions against persons violating confidentiality should be communicated to individuals who are given authorized access to sensitive information and should be severe enough to act as a deterrent against such actions. States should make such offences punishable by appropriate penalties that take into account their potentially grave nature.
3.7.4. Sustainability programme
Guidance on sustaining a nuclear security regime, including the elements of a State’s sustainability programme, is provided in Ref. [15].
The State should ensure that the legal and regulatory framework provides for sustaining the physical protection infrastructure and systems and measures as part of the nuclear security regime. Two good practices are for the State to provide the infrastructure for the training of both State and operator physical protection personnel, and whenever practical to provide facilities for the testing and evaluation of physical protection equipment. Such testing can inform the State and operators on practices to sustain physical protection measures and equipment at the necessary levels of performance.
3.8. PLANNING AND PREPAREDNESS FOR AND RESPONSE TO NUCLEAR SECURITY EVENTS
“Contingency Plans – Contingency (emergency) plans to respond to unauthorized removal of nuclear material or sabotage of nuclear facilities or nuclear material, or attempts thereof, should be prepared and appropriately exercised by all licence holders and authorities concerned.” (Fundamental Principle K, Ref. [1], 3.58–3.62, 4.52–4.53, 4.55–4.56, 5.46–5.48, 5.50–5.52)
This Fundamental Principle implies that contingency plans are the same as emergency plans. In practice there are differences among States in the definition and use of these terms. In Ref. [1], the contingency plan relates to the response of physical protection personnel to malicious acts. In IAEA safety standards [16], the emergency plan relates to the response to a nuclear or radiological emergency, whether that emergency is caused by an accident or a malicious act. However, the implementation of contingency plans and the emergency plan will require coordinated response by physical protection, NMAC and safety personnel. Finally, it should be noted that from the physical protection perspective, contingency plans are part of the overall security plan.
During the response to a nuclear security event, it is essential that all organizations involved in response are prepared to respond appropriately at local and national levels. Measures that a State should take for planning and preparing for and responding to a nuclear security event are described in Ref. [4]. The State and operator have shared and complementary responsibilities to locate and recover missing nuclear material and to mitigate and minimize the effects of sabotage. For actions to locate and recover nuclear material following theft, the operator may have little or no authority outside the nuclear facility and thus the State is likely to have the sole or primary responsibility for off-site location and recovery. Similarly for mitigation actions following a sabotage event, the State is likely to have the sole or primary responsibility for off-site mitigation and minimization of effects.
The goals of contingency planning are to ensure a timely and effective response at all levels in the event of a malicious act involving or directed at a nuclear facility (a nuclear security event) and to maintain physical protection during other events, such as an accident involving a release of radionuclides, a medical emergency or a natural disaster. The correct actions need to be taken and decisions made at the right time to adequately respond to the event and resolve the situation. In the event of a nuclear or radiological emergency, arrangements should be made to ensure the continued effectiveness of the PPS during implementation of the emergency plan.
The State and the competent authority should ensure that contingency plans contained in the operator’s security plan are consistent with those developed at the State level. This may be assisted by the development of protocols (or other type of written record such as a memorandum of understanding) between the government entities involved in response and the operator, which clearly identify, for example, the roles and responsibilities of each entity. The necessary level of coordination is achieved only by conducting joint training and exercises using the contingency plans and the scenarios they are designed to address.
The State, the appropriate competent authorities and the operator should have a comprehensive set of contingency plans that address different types of nuclear security event. Examples of such events that may require contingency plans are provided in Section I.4.2 in Appendix I.
The State should ensure exercises are conducted to help verify the effectiveness of the contingency plans within the framework of the overall nuclear security regime. These exercises should include scenarios for both unauthorized removal and sabotage which are within the scope of the threat assessment or DBT.
Additional information regarding response to locate/recover activities is contained in Ref. [7].
4. DEVELOPING, IMPLEMENTING AND MAINTAINING AN INTEGRATED PHYSICAL PROTECTION SYSTEM FOR NUCLEAR FACILITIES
This section provides guidance on implementing the Recommendations [1] addressed to the operator for the physical protection of nuclear material and nuclear facilities against unauthorized removal and sabotage. These recommendations are generally found in paras 3.23–3.30 and Sections 4 and 5 of Ref. [1].
Ref. [1] recommends implementing the physical protection requirements for protection against both the unauthorized removal of nuclear material and sabotage in an integrated manner; implying that the PPS should be a single system effective against both threats. Furthermore, Ref. [1] recommends designing the PPS in a manner that will ensure effectiveness against whichever threat, unauthorized removal or sabotage, requires the most stringent physical protection requirements. (Ref. [1], 4.4, 5.3, 5.17)
This section suggests a design approach, based on systems engineering principles, for a single PPS effective against both the threat of unauthorized removal and sabotage. The phased design approach presented in this section applies principles of systems engineering to physical protection — identifying physical protection requirements, designing against these requirements and evaluating the effectiveness of the PPS — which are generally not found in Ref. [1]. There may be other ways to define elements of a systematic engineering approach for physical protection, but the process presented in this section is consistent with the methodology promoted by the IAEA and is intended to provide users with a basic framework for designing and implementing their PPS.
4.1. GENERAL RESPONSIBILITIES OF THE OPERATOR
“Responsibility of the Licence Holders – The responsibilities for implementing the various elements of physical protection within a State should be clearly identified. The State should ensure that the prime responsibility for the implementation of physical protection of nuclear material or of nuclear facilities rests with the holders of the relevant licences or of other authorizing documents (e.g., operators or shippers).” (Fundamental Principle E)
“The operator, shipper and carrier should cooperate and coordinate with all other State entities having physical protection responsibilities, such as off-site response forces.” (Ref. [1], 3.25)
In fulfilling these responsibilities, operators should comply fully with the State’s legal and regulatory framework. Compliance and implementation may require the operator to have protocols (or other type of written record such as memoranda of understanding) with local law enforcement, national police, and military and other organizations, such as local and national emergency responders, border patrols, customs, intelligence and other domestic security organizations.
The operator has the primary responsibility for the development and implementation of the PPS for nuclear material at its facilities. The operator should prepare a facility-specific security plan (see Section 4.14). Appendix 1 provides an example of a suggested format for the security plan.
“Whenever the physical protection system is determined to be incapable of providing the required level of protection, the operator, shipper and/or carrier should immediately implement compensatory measures to provide adequate protection. The operator and/or shipper should then — within an agreed period — plan and implement corrective actions to be reviewed and approved by the competent authority.” (Ref. [1], 3.30)
Compensatory measures are short term actions taken to compensate for degraded or inoperable security related equipment, systems and components until these can be repaired or replaced. One approach to providing compensatory measures is to add extra guards and/or response forces to cover the deficiency as soon as it is identified. It is suggested that compensatory measures are documented and approved, and are closely coordinated between the State, competent authority, operator and response forces before they are implemented.
“For a new nuclear facility, the site selection and design should take physical protection into account as early as possible and also address the interface between physical protection, safety and nuclear material accountancy and control to avoid any conflicts and to ensure that all three elements support each other.” (Ref. [1], 3.28)
Careful consideration needs to be given to the implications for nuclear security of the siting of nuclear facilities. Local infrastructure, site layout and other local conditions might all influence nuclear security. Site layout, particularly for multiple units, may need to take account of the need for sufficient space for the physical protection infrastructure to provide adequate defence in depth. Nuclear facilities should also be designed to facilitate nuclear security. Design approaches for achieving these ends are termed ‘security by design’. Implementing such approaches may lead to reduced physical protection costs over the life cycle of the nuclear facility while simplifying the task of maintaining an effective PPS over that life cycle.
The intent of security by design is to design a new nuclear facility so that the required level of security is provided in a cost-effective way that is compatible with operations, safety and NMAC. Security by design is best implemented through a structured approach by which a State’s nuclear security objectives are considered and fully integrated for the entire life-cycle of the facility, starting with facility planning and scoping and through the design, construction, operational and decommissioning phases.
A good practice is to start integrating the design of the PPS against both unauthorized removal of nuclear material and sabotage of a nuclear facility into the overall facility design as early as possible in the design process. Early consideration includes making decisions concerning siting and layout of the facility taking account of how they may influence the design and effectiveness of physical protection systems. It is important to minimize conflicts with other design requirements while taking advantage of opportunities for complementary and synergetic design, for example by engineering out potential vulnerabilities.
The highest levels of the operator’s management need to be aware of and endorse the integration of physical protection measures into facility operations to encourage a strong nuclear security culture as described in [13] and discussed briefly in Section 3.7.1.
For an integrated approach to implementation of physical protection, the operator of a nuclear facility identifies all potential targets for unauthorized removal and sabotage and implements all the required protection measures in a graded manner based on the State’s regulatory approach. Depending on the type of nuclear facility, either the sabotage or the unauthorized removal targets may require a higher level of protection, but in all cases the appropriate levels of protection should be implemented for all targets. This is what is intended by the recommendation to apply the “more stringent applicable requirements” in paras 4.4 and 5.3 of Ref. [1].
Nuclear security considerations in the construction of nuclear facilities are not specifically addressed in the Recommendations [1]. However, good practice suggests that prior to construction, the operator (or applicant) identifies how physical protection will be implemented during all construction phases. If an adjacent nuclear facility exists, any additional physical protection measures to protect the existing, operating facility can be identified and implemented by both operators in close coordination before construction commences. Safety and quality assurance audits can also be used to protect against sabotage by detecting any acts intended to facilitate future sabotage such as the deliberate introduction of defects or hidden devices. At the end of the construction phase, a final assessment is suggested to confirm the effectiveness of the physical protection arrangements before active plant commissioning commences.
4.2. SECURITY ORGANIZATION
The duties and responsibilities for security should be established within the framework of the integrated management system, and may be divided into three complementary units:
— Security management. This unit has the overall responsibility for physical protection and includes: managers who interface with the competent authority and the facility manager; planners who are responsible for developing and maintaining the security plan; designers who are responsible for designing or updating the PPS to satisfy the competent authority’s requirements; and analysts who are responsible for evaluating the performance of the PPS against the design requirements. The allocation of responsibilities for safety–security interfaces is also part of security management (see Section 4.13).
— Security operations. This unit is responsible for: security relating to personnel (trustworthiness and access authorization); information security; computer security; and the guards and response forces (in accordance with responsibilities assigned by the State), whose duties include access control and escorting, central alarm station (CAS) operation, patrols and response to nuclear security events.
— Technical security. This unit includes technical staff — who conduct installations and upgrades, performance testing (assisted as appropriate by security operations staff), preventive maintenance, unscheduled repairs and replacement — and provides support and input to the security management and operations units as appropriate.
4.3. PROCESS FOR DEVELOPING AND IMPLEMENTING A PPS
This section outlines the approach for designing, developing and implementing a PPS for construction
of a new nuclear facility (and construction of new installations on existing nuclear facilities),
upgrading existing PPSs, and reviewing the effectiveness of existing PPSs.
4.3.1. Approach for developing the PPS
The development of the PPS is best achieved using a systematic approach that consists of three phases.
These three phases are:
1. Identify the objectives and requirements for the PPS;
2. Design the PPS to meet the objectives and requirements as identified in Phase 1; and
3. Analyse and evaluate the effectiveness of the PPS designed in Phase 2 in meeting the
objectives and requirements identified during Phase 1.
The sequencing of these three phases and a broad summary of the activities under each phase are
illustrated in Figure 2 (noting that the activities do not necessarily need to be carried out in the order
shown).
FIG. 2. Process for developing the PPS design.
Applying these three phases, which are discussed in more detail below and in Section 4.4, will
produce a PPS design to protect against the threats of unauthorized removal and sabotage of nuclear
material and meet any other facility-specific objectives that may apply.
4.3.2. PPS life cycle
After the PPS has been designed and evaluated using this development process, the next steps in the
PPS life cycle are: to implement the design; to operate, maintain, and sustain the resulting PPS; and to
plan appropriate redesign(s) of the PPS based on changes in the threat, changes in the facility
configuration or operations or potential targets, or based on performance monitoring. These life cycle
steps are illustrated in Figure 3 (as for Figure 2, the activities are not intended to be in sequential
order).
FIG. 3. Physical protection system life cycle process.
4.3.2.1. Sustaining the PPS
“Operators, …should establish sustainability programmes for their physical protection system.
Sustainability programmes should encompass:
• “Operating procedures (instructions).
• “Human resource management and training.
• “Equipment updating, maintenance, repair and calibration.
• “Performance testing and operational monitoring.
• “Configuration management (the process of identifying and documenting the
characteristics of a facility's physical protection system — including computer
systems and software — and of ensuring that changes to these characteristics are
properly developed, assessed, approved, issued, implemented, verified, recorded and
incorporated into the facility documentation).
• “Resource allocation and operational cost analysis.” (Ref. [1], 3.57)
Taking into account the State’s approach to sustaining the nuclear security regime, operators should
ensure that the necessary resources — trained and knowledgeable personnel, reliable equipment,
associated infrastructure, quality assurance and funding — are provided to sustain their PPS as part of
a sustainability programme. Additional information about an operator’s sustainability programme is
provided in Ref. [15].
4.3.2.2. Implementation of the State’s requirements
Before beginning the three-phase process shown in Figure 3, the operator or applicant needs to
understand the relevant aspects of the State’s nuclear security regime as covered in Section 3. Of
particular relevance are several aspects that affect how the operator or applicant designs the PPS and
applies for State approval for the design. Such aspects include:
— The legislative and regulatory framework of the State, including the regulatory approach
selected by the State for specifying requirements to address the threat as defined in Section
3.3.1.1.
— The requirements specified by the State and based on a graded approach, as described in
Section 3.6.1.
— The licensing process for approving applications for new licences and renewals or
amendments to existing licences, as described in Section 3.3.1.3.
Depending on the regulatory approach adopted by a State, whether the performance-based method, the
prescriptive method, or the combined approach (all described in Section 3.3.1.1), the operator’s or
applicant’s approaches for meeting the requirements will be different.
For the performance-based method, the physical protection requirements are based on the overall
objectives of the physical protection system that are defined by the State. In this approach the operator
or applicant proposes a particular combination of physical protection measures that are considered
effective against the adversary capabilities in the threat assessment or DBT. The competent authority
confirms (or otherwise) the adequacy of these measures. For the prescriptive method, the State
identifies specific physical protection measures to meet its defined physical protection objectives.
This approach provides a set of required ‘baseline’ provisions for each category of material or level of
radiological consequence. The operator or applicant creates a PPS design incorporating all of these
measures, which is submitted to the competent authority for approval. The combined method includes
elements from both the prescriptive and performance-based methods.
Figure 4 shows tasks that the operator or applicant should perform, depending on the regulatory
approach. For a combined approach, it will be necessary to follow both flows as appropriate. Note
that Figure 3 describes how the design is developed and evaluated, while Figure 4 depicts other
activities that the operator or applicant performs and approvals that the State makes.
[Figure 4: flowchart. Box labels: CA issues requirements; Operator identifies graded protection parameters (unauthorized removal categorization; consequence levels of sabotage targets); Is the prescriptive method used? (Yes/No); Operator develops design using State-specified physical protection measures; Design acceptable to the CA? (Yes/No); CA approves the PPS design; Operator develops design using the performance-based approach; Operator performs an evaluation to verify the effectiveness of the PPS design; Evaluation acceptable to the CA? (Yes/No); Operator redesign; Operator receives plans, PPS design.]
FIG. 4. PPS design process.
4.4. IDENTIFYING THE REQUIREMENTS FOR A PPS
Phase 1 in the development and evaluation of a PPS design by the operator or applicant is to determine
how the State’s requirements for physical protection apply to the specific site, nuclear facility and
PPS. The operator or applicant needs to perform several steps to identify these requirements:
— Characterization of the facility operations and conditions. This involves: describing the
processes and operations within the facility; developing a thorough description of the facility,
including the location of the facility boundary, building locations, floor plans, structure
elevations and access points; and, if an existing facility or design, identifying features or
systems that may be used as PPS elements. Information about the facility can be drawn from
all relevant sources, including existing documentation, such as facility drawings and process
descriptions, and from facility observations and interviews. PPS designers will need detailed
knowledge of this facility information, as well as any facility-specific constraints (such as
safety constraints) that may be encountered during design.
— Interpretation of the threat information provided by the State to the operator or applicant to
serve as the basis of the design (see Section 3.5). This step is specific to the performance-based
or combined approach. In the prescriptive approach the State generally does not provide
threat information to the operator.
— Identification of the targets, and their location in the facility, that need to be protected from the
adversary as defined by the State, based on its categorization of nuclear material and/or the
sabotage consequence levels (see Sections 3.6.2 and 3.6.3).
Important capabilities of an effective adversary that need to be countered by the PPS, and hence need
to be considered by the operator or applicant, include:
a. Knowledge of the PPS,
b. Skills that would be useful in an attack, and
c. Tools and weapons that could be used in an attack.
4.4.1. Target identification
Target identification determines what material and/or equipment needs to be protected from the
adversary. There are four steps for the process of target identification: understand applicable physical
protection goals and objectives; identify the types of nuclear and other radioactive materials and
systems important to safety (including computer based systems and information) that should be
protected from unauthorized removal and/or sabotage; identify the appropriate material categories
and/or consequence levels that apply for each unauthorized removal and sabotage target; and develop
a target list for the facility, including target description, category and location to be protected. The
target list should be protected as sensitive information.
Some types of nuclear material could be used directly to build a credible nuclear explosive device
while others would need processing before the material could be used for such a purpose.
Recommended protection measures for each nuclear material category are specified in Ref. [1] (paras
4.9–4.49).
For sabotage events, the State should first determine the threshold levels of potential radiological
consequences that are defined as URC and HRC (see Section 3.6.3).
“For each nuclear facility, an analysis, validated by the competent authority should be
performed to determine whether the radioactive inventory has the potential to result in
unacceptable radiological consequences as determined by the State, assuming that the sabotage
acts will be successfully completed while ignoring the impact of the physical protection or
mitigation measures.” (Ref. [1], 5.4)
This analysis addresses two types of acts of sabotage that may lead to URCs: direct and indirect
sabotage, as discussed in Ref. [12]. Direct sabotage introduces energy from an external source, such
as conventional explosives, to disperse the nuclear or radioactive material, whereas indirect sabotage
uses energy from processes within the nuclear or radioactive material (e.g. heat from fission or
radioactive decay) or the process being applied to the material to cause dispersal. An example of a
direct attack is the dispersal of plutonium through an explosive charge, while an indirect attack might
be aimed at causing fuel within the core of a nuclear power plant to melt by damaging cooling
systems. A conservative analysis should be performed to determine the potential radiological
consequences of the complete release of each nuclear or other radioactive material inventory at the
facility. For indirect sabotage the adversary may be able to cause a release by disrupting normal
conditions and/or disabling process control or safety measures.
Nuclear facilities generally undergo extensive safety analyses to ensure that their operations are safe.
The information contained in the deterministic and probabilistic safety analysis can be very useful, for
instance, in identifying structures, systems and components that need to be protected from sabotage. It
is also important to consider other possible causes of failure due to malicious acts. The consequence
level for sabotage targets is then used to determine physical protection requirements for those targets
as follows:
— If potential radiological consequences exceed the HRC threshold, then vital areas should be
identified and protected;
— If potential radiological consequences fall between the URC and HRC thresholds, then the
State will specify graded protection requirements based on the level of potential
consequences;
— If radiological consequences fall below the URC threshold then there may be no specific
requirements for physical protection but the operator should still secure and control access to
safety related equipment and devices.
4.4.2. Threat definition
As part of the identification of the PPS objectives and requirements, the threat to the facility should be
defined by the State through either a threat assessment or by developing a DBT. Relevant information
should be provided to the operator who should use this information as a basis for designing and
evaluating the PPS.
4.5. DESIGN AND EVALUATION OF THE PPS
After the PPS objectives and requirements are identified (phase 1), the operator or applicant knows the
objectives of the PPS — that is, what to protect (targets) against what (threat), and how well
(requirements). The next step (phase 2) is to design the new system or re-design the existing system to
provide the physical protection measures for detection, delay and response sufficient to meet the
objectives of the system. After the PPS is designed or characterized, it should be analysed and
evaluated (phase 3) to ensure that it meets the physical protection requirements. Evaluation should
consider the effectiveness of the system of elements working together to assure protection, rather than
regarding each element separately.
4.5.1. Design phase
4.5.1.1. General design considerations
During this phase, the designer determines how best to combine physical protection measures such as
fences, vaults, sensors, procedures, communication devices and response force personnel into a PPS
that can satisfy the protection requirements, taking into account safety and operational considerations
so that both physical protection and safety objectives are met. The overall objective is to ensure that,
regardless of the physical protection strategy chosen by the operator, the PPS fulfils the protection
requirements through appropriately balancing the functions of detection, delay and response.
Figure 5 illustrates the design principles and shows the timeline used to determine whether, for a
defined PPS, the response force is reliably notified early enough to respond before the adversary
completes all the tasks needed to cause a malicious act. The top line depicts the time sequence of the
adversary attack from when the attack begins to its completion. The ‘PPS response time’ is portrayed
on a timeline lower in the diagram: this measures the time from the first successful sensing of
adversary activity at T0 until the adversary can be interrupted at TI. In this diagram, sensing occurs
early enough to allow the adversary to be interrupted by the response force before the time TC when
the adversary would have successfully completed the attack. (The adversary task time remaining after
first sensing depends critically upon the amount of delay provided by the PPS between the point where
the adversary is sensed and the target – see Section 4.6.3).
FIG. 5. Comparison of adversary and response timelines.
Good practice in physical protection design includes:
— Defence in depth, such that the adversary needs to deceive, avoid or defeat several protection
measures in sequence to succeed. This is generally implemented by layered protection, where
a series of protection layers exists around targets and may include a combination of physical
measures such as controls on access to areas (see Section 4.9.1) and administrative measures
such as protection of sensitive information and trustworthiness. This may involve taking
advantage of the strengths of each physical protection component and using equipment in
combinations that complement the strengths or compensate for the limitations of each.
— Balanced protection, meaning that the adversary will encounter equally effective elements of
the PPS, whenever, wherever or however the malicious act is attempted.
— High reliability, meaning that the PPS will have a high probability of operating effectively
during an adversary attack, which is typically accomplished by incorporating redundancy and
diversity in the design.
The time needed for the adversary to achieve their goal is the ‘adversary task time’ (see Figure 5).
The primary role of barriers is to increase the adversary task time by introducing impediments along
any path the adversary may choose. An adversary should have to penetrate several separate barriers
before gaining access to a particular target. The times to penetrate each of these barriers may not
necessarily be equal, and the effectiveness of each may be quite different, but each can be selected to
necessitate a separate and distinct act as the adversary moves along the path. The effect produced on
the adversary by a system that is designed to provide defence in depth will be to:
— Increase the adversary’s uncertainty about the system;
— Require additional tools and more extensive preparations prior to attacking the system; and
— Create additional steps where the adversary may fail or decide to abandon the attack.
For detection and assessment systems, reliability can be attained by the use of a combination of
multiple complementary sensors and human surveillance to complicate the adversary’s planning. To
be complementary, sensors at a particular layer or barrier are chosen so that attempts to defeat one
sensor are detectable by the others, different sensors do not respond to the same sources of nuisance
alarms, and the adversary cannot predict when the collective set of sensors will have degraded
performance. Adding human detection through random or continuous surveillance adds uncertainty,
making planning and executing a successful attack more difficult.
The PPS design needs to be compatible with the facility operations systems important to safety and to
allow the staff to carry out their duties in a safe and secure manner. If there are physical protection
measures that are too difficult for the staff to follow, they may find ways to complete their tasks more
easily by circumventing the protection measures. Building a thorough understanding of the operations
of the nuclear facility and applying that knowledge during the design of the PPS will help to balance
the physical protection needs with safety and operations.
The above design approach was developed for and is applied to protection against external
adversaries. There are additional and/or different factors to consider for designing a PPS against
insider adversaries.
4.5.1.2. Additional design considerations for insider threats
An insider is defined as one or more individuals with authorized access to nuclear facilities who could
attempt unauthorized removal or sabotage, or who could aid an external adversary to do so. An
insider threat is an insider with an intention to carry out such an act. An insider may be in any position
at a facility and may have authorized access to any of the controlled areas or materials. Insiders may
include, but are not limited to: management, regular employees, service providers, visitors and
inspectors.
The capabilities of an insider are typically defined by three types of attribute:
— Authorized access: which areas of the facility they may or may not enter during different
facility states, e.g. normal work shift, non-operational periods, maintenance outage, or during
a security or safety event;
— Authority over other people or over certain tasks and equipment;
— Knowledge of targets, facility layout, the PPS, and/or how to acquire and operate special tools
and equipment found at the facility.
Insider threats present unique problems compared to the outsider threat because they can take
advantage of these attributes to bypass some technical and administrative physical protection measures
to commit theft or sabotage. Insider threats can also complete their objectives through a series of
separate actions over an extended time period to minimize their chance of detection and maximize
their likelihood of success. Furthermore, insider threats may have more opportunities to select the
most vulnerable target and the best time to perform the malicious act.
To protect the targets against malicious acts consistent with the State’s threat assessment or DBT, the
PPS design should include features to deny access of unauthorized persons or equipment to the targets
and to minimize the opportunity of insiders who have such access to commit malicious acts. For
example, the installation of barriers, in combination with an effective response, will serve to deny
external adversaries access to targets, whereas locking a piece of target equipment creates a delay even
for insiders who have authorized access to the area within which it is located and is especially
effective when the area is under continuous surveillance.
Ref. [9] presents a systematic approach for protecting against insider threats, covering preventive
measures to minimize the insider’s opportunity to initiate a malicious act and protection measures to
detect, delay, respond to and mitigate the effects of an insider-initiated act.
Protection measures to counter an insider attack begin with detection of the attack by one or more
available sources, including physical protection measures, process controls, safety alarms, alarms
generated by the facility’s NMAC system and observation of personnel by co-workers or supervisors.
4.5.2. Evaluation phase
“The operator should develop and implement means and procedures for evaluations, including
performance testing, and maintenance of the physical protection system.” (Ref. [1], 3.29)
During phase 3, the PPS design from phase 2, whether a new or existing system, is evaluated to
determine whether it meets the requirements identified in phase 1. Reasons for evaluating the PPS
include:
— Verifying that the PPS as designed, or as characterized (for an existing system), satisfies the
physical protection requirements.
— Identifying any system deficiencies in the design or implementation that need to be addressed
in order to meet the system requirements.
— Analysing possible upgrades that may be necessary to address identified deficiencies and
improve system performance.
— Repeating the evaluation of PPS effectiveness on an annual or other regular basis to take into
account any changes in targets, system performance or requirements.
The PPS provides detection, delay and response functions through structural, technical and personnel
elements. The interaction of these elements with the hardware and procedures makes the evaluation of
PPS effectiveness a challenging task.
In the evaluation phase, data are collected concerning the performance of PPS measures and used to
evaluate the overall effectiveness of the PPS.
4.5.2.1. Physical protection evaluation and performance testing by the operator
Ref. [1] emphasizes the evaluation and performance testing of PPS, e.g.:
— Operators should “develop and implement means and procedures for evaluations including
performance testing” (Ref. [1], 3.29)
— For Category I and II nuclear material, “evaluations, including performance testing, of the
physical protection measures and of the PPS, including timely response of the guards and
response forces should be conducted regularly” (Ref. [1], 4.35)
— For Category I nuclear material: “At least annually, performance testing of the PPS should
include appropriate exercises, for example force-on-force exercises” (Ref. [1], 4.49)
— For sabotage of targets with potential to result in HRC, “evaluations, including performance
testing, of the physical protection measures and of the PPS, including timely response of the
guards and response forces, should be conducted regularly. Performance testing of the PPS
should include appropriate exercises, for example force-on-force exercises.” (Ref. [1], 5.41)
This suggests that the operator plans, conducts and documents the evaluation and performance testing
of its PPS in a manner designed and implemented to satisfy the regulatory requirements. Appropriate
parts of this activity should be considered throughout the nuclear facility lifecycle, i.e. during design,
construction, licensing, operations, changes or upgrades, decommissioning and management of
radioactive waste and spent fuel.
The operator should consider using independent third-party experts to review its system evaluation
and performance testing for Category I nuclear material and sabotage with potential to cause HRC.
4.5.2.2. Methods for system evaluation
A number of performance-based methods are available to evaluate the effectiveness of the PPS,
whether against insiders who have authorized access to the nuclear facility, or outsiders, who do not
have authorized access. Performance-based evaluation methods include:
— Path analysis. This involves building timelines, such as that shown in Figure 5, for different
adversary paths, to determine whether there is high assurance that the attack will be detected
while there is enough time remaining in the adversary task time for the response force to
interrupt the adversary. Typically, the task times and response times are measured or
estimated quantitatively and the measures of the effectiveness of detection features are
probabilistic estimates of ‘timeliness’ based on performance tests.
— Simulation. These include computer based simulations of the PPS and table-top exercises that
allow consideration of security and contingency plans as well as decision-making by the
adversary and facility response forces. These tools are generally used to judge the overall
performance (detection, interruption and neutralization) of the PPS, taking all measures into
account. Simulations may also be used to focus on the effectiveness of the response force in
neutralizing the adversary, i.e., preventing the adversary from completing theft or sabotage
after detection and interruption of the adversary. The adversary is ‘neutralized’ if the response
force arrests, captures or kills the adversary, or causes them to flee.
— Exercises. These range from limited exercises, addressing the response to an alarm, to force-on-force
exercises that address the effectiveness of the entire PPS against a simulated
adversary attack. Simulations may overlook practical aspects and may miss important aspects
of attack scenarios. Simulations therefore cannot fully replace exercises involving facility
personnel and response forces on the ground.
Simulations and exercises are typically performed as part of scenario analysis, in which very detailed
postulated attacks (‘scenarios’) are identified and then simulated or used as a basis for exercises to
determine how effectively the PPS functions in the scenario. Scenario analysis typically builds on path
analysis by considering specific methods for defeating sensors, barriers and communication systems,
and possible diversion or elimination of part of the response force. Scenario analysis may be used to
identify scenarios in which insiders collude with outsider adversaries, to the extent that such scenarios
fall within the DBT.
System effectiveness may be measured either quantitatively or qualitatively. The State should decide
which approaches should be used for different types of targets, threats and scenarios. It is suggested
that the overall PPS effectiveness be conservatively defined as the lowest quantitative or qualitative
effectiveness of the PPS that still meets regulatory objectives, when all adversary paths and credible
scenarios have been considered.
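The path analysis and the "lowest effectiveness over all paths" rule described above can be sketched quantitatively as follows. This is an added example, not part of the IAEA guide: the element names, probabilities and times are constructed sample values, and it assumes that sensing occurs as the adversary starts each element's task and that detections at different elements are independent. It covers timely detection only, not neutralization.

```python
"""Path analysis sketch: probability of timely detection per adversary path.

Added illustration. All names and numbers below are constructed sample values.
Assumptions: sensing at an element happens as the adversary starts that
element's task, and detection probabilities are independent of each other.
"""
from dataclasses import dataclass
from math import prod
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Element:
    name: str
    p_detect: float  # probability of sensing AND correct assessment here (0..1)
    delay_s: float   # adversary task time this element adds, in seconds

    def __post_init__(self) -> None:
        if not 0.0 <= self.p_detect <= 1.0:
            raise ValueError(f"{self.name}: p_detect must be within [0, 1]")
        if self.delay_s < 0:
            raise ValueError(f"{self.name}: delay_s must be non-negative")


def remaining_task_time(path: List[Element], i: int) -> float:
    """Adversary task time left (TC - T0) if first sensing happens at element i."""
    return sum(e.delay_s for e in path[i:])


def timely_elements(path: List[Element], response_time_s: float) -> List[Element]:
    """Elements where detection still lets the response interrupt before TC."""
    return [e for i, e in enumerate(path)
            if remaining_task_time(path, i) > response_time_s]


def p_timely_detection(path: List[Element], response_time_s: float) -> float:
    """1 minus the probability that every timely element misses the adversary."""
    timely = timely_elements(path, response_time_s)
    return 1.0 - prod(1.0 - e.p_detect for e in timely)


def weakest_path(paths: Dict[str, List[Element]],
                 response_time_s: float) -> Tuple[str, float]:
    """Conservative system figure: the lowest value over all analysed paths."""
    if not paths:
        raise ValueError("no paths to analyse")
    scores = {n: p_timely_detection(p, response_time_s) for n, p in paths.items()}
    name = min(scores, key=scores.get)
    return name, scores[name]


# Constructed sample data: two paths through a generic layered layout.
SAMPLE_PATHS: Dict[str, List[Element]] = {
    "path-A": [
        Element("perimeter fence", 0.5, 10),
        Element("open area", 0.1, 30),
        Element("building door", 0.8, 60),
        Element("inner room door", 0.9, 90),
        Element("task at target", 0.0, 120),
    ],
    "path-B": [
        Element("perimeter fence", 0.5, 10),
        Element("secondary door", 0.3, 30),
        Element("corridor", 0.2, 20),
        Element("inner room door", 0.9, 90),
        Element("task at target", 0.0, 120),
    ],
}

if __name__ == "__main__":
    for response in (200.0, 220.0):  # constructed PPS response times, seconds
        print(f"PPS response time {response:.0f} s")
        for name, path in SAMPLE_PATHS.items():
            last = timely_elements(path, response)[-1].name
            p = p_timely_detection(path, response)
            print(f"  {name}: P(timely detection)={p:.3f}, last timely element: {last}")
        print("  weakest path:", weakest_path(SAMPLE_PATHS, response))
```

With these sample values, lengthening the response time from 200 s to 220 s removes the inner room door sensor from the timely set, so the weakest path drops from 0.972 to 0.72 even though no sensor changed.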
Evaluations against outsider threats consider adversary attributes such as the numbers of attackers,
their equipment, weapons and explosives, and their skills that might help them to defeat physical
protection measures. Typically, specialized tools are included in the path analysis. Scenario analysis
is typically performed by using subject matter experts to develop the scenarios and then using
exercises and/or simulations to qualitatively or quantitatively determine system effectiveness.
Scenario analysis may use information about the path timelines created during path analysis.
There are two general classes of scenario: unauthorized removal and sabotage. For unauthorized
removal, the adversary needs to gain access to the location of the target material and then to remove
the nuclear material to a location off-site. In the case of Category I nuclear material, an effective
response strategy would be to deny access to the nuclear material or, if access is achieved, to contain
the adversaries before they leave the site with the nuclear material. For sabotage, the adversary needs
to gain access to the target material and/or vital areas and then directly sabotage the material or
indirectly cause a release of radionuclides by sabotaging equipment. In this case, a response strategy
would be to deny access to the material or equipment at least for the time required to complete the
sabotage act.
4.5.2.3. Additional evaluation considerations for insider threats
Evaluations should also analyse the vulnerability of the PPS against insider threats. Guidance for
performing such evaluations is provided in Ref. [9]. For analysis purposes, insider threats may be
categorized by whether they are passive (for example, merely gathering sensitive information) or
active, and if they are active whether they are willing to use force against a target or person. Taking
into account the threat assessment or DBT, the evaluation may include an insider colluding with
another insider or with outsiders.
Path timelines for insider threats are used to determine whether there is adequate timely detection in an
insider scenario for the response to stop the insider before a malicious act is completed. The path
timeline for an active insider might involve a continuous series of tasks, similar to the timeline for the
outsider threat (see Figure 5) or a non-continuous series of tasks, where some tasks are separated by a
time interval and/or at different locations. An example of a scenario with a continuous timeline might
be abrupt theft where the insider attempts to complete theft of nuclear material in an uninterrupted
scenario. An example of a non-continuous insider attack would be protracted theft, where the insider
attempts to steal a series of small amounts of nuclear material by separate thefts over several days or
weeks.
4.6. KEY FUNCTIONS OF A PHYSICAL PROTECTION SYSTEM
The PPS meets physical protection requirements and accomplishes physical protection objectives by
deterrence and a combination of detection, delay and response. Sections 5.4–5.7 of Ref. [17] provide
additional, more detailed guidance on these key functions of a PPS.
4.6.1. Deterrence
Deterrence is achieved when potential adversaries regard a facility as an unattractive target and decide
not to attack it or abandon their attack plans. To promote deterrence the operator may implement
observable protection measures such as a visible guard presence patrolling around the facility, bright
lighting at night, bars on windows and vehicle barriers. Deterrence may be helpful in discouraging
attacks but the effectiveness of deterrence is difficult, if not impossible, to measure.
53

4.6.2. Detection

Detection is a process in a PPS that begins with sensing a potentially malicious or otherwise
unauthorized act and is completed when the cause of the alarm has been assessed.

Figure 6 shows the sequence of events associated with detection and illustrates that detection is not a
single, instantaneous event. To detect an action by a potential adversary, all the steps in the sequence
need to occur. Information needed for making accurate assessments of alarms includes details such as
who triggered the alarm, by doing what, where, and how many people may be involved. The first
three events in Figure 6 — sensor activated, alarm signal initiated and alarm reported — comprise
‘sensing’, while the final event, alarm assessed, is necessary to complete the detection process.

[Figure 6: Sensor Activated → Alarm Signal Initiated → Alarm Reported → Alarm Assessed]

FIG. 6. Detection function in a PPS.

The detection sequence starts when a sensor of some kind is activated by any cause. Activation of a
sensor may be the triggering of a hardware sensor in the PPS or may be a report by an individual, such
as a guard.

The effectiveness of the PPS in providing detection depends upon the capabilities of the sensor, alarm
reporting and assessment systems as well as the performance of the CAS operators and any guards or
response force members that have a role in detection. Technological systems increase the efficiency
of all stages of the detection process. Where technology is used, the detection system should employ
sensors and video systems to provide data on sensing and assessment.

Detection effectiveness is a function of both the probability of detection and the time for detection to
be completed. The probability of detection consists of the probabilities that the action is sensed, that
the alarm is then generated and reported, and that the alarm is then correctly assessed. The detection
time (see Figure 5) is the sum of the times for each of the four events in Figure 6 to occur. The closer
the assessment time is to the time when the sensor was activated, the more likely it will be that the
cause of the alarm can be assessed and the guards can be deployed to interrupt the adversary, if
needed. A long delay between sensing and assessment favours the adversary by allowing further
progression towards the target before the response force has been notified of the attack.

4.6.3. Delay

Delay is the function of the PPS that seeks to slow down an adversary’s progress towards a target,
thereby providing more time for an effective response. Delay can be accomplished by distances and
areas that have to be crossed, and by barriers that need to be defeated, including fences, gates,
portals, doors, locks, cages and activated delay systems. Barriers may deter or defeat the adversary, if
they are unable to penetrate the barrier. Barriers should be considered as obstacles to delay well
equipped and determined adversaries.

Each type of barrier takes time for the adversary to penetrate or defeat. These delay times are factors
to be considered when designing the PPS. Guards or response forces may provide further delay if they
are appropriately positioned, armed and well-protected.

The measure of effectiveness of a delay element is the time needed by the adversary, after detection, to
pass the element providing the delay. Any delay that the adversary encounters prior to detection is of
no value to the effectiveness of the PPS because it does not provide additional time to respond to the
adversary. (However, external barriers may serve other purposes such as deterrence and mitigating the
effects of stand-off attacks). Delay is especially critical in cases where response forces are not
routinely located nearby: sufficient delay needs to be provided for the response force to be able to
deploy in time to prevent completion of the malicious act.
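
The detection and delay measures of Sections 4.6.2 and 4.6.3, worked through for a single path as an added example that is not part of the IAEA text. It assumes that the three stage probabilities multiply, that each sensor sits at the entry of its element, and that the response time covers communication and deployment; all names and numbers are constructed for illustration.

```python
"""Timely-detection arithmetic for one adversary path (all data constructed)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Element:
    """One detection/delay element on the path, in the order it is met."""
    name: str
    p_sense: float   # probability the action is sensed at this element
    p_report: float  # probability the alarm is generated and reported
    p_assess: float  # probability the alarm is correctly assessed
    delay_s: float   # seconds the adversary needs to pass this element

    @property
    def p_detect(self) -> float:
        # Assumption: each stage is conditional on the previous one,
        # so the three stage probabilities multiply.
        return self.p_sense * self.p_report * self.p_assess


def detection_time(sensor_s, signal_s, report_s, assess_s):
    """Detection time = sum of the times of the four events in Figure 6."""
    return sensor_s + signal_s + report_s + assess_s


def evaluate_path(path, detect_s, response_s):
    """Return (probability of timely detection, name of last timely element).

    Assumption: each sensor sits at the entry of its element, so the delay of
    that element and of every later one is still ahead of the adversary when
    the sensor activates. Delay already passed is not counted.
    """
    remaining = sum(e.delay_s for e in path)
    p_all_missed = 1.0
    last_timely = None
    for e in path:
        # Time left over once the alarm is assessed and the response arrives.
        margin = remaining - detect_s - response_s
        if margin >= 0:
            if e.p_detect > 0:
                last_timely = e.name
            p_all_missed *= 1.0 - e.p_detect
        remaining -= e.delay_s
    return 1.0 - p_all_missed, last_timely


# Constructed path: values are illustrative, not taken from any facility.
PATH = [
    Element("perimeter fence", 0.90, 0.99, 0.95, 20),
    Element("open ground", 0.00, 1.00, 1.00, 30),      # no sensor here
    Element("building door", 0.80, 0.99, 0.90, 90),
    Element("hardened room door", 0.95, 0.99, 0.95, 180),
    Element("task at target", 0.00, 1.00, 1.00, 60),
]
RESPONSE_S = 240  # assumed time to communicate, deploy and interrupt

if __name__ == "__main__":
    for assess_s in (40, 100):
        t_detect = detection_time(2, 1, 2, assess_s)
        p, last = evaluate_path(PATH, t_detect, RESPONSE_S)
        print(f"assessment {assess_s:>3}s: P(timely detection)={p:.3f}, "
              f"last timely element: {last}")
    # Delay placed ahead of every sensor does not change the result.
    ditch = Element("unsensored outer ditch", 0.0, 1.0, 1.0, 300)
    print(evaluate_path([ditch] + PATH, detection_time(2, 1, 2, 40), RESPONSE_S))
```

Lengthening the assessment time from 40 s to 100 s moves the last timely element from the building door back to the perimeter fence, which is the effect of a long delay between sensing and assessment described in Section 4.6.2.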

4.6.4. Response

Response is the function of the PPS that seeks to interrupt and neutralize an adversary in the
commission of a malicious act. Guards are the personnel who are entrusted with responsibility for
controlling access, escorting individuals, monitoring and assessing alarms in the CAS, patrolling
and/or providing the initial response. These guards may not be prepared or permitted to provide an
armed response. The response force consists of persons on-site or off-site who are armed and
appropriately equipped and trained to interrupt and neutralize an adversary attempting unauthorized
removal or an act of sabotage.

4.7. LOCATING AND RECOVERING MISSING OR STOLEN NUCLEAR MATERIAL

The operator should, depending on the State’s legal and regulatory framework, perform a number of
steps in support of measures to locate and recover missing or stolen nuclear material, detailed in Ref.
[1] as follows:

“The operator should ensure that any missing or stolen nuclear material is detected in a timely
manner by means such as the system for nuclear material accountancy and control and the
physical protection system (e.g. periodic inventories, inspections, access control searches,
radiation detection screening).

“The operator should confirm any missing or stolen nuclear material by means of a rapid
emergency inventory as soon as possible within the time period specified by the State. A system
for nuclear material accountancy and control should provide accurate information about the
potentially missing nuclear material in the facility following a nuclear security event.

“The operator should notify the competent authority and other relevant State organizations of
missing or stolen nuclear material as specified by the State.

“The operator’s measures to locate and recover missing or stolen nuclear material should be
included in its contingency plan and should be regularly tested and evaluated. Appropriate joint
exercises should be held with the competent authority and other State organizations.

“The operator should take all appropriate measures to locate, as soon as possible, any declared
missing or stolen nuclear material on-site and possibly off-site (in hot pursuit) in accordance
with the legal and regulatory framework and the contingency plan.

“As soon as possible after the missing or stolen nuclear material has been located and
identified, the operator should, in accordance with the contingency plan, secure this material in
situ and then return it to an appropriate nuclear facility with due authorization from the
competent authority.

“The operator should provide any other necessary assistance to the State organizations to
locate and recover nuclear material and should cooperate during subsequent investigations and
prosecution.” (Ref. [1], 4.57–4.63)

The first step for the location and recovery of missing and/or stolen nuclear material is to detect that
the nuclear material is not in its authorized location. Detection may start as a result of some malicious
act by an external adversary or an insider. For example:

— The PPS may detect an adversary attempting to steal nuclear material, and if the PPS is not
successful in preventing this act, then nuclear material may be removed from the facility.
— The NMAC system may detect that nuclear material is missing during operations, inventory
taking or inspection.
— Access control searches or radiation detection screening may detect that nuclear material is
being removed in an unauthorized manner.
— Facility personnel may observe and detect that someone is attempting to remove nuclear
material.

After the operator confirms that nuclear material is no longer in its authorized location, the relevant
competent authorities within the State should be promptly notified. Based on the contingency plans,
the operator may then continue an on-site search for the material and may also conduct off-site
activities as appropriate and in coordination with relevant competent authorities. The area where the
missing/stolen material was previously located should be secured and treated as a possible crime
scene. The physical protection of other nuclear material should also be checked.

All response actions should be conducted in accordance with the contingency plan and coordinated
with appropriate competent authorities. Once located and authorized by the competent authority, the
operator or another appropriate party should secure the nuclear material and return it to an appropriate
location. This will need to be done in close consultation with all relevant competent authorities,
including law enforcement, particularly if a criminal investigation has been initiated.

Arrangements for the coordination of recovery operations and protocols should be detailed in
operators’ contingency plans. These plans should include details of the competent authorities
responsible for all aspects of recovery operations. It is suggested that a follow-up review should be
conducted after the incident and lessons learned incorporated in modification of the contingency plans.

4.8. MITIGATING OR MINIMIZING RADIOLOGICAL CONSEQUENCES OF SABOTAGE

The response to a sabotage event may involve many competent authorities. In some cases, the
functions of these competent authorities — particularly those relating to emergency response — may
be the same as for a nuclear or radiological emergency due to an accident. In order to be effective, the
response to a potential sabotage event should be well coordinated and arrangements should be
appropriately integrated.

The operator has the following responsibilities in support of measures to mitigate or minimize
radiological consequences of sabotage, as detailed in Ref. [1]:

“The operator should establish a contingency plan.

“The operator should prepare facility personnel to act in full coordination with guards,
response forces, law enforcement agencies and safety response teams for implementing the
contingency plans.

“The operator should assess, on detection of a malicious act whether this act could lead to
radiological consequences.

“The operator should notify, in a timely manner, the competent authority, response forces and
other relevant State organizations of sabotage or attempted sabotage specified in the
contingency plan.

“Immediately following an act of sabotage, the operator should take measures to prevent
further damage, secure the nuclear facility and protect emergency equipment and personnel.”
(Ref. [1], 5.54–5.58)

Any responders need to be knowledgeable about the safety hazards (e.g., radiation exposure) that exist
within the nuclear facility and to comply with relevant safety measures.

Contingency plans need to identify the roles and responsibilities of all relevant bodies and include, for
example, provisions that:

— The on-site response is promptly executed and managed without impairing the continuing
performance of operational safety and physical protection functions.
— The off-site response is effectively managed and coordinated with the on-site response.
— Information necessary for making decisions on the allocation of resources is appraised
throughout the incident.

The operator should include in its contingency plan measures that focus on preventing further damage,
securing the nuclear facility and protecting emergency equipment and personnel.

Contingency plans should be developed and deployed to help limit the consequences of a sabotage
attack. Emergency response may encounter some particular problems in the case of malicious attacks.
Therefore it is necessary that contingency plans and emergency plans are complementary and jointly
exercised regularly to help ensure their effectiveness and compatibility. Care needs to be taken to
verify that activities of the response forces do not adversely affect safety and that physical protection
is not adversely affected during the implementation of safety measures. An example of a contingency
plan is included in the example security plan provided in Appendix I.

An emergency centre may be established at a nuclear facility to coordinate both the on-site and off-site
response to an emergency, regardless of its initiating event. It may also serve as the incident
command post for the emergency. In the case of the emergency being initiated by a nuclear security
event, consideration may be given to co-locating the command and control elements of the physical
protection response functions at the emergency centre.

4.9. PHYSICAL PROTECTION MEASURES

The PPS implemented at a nuclear facility should be in accordance with and described in detail in a
security plan. This plan includes all aspects of the physical protection measures found in the PPS
design. More detailed advice on the implementation of physical protection measures can be found in
[17].

Physical protection measures may be classified by the function(s) they perform as described in section
4.6, including detection of adversary actions, access control, detection of prohibited items, alarm
communication and display, delay and response. Table 3 relates the recommendations in Sections 4
and 5 of Ref. [1] for each class of physical protection measure to the nuclear material category for
unauthorized removal and to the level of potential consequences for sabotage. The table also lists
evaluation and performance testing requirements for each protection layer.

The recommendations for physical protection measures in Ref. [1] are organized using the graded
approach. The measures recommended for Category II nuclear material also include the measures for
Category III, and the measures for Category I material also include the measures for Category II and
Category III.

TABLE 3. FACILITY PHYSICAL PROTECTION MEASURES: REFERENCES TO REF. [1]³

The first three data columns cover unauthorized removal of nuclear material in use and storage; the last two cover sabotage for high consequence facilities.

| PP measure | Category III (limited access area) | Category II (protected area) | Category I (inner area) | Sabotage (protected area) | Sabotage (vital area) |
|---|---|---|---|---|---|
| Detection | 4.14, 4.15, 4.16 | 4.14, 4.15, 4.16, 4.23, 4.31 | 4.14, 4.15, 4.16, 4.23, 4.31, 4.38, 4.46, 4.47, 4.48 | 5.14, 5.21, 5.36, 5.37 | 5.14, 5.26, 5.29, 5.33, 5.36, 5.37 |
| Alarm Assessment | | 4.23, 4.30 | 4.23, 4.30, 4.47 | 5.21, 5.36 | 5.36 |
| Access Control | 4.14, 4.17 | 4.12, 4.17, 4.24, 4.25, 4.26, 4.27, 4.28, 4.30 | 4.12, 4.17, 4.24, 4.25, 4.26, 4.27, 4.28, 4.30, 4.38, 4.40, 4.42, 4.44, 4.45 | 5.14, 5.22, 5.23, 5.24, 5.25, 5.36 | 5.14, 5.26, 5.28, 5.31, 5.32, 5.34, 5.35, 5.36 |
| Contraband Detection | | 4.25 | 4.25, 4.43 | 5.14, 5.23 | 5.14 |
| Central Alarm Station | | 4.30, 4.31, 4.32 | 4.30, 4.31, 4.32, 4.47 | 5.36, 5.37, 5.38 | 5.36, 5.37, 5.38 |
| Access Delay | | 4.23 | 4.23, 4.38, 4.39, 4.41, 4.46 | 5.14, 5.21 | 5.14, 5.26, 5.27, 5.30 |
| Response | 4.15, 4.19, 4.20 | 4.15, 4.19, 4.20, 4.30, 4.32, 4.33, 4.34 | 4.15, 4.19, 4.20, 4.30, 4.32, 4.33, 4.34, 4.49 | 5.14, 5.36, 5.38, 5.39, 5.40, 5.42 | 5.14, 5.36, 5.38, 5.39, 5.40, 5.42 |
| Evaluation Performance Testing | 4.20 | 4.20, 4.35 | 4.20, 4.35, 4.49 | 5.15, 5.16, 5.41 | 5.15, 5.16, 5.34, 5.41 |

4.9.1. Protection areas and layers

Figure 7 provides a conceptual drawing, based on the recommendations in paras 4.14, 4.22–4.27,
4.37–4.40, 4.42–4.46 and 5.20–5.35 of Ref. [1], of the different types of protection area to provide
defence in depth that may be found at a nuclear facility, depending on its nuclear material and
sabotage targets. These protection areas are physically separated through each having its own
protection layer. Beginning with the innermost area, the requirements for each area’s protection layer
are discussed in terms of its location, access, detection, delay and response recommendations.

³ This Table is also relevant, as appropriate, to protecting against unacceptable radiological consequences at nuclear facilities.

[Figure 7: nested areas, from outside in: green field area outside the facility; limited access area (all other areas of the nuclear facility, some of which may contain Category III material; its outer blue line represents the perimeter of the nuclear facility); protected area (Category II material, targets between the URC and HRC, and inner and/or vital areas; its outer blue line represents the perimeter of the protected area); inner area (contains Category I material); vital area (contains targets, the sabotage of which may lead to HRC).]

FIG. 7. Nuclear facility layout.

4.9.1.1. Limited access area

A limited access area is a designated area, containing a nuclear facility, to which access is limited and
controlled for physical protection purposes. Any Category III material held in this area should be
protected with the measures listed in Table 3. (A further area of land outside the boundary of the
nuclear facility may also be a controlled area, in accordance with national decisions).

4.9.1.2. Protected area

Category II material should be secured within a protected area. As part of graded protection, a State
may consider securing sabotage targets with potential consequences between URC and HRC within a
protected area. All protected areas should be located within a limited access area and follow the
appropriate recommendations for physical protection measures listed in Table 3. A physical barrier is
specifically recommended at the perimeter of the protected area.

4.9.1.3. Inner areas and vital areas

Inner areas are areas containing Category I nuclear material and vital areas are areas containing
equipment and/or radioactive material, the sabotage of which could lead to HRC. An inner area may
also be a vital area, in which case the measures for both unauthorized removal and sabotage should be
implemented. Inside the inner area, Category I nuclear material should be stored in a hardened room
or hardened enclosure. All inner and vital areas should be located within a protected area and follow
the appropriate recommendations for physical protection measures listed in Table 3.

4.9.2. Central alarm station

Central alarm stations (CASs) are recommended for nuclear facilities holding Category I and Category
II nuclear materials and/or having sabotage targets with potential consequences above HRC levels.
The following recommendation is associated with protection of Category I and II materials:

“A permanently staffed central alarm station should be provided for monitoring and assessment
of alarms, initiation of response, and communications with the guards, response forces, and
facility management. Information acquired at the central alarm station should be stored in a
secure manner. The central alarm station should normally be located in a protected area and
protected so that its functions can continue in the presence of a threat, e.g., hardened. Access
to the central alarm station should be strictly minimized and controlled.” (Ref. [1], 4.30)

For sabotage targets with potential consequences above the HRC level there is a recommendation that
essentially combines the recommendations from paras 4.30 and 4.47 of Ref. [1]:

“A permanently staffed central alarm station should be provided for monitoring and assessment
of alarms, initiation of response, and communications with the guards, response forces, and
facility management. Information acquired at the central alarm station should be stored in a
secure manner. The central alarm station should normally be located in a protected area and
protected so that its functions can continue in the presence of a threat, e.g., hardened. Access
to the central alarm station should be strictly minimized and controlled. Provisions, including
redundancy measures, should be in place to ensure that the functions of the central alarm
station in monitoring and assessment of alarms, initiation of response and communication can
continue during an emergency (e.g., a backup alarm station).” (Ref. [1], 5.36)

An alarm communication and display system is a primary component of the CAS. This system
facilitates monitoring and assessment of alarms at the CAS. As a minimum, the functions of the
system are to:

— Transmit alarm and video signals from the sensors and cameras to the CAS;
— Display this information to a security operator for decisions and action; and
— Assist the CAS operator to assess alarms.

Good practice for all categories of nuclear material is to design alarm communications paths that are
redundant (i.e. two or more communications systems) and diverse (e.g. the redundant systems use
different physical paths). Redundancy helps the communications system to be more reliable — as, if
one communications path ceases to function, the other(s) can take over that function — and to be more
secure, as the adversary must defeat or compromise at least two communications paths instead of one.
The following recommendations are associated with protection of Category I and II materials:

“Alarm equipment, alarm communications paths and the central alarm station should be
provided with an uninterruptible power supply and be tamper-protected against unauthorized
monitoring, manipulation and falsification.” (Ref. [1], 4.31)

“Dedicated, redundant, secure and diverse transmission systems for two way voice
communication between the central alarm station and the response forces should be provided
for activities involving detection, assessment and response. Dedicated two way secure voice
communication should be provided between guards and the central alarm station.” (Ref. [1],
4.32)

For sabotage targets with potential consequences above HRC levels there are two similar
recommendations in paras 5.37 and 5.38 of Ref. [1].

Physical protection measures can be designed and operated to maintain alarm communications and
display system integrity (denying access to the equipment and denying and detecting access to the
information) during nuclear security events. Tamper indicating sensors in junction boxes and in
equipment cabinets may provide an additional layer of physical protection.

The CAS operator is responsible for assessing alarms and initiating the appropriate response to events.
Because of this critical function, the CAS should normally be located within a protected area. Because
the CAS is the interface between the detection and response functions, the CAS operators should
ideally be members of the guards and/or response force, as they have sound knowledge and
understanding of the contingency plans. It is suggested that the functions of the CAS are regularly
exercised during normal operations and tested for more infrequent operations.

4.9.2.1. Continuity of monitoring and assessment of alarms

Further recommendations relating to Category I nuclear material and sabotage targets with potential
consequences above HRC are:

“Provisions, including redundancy measures, should be in place to ensure that the functions of
the central alarm station in monitoring and assessment of alarms, initiation of response and
communication can continue during an emergency (e.g. a backup alarm station).” (Ref. [1],
4.47, 5.36)

The critical functions of the CAS should be maintained when the primary console is under threat or
compromised, or the CAS is evacuated for safety reasons. A backup alarm station may provide
continuity of operations for the critical CAS functions in such circumstances. Such a backup station
therefore needs to be located separately from the CAS in a location that ensures continuation of this
function. PPSs with a CAS and a backup alarm station have the following advantages:

— Greater hardware reliability, through redundancy of equipment;
— System operation by one station with oversight surveillance from a backup station;
— The backup station can take over physical protection functions in the event of a hardware or
personnel failure at the primary station or in case of an attack on the primary station;
— Improved human reliability through observation of actions from a second alarm station.

4.9.3. Physical barriers

Physical barriers should be placed such that an adversary is delayed, thereby allowing the response
forces sufficient time to interrupt the adversary task. The balanced design concept ensures balanced
delay for different paths and scenarios to allow the response force sufficient time to defeat the
adversary. Under this concept, physical barriers are carefully planned to fit the particular location and
positioned in the path of the adversary. The degree of delay depends on the nature of the obstacles
employed. Multiple layers of different physical barrier types along all possible adversary paths are
suggested as ways to complicate the adversary’s progress by requiring a variety of tools and skills
consistent with the threat assessment/DBT. To aid both assessment and interruption of the adversary at
predictable locations, consideration should be given to installing physical barriers and detection
systems adjacent to each other so that the barrier is encountered at approximately the same time as a
sensor. This arrangement delays the adversary at the point of detection and increases the probability of
detection of an attack. It is suggested that physical barriers that are not covered by an intrusion
detection system are patrolled randomly or have another form of surveillance in order to detect attack
on or tampering with the barriers.

4.9.3.1. Gates and vehicle barriers

Vehicles can be driven through many types of fence, or gate and vehicle barriers. It is specifically
recommended to install vehicle barriers at an appropriate distance from vital and inner areas. To
minimize the probability of breaching any secured area, vehicle barriers can be designed and installed
in appropriate locations on land and water. The orientation of vehicle gates and their approaches can
be designed to reduce the probability of the gates being breached by vehicles ramming them.
Approach roads constructed with multiple turns on each side of the gate will reduce the speed of
vehicles near to the gate, thereby increasing the effectiveness of the vehicle barriers.

4.9.4. Access control systems

Access control systems consist of the hardware and procedures used to verify entry authorization and
to control the movement of people and material into and out of each area. Access control systems
manage who is allowed to enter, when they are allowed to enter and where the access will occur, and
determine the parameters for authorized entry. Because access control information is sensitive, access
control systems need to be suitably protected.

Access control systems can support the smooth and continuous entry and exit of authorized personnel,
material and equipment via normal routes while detecting and delaying the movement of unauthorized
personnel and contraband. The objectives of an access control system are to allow only authorized
personnel and vehicles to enter and exit, to detect and prevent unauthorized movement of material,
information or equipment into or out of the area, to provide information to the guard force to facilitate
assessment and response and to assist in authorization decisions and determine that personnel are
accounted for during nuclear security events and emergencies.

Access control systems need to be installed to control entry to the different areas at the nuclear facility,
keeping in mind the number of personnel that need to enter and exit at each portal and on what
schedule. Because the PPS is layered, moving from the limited access area to the protected area into
any inner areas and/or vital areas, the PPS provides different types of detection of increasing rigour.
As the number of authorized users will be smaller at each successive entry portal, this may influence
the selection of access control hardware and procedures.

4.9.5. Guards and response forces

The operator’s responsibilities for providing response, including guards and response forces, vary
widely among States, usually due to differences in national legislation relating to legal use of force
and arrest authority. In some States the operator has no responsibility for response forces and depends
on the State to provide these capabilities, consistent with the legal and regulatory framework. In some
other States the operator provides both the guards and the response forces, using its own staff and/or
contracted service providers. In such cases, operators retain full responsibility for ensuring that
guards and on-site response forces employed by them, whether directly or under contract, fulfil their
respective duties, as instructed by the operator’s management and detailed in the security plan.

Even where operators have their own guards and response forces, there may also be a law enforcement
response by off-site response forces, particularly in the case of a serious security event. In such cases,
there need to be documented arrangements between the operator and external response force
organizations which detail the objectives, policy and concept of operations for response by all parties,
including responsibilities for a systematic, coordinated and effective response. These documented
arrangements will help ensure the contingency plans of the operator are in full coordination with those
of the external response forces. The operator should encourage and facilitate the agreed response
arrangements being exercised periodically.

Whoever provides the response, the response forces need to be able to interrupt and neutralize an
adversary having the resources and capabilities described in the threat assessment or DBT.
Interruption begins with communication to the response force and is completed when a sufficient
number of appropriately trained and equipped members of a response force arrive at the appropriate
location in time to stop the adversary’s progress towards completing a malicious act. Neutralization is
the act, following interruption, of gaining control of the adversary before their goal is accomplished or
otherwise causing the adversary to abandon the attempt. For effective neutralization, the response
force needs to be superior to the adversary in terms of numbers, equipment and training.

Effective communications to the response force provide information about the adversary actions and
characteristics (including observed numbers and any information available about tools, equipment,
weapons and vehicles) and instructions for deployment. The effectiveness measures for
communications with the response forces are the probability of accurate communication and the time
needed to communicate to the response force.

The PPS may include a communications plan to ensure proper coordination of response actions. It is
suggested that the communication system used by the response force provide the capability for any
responder to covertly send a duress signal. Furthermore, some form of communication needs to be
able to continue to operate if other forms are disabled.
A rigorous training programme is essential for an effective response. All guards and response forces
therefore need to participate in frequent training appropriate for their position and responsibilities.
Recommendations for both guards and response forces to address a nuclear security event are listed
below:

“The coordination between the guards and response forces during a nuclear security event
should be regularly exercised. In addition, other facility personnel should be trained and
prepared to act in full coordination with the guards, response forces and other response teams
for implementation of the plans.” (Ref. [1], 3.60)

Specific recommendations for response to unauthorized removal of Category I, II, and III nuclear
material are as follows:

“Provision should be made for detecting unauthorized intrusion and for appropriate action by
sufficient guards and/or response forces to address a nuclear security event.” (Ref. [1], 4.15)

“The State should ensure that response forces are familiarized with the site and nuclear
material locations and have adequate knowledge of radiation protection to ensure that they are
fully prepared to conduct necessary response actions, considering their potential impact on
safety.” (Ref. [1], 4.20)
To counter unauthorized removal of Category I and II nuclear material:

“A 24 hour guarding service and response forces should be provided to counter effectively any
attempted unauthorized removal… The guards and response forces should be trained and
adequately equipped for their functions in accordance with national laws and regulations.

“The guards should conduct random patrols of the protected area. The main functions of the
patrols should be to:
— Deter an adversary;
— Detect intrusion;
— Inspect visually the physical protection components;
— Supplement the existing physical protection measures;
— Provide an initial response.” (Ref. [1], 4.33–4.34)

The recommendation quoted above from para. 4.34 of Ref. [1] is repeated in para. 5.40 in relation to
guards’ functions within protected areas to protect against sabotage.
It is good practice for patrols to cover the entire perimeter several times a shift, but at random times,
so as not to be predictable by an adversary observing the facility. During this time, they may also
check the integrity of fences, check that lighting is functioning and that all gates and doors are
appropriately secured. Other good practices are to use guards to test operation of sensors at the
perimeter of the protected area and elsewhere to verify functioning of the detection system, and to
provide compensatory measures until, for example, a failed sensor is fixed.
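The unpredictable-patrol practice described above, sketched as an added example that is not part of the IAEA guide: patrol start times are drawn from the operating system's CSPRNG, subject to coverage rules, and compared with a fixed-interval schedule. The shift length, patrol count, patrol duration and maximum gap are assumed values chosen for illustration.

```python
import secrets

def schedule_ok(starts, shift_min, patrol_min, max_gap_min):
    """Check sorted start offsets (minutes from shift start) against the rules:
    patrols do not overlap, and no stretch without a patrol exceeds max_gap_min."""
    prev_end = 0  # the shift start is treated as the end of a previous patrol
    for s in starts:
        gap = s - prev_end
        if gap < 0 or gap > max_gap_min:
            return False
        prev_end = s + patrol_min
    # The last patrol must finish inside the shift, without a long uncovered tail.
    return prev_end <= shift_min and shift_min - prev_end <= max_gap_min

def random_patrol_starts(shift_min, patrols, patrol_min, max_gap_min,
                         max_attempts=10000):
    """Draw patrol start times by rejection sampling from the OS CSPRNG.
    Uniform draws that satisfy the rules are kept, so no start time is favoured
    by the generator itself."""
    idle = shift_min - patrols * patrol_min
    if idle < 0 or idle > (patrols + 1) * max_gap_min:
        raise ValueError("constraints cannot be satisfied")
    latest_start = shift_min - patrol_min
    for _ in range(max_attempts):
        starts = sorted(secrets.randbelow(latest_start + 1)
                        for _ in range(patrols))
        if schedule_ok(starts, shift_min, patrol_min, max_gap_min):
            return starts
    raise RuntimeError("no valid schedule found; loosen the constraints")

def fixed_patrol_starts(shift_min, patrols):
    """Predictable baseline: evenly spaced patrols, identical every shift."""
    return [i * shift_min // patrols for i in range(patrols)]

def repeat_rate(schedules):
    """Fraction of consecutive shifts whose schedule is identical to the one
    before it: what an observer who watched yesterday can rely on today."""
    pairs = list(zip(schedules, schedules[1:]))
    return sum(a == b for a, b in pairs) / len(pairs)

if __name__ == "__main__":
    # Assumed parameters: 8 h shift, 4 patrols of 45 min, at most 150 min uncovered.
    SHIFT, N, DUR, GAP = 480, 4, 45, 150
    randomized = [random_patrol_starts(SHIFT, N, DUR, GAP) for _ in range(30)]
    fixed = [fixed_patrol_starts(SHIFT, N) for _ in range(30)]
    print("first three randomized shifts:", randomized[:3])
    print("repeat rate, fixed schedule:     ", repeat_rate(fixed))
    print("repeat rate, randomized schedule:", repeat_rate(randomized))
```

The maximum-gap rule matters as much as the randomness: unconstrained random draws can cluster and leave the perimeter unpatrolled for most of a shift.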
Sections 3.3.1.3 and 4.4.2.1 discuss recommendations concerning evaluations and performance testing
of response forces for unauthorized removal of Category I and II nuclear material and against
sabotage, for the State and operator, respectively.

Training for guard and response forces may include exercising of contingency plans, performance
testing, table top exercises, modelling and simulation, response force exercises and/or force-on-force
exercises.
4.9.6. Protection measures for stand-off sabotage attacks

For those stand-off attacks that are included in the threat assessment or DBT, the State decides which
types are the responsibility of the operator (see Section 3.5). The first step for the operator in
providing protection against stand-off attack scenarios is to identify the potential vulnerability to
stand-off attack of target areas and the material, equipment and systems within those areas. This
process includes development of sabotage scenarios based on the characteristics defined in the threat
assessment or DBT and an assessment of the impact of those scenarios on targets. Close cooperation
between safety and physical protection personnel is needed in this endeavour. The operator is
responsible for the design of protection measures against stand-off attacks which, following approval
by the competent authority, should be implemented.

Protection measures that may protect against or mitigate the consequences of a stand-off attack include
increasing the stand-off distance to exceed the range of weapons the adversary might use, obscuring
lines of sight to the target from potential stand-off attack areas, increasing detection and deterrence
through off-site patrols and surveillance, using barriers to intercept missiles or absorb blast or
fragments, modifying layouts of facilities to protect sensitive targets, and hardening facilities to resist
the attack.
4.9.7. Protection measures for airborne and waterborne attacks

The threat assessment or DBT may include adversaries who use airborne and/or waterborne vehicles
for transport in a theft or sabotage scenario (not to be confused with an aerial stand-off sabotage
attack). In these cases, the adversaries may arrive and/or depart the site by air or water and the
operator will typically have some responsibilities for protecting against these modes of attack.

Radar, acoustic and seismic sensors can all provide some aerial detection capability, but need to be
carefully located to provide good coverage with few nuisance alarms. Some types of aircraft may be
prevented from landing at the site due to its small or congested area, or by strategic positioning of
poles or other physical barriers.

Based on the DBT and State’s requirements, the operator may implement and operate equipment and
devices to detect such attacks.
4.9.8. Transport of nuclear material

The operator of a nuclear facility, as the shipper or receiver, has certain responsibilities for the
physical protection of nuclear material being transported into or out of the facility, e.g. providing
advance notification of planned shipments, prior agreement with the carrier concerning transfer of
physical protection responsibilities, search of conveyances, protecting the confidentiality of transport
information, checking the integrity of packages upon arrival and notifying the shipper of such arrival.
Furthermore, the operator should ensure that the on-site movement of Category I and II nuclear
material between two protected areas at the nuclear facility is protected in accordance with the State’s
requirements for the transport of such nuclear material outside the facility. Further comprehensive
guidance is available in Ref. [2].
4.10. NUCLEAR MATERIAL ACCOUNTING⁴ AND CONTROL (NMAC) FOR NUCLEAR SECURITY

⁴ Ref. [1] uses the term nuclear material accountancy and control, whereas Ref. [18] uses the term nuclear material
accounting and control. Except where quoting directly from Ref. [1], the latter term is used in this publication, but the terms
are considered to be interchangeable.

Ref. [1] provides several recommendations for NMAC in relation to nuclear security:
“The operator should ensure control of, and be able to account for, all nuclear material at a
nuclear facility at all times. The operator should report any confirmed accounting discrepancy
in a timely manner as stipulated by the competent authority.” (Ref. [1], 3.26)

“When considering the threat, due attention should be paid to insiders. They could take
advantage of their access rights, complemented by their authority and knowledge, to bypass
dedicated physical protection elements or other provisions, such as safety procedures. The
physical protection system should be assisted by nuclear material accountancy and control
measures to deter and detect the protracted theft of nuclear material by an insider.” (Ref. [1],
3.36)

“Defence in depth should take into account the capability of the physical protection system and
the system for nuclear material accountancy and control to protect against insiders and
external threats.” (Ref. [1], 3.47)

“The operator should ensure that any missing or stolen nuclear material is detected in a timely
manner by means such as the system for nuclear material accountancy and control and the
physical protection system (e.g., periodic inventories, inspections, access control searches,
radiation detection screening).

“The operator should confirm any missing or stolen nuclear material by means of a rapid
emergency inventory as soon as possible within the time period specified by the State. A system
for nuclear material accountancy and control should provide accurate information about the
potentially missing nuclear material in the facility following a nuclear security event.”
(Ref. [1], 4.57–4.58)
An NMAC system is designed to provide knowledge of the quantity, type, location, use, movement
and transformation of all nuclear material. The NMAC system provides deterrence and detection of
unauthorized removal of nuclear material by maintaining an inventory of all nuclear material,
including information related to its location. The nuclear material control function provides
containment and surveillance measures, which may detect malicious activities by an insider. Either or
both functions may initiate a response based on that detection, if nuclear material may possibly have
been removed without authorization or used in an unauthorized manner. A properly functioning
NMAC system enhances the ability of the operator to detect insider activities and to correctly assess
any irregularity involving nuclear material, whether initiated by insiders or outsiders. If nuclear
material is removed from the facility, the NMAC system should be able to identify the quantity and
characteristics of the nuclear material that has been removed.

The objectives of an NMAC system relevant for physical protection are to:
— Detect and assess unauthorized access to, or removal of, nuclear material; and
— Provide information about the locations, characteristics and quantities of nuclear material.

This allows the operator to:
— Communicate the unauthorized removal of nuclear material to the relevant competent
  authorities;
— Provide accurate and timely information to assist in locating any material not in its authorized
  location; and
— Provide assurance, in coordination with physical protection and material control measures,
  that appropriate protection and controls are applied to nuclear materials, according to their
  categorization.
Material surveillance and monitoring may be used by the operator to detect the movement of nuclear
material, and to provide on-going information about the status of NMAC equipment and nuclear
material. Material surveillance and monitoring may include visual surveillance by operating personnel
and visual and remote monitoring by physical protection personnel as well as other technical means of
surveillance such as weight sensors, heat sensors, laser monitors, radiation monitors, radio-frequency
tags and motion sensors.

In order for visual surveillance to be effective, the person(s) observing needs to be capable of
recognizing unauthorized activities, correctly assessing the situation, and reporting the activities to
appropriate response personnel in time to prevent unauthorized removal. Visual surveillance,
including two-person rules, may be used as an administrative control. To be effective, the two
authorized individuals will need to have appropriate training, have unobstructed views of the material
and of each other, and be able to detect unauthorized or incorrect procedures.

Material containment measures and tamper indicating devices can be used to help ensure the
continuity of knowledge of nuclear material and indicate unauthorized access. The use of various
levels of containment such as cans, gloveboxes, storage cabinets and vaults, along with effective
tamper indication devices and surveillance, reduces the time needed to determine whether any nuclear
material is missing, and if so what material, in the event that an emergency or unscheduled inventory
is necessary.

It is suggested that the responsibilities for the separate functions of nuclear material accounting,
custody of nuclear material and physical protection are assigned within the management structure to
separate individuals or groups of individuals.

In all cases, timely detection is important. It is suggested that the operator review all possible means of
detecting that nuclear material is missing, stolen or otherwise removed in an unauthorized manner,
estimating the cumulative time for the various detection measures to determine whether or not it
satisfies requirements set by the competent authority. Further guidance on this topic can be found in
Ref. [18].
4.11. SECURITY OF SENSITIVE INFORMATION

Adversaries wishing to plan or carry out any malicious act involving nuclear material or other
radioactive material or associated facilities may benefit from access to sensitive information. Such
information should therefore be identified, classified and protected with appropriate measures.

Sensitive information is information, in whatever form, including software, the unauthorized
disclosure, modification, alteration, destruction or denial of use of which could compromise nuclear
security.

Confidentiality is the property that information is not made available or disclosed to unauthorized
individuals, entities or processes. As well as protecting the confidentiality of sensitive information,
information security also includes protecting the accuracy and completeness of the information (its
integrity) and the accessibility or usability of the information on demand (its availability). Protection
of these three qualities of sensitive information is the basis for information security.

Information security is a cross-cutting principle of nuclear security, and is a key element of the nuclear
security regime in a State. The State, through the competent authorities, sets the information security
requirements for the nuclear industry and other organizations, based on guidance and policies from the
national security authorities.
Operators need to establish internal policy, plans and procedures for protecting the confidentiality,
integrity and availability of the sensitive information they hold or handle, in compliance with the
national security policy and the relevant national laws and requirements. These plans need to be
incorporated in the security plan. The operator also needs to ensure that its contractors, whether on-site
or off-site, are made aware of the sensitivity of any information passed to them by the operator
and are briefed on the procedures to appropriately protect such information. The operator may be
responsible for carrying out checks to ensure that contractors comply with these procedures and
ensuring that sensitive information is returned to the operator at the conclusion of the contract.

Frequent reviews of the information security programme may be used to determine the practices that
are working as intended and to enhance or correct deficiencies that have been identified. Breaches of
information security should be reported to the appropriate authorities in accordance with the State’s
requirements, to allow for investigation and corrective actions. Audits may be performed to provide
assurance that the information security programme is operating as intended.

Further guidance on information security, including an example classification guide to assist States
and operators in identifying sensitive information, can be found in Ref. [14].
4.12. PROTECTION OF COMPUTER-BASED SYSTEMS

“Computer-based systems used for physical protection, nuclear safety, and nuclear material
accountancy and control should be protected against compromise (e.g. cyber-attack,
manipulation or falsification) consistent with the threat assessment or design basis threat.”
(Ref. [1], 4.10, 5.19)

The State has the responsibility to provide requirements on computer security and ensure that
operators provide assurance that computers and computer based systems are adequately protected
against cyber-attacks. Operators have the responsibility for implementing a computer security
programme in compliance with these regulations.

The overall objective is to protect computer systems against attacks aimed at facilitating the
unauthorized removal of nuclear material or sabotage. The operator is responsible for identifying those
computer-based systems that need protection against compromise so as to help prevent a successful
adversary attack. The operator then needs to establish a computer security policy and its
implementation plan.
The threat and attack vectors are multidimensional:

The attacker:
— Could be external;
— Could be internal; and/or
— Could be one or many individuals.

The attack:
— Could have an immediate impact causing damage to equipment or degradation in security
  functions;
— Could be on-going, such as covert information collection;
— Could be delayed for a timed or triggered effect; and/or
— Could be synchronized with other activities, which may include physical attack.

Attack types might include:
— Denial of service or loss of function. This type of attack aims to block the operator’s
  ability to observe and/or respond to changing system conditions by slowing the system
  down.
— Interception (‘man in the middle’). By intercepting and modifying data streams between
  computer nodes, the attack aims to modify information feeds or command signals to
  equipment.
— Unobserved system monitoring and data collection. Unauthorized file access and data
  recording, message (information) interception and data exfiltration could provide
  reconnaissance in planning and executing an attack.
— Operator spoofing leading to incorrect action. Through the insertion of unauthorized or
  erroneous data streams, the attack aims to provide the operator with false system
  indications, leading the operator to take incorrect action.
— Direct manipulation of computer/control system. The attacker aims to assume
  independent control over processes and machinery.
— Modification to the operational characteristics of critical systems. Through the
  modification of system logic, equipment configuration, set points or data, the attacks aim
  to change the operational characteristics of the system leading to abnormal behaviour.
  This could support an attack or could be the target of attack.
Defence against such attacks needs to follow a defence in depth approach that uses technical,
administrative and physical security controls. Computer security therefore needs to be integrated
within the overall framework of the security plan.

Detailed guidance on establishing an effective computer security programme at nuclear facilities is
found in Ref. [6].
4.13. SAFETY–SECURITY INTERFACE

“The operator should assess and manage the physical protection interface with safety and
nuclear material accountancy and control activities in a manner to ensure that they do not
adversely affect each other and that, to the degree possible, they are mutually supportive.”
(Ref. [1], 4.11, 5.18)

The interface between safety and security is an important element of both programmes, to ensure
appropriate physical protection of nuclear material and nuclear facilities and health and safety of
workers and the public.

The operator has the primary responsibility for the safety and physical protection of the nuclear
facility. It is suggested that operators adopt, through their integrated management system, an
integrated and coordinated approach to developing and implementing proposed changes in order to
avoid unintended degradation of safety and physical protection or of emergency preparedness
arrangements. Where potential adverse interactions are identified, the operator will need to
communicate them to appropriate personnel within the organization and consider alternative measures
or take compensatory and/or mitigating actions.

The operator needs to recognize safety–security interface issues and manage them appropriately
during design, construction and normal operations, as well as during nuclear security events and
emergencies, and decommissioning. These controls and processes may be implemented through
existing management controls, such as safety or security review boards, work planning and controls,
and configuration management.
Examples of such issues during nuclear security events and emergencies include:
— Coordinating the physical protection response to a nuclear security event with the safety
  response to an emergency resulting from that event.
— Ensuring that physical protection response forces are familiar with the nuclear facility,
  including the location of nuclear material and of equipment/systems important to safety, and
  have adequate knowledge of radiation protection requirements.
— Ensuring radiation protection of response forces as they move in and through contaminated
  areas during a sabotage attack.
— Protecting safety responders and facility personnel if they need to move in and through areas
  where the response force are operating during a nuclear security event.
— Ensuring that physical protection barriers satisfy physical protection objectives without
  compromising the ability of personnel to evacuate areas quickly in the event of a fire,
  criticality or release of radionuclides, for example through the installation of internal
  quick-release locks on doors and gates coupled with alarms. Special physical protection
  arrangements may be necessary which allow individuals to evacuate a protected area quickly
  in an emergency but which still ensure they are subject to search before leaving the nuclear
  facility.
— Requiring extensive inspections and searches prior to entry into a protected area, without
  adequate consideration of the potential need for off-site emergency responders and vehicles to
  enter quickly to assist in the event of a medical or other emergency.

Information regarding the interface between the emergency and contingency plans is provided in
Section 4.8, including the guidance that exercising both plans together is beneficial for improving
coordination.
An important aspect of managing the safety–security interface is ensuring that physical protection
personnel are notified of changes to the characteristics of the nuclear facility’s physical layout, the
configuration of facilities, structures, systems and components, and changes to the facility’s operations
or emergency planning. It is also helpful to have knowledgeable personnel review changes in these
areas before they are implemented. In particular, safety expertise is needed to determine any new
definitions of URC or changes to levels of URC to reflect changes in operations or threats (which
would then inform the necessary level of physical protection to be applied to existing or new sabotage
targets). Similar notification and review processes are helpful as inputs to review safety provisions in
the light of changes related to physical protection measures.

An effective interface between safety and physical protection includes implementing safety and
physical protection in such a way that they are mutually supportive. For example, safety procedures to
prevent safety incidents or accidents may also assist physical protection procedures against malicious
acts by insiders. Structures, systems and components important to safety may also be designed and
located in the nuclear facility in such a way that they simplify assignment of sabotage target protection
sets and compartmentalization of the nuclear facility for access controls. For instance, ensuring
adequate physical separation of safety equipment to provide redundancy also reduces the likelihood of
this equipment being damaged by a single act of sabotage. Reductions in inventories of nuclear
material and other hazard reduction measures reduce both safety and nuclear security risks.
4.14. SECURITY PLAN

“The operator should prepare a security plan as part of its application to obtain a licence. The
security plan should be based on the threat assessment or the design basis threat and should
include sections dealing with design, evaluation, implementation, and maintenance of the
physical protection system, and contingency plans. The competent authority should review and
approve the security plan, the implementation of which should then be part of the licence
conditions. The operator should implement the approved security plan. The operator should
review the security plan regularly to ensure it remains up to date with the current operating
conditions and the physical protection system. The operator should submit an amendment to
the security plan for prior approval by the competent authority before making significant
modifications, including temporary changes, to arrangements detailed in the approved security
plan. The competent authority should verify the operator’s compliance with the security plan.”
(Ref. [1], 3.27)

The security plan provides part of the basis for licensing of the nuclear facility by the State and
implementation of the security plan is a condition of the authorization to conduct operations at the
nuclear facility. It should therefore describe in detail all aspects of the PPS implemented for a nuclear
facility. It is suggested that it also include the physical protection arrangements for the on-site
movement of Category I and II nuclear material between two protected areas, as well as the
arrangements for the receipt and despatch of nuclear material to and from the nuclear facility. The
security plan describes the measures in place to meet the State’s physical protection objectives and
requirements. Security plans therefore need to be based on in-depth analysis and be supported by
adequate information to confirm that the physical protection requirements will be met when the plan is
executed. The security plan provides assurance that the PPS addresses the threats contained in the
threat assessment or DBT.

An example of the structure and suggested content of a security plan is provided in Appendix I.
4.14.1. Security plan development

It is suggested that the security plan include a list of the targets at the facility, indicating in each case
whether they are of concern for unauthorized removal and/or sabotage.

4.14.1.1. Review and update

The operator should keep the security plan up to date so that it reflects the existing conditions at the
nuclear facility as well as the extant threats. The operator therefore needs to have, within its integrated
management system, a security management system in place to provide for the development,
implementation and oversight of and updates to the security plan and associated procedures.
Implementation procedures may document the structure of the security organization, the use of
security measures such as technologies and procedures, training and qualification of security
personnel, and contingency plans. The security plan may describe, as necessary, the schedule for
implementing parts of the plan and address any activities that involve modification of the facility.

After the security plan has been developed and approved by the competent authority, it forms part of
the licensing basis for the nuclear facility. The competent authority approves changes to the security
plan and the operator may not implement proposed changes to the security plan prior to approval by
the competent authority.

The security plan should be periodically reviewed at intervals defined by the competent authority to
ensure that it continues to reflect the current circumstances. The security plan will also need to be
reviewed prior to changes in physical protection personnel, procedures, equipment or systems that
could potentially adversely affect physical protection. The introduction of new quantities or types of
nuclear material, changes in sabotage target sets and other significant changes to the PPS will be likely
to necessitate changes to the security plan. It is suggested that the results of such reviews, including
any resulting action plan, are documented and maintained for future audits.
4.14.1.2. Confidentiality of sensitive information

Information within the security plan is sensitive and its unauthorized release would compromise the
physical protection of the nuclear facility. The operator will therefore need to protect the security plan
against unauthorized disclosure. In accordance with the State’s requirements, access to sensitive
information should be provided only to those whose trustworthiness has been established and who
have a need to know for the performance of their duties.

The security plan may be divided into sections of different levels of sensitivity so that these sections
can be shared, as appropriate, with those that have different levels of need to know and
trustworthiness.
APPENDIX I. THE SECURITY PLAN

An example of the possible outline structure for a security plan is set out below. Following this
outline, there is a brief discussion of the suggested contents of each section. The State and its
competent authorities should review this proposed structure and modify it based on their requirements
and specific needs.
I.1. Administrative information
  I.1.1. Introduction and schedule for implementation
  I.1.2. Facility description
    I.1.2.1. General facility description, mission and operations
    I.1.2.2. Facility layout
  I.1.3. Security policy
    I.1.3.1. Management policy
    I.1.3.2. Nuclear security culture
    I.1.3.3. Quality assurance
    I.1.3.4. Trustworthiness policy
    I.1.3.5. Sustainability programme
  I.1.4. Security organization
    I.1.4.1. Security organization structure
    I.1.4.2. Security management and allocation of responsibilities
    I.1.4.3. Qualification requirements for security personnel
    I.1.4.4. Security personnel training
    I.1.4.5. Guards/response force armament and equipment
  I.1.5. Information management
    I.1.5.1. Computer security management
I.2. Defining the PPS
  I.2.1. Objectives and requirements of the PPS
  I.2.2. Target identification
  I.2.3. Threat definition
  I.2.4. Law enforcement liaison
I.3. Physical protection system
  I.3.1. Facility protection strategies
  I.3.2. Description of the PPS
    I.3.2.1. Insider threat mitigation programme
  I.3.3. Transport of nuclear material
  I.3.4. PPS testing, evaluation and maintenance
    I.3.4.1. Types of testing and evaluation
    I.3.4.2. Frequency of testing and evaluation
    I.3.4.3. Maintenance
    I.3.4.4. Expansion and upgrade
  I.3.5. Compensatory measures
I.4. Response planning
  I.4.1. Organization and responsibilities
  I.4.2. Security forces
    I.4.2.1. Guards
    I.4.2.2. On-site response force
    I.4.2.3. Off-site response force
    I.4.2.4. CAS staffing
  I.4.3. Contingency plans
  I.4.4. Incident communications, command and control
  I.4.5. Response to higher threat conditions
I.5. Policies and operational procedures
  I.5.1. Required elements of the security plan
  I.5.2. Review, evaluation, audit and update of the security plan
  I.5.3. Reporting of threats or incidents
I.6. References
I.7. Acronyms and Glossary
I.1. ADMINISTRATIVE INFORMATION
This section may include information on the complete legal name and address of the entity responsible
under law for the protection of the nuclear facility. Appropriate telephone, fax and e-mail addresses of
those who are applying for approval of the security plan may be contained in a covering letter.
I.1.1. Introduction and schedule for implementation
This section may include a short description of the facility’s mission and operations, maps of the
facility and other information to indicate on these maps the locations of the major activities.
The maps may depict terrain, any nearby towns, transport routes, nearby hazardous material facilities
and any other areas that may affect response activities. The maps may also indicate main and
alternative routes for law enforcement or other off-site responders.
I.1.2. Facility description (operations and layout)
This section may provide details of nuclear operations undertaken at the facility.
I.1.2.1. General facility description, mission and operations
A general description of the types of nuclear activity that take place at the facility and the nuclear and
other radioactive material used or generated by these activities.
I.1.2.2. Facility layout
A map, diagram or image of the facility, with key buildings and activities identified, may be provided
in this section. Block diagrams of the various operations may be useful in describing the facility’s
activities.
I.1.3. Security policy
This section contains the facility’s written security policy.
I.1.3.1. Management policy
This section describes the management system that provides oversight of the facility’s physical
protection, the purpose of which is to develop, revise, implement and oversee physical protection
procedures. It could also address how the safety–physical protection interface is managed.
I.1.3.2. Nuclear security culture
This section describes how the operator promotes nuclear security culture as an important part of
delivering its security policy to management, employees and contractors.
I.1.3.3. Quality assurance
This section describes the quality assurance aspects of the management policy and programme
applicable to physical protection.
I.1.3.4. Trustworthiness policy
This section describes the trustworthiness levels and requirements applied to employees and
contractors at the nuclear facility for access to specified areas within the facility (e.g. protected, inner
area and vital areas), to nuclear material and to sensitive information, as well as the measures taken to
assure continued trustworthiness.
I.1.3.5. Sustainability programme
This section describes the sustainability programme for the PPS.
I.1.4. Security organization
All individuals with security responsibilities may be identified with a brief description of their duties
and responsibilities. This section may include the requirements for selecting, training, equipping,
testing and qualifying individuals who will be responsible for protecting nuclear materials and nuclear
facilities. As appropriate to the operator’s assigned responsibilities and capabilities, this section needs
to state which parts of the security organization are provided by staff and which by external
contractors. For contractors, this section may briefly describe the written agreements between the
operator and contractors that describe how they will meet the requirements to protect the facility. The
level of detail included in the security plan may vary depending on the facility but needs to provide
enough information for a reader to understand the capabilities of the security forces for the facility.
The information provided seeks to confirm that the security organization is designed, staffed, trained,
qualified and equipped to implement physical protection.
I.1.4.1. Security organization structure
This section describes the structure of the security organization, including management, guards and
any on-site response force, technical security personnel and other persons responsible for physical
protection related functions. This section may also contain a description of each supervisory and
management position, including responsibilities and how lines of authority extend up to facility and
corporate management.
I.1.4.2. Security management and allocation of responsibilities
This section describes the specific physical protection responsibilities assigned to the facility’s
security organization.
I.1.4.3. Qualification requirements for security personnel
A description may be provided of the requirements for initial and continued suitability of individuals
who are assigned security duties and responsibilities. This section may also describe the process to
ensure that these personnel continue to be qualified to provide the required services. This section also
includes a description of the firearms qualification and requalification requirements for guards and
on-site response force members.
I.1.4.4. Security personnel training
This section describes the training programme for guard and on-site response forces. It also describes
how they demonstrate their ability to carry out their assigned duties or responsibilities. For tactical
response forces a description of the training programme in response tactics may be included.
I.1.4.5. Guards/response force armament and equipment
This section describes the armaments assigned to members of the guards and on-site response force,
by position title. Other equipment available to the guards and response forces in order to provide
effective response capabilities may be described.
I.1.5. Information management
This section defines the measures that are taken to maintain the confidentiality, integrity and
availability of sensitive information. Information management procedures also need to describe how
the distribution of sensitive information is limited to appropriate individuals, whose trustworthiness
has been appropriately determined, on a need-to-know basis. Controls applied to sensitive information
may include records of its receipt, location, despatch and destruction.
I.1.5.1. Computer security management
This section describes the access control procedures, protocols and physical security arrangements in
place to ensure the confidentiality of sensitive information held on computers and computer-based
systems, as well as the integrity and availability of instrumentation and control systems.
I.2. DEFINING THE PPS
I.2.1. Objectives and requirements of the PPS
This section describes the objectives for protection of the different types of target, grouped according
to their level of sensitivity.
I.2.2. Target identification
This section lists the potential theft or sabotage targets and their location. It also lists the computer
systems important to physical protection, safety and NMAC, the compromise of which could help
facilitate a malicious act.
I.2.3. Threat definition
This section describes, in broad terms, the types of threat the PPS is designed to protect against and
references the threat assessment/DBT defined by the State.
I.2.4. Law enforcement liaison
Details may be provided of how routine liaison is maintained with law enforcement agencies in order
to help ensure early warning of potential security events.
I.3. PHYSICAL PROTECTION SYSTEM
This section is a description of the PPS at the facility.
I.3.1. Detailed description of the PPS
A facility map indicating the layer boundaries and protection measures such as personnel/vehicle
control points may be provided. The description of the protection measures needs to be provided for
each of the protective layers as described below.
Security areas/layers. This section identifies the physical protection areas (or layers) that exist at the
facility.
Access control. A description of the control and search of personnel, vehicles and material at each
access control point needs to be provided. This can also describe how access authorization and access
control systems will accommodate the rapid entry and exit of authorized individuals and vehicles
during emergencies or in situations that could lead to emergencies. Attention may be given to the
control of all keys, locks, combinations, passwords and related devices used to control access to
limited access areas, protected areas, inner areas, vital areas and physical protection equipment.
Physical barriers. This section describes the barriers in different security areas within the facility
(e.g., buildings, topography, fences, walls and doors). It may also contain a description of the vehicle
barriers, their placement and operation.
Detection and surveillance. This section describes the detection system and how alarms are
communicated to the CAS and assessed. It may also describe procedures to address situations in
which there are indications of tampering. It describes the methods to continuously survey, observe
and monitor facility areas to detect intruders and to ensure the integrity of physical barriers or other
components and functions of the PPS.
Lighting. This section describes how the operator maintains the minimum illumination levels for
selected applications, such as assessment following an alarm.
Communications. The communications capabilities for the guards and on-site response forces need to
be described, as well as the communications between the CAS and guard and response forces. This
section describes how a continuous communications capability is maintained to ensure effective
command and control with on-site and off-site response forces during both normal and emergency
situations. If there are areas of the facility where communication is limited, these need to be
identified.
CAS. This section describes the location of the CAS and any backup monitoring stations. It also
describes the CAS alarm communication and display systems, communications equipment, access
control arrangements and how the CAS is protected against attack.
I.3.2. Insider threat mitigation programme
This section should describe measures to protect against the insider threat.
I.3.3. Transport of nuclear material
This section describes the procedures for the on-site transport of different categories of nuclear
material, as well as the arrangements made on-site for the receipt and despatch of nuclear material to
and from the facility.
I.3.4. PPS testing, evaluation and maintenance
This section identifies the procedures for evaluating and testing the PPS.
I.3.4.1. Types of testing and evaluation
This section describes the testing and evaluation programmes that exist and how they are used to
assess the effectiveness of the facility PPS.
I.3.4.2. Frequency of testing and evaluation
Details need to be provided of the frequency with which the testing and evaluation programmes are
implemented.
I.3.4.3. Maintenance
This section describes the maintenance and calibration programmes for all physical protection
equipment.
I.3.4.4. Expansion and upgrade
This section is available to describe any schedule foreseen for implementing physical protection
measures related to new construction or significant physical modification of existing structures or
installation of equipment.
I.3.5. Compensatory measures
This section identifies all compensatory physical protection measures applied when physical
protection barriers become degraded or equipment becomes inoperable, including during routine
testing or maintenance. In particular, the provision of standby power to all types of physical
protection equipment needs to be described.
I.4. RESPONSE PLANNING
I.4.1. Organization and responsibilities
This section provides details of the organization and responsibilities of the facility and off-site
response forces to maintain an effective response strategy for the various targets at the facility.
I.4.2. Security forces
This section provides an overview of the response forces available to deliver a coordinated response
strategy.
I.4.2.1. Guards
This section describes the number, location and duties of the guard force, including details of their
weapons, equipment and transport.
I.4.2.2. On-site response force
This section describes the on-site response force capacity and capability to respond to nuclear security
events in a timely manner, where such a force is employed.
I.4.2.3. Off-site response force
This section describes off-site response force capacity and capability to respond to nuclear security
events, including estimated response times. The process of documenting and maintaining agreements
for providing off-site response may be included.
I.4.2.4. CAS staffing
This section describes the minimum number, duties, responsibilities and rotation schedule of staff
employed in the CAS.
I.4.3. Contingency plans
This section lists the contingency plans for nuclear security events and for other events that may need
a physical protection response. It identifies specific people and/or positions that have the responsibility
and authority to carry out contingency plans should a nuclear security event occur. It details how and
when contingency plans are reviewed and exercised.
The list below suggests examples of these different types of contingency plan, and scenarios that may
be considered and addressed therein:
— Locate and recover missing nuclear material (including emergency inventory taking);
— Minimize and mitigate radiological consequences of sabotage;
— Discovery of an insider threat;
— Unauthorized intrusion into a nuclear facility;
— External threats, e.g. bomb warning;
— Stand-off attack;
— Airborne attack;
— Waterborne attack;
— Cyber-attack; and
— Compromise of sensitive information.
As each plan will contain sensitive information, it needs to be appropriately marked to indicate the
level of protection required. An example of a contingency plan is attached as an Annex to this
Appendix.
I.4.3.1. Incident communications command and control
The security plan describes how effective command and control will be exercised in response to a
nuclear security event by the agencies involved, where the on-site and off-site incident command and
control centre will be located and the communications facilities available at these locations.
I.4.3.2. Response to higher threat conditions
A list should be provided of the pre-planned enhancements to physical protection procedures that will
be put in place in the event of any increase in the overall level of threat within the State.
I.5. POLICIES AND OPERATIONAL PROCEDURES
This section lists the documented policies and operational procedures that govern physical protection
at the facility, including procedures for interfacing with systems that complement the PPS, such as the
safety and the NMAC systems.
I.5.1. Review, evaluation, audit and update of the security plan
Details need to be provided of the procedures and review processes (including their frequency)
employed to ensure that the security plan remains current, together with an assurance that all necessary
amendments to it will be submitted to the competent authority for approval prior to their implementation.
I.5.2. Reporting of threats or incidents
The procedure for facility employees and contractors to report specified occurrences to the facility’s
security organization, and for their onward reporting to the competent authority, as appropriate, is
described.
I.6. REFERENCES
I.7. ACRONYMS AND GLOSSARY
ANNEX: Example of Contingency Plan
OBJECTIVE
This section describes the objective of the particular contingency plan. The objective may be to
prepare for a further response or to reduce the consequence of the adversary’s actions.
INCIDENT RESPONSE PROCEDURES
Rules of engagement
This section includes the rules of engagement that define when, where and what sort of force is
authorized under the law.
Response procedures
This section describes how the response is organized and coordinated. It identifies those indicators
that will be used to signal the initiation of a response under this contingency plan. The section may
include:
— All predetermined actions, areas of responsibility and timelines for the deployment of the
response force for theft and sabotage scenarios;
— Procedures that limit the exposure of the response personnel to possible attack;
— Timelines to be used for notifying the off-site response force; and
— The minimum number of responders.
Recapture and recovery
This section states how the response is organized when the adversary has left the facility in a theft
scenario. It includes the protocols used to coordinate the different response teams, the chain of
command and any change in responsibilities.
Minimize and mitigate
This section states how the physical protection response is organized to help emergency responders
minimize and mitigate the consequences of a sabotage attack.
Command, control and communication
This section describes the arrangements as documented in protocols agreed with external response
organizations. It details which agency has the operational lead and the circumstances in which this
lead may be handed over to another agency. Details are provided of all communication links to be
used and the location of the incident control centres that may be used at different stages of the event,
taking into account prevailing circumstances and their strategic/tactical responsibilities.
EXERCISING THE CONTINGENCY PLAN
This section describes the type and frequency of exercises undertaken to test and practise
implementation of the contingency plan. This includes joint exercises with those to test and practise
implementation of the emergency plan, to test coordination between these plans. It also describes how
lessons learnt from these exercises are captured and used to further refine the contingency plan.
APPENDIX II. THE ADDITION OF NUCLEAR MATERIAL OR AGGREGATION
APPROACH 1
This example illustrates one way in which Table 1 in the main text may be used to categorize
aggregated nuclear material. Nuclear materials located in the same facility should be classified as:
Category I if:
( )
Category II if:
( )
( )
( )
Category III if:
( )
( )
( )
( )
( )
Below Category III if:
( )
( )
( )
or if the material consists only of U(natural) or U(depleted) or thorium.
In the above:
Pu is the mass (g) of all Pu except that with isotopic composition exceeding 80% in ²³⁸Pu.
²³³U is the mass (g) of ²³³U.
²³⁵U(≥20%) is the mass (g) of ²³⁵U present in uranium enriched to 20% ²³⁵U or more.
²³⁵U(≥10% and <20%) is the mass (g) of ²³⁵U present in uranium enriched to 10% ²³⁵U or more
but less than 20% ²³⁵U.
( ) is the mass (g) of ²³⁵U present in uranium enriched above natural
but less than 10% ²³⁵U.
These formulas relate to material that is not irradiated in a reactor or material irradiated in a reactor but
with a radiation level equal to or less than 1 Gy/h (100 rad/h) at 1 m unshielded.
APPROACH 2
Another approach using Table 1 for determining the category of aggregated nuclear material uses the
following formula:
1/S = ∑ (fi / Si)
Where:
fi (dimensionless) is the mass fraction of material type i of the mixture (mass of each material
type present divided by the total mass of material present).
Si (kg or g) is the mass threshold for material type i for the category being considered.
S (kg or g) is the mass threshold for the aggregation of material for the category being
considered.
The following are the mass thresholds for Category I:
— 2 kg of plutonium, all isotopes combined;
— 5 kg of uranium 235, of uranium enriched to 20% uranium 235 or more;
— 2 kg of uranium 233 isotope.
The following are the mass thresholds for Category II:
— 500 g of plutonium, all isotopes combined;
— 1 kg of the isotope 235, of uranium enriched to 20% uranium 235 or more;
— 10 kg of the isotope 235, of uranium enriched to 10% or more and less than 20% uranium 235;
— 500 g of uranium-233 isotope.
The following quantities are the mass thresholds for Category III:
— 15 g of plutonium, all isotopes combined;
— 15 g of the isotope 235, of uranium enriched to 20% uranium 235 or more;
— 1 kg of the isotope 235, of uranium enriched to 10% or more and less than 20% uranium 235;
— 10 kg of the isotope 235, of uranium enriched to less than 10% uranium 235;
— 15 g of uranium-233 isotope.
All plutonium isotopes and material are considered except that with isotopic concentration exceeding
80% in plutonium-238.
These thresholds relate to material that is not irradiated in a reactor or material irradiated in a reactor
but with a radiation level equal to or less than 1 Gy/h (100 rad/h) at 1 m unshielded.
To determine the applicable category, first determine (step 1) whether the aggregated material is
Category I:
A material, or a mixture of materials, is Category I if the aggregated mass is greater than or
equal to the Category I mass threshold calculated for the material or mixture. If it is not
Category I, proceed to step 2.
If the aggregated material is not Category I, determine (step 2) whether it is Category II:
A material, or a mixture of materials, is in Category II if the aggregated mass is greater than or
equal to the Category II mass threshold calculated for the material or mixture. If it is not
Category II, proceed to step 3.
If the aggregated material is not Category I or II, determine (step 3) whether it is Category III:
A material, or a mixture of materials, is in Category III if the aggregated mass is greater than
or equal to the Category III mass threshold calculated for the material or mixture.
If the mass of the material or mixture of materials falls below the Category III mass threshold, it is
“less than Category III”.
Example 1:
There is 5 kg of material consisting of 4 kg of uranium enriched to greater than 20% and 1 kg of
plutonium. The mass fraction of uranium enriched to greater than 20% is 4/5 and for plutonium is 1/5.
Step 1
The Category I mass threshold for this material is:
1/S = (4/5) / SU235 + (1/5) / SPu = (4/5) / 5 kg + (1/5) / 2 kg
Then S = 3.85 kg
Since the mass of the material (5 kg) is greater than S (3.85 kg), it is above the threshold for
Category I for this mixture and the material is a Category I quantity.
Example 2:
There is 3 kg of material consisting of 2.5 kg of uranium enriched to greater than 20% and 500 g of
plutonium. The mass fraction of uranium enriched to greater than 20% is 2.5/3 (or 5/6) and for
plutonium is 0.5/3 (or 1/6).
Step 1
The Category I mass threshold for this material is:
1/S = (5/6) / SU235 + (1/6) / SPu = (5/6) / 5 kg + (1/6) / 2 kg
Then S = 4 kg
The total mass is 3 kg which is below the mass threshold for the mixture for Category I.
Step 2
The Category II mass threshold for this material is:
1/S = (5/6) / SU235 + (1/6) / SPu = (5/6) / 1 kg + (1/6) / 0.5 kg
Then S = 0.86 kg
The total mass is 3 kg which is above the mass threshold for the mixture for Category II.
Therefore, the mixture is a Category II quantity.
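The Approach 2 procedure (steps 1 to 3) and the two worked examples above, as an added Python example that is not part of the IAEA draft. The material-type labels and function names are made up here, masses are entered per material type in kg the way the worked examples enter them, and treating a material type with no threshold listed for a category as adding nothing to the sum is an assumption.

```python
import math

# Mass thresholds in kg per category, copied from the lists in this appendix.
# The dictionary keys are labels made up for this example.
THRESHOLDS_KG = {
    "I": {"Pu": 2.0, "U235_ge20": 5.0, "U233": 2.0},
    "II": {"Pu": 0.5, "U235_ge20": 1.0, "U235_10to20": 10.0, "U233": 0.5},
    "III": {"Pu": 0.015, "U235_ge20": 0.015, "U235_10to20": 1.0,
            "U235_lt10": 10.0, "U233": 0.015},
}
KNOWN_TYPES = set(THRESHOLDS_KG["III"])


def _validate(masses_kg):
    """Reject unknown material labels and negative or non-finite masses."""
    for material, mass in masses_kg.items():
        if material not in KNOWN_TYPES:
            raise ValueError(f"unknown material type: {material!r}")
        if not math.isfinite(mass) or mass < 0:
            raise ValueError(f"invalid mass for {material}: {mass!r}")


def threshold_ratio(masses_kg, category):
    """Return M/S = sum(m_i / S_i); the mixture meets the category when >= 1.

    Assumption: a material type with no threshold listed for the category
    adds nothing to the sum (it is treated as having an infinite S_i).
    """
    _validate(masses_kg)
    limits = THRESHOLDS_KG[category]
    return sum(m / limits[t] for t, m in masses_kg.items() if t in limits)


def mixture_threshold(masses_kg, category):
    """Return S in kg from 1/S = sum(f_i / S_i), with f_i = m_i / M."""
    total = sum(masses_kg.values())
    ratio = threshold_ratio(masses_kg, category)
    if total == 0 or ratio == 0:
        return math.inf  # nothing in the mixture counts towards this category
    return total / ratio


def categorize(masses_kg):
    """Apply steps 1 to 3 in order; return 'I', 'II', 'III' or 'less than III'."""
    for category in ("I", "II", "III"):
        # M >= S is the same test as sum(m_i / S_i) >= 1, without rounding S.
        if threshold_ratio(masses_kg, category) >= 1.0:
            return category
    return "less than III"


# The two worked examples from the text, in kg.
EXAMPLE_1 = {"U235_ge20": 4.0, "Pu": 1.0}
EXAMPLE_2 = {"U235_ge20": 2.5, "Pu": 0.5}
# Constructed mixture: neither component alone reaches a Category III threshold.
CONSTRUCTED_MIX = {"U235_lt10": 5.0, "Pu": 0.010}

if __name__ == "__main__":
    for name, mix in (("Example 1", EXAMPLE_1), ("Example 2", EXAMPLE_2),
                      ("Constructed mix", CONSTRUCTED_MIX)):
        s_values = ", ".join(
            f"S({c}) = {mixture_threshold(mix, c):.2f} kg" for c in ("I", "II", "III"))
        print(f"{name}: {s_values} -> category {categorize(mix)}")
```

The constructed mixture shows why aggregation matters: 5 kg of the low-enriched type and 10 g of plutonium are each below their own Category III threshold, yet together they reach Category III.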
APPENDIX III. CROSS REFERENCES TO RECOMMENDATIONS [1]
This reference table provides cross references between the paragraphs in Ref. [1] and the related
paragraphs in this publication.

| Paragraph in Recommendations [1] | Related section in this Guide |
| --- | --- |
| INTRODUCTION | 1 |
| Background (1.1–1.8) | |
| Purpose (1.9–1.11) | |
| Scope (1.12–1.18) | |
| Structure (1.19–1.24) | |
| OBJECTIVES OF A STATE’S PHYSICAL PROTECTION REGIME (2.1–2.3) | 2 |
| ELEMENTS OF A STATE’S PHYSICAL PROTECTION REGIME FOR NUCLEAR MATERIAL AND NUCLEAR FACILITIES | |
| State responsibility (3.1–3.2) | 3.1 |
| International transport (3.3–3.7) | Covered in Ref. [2] |
| Assignment of physical protection responsibilities (3.8) | 3.2 |
| Legislative and regulatory framework (3.9–3.17) | 3.3 |
| Competent authority (3.18–3.22) | 3.3.2 |
| Responsibilities of the licence holders (3.23–3.30) | 3.3.2, 4.3, 4.14 |
| International cooperation and assistance (3.31–3.33) | 3.4 |
| Identification and assessment of threats (3.34–3.40) | 3.5 |
| Risk management (3.41–3.42) | 3.6 |
| Graded approach (3.43–3.44) | 3.6.1, 3.6.2, 3.6.3 |
| Defence in depth (3.45–3.47) | 3.6.4 |
| Security culture (3.48–3.51) | 3.7.1 |
| Quality assurance (3.52) | 3.7.2 |
| Confidentiality (3.53–3.55) | 3.7.3 |
| Sustainability programme (3.56–3.57) | 3.7.4 |
| Planning and preparedness for and response to nuclear security events (3.58–3.62) | 3.8 |
| REQUIREMENTS FOR MEASURES AGAINST UNAUTHORIZED REMOVAL OF NUCLEAR MATERIAL IN USE AND STORAGE | 4.1, 4.2, 4.4, 4.5, 4.7, 4.10, 4.11, 4.13 |
| Basis for concern (4.1–4.4) | |
| Categorization (4.5–4.8) | 3.6.2 |
| Requirements for physical protection against unauthorized removal in use and storage | |
| General (4.9–4.12) | 4.9, 4.11, 4.12 |
| Requirements for Categories I, II and III nuclear material (4.13–4.20) | 4.5, 4.9 |
| Requirements for Categories I and II nuclear material (4.21–4.35) | 4.5, 4.9 |
| Requirements for Category I nuclear material (4.36–4.49) | 4.5, 4.9 |
| Requirements for measures to locate and recover missing or stolen nuclear material | 4.7 |
| Requirements for the State (4.50–4.56) | |
| Requirements for the operator (4.57–4.63) | |
| REQUIREMENTS FOR MEASURES AGAINST SABOTAGE OF NUCLEAR FACILITIES AND NUCLEAR MATERIAL IN USE AND STORAGE | 4.1, 4.2, 4.4, 4.5, 4.8, 4.11, 4.12, 4.14 |
| General (5.1–5.3) | |
| Basis for a graded approach for physical protection against sabotage (5.4–5.8) | Embedded throughout |
| Requirements for the process to design a physical protection system against sabotage (5.9–5.19) | 4.12, 4.13 |
| Requirements for physical protection against sabotage at nuclear facilities | 4.5, 4.9 |
| Requirements for high consequence facilities including nuclear power plants (5.20–5.42) | 4.5, 4.9 |
| Requirements for other nuclear facilities and nuclear material (5.43) | |
| Requirements for associated measures to mitigate or minimize the radiological consequences of sabotage | 4.8 |
| Scope and boundary (5.44) | |
| Requirements for the State (5.45–5.53) | |
| Requirements for the operator (5.54–5.58) | |
REFERENCES
[1] INTERNATIONAL ATOMIC ENERGY AGENCY, Nuclear Security Recommendations on Physical Protection of Nuclear Material and Nuclear Facilities, IAEA Nuclear Security Series No. 13, Vienna (2011).
[2] INTERNATIONAL ATOMIC ENERGY AGENCY, Security of Nuclear Material in Transport, Implementing Guide in preparation (NST 017).
[3] INTERNATIONAL ATOMIC ENERGY AGENCY, Nuclear Security Recommendations on Radioactive Material and Associated Facilities, IAEA Nuclear Security Series No. 14, Vienna (2011).
[4] INTERNATIONAL ATOMIC ENERGY AGENCY, Objective and Essential Elements of a State’s Nuclear Security Regime, Nuclear Security Fundamentals, IAEA Nuclear Security Series No. 20, Vienna (2013).
[5] INTERNATIONAL ATOMIC ENERGY AGENCY, Establishing the Nuclear Security Infrastructure for a Nuclear Power Programme, IAEA Nuclear Security Series No. 19, Vienna (2013).
[6] INTERNATIONAL ATOMIC ENERGY AGENCY, Computer Security at Nuclear Facilities, IAEA Nuclear Security Series No. 17, Vienna (2012).
[7] INTERNATIONAL ATOMIC ENERGY AGENCY, Nuclear Security Recommendations on Nuclear and Other Radioactive Material out of Regulatory Control, IAEA Nuclear Security Series No. 15, Vienna (2011).
[8] INTERNATIONAL ATOMIC ENERGY AGENCY, Development, Use, and Maintenance of the Design Basis Threat, IAEA Nuclear Security Series No. 10, Vienna (2009).
[9] INTERNATIONAL ATOMIC ENERGY AGENCY, Preventive and Protective Measures Against Insider Threats, IAEA Nuclear Security Series No. 8, Vienna (2008).
[10] INTERNATIONAL ATOMIC ENERGY AGENCY, Arrangements for Preparedness for a Nuclear or Radiological Emergency, Safety Guide, IAEA Safety Standards Series No. GS-G-2.1, Vienna (2007).
[11] INTERNATIONAL ATOMIC ENERGY AGENCY, Identification of Vital Areas at Nuclear Facilities, IAEA Nuclear Security Series No. 16, Vienna (2012).
[12] INTERNATIONAL ATOMIC ENERGY AGENCY, Engineering Safety Aspects of the Protection of Nuclear Power Plants, IAEA Nuclear Security Series No. 4, Vienna (2007).
[13] INTERNATIONAL ATOMIC ENERGY AGENCY, Nuclear Security Culture, IAEA Nuclear Security Series No. 7, Vienna (2008).
[14] INTERNATIONAL ATOMIC ENERGY AGENCY, Security of Nuclear Information, Implementing Guide in preparation (NST022).
[15] INTERNATIONAL ATOMIC ENERGY AGENCY, Sustaining a Nuclear Security Regime, Implementing Guide in preparation (NST020).
[16] INTERNATIONAL ATOMIC ENERGY AGENCY, Preparedness and Response for a Nuclear or Radiological Emergency, Safety Requirements in preparation (DS457).
[17] INTERNATIONAL ATOMIC ENERGY AGENCY, Handbook on the Physical Protection of Nuclear Materials and Facilities, IAEA TECDOC-1276, Vienna (2002).
[18] INTERNATIONAL ATOMIC ENERGY AGENCY, Use of Nuclear Material Accounting and Control for Nuclear Security Purposes at Facilities, Implementing Guide in preparation (NST021).