Priorities for nuclear security

THE WORLD INSTITUTE FOR NUCLEAR Security was formed in 2008 to address what the International Atomic Energy Agency (IAEA) Director General described as “an urgent gap” in the international nuclear security regime because there was no international forum for operators and other practitioners to discuss nuclear security concerns and potential risk reduction and mitigation strategies.

Almost ten years later, and with over 4200 members in 120 countries, WINS has exceeded the expectations of its founders and become that international forum. It has collaborated with its members to develop 36 best practice guides on nuclear (and radiological) security management that are based on over 80 international workshops and other events, and launched a certified professional development programme known as the WINS Academy. The WINS Academy currently has over 1000 participants enrolled from over 80 countries and is growing rapidly.

“Nuclear security continues to be a major concern of the international nuclear community, including the IAEA, its Member States and nuclear operators, but we are noticing a significant shift in priorities,” says Dr Roger Howsley, WINS executive director. He believes it is now beginning to be understood that nuclear security cannot be effectively managed as a stand-alone discipline, behind closed doors and focused primarily on traditional concepts of physical protection and the classification of sensitive documents.

“For years, security and safety have been seen as separate disciplines and managed in isolation from one another, with an unhealthy and unprofessional competition between the two. We have always argued against that situation. We believe that security has to be part of an integrated risk management framework and managed as such. In our opinion, security should be viewed as an extension of nuclear safety, recognising that there are important differences – however these differences do not in any way justify the security management arrangements being isolated.”

In WINS’ experience, the top issues facing the nuclear sector (and where radioactive sources are used in other industries) are:

• Cybersecurity and the potential for cyberattacks to cause major disruption to industrial control systems;
• Insider threats and the growth in violent extremism around the world;
• The interfaces between safety and security management – and how to integrate emergency planning and response arrangements into incident management and address the issues of command and control;
• The increasing costs of security at a time of financial pressures on the sector as well as the lack of performance metrics that assess whether security expenditure is effective;
• The security of radioactive sources used in medical, industrial and agricultural applications;
• The professional competence of security practitioners to help manage the complex technical and organisational issues facing the industry.

Howsley notes: “There isn’t one of these issues that can be managed by the security department on its own, and the security staff typically do not have the necessary knowledge or expertise to deal with the protection of, for example, complex industrial control systems. The only solution is cross-functional teamwork, trust, professional competence, and a clear understanding that security is a line management responsibility. No-one thinks that nuclear safety is the responsibility of the safety department, so why should they think any differently for nuclear security?”

The IAEA and national regulators are beginning to stress the importance of having integrated security plans – particularly in relation to cybersecurity and physical protection – but WINS thinks this is easier said than done: “It isn’t going to happen just because it’s a recommendation; it needs serious attention from senior management to reorganise departments, redefine responsibility, identify meaningful performance metrics and hold people to account. Only the very best nuclear companies are giving these issues the attention they deserve and it will take years or a major incident to compel the completion of that integration.”

WINS believes that years of isolation of security departments is the root cause of almost all of the potential security vulnerabilities.

“We see the same thing in relation to the command and control issues that would likely occur if there needed to be a major off-site armed response to an incident; who would be accountable for nuclear safety and how would that accountability be exercised on a nuclear site? Why does the industry and the World Association of Nuclear Operators (WANO) continue to focus on the governance and corporate oversight of nuclear safety and operations when there is an urgent need to integrate security into these oversight activities? How can anyone ever conclude that nuclear operations are safe unless the security arrangements are also assessed as effective? We need the same level of corporate peer review for security as has existed for years for nuclear safety and operations, and the same is true for radioactive sources used in the medical sector.”

WINS is working to promote a better understanding of these issues and how they can be addressed. But what other factors might encourage the industry to take more effective action?

“Security is getting ever more expensive and needs to add value to the organisation, not just be a constant drain on resources. We need to replace bureaucracy with smart technology and utilise the potential of big data and data analytics, to focus on security-by-design, not security-as-an-afterthought.

“There are so many opportunities for performance enhancement and cost reductions. Typically, nuclear operators spend more than 80% of their security budgets on security guards. The job of security guards is principally to identify, observe and report – automatic systems can do that at a fraction of the cost and remotely operated weapons systems, where they are deemed necessary, are being increasing considered. We need the full, professional engagement of the engineering and technical community to help find innovative and cost-effective solutions to security, as they will have to do for the advanced reactor technologies of the future.”

WINS launched a major research project last year to benchmark the nuclear and aviation sectors to see what can be learned from aviation.

“We have many of the same potential vulnerabilities but some obvious differences. Aviation has to handle millions of passengers going through airports each year and nuclear sites don’t. What that means is that aviation security has to be smart and fast in order to validate a person’s identity and rapidly identify the potential threats from terrorists. It is challenging work and only has any chance of success if it is fully integrated into the airports’ operations. That is one of the things we hope to better understand from the research project.

“Other areas of common interest are cybersecurity and the rapid and effective screening of materials and personnel that enter airports and nuclear facilities. And of course, many airports have the same issues as nuclear facilities associated with threat assessments, communicating threat information, multi-agency coordination and response, professional training requirements and certification, etc. We believe our research will lead to important changes in both sectors.

“One key difference between the aviation and nuclear sectors that we already know exists is the comparative approach to professional training and certification for security management. The aviation sector, largely in response to acts of terrorism, has introduced certified training courses and professional requirements for security managers, which are endorsed and promoted by the International Civil Aviation Organization (ICAO). By contrast, the IAEA is still at an early stage, spending its funding on awareness courses, in the belief that it is up to IAEA Member States to decide on professional requirements for security training. In our opinion this situation would change overnight if there were to be a serious nuclear security incident. However, it is just such a waste of resources and indicative of a poor, reactive attitude to wait for that to happen.”

WINS believes that training to professional, certified standards is at the heart of everything that needs to be done. Teaching the right things, promoting integration and governance, encouraging outcome-focused regulation, establishing leading performance metrics for security that can demonstrate resilience, promoting diversity in the workplace; these are the things that matter most.

And, on the subject of diversity and inclusion in the nuclear sector, WINS is at the forefront of promoting much more effective engagement with professionals with different backgrounds and with women, who are significantly under-represented in the nuclear security workforce.

“Diversity is the key to understanding the evolving security threats and how best to mitigate them; we need innovative thinking and to listen to people that have different perspectives. We need to enrich the security profession with scientists and engineers, with psychologists and social scientists, with economists and designers. We need to get the average age of professionals down to under 35 and stop security from being perceived as a comfortable second career for certain groups of people. And we need to address the gender imbalance; not because it’s politically correct or fashionable but because diversity has been proven to lead to more successful organisations.”