Chapter3 Nuclear Security1 Introduction: Overall Trends in Nuclear Security in 2019
Chapter3
Nuclear Security1
Introduction: Overall Trends in Nuclear Security in 2019
Nuclear materials and other radioactive materials must not fall into the hands of malicious non-state actors such as international terrorists. If that happens, the efforts to manage nuclear material will not come to an end. Therefore, it can be pointed out that an ideal international nuclear security architecture is a system in which all countries can implement high standards of nuclear security at their own risk and maintain them for as long as they can see. With regard to the former, it was international forums for nuclear security that actually played a major role in achieving high-level political attendance, attracting media attention, and raising awareness at the policy level. Specific examples include the four nuclear security summits held during the Obama administration, and the International Conference on Nuclear Security (ICONS) held by the International Atomic Energy Agency (IAEA) every three years. On the other hand, it is hoped that clues for the realization of the latter will be found through the development of a nuclear security culture that the international community is now working on, the implementation of regular peer reviews such as through the International Physical Protection Advisory Service (IPPAS) by the IAEA, and involvement of nuclear security as a nation, which is institutionalized based on the participation of the Nuclear Security- Related Convention.
In this relationship, it can be pointed out that there is a sense of caution regarding nuclear terrorism, which is being raised internationally over cases directly related to nuclear security. Fortunately, so far, there have been no serious incidents that involve nuclear explosions of the types of nuclear terrorism indicated by the IAEA. However, there have been major media-covered nuclear security incidents, such as the attempted nuclear terrorism involving an Islamic State (IS) sympathizer, which was discovered in Belgium in 2016. When such an incident occurs even once, it is a fact that the rise of the level of nuclear security tends to raise the policy priority as an important issue for maintenance of public order, safe community, and national security. As long as nuclear power is used and nuclear materials and other radioactive materials are physically present, the famous warning that nuclear terrorism is a matter of when it will happen not if it happen will not fade. There is a constant need to consider how each country should make nuclear security sustainable and what an international nuclear security architecture should exist to support this.
In 2019, the number of individual efforts to strengthen nuclear security in each country and the dissemination of information at international conferences regarding the results of these efforts tended to decline. The reason for this is still unclear. This is perhaps because the legal base for nuclear security has already been fully established, and under the guidance of regulators in each country, individual efforts to implement the highest level of nuclear security have progressed. Alternatively, it might be because the degree of interest and priority to nuclear security has decreased, so that even the necessity of external information dissemination is not dared to be questioned. With the holding of the ICONS in February 2020 and the first review conference of the Amendment to the Convention on the Physical Protection of Nuclear Material (CPPNM/A) scheduled for 2021, it is highly expected that actual situations in which nuclear security in each country has been improved sustainably and positively will be disclosed. In particular, at the review conference on the CPPNM/A, there is also a debate2 that the conference itself should be used in the context of strengthening a global nuclear security architecture, rather than focusing solely on the implementation of the treaty amendment. In addition, expectations for the role of the IAEA are high. For example, at the 63rd IAEA General Meeting in 2019, Belgium and Norway expressed their expectation for the role of the IAEA toward the success of the CPPNM/A Operational Review Conference.3 The Netherlands mentioned the IAEA is providing the necessary assistance toward implementing nuclear security measures of member states.4
The Role of the IAEA in Building a Nuclear Security Architecture
It has been a long time since various aspects of the debate that nuclear security architecture should be built from the viewpoint of strengthening the level of global nuclear security were pointed out. Therefore, it can be seen that expectations regarding the role of the IAEA have tended to gradually increase from the statements of each country at the IAEA General Conferences. Expectations for the expanding role of the IAEA include important recommendations for the protection of nuclear materials and nuclear facilities, as well as the development of relevant guidelines. In addition to these, cooperation to minimize the use of Highly Enriched Uranium (HEU) and plutonium, technical support including the prevention of illicit transfers, nuclear forensics, capacity building support, human resource development, and the implementation of an international advisory mission (peer review) that directly leads to the proper implementation of nuclear security- related measures in each country are expected. In recent years, the IAEA has accumulated a number of achievements in nuclear security cooperation at large- scale events around the world, and in January 2019 the IAEA was involved in hosting World Youth Day for young Catholics in Panama.5 In October, the IAEA, together with Japan, held a nuclear security tabletop exercise for the 2020 Tokyo Olympics and Paralympics Chile, which was to host the APEC Leadership Summit and COP25 at the end of 2019, also announced that it has obtained the support of the IAEA in nuclear security and radioactivity detection.7
Regarding the IAEA’s various meetings related to nuclear security, some of them will be referred to individually in the section “(3) Efforts to Maintain and Improve the Highest Standards of Nuclear Security” later regarding this topic. Other key nuclear security-related meetings in 2019 were as follows. The IAEA Technical Meeting on Computer Security Approaches and Applications in Nuclear Security was held in Berlin, Germany in September.8 The International Nuclear Safety Group (INSAG) Forum was held in Vienna on the same month to discuss the development status and issues of safety and security interface with the IAEA.9
In 2019, a technical guidance titled Developing a Nuclear Security Contingency Plan for Nuclear Facilities was published by the IAEA.10 The guidance summarizes the developing and maintenance of emergency plans and assumes malicious activity, particularly as armed attacks, detection of unauthorized intrusion and insider threat, suspicion and detection of unauthorized removal of nuclear or other radioactive materials, and loss of power for physical protection systems. It covers various factors such as response planning, response force in the field and its rules of engagement, recapture and recovery, command, control, and communication. The technical guidance “Self-assessment of Nuclear Security Culture in Facilities and Activities” was also published in 2019. In this guidance, the IAEA model of nuclear security culture, the benefits of self-assessment of fostering nuclear security culture, and performance indicators for such self-assessment were presented.11
Emerging New Threats to Nuclear Security
The structure where new threats emerge as technology advances also applies to the field of nuclear security. In recent years, these threats, which are frequently addressed at IAEA and other international nuclear security relevant conferences, include internal threats, sabotage using drones, and cyber-attacks (computer security).
Fundamentally, strict measures for safety and security are required for nuclear facilities. However, there have been multiple reports of internal threat cases in many parts of the world. Some examples follow. In 1982, at the Koeberg nuclear power plant in South Africa, an insider detonated four bombs on the site as an apartheid opposition movement.12
In 2012, internal sabotage of a diesel generator occurred at the San Onofre Nuclear Generating Station in the United States.13 In 2014, at the Doel nuclear power plant in Belgium, a nuclear reactor was shut down as a result of the improper discharge of turbine lubricants by unsatisfied insiders. Thus, historically there are some serious known internal threat cases.14 According to a Fortinet study, the most common motives of the presumed internal threats were fraud (55%), monetary gain (49%), IP theft (44%), sabotage (43%), espionage (33%), professional benefit (15%), and to cause reputation damage (8%).15 In recent year, various discussions have been held to find countermeasures to address these internal threats. “Combating Conspiracy about Nuclear Terrorism” published by Kennedy School Belfer Center for Science and International Affairs in 2019 is suggestive. According to the report, it was pointed out that cases that occur should be made public, lessons should be exchanged regularly between the government and the business operator, creative and realistic vulnerability assessment and inspection should be carried out, and the reality of the occurrence of nuclear terrorism should be shared with the intelligence agencies of each country.16 An important point to mention here is that insiders may also be involved in the following drones and cyberattacks.
As for drone threats, an oil facility of Saudi Arabia’s state-owned company Aramco was attacked by military drones in September 2019.17 Of course, drones vary in size, flying abilities, and armament, making it difficult to discuss them as a rising threat. The incident revealed that terrorists could also utilize a similar tactic to severely damage critical infrastructure. Yemen’s Houthis group issued a statement claiming responsibility for the attack.18 However, given the precision of the attack and the multiple number of drones and cruise missiles employed, Iran was widely assumed to have been responsible.19 The Houthis group also has previously issued a statement that it had attacked the UAE’s nuclear power plant with cruise missiles in December 2017. On the other hand, the UAE officials denied that such an attack had taken place.20 The threat of drones to nuclear power plants has already been reported in July 2018 in the case of drone intrusion by Greenpeace, an environmental protection NGO, into the Bugey nuclear power plant in France. In response to the incident, Électricité de France (EDF) drew attention when it issued a statement that the drone was not a threat to the French nuclear power plant.21 In an unclassified summary published in October 2019, the U.S. Nuclear Regulatory Commission (NRC) expressed that nuclear power plants “do not have any risk-significant vulnerabilities that could be exploited” by drone attacks that would result in “radiological sabotage” or theft of special nuclear material, while the NRC said it would continue evaluating the impact of drone technologies. 22
However, although it was not an attack on a nuclear facility, there is something that cannot be ignored in the political impact of drone attacks on Saudi’s Aramco, and it is difficult to deny the possibility that technological advancements could benefit those who are carrying out terrorist attacks. On the other hand, there is a positive point that the spread of drone technology also brings advantage in strengthening nuclear security. For example, IAEA expert Charles Massey said that drones will promote the optimization of human resources in safety and security on nuclear power plants. Moreover, Massey pointed out that if system integration using sensors and so forth works well, it will be possible to respond quickly in the command post, even in an emergency situation.23
In the case of cyber threats, it became clear that a malware-used cyber-attack was carried out at the Koodankulam nuclear power plant of the Nuclear Power Corporation of India Limited (NPCIL), which attracted media attention internationally. In a cyber-attack on India’s largest nuclear power plant in September 2019, facility staff connected a malware-infected private computer to the isolated network of the plant. According to reports, the act resulted in allowing the attacker to enter the network.24 The method of operating a pivotal facility under an isolated network is commonly referred to as an “air gap.” However, it has been debated since the Stuxnet case against Iran25 that such an approach is not perfect against targeted cyberattacks. As an example of this argument, the Nuclear Threat Initiative (NTI) report “Outpacing Cyber Threats,”26 published in 2016 and attracting attention by revealing that 23 cyber-attacks have occurred in a quarter of a century at the world’s nuclear facilities, was highly suggestive. In general, it is said that the cyber-attack cases that have been reported are just “the tip of the iceberg” and far from the actual number of incidents, and it is also feared that parties affected by these cyber-attacks are reluctant to disclose the facts so as not to reveal their vulnerabilities.27 In the NTI report described earlier, the following four points were pointed out to address these threats: threats should be systematically addressed, proactive cyber measures should be implemented, the complexity of digital systems must be eliminated, and the most critical systems need to be converted entirely into non-digital systems. It was pointed out that the risk of being unable to quantitatively evaluate due to the complexity of the system should be conducted with a major transformational study, such as developing a system that is difficult to penetrate.28
In view of the factors mentioned above, this report surveys the following items to evaluate the implementation of nuclear security-related measures of each country. In order to assess the nuclear security risks of each country, this report considers: indicators of the presence of nuclear material that may be “attractive” for malicious intent, facilities that produce such material, and related activities. It also examines the accession status to nuclear security-related international conventions, the implementation status of existing nuclear security measures and proposals to enhance them, and official statements related to nuclear security approaches, in order to evaluate the nuclear security performance and status of each county.
1 This chapter was written by Ichimasa Sukeyuki.
2 Seebelowforanexample.JonathanHerbachandSamanthaPitts-Kiefer,“MoreWorktoDo:APathway for Future Progress on Strengthening Nuclear Security,” Arms Control Today, October 2015.
3 “Statement of Belgium,” 63rd IAEA General Conference, September 2019; “Statement of Norway,” 63rd IAEA General Conference, September 2019.
4 “Statement of the Netherlands,” 63rd IAEA General Conference, September 2019.
5 “Panama, with IAEA Support, Ensures Nuclear Security at World Youth Day,” IAEA, March 1, 2019, https://www.iaea.org/newscenter/news/panama-with-iaea-support-ensures-nuclear-security-at-world- youth-day.
6 “Statement of Japan,” 63rd IAEA General Conference, September 2019.
7 “Statement of Chile,” 63rd IAEA General Conference, September 2019.
8 “Computer Security: From Function to Protection,” IAEA, October 24, 2019, https://www.iaea.org/newscenter/news/computer-security-from-function-to-protection.
9 “INSAG Forum Discusses Safety-Security Interface Developments and Challenges,” IAEA, September 16, 2019, https://www.iaea.org/newscenter/news/insag-forum-discusses-safety-security-interface-deve lopments-and-challenges.
10 IAEA, “Nuclear Security Series No. 39-T Technical Guidance, Developing a Nuclear Security Contingency Plan for Nuclear Facilities,” 2019.
11 IAEA, “Nuclear Security Series No. 28-T Technical Guidance Self-assessment of Nuclear Security Culture in Facilities and Activities,” 2019.
12 “The Enduring Need to Protect Nuclear Material from Insider Threats,” CRDFGlobal,April26,2017, https://www.crdfglobal.org/insights/enduring-need-protect-nuclear-material-insider-threats.
13 Matthew Bunnand Scott D. Sagan, “A Worst Practices Guide to Insider Threats: Lessons from Past Mistakes,” American Academy of Arts and Sciences, 2014, https://www.amacad.org/sites/default/ files/publication/downloads/insiderThreats.pdf.
14 “The Enduring Need to Protect Nuclear Material from Insider Threats,” CRDF Global ,April 26,2017, https://www.crdfglobal.org/insights/enduring-need-protect-nuclear-material-insider-threats.
15 “2019 Insider Threat Report,” Fortinet, https://www.fortinet.com/content/dam/fortinet/assets/ threat-reports/insider-threat-report.pdf.
16 Matthew Bunn, Nickolas Roth and William H. Tobey, “Combating Complacency about Nuclear Terrorism,” Policy Brief, March 2019.
17 Newsweek Japanese Edition, September 17, 2019.
18 AFP BB News Japanese Edition, September 14, 2019.
19 BBC News Japan, September 16, 2019.
20 Sankei Shinbun, December 3, 2017.
21 Reuters, July 3, 2018.
22 Kelsey Davenport, “NRC Will Not Require Drone Defenses,” Arms Control Today, December 2019,https://www.armscontrol.org/act/2019-12/news-briefs/nrc-not-require-drone-defenses.
23 TheInternationalForumonPeacefulUseofNuclearEnergy,NuclearNon-ProliferationandNuclear Security: Challenges on Nuclear Non-Proliferation & Security beyond 2020, December 4, 2019, Tokyo.
24 The Washington Post, November 4, 2019.
25 Caroline Baylon, Roger Brunt and David Livingstone, “Chatham House Report: Cyber Security at Civil Nuclear Facilities Understanding the Risks,” Chatham House, September 2015.
26 Alexandra Van Dine, Michael Assante and Page Stoutland, “Outpacing Cyber Threats: Priorities for Cybersecurity at Nuclear Facilities,” NTI, p.15.
27 Caroline Baylon, Roger Brunt and David Livingstone, “Chatham House Report: Cyber Security at Civil Nuclear Facilities: Understanding the Risks,” Chatham House, September 2015.
28 Alexandra Van Dine, Michael Assante and Page Stoutland, “Outpacing Cyber Threats: Priorities for Cybersecurity at Nuclear Facilities,” NTI, p. 23.
