A) Accession status to nuclear security-related conventions

This section examines the accession status of the surveyed countries to international conventions related to nuclear security and safety, namely: the Convention on the Physical Protection of Nuclear Material (CPPNM); the Amendment to the CPPNM (A/CPPNM); the International Convention for the Suppression of Acts of Nuclear Terrorism (ICSANT); the Convention on Nuclear Safety (CNS); the Convention on Early Notification of a Nuclear Accident; the Joint Convention on the Safety of Spent Fuel Management and on the Safety of Radioactive Waste Management; and the Convention on Assistance in the Case of Nuclear Accident or Radiological Emergency. Some, if not all, of these nuclear safety-related conventions have provisions on physical protection measures from the perspective of safety. As these measures can also serve for nuclear security purposes, those nuclear safety-related conventions are regarded as nuclear security-related conventions in this report. Table 3-4 shows the adherence status of each surveyed country to the six conventions mentioned above.

The latest status of international conventions related to nuclear security are as follows:

➢ CPPNM86 (entered into force in 1987): 164 signatories. No new signatories; the number of new signatories since 2016 has been two to three almost every year and has continuously increased, but there was no increase in 2022 and 2023.
➢ A/CPPNM87 (entered into force in 2016): 134 countries ratified. New ratifications by Belarus, Laos and Zimbabwe. The number of new ratifying countries in recent years has been continuously increasing: 15 in 2016, 7 in 2017, 3 in 2018, 5 in 2019, 2 in 2020, 2 in 2021 and 4 in 2022.
➢ ICSANT88 (entered into force in 2007): 122 States Parties. Newly ratified by Albania and Zimbabwe. In recent years, the number of new States Parties has been 6 in 2017, 1 in 2018, 2 in 2019, 1 in 2020, 1 in 2021 and 2 in 2022.
➢ CNS89 (entered into force in 1996): 93  States Parties as of September 2023. Newly ratified by Egypt and Zimbabwe. No ratification in 2022.
➢ Convention on Early Notification of a Nuclear Accident90 (entered into force 1986): 132 States Parties as of February 2023. No country ratified in 2023; One ratification in 2022.
➢ Convention on Assistance in the Case of Nuclear Accident or Radiological Emergency91 (entered into force 1987): 128 States Parties as of November 2023. Newly ratified by Turkmenistan. Three countries ratified in 2022.
➢ Joint Convention on the Safety of Spent Fuel Management and on the Safety of Radioactive Waste Management92 (entered into force in 2001): 89 parties as of February 2023. Newly ratified by Turkey. Two States Parties ratified in 2022.

 

In 2023, there was an increase in the number of ratifications for all conventions except the CPPNM and the Convention on Early Notification of a Nuclear Accident. Egypt and Turkey, two countries in the Middle East, have ratified the relevant conventions, while Zimbabwe ratified three conventions. In recent years, there has been progress in accession to the relevant conventions by the countries of the Global South due to persistent efforts to universalize the conventions. With regard to the countries covered by this study, Turkey, whose first nuclear power plant is due to be commissioned by 2025, has ratified the Joint Convention on the Safety of Spent Fuel Management and on the Safety of Radioactive Waste Management.

During the 67th IAEA General Conference held in September, among the surveyed countries, France, Japan, Norway, the UAE, and the United Kingdom expressed their support for the universalization of international legal documents related to nuclear security, including the A/CPPNM and the ICSANT and pledged to continue their efforts towards this end. Also, they called for the full implementation of the conventions.93 On the other hand, the preamble of the “Nuclear Security Resolution” adopted at the IAEA General Conference included a new paragraph (c) bis, stating, “Respecting that participating in and joining international nuclear security instruments is a voluntary and sovereign decision of a state, while noting efforts towards the widest possible participation.”94

Sharing information with improved transparency and protection of sensitive information is also encouraged as an international assurance of the implementation of nuclear security-related conventions by states, as shown in Table 3-5.

 

B) INFCIRC/225/Rev.5

Application status of each surveyed country of the measures recommended in INFCIRC/ 225/Rev.5

In 2011, the IAEA published the fifth revision of the “Nuclear Security Recommendations on Physical Protection of Nuclear Material and Nuclear Facilities” (INFCIRC/225/Rev.5) as IAEA Nuclear Security Series Document No. 13.
The introduction and implementation of physical protection measures in accordance with the recommended measures in INFCIRC/225/Rev.5, as well as the identification of issues and the formulation of individual measures, are entirely the responsibility of states and are left to the efforts of national regulatory authorities and operators. Therefore, it is important for states to disseminate information on the introduction and application of the measures recommended in INFCIRC/225/Rev.5. However, the amount of such information dissemination has gradually declined since the end of the 2016 Nuclear Security Summit process.

Regarding efforts related to apply recommended measures outlined in INFCIRC/225/Rev.5 by each country under this survey, actions have been taken to date by all countries except North Korea for which there is no information. However, the extent and level of application vary among the respective countries.

 

In the following sections, the actions and initiatives taken in 2023 by the countries under this survey, as well as trends in international efforts coordinated by organizations, regarding the implementation of main recommended measures in INFCIRC/225/Rev.5.

 

Development of national laws and regulations

Each country is responsible for establishing and maintaining a national regulatory framework to govern physical protection.

➢ Canada95: In response to proposals received during the International Physical Protection Advisory Service (IPPAS) mission in 2015, aimed at improving the regulatory framework for nuclear security in line with international nuclear security principles and recommendations, amendments to regulations are being undertaken. Specifically, revisions are being pursued for aspects such as nuclear security culture, interface between nuclear material accountancy and control (NMAC) and nuclear security, protection of sensitive information in physical and digital media, two-person rule in the Central Alarm Station. The existing regulations do not contain explicit requirements for security culture, interface of safety, security and safeguards, or the protection of sensitive information.
➢ Turkey96: After going through amendments, the Regulation on Nuclear Regulation Authority Administrative Sanction was enacted in January 2023.

 

Identification and assessment of threats (including insider threats)

It is recommended that physical protection in a country should be conducted based on each country’s latest assessments of threats. When considering threats, particular attention should be given to insider threats, as individuals within the organization, with access rights, authority, and knowledge, pose a different risk compared to external threats. Insiders can bypass measures for nuclear security and safety procedures, given their ability to utilize access rights and knowledge.

➢ Belgium97: As a follow-up to the “International Symposium on Mitigating Insider Threats” held in 2019, Belgium is organizing a new symposium in 2024. The objective of this symposium is to continue raising awareness about insider threats.
➢ Canada98: “With the legalization of cannabis in early 2021, as part of its proactive efforts to enhance nuclear safety and security at high-security-level nuclear facilities, the Canadian Nuclear Safety Commission (CNSC) introduced new regulatory requirements for pre-assignment inspections and random inspections of personnel. These requirements ensure that Canada is adhering to international best practices and allows the CNSC to impose the highest safety standards possible on licensees operating high-security-level nuclear facilities.”
➢ UAE99:The Federal Authority for Nuclear Regulation (FANR) hosted the National Training Course on Preventive and Protective Measures against Insider Threat to Nuclear Material, which was being organized in cooperation with the IAEA in May. FANR has issued FANR REG 08 “Physical Protection for Nuclear Materials and Nuclear Facilities.” “The Regulation requests the lincences to implement an insider threat mitigation programme, including requirement for an access authorization program, a fitness-for-duty programme and the Cyber Security Plan.”
➢ The United States100: The National Intelligence Office designated September as “National Insider Threat Awareness Month” and called for cooperation from government agencies, including the Nuclear Regulatory Commission (NRC), in detecting, deterring, and mitigating insider threat risks. This initiative emphasized the importance of remaining vigilant against such threats and encouraged collaboration through the distribution of policy memos to administrative agencies.

In the 2023 edition of the NTI Nuclear Security Index, it is noted that, since the previous index issued in 2020, there has been no progress in enhancing measures for insider threat mitigation and strengthening nuclear security culture among countries possessing weapons-usable nuclear materials and nuclear facilities.101 Furthermore, it suggests that while national governments need to strengthen efforts in establishing and enhancing programs to identify and mitigate insider threats, addressing this vulnerability is not sufficient through government actions alone. Therefore, there is an emphasis on the need for enhancing nuclear security culture by entities such as operators, as this is considered essential in addressing this vulnerability.
In October 2023, IAEA organized an international training course on insider threats at the newly established Nuclear Security Training and Demonstration Center (NSTDC) in Seibersdorf.102 This training course “introduces the concepts that underlie the evaluation of preventive and protective measures and explains how these should be applied to enhance nuclear security with regard to insider threats.”

 

Cybersecurity

➢ Canada103: The existing nuclear security regulations do not contain provisions related to cybersecurity or the protection of digital information. Therefore, in the cybersecurity program, revisions are underway to address cybersecurity risks identified in threat and risk assessments, protect computer-based systems and components affecting or impacted by the functions of nuclear safety, nuclear security, emergency response, and safeguards from cyber attacks. The revisions also aim to require license applicants and licensees to identify and protect confidential information, in physical or digital form, throughout its lifecycle, safeguarding it from threats identified in the licensee’s threat and risk assessments.
➢ Kazakhstan104: In February and May, training courses on the application of information security for nuclear facilities were conducted with the cooperation of the U.S. Defense Threat Reduction Agency’s (DTRA) Global Nuclear Security (GNS) program. This course is part of the ongoing trainer development efforts by DTRA-GNS, aiming to establish a sustainable and growing nuclear security curriculum and a pool of leaders in Kazakhstan.
➢ France105: In March, France held the IAEA international workshop in Paris on instrumentation and control (I&C) as well as computer security for small modular reactors.
➢ Japan and United States106: In March, a workshop titled “Japan-U.S. Collaboration for Building Cybersecurity Capabilities” was co-hosted by the Integrated Support Center for Nuclear Nonproliferation and Nuclear Security (ISCN) of the Japan Atomic Energy Agency’s (JAEA) and the U.S. Department of Energy in Washington D.C. Discussions revolved around challenges in training personnel involved in computer security.
➢ Norway107: Expressed their commitment to contribute to the IAEA’s technical assistance to member states in improving their regulator capacity for cybersecurity inspections of nuclear facilities.
➢ The United States108: The Nuclear Regulatory Commission (NRC) has issued Revision 1 of Regulatory Guide (RG) 5.71, titled “Cybersecurity Program for Nuclear Reactors.” This revision aims to clarify guidance on deep defense for cybersecurity, incorporating content based on the latest guidelines from the National Institute of Standards and Technology (NIST) and the IAEA.

Additionally, although not part of the countries under investigation, Egypt, Ghana, and Nigeria are implementing programs, with the support of the IAEA, to develop and strengthen computer security regulations to appropriately protect various types of nuclear facilities, including research reactors, from computer-based malicious activities. Many African countries are learning from the experiences of these three nations in this regard.109

 

Nuclear security culture110

It has been increasingly recognized in recent years that fostering and maintaining a nuclear security culture is extremely important to ensure the continued effectiveness of nuclear security measures, including for cybersecurity and insider threat. All organizations related to nuclear energy, including regulatory agencies and operators, are required to recognize the existence of the threat of nuclear terrorism and the importance of nuclear security, and to ensure that each individual is aware of their role and responsibilities in nuclear security.

➢ Canada111: The existing Nuclear Security Regulations do not contain explicit requirements for security culture. The work to change the regulations is underway. Specifically, Canada is working to amend the regulations to require licensees to develop, implement, and promote nuclear security culture measures and practices at their facilities. These efforts were supported by an IPPAS mission that Canada hosted in 2015, which proposed “improving the CNSC’s nuclear security regulatory framework and suggested better alignment with important international nuclear security fundamental principles and recommendations.”
➢ Japan112: In January, JAEA/ISCN, in collaboration with the World Institute for Nuclear Security (WINS), organized a domestic workshop on Self-Assessment of Nuclear Security Culture with 30 participants from nuclear operators, regulatory authorities, etc. The workshop employed a “drama-based session,” utilizing scenes from various plays to extract challenges related to nuclear security culture, initiating discussions among participants on self-assessment. Additionally, IAEA regional workshop on the practical aspects of nuclear security culture was conducted in Tokai-mura from February to March.113
➢ The United Kingdom114: In 2022, the Office for Nuclear Regulation (ONR) conducted a stakeholder survey on ONR’s nuclear security culture. The stakeholders expressed continued confidence (93%) in ONR’s mission to “protect society by ensuring the safe operation of nuclear facilities.” The survey results concluded that ONR had a positive impact on public safety and influenced improvements in nuclear safety and security culture among licensees and dutyholders.

In Japan, the deterioration of the nuclear security culture became an issue in 2020 at TEPCO Holdings’ (TEPCO) Kashiwazaki-Kariwa Nuclear Power Station due to incidents of ID card misuse and partial loss of nuclear material protection functions (see Hiroshima Report 2022, pp. 118-119). In December 2023, TEPCO released an improvement measures implementation report on its efforts to strengthen nuclear material protection since September 2021.115 TEPCO has identified three root causes, drawn up improvement measure plans with 36 items, and has been taking remedial measures, according to the report. In the process, TEPCO re-evaluated the cause analysis pertaining to both incidents and identified three root causes: weak risk awareness, weak understanding of the actual situation at the site, and weak organizational capacity to correct the situation. In addition, it evaluated the implementation provisions and effectiveness of the improvement measure plans. TEPCO also established an improvement mechanism for issues pointed out by the Nuclear Regulation Authority, such as the practice of non-transitory efforts, and completed corrective actions after confirming the results of the efforts.
In a statement to the IAEA Board of Governors in March, the EU stressed the importance of nuclear security culture in preparation for the IAEA International Conference on Nuclear Security (ICONS) to be held in 2024, saying that “efforts must be maintained to strengthen nuclear security and nuclear security culture, which are essential for the development of peaceful uses of nuclear energy.”116
As noted above, NTI states that no progress has been made beyond 2020 in efforts for nuclear security culture by states with weapons-usable nuclear materials or nuclear facilities.117 It also states that nuclear operators should develop programs to strengthen nuclear security culture, and that regulatory agencies, intelligence agencies, law enforcement agencies, industry, and nongovernmental organizations should improve information sharing on nuclear security matters.118

---

86 The Convention requires the criminalization of acts such as receipt, possession, use, transfer, alteration, disposal or dispersing nuclear material without lawful authority and which causes or is likely to cause personal or property damage, and theft of nuclear material. Efforts to universalize the Convention, including countries that do not have nuclear programs, continue to be important.
87 This is the only legally binding international agreement on the protection of nuclear materials and facilities for peaceful purposes.
88 It obliges States Parties to criminalize the possession or use of radioactive materials or nuclear explosive devices with malicious intent, the use of nuclear facilities in a manner that leads to the emission of radioactive materials, or the destruction of such facilities.
89 This Convention aims at ensuring and enhancing the safety of NPPs. State Parties are required to take legal and administrative measures, to report to the review committee established under this convention, and to accept peer review in order to ensure the safety of NPPs under their jurisdiction.

90 This Convention obligates State Parties to immediately report to the IAEA when a nuclear accident has occurred, including the type, time, and location of the accident as well as relevant information.
91 This Convention establishes an international framework that enables the provision of equipment and dispatch of experts with the goals of preventing and/or minimizing nuclear accidents and radiological emergencies.
92 The Joint Convention calls for its State Parties to take legal and administrative measures, report to its review committee, and undergo peer review by other parties, for the purpose of ensuring safety of spent fuel and radioactive waste.

93 “Statements to IAEA General Conference,” IAEA, https://www.iaea.org/about/governance/general-conference/gc67/statements.
94 IAEA, “Nuclear Security Resolution,” September 2023, p. 1.

95 “Canada Gazette, Part I, Volume 156, Number 46: Nuclear Security Regulations, 2023,” November 22, 2022, https://gazette.gc.ca/rp-pr/p1/2022/2022-11-12/html/reg1-eng.html.

96 “National Submission of Türkiye,” February 8, 2023, https://www.un.org/en/sc/1540/documents/ TurkiyeReport8Feb2023.pdf.
97 “Statement by Belgium,” at the 67th IAEA General Conference, September 25, 2023.
98 CNSC, “CNSC statement on the Federal Court decision to uphold pre-placement and random alcohol and drug testing of workers in safety-critical positions at high-security nuclear facilities,” June 12, 2023, https://www.canada.ca/en/nuclear-safety-commission/news/2023/06/cnsc-statement-on-the-federal-court-decision-to-uphold-pre-placement-and-random-alcohol-and-drug-testing-of-workers-in-safety-critical-positions-at.html.
99 “The Federal Authority for Nuclear Regulation Hosts National Training Course,” Federal Authority for Nuclear Regulation, May 10, 2023, https://www.fanr.gov.ae/en/media-centre/news?g=846214EB-3965-4D8B-9D2C-1928D1BF72AF.

100 Office of the Director of National Intelligence, “September 2023 is National Insider Threat Awareness month,” NCSC-23-00047, 2023, https://www.dni.gov/files/NCSC/documents/features/NCSC% 20NITAM%20MEMO_230047_SIGNED.pdf.
101 The 2023 NTI Nuclear Security Index, Nuclear Threat Initiative, July 2023, p. 9.
102 “International Training Course on Insider Threat Using the Shapsha 3D Model,” https://www. tenmak.gov.tr/attachments/article/3755/23-03568E_Encl.pdf.
103 “Canada Gazette, Part I, Volume 156, Number 46: Nuclear Security Regulations, 2023,” November 22, 2022, https://gazette.gc.ca/rp-pr/p1/2022/2022-11-12/html/reg1-eng.html.

104 “DTRA’s Global Nuclear Security Program Partners with Kazakhstan’s Nuclear Security Stakeholders,” U.S. Embassy & Consulate in Kazakhstan, February 21, 2023, https://kz.usembassy.gov/dtras-global-nuclear-security-program-partners-with-kazakhstans-nuclear-security-stakeholders/; “DTRA Partners with Kazakhstan’s Civilian Nuclear Stakeholders to Conduct a Computer Security Training,” U.S. Embassy & Consulate in Kazakhstan, May 23, 2023, https://kz.usembassy.gov/dtra-partners-with-kazakhstans-civilian-nuclear-stakeholders-to-conduct-a-nuclear-facility-computer-security-training/.
105 IAEA, Nuclear Security Report 2023, September 2023, p. 17.
106 “Report on the JAEA/ISCN-US/DOE co-hosted workshop ‘US-Japan Cooperation for Building Computer Security Capability’,” ISCN Newsletter, No. 0317, May 2023, pp. 51-52.
107 “Statement by Norway on Nuclear Security: Nuclear Security Review 2023,” at the IAEA BoG, March 2023.
108 “88 FR 9117 – Cyber Security Programs for Nuclear Power Reactors,” Federal Register Volume 88, Issue 29, February 13, 2023, https://www.govinfo.gov/app/details/FR-2023-02-13/2023-02941; “NRC Updates Guidance on Cybersecurity Programs for Nuclear Power Reactors,” UP & ATOM, February 24, 2023, https://www.morganlewis.com/blogs/upandatom/2023/02/nrc-updates-guidance-on-cybersecuri ty-programs-for-nuclear-power-reactors.

109 Andrea Rahandini, “IAEA Assists African Countries in Developing Computer Security Regulations,” IAEA Bulletin, June 23, 2023, pp. 10-11.
110 According to the definition by the IAEA, nuclear security culture is “the assembly of characteristics, attitudes and behaviours of individuals, organizations and institutions which serves as a means to support, enhance and sustain nuclear security.” IAEA, IAEA Nuclear Safety and Security Glossary 2022 (Interim) Edition, October 2022, p. 140.
111 “Canada Gazette, Part I, Volume 156, Number 46: Nuclear Security Regulations, 2023,” November 22, 2022, https://gazette.gc.ca/rp-pr/p1/2022/2022-11-12/html/reg1-eng.html.
112 IAEA, Nuclear Security Report 2023, September 2023, p. 8.
113 “Report on ISCN-WINS Joint Workshop ‘Self-assessment of nuclear security culture,’” ISCN Newsletter, No. 0315, March 2023, pp. 30-31, https://www.jaea.go.jp/04/iscn/nnp_news/attached/0315_en. pdf#page=31.
114 Office for Nuclear Regulation, Annual Report and Accounts 2022/23, HC186, 2023.

115 On these two incidents, see TEPCO, “Efforts to Strengthen Nuclear Material Protection and Improve Nuclear Safety at the Kashiwazaki-Kariwa Nuclear Power Station,” December 28, 2023, https://www. tepco.co.jp/niigata_hq/data/publication/pdf/2023/2023122802p.pdf.
116 “EU Statement on Nuclear Security Review 2023,” at IAEA BoG Meeting, March 7, 2023.
117 The 2023 NTI Nuclear Security Index, p. 9.
118 Ibid.