The PRO-X program is actively supporting the design of nuclear systems by developing a framework to both optimize the fuel cycle infrastructure for advanced reactors (ARs) and minimize the potential for production of weapons-usable nuclear material. Three study topics are currently being investigated by Sandia National Laboratories (SNL) with support from Argonne National Laboratories (ANL). This multi-lab collaboration focuses on three study topics that may offer proliferation resistance opportunities or advantages in the nuclear fuel cycle: 1) Transportation Global Landscape, 2) Transportation Avoidability, and 3) Parallel Modular Systems vs Single Large System (Crosscutting Activity).
Security engineering approaches can often focus on a particular domain—physical security, cyber security, or personnel security, for example. Yet, security systems engineering consistently faces challenges requiring socio-technical solutions to address evolving and dynamic complexity. While some drivers of this complexity stem from complex risk environments, innovative adversaries, and disruptive technologies, other drivers are endogenous and emerge from the interactions across security engineering approaches. In response, INCOSE's Systems Security Working Group identified the need to better coordinate “disparate security solutions [that] operate independently” as one of eleven key concepts in their IS21 FuSE Security Roadmap. From this perspective, this need for “security orchestration” aligns with the perspective that security is a property that emerges from interactions within complex systems. Current efforts at Sandia National Laboratories are developing a systems security engineering approach that describes high consequence facility (HCF) security as a multidomain set of interacting layers. The result is a multilayered network (MLN)-based approach that captures the interactions between infrastructure, physical components, digital components, and humans in nuclear security systems. This article will summarize the MLN-based approach to HCF security and describe two preliminary results demonstrating potential benefits from incorporating interactions across disparate security solutions. Here, leveraging the logical structure of networks, this MLN model-based approach provides an example of how security orchestration provides enhanced systems security engineering solutions.
Advances in differentiating between malicious intent and natural "organizational evolution" to explain observed anomalies in operational workplace patterns suggest a benefit from evaluating collective behaviors observed in facilities to improve insider threat detection and mitigation (ITDM). Advances in artificial neural networks (ANN) provide more robust pathways for capturing, analyzing, and collating disparate data signals into quantitative descriptions of operational workplace patterns. In response, a joint study by Sandia National Laboratories and the University of Texas at Austin explored the effectiveness of commercial ANN software to improve ITDM. This research demonstrates the benefit of learning patterns of organizational behaviors, detecting off-normal (or anomalous) deviations from these patterns, and alerting when certain types, frequencies, or quantities of deviations emerge for improving ITDM. Evaluating nearly 33,000 access control data points and over 1,600 intrusion sensor data points collected over a nearly twelve-month period, this study's results demonstrated that the ANN could recognize operational patterns at the Nuclear Engineering Teaching Laboratory (NETL) and detect off-normal behaviors, suggesting that ANNs can be used to support a data-analytic approach to ITDM. Several representative experiments were conducted to further evaluate these conclusions, with the resultant insights supporting collective behavior-based analytical approaches to quantitatively describe insider threat detection and mitigation.
Security assessments support decision-makers' ability to evaluate current capabilities of high consequence facilities (HCF) to respond to possible attacks. However, increasing complexity of today's operational environment requires a critical review of traditional approaches to ensure that implemented assessments are providing relevant and timely insights into security of HCFs. Using interviews and focus groups with diverse subject matter experts (SMEs), this study evaluated the current state of security assessments and identified opportunities to achieve a more "ideal" state. The SME-based data underscored the value of a systems approach for understanding the impacts of changing operational designs and contexts (as well as cultural influences) on security to address methodological shortcomings of traditional assessment processes. These findings can be used to inform the development of new approaches to HCF security assessments that are able to more accurately reflect changing operational environments and effectively mitigate concerns arising from new adversary capabilities.
Traditional systems engineering demonstrates the importance of customer needs in scoping and defining design requirements; yet, in practice, other human stakeholders are often absent from early lifecycle phases. Human factors are often omitted in practice when evaluating and down-selecting design options due to constraints such as time, money, access to user populations, or difficulty in proving system robustness through the inclusion of human behaviors. Advances in systems engineering increasingly include non-technical influences in the design, deployment, operations, and maintenance of interacting components to achieve common performance objectives. Furthermore, such advances highlight the need to better account for the various roles of human actors to achieve desired performance outcomes in complex systems. Many of these efforts seek to infuse lessons and concepts from human factors (enhanced decision-making through Crew Resource Management), systems safety (Rasmussen's “drift toward danger”) and organization science (Giddens' recurrent human acts leading to emergent behaviors) into systems engineering to better understand how socio-technical interactions impact emergent system performance. Safety and security are examples of complex system performance outcomes that are directly impacted by varying roles of human actors. Using security performance of high consequence facilities as a representative use case, this article will outline the System Context Lenses to understand how to include various roles of human actors in systems engineering design. Several exemplar applications of these organizing lenses will be summarized and used to highlight more generalized insights for the broader systems engineering community.
Protecting high consequence facilities (HCF) from malicious attacks is challenged by today’s increasingly complex, multi-faceted, and interdependent operational environments and threat domains. Building on current approaches, insights from complex systems and network science can better incorporate multidomain interactions observed in HCF security operations. These observations and qualitative HCF security expert data support invoking a multilayer modeling approach for HCF security to shift from a “reactive” to a “proactive” paradigm that better explores HCF security dynamics and resilience not captured in traditional approaches. After exploring these multi-domain interactions, this paper introduces how systems theory and network science insights can be leveraged to describe HCF security as complex, interdependent multilayer directed networks. A hypothetical example then demonstrates the utility of such an approach, followed by a discussion on key insights and implications of incorporating multilayer network analytical performance measures into HCF security.
The design and construction of a nuclear power plant must include robust structures and a security boundary that is difficult to penetrate. For security considerations, the reactors would ideally be sited underground, beneath a massive solid block, which would be too thick to be penetrated by tools or explosives. Additionally, all communications and power transfer lines would also be located underground and would be fortified against any possible design basis threats. Limiting access with difficult-to-penetrate physical barriers is a key aspect for determining response and staffing requirements. Considerations in a graded approach to physical protection are described.
Nuclear power plants must be, by design and construction, robust structures and difficult to penetrate. Limiting access with difficult-to-penetrate physical barriers is going to be key for staffing reduction. Ideally, for security, the reactors would be sited underground, beneath a massive solid block, too thick to be penetrated by tools or explosives, with all communications and power transfer lines also underground and fortified. Having the minimal possible number of access points, and methods to completely block access from these points if a threat is detected, will greatly help us justify staffing reduction.
Nuclear power plants must be, by design and construction, robust structures and difficult to penetrate. Ideally, for security, the reactors would be sited underground, beneath a massive solid block, too thick to be penetrated by tools or explosives, with all communications and power transfer lines also underground and fortified. Limiting access with difficult-to-penetrate physical barriers is going to be key for determining response and staffing requirements.
Part of the Presidential Policy Directive 21 (PPD-21) (PPD 2013) mandate includes evaluating safety, security, and safeguards (or nonproliferation) mechanisms traditionally implemented within the nuclear reactors, materials, and waste sector of critical infrastructure—including a complex, dynamic set of risks and threats within an all-hazards approach. In response, research out of Sandia National Laboratories (Sandia) explores the ability of systems theory principles (hierarchy and emergence) and complex systems engineering concepts (multidomain interdependence) to better understand and address these risks and threats. Herein, this Sandia research explores the safety, safeguards, and security risks of three different nuclear sector-related activities—spent nuclear fuel transportation, small modular reactors, and portable nuclear power reactors—to investigate the complex and dynamic risk related to the PPD-21-mandated all-hazards approach. This research showed that a systems-theoretic approach can better identify inter-dependencies, conflicts, gaps, and leverage points across traditional safety, security, and safeguards hazard mitigation strategies in the nuclear reactors, materials, and waste sector. Resulting from this, mitigation strategies from applying systems theoretic principles and complex systems engineering concepts can be (1) designed to better capture interdependencies, (2) implemented to better align with real-world operational uncertainties, and (3) evaluated as a systems-level whole to better identify, characterize, and manage PPD-21's all hazards strategies.
Existing security models are highly linear and fail to capture the rich interactions that occur across security technology, infrastructure, cybersecurity, and human/organizational components. In this work, we will leverage insights from resilience science, complex system theory, and network theory to develop a next-generation security model based on these interactions to address challenges in complex, nonlinear risk environments and against innovative and disruptive technologies. Developing such a model is a key step forward toward a dynamic security paradigm (e.g., shifting from detection to anticipation) and establishing the foundation for designing next-generation physical security systems against evolving threats in uncontrolled or contested operational environments.
The Gulf Nuclear Energy Infrastructure Institute (GNEII—pronounced "genie") seeks to develop expertise among future leaders of Gulf-region nuclear power programs in global standards, norms and best practices in nuclear energy programs. More specifically, the institute aims to contribute to the enhancement of nuclear security, safety, and safeguards (the so-called nuclear "3S") by providing an avenue for regional nuclear interaction, technical collaboration, lessons-learned discussions, and best-practices sharing. It is a multidisciplinary human capacity development institute offering education, research and technical services to support responsible nuclear energy programs in the Gulf and Middle East regions. In this Joint Report, Chapter 2 discusses GNEII's origins (including drivers, milestones, and design principles), Chapter 3 discusses GNEII's objectives (including goals, mission, and vision), Chapter 4 discusses GNEII's operations (including education, research, and technical service pillars), Chapter 5 discusses major insights and next steps, and Chapter 6 provides a list of publications offering additional depictions and details of GNEII's evolution. Though only one piece of a multi-faceted, multi-national effort to develop human infrastructure needs for nascent nuclear energy programs, GNEII offers a model that addresses the socio-technical attributes of nuclear 3S that can be replicated globally.
This article discusses likely future contexts of, and options for, global threat-reduction activities to support nonproliferation goals over the next five to ten years. Threat-reduction activities span a continuum from unilateral actions that the United States might take with little cooperation and transparency at one end to cooperative actions associated with negotiated treaties and agreements at the other. This study focuses on cooperative approaches embodied in the Cooperative Threat Reduction (CTR) program, which has been the most visible program reducing the threats posed by weapons of mass destruction for over two decades. Here, we argue that CTR’s evolution can be described in terms of the relationship between the desired US influence on outcomes, the ability to generate a common threat definition, and appetite for collaboration on threat reduction. To that end, this article provides an introduction and overview of CTR initiatives over its twenty-seven-year history and a review of relevant legislation and trends. After introducing and describing the CTR Possible Futures Framework, this article offers five possible options for—and discusses the implications of—CTR’s future evolution.
Security at nuclear power plants (NPPs) in the United States is currently based on vital area identification (VAI), a procedure to determine locations within a nuclear facility that need to be defended from adversaries in order to avoid damage to the facility and/or release of radionuclides to the environment. This procedure heavily leverages a Level 1 probabilistic risk assessment (PRA), which identifies combinations of events that can lead to core damage. Current approaches to VAI for NPPs, however, are determined as a “snapshot-in-time” and are therefore unable to include the time-dependent effects of safety systems within an NPP. A novel “leading simulator (LS) / trailing simulator (TS)” methodology is proposed to integrate the thermal hydraulic-based safety analysis of an NPP with a physical security analytical tool to model vital area boundaries and related potential consequences. The methodology will use dynamic event trees to systematically explore the uncertainties in an adversary attack scenario at a hypothetical NPP while incorporating the timing and repair effects that are not captured using the available modeling approaches to physical security practices. Ultimately, the LS/TS methodology will enable NPPs to incorporate the full complement of safety systems and procedures when performing security analyses.
Interest in small modular reactors (SMRs) as an efficient and effective way to meet increasing energy demands, coupled with a growing aversion to the cost and schedule overruns traditionally associated with the current fleet of commercial nuclear power plants (NPPs), makes SMRs attractive: they offer a significant relative cost reduction over current-generation nuclear reactors, increasing their appeal around the globe. Sandia's Global Nuclear Assurance and Security (GNAS) research perspective reframes the discussion around the "complex risk" of SMRs to address interdependencies between safety, safeguards, and security. This systems study provides technically rigorous analysis of the safety, safeguards, and security risks of SMR technologies. The aims of this research are three-fold. The first aim is to provide analytical evidence to support safety, safeguards, and security claims related to SMRs (Study Report Volume I). Second, this study aims to introduce a systems-theoretic approach for exploring interdependencies between the technical evaluations (Study Report Volume II). The third aim is to demonstrate Sandia's capability for timely, rigorous, and technical analysis to support emerging complex GNAS mission objectives.
Solodov, Alexander; Williams, Adam D.; Al Hanaei, Sara; Goddard, Braden
Unmanned aerial vehicles (UAV) are among the major growing technologies that have many beneficial applications, yet they can also pose a significant threat. Recently, several incidents occurred with UAVs violating privacy of the public and security of sensitive facilities, including several nuclear power plants in France. The threat of UAVs to the security of nuclear facilities is of great importance and is the focus of this work. This paper presents an overview of UAV technology and classification, as well as its applications and potential threats. We show several examples of recent security incidents involving UAVs in France, the USA, and the United Arab Emirates. Further, the potential threats to nuclear facilities and measures to prevent them are evaluated. The importance of measures for detection, delay, and response (neutralization) of UAVs at nuclear facilities is discussed. An overview of existing technologies along with their strengths and weaknesses is given. Finally, the results of a gap analysis of existing approaches and technologies are presented in the form of potential technological and procedural areas for research and development. Based on this analysis, directions for future work in the field can be devised and prioritized.
In response to the expansion of nuclear fuel cycle (NFC) activities (and the associated suite of risks) around the world, this effort provides an evaluation of systems-based solutions for managing such risk complexity in multi-modal (land and water) and multi-jurisdictional international spent nuclear fuel (SNF) transportation. By better understanding systemic risks in SNF transportation, developing SNF transportation risk assessment frameworks, and evaluating these systems-based risk assessment frameworks, this research illustrates that interdependency between safety, security, and safeguards (3S) risks is inherent in NFC activities and can go unidentified when each “S” is independently evaluated. Two novel system-theoretic analysis techniques, dynamic probabilistic risk assessment (DPRA) and system-theoretic process analysis (STPA), provide integrated 3S analysis to address these interdependencies. This research suggests a need (and provides a way) to reprioritize United States engagement efforts to reduce global SNF transportation risks. Note: This paper is a summary of the final results found in Reference [1].
To support more rigorous analysis on global security issues at Sandia National Laboratories (SNL), there is a need to develop realistic data sets without using "real" data or identifying "real" vulnerabilities, hazards or geopolitically embarrassing shortcomings. In response, an interdisciplinary team led by subject matter experts in SNL's Center for Global Security and Cooperation (CGSC) developed a hypothetical case description. This hypothetical case description assigns various attributes related to international SNF transportation that are representative, illustrative and indicative of "real" characteristics of "real" countries. There is no intent to identify any particular country and any similarity with specific real-world events is purely coincidental. To support the goal of this report to provide a case description (and set of scenarios of concern) for international SNF transportation inclusive of as much "real-world" complexity as possible -- without crossing over into politically sensitive or classified information -- this SAND report provides a subject matter expert-validated (and detailed) description of both technical and political influences on the international transportation of spent nuclear fuel.
Safety-focused risk analysis and assessment approaches struggle to adequately include malicious, deliberate acts against the nuclear power industry's fissile and waste material, infrastructure, and facilities. Further, existing methods do not adequately address nonproliferation issues. Treating safety, security, and safeguards concerns independently is inefficient because, at best, it may not take explicit advantage of measures that provide benefits against multiple risk domains, and, at worst, it may lead to implementations that increase overall risk due to incompatibilities. What is needed is an integrated safety, security and safeguards risk (or "3SR") framework for describing and assessing nuclear power risks that can enable direct trade-offs and interactions in order to inform risk management processes -- a potential paradigm shift in risk analysis and management. These proceedings of the Sandia ePRA Workshop (held August 22-23, 2017) are an attempt to begin the discussions and deliberations to extend and augment safety-focused risk assessment approaches to include security concerns and begin moving towards a 3S Risk approach. Safeguards concerns were not included in this initial workshop and are left to future efforts. This workshop focused on four themes in order to begin building out the safety and security portions of the 3S Risk toolkit: 1) Historical Approaches and Tools, 2) Current Challenges, 3) Modern Approaches, and 4) Paths Forward and Next Steps. This report is organized along the four areas described above, and concludes with a summary of key points. Contact: rforres@sandia.gov; +1 (925) 294-2728
In response to the expansion of nuclear fuel cycle (NFC) activities -- and the associated suite of risks -- around the world, this project evaluated systems-based solutions for managing such risk complexity in multimodal and multi-jurisdictional international spent nuclear fuel (SNF) transportation. By better understanding systemic risks in SNF transportation, developing SNF transportation risk assessment frameworks, and evaluating these systems-based risk assessment frameworks, this research illustrated that interdependency between safety, security, and safeguards risks is inherent in NFC activities and can go unidentified when each "S" is independently evaluated. Two novel system-theoretic analysis techniques -- dynamic probabilistic risk assessment (DPRA) and system-theoretic process analysis (STPA) -- provide integrated "3S" analysis to address these interdependencies, and the research results suggest a need -- and provide a way -- to reprioritize United States engagement efforts to reduce global nuclear risks. Lastly, this research identifies areas where Sandia National Laboratories can spearhead technical advances to reduce global nuclear dangers.
ANS IHLRWM 2017 - 16th International High-Level Radioactive Waste Management Conference: Creating a Safe and Secure Energy Future for Generations to Come - Driving Toward Long-Term Storage and Disposal
Transportation of spent nuclear fuel (SNF) is expected to increase in the future, as the nuclear fuel infrastructure continues to expand and fuel takeback programs increase in popularity. Analysis of potential risks and threats to SNF shipments is currently performed separately for safety and security. However, as SNF transportation increases, the plausible threats beyond individual categories and the interactions between them become more apparent. A new approach is being developed to integrate safety, security, and safeguards (3S) under a system-theoretic framework and a probabilistic risk framework. At the first stage, a simplified scenario will be implemented using a dynamic probabilistic risk assessment (DPRA) method. This scenario considers a rail derailment followed by an attack. The consequences of derailment are calculated with RADTRAN, a transportation risk analysis code. The attack scenarios are analyzed with STAGE, a combat simulation model. The consequences of the attack are then calculated with RADTRAN. Note that both accident and attack result in SNF cask damage and a potential release of some fraction of the SNF inventory into the environment. The major purpose of this analysis was to develop the input data for DPRA. Generic PWR and BWR transportation casks were considered. These data were then used to demonstrate the consequences of hypothetical accidents in which the radioactive materials were released into the environment. The SNF inventory is one of the most important inputs into the analysis. Several pressurized water reactor (PWR) and boiling water reactor (BWR) fuel burnups and discharge times were considered for this proof-of-concept. The inventory was calculated using ORIGEN (point depletion and decay computer code, Oak Ridge National Laboratory) for 3 characteristic burnup values (40, 50, and 60 GWD/MTU) and 4 fuel ages (5, 10, 25 and 50 years after discharge).
The major consequences unique to the transportation of SNF for both accident and attack are the results of the dispersion of radionuclides in the environment. The dynamic atmospheric dispersion model in RADTRAN was used to calculate these consequences. Examples of maximum exposed individual (MEI) dose, early mortality and soil contamination are discussed to demonstrate the importance of different factors. At the next stage, the RADTRAN outputs will be converted into a form compatible with the STAGE analysis. As a result, identification of additional risks related to the interaction between characteristics becomes a more straightforward task. In order to present the results of the RADTRAN analysis in a framework compatible with the results of the STAGE analysis, the results will be grouped into three categories: 1) immediate negative harms, 2) future benefits that cannot be realized, and 3) additional increases in future risk. By describing results within generically applicable categories, the results of safety analysis can be placed in context with the risk arising from security events.
As grid energy storage systems become more complex, it grows more difficult to design them for safe operation. This paper first reviews the properties of lithium-ion batteries that can produce hazards in grid scale systems. Then the conventional safety engineering technique Probabilistic Risk Assessment (PRA) is reviewed to identify its limitations in complex systems. To address this gap, new research is presented on the application of Systems-Theoretic Process Analysis (STPA) to a lithium-ion battery based grid energy storage system. STPA is anticipated to fill the gaps recognized in PRA for designing complex systems and hence be more effective or less costly to use during safety engineering. It was observed that STPA is able to capture causal scenarios for accidents not identified using PRA. Additionally, STPA enabled a more rational assessment of uncertainty (all that is not known) thereby promoting a healthy skepticism of design assumptions. We conclude that STPA may indeed be more cost effective than PRA for safety engineering in lithium-ion battery systems. However, further research is needed to determine if this approach actually reduces safety engineering costs in development, or improves industry safety standards.
Port security is an increasing concern given the significant role of ports in global commerce and today’s increasingly complex threat environment. Current approaches to port security mirror traditional models of accident causality – ‘a series of security nets’ based on component reliability and probabilistic assumptions. Traditional port security frameworks result in isolated and inconsistent improvement strategies. Recent work in engineered safety combines the ideas of hierarchy, emergence, control and communication into a new paradigm for understanding port security as an emergent complex system property. The ‘System-Theoretic Accident Model and Process (STAMP)’ is a new model of causality based on systems and control theory. The associated analysis process – System Theoretic Process Analysis (STPA) – identifies specific technical or procedural security requirements designed to work in coordination with (and be traceable to) overall port objectives. This process yields port security design specifications that can mitigate (if not eliminate) port security vulnerabilities related to an emphasis on component reliability, lack of coordination between port security stakeholders or economic pressures endemic in the maritime industry. This article aims to demonstrate how STAMP’s broader view of causality and complexity can better address the dynamic and interactive behaviors of social, organizational and technical components of port security.
The Gulf Nuclear Energy Infrastructure Institute (GNEII) was established collaboratively by Sandia National Laboratories, Texas A&M University, and the United Arab Emirates’ (UAE’s) Khalifa University of Science, Technology and Research in 2011 to provide a regional mechanism for developing responsible nuclear energy infrastructure. By combining education and research, GNEII helps increase knowledge and expertise about nuclear energy infrastructure—including safety, safeguards, and security—among Gulf and Middle East professionals working in regional nuclear-power programs. GNEII has been recognized by the White House as a major achievement in enhanced science and technology partnerships with the developing world.