Keywords

Nuclear safety and security—the protection of nuclear facilities, weapons, technologies, and materials against accidents or attacks—is an understudied area of international security studies.Footnote 1 Periodically, the subject has received high levels of attention. Following the fall of the Soviet Union, for example, scholars and policymakers worried intensely about the fate of its nuclear arsenal and infrastructure.Footnote 2 The problem again came to the fore following the September 11, 2001 attacks, which raised the specter of terrorists gaining access to nuclear weapons or materials.Footnote 3 Much of this post-9/11 focus was directed at South Asia, where the Pakistani nuclear program’s potential vulnerabilities to militants and other religious extremists were a major concern for the United States and the international community.Footnote 4

Despite these periods of interest, however, the problem of nuclear safety and security has generally received only modest scholarly attention. Most scholars and analysts of nuclear-related matters have focused their attention elsewhere, such as the ways in which nuclear weapons can generate deterrence and how they might contribute to coercive success in the event of conflict.Footnote 5 A significant cohort studies nuclear proliferation, including the reasons why states acquire nuclear weapons, ways to prevent them from doing so, and proliferation’s effects on the behavior of newly nuclear states.Footnote 6 Others study the normative aspects of nuclear weapons, debating whether their use can ever be justified, as well as the role of moral concerns in preventing their use in the past.Footnote 7

To be sure, these are important areas of inquiry, helping us to assess the effects of nuclear weapons on the likelihood of war and peace, to limit their spread, and to grapple with the difficult moral questions that their possession and potential use inevitably raise. However, a nuclear-related disaster is more likely to result from a peacetime mishap or a terrorist operation at a power plant than from a nuclear war. Improving our understanding of ongoing, day-to-day means of protecting the entire nuclear enterprise, ranging from civilian power plants to military applications—in other words, the study of nuclear safety and security—is therefore essential.

Joint studies, in which experts work with colleagues from partner states to address key challenges in protecting the nuclear enterprise, can be a fruitful means of enhancing our knowledge in this area. Such projects create valuable learning opportunities, enabling partners to share experiences, identify best practices, and develop new ideas for jointly tackling common problems. They also build trust, as experts from the two countries share ideas and information in their efforts to address some of their most sensitive security concerns.

The United States and India are particularly promising candidates for these types of projects. Both countries are longstanding nuclear states with significant nuclear infrastructure. Both have suffered attacks on parts of their nuclear enterprise, revealing weaknesses that required further attention. And both countries are deeply concerned about threats to the safety and security of their nuclear enterprises, and determined to take concrete steps to mitigate them.

This is an opportune moment for such a joint U.S.-India project. A series of nuclear-security summits during the Obama Administration raised awareness of the issue, and led states to take steps to promote nuclear safety and security, including the issuance of joint communiques, repatriation of nuclear material, improved training of personnel, and efforts to combat the trafficking of nuclear and radiological materials.Footnote 8 Recent incidents like the Colonial Pipeline and Solar Winds attacks, though not nuclear-related, have highlighted the importance of threats to critical national infrastructure, as well as the centrality of supply-chain security.Footnote 9 At the same time, India and the United States’ burgeoning bilateral strategic relationship has significantly increased the two countries’ level of mutual trust, enabling them to work together in areas that would have been prohibitively sensitive just a few years ago.

This volume capitalizes on these opportunities by bringing together experts from the U.S. and India to address six nuclear safety and security issues that are of central and enduring interest to both countries. The project grew out of an annual dialogue on U.S.-India strategic relations, organized by the U.S. Naval Postgraduate School and the Observer Research Foundation and sponsored by the Defense Threat Reduction Agency (DTRA). The dialogue addresses a range of strategic issues critical to the U.S.-India partnership. Over time, across several meetings, nuclear safety and security emerged as a recurring topic. The quality of the exchanges between Indian and U.S. participants on this extremely sensitive topic convinced the dialogue organizers and their sponsors to take the project one step further. They subsequently commissioned a series of papers from U.S. and Indian experts, many of whom had participated in the earlier dialogues, on a core set of nuclear security and safety-related challenges. Those papers became the chapters of this book.

The chapters address six substantive issues of relevance to all nuclear states: insider threats and personnel reliability; organizational culture within the nuclear enterprise; emergency response and crisis communications; physical protection of nuclear material; control of radioactive sources; and cyber security and nuclear infrastructure. Each chapter consists of two papers, one from an Indian perspective and one by a U.S. perspective. The contributors are established experts with deep experience in their fields, and include a mix of retired and active civil servants, military officers, and academics.

Few single-volume publications cover the breadth of topics that this project addresses, and none of them bring together Indian and U.S. authors to engage these issues from their national socio-political perspectives. Government agencies, including the U.S. Department of Energy and the U.S. Congressional Research Service, and international organizations, such as the International Atomic Energy Agency, have published technical white papers on specific aspects of nuclear security, such as ensuring the physical security of reactors or designing personnel reliability programs.Footnote 10 These studies tend to be narrowly focused, however, ignoring other important safety and security problems, as well as the socio-political context in which states’ decision-making occurs. Governmental and non-governmental organizations have issued reports on specific crises, such as the Fukushima disaster, and analyses of particular states’ safety and security regimes.Footnote 11 These reports lack a broader scholarly perspective, however, as well as inputs from national experts who could better explain their state’s policy choices. Within the academic discipline of international relations, scholars have developed concepts like strategic culture to understand the differences between states’ approaches to nuclear weapons.Footnote 12 As noted earlier, however, this research has focused primarily on deterrence, proliferation, and normative issues, with much less attention paid to the day-to-day challenges and tradeoffs of nuclear safety and security, or to the ways in which domestic politics conditions states’ approaches to protecting nuclear technologies, materials, facilities, and weapons.

This project, by contrast, addresses nuclear safety and security as a unique problem, nested within national socio-political structures. In doing so, it helps to identify specific ways to protect the nuclear enterprise, while enhancing our broader understanding of variation in states’ approaches to the challenges of nuclear safety and security. From a policy perspective, the volume highlights opportunities for India and the United States to learn from and cooperate with each other as they seek to mitigate the threats and risks posed by expanding nuclear infrastructure. For academics and students, it offers a useful primer on the ways states approach the myriad challenges associated with ensuring nuclear safety and security and the critical tradeoffs they must make.

Below, we outline each of the papers’ main arguments. We then identify some broad themes that emerge from the papers, highlighting similarities between the challenges that the United States and India face, as well as similarities in the two countries’ efforts to address them. Finally, we identify areas for collaboration between U.S. and Indian experts on nuclear safety and security at both the scholarly and the policy levels.

1.1 Mitigating Insider Threats

This chapter focuses on the human side of physical security, discussing the problem of insider threats and examining ways to protect against them, including personnel reliability programs, access controls, and defensive forces. What are the challenges and impediments in detecting and assessing insider threats? How can states ensure the reliability of the personnel who manage or use nuclear or radiological materials? What role does technology play in helping to ensure the reliability of personnel within the nuclear enterprise?

On the Indian side, Rajeswari Pillai Rajagopalan argues that insider threats are the most serious dangers to critical infrastructure, including nuclear facilities. This is the case for several reasons. First, insiders are likely to know a facility’s strengths and weaknesses and have a sense of what vulnerabilities can be exploited. Some may even have privileged access to multiple elements of the facility’s security systems. Second, insiders may escape their colleagues’ suspicion because they are known and trusted employees. Finally, insiders are able to plan their operations over a prolonged period, with opportunities to choose targets, times, and materials based on ongoing observations. Insiders’ access levels and ability to avoid detection will vary based on their occupation and seniority. But any individual with legitimate reason to access the facility is more of a potential threat than a complete outsider.

Rajagopalan argues that cultures of complacency are a key problem that must be overcome if the risks of insider threats are to be mitigated. Among senior leaders in an organization, a culture of complacency can drive an inability or refusal to recognize the possible presence of insider threats. Rajagopalan identifies cognitive dissonance, perception bias, and overconfidence as serious challenges; if senior leaders believe their safety mechanisms are foolproof, they are likely to overlook or misinterpret any warning signs. Historically, she says, Indian officials were inclined to believe insider threat was primarily a problem for security guards, though this has evolved in last 10–15 years.

Insiders can threaten the facility itself, but they also pose a broader danger if they exfiltrate information or material that would facilitate nuclear or radiological attacks elsewhere. Insider threats to India can manifest themselves in many ways: passing information to adversaries about the transportation of nuclear materials, such as the agencies involved and the routes used; theft of small quantities of nuclear materials for sale in black markets; or the use of cyber technologies that could damage or destroy not only the installation’s data but even the facility itself. Senior leaders must consider ways to layer defenses and to compartmentalize access in a way that allows for a greater likelihood of early detection of a potential insider attack.

Identifying and mitigating inside threats, Rajagopalan notes, requires an ever-evolving suite of tools and approaches. The factor that allows insiders to pose a threat—authorized, ongoing access to the facility—can also limit the effectiveness of simple material or kinetic security measures, such as gates and guards. Leaders must therefore develop alternative approaches. In this vein, stringent personnel reliability programs have been a primary area of effort for India, with positive results. Rajagopalan identifies two potential areas of improvement for these programs: more thorough vetting of temporary migrant laborers and persistent monitoring of employees’ online activities to detect radicalization.

In the U.S. paper, Todd Burbach and Patrick Lynch begin by noting that diverse United States agencies, as well as international nuclear bureaucracies, define “insiders” somewhat differently, given their divergent missions and foci of concern. Nonetheless all of these organizations agree that an insider is an individual with authorized access to sensitive materials, facilities, or information, who can use this position of trust to commit harmful acts. Echoing Rajagopalan, they note that while necessary to the operation of the nuclear enterprise, trusted status, and the access it affords, can pose significant threats to nuclear safety and security.

Burbach and Lynch point out that insiders’ motivations to commit harmful acts can vary widely, ranging from ideology to greed, to ambition, to ego, to blackmail. Despite these multiple possibilities, insider attacks against the nuclear enterprise have not happened often; the historical record of such events is thin. Nonetheless, the insider danger is still serious, because one trusted malign actor with access to sensitive systems, facilities, or information could inflict enormous damage. Therefore, rigorous programs to mitigate insider risk are essential.

Burbach and Lynch explain that trustworthiness programs designed to determine employee reliability are an important means of risk mitigation. Such programs can identify personnel with disqualifying characteristics; help to select personnel with desirable traits; and imbue a workforce with pride in their positions and confidence in their colleagues. Program components include measures such as arrest checks, drug tests, and work verifications. As Burbach and Lynch point out, the process of ensuring trustworthiness is ongoing; personnel are reviewed periodically, and any concerning findings can be flagged and trigger a deeper investigative process.

In addition, trustworthiness programs must be combined with other tools, including technical measures such as large-volume data review and profiling, in the effort to mitigate insider threats. And such combinations of techniques, even if successful, cannot remain static. Managers must stay abreast of new capabilities and approaches, and evaluate existing policies periodically, even if these policies appear to be successful.

Finally, Burbach and Lynch argue that successful mitigation of insider threats depends on the cooperation of the workforce. One of its most important aspects of such cooperation is self-reporting. This enables the enterprise to catch problems that it otherwise would miss and address them before it is too late. Often, this can save an employee’s career. To encourage self-reporting, managers must maintain an environment where employees are comfortable admitting their problems and mistakes. Overly punitive policies will discourage such honesty, and ultimately be counterproductive.

1.2 The Role of Organizational Culture in Nuclear Security

Organizations within the nuclear enterprise must develop strong cultures of safety and security, where individuals feel empowered and responsible to do what is necessary to prevent emergencies or accidents. This chapter discusses what constitutes a strong culture of security and how cultural changes in organizations can best be implemented. How can the organizations charged with ensuring nuclear safety and security stave off complacency and stagnation? What can we learn about the role of culture, and how cultures can be changed, from the experiences and approaches of the agencies that comprise the nuclear enterprise in India and the United States?

From an Indian perspective, N.K. Joshi argues that organizational culture develops through organizational practices learned on the job and consists of observable and unobservable values, beliefs, attitudes, and behaviors. Joshi posits that a shared sense of vulnerability among all members of the organization is critical to establishing a strong nuclear security culture. Employees must be motivated to follow established procedures, comply with regulations, and take the initiative when they detect a potential breach or threat. Building a strong culture of nuclear security is a key responsibility of an organization’s leaders, who must promote the beliefs and ideas necessary to create and maintain this culture.

Fostering an environment in which all personnel feel like part of a team is also critical to maintaining and expanding a culture of nuclear security. Scientists and engineers should support and contribute to security objectives rather than feeling like they are simply the passive victims of security rules and regulations. Similarly, security professionals should be treated as full partners with their peers in the nuclear safety community, not as subordinates or outsiders. Joshi suggests this may help mitigate the difficulties associated with national cultures and social norms that emphasize obedience to authority, which can lead to a reluctance to raise alarms proactively.

Joshi also highlights how a culture of security, which relies on compliance and discretion, can be at odds with a culture of scientific enquiry, which prioritizes openness and change and requires sharing of knowledge and lessons learned. While compartmentalization and maintaining a need-to-know policy can be beneficial, Joshi argues, a need-to-share approach can build trust and goodwill, and sharing information can help avert crises. While there is a natural tendency toward secrecy about nuclear matters, too much secrecy, in the form of denying problems or failing to share lessons learned, can undermine nuclear security culture if the organization’s members come to believe the risks are minimal or fully resolved. Security systems must be adaptable if they are to remain effective in the face of evolving threats, which requires leaders to prioritize continual learning and recursive feedback from all stakeholders.

On the U.S. side, Cristina F. Lussier and Karen Kaldenbach argue that the attitudes, values, and behaviors that together comprise culture are critical to the operational success of the nuclear enterprise, and to building trust between the enterprise and the public. Both operational success and trust are critical.

As a result, U.S. authorities take seriously the development of culture within the nuclear enterprise. For example, to help create a culture of openness and transparency, authorities have taken steps like declassifying the Nuclear Posture Review. They believe that an environment that promotes the free exchange of ideas in this manner can facilitate the solution of the complex, dynamic problems that the nuclear enterprise regularly faces. Similarly, the Nuclear Regulatory Commission tries to create a culture that promotes safety, preventing apathy and promoting agility in the workforce. To this end, it has promulgated a nine-part Safety Culture Policy Statement emphasizing the personal and organizational traits essential to the safe and secure operation of nuclear facilities.

These types of statements offer broad guidance, which departments and organizations use to impel cultural shifts that strengthen their establishments. They do this in a variety of ways. For example, the Department of Energy has created a Safety Culture Improvement Panel, to help outline DOE safety attributes and practices. And the Department of Defense Nuclear Weapon System Surety Policy has stressed the need to provide surety throughout the life cycle of a nuclear weapon.

Despite this diversity, the authors identify some common themes across organizations with healthy security cultures. They include the importance of surface indicators, such as proper execution of security protocols upon facility entry; personnel properly wearing credentials; and polite but alert security personnel; standardized expectations regarding the execution of plans and procedures, with leadership held responsible both for their own performance and that of their teams; hiring personnel with right qualifications for specific tasks; collective emphasis on the need for leadership to model good values and behavior; prompt problem identification, evaluation, and resolution; personal accountability; well-defined work processes; continuous learning across the organization; an environment conducive to questioning attitudes and open to raising concerns; effective safety communications; and a respectful work environment. Finally, healthy organizations recognize that creating a safety culture is not the responsibility just of security personnel; it is a top-to-bottom responsibility of all employees, with management communicating clearly and the workforce providing operational feedback from the ground up. Such measures and qualities cannot create a positive safety culture overnight. But with time, they can play a crucial role in creating an environment that promotes safety and security within an organization.

The authors show, through a detailed discussion of the Y-12 incident, that failure to cultivate a healthy safety and security culture in nuclear organizations can be catastrophic. In 2012, intruders were able to breach the Y-12 nuclear facility, defacing the building and remaining on the site for several hours. Subsequent investigation revealed a litany of failures, including poor maintenance, faulty communication, poor discipline, and weak adherence to security protocols. The investigation linked these failures directly to cultural shortcomings, with facility personnel focusing on a culture of compliance rather than one of performance.

The authors argue that the Y-12 incident should be a wakeup call for the United States nuclear enterprise. It demonstrates that attention to cultural health within nuclear organizations is crucial. This is the case not just because of the dangers inherent in nuclear operations, but also because of the challenge of rising Chinese and Russian nuclear capabilities. In today’s strategic environment, the U.S. must be able to rely unquestioningly on its nuclear deterrent capabilities.

1.3 Emergency Response and Crisis Communications

As nuclear infrastructure grows, the risks of radiological or nuclear emergencies will increase as well. It is critical to be prepared to respond to potential crises in a timely and coordinated fashion. This chapter addresses best practices in emergency response and crisis communication, with an emphasis on holistically considering the need for procedures and policies, communications systems, networks of trained personnel, and emergency exercise execution and appraisal programs. How can organizations learn to work together effectively before crises? How does the nuclear enterprise approach the challenge of managing public opinion and preventing panic during a crisis?

On the Indian side, R.S. Sundar emphasizes the importance of building trust and familiarity among the local population to improve the acceptability of nuclear power plants. Establishing a positive, trusting relationship with the public begins even before the plant is constructed, and must remain a high priority during normal plant operations as well as during crises. Nuclear power projects must use print and electronic media and find ways to explain the project and answer questions in non-technical language. Sundar provides a detailed overview of how the Kudankulam Power Plant (KPP) approached the challenge of public relations. By using media appearances, reaching out to and through academics, and printing leaflets that answered common questions in an approachable way, KPP was able to assuage many of the fears and objections that had been raised by the local population in the wake of the Fukushima disaster.

Sundar then turns to emergency response and how nuclear site operators can approach communications during crises. Plants are required to have emergency preparedness plans and procedures in place before they achieve criticality. Part of the planning process involves exercises, of which there are three types: plant emergency exercises, which focus on the plant’s response within the facility; site emergency exercises, which involve all facilities within a 16 km radius; and off-site emergency exercises, which involve district authorities as well as plant personnel to test and clarify crisis roles and responsibilities beyond the plant’s boundaries. Because the characteristics of the radioactive material that could potentially be released from a nuclear power plant are known, response actions for mitigation of consequence can be planned in advance, though this does not obviate the need for exercises to practice the response.

The early phase of an emergency is the most important to get right. It is also, Sundar notes, the most challenging: there are high levels of uncertainty, particularly regarding plant conditions and field measurements, and sudden changes in assessments are frequent. There is often a lack of sufficient external technical support. As a result, decision-makers can under-react or overreact to the evolving situation.

Improving decision-making in the early phase of an emergency therefore requires nuclear power plants to establish criteria to classify emergencies in a timely manner. Classification requires a strong baseline understanding of plant conditions to determine when deviation from the norm is truly an emergency. By developing Emergency Action Levels in this way, plants are better prepared to take appropriate and necessary protective actions to reduce radiological consequences. These protective actions needed will depend on the amount, time, composition, and frequency of release.

Finally, Sundar notes that India has moved away from an exercise methodology that was based on known, rehearsed accident scenarios and coordinated field responses, toward more unpredictable scenarios and responses that emphasize early-phase decision-making. This methodology provides more realistic challenges to nuclear plant operators, district authorities, and federal agencies with responsibility for oversight and emergency response. It also provides an opportunity for iterative learning, as post-exercise reports can be analyzed for ways to improve.

On the U.S. side, Daniela Helfet Cooper, Michael Hornish, and Alisa Laufer show that although nuclear emergencies are especially dangerous events, many of the techniques that the United States employs to respond to them come from other, more ordinary types of crises. For example, a mainstay of nuclear crisis response is a tiered response structure that stretches across local and federal entities. This structure is not unique to the nuclear domain; it comes from the National Response Framework (NRF), which was developed in response to a series of storms, including Hurricane Katrina, which hit the southern United States in 2005. The NRF now governs U.S. responses to domestic emergencies that require federal support to augment state or local efforts. It specifies roles, terminology, and incident-management principles that enable multi-level coordination. The framework operates according to the principle that all responses should be handled first at the lowest possible jurisdictional level, receiving higher-level support only as needed. A dedicated annex specifies how these principles and practices would apply to nuclear or radiological incidents.

The authors explain that a central challenge with crisis response is that, within organizations, it is often unclear who is authorized to make decisions regarding the authority to request and approve assistance. The problem is exacerbated as emergencies become more complex. This challenge was evident during the 1995 Aum Shinrikyo attacks in Tokyo, when paramedics had difficulty securing the necessary clearance from higher medical authorities to treat victims. One means of mitigating this problem, the authors note, is to delegate authority to request and approve assistance to the lowest possible level within an organization, and to identify the personnel with that authority in advance. Another solution is to identify circumstances under which restrictions will be waived and authorities delegated. The efficacy of this approach was seen in the U.S. response to the COVID-19 crisis, when some states provided waivers allowing out-of-state healthcare personnel to practice in them.

The authors explain that one of the most effective ways of ensuring a good emergency response is to prepare thoroughly for it. This involves devising a response plan and conducting exercises to practice its implementation. Realistic exercises enable responders to ensure that they can perform their missions in the event of a real crisis, without referring to written plans and procedures. They also can expose weaknesses in existing plans, pointing up areas requiring additional training and resources. And they help personnel to network across agencies and jurisdictions. The familiarity and trust that this networking builds can be invaluable in responding to a crisis.

In addition to responding directly to emergencies, government agencies must communicate with the public to explain the situation, combat misinformation, and prevent dangerous public reactions. Quickly providing clear, accurate information can help to ensure public safety. Some ways they can do this include pre-scripted communications plans and emergency guidance adaptable to the specifics of a crisis. It is important for government stakeholders to build consensus around them ahead of time. This will help to ensure timely and orderly dissemination of information.

One of the most difficult aspects of crisis communication is striking a balance between the accuracy of information and the speed of its dissemination. Appointing a lead authority for public messaging, whom the public trusts, can help to ensure consistent communications across diverse government agencies. Also, government must be honest with the public, avoiding speculation, admitting when its understanding of a situation is incomplete, acknowledging that information can change, and explaining why any departures from earlier guidance have occurred.

The authors illustrate their arguments with discussions of two major nuclear disasters—Three Mile Island in 1979, and Fukushima Daiichi in 2011. These cases demonstrate the difficulty of coordinating multi-sectoral responses to fast-moving emergencies. They also show how a number of the principles that the authors identify emerged as best practices, to facilitate more effective crisis response.

The authors close by identifying opportunities for United States-India cooperation in the area of nuclear crisis response. These include expert exchanges, bilateral dialogues, and tabletop exercises. Such measures would enhance expertise on both sides, and build relationships necessary to advance collaboration in the future.

1.4 Physical Protection of Nuclear Facilities and Materials

Nuclear facilities and materials must be protected from a range of external threats, including attack, theft, and diversion. This chapter asks how the United States and India seek to do so, and how their approaches have evolved over time. In addition, the chapter seeks to identify new technologies or practices that can mitigate external threats in the future.

Anil Kumar offers an Indian perspective on this problem. He notes that physical protection regimes have four primary purposes: to guard against unauthorized removal, including theft and other unlawful taking of nuclear material; to locate and recover missing nuclear material rapidly and comprehensively; to protect nuclear material and facilities against sabotage; and to mitigate or minimize the radiological consequences of sabotage or accidents. The effectiveness of a physical protection system (PPS) for a nuclear facility depends on a combination of three factors: technology, procedures, and security personnel. Every physical protection system should be evaluated against a defined maximum threat level for which the facility owner will secure its facility and materials.

Kumar argues that for a PPS to serve its main functions—deterring, detecting, delaying, and defeating adversaries, as well as mitigating radiological consequences—it should employ defense in depth, with multiple layers of increasingly robust protection. Detection should be as far as possible away from the targets, while delay mechanisms should be placed near the target. The levels of protection should follow a graded approach, increasing or decreasing with the potential threats and how attractive various materials and systems may be to adversaries. Kumar provides a model for the physical protection of nuclear facilities that details the multiple layers of security precautions. He argues that effective physical protection requires compartmentalization of physical spaces, with individuals granted access only to areas and information they need to perform their jobs. Nevertheless, security systems must not be allowed to inhibit the smooth functioning of the facility.

Security personnel must remain vigilant to changes in the threat environment. To avoid complacency, personnel should be kept alert through exercises, briefings on incidents elsewhere, and rotation between posts and responsibilities. As noted, emergency preparedness is a critical planning concern for physical security systems. As the personnel closest to the scene of an incident, security teams will be required to assist with triage and maintaining access control in a complex and fast-paced environment. This requires regular exercises of varying scopes.

Finally, Kumar addresses the specific challenges associated with transportation of nuclear and radiological material. Protection of materials in transit requires careful planning, with consideration given to such diverse issues as the packaging used to contain the materials; the legal and regulatory requirements of areas being transited; and how materials will be stored and guarded if there is an overnight halt. Kumar notes that in addition to the IAEA’s categorizations, India’s Atomic Energy Regulatory Board has developed its own system to identify the proper level of security needed. Because radiological materials differ in their hazard potential, degree of radioactivity, and attractiveness to adversaries, the AERB has identified three levels of increasingly stringent security arrangements. Kumar points out that transporting nuclear materials adds another layer of complexity. Materials may need to transit through areas with which the security contingent is not very familiar. The occasional need for temporary storage, the transition of guard forces, and the interaction with territorial authorities at jurisdictional borders further compounds the security risks.

In the U.S. paper, James McCue and Alan Evans offer a systems engineering approach to Physical Protection System (PPS) design. They discuss a methodology called Design Evaluation Process Outline (DEPO), which has been widely used to design and evaluate both civil and military physical protection systems. Though they cannot directly discuss military applications, DEPO enables McCue and Evans to convey to the reader how physical protection challenges might be approached on the military side.

The authors describe in detail the dynamic process through which a physical protection system is constructed. Steps in this process include defining requirements based on the nature of the facility to be protected, regulatory standards, available resources, threats, and budgets; and designing physical protection elements based on a series of principles including detection, delay, and response. In addition, systems are evaluated through exercises, analysis, evaluations, and threat updates.

If a planned system fails this evaluation, it is redesigned, and the process starts again. If it passes, the system is built. But even in this scenario, the evaluation and design process does not stop; the system is continually evaluated against rigorous performance standards. This can lead to minor changes, or to the system’s wholesale redesign, which starts the entire process over again.

The authors illustrate their points with applications of the DEPO method to physical security systems in U.S. ICBM launch facilities, and in nuclear warhead transportation. In addition to explaining how each step of the existing DEPO methodology applies to these examples, the authors make a number of suggestions for changes to the DEPO process. These include the addition of new analytic elements such as budgetary restraints, security system reputation, and threat capabilities defined in conjunction with the enemy’s goals. The authors also recommend a move from compliance-based to more forward-looking, performance-based evaluation, which will help security managers to leverage the high quality of today’s personnel, and stay abreast of emerging technologies. Changes such as these, they argue, can ensure the continued dynamism of the DEPO process, and help to make it even more effective in the future.

1.5 Controlling and Managing Radioactive Sources

Uncontrolled or orphaned radioactive sources pose serious dangers, yet effective regulation of the disparate types and users of radioactive material is a daunting task. How can states ensure that radioactive sources are appropriately regulated and adequately secured at all times? How have the United States and India addressed the challenge of locating, recovering, securing, and recycling orphan sources?

On the Indian side, N. Ramamoorthy provides a panoramic view of the uses and importance of radioactive materials for a wide variety of industrial and medical purposes. He argues that different applications of radioisotopes come with different vulnerabilities, and it is therefore not possible to create a one-size-fits-all approach to security. Ramamoorthy provides an overview of the properties of radioisotopes that make them so useful for applications ranging from cancer treatments, to sterilization of medical products, to disinfestation of food products, to manufacturing of advanced materials, to mitigation of certain pollutants. Some of these uses inherently carry security risks, however; Ramamoorthy raises the example of industrial radiography, which requires transportation of devices with radioactive sources at short notice by companies operating in a fiercely competitive economic space. Effectively controlling and managing the use of radioactive sources requires ongoing attention to the multifarious threats and risks these sources may pose, from accidental loss of sources to intentional usage in an improvised radiological device.

Ramamoorthy notes that the production of radioisotope-based sources and equipment containing radioisotopes (RI) has been confined to a limited number of countries at national centers and in private industry. Their deployment, however, has been extensive, both geographically and across a wide variety of facilities, including at hospitals, industrial sites, academic centers, and research labs. Movements of packages containing these types of sources are routine throughout the year, with some occurring more frequently based on the half-life of RI involved and the need for source replacement or replenishment. The volume of sources and their regular movement can create opportunities for diversion or loss. To mitigate that likelihood, India has developed a web-based system, e-licensing of radiation applications (e-LORA), to facilitate registration, applications, approvals, accountability, and tracking by the Atomic Energy Regulatory Board. Ramamoorthy also highlights the problem of legacy and orphaned sources, which have resulted in high-profile accidents in several countries. In the 2010 Mayapuri incident, for example, eight people were injured and one died after a research irradiator owned by Delhi University was sold to and dismantled by a scrap-metal dealer who was unaware of the hazard.

Because there will always be some risks associated with the use of radioactive sources, Ramamoorthy argues, discouraging the use of these sources where alternatives are available will be the logical first option. Technological, economic, and logistical issues create barriers to this approach, however, and its feasibility varies across issue areas. For applications where a non-radiological alternative does not exist, improving source security is likely to require better accountability and more proliferation-proof designs. Where alternatives do exist, government will need to partner with industry to make the use of these alternatives more attractive and achievable.

U.S. authors Christopher Boyd and Anne Wiley explain that sealed sources, radioactive materials intended to remain enclosed in a capsule or bonded in solid form, are widely used in life-saving medical treatments and infrastructure applications. But, in the wrong hands, they can be deployed as weapons, providing the radiological material needed to make “dirty bombs.” This problem is particularly concerning because sealed sources are commonly used in relatively lax security environments, such as healthcare organizations and academic institutions. Sealed sources therefore require careful attention and management.

In the United States, dealing with the problem of sealed sources is difficult in part because of the complexity of the regulatory landscape, which features overlapping federal and state jurisdictions, and involves multiple entities. These entities include the Nuclear Regulatory Commission (NRC) and Agreement States, to which the NRC has relinquished portions of its regulatory authority. The Organization of Agreement States (OAS), in turn, facilitates interaction between Agreement States and the NRC, seeking to minimize conflicts between individual states and the NRC and create a role for states in national-security matters.

Beyond this jurisdictional complexity, a number of additional factors make federal-state regulatory cooperation particularly difficult. For example, state regulations must be compatible with, rather than identical to, federal standards. Nonetheless, in practice, the NRC may require a level of conformity that requires essentially identical rules. This can impede states’ efforts to implement regulations that exceed federal standards, but are necessary because of their particularly high-risk profiles.

Performance-based approaches to determining state compliance with federal regulations give rise to additional challenges. For example, such approaches allow licensees flexibility in meeting regulatory intent. But their lack of specifics can create uncertainty about standards, and subjectivity in determining compliance.

Finally, both federal and state regulatory efforts focus on risk mitigation, rather than risk elimination. This approach suffers from a number of shortcomings. For instance, risk mitigation is costly, requiring large investments of human, economic, and political resources. And it relies on human factors such as norms and culture that can be difficult to influence.

Boyd and Wiley offer several solutions to these problems. They argue that while overregulation is bad, states must be able to exceed minimal regulatory standards. This may create some complexity, but also ensures that they are meeting the reality of their threat environment. The authors also maintain that while performance-based regulatory approaches promote flexibility, prescriptive approaches can be useful, reducing uncertainty and creating clear standards for compliance.

Finally, the authors offer a detailed argument in favor of risk elimination, arguing that, where viable options exist, governments should encourage the adoption of alternative technologies that do away with the risk of sealed sources entirely. As the U.S. experience replacing cesium blood irradiators demonstrates, such measures can be implemented even without a legislative mandate, through the voluntary replacement of dangerous technology. The authors argue that the U.S. experience can serve as a model for governments that wish to eliminate risky technologies in the absence of legal requirements to do so.

1.6 Cybersecurity and Nuclear Infrastructure

This chapter explores cyber threats to nuclear infrastructure, which have become more widespread and increasingly sophisticated with the digitization of the nuclear enterprise, even as states have sought to identify new ways to defend against them. What are the primary risks posed by cyber activities against nuclear facilities? How have the United States and India sought to prevent and prepare to recover from malicious cyber activities? What policy options exist to reduce the risk of a catastrophic cyberattack?

Pulkit Mohan describes the Indian context. She argues that serious Indian attention to cybersecurity is fairly recent, beginning roughly in 2013. Ironically, Indian concern was triggered by perceived dangers from the United States, as the Edward Snowden leaks revealed alleged U.S. spying on India. As Mohan explains, this led the Indian government to promulgate a National Cyber Security Policy, designed to create an ecosystem to defend against cyber threats and ensure the integrity of information and information structures. She then describes the structure and functions of government agencies charged with building and maintaining cybersecurity mechanisms within the country’s nuclear infrastructure. The importance of these agencies’ efforts has grown, Mohan points out, as India’s nuclear enterprise has that has become increasingly digitized.

Mohan then discusses the 2019 cyber breach at the Kudankulam Power Plant. She explains the nature of the attack, using malware known as Dtrack, which had previously been used to attack financial institutions, and the Indian government’s response, which included a robust official investigation, and the implementation of measures such as hardening intranet and internet connectivity, restricting the use of removable media, and blocking malicious websites and IP addresses. Mohan argues that this incident could have been much worse, as it was limited to the plant’s administrative network and did not affect its control systems. Still, it made clear the urgent need for improved security practices and structures in India’s nuclear enterprise.

Although India significantly increased its attention to cybersecurity in a relatively short period of time, Mohan argues that more needs to be done, as Indian entities are frequently the target of cyberattack, and the country’s nuclear infrastructure is increasingly digitized. At home, this will require increased attention to issues including the creation of a security culture, mitigating supply-chain vulnerability, increasing standards of personnel reliability, and enhancing industry-government cooperation. Internationally, India can benefit from strengthening agreements with likeminded countries, particularly in the areas of 5G technology, critical infrastructure, and supply-chain diversification.

In the U.S. article, the team of authors led by Clifford Glantz agrees with Pulkit Mohan that cybersecurity is becoming an increasingly important facet of nuclear safety and security, in large part because the nuclear enterprise relies more heavily on digital technology. In addition, they point out that an inconsistent regulatory environment, and the United States’ and other countries’ late recognition of the seriousness of the cyber threat, exacerbates cyber-related dangers. Not surprisingly, numerous attacks and breaches have occurred around the world, including in the U.S., Korea, Iran, and India.

Glantz’s team shows that the sources of cyber threats to the nuclear enterprise, and the potential consequences of attacks, are extremely diverse. Threat sources include nation-states, cyber criminals, terrorists, “hacktivists,” and insiders. Their malign activity can result in harm to public health, economic losses, environmental damage, increased regulation, and a loss of public confidence in the nuclear facility, or in nuclear power generally.

The authors offer a detailed discussion of U.S. regulatory approaches, tracing their evolution as the Nuclear Regulatory Commission issued regulations and guidance, based on continual learning, since the early 2000s. The authors also explain that although a robust regulatory regime is necessary for cybersecurity, more regulation is not necessarily better. For example, not all compliance-based controls are applicable in all situations. Some controls can be costly to implement, or they may limit licensee flexibility and creativity. Furthermore, controls can feature digital components that are themselves vulnerable to exploitation. Performance-based regulatory approaches can help to mitigate these problems by encouraging innovation, improving cost–benefit ratios, saving time, reducing paperwork, and promoting communication between groups within a facility. These approaches are harder for regulators to inspect, however. To address these problems, and strike a balance between two types of approaches, the Nuclear Regulatory Commission is now incorporating risk-based components into its compliance-based program.

Glantz et al. also offer detailed discussions of U.S. approaches to risk assessment and cyber defense. Like cyber threats and consequences, these assessment and defensive approaches are diverse. The authors describe U.S. approaches to each of these measures in detail. Risk assessment include quantitative methods, focusing on such factors as asset values and risk of exploitation; qualitative processes, emphasizing discussions between subject-matter experts; and hybrid approaches, which combine elements of the previous two methodologies. The first two approaches are well established, while hybrid methods are still evolving.

Defensive measures include deterrence, detection, delay, and denial. Capabilities and techniques are extremely diverse, and include continuous monitoring programs; automated assessment of computer logs; honeypots, which lure attackers to attack decoy systems; and defense in depth, which employs multiple independent layers of security. As Glantz and his colleagues explain, all of these measures are essential components of an effective cybersecurity program.

The authors also discuss supply-chain security. They note that the integrity of supply chains is a longstanding concern of regulators and facility operators. Nonetheless, nuclear power plants have recently faced serious supply-chain problems. The authors illustrate the nature of the challenge with a discussion of the 2020 SolarWinds incident, in which attackers inserted malware into a popular network management system, opening a back door into the computer networks of clients ranging from top private companies, to government entities including the National Nuclear Security Administration. The section closes with a discussion of tools being developed to enhance supply-chain security, including a bill of materials, which can help identify vulnerabilities in commercially available firmware or software used in nuclear facilities.

Finally, Glantz et al. addresses the challenge of assessing cybersecurity. Auditors conduct checklist-based inspections of nuclear facilities to evaluate regulatory compliance. Failure to meet standards can result in further monitoring, as well as other penalties. Facilities will therefore wish to conduct self-evaluations, which the authors argue should include risk-based assessments to ensure compliance while avoiding excessive operational and business disruptions.

1.7 Conclusion

This series of papers provides many important details regarding the United States and India’s approach to nuclear safety and security. But a number of broad themes emerge from the papers as well. These themes can help us to identify similarities between the challenges that the U.S. and India face, and the two countries’ efforts to surmount them. This can suggest opportunities for cooperation between India and the United States as well as areas for further research. These broad themes include the following:

Safety and security, though important, are not infinitely valuable. Marginal safety and security increases may not always justify the resultant financial burdens, legal conundrums, and stifled creativity. The pursuit of safety and security, then, must be balanced against other goods that the nuclear enterprise seeks to achieve.

Although formal rules and regulations governing the operation of nuclear facilities are important, they are ineffective without workforce buy-in. Personnel must be willing to follow the letter and spirit of the rules voluntarily, even in situations where they could get away with breaking them. Thus the safety and security of the nuclear enterprise depends, to a considerable degree, on normative and social factors, which can be difficult to understand and to manipulate.

New technology can create efficiencies while also generating new categories of risk. Recognizing these risks can take time, creating windows of vulnerability across the nuclear enterprise.

Although safety and security failures can be potentially catastrophic, they provide lessons that can help to avoid similar incidents over the long term. Failures should be discussed as openly as possible, and leveraged as learning opportunities.

The nuclear enterprise exists within a social and political context. Public beliefs about the dangers of nuclear facilities, even if unfounded, can severely hamper their operation. Effective communication between the nuclear enterprise and the public is essential.

The nuclear enterprise also exists in an economic context; nuclear security must be affordable. Failure to design a security system that is economically viable is failure to design an effective security system.

Efforts to secure the nuclear enterprise will be futile if the components on which it is constructed are compromised. Ensuring that component supply chains are secure is essential to avoiding unseen vulnerabilities.

Sophisticated designs may not yield the best security systems. Multiple rudimentary systems can sometimes generate security more effectively than one exquisite system.

The absence of catastrophe does not mean that the nuclear enterprise is sufficiently safe and secure; unidentified failures could be occurring at any time, making disaster imminent. Self-evaluation within the enterprise must be rigorous and continuous.

Although the notion of universal best safety and security practices is attractive, it is not always helpful. Approaches that work in one national or regional context may not work elsewhere. We must take care to differentiate between principles that apply universally and those that are region- or country-specific.

These themes suggest a number of opportunities for cooperation and further research. For example, Indian and the United States experts might collaborate on strategies to address shared problems such as cyber vulnerabilities, which have become increasingly important as nuclear facilities have become digitized; the need to ensure that sensitive materials are transported safely, which appeared in a number of chapters; and the need to develop healthy cultural environments within their workforces, which was a common theme in many issue areas. They also can conduct joint studies of safety and security failures, learning from each other’s mistakes. And the two countries can explore ways to pool their resources and capabilities, along with those of trusted partners, to create secure supply chains for their nuclear infrastructure.

Above all, expert communities in the United States and India must continue their dialogue on these sensitive issues, sharing wisdom and experience, and building trust. This will not only help to secure their respective nuclear enterprises, but will also enhance the two countries’ broader strategic partnership. We hope that this volume constitutes a modest step in that direction.