Physical Protection of Nuclear Facilities and Materials

Abstract

This chapter offers perspectives on protecting nuclear facilities and materials from external threats and how these approaches have evolved over time. The authors also identify new technologies and practices to mitigate threats to facilities and materials. Indian author Anil Kumar argues that physical protection systems must employ defense in depth and follow a graded approach, increasing or decreasing with the potential threat to various materials and systems. Kumar specifically focuses on the challenge of transporting nuclear and radiological materials safely. U.S. authors James McCue and Alan Evans describe the Design Evaluation Process Outline (DEPO) process through which U.S. physical protection systems are constructed and discuss how it could be improved. They explain how the DEPO process applies to physical protection systems in ICBM launch facilities as well as to transportation scenarios.

5.1 An Indian Perspective

• Anil Kumar 

In the current global scenario with emerging international security challenges, it is a distinct possibility that nuclear or other radioactive materials could be maliciously employed. Nuclear security is fundamental in the management of nuclear technologies and in applications where nuclear or other radioactive material is used or transported. An effective national nuclear security regime consists of the implementation of relevant international legal instruments; information protection; physical protection; material accounting and control; detection of and response to trafficking in such material; national response plans; and contingency measures.¹ Each state carries full responsibility for nuclear security; specifically, to provide for the security of nuclear and other radioactive material and associated facilities and activities; to ensure the security of such material in use, storage, or transport; to combat illicit trafficking and the inadvertent movement of such material; and to be prepared to respond to a nuclear security event.² Physical protection against unauthorized removal of nuclear material and against the sabotage of nuclear facilities or transports has long been a matter of national and international concern as well as an  area of cooperation.³

5.1.1 Components of Physical Protection Regime and Indian Commitments

The overall objective of a state’s nuclear security regime is to protect persons, property, society, and the environment from malicious acts involving nuclear and other radioactive material. The objectives of the state’s physical protection regime, which is an essential component of the state’s nuclear security regime, are⁴:

• To protect against unauthorized removal, including theft and other unlawful taking of nuclear material

• To locate and recover missing nuclear material rapidly and comprehensively

• To protect nuclear material and facilities against sabotage

• To mitigate or minimize the radiological consequences of sabotage.

The state’s physical protection regime is intended for all nuclear material in use, in storage and during transport, and for all nuclear facilities.⁵ The regime should be reviewed and updated regularly to reflect changes in the threat and advances made in the physical protection approaches, systems, and technology, and also the introduction of new types of nuclear material and nuclear facilities.

During international transport of nuclear material, particularly Category 1 material, the responsibility for physical protection measures should be the subject of written arrangements accepted by the states concerned. The relevant competent authority of the shipping, receiving, and transit states, and the flag state of the conveyance should establish specific measures to ensure the continued integrity of the shipment, and to ensure that responsibility for response planning and capabilities is defined and fulfilled. Additionally, any sensitive information shared by the states concerned should be protected and the overall arrangements for the shipment should be in accordance with the relevant states’ national laws. The point at which responsibility for physical protection is transferred from one state to another should be determined in advance, to enable the relevant state to make adequate physical protection arrangements.

India is committed to provide for the security of nuclear and other radioactive materials, and associated facilities and activities, either in use, storage, or transport. It is also fully prepared to respond to any nuclear security event arising due to illicit trafficking or inadvertent movement of such materials. India follows INFCIRC/225/Rev.5, which contains recommendations issued by the International Atomic Energy Agency (IAEA) for the information of all member states.⁶ For an effective physical protection system, every state needs to determine its requirements. The overall Physical Protection System (PPS) requirement should be evaluated for protection performance against a particular threat level. This threat level should be well defined by the country, as mentioned in INFCIRC/225/Rev.5.⁷ The threat of unauthorised removal of nuclear materials or sabotage of nuclear facilities, against which the facility owner is responsible for designing and providing protection, is known as Design Basis Threat (DBT).

India has developed DBT in a very meticulous manner, and it was reviewed in 2009 after the terrorist attack on Mumbai in November 2008. On the basis of the national Design Basis Threat, every facility prepares its own DBT for which it designs a Physical Protection System and gets concurrence from the nuclear regulator. The DBT is reviewed when a very prominent and probable change in the threat scenario occurs.

Adversaries posing a threat to nuclear materials and facilities can be separated into three classes—outsider, insider, and outsider in collusion with insider. These threats could manifest using the tactics of deceit, force, or stealth while infiltrating into facilities. The national DBT recognizes these categories of adversaries and their capabilities as a comprehensive aspect of nuclear threat analysis.

5.1.2 Considerations for Designing a PPS

The physical protection system (PPS) of any facility depends on a proper combination of three factors: technology, procedures, and security personnel. Every physical protection system should be evaluated against a defined maximum threat level for which the facility owner will secure its facility and materials.

The potential targets in each facility should be identified according to the attractiveness of unauthorised removal or sabotage for an adversary. In a reactor complex, a vital area is defined as a set of equipment, systems, devices, or materials whose failure, destruction or misuse could result in radiological release endangering the public. An inner area is defined as a set of targets attractive for unauthorised removal.

The regulator specifies the physical protection system’s requirements after obtaining full information regarding facility characterisation, threat definition, and target identification. Optimal solutions come from synergizing all three requirements for a viable physical protection system through a combination of fences, vaults, sensors, procedures, communication devices, and response force personnel. Every PPS should have the primary functions of⁸:

• Deterrence of an adversary

• Detection of an adversary

• Delaying an adversary in reaching the target

• Defeating the adversary by Response Force

• Mitigation of radiological consequences

The following general guidelines and principles should be adhered to while designing a PPS:

• Detection should be as far as possible away from the targets

• Delay mechanisms should be placed near the target

• Alarms must be reliably communicated to the response force

• Levels of protection should follow a graded approach, increasing or decreasing with the potential hazards, and attractiveness to adversaries, of materials and systems

• The PPS should employ defence in depth, with multiple layers of increasingly robust protection

• Each layer of a physical protection system should have same level of strength against adversary penetration at all points

5.1.3 Nuclear Security and Physical Protection in India: An Overview

5.1.3.1 Historical Perspective

The Department of Atomic Energy in India was established in 1954. It was mandated to develop nuclear-power technology, with an aim to develop and research applications of radiation technology in the fields of Agriculture, Industry, Medicine, and Basic Sciences. The Atomic Energy Regulatory Board was constituted in 1983 to carry out regulatory and safety work. Later, in 2009, it was also empowered to regulate and supervise the security of the nuclear facilities. India’s first nuclear research reactor became critical in 1956 and its first nuclear power reactor achieved criticality in 1969. Presently, 22 nuclear power reactors in India are operational. India has an accumulated experience of operating of nuclear power reactors of more than 500 reactor-years without any major security, safety, or safeguard breach. Many of its reactors have achieved record days of continuous operation. Recently, a 700 MW Nuclear Power Reactor achieved criticality without any issues. In light of the above experience, it can be well presumed that India’s Nuclear operators and regulators have shown their capabilities and established their credentials in this field.

India has been facing threats from a hostile external neighbourhood, as well as from home-grown extremist groups. In the 1980s, the country suffered from Sikh terrorism, which included the assassination of Prime Minister Indira Gandhi. There was also a constant threat in the southern part of the country from various groups that supported another terrorist group, the Liberation Tigers of Tamil Elam (LTTE). Eastern India has also faced various separatist/extremist movements, which have orchestrated a long-drawn Maoist insurgency against the Government. Finally, the 2008 Mumbai terrorist attack, executed by highly trained militants who were receiving clear directions from Pakistan, resulted in significant loss of life and property.

5.1.3.2 Security Architecture in India: General Considerations

With the above backdrop in mind, let us visit the security architecture in nuclear facilities in India. Nuclear installations in India are under well-guarded multilevel security systems right from the border of the country to the site of the facility. Security of nuclear assets has long been of paramount importance to India, as is evident from provisions relating to security of facilities and materials included in the Atomic Energy Act of 1948.

Nuclear facilities are declared “Prohibited Areas” under the Atomic Energy Act, which allows regulation of movement in and around them. The Indian Official Secrets Act also restricts photographing or drawing nuclear facilities. In addition, the Government of India has declared “No Fly Zones” and “No Fishing Zones” around nuclear facilities. The security environment is continuously reviewed by inter-ministerial committees. These committees meet at regular intervals to share and review security information and ensure smooth inter-agency coordination with each other.

Specific components of physical protection systems in India include:

• Strict access control measures for personnel, vehicles, and materials

• Robust perimeter defence with watchtower and patrolling track

• Early detection capabilities

• Continuous monitoring and intrusion detection in operating island, as well as vital/inner areas

• Securely located, continuously manned Central Alarm Station

• Well-trained and equipped, round-the-clock federal response force

A model layout of the physical protection system of a power reactor, clearly depicting its multilayer security structure, is shown in Fig. 5.1. The Exclusion Zone Boundary is the first layer of defense, where entry is restricted through a manned gate. The area between the Main Plant Boundary and Exclusion Zone Boundary is a no man’s land. The Main Plant Boundary (MPB) has access control portals for personnel, vehicles, and material. Watchtowers are also located along the MPB, and a continuous patrol is kept up. The Operating Island, including the Vital/Inner Area, is double-fenced, with intrusion detection devices between the two fences.

Fig. 5.1

Layout of model physical protection system

The following security practices are essential to an effective physical protection system:

• Need-to-Know and Need-to-Go: Every stakeholder in a facility should be given only the information that he needs to know at that moment, including information regarding security systems. Similarly, areas within nuclear facilities should be compartmentalised according to their security significance. Personnel should be allowed entry only into specifically permitted areas of movement.

• Security systems should facilitate smooth functioning of the facility; they should not inhibit it. There should be perfect synergy between facility operation, safety requirements, and security requirements.

• Security personnel should understand that the security environment is dynamic, and they should act according to its changing requirements.

• Security personnel should continuously monitor vulnerabilities and should enhance security measures accordingly.

• Security personnel must remain alert. Uneventful periods can create a sense of complacency. Remedial measures include rotating posts, briefing and debriefing, discussing security incidents elsewhere, and making preemptive arrangements to thwart emerging security threats. The arrangement of very light refreshment at the duty-post in dull hours can help keep the security forces alert in addition to boosting their morale.

• All safety incidents should be considered potential security incidents.

• Root-cause analysis of all incidents, accidents, and near-miss situations should be meticulously done and should be shared with other facilities and the regulator.

• There should be a continuous schedule of training and mock drills for the response force.

• There should be self-auditing of PPS equipment and infrastructure. The gadgets should be in an operational condition and if found otherwise, then appropriate measures should be taken to rectify or compensate for the situation. There should be a strict timeline for replacement of a faulty equipment and accountability should be ensured.

• Security guards should be alert to possible cyber-hacking of PPS gadgets and control panels.

Stakeholders should make a conscious effort to improve nuclear safety and nuclear safety and security culture. They can do so by:

• encouraging employees and security personnel to strictly adhere to SOPs

• encouraging employees to communicate any suspicious incident, behaviour, or conduct

• supporting activities that enhance stakeholders’ pride in the organisation

• keeping a transparent grievance redressal mechanism

• improving the Personnel Reliability Programme (PRP)

These procedures and principles are codified in a manual and SOPs. They are used to sensitize appropriate stakeholders to their role in nuclear security on a strict need-to-know basis.

5.1.3.3 Emergency Preparedness and Response

Physical protection systems should be able to mitigate the consequences of radiation release for workers, the public and the environment. They should also be able to locate lost or stolen material. India has a complete system for dealing with nuclear or radiological emergencies. This system is an integral part of the national disaster mitigation architecture.

In nuclear power plants, the plan for off-site emergency mitigation is part of the documents for regulatory approvals. This plan is also shared with local administrative authorities and with the Government of India. The area around a nuclear power plant is divided into an Emergency Planning Zone, a Sterilized Zone, and an Exclusion Zone. The Exclusion Zone is an area around the plant with a radius of 1 km. In this area, no habitation is allowed. The Sterilized Zone is an area with a radius of 5 km from the plant. In this area, any new industrial or commercial activity which attracts new population is forbidden. The emergency planning zone is an area around the facility with a radius of 16 km. Emergency exercises are held periodically, as per the regulator’s requirements.

Mitigation plans for emergencies arising out of other nuclear or radiological accidents are planned according to the guidelines of the National Disaster Management Authority. In any such incident, technical guidance is given to the local law enforcement authority or to the National Disaster Response Force by Crisis Management Group (CMG) of Department of Atomic Energy, which consists of experts of various disciplines. If local law enforcement authority requires on-site assistance of technical experts, it is provided from the nearest Emergency Response Centre. These Emergency Response Centres (ERCs) are located at 30 different locations across India. The Department of Atomic Energy has also established a 24 × 7 Emergency Communication Room (ECR) and alternate ECRs with multiple redundant modes of communication.

A model layout for planning an emergency response system is provided in Fig. 5.2. Following a radiological emergency, the premises are triaged into the inner cordoned area, decontamination area, outer cordoned area, and staging area. Access control between these areas is of paramount importance. The response is coordinated by an incident commander, who is assisted by the response force and local authorities. He also helps in setting up the medical response base, radiological monitoring and assessment centre and evacuee monitoring and registration area, while also interfacing with the public information centre.

Fig. 5.2

Conceptual plan for emergency operations

India has already shown its expertise in Goiania, Brazil, and Afghanistan in locating lost radioactive sources. India has been a signatory of IAEA’s Convention on Early Notification of a Nuclear Accident⁹ and Convention on Assistance in the case of a Nuclear Accident or Radiological Emergencies.¹⁰

5.1.3.4 The Role of Technology in Nuclear Security in India

Technology enhances nuclear security in India.¹¹ In addition to RF-based identity cards, secure communication systems, radiation detection portals, networked systems of cameras with video analytic software, sensors, and barriers and access control measures, India has adopted policies of “Closed Fuel Cycle” and “Reprocess to Reuse for Plutonium,” with strict no-stockpiling rules. India is also working on proliferation-resistant technology such as vitrification of high-level nuclear waste, and vitrified cesium pencils. These proliferation-resistant technologies add an additional layer of security apart from existing physical protection systems. In reactor technology, India is working on a Design-Basis-Security concept, where reactor design itself will provide a required level of security. India’s forthcoming indigenous Prototype 300 MW Advanced Heavy water Reactor will have many such advanced features designed and inbuilt to enhance security of the reactor and its systems.

5.1.4 Security of Radioactive Materials in Nuclear Facilities

Radioactive materials are provided “cradle to grave” security. It improved tremendously after the regulator deployed an e-LORA (e-Licensing of Radiation Applications) portal. This portal not only keeps a registry of radioactive sources but also provides authorisation for procurements and movement of sources, self-audit reports regarding accounting of sources, and return of disused sources either to a government depository or to its manufacturer.

The security of radioactive materials in nuclear facilities depends on the same principles as that of nuclear materials. The threats associated with radioactive materials are less concerning than those posed by nuclear materials because radiological materials cannot be used to fashion an Improvised Nuclear Device. Radiological materials can be used to construct either a Radiological Dispersal Device (RDD) or Radiological Explosive Device (RED), however.

The Physical Protection System for radiological materials takes a graded approach. Radioactive materials are characterised in five categories of descending danger, from the most-dangerous Category I to the least-dangerous Category V.¹² Category V material is managed through measures such as a security plan, safe storage area, proper accounting, access control, continuous monitoring, and periodic regulator audits. The graded approach builds on this foundation to provide enhanced levels of security as the danger of radiological material increases.

5.1.5 Transport Security of Nuclear and Radioactive Materials

5.1.5.1 Security of Radioactive Materials in Transit

Radioactive sources find widespread application in industry, medicine, and agriculture. As such, there is a significant need for safe transport of these materials because of the potential hazards of mishandling. The United Nations has issued a model regulation for security during transport of dangerous goods.¹³ India’s Atomic Energy Regulatory Board (AERB) has adopted the UN guidelines.¹⁴

Radioactive materials must be packaged to ensure that no significant radiological emissions occur during a transit accident. Types of packaging depend on the hazard value of the radioactive materials as defined in the IAEA’s document NSS 9.¹⁵ Certain Low Specific Activity (LSA) materials that involve low risk of radiological exposure, like uranium ore or its concentrate, are transported in industrial packages. These strong, light containers will protect LSA materials during normal shipping activities. Radiopharmaceuticals are packed for transport in type A packages, which have demonstrated, through a series of tests, the ability to protect their contents under normal transportation conditions. Materials with high radioactive content, which pose a significant danger if released, are shipped in type B packages, which will maintain their integrity even under severe accident conditions.

The IAEA has grouped all sealed sources into five categories. Sources in Category I are highly radioactive and considered to be the most “dangerous”; they can pose a very high risk to human health if not managed safely and securely. At the lower end of this spectrum is Category 5, the least-dangerous materials. A second method of categorisation, employed by the Atomic Energy Regulatory Board (AERB)¹⁶ in India, is based on ease of operation for repeated transportations and covers all types of radioactive materials including sealed sources, unsealed sources, and irradiated nuclear fuels. This categorisation of radioactive materials aims to aid the consignor or consignee in determining the security arrangements necessary for safe transportation. A list of commonly transported radioactive materials is given below in increasing order of radioactivity and hazard potential¹⁷:

1. i.

   Reference sources

2. ii.

   Consumer products (like smoke detectors, luminous painted dials, tritium light sources)

3. iii.

   Uranium/thorium ores or ore concentrates, depleted uranium, unirradiated natural uranium fuel assemblies and other RAM defined as

4. iv.

   LSA I/II/III in AERB’s safety code AERB/SC/TR-1, Safety Code for the Transport of Radioactive Materials

5. v.

   Surface contaminated objects defined as SCO I / II in AERB’s safety code document AERB/SC/TR-1, Safety Code for the Transport of Radioactive Materials

6. vi.

   Radiopharmaceuticals

7. vii.

   Nucleonic gauges

8. viii.

   Neutron sources used in oil-well logging

9. ix.

   Manually handled brachytherapy sources

10. x.

    Industrial Radiography Sources

11. xi.

    Remotely handled brachytherapy sources

12. xii.

    Teletherapy sources

13. xiii.

    Gamma irradiator sources

14. xiv.

    Decayed sealed sources for disposal

15. xv.

    Uranium hexafluoride (enriched)

16. xvi.

    Wastes arising from the nuclear fuel cycle

17. xvii.

    Unirradiated enriched nuclear fuel

18. xviii.

    Special nuclear material in different types of packages

19. xix.

    Irradiated nuclear fuel

The radioactive and nuclear materials being transported differ in their attractiveness for IED and RED, radiological dispersal devices depending on their hazard potential or radioactivity content. Hence, on the principles of the graded approach, the AERB identifies three levels of appropriate security arrangements:

• Level 1: Prudent Management Practices—This is applicable to materials of type (i) to (iv). Level 1 requires that consignor or consignee should adhere to security practices like maintenance of a minimum level of security; maintenance of a formal system of accounting of material; using a formal system of selection of transport; ensuring prompt notification to consignee regarding the dispatch and receipt of the material, and any untoward incident enroute; keeping track of consignment while in the public domain; and avoiding movement of consignment at night.

• Level 2: Basic Security Measures—This applies to the transportation of materials v to viii and xiii. The recommended security measures for Level 2 supplement the previously described prudent management practices. This level requires appropriate background checks to establish the trustworthiness of the transporter.

  • Operators should be alert to any unanticipated threats that may emerge during the transport. There should be a robust mechanism for tracking and recovery of lost consignments, which should be put into motion as soon as an incident occurs. If materials are at any point kept in temporary storage, the security measures employed should match those employed during transport or in their permanent facility. The consignment should be carried in a closed vehicle or in an otherwise sealed and secured manner. The integrity of locks and seals should be verified by the security contingent enroute as well as by the consignee on receipt of the material.

  • All personnel involved in the transport of radioactive materials should be trained and retrained regarding security procedures and responsibilities. Each crew member of the conveyance carrying radioactive materials should have positive identification and transport vehicle should also be checked thoroughly for its fitness and road worthiness. The vehicle should be searched to ensure that there has been no tampering of any sort with the packages or the vehicle. The personnel operating the transport should be briefed in their own language regarding emergency procedures. A Transport Emergency Card (TREM CARD), containing basic precautions and emergency contact numbers, should be kept in the vehicle.

• Level 3: Enhanced Security Measures—Level 3 measures, which are to be implemented in addition to measures under Levels 2 and 3, apply to materials ix to xv. These measures include proper carrier identification; preparation of a formal security plan, which should be commensurate with the current threat scenario; and measures for continuous tracking and communications link with the transport convoy.

  • The security plan identifies the responsibilities of security personnel and establishes a chain of command. It specifies the number of security guards, the quantity and type of weapons they carry, their training, briefing and debriefing procedures, arrangements for continuous watch even during halts and temporary storage, well-defined routes with predetermined overnight stops, and other operating practices, equipment and resources required to mitigate the security risks. The security plan should also establish clear procedures to report threats and security incidents. During transportation, the consignment should be subject to continuous monitoring, to ensure that it has not deviated from its assigned route. The security plan should also have a provision for periodic review and audit.

5.1.5.2 Security of Nuclear Materials in Transit

Physical protection of nuclear materials during transit/transport is one of the most difficult and challenging tasks. Materials must transit through areas with which the security contingent is not very familiar. The occasional need for temporary storage and the transition of guard forces and territorial authorities at jurisdictional borders further compound the security risks.

NSS 26¹⁸ and NSS 9¹⁹ along with NSS 13²⁰ are IAEA guides for Physical Protection of Nuclear and radioactive materials during transport. Atomic Energy Regulatory Board (AERB) has also issued a guideline titled TS/SG-10²¹ for security of radioactive materials during transport, which augments the provisions of the IAEA guide. Physical protection of nuclear materials during transport should be capable of preventing unauthorised removal of material and locating and recovering missing material. In addition, it should prevent sabotage and mitigate the radiological consequences of any sabotage on individuals, the public, and the environment.

A comprehensive security plan for the domestic or international transport of nuclear materials requires meticulous planning and inter-agency coordination. It is devised by the consignor on the orders of competent authority for nuclear material transport. This plan clearly defines route and alternate routes, places of temporary stoppages and night-halts if required, routine and emergency communication procedure, handing over arrangement at the destination and defines the responsibility of each person involved in the transport. It should be reviewed when threat perception or the technical environment changes. The international transport of nuclear materials additionally requires extensive coordination between the consignor’s country, the consignee’s country, the flag country of the conveyance, and other countries with territorial jurisdiction for either temporary storage or passage. The countries must also agree regarding the use of firearms by security personnel, and arrangements for locating and recovering lost material, as well as mitigating the consequences of any radiation exposure.

5.1.5.3 Special Security Measures

Consignment of materials xvi to xviii should be provided special measures of security during transport. This level of security is over and above Level 3 “enhanced security measures” listed above. The consignor must submit a shipment plan along with a detailed security plan to the competent authority for prior approval. The security plan should consist of details of route, carrier, security, and escort, tracking mechanism and communication equipment. The plan should also include procedures and places for hand-over of material between security agencies and proper vetting of all the personnel involved in transportation.

Packages and vehicles should be specially designed to counter the threat of sabotage and associated radiological consequences. Consignor should give advance notice to the consignee and the competent authority before starting the shipment regarding the mode of transport and a detailed timeline of the transport with an expected date of arrival to the consignee. Consignor should start the shipment after receipt of confirmation regarding readiness to receive the consignment. Consignor should also contact local law enforcement, through whose jurisdiction the consignment will pass, to assist smooth passage of shipment, and agree on contingency plans in case of a security incident.

All personnel should receive written instructions specifying their role and responsibilities and be thoroughly briefed on them prior to commencement of the operation. There should be an arrangement for automated tracking of the shipment during transport, which should be monitored at the transport control centre. Vehicles must be inspected to ensure roadworthiness and to detect any evidence of tampering, and then placed under armed guard. Finally, after handing over the consignment to the consignee, personnel should be de-briefed, for the purpose of making future operational improvements.

5.1.6 Conclusion and Future Initiatives

Physical protection systems consist of equipment and infrastructure, procedures, and security personnel. A short-coming or vulnerability in any of these three areas renders the whole system vulnerable. PPS is a dynamic and ever-changing system, which needs to adapt and evolve constantly in the light of emerging threat scenarios and ongoing technical advancements.

There are many new technologies that make physical protection more cost effective and robust. We must try to include these in our system based on the experience of our American partners. A system of continuous bilateral dialogue and organisation of bilateral symposiums to showcase these technologies could provide an excellent platform for cross pollination of ideas among like-minded international partners.

DAE installations in India employ a force of personnel who are primarily trained for general industrial security. The generalist training that is currently imparted to this cadre may be insufficient to address the unique and highly specialized security challenges that arise in the nuclear sector. There is a growing need for specific training in this critical sector, where every countermeasure has to be deployed discretely and judiciously, keeping in mind the possibility of serious radiological emergencies. Close engagement and cooperation with our security counterparts in the U.S. can help these efforts; both sides can benefit through sharing of mutual experiences. Threat simulations on the lines of joint military exercises could go a long way in training of security personnel and improving their efficiency.

Despite having multiple Emergency Response Centres across the country, in a real-world emergency scenario on the scale of Fukushima or Chernobyl, emergency response equipment would need to be decontaminated before it could be employed again. As such, a large redundancy of emergency response equipment is needed for tackling a large-scale contamination. The existing emergency response system of one nation may be overwhelmed in this type of situation. Anticipation of such a scenario requires states to foster close cooperation with international partners and start formalizing plans for a regional emergency response centre, so that any emergency requirement of one nation may be supplemented. Expressions of political support in international forums may help to advance this effort.

The infrastructure of the Indian road transport sector was not designed meet the requirements for transportation of dangerous goods, and the personnel involved often lack the literacy and knowledge base to understand the requirements of this sector. Thus, there is a need to develop a specialised road transport sector for transporting nuclear and radiological materials. Staff must be trained about the requirements of transport and sensitized to the relevant security threats, and conveyances appropriately modified to enhance their security. Indian stakeholders may benefit hugely from the experience of their U.S. counterparts in this field.

The Indian system of physical protection of nuclear and radiological materials has come a long way since its inception and has displayed a commendable track record. International cooperation will ensure that the Indian best practices can be emulated by others and the Indian system can be refined continuously by drawing upon others’ experience as we all move towards the collective goal of a safe and secure nuclear world.

5.2 A U.S. Perspective

• James McCue &
• Alan Evans 

Nuclear weapons programs require credible safety and security systems—especially when the programs include nuclear warheads. In this chapter, we apply a systems engineering approach to explain Physical Protection System (PPS) design. We also provide two examples of U.S. nuclear security conditions to highlight key elements for systemic improvement. In this chapter, we discuss a methodology from the civil nuclear sector with the Sandia National Laboratories’ (SNL) Design Evaluation Process Outline (DEPO). This design concept has been used extensively across the world for civil nuclear security programs, and military programs, and relies heavily on the work of Mary Lynn Garcia.²² This methodology was specifically developed for securing nuclear assets, including nuclear weapons, nuclear power plants and other high-consequence facilities (HCFs). While civilian nuclear material protection is an important topic, this paper focuses on nuclear weapons. These assets represent the ultimate high-consequence risk, justifying the highest protection effort and so offer the most depth for discussion.

This chapter explains the DEPO methodology and offers some suggested changes. These proposed amendments include new elements for added analysis such as budgetary restraints, security system reputation, and threat capabilities defined in conjunction with enemy mission goals. We then apply this method to analyze Inter-Continental Ballistic Missile (ICBM) security performed under two different configurations and security situations. We consider warhead security while “on alert” in underground silos and look at how effective security concepts operate during transport for maintenance. We identify several system design challenges such as vulnerability of static doctrine, planning factors for conscripted personnel, and risk from outdated threat concepts. We show how vestigial Cold War security goals can deny theft yet result in programmatic failure through political or financial loss. This paper’s modified DEPO method is designed to account for these problems and create enduring security success through performance-based evaluation to defeat current and future threats.

5.2.1 DEPO Method Overview

The Design Evaluation Process Outline (DEPO) methodology has been used for many years to design and evaluate physical protection systems. This methodology employs a system engineering approach to provide a framework that captures guiding regulations, facility characteristics, and stakeholder needs. The second PPS design phase is integration of people, procedures, and equipment to maximize security effects of the overall system.²³ This methodology does not then end. Rather, it continues through evaluation to complete the process, making a continual cycle that keeps the security system perpetually updated. This continuous evaluation approached creates a forward-looking, threat-anticipating system, rather than a backwards-justified, regulation-focused security enterprise. DEPO-type evaluation uses a variety of analysis techniques such as path analysis, probability of interruption and neutralization analysis, scenario analysis, tabletop exercises, and force-on-force exercises to ensure effectiveness and provide regular feedback from both human and computer-originated analysis. Figure 5.3 is adapted from the National Security Training Center’s curriculum and illustrates these phases, the elements within each phase, and the components of each element.

Fig. 5.3

Adaptation of DEPO methodology

The Define Requirements phase identifies the physical and environmental conditions of the site as well as the asset(s) under protection. A properly designed physical protection systems avoids impeding mission operations as much as possible, though some trade-offs between security and operational efficiency can be expected. This phase also identifies the litany of regulatory requirements that establish the minimum capabilities required at the international, national, and local levels. For the United States this means considering IAEA, U.S. Nuclear Regulatory Commission rules, DOD, and DOE instructions as well as having to comply with the EPA/OSHA, state, and county rules for hazard prevention, and even traffic laws. Whether civil or military, each nuclear possessor state’s risk tolerance will set the relationship between ease of operations security stricture.

The U.S. began building its nuclear triad soon after WWII in a relatively risk-accepting time, with safety technology and security concepts for these weapons in their infant stages. It would take half a century, and be almost a decade after the 9/11 attacks, before a major investment in U.S. nuclear “modernization” brought remote video surveillance to ICBM launch facilities.²⁴ The attacks on 9/11 made clear that there was now a capable, dedicated threat to nuclear security systems. Yet this environment, and the desire to “do something,” caused designers to rush. This led to costly measures such as an upgrade for the brand new Remote Visual Assessment system.²⁵ This restraining effect is why we add budgetary planning for the entire system life cycle as a stand-alone element within the first phase of DEPO analysis. Additionally, significant changes in threats or other restraints such as risk tolerance should trigger programmatic redesign, rather than just patching. Comprehensive requirement assessment ensures capturing interactive effects as well as second-order impacts.

The Design phase is based on three components at the heart of the PPS: Detection, Delay and Response. For a security system to succeed, the combined effects of the first two elements must result in a protection time longer than time the adversary needs to gain access to the facility, so that security personnel can interdict it. In other words, the facility must take longer to break into than it takes a responding team to arrive.

It is important to understand that detection is not an action; it is the compilation of efforts among the many sensors and trusted communications that bring about a declared security situation. Detection is the realization of the adversary’s action, not just the effort of looking.²⁶ Designers need to also consider that delay can be created in two ways: through passive delay barriers (i.e., doors, windows, walls, fences, etc.) and through active delay barriers (i.e., pop-up vehicle barriers, dispensable barriers, etc.). Delay barriers increase the adversary task time and increase the complexity of the attack for the adversary force. The final element, response forces, consists of a variety of security teams with differing capabilities and purposes such as periodic patrols, initial interruption forces and the neutralizing team that defeats the adversary.

Design is both art and science requiring the balancing of conflicting requirements as well as competing strategies. One such oppositional set of security concepts are containment and denial. Containment focuses on the asset and keeping it within a specific boundary, while denial centers on the adversary and preventing it from gaining access to a restricted area. Denial further breaks down into access denial and task denial. Access denial often imposes a cost in operational efficiency. This reduces risk from a few potential threat actors, but imposes operational costs for even valid users with lost work time satisfying entry procedures. Alternatively, task denial creates delay by forcing an adversary to complete a series of difficult tasks or changing the task conditions after an unauthorized access attempt is detected. Containment strategies are often the least expensive to design, build, and maintain. Access denial is usually the costliest both financially and operationally. Containment and denial can be complimentary design concepts, but each consumes budgetary resources and addresses different threat types and goals and creates different delay effects.

Another double-edged security strategy is secrecy and surprise. Secrecy can be either an alternative or supplement to delay. A secrecy-based design relies on hiding an asset rather than locking it away in a safe.²⁷ Secret routing, a lock’s combination, and randomly leaving missile silos or transporters empty are security concepts that all rely on varying degrees of secret information to create security effects. Surprise is another supplement to PPS’s that can provide cost-efficient security effects. Secrecy ensures surprise. But this inherently creates a problem, since the goal of security is deterrence and an unknown threat cannot deter. Nonetheless, secrecy and surprise deter by eroding  a would-be attacker’s confidence.

The Evaluate phase of the DEPO methodology tests the effectiveness of PPS’s during design and throughout its life cycle. Evaluation of the physical protection system ensures that the system behaves as designed (or gets rejected for redesign) and gives feedback over time. This enables growth and relevance in the face of evolving threats, resource availability, and risk tolerance. Performance-based approaches to PPS’s ensures asset defense at a level effective against the postulated threat.

5.2.2 Applying the DEPO Method

Using the DEPO method to analyze two operational nuclear security challenges helps draw out important nuances and operational considerations difficult to see with only theoretical examination. Reflecting on the security conditions of U.S. ICBM launch facilities and warhead transportation shows how physical protection works in practice and reveals ways to leverage new technologies.

Designing for physical-security system effectiveness requires clearly defining the program’s strategic purpose. The nuclear weapon PPS objective is to negate unauthorized warhead access obtained by breaching physical barriers and/or neutralizing security personnel. This definition clarifies what is, and what is not, a physical security concern. Personnel reliability programs, cyber defense, and other security related considerations are vital for the success of the overall nuclear security enterprise. However, those considerations are beyond the scope of physical security. Precisely defining the nuclear physical security task and purpose also enables performance evaluation and analysis techniques such as analogy and comparison. Security industries with similar challenges provide useful points of departure and the have a longer history of both successes and failure to draw from.

It is important to note that each security situation has an ideal attack outcome as well as a limited series of bad ones. Bad outcomes may have different paths, and each must be understood so that all can be defended without risking bad assumptions regarding lesser-included threats. This spectrum of bad outcomes must be understood to avoid creating an exquisite system immune to total failure but fragile in its propensity to fail partially (Fig. 5.4).

Fig. 5.4

Potential undesirable results of an attack

5.2.3 Defining System Requirements

5.2.3.1 Asset(s) Under Protection

The International Atomic Energy Agency (IAEA) regulates security of civilian nuclear material and nuclear facilities worldwide. The IAEA employs three tiers of security requirements based on the quantity and type of nuclear materials in storage. The IAEA standards are tiered to allow for a graded approach to physical protection measures in civilian security design. However, military responsibility begins at a tier well above even the highest IAEA consequence scenarios based on the presence of weapons-grade nuclear material. The adversary must be prevented from accessing this material. If that fails, then the plutonium, uranium, and other key nuclear materials must not be stolen. Partial success in preventing access or theft, though suboptimal, is more survivable for the enterprise than total failure regardless of whether the adversary seeks physical or political objectives.

Extreme weather is not itself a security threat, but it is a part of defining the conditions within which a security system must operate. Weather events can decrease the effectiveness of the security system and may slow responders. Extreme weather events can lead to damage or disruption of critical security components such as intrusion detection systems, barriers, or assessment capabilities. U.S. nuclear silos were initially designed and evaluated without regard to this challenge and instead were placed to maximize survivability for use in a second strike against the Soviet Union. Including weather-related contingency and compensatory measures in system design minimizes costs and reduces second-order effects. Tabletop exercises and simulations are helpful design tools for exploring this problem set.

Across the U.S. nuclear triad, the assets under protection are quite similar. However, the security conditions vary considerably. The storage and maintenance facilities all create a similar degree of protection, but there are significant differences among the distances security personnel must travel during response. Long transit is the largest factor in the time required to respond, and thus drives delay requirements. In this respect the nuclear ICBM poses a unique and extremely difficult security challenge; distances between warheads and security personnel are much greater than in other weapon security conditions.

Most modern nuclear warheads rely on limited-life components requiring regular maintenance.²⁸ U.S. warheads must be moved between silos and the main base or, less frequently, be transferred to the Department of Energy for laboratory work. Both the Defense Department and Energy Department must perform this transport on public roads. They perform this mission with nearly inverse security strategies, each employing tactics optimized for their very different security conditions.

5.2.3.2 Defining System Constraints and Restraints

The process of defining both what the security system can’t do (constraints), and what it must do (restraints) typically starts with review of the applicable high-level international regulations alongside national and provincial mandates. The U.S. appetite for risk has decreased over the past half century. Much of this change occurred as a result of the 9/11 attacks and the accident at the Fukushima nuclear power plant in 2011. Over the lifetime of the U.S. nuclear enterprise, and with each new generation of nuclear weapons over the decades, a plethora of new safety and operational requirements have emerged. Risk reduction is now so difficult, yet so desirable, that the generation of weapons currently under development are likely to cost five times more than the original Manhattan project, in large part because of the emphasis on and difficulty of risk reduction.

Military security regulations and doctrine for each of the nuclear weapon possessor states are understandably classified. However, a series of recently concluded nuclear security summits provides some public information regarding international protection standards and design concepts for securing nuclear material from “terrorist groups and smugglers.”²⁹ From international down to local security expectations and limits, the totality of physical, financial, and political constraints and restraints establishes the security conditions within which the system must operate. Therefore, the system designers must be well acquainted with these rules.

Transitioning from designing on paper to concrete reality means overcoming restraints such as budgetary limits. Successful budget planning includes many components such as initial facility design and security system design, but also incorporates operational budgeting. Some initial budgetary considerations for physical protection systems include initial system design, technology research, installation construction, and performance testing. Likewise, recurring costs such as personnel, facility maintenance, and operational costs must also be included to ensure long-term financial viability. Budgeting should be for the entire engineering lifecycle of the nuclear program. This timeline is typically 50 years for a nuclear power plant, but the US’s ICBM and B-52 planning horizon have expanded out to around a century.³⁰ Domestic privacy rules can limit detection options and up-front investment for delay features can be difficult to squeeze between regulatory restraints and budgetary constraints. But designers should approach this difficulty conservatively as high redesign costs or budgetary overrun can lead to program failure. These security conditions bound the PPS design space and require extensive research alongside iterative planning to mitigate risk.

The security industry has reduced costs significantly by replacing people with technology; it has long been known that people make bad sensors.³¹ Active delay systems, new sensor concepts, increased security-force lethality, new less-than-lethal options, digital communications, and automation all work together to reduce the number of personnel needed for an effective PPS.³² U.S. military training costs have also been lowered in various fields through modeling and simulation tools that reduce training needs.³³ Combining modern remote sensing with computerized training and threat analysis tools reveals new compensatory options. This narrows the scope and frequency of expensive field testing and operational training. Simulation tools may not provide the same experience that field exercises offer, but they can greatly reduce the costs, time, and risk. In the near future, this concept could be expanded to include reducing costs by using smaller numbers of staff in more roles, such as site maintenance, through use of augmented reality.

5.2.3.3 Defining the Threat

The final component of requirements analysis is determining plausible threat capabilities and goals. The U.S. nuclear security enterprise traditionally approached this problem from a capabilities perspective. This method requires planning against an adversary’s potential means of carrying out an attack. This focuses on factors like equipment and skills but ignores intent. Consequently, this policy may discount scenarios in the middle of the risk spectrum and thereby create niche vulnerabilities. Defending against a wider range of risk demands analysis of adversary goals as well as capabilities by the system designer and response force trainer.

Characterizing threat actors by capability identifies key features such as the number of attacking personnel, their sophistication in thwarting detection, likely vehicles or weapons used, and familiarity with tools for breaching applicable delay features. Mission objectives and strategic purpose are then knowable through normal intelligence analysis. These mission goals do not readily change. If a nation is willing to “eat grass” in order to secure a nuclear capability, it is unlikely to give up due to technical setbacks.³⁴ Highly risk averse states that are less interested in nuclear weapons, by contrast, are more susceptible to compellence.³⁵ Characterizing adversaries by capability and motivation provides a clearer understanding of potential threats and allows the system to mount a successful defense on either level.

An adversary must be capable of defeating the physical delay systems and challenging the response force to be considered a credible threat for theft or sabotage. Protestors and non-credible attackers can threaten the enterprise, but do not present a plausible chance of succeeding at theft. To gain this higher-level credibility, would-be thieves must operate with basic military organization and discipline. Such a plausible threat group would be operating with the benefits, as well as the limitations, of a raiding party. In this vein, several recent terror attacks have displayed the tactics and equipment normally reserved for professional militaries.³⁶ More concerning is the increasing ease of target surveillance and growing adversary lethality, as well as the difficulty of determining state sponsorship.³⁷

Likening potential attackers to a raiding party highlights potential countermeasures. The small size, minimal depth, and light footprint of a raiding party give it mobility and a low signature, but also render it vulnerable to well-trained and equipped security patrols or immediate response forces. Viewing the adversary as a capable yet limited enemy with specific mission goals—in other words seeing the enemy as a raiding party—is therefore a helpful heuristic for improving threat analysis.³⁸ Regardless of the threat type and security conditions, the more comprehensively that all requirements are defined, the better the security system can and will be designed and operate.

5.2.4 Design: Delay, Detection, and Response

This section discusses the three main design elements of physical security and shows how U.S. ICBM security balances each to maximize synergy and resiliency.

5.2.4.1 Detection

Given enough time, every castle wall can be breached by hammer, shovel, or ladder. Therefore, PPS’s must have mobile, capable response forces. Yet without a timely alert, these forces will be ineffective. Moreover, if an alarm sounds and no one hears it, then it is ineffective. That is why detection is graded for both sensing and communication.

The best detection systems are built with a variety of complimentary sensors installed to achieve overlapping fields of regard. Successful adversaries will have to defeat the combined effects of multiple sensor types covering the same physical space. Complimentary sensing means fields of regard overlap such that defeating one type of sensor makes the target more vulnerable to the other kind of sensing. For example, a motion sensor might be defeated by exceptionally slow movement. Camera surveillance of the same area compliments motion detection because the slow movement to defeat motion sensors ensures that an attacker will spend an exceptionally long time on the video screen. Linear layering of zones then enables defenders to monitoring attack progress to support decision-making. Ideally, each layer or zone employs these complimentary sensors on independent secure communication links, feeding redundant monitoring stations.

Sensor outputs are now rarely binary because of advances in technology. This provides a higher volume and quality of detection information. Observable sensors may be intimidating but are likely to be destroyed once the adversary abandons its efforts at stealth.³⁹ Designers should plan for a number of covert sensors to ensure continuous monitoring across layered zones throughout the attack sequence. This affords vital intelligence for the response force, such as which layers of delay have been breached. When combined with timing information and video images, it reveals what special equipment the adversary may have, or may still require in order to gain access. Independent lines of communication add to this information, and if one is compromised this provides information regarding the attacker’s sophistication and likely goals.

The nature of nuclear material transportation does not lend itself stationary physical barriers such as multi-ton concrete doors. The need for mobility forces defenders to adopt active measures. The Department of Defense responds by convoying several escort vehicles with heavy firepower. By contrast, the Department of Energy chooses more clandestine movement. This low-signature approach is facilitated by DOE’s relatively small number of missions along a large variety of routes.⁴⁰ Maintaining secrecy is becoming harder, however, in the age of social-media connected plane spotter groups.⁴¹ Secrecy is a beneficial security add-on but should not be the primary means for creating security effects in a world of cell phones and AI-supported search algorithms.

5.2.4.2 Delay

The delaying element ensures that adversary task time is long enough for the defender’s response component to defeat an attack. An intruder is slowed by having to penetrate multiple layers of delay infrastructure. Ideally, security design avoids creating multiple entry routes, as the adversary will then be able to choose the most advantageous path. In practical terms, however, three-dimensional objects can hardly avoid offering multiple routes, as we show below. Instead, proper design balances each path so that all options provide similar task complexity and delay. In a well-designed facility, all paths of entry should be equally difficult and time consuming (Fig. 5.5).

Fig. 5.5

Adapted from physical security areas (SAND2021-0176 TR)

Delay features are graded in terms of the time it takes an uninterrupted and knowledgeable attacker to defeat them.⁴² A key-card locked door is a simple example of a delay system with inherent filtering of unauthorized users. The more frequently credentials must be checked the more difficult it is to delay an adversary without degrading operations. One tactic for harmonizing these competing access/security interests is through situationally dependent time delay, such as time locks. Such a system opens only during pre-set times, such as when security personnel are expected to be present. Alternatively, it might be set to open only 30 minutes after a correct code is entered.⁴³ Layered defenses best increase security effects when they require a variety of breaching methods and equipment. Additionally, surprise delay features can add outsized effects. For example, using non-standard or even random locations for security door locking pins makes it harder to guess where on the door to drill.

Though initially intended to defend against nuclear strikes, the hardening of ICBM silos can delay intruders and enable security forces to respond.⁴⁴ The “lid” on a Minuteman silo is more than 12 feet across, several feet thick and made up of concrete and rebar meant to withstand a near miss nuclear strike.⁴⁵ Cutting through this massive obstacle requires special equipment and skills and cannot be done with simple hand tools. Alternatively, active delay systems, such as sticky foam, can be effective in mobile scenarios, slowing an attack on a nuclear weapon transport vehicle.⁴⁶ It is important to note that delay features can only slow—not stop—a credible attacker. Therefore, the suite of sensors that underpin a detection system also demands extensive consideration by PPS designers.

5.2.4.3 Response

A competent response force will respond to an intrusion before the adversary can access a protected asset(s). Credibility in this role is the foundation of this element’s deterrence effect. Spoiling enemy objectives requires more than simply preserving mobility and lethal overmatch, however. The response element must be adaptable, unpredictable, and able to tackle unexpected problems that computer algorithms and battle checklists cannot solve. No matter how competent they may be, defenders face motivated adversaries. Terror groups regularly reaffirm their willingness to sacrifice their lives in pursuit of their political objectives. And attribution of state sponsorship of attacks on nuclear facilities is becoming harder, making it more tempting.⁴⁷

Even if defenders achieve deterrence, there is no guarantee that it will last. The human element of the PPS design must consider the possibility of being attacked and then having to reestablish credible deterrence. At the strategic level, nuclear security requires a tactical force capable of more than just fending off attack. The degree of an attack’s failure would largely shape the aftermath, the likelihood of follow-on attempts, political fallout, compensatory measures, and new regulations. PPS success, in this sense, can only be measured from the adversary’s perspective. Tactical success followed by strategic failure could also result from design that ignores sensitivities regarding disproportionate friendly force, inept responders, or high levels of civilian collateral damage. A resilient security design includes risk to reputation to account for the implications of partial success.⁴⁸

The security mission is by nature a defensive action and is unavoidably reactive, ceding initiative to the adversary. Internal predictability is mandatory for organized action, but deadly if allowed from the adversary’s perspective. Standard procedures, communications plans, and unit tactics are examples of internal predictability that ensure cohesive action and, when built and executed properly, increase the appearance of randomness. Increasing security force precision and range helps reduce predictability. Staging security teams in a variety of places ensures their arrival from multiple directions at different times. Random patrolling adds an irregular presence and creates outward randomness. Modernized command and control systems ensure this force can be quickly re-assigned to interrupt the adversary early in the attack.⁴⁹

Flexibility is what makes security personnel so valuable to creating security effects. Security forces trained in dynamic tactical decision-making are able to shift priorities and seize new opportunities; they can outthink as well as outgun the adversary. For example, a response force dispatched to perform initial disruption can become a neutralizing force, should the adversary be less capable than expected.⁵⁰ The inverse condition must also be trained for, so that a neutralizing force can fall back to performing disruption and self-preservation actions when appropriate.

Effective mobility of personnel is another security requirement, and therefore creates a potential vulnerability. The most effective responding vehicles are those least constrained by terrain, such as ATVs, snowmobiles, and planes or helicopter—both manned and unmanned. Commercially available unmanned aerial surveillance systems are nearing maturity and small military systems add lethal options to vastly increase the speed and security effects of response assets.⁵¹ Incorporation of these systems could cheaply and quickly add reliable, all-weather options for countering an attack.

Response forces require training to stay sharp and evolve with adversaries’ improving capabilities and changing mission goals. Viewing attackers as a raiding party offers defenders unique ways of defeating a threat. For example, defenders can leverage layered and redundant detection systems to learn about their enemy in real-time and adjust tactics or priorities as the attack unfolds. In this way, a properly trained security team becomes harder to defeat over the course of an attack.

5.2.4.4 Evaluate

Evaluation is an essential aspect of a training program and design process. It facilitates success over time by making growth an appendage of the system. Initial design evaluation can prevent cost overruns for major redesign as well as the much worse outcome of getting out-paced by the changing threat.

Evaluation standards must continually evolve alongside the larger institution the security system serves, to ensure security standards match the changing nature of the threat. Nuclear security is a national enterprise requiring whole-of-government treatment to stay aligned with shifting risk tolerance, fiscal priorities and changes to acceptable police or military tactics. Moreover, pre-attack threat detection comes from sources outside the U.S. military. Many intelligence and law enforcement elements of the US government authorized and equipped to interrupt this point of the attack cycle have limited interaction with the DOE or DOD elements responsible for security. Even a failed attack poses a major risk to national reputation, so deciding the right balance between intelligence sharing and privacy rightly falls to the highest level of state leadership. Effects-based evaluation ensures that detection standards are aligned to national trends.

Improving US nuclear security requires moving beyond rote security doctrine. Training for dynamic tactics and performance-based evaluations naturally incorporates the benefits of new technologies and the higher quality of an all-volunteer security force. Compliance-based assessment focuses on sets of rules and engenders a backwards view of individual actions during response, raising the question “what was I told to do?” In contrast, performance-based evaluation encourages predictive thinking centered on defeating the enemy with the resulting effect as the key grading consideration. It raises the question “how do I successfully defend?” The quality of response personnel is a major factor in which approach is feasible since high order thinking and judgement under fire may not be a reasonable expectation for the troops available. In the past, the U.S. was forced to employ a conscript army, or draft, and at that time the compliance-based approach was most appropriate. Increasing performance-based evaluation and emphasizing effects is one way to address the glacial speed of nuclear doctrine and equipment upgrades.

Performance-based evaluation, then, is the best means for judging security effectiveness. Taking a performance-based approach to assessment processes and device certification would help to keep pace with emerging lethal and supporting civilian technologies. Burdensome nuclear certification rules slow the adoption of new non-nuclear weapon-related equipment such as detection sensors, munitions, or communications systems, while centralized control of security personnel equipment has similarly deleterious effects. Recent advances in commercial imaging, processing, and automated target identification and tracking offer the adversary major improvements in surveillance capability.⁵² Change detection algorithms can help to cue security personnel and even dispatch them in their most effective response roles during facility-protection, convoy, or urban operations.⁵³ Building an evaluation system that grades security effects from technology or dynamic tactics is the most cost-efficient means to design for optimal security effects across all possible threats and their objectives.

5.2.5 Conclusion

The modified DEPO method that we discussed in this chapter offers simple yet robust optimization tools for iteratively designing a maximally effective security system. We showed, through application of our modified DEPO method to the U.S. nuclear security enterprise, several options for improving security in both static and mobile ICBM security scenarios.

This chapter also demonstrated the importance of properly characterizing the assets being protected at the tactical and strategic level, and of guarding both the warheads and the reputation of the security system. These assets must be protected within resource restraints and constraints, while balancing acceptable levels of risk outlined in a variety of regulatory sources. We also showed that viewing the threat as a raiding party helps the defender to identify key capabilities and dissect nested mission objectives. And we explained why designing security for effect is preferable to design for compliance. While the effectiveness of U.S. nuclear weapon security is currently without question, our modified DEPO methodology thus offers several opportunities for gaining cost efficiencies and improving security effects.