Security of Advanced Reactors
August 2020
CONTENTS
Acknowledgements 3
Foreword 4
Executive Summary 5
Introduction 6
1. International Perspective 9
   Introduction 9
   IAEA Nuclear Security Series Guidance 10
   International Advanced Reactor Working Groups 11
   Communicating International Guidance 15
2. Regulatory Issues 16
   Introduction 16
   Comparison of Regulatory Approaches 17
   US Nuclear Regulatory Commission 17
   UK Office for Nuclear Regulation 19
ACKNOWLEDGEMENTS
WINS acknowledges the generous sponsorship of the Nuclear Threat Initiative (NTI)
for the preparation of this report.
WINS is grateful to all subject matter experts who participated at the international
workshops in Vienna (March 2019) and Ottawa (2020). These events were the
foundation of this report.
WINS 20(25)
ISBN: 978-3-903191-75-4
These new reactors can be designed to incorporate modern security elements that make
it easier to prevent theft or sabotage – and their suitability for deployment should be
judged on the degree to which they do so. Because these advanced reactors operate
differently from the well-understood light-water fuel cycle around which most current
security concepts are designed, security experts must be involved early to understand
and guide designs to account for current and future security risks and threats.
To aid those at the early stages of reactor design and encourage the development of
future reactors with enhanced security, the Nuclear Threat Initiative and the World
Institute for Nuclear Security partnered to create this guide to nuclear security for
advanced reactors. Developed with input from advanced reactor developers and other
experts, the guide offers a toolkit for designers and others working to bring these
technologies to market, as well as for policy makers and regulators interacting with
these advanced reactor companies. We hope it will also spark new questions and point
the way towards developing answers.
The world cannot afford to miss this unique opportunity to incorporate security by
design into the next generation of advanced reactors. These new reactors have the
potential to play a huge role in slowing climate change and reducing the risk of nuclear
weapons proliferation, and we hope this guide serves as an important contribution
to making the expansion of nuclear energy beneficial for ourselves and for future
generations.
Recommendations:
1. The IAEA and other interested international governmental and non-governmental
organisations, such as NTI and WINS, should together identify the most effective way
of communicating international obligations and international guidance for security
to advanced reactor developers. Where needed, these stakeholders should work
collaboratively to develop new guidance to inform AR designers of the requirements
for effective security at the earliest stage of design.
2. Regulators should share security best practices and lessons learned in regulatory
approaches for advanced reactors through the establishment of an international
forum focused on security and regularly scheduled meetings. An independent
organisation could facilitate the arrangement of this forum.
opportunities and result in the development of best practice guides and enhanced
training packages for developers.
5. WINS is a strong proponent of peer review for nuclear security. For facilities in the
design stage, a security peer review using the SeBD methodologies available should be
considered. AR developers should assign staff to support peer reviews and share best
practices and lessons learned in SeBD. A forum for developers to facilitate reviews and
share information could be organised by NTI and/or WINS.
INTRODUCTION
“You can’t be in this business without paying attention to security.”
IAEA DIRECTOR GENERAL RAFAEL GROSSI1
As we enter the third decade of the 21st century, the nuclear industry has already
gone through significant changes. Early in the century, there was keen interest in a
“nuclear renaissance” driven by increasing fossil fuel prices and growing concern
about greenhouse gas emissions. This anticipation of a rebirth of the nuclear
industry was seriously damaged by the accident at the Fukushima Daiichi Nuclear
Power Plant in Japan in 2011, as well as concerns about the commercial viability of
new or expanded nuclear power programmes in a number of countries.
However, support remains for nuclear technology, including for the next
generation of nuclear reactors, for reasons such as addressing the challenges of
climate change. The OECD Nuclear Energy Agency (NEA) states, “nuclear power
constitutes an established, reliable technology viewed by many countries as having
potential to be part of the solution for achieving robust low-carbon economies”.2
Likewise, the Global Nexus Initiative (GNI)3 asserts that, “driven by concerns about
energy security and greenhouse gas emissions, more countries are pursuing the
development of low-carbon energy sources. Nuclear power and renewable energy
technology will play an increasing role in global electricity production.”4
• Generation of power and heat for niche markets and micro-grids such as
military bases, data centres, offshore platforms, remote communities or
islands where expensive diesel is the only energy alternative
1 Dhal, F. (2020). Director General Grossi Outlines Plans to ‘Recalibrate’ IAEA. IAEA Office of Public Information and Communication.
2 OECD Nuclear Energy Agency. (2017). The strategic plan of the Nuclear Energy Agency 2017-2022.
3 GNI is a collaboration between the Nuclear Energy Institute and the Global Partnership for Security which is designed to explore the
linkages between climate change, nuclear power and global security issues.
4 Global Nexus Initiative. (2019). Advancing nuclear innovation: responding to climate change and strengthening global security.
5 Buongiorno, J., Parsons, J., Corradini, M., and Petti, D. (2018). The future of nuclear energy in a carbon constrained world - An interdisciplinary MIT study. MIT Energy Initiative. Massachusetts Institute of Technology. www.energy.mit.edu/research/future-nuclear-energy-carbon-constrained-world
It is also recognised that large, traditional light water reactors (LWRs) are
not necessarily the only or necessarily the most competitive option for these
applications. Reactor designs with significantly different features from traditional
LWRs could play an instrumental role in addressing these applications in the future.
Some of these reactors are referred to as advanced reactors.
There is no general consensus on what exactly falls into the category of AR. For
example, the IAEA includes light water small modular and large Generation III+
reactors in the AR category, together with Generation IV and other non-light water
reactors. On the other hand, GNI, in a June 2019 report6, only included reactors that
use molten salt as a fuel, have TRISO-based fuel or a fast neutron spectrum.
Reactors with molten salt in the fuel are subdivided into two
types. The first type has a dissolution of uranium in molten
salt, which acts simultaneously as fuel and coolant, that
moves around a set of plena. The second type has fuel in a
6 Global Nexus Initiative. (2019). Advancing nuclear innovation: Responding to climate change and strengthening global security.
The deployment of new AR designs may address long-term challenges of nuclear
technology including cost and competitiveness, potential proliferation issues, long-
lived radioactive waste, safety and security. The last issue is the focus of this report.
As noted by NEA, “the effectiveness of government and the international community
to address any concerns related to the security of nuclear material and facilities
[is] one of the factors that will determine the degree to which nuclear power will
contribute to addressing long-term energy supply needs.”7 In the same vein, GNI
asks, “If nuclear power is going to be a significant contributor to successfully
addressing climate change, how do we manage the expansion of nuclear facilities
and materials, including their spread to new, less stable regions in a way that
maximises safety and security and builds international confidence?”8
4. Explore common security challenges that will need to be resolved in the future
At the conclusion of each chapter, the report provides a recommendation for the
future. These recommendations are further reviewed at the conclusion of the report.
For simplicity, the report examines the same reactor designs as those contained
in the GNI report (Figure 1). Appendix 1 contains a broader list of AR designs under
development and their applications in terms of those identified in the introduction
to this report as well as summarising the main parameters that are relevant for
security considerations.
1. INTERNATIONAL PERSPECTIVE
Introduction
It is well understood that the security of reactors is not just an issue for the country
in which the reactor is sited, constructed, operated and eventually decommissioned.
Effective security is a concern for all countries in relation to the transport of nuclear
material, the protection of nuclear facilities against sabotage, the protection of
nuclear material against unauthorised removal and the combatting of trafficking of
nuclear material. As a consequence, the international community has developed a
fabric of binding and non-binding international instruments, cooperating through
membership in the IAEA and the UN.
The only binding international legal instrument that deals with the physical
protection of nuclear material and nuclear facilities is the Convention on the
Physical Protection of Nuclear Material (CPPNM) and its Amendment (CPPNM-A).
The Amendment to the CPPNM includes 12 Fundamental Principles of Physical
Protection. Below are some of the more relevant principles that may guide the
development of a regulatory framework for licensing AR designs within a country.
1. Risk of unauthorized removal with the intent to construct a nuclear explosive device;
3. Risk of sabotage.
Risk management requires that the physical protection systems be able to establish
and maintain the risk of unauthorised removal and sabotage at acceptable levels.
Risk can be managed by:
1. Reducing the threat: The threat may be reduced, for example, through
the deterrence provided by robust physical protection measures or the
confidentiality of sensitive information.
In relation to the design of any reactor, NSS 13 has the following general guidance:
For a new nuclear facility, the site selection and design should take physical protection
into account as early as possible and also address the interface between physical
protection, safety and nuclear material accountancy and control to avoid any conflicts
and to ensure that all three elements support each other.
The IAEA also provides detailed implementing guidance in NSS 35-G: Security During
the Lifetime of a Nuclear Facility. In this guide, the IAEA suggests incorporating
nuclear security in the early design stage and integrating security with safety,
safeguards, operations and other requirements. Integrating nuclear security
and safety measures helps to ensure neither has a negative impact on the other.
Including security experts in the design team will allow any potential conflicts
between nuclear safety, security, and safeguards to be identified and resolved.
NSS 35-G provides recommended design goals and actions for the state, competent
authority and the operator that are summarised in Table 1.
NSS 35-G recognises that between the conceptual design and final design a cycle of
activities is repeated. These design actions are applicable to all reactors, including
ARs. It is recommended that all AR developers review this guidance.
Table 1: NSS 35-G design actions for the competent authority and the operator

Competent Authority Actions
• Ensure that a design basis threat or representative threat statement and relevant regulatory requirements for nuclear security are provided to the operator for development of nuclear security input for use during the design of the facility, if required.
• Ensure that any design modifications remain in compliance with applicable regulatory requirements for nuclear security and safety.
• Conduct a technical assessment of the final design of a facility to ensure that it meets applicable requirements for nuclear security and safety before licensing activities or granting authorisation.
• Ensure that trustworthiness checks are implemented for personnel with access to sensitive information.

Operator Actions
• Identify the category of nuclear material to be protected against unauthorised removal as well as the possible radiological consequences of sabotage in order to ensure that nuclear security design requirements are met.
• Account for applicable regulatory requirements for nuclear security during the design stage, including for computer security, sustainability, contingency planning, emergency preparedness, incident reporting, trustworthiness, quality assurance, nuclear security culture and nuclear materials accounting and control, as applicable.
• Ensure that all organisations with nuclear security responsibilities relating to the facility participate in facility design activities. Coordinate nuclear security measures to be incorporated in the design with measures to be incorporated for other disciplines (e.g. safety, safeguards and operations) in order to compare relevant regulatory requirements, identify synergies and resolve potential conflicts.
• Review all aspects of the design to ensure the appropriate inclusion of nuclear security measures. Identify technologies and components (e.g. barriers, sensors and assessment systems) best suited to meet applicable regulatory requirements for nuclear security.
• Implement an information security programme for sensitive information used or generated during the nuclear facility design stage. This programme should be based on applicable regulatory requirements for information security.
• Assess the final design to ensure that it meets applicable regulatory requirements for nuclear security, and assess any proposed subsequent facility design changes that would affect nuclear security. Provide the final design of the systems and components that contribute to nuclear security to the competent authority for assessment and approval.
• Provide the competent authority with any subsequent design changes
The manual is written assuming that the INPRO assessor is primarily a technology
user, not a technology supplier or developer. However, the manual provides
guidance that is applicable to any developer of an AR and explicitly references the
need to address security early in the design process. For example, a sample of a
criterion from the manual is shown on the next page.
The second working group that has explored the implementation of ARs is within
the Generation IV International Forum (GIF).9 After issuing a roadmap in 2002, GIF
established a Proliferation Resistance and Physical Protection (PR&PP) Working
Group to develop measures and metrics for assessing PR&PP and an associated
evaluation methodology for ARs. Research and development have been conducted in
three areas: (1) safeguards and physical protection technology for each GIF system,
(2) formulation of PR&PP criteria and metrics, and (3) evaluation of the criteria and
metrics.
Although the GIF PR&PP and INPRO evaluation methodologies differ in their
implementation, they share the objective of ensuring that ARs are sustainable, safe
and reliable, and economically viable while minimising their risk of contributing
to proliferation and maximising their robustness against theft and sabotage. The
PR&PP methodology will be explored further in Chapter 5 of this report.
9 GIF is an international collective representing governments of 13 countries where nuclear energy is significant now and also seen as
vital for the future. Most participants are committed to joint development of the next generation of nuclear technology. The purpose of
GIF is to share R&D rather than build reactors.
10 The report is titled Evaluation Methodology for Proliferation Resistance and Physical Protection of Generation IV Nuclear Energy Systems,
(Revision 6).
Criterion CR10.1 INS design and Criterion CR10.2 INS layout
The following should be addressed for design and layout of INS components:
• Does the design attempt to preclude any single point vulnerability (single
target)?
• Has an assessment been conducted to identify sabotage target locations (vital
area) and theft target locations?
• Does the facility design consider mutual use of redundant support systems
from adjacent facilities in emergency situations (for multi-unit INS)?
• Has the layout maximised the spatial and physical separation of redundant
components or systems to facilitate PPS design and preclude collocation of
these components or systems in the same area?
• Has the layout considered stand-off vulnerabilities by setting targets far from
protected area boundary, and obscured the targets from off-site observation?
• Has the layout been designed to minimise need for vehicular traffic?
• Has the INS layout considered space needs of detection, assessment, delay,
• Has the INS layout considered minimising the number of potential adversary
paths?
• Does the layout reflect provisions for response force deployment (protected
pathways and deployment locations to interrupt and engage adversaries)?
Communicating International Guidance
An IAEA Integrated Nuclear Infrastructure Review (INIR) is a holistic peer review to
assist Member States in assessing the status of their national infrastructure for the
introduction of nuclear power. The review covers the comprehensive infrastructure
required for developing a safe, secure and sustainable nuclear power programme.11
While this is applicable for newcomer countries developing the infrastructure
required for a new nuclear power programme, it is also valid for countries wishing to
expand their existing nuclear power capacity.
2. REGULATORY ISSUES
Introduction
A fundamental requirement is that ARs must be able to be licensed in each country
that wishes to deploy the technology. In some countries, regulators and developers
are working together to address this challenge. For example, in the United States,
the Nuclear Energy Institute (NEI), a nuclear trade industry association, has set up
task forces on AR and micro-reactors and is working cooperatively with the United
States Nuclear Regulatory Commission (NRC) to inform NRC’s consideration of
the licensing of AR design, including from the perspective of physical protection
requirements.
NEI has taken the position that AR designers are incorporating engineered
physical security systems, hardware and features into their facilities, which will
considerably reduce or eliminate reliance upon an onsite response force. With
that in mind, NEI has put forward white papers proposing new physical protection
performance criteria for AR technologies. The proposed criteria are based on a
set of “performance capabilities” that will identify facilities with designs that are
considered to have reduced the likelihood of a successful radiological sabotage
through engineered safety and security features.13
NEI believes this approach would promote the establishment of a clear, predictable
and stable licensing process for AR technologies and avoid potential inefficiency
and uncertainty. NEI is of the view that if AR technologies are subject to existing
physical protection requirements, they will not be competitive, thus hindering their
development and deployment.
Other regulators may adopt similar or entirely different approaches with industry
and AR developers. In all cases, however, there will likely be a stakeholder
engagement process that will inform the rulemaking and licensing process.
Ultimately, the regulatory approach will be based on each State’s legal and
13 NEI (2016). NEI White Paper: Proposed physical security requirements for advanced reactor technologies.
Comparison of Regulatory Approaches
As part of its research for this paper, WINS interviewed officials from three
regulatory bodies that are actively addressing the licensing of advanced and small
modular reactor designs: the US Nuclear Regulatory Commission, the Canadian
Nuclear Safety Commission, and the UK Office for Nuclear Regulation. All three
regulators are facing similar challenges in the development of regulations for and
the approach to licensing of ARs.
The choice of regulators was made based on the accessibility of their regulatory
documents (written in English) and their availability for interview. Many ARs are
planned for deployment in other countries and under different regulatory regimes.
In the future a greater range of regulatory frameworks and their suitability for
regulation of AR designs should be considered as a separate special report.
The regulatory basis for this rulemaking was published in July 2019 for public
consultation. The NRC is preparing a proposed rulemaking that, if enacted, would
amend the NRC’s regulations to provide alternative specific physical security
requirements for ARs, which refers to light-water small modular reactors and
non-light-water reactors.14 The proposal is a limited-scope rulemaking that would
provide a clear set of alternative, performance-based requirements and guidance
for AR physical protection that would reduce the need for exemptions from current
security requirements when applicants request permits and licences.
This limited scope rulemaking would apply the insights from advances in designs
and safety research, retain the NRC’s overall security regulations framework,
and provide alternatives and guidance related to specific physical protection
requirements.
The initial focus of the rulemaking includes several prescriptive requirements. Two
are the requirement for a minimum of ten armed responders and the requirement
for an onsite secondary alarm station. The NRC also identified three performance
measures based on NEI proposals and stakeholder interactions that would determine
the applicability of revised security requirements for an AR design:
2. The plant features necessary to mitigate an event and maintain offsite doses below
the reference values in 10 CFR 50.34 and 52.79 cannot reasonably be compromised
by the DBT for radiological sabotage (e.g. no achievable target set resulting in
offsite doses exceeding the cited reference values given the design features and
security features incorporated into a specific AR facility).
In discussions with NRC, the commission was open to the idea that engineered
safety features (e.g. underground reactor siting) and smaller designs could reduce
the risk of theft and sabotage compared to large LWRs. They also noted that
improved engineered safety features are likely to slow accident progression from an
event, providing additional time for mitigation of effects. In fact, NRC is expected
to identify how a demonstration of compliance with the performance criteria could
obviate the need for armed responders. The NRC rulemaking is in progress, and a
proposed rule is planned to be published for public comment in 2021 and finalised by
2022, if approved by the NRC’s Commissioners.
In correspondence with WINS,15 ONR stated that they believe the GDA process
is suitable for assessing advanced modular reactor designs and will provide the
necessary framework for regulation. ONR noted that while the GDA process takes
place before a licence is granted and is not mandatory, they will still assess the
design drawing against their Security Assessment Principles (SyAPs) and related
guidance.
ONR published the SyAPs in 2017 to provide licensees with defined security
15 UK Office for Nuclear Regulation. (2020). Office for Nuclear Regulation Response to WINS SMR Questionnaire.
16 UK Office for Nuclear Regulation. (2017). Security assessment principles for the civil nuclear industry (Ver. 0).
“...the licensees are responsible for leadership, design, implementation, operation
and maintenance of security programs to protect the public from risks arising from a
radiological event caused by the theft or sabotage...”
2. Organisational Culture
3. Competence Management
8. Workforce Trustworthiness
Figure 2: ONR SyAPs Fundamental Security Principles for the Civil Nuclear Industry
According to ONR, they use the SyAPs, together with supporting Technical
Assessment Guides (TAGs), to guide regulatory judgements and recommendations
when undertaking assessments of security submissions through the full lifecycle
of an installation. The requirement for these submissions and ONR’s role in their
approval are underpinned by the legal duties placed on organisations subject to the
Nuclear Industries Security Regulations (NISR) 2003. As stated by ONR,17
The introduction of SyAPs is the foundation of outcome focussed regulation for all
constituent security disciplines: physical; personnel; transport; and cyber security and
information assurance. This is a pivotal shift in regulatory philosophy which aligns our
nuclear security regime with our mature non-prescriptive nuclear safety regime. This
alignment provides a consistent ONR approach for duty-holders across the UK civil
nuclear industry. The introduction of SyAPs has been made possible by the significant
improvements in security management capability and capacity, developed within
duty-holder organisations since the establishment of formal regulation under NISR
2003. Any prospective vendor would need to develop submissions for ONR assessment by
adopting this approach, which offers flexibility and demands a higher level of security
professionalism.
• A vital area (VA) identification methodology and subsequent study that uses
the UK DBT
• The VAs and operational technology that need to be protected within a high-
level concept of operations that outlines how security risks are designed-
out and remaining risks might be mitigated by designing-in security
commensurate with the maturity of the design
• A cyber risk assessment that explains how nuclear technology and specifically
computer-based systems important to nuclear safety will be protected
ONR security inspectors work as part of the wider ONR regulatory team to ensure
the design company incorporates SeBD across the full spectrum of the design. This
is especially pertinent for cybersecurity, where the designer must demonstrate
how instrumentation and control (I&C) systems are resistant to cyber threats.
This includes the potential for malware to be inserted within the supply chain, and
operators should not be solely reliant on air gaps.
Assessing any vendor’s security case… requires excellence in analysis of the vendor’s
Security Case (their claims, argument and evidence that underpin their arrangements),
drawing on Relevant Good Practice to inform security risk management. This requires
expertise in Vital Area identification and categorisation, theft risk assessments, and
cyber security risk assessments; in all cases, drawing from Safety analysis including
Fault Studies and other related assessments. This requires a high degree of safety and
security integration.
As part of its effort to modernise its nuclear security regulations and to address AR
designs and evolving threats, the CNSC has stated that it intends to move towards
performance-based nuclear security regulation that, where warranted, would
include less prescriptive requirements. This more flexible approach will allow
adaptation to a variety of NPP and AR designs. To support a performance-based
regulatory approach for SMRs, the CNSC developed and implemented technology-
neutral requirements and a risk-informed decision process. Specific security
requirements are established for all stages of the lifecycle of the nuclear facility,
and in particular during the conceptual design phase, to optimise the benefits of
security and reduce retrofit cost.
In correspondence with WINS, the CNSC has stated that it believes its regulatory
framework does provide the basis for assessing the nuclear security (physical
protection and cybersecurity) arrangements for ARs and other nuclear facilities
where nuclear materials are produced, processed, used and/or stored. However,
CNSC noted that in 2018 a number of industry, private and government partners
participated in a Pan-Canadian SMR Roadmap to develop a report on Canadian
readiness for SMRs. The SMR Roadmap reported that for nuclear security, in
some cases the current regulations would require SMRs to incorporate security
infrastructure comparable to today’s operating full-scale nuclear power plants.
Industry stakeholders and the CNSC were already engaged in discussions about
potential changes to these regulations to take a graded approach, commensurate
with size and risk, while continuing to ensure appropriate security coverage is
maintained.20
19 Duguay, R. (2020). Small modular reactors and advanced reactor security: Regulatory perspectives on integrating physical and cyber security by design to protect against malicious acts and evolving threats, and subsequent correspondence with and review by the CNSC.
This effort is still underway. The CNSC is currently in the process of reviewing
the nuclear security regulations and the associated REGDOC series. The proposed
amendments to the regulations will include provisions that consider nuclear
security measures for ARs that follow a graded approach.
• They believe that rulemaking is signalling that ARs are vulnerable to sabotage.
• They object to the performance measures identified by regulators, which have
• Eliminating offsite emergency planning would put the public at greater risk
from radiological sabotage.
• The required number of armed responders is based on the target sets and the
DBT. There needs to be a good explanation for why security requirements for
an AR would differ from a traditional large LWR.
The overarching concern in the submission of the UCS is that regulators will reduce
the required level of security for ARs below the current regulatory requirements,
introducing an unacceptable level of risk. Whether these objections are valid is,
of course, subject to debate. However, objections from concerned citizens and
stakeholder groups may not decrease, and regulators and developers need to
demonstrate to the public that the designs are sufficiently safe and secure and meet
regulatory requirements.
23 OECD Nuclear Energy Agency. (2004).Stakeholder involvement techniques: A short guide and annotated bibliography.
3. SECURITY CONSIDERATIONS FOR ADVANCED REACTOR DESIGNS
Introduction
It has to be remarked that not all design solutions improving safety and reliability will
necessarily improve robustness against acts of sabotage. Actually, it might be the other
way round; hence, any design solutions must balance the trade-off for the different
objectives and goals as well as take into account economical aspects.
EVALUATION METHODOLOGY FOR PROLIFERATION RESISTANCE AND PHYSICAL PROTECTION OF GENERATION IV NUCLEAR ENERGY SYSTEMS, REVISION 6
The potential value of ARs is significant, and their deployment could help address
global challenges such as energy security and climate change. However, to be
compliant with the legal and regulatory framework of the country it is to operate
in and consistent with that country’s international obligations, it is important to
demonstrate, at the design stage, and throughout the reactor lifecycle, that the
reactor will be secure and safe.
Some AR designs may be less susceptible to overheating and core damage. They
utilise passive safety features and as a result are less reliant on external sources
of power. In addition, some AR designers are incorporating engineered physical
protection systems into their designs and increasing the number of digital assets
for the purpose of automation, with a view to reduce or eliminate the reliance on
security personnel and reduce the cost of operation. Some developers are proposing
underground siting to defend against certain sabotage scenarios such as aircraft
crash.
The risk of theft or sabotage depends on the quantity of material and frequency of
refuelling (if any), which will vary based on the size of the reactor and its operating
cycle. Therefore, the specific technical characteristics of individual reactors and
the operational approach to their fuel supply will be important in assessing and
addressing this issue. This paper evaluates each of the three technologies against
security (physical protection) considerations, based on the work done by the PR&PP
Evaluation Methodology Working Group of the Generation IV International Forum
(Gen IV),25 as well as feedback from developers, regulators and other subject matter
experts.
Design: Molten Salt Reactor (MSR)
Opportunity for theft: Some fraction of the fuel inventory resides outside the core.
This does not make it more accessible or an easier target for theft as compared to
conventional designs. All salts are transferred as solid materials from the reactor
hot cell with strong radiation signatures. That limits the accessibility to fissile
components. Compared to conventional solid fuel reactors, there are no provisions for
fuel manipulation, no radiation damping medium (water) and in many molten salt
reactor designs the entire fuel circuit is permanently sealed, making it a very hard
target for theft.
Sabotage: Safety studies are needed before starting a real evaluation of the physical
protection features and resistance to sabotage. However, MSR designs appear to be
one of the least vulnerable designs.
24 Categorisation of nuclear material for the purposes of physical protection systems and measures is set out in the Annex to the CPPNM
and in IAEA NSS 13 (INFCIRC 225/Rev.5). See Appendix 2.
25 The following analysis of risk of theft and sabotage for the three reactor types is largely based on the Gen IV paper on Evaluation
Methodology for Proliferation Resistance and Physical Protection of Generation IV Nuclear Energy Systems, (Rev. 6).
26 The primary source for this table is the Gen IV PR&PP assessment.
In molten salt fuelled reactors, the fuel consists of fissile materials dissolved in a
salt, a mixture that becomes liquid at operation. In general, the design has no fuel
units such as fuel rods or assemblies, and the fissile element (uranium or thorium)
is mixed with the coolant in most designs. Molten salt fuelled reactors operate with
low-enriched uranium or thorium-based fuel. Molten salt fuelled reactors can be
refuelled online, allowing for extended, continuous reactor operation. Molten salt
fuelled reactor designs can range in size from tens of MWe to hundreds of MWe.
According to a 2015 report by Energy Process Developments Ltd, current molten salt
reactor designs do not breed new fuel, do not require online fuel reprocessing and
use the well-established enriched uranium fuel cycle.27
Gen IV assessed that from a security standpoint, the nature of MSRs precludes certain
releases, particularly gas releases, which limits the potential for sabotage. They also
use fluoride salt, which is hard to spread and not easy to extract. MSR designs appear
to be one of the least vulnerable designs from a security perspective, with a low risk
for theft of nuclear material and of dispersal of radioactivity.
Even the Union of Concerned Scientists, which as an organisation has been highly
concerned about the safety and security of ARs, has conceded that “the only non-
LWR design where the concept of significant core damage may not be strictly
applicable is an MSR reactor.”28 Likewise, GNI also assessed that MSRs have a low
vulnerability to theft of nuclear material and dispersal of radioactivity.29
TRISO-Based Reactors
Design: TRISO-based Very-High-Temperature Reactor (VHTR)
Opportunity for theft: Fresh fuel is the most likely target for theft or diversion.
However, recovery of usable nuclear material from fuel requires substantial effort of
both mechanical and chemical processing with a resulting product of less-than-
desirable nuclear characteristics. Furthermore, spent fuel is not a desirable target
for theft due to high radioactivity and the same intrinsic qualities as fresh fuel.
Sabotage: The reactor is designed to achieve passive safety to avoid release of
fission products under all conditions of normal operation and accidents. Systems
maintain the fuel temperature below fuel-damaging temperatures under all conditions.
Gen IV assessed that theft of either spent fuel or fresh fuel would be highly
challenging for a variety of reasons:
Gen IV studied the VHTR design and assessed sabotage as unlikely due to the
passive safety features of the reactor. Sabotage scenarios that were assessed were
considered not to have the potential to cause significant offsite consequences but
could be very expensive to recover due to lost operations and repair costs and would
be highly detrimental to public confidence. Gen IV provided a series of mitigating
steps in its report, including (inter alia):
• Quality controls at the fuel fabrication plant in the supplier nation
• Protection of the helium supply, the primary coolant contaminant monitoring
equipment, and the helium purification system
• Physical protection of and controlled access to fresh and spent fuel storage
locations, the inbound and outbound transportation loading systems, and the
transportation of fresh fuel from the fuel fabrication facility and of spent fuel
to processing or disposal facilities
The gas fast reactor (GFR) is helium-cooled, with the coolant under high pressure
(about 7 MPa) and at high temperature (about 850°C). It uses uranium fuel in silicon
carbide fuel rods. Some GFRs are being designed to operate for an estimated period
of 10 to 40 years without refuelling.
The size and design of fast reactors can vary considerably, which makes an overall
group assessment of the security risk challenging.
Design: Sodium Cooled Fast Reactor (SFR)
Opportunity for theft: Spent fuel has significant heat load and radioactivity.
Therefore, fresh fuel is more attractive. Some designs utilise breeder blankets that
have desirable isotopic composition and moderate radiation level and could be a
target for theft.
Sabotage: Passive decay heat removal protects the reactor from severe accidents with
potential for core damage.

Design: Lead Cooled Fast Reactor (LFR)
Opportunity for theft: For LFR designs, the radioactivity level is so high as to
require remote handling using methods and locations that create a substantial
barrier for access by non-state actors. In some designs, fresh fuel with plutonium
would be a theft target similar to mixed-oxide (MOX) assemblies of LWRs.
Sabotage: LFR can theoretically be indirectly sabotaged through an attack on the
shut-down systems. LFR can be sabotaged indirectly through an attack on the decay
heat removal systems. The spent fuel storage area can be indirectly sabotaged
through an attack on its cooling systems.

Design: Gas Fast Reactor (GFR)
Opportunity for theft: Designs that use reprocessing for fresh fuels are the most
attractive from a theft perspective. However, the fresh fuel can be produced using
group extraction of actinides which creates a radiation barrier.
Sabotage: Specific attention should be paid to the protection of the emergency
cooling systems on which the global safety of GFRs relies.

The long core lifetime of GFR designs (10 to 40 years without refuelling) improves
security and proliferation resistance by eliminating all aspects of onsite fuel
management.
31 The primary source for this table is the Gen IV PR&PP assessment.
In general, Gen IV assessed sabotage as unlikely because of the inherent safety
characteristics of the design. From a theft perspective, the fresh fuel is the more
attractive target because it has low radioactivity. Breeder blankets may also have
nuclear material with attractive isotopic composition at moderate radiation levels.
The spent fuel produces significant heat and radioactivity and must be cleaned
(removal of residual sodium) after extraction from the reactor vessel. This makes
transportation after cleaning, cooling and packaging potentially a more desirable
pathway for theft. The transport techniques and security arrangements will be quite
different between co-located and centralised fuel cycle strategies. For example,
reactors with co-located recycle facilities would require stringent security measures
to protect Category I plutonium. However, such an arrangement of co-located
recycle facilities is highly unlikely in practice.
The report concluded that all these system elements need to be protected from direct
sabotage attack, similar to a traditional LWR.
With respect to sabotage, the present design of GFRs offers a traditional set of
Microreactor designs vary, but most would have capacity of 1-20 MW of thermal
energy that could be used directly as heat or converted to electric power. They can
be used to generate clean and reliable electricity for commercial use or for non-
electric applications such as district heating, water desalination and hydrogen fuel
production.
Microreactors are much smaller than other designs. These reactors are extremely
compact. Components such as pumps, valves and others are largely located
outside of the reactor module, and items can typically be serviced online. Some
microreactors might even be smaller than most research reactor designs, although
no microreactors propose the use of HEU (common with research reactor designs).
This raises the question of how microreactors are to be regulated for security.
Does it depend on the thermal power of the reactor and the DBT?
To quote a senior nuclear security officer at the IAEA, the answer may simply be a
graded approach to protection.
reactor has a unique design and features that require the design of physical protection
systems to allow the facility’s mission to be accomplished while ensuring protective
measures are effective in a security event.”34
While this may be true for certain designs, developers will still find numerous
benefits by adopting security considerations early in the design process, especially
from a regulatory perspective. This is true even if the risk is evaluated as low. Table 5
outlines the potential benefits.
35 IAEA NSS 13 defines Category II material as uranium enriched from 10%-19.99% U-235 with 10kg or more of U-235.
Security challenge: Integration of safety and security
Regulatory benefit of considering security early in the design process: Early in
the development of the safety case, the designer should also begin to examine the
security case. The designer, in conjunction with security experts, can run security
assessments on the reactor design. The designer’s assessment of safety and security
will help inform the key regulatory documentation that will need to be submitted as
part of the licensing process, including the security plan.

Security challenge: Understanding of regulatory requirements
Regulatory benefit of considering security early in the design process: The
designer should consider the security guard force models and security checks. If
this will be required by the regulator, then these conversations about regulatory
expectations should commence early in the design process.

Table 5: Advantages of including security into the design of a reactor
To ensure the adoption of best practices, developers and their staff should undertake
professional development opportunities to ensure they are demonstrably competent
to address security challenges in their designs, such as cybersecurity. In addition,
they should have access to appropriate advice and expertise from subject matter
experts. NGOs such as WINS and NTI should develop training programmes to
educate AR designers about key security principles to ensure that security is taken
into account at the earliest stage of design, including in relation to procurement
decisions and the entire supply chain.
Introduction
Through a number of interviews, WINS has identified three primary concerns for the
developer community.
• Removing the human element reduces the potential for insider threat.
• Robotics and other technologies like drones and unstaffed equipment can
reduce security costs significantly by reducing the number of security
personnel required.
While the evolution of artificial intelligence, robotics and the development of more
autonomous systems may be beneficial from a safety and economic standpoint,
developers will also need to consider the increasing risks of cyberattacks, terrorism
and other potential emergent risks. Cybersecurity is especially important because
a number of ARs are initially intended to be used at remote locations, including
offshore, with minimal staffing. In addition, developers may need to address
increased security requirements for high-assay low-enriched uranium (HALEU) fuel
used in many designs.
These challenges are intertwined and will be further explored in the following
section of the report.
However, the categorisation tables in the CPPNM and IAEA NSS 13 distinguish
between LEU enriched under 10 percent and LEU enriched above 10 percent but
below 20 percent.36 Regulators will therefore distinguish between lower enriched
LEU and HALEU. For example, the US NRC separates special nuclear material (SNM)
into three categories (largely in line with NSS 13):
36 Appendix 2 provides a discussion of the historical basis for the distinction between LEU enriched under 10% and LEU enriched above
10% but below 20%.
• Category I (strategic SNM): any SNM with uranium enriched to 20 percent or
more uranium-235, uranium-233 or plutonium
The most comprehensive discussion on the topic was provided in a January 2018 NEI
White Paper on Addressing the Challenges with Establishing the Infrastructure for the
Front-end of the Fuel Cycle for Advanced Reactors. NEI writes that existing enrichment
facilities that are producing LEU of less than 5 percent uranium-235 would be
required to obtain an NRC licence amendment to produce HALEU fuel. Among other
issues, the security requirements would be different for portions of the facility with
Category II and III SNM which could create complexity in the plant modifications.
NEI also writes that following the events of 9/11, the NRC re-evaluated its security
requirements for Category I and III facilities. However, the NRC did not have a
Category II SNM facility licensed and as a result did not issue Category II facility
security orders. According to NEI, the NRC’s current policy is not to require
the physical protection systems of facilities with Category II SNM to protect
against a DBT for theft or diversion and radiological sabotage. Rather, for these
facilities, the NRC’s policy is to require licensees to meet a set of requirements, the
effectiveness of which has been evaluated based on NRC threat assessments as well
as consequence and security assessments for these facilities. The physical protection
requirements are generally graded based on the risk of the material being used for
malevolent purposes.
37 Note that in the unlikely situation that a developer chose to use a fuel enriched between 5-9.9% U-235, they would not be subject to
Category II security requirements.
NEI concludes that:
The lack of recent NRC licensing introduces additional uncertainty that could affect
both the timeliness and economics of the process. To limit this uncertainty, prior to
the initiation of a licensing effort, the NRC should update its plans for revision of 10
CFR Part 73 and development of associated guidance documents. The guidance should
cover Physical Security Plans for facilities licensed under 10 CFR 70.22(k) for SNM of
moderate strategic significance and address the changed threat environment. In the
interim, prior to completion of rulemaking, if needed, the NRC could establish Category
II SNM security requirements through the issuance of facility specific orders. The NRC
is expected to address this issue for medical isotope facilities that would be licensed to
possess Category II SNM at some time during 2018.
NRC is currently the only regulator that WINS was able to interview that is
considering HALEU as a separate issue from LEU generally. They are planning to
provide additional guidance, which was not yet complete at the time of this report
drafting.
Remote Siting
A significant number of ARs (such as heat pipe reactors) are initially intended to
be used at remote locations, including offshore in some instances. However, the
difficulty of physical access to remote sites can present both security benefits and
disadvantages.
Potential Benefits
• It may be harder for adversaries to reach and access the site for a physical
attack.
• For a sabotage scenario, the impact and consequences may be lower because of
design mitigation strategies.
Potential Challenges
• It will be difficult for any offsite response force to access the site in a timely
manner.
The biggest question with remote siting may be the line between acceptable and
unacceptable offsite radiological consequences to human beings. However, siting
has many considerations beyond just security, including natural hazards and EIAs.
EIAs and other regulatory requirements are unlikely to allow for a “relaxation” of
safety and security standards due to the remoteness of a facility.
Transport of Fuel
As previously mentioned, remote siting of an AR raises the question of fuel
transport. Most AR systems are likely to rely on offsite fuel fabrication facilities
for fresh fuel supply. In addition, they will all require transportation of the spent
fuel to a disposal site, a high-level waste storage or reprocessing facility. The
requirement to transport fresh or spent fuel will depend on the fuel cycle technology
configuration (co-located or centralised).38
In some cases, there are outstanding questions as to whether the reactors will be
transported fuelled or whether the fuel will be transported separately. It largely
depends on the size of the reactors. Microreactors may be shipped fuelled or have
the fuel shipped separately, as with a traditional NPP. Either way, it is important
that AR designers consider transport during the entire fuel cycle including during
decommissioning.
The issue of transport packaging is a primary concern that has arisen while
undertaking this research. From interviews with AR stakeholders, no AR companies
are working on fuel package designs, in some cases because they are still early in the
design process. In its 2018 White Paper on Addressing the Challenges with Establishing
the Infrastructure for the Front-end of the Fuel Cycle for Advanced Reactors, NEI stated
that industry will need:
38 Generation IV International Forum. (2011). Evaluation Methodology for Proliferation Resistance and Physical Protection of Generation IV
Nuclear Energy Systems, (Rev. 6).
Development of a new shipping package, certified for safe transport of uranium
hexafluoride with enrichments from 5% to less than 20% uranium-235. In addition
shipping packages will need to be designed, tested and certified for deconverted HALEU
forms (e.g., oxide or metal) as well as the manufactured fuel being transported from the
manufacturer to the reactor site.
Cybersecurity
From our discussions with regulators and developers, the approach taken to
addressing cybersecurity for ARs, up to now, has not differed from that for existing
traditional LWRs. The general view is that there is nothing unique about AR
beyond the potential for remote siting. Just like traditional LWRs, AR designers
need to identify cybersecurity considerations from inception to decommissioning.
The development of cybersecurity solutions for AR relies upon understanding
the threat landscape and capabilities of the adversaries against digital systems
that will perform sensitive or higher consequence facility functions. That means
consideration of information security for design documents, cybersecurity
consideration in the supply chain, classification of digital assets and defensive
cybersecurity architecture.
Operational technology (OT) is the term used for systems that control and/or
monitor physical processes. Industrial control system (ICS) is the term used to
broadly describe operational technologies (both analogue and digital) that support
industrial processes.39 The term instrumentation and control (I&C) system describes
the operational technology that provides safety and security functions within
nuclear facilities. I&C systems play a critical role in ensuring the safe and secure
operation of nuclear facilities. As digital technologies continue to evolve, they are
increasingly being incorporated into and integrated with I&C systems.40 New nuclear
facility designs use highly integrated digital I&C systems to efficiently and
simultaneously handle vast quantities of process data while requiring less human
interaction and
Both simple and complex I&C systems within a nuclear power plant may be subject
to a cyberattack. These systems have become more and more automated and they
have been designed to allow remote maintenance and monitoring, which increases
efficiency. Remote access to systems, whether for maintenance or monitoring,
should be restricted as it may provide a possible entryway for cyberattacks. I&C
systems, whether complex or simple control systems, should be protected from
cyberattack to ensure their availability and reliable operation.
• NST045 (approved for and pending publication as NSS 42-G) Computer Security for
Nuclear Security: NST045 provides guidance on developing, implementing and
integrating computer security as a key component of nuclear security, and on its
interfaces with nuclear safety and other elements of a state’s nuclear security
regime. NST045 addresses the roles and responsibilities of state organisations,
other responsibilities, and the activities involved in developing, implementing and
sustaining a state strategy and plan on computer security for nuclear security.
• NST047 (Approved for and pending publication as NSS 17-T Rev. 1) Computer
Security Techniques for Nuclear Facilities: NST047 provides guidance on
implementing computer security at nuclear facilities with the aim to prevent
and protect against unauthorised removal of nuclear material, sabotage of
nuclear facilities, and unauthorised access to sensitive nuclear information
throughout the lifecycle of the facility.
• NSS 33-T Computer Security of Instrumentation and Control Systems at Nuclear
Facilities: NSS 33-T provides technical guidance for the secure design and
protection of individual I&C systems at nuclear facilities through computer
security against malicious acts that could prevent such systems from performing
their safety and security related functions.
• NSS 23-G Security of Nuclear Information provides guidance on implementing
the principles of confidentiality, integrity and availability and on the broader
aspects of information security in relation to sensitive information within
nuclear security regimes and in particular in nuclear facilities. NSS 23-G was
created with the goal of assisting States in bridging the gap between existing
government and industry standards on information security in general, the
particular concepts and considerations that apply to nuclear security, and
the special provisions and conditions that exist when dealing with nuclear
material and other radioactive material.
Cybersecurity Standards
From our interviews, regulators are not yet addressing cybersecurity for ARs during
the design licence certification process. For example, the US NRC plans to address
the matter in a later stage because they do not yet fully understand the potential
radiological consequences of a cyberattack. There is not yet enough information
to evaluate the issue thoroughly. In the United States designers will need to be
compliant with North American Electric Reliability Corp. Critical Infrastructure
Protection standards Version 5, among others. Operators are also required to submit
a cybersecurity plan for approval by the US NRC that demonstrates they satisfy
the requirements of 10 CFR 73.54, Protection of digital computer and
communication systems and networks.42 This regulation lists a set of high-level
requirements that must be demonstrated as part of the operators’ cybersecurity
plan.
protected from cyberattacks under 10 CFR 73.54. This guide sets out a list of security
controls recommended to be applied by the licensee. The basis of this guidance is
NIST SP 800-53 (Revision 3) and NIST SP 800-82.
42 NRC. (2017). § 73.54 Protection of digital computer and communication systems and networks.
43 NRC. (2010). Regulatory Guide 5.71: Cybersecurity programs for nuclear facilities.
In Canada, the CSA standard on cybersecurity, N290.7, applies to nuclear power
plants and small reactor facilities. This standard addresses cybersecurity at nuclear
power plants and small reactor facilities for the following computer systems and
components:44
b. Nuclear security
c. Emergency preparedness
d. Production reliability
e. Safeguards
The key is to manage risk and direct limited resources towards protecting digital
systems and assets based on their relative value or importance. The IAEA guidance
publications on information and computer security address this through processes
that consider the maximum consequence of compromise of the facility function (i.e.
graded approach) while taking into account the additional connectivity provided by,
enabled interactivity of, and resulting trust relationships between computer-based
systems that require protection and preservation of the function they perform (i.e.
defence in depth).
44 ANSI. (2020). N290.7-14 - Cyber security for nuclear power plants and small reactor facilities.
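The graded, trust-aware assignment described above can be made concrete. The following Python is an added example written for this page, not code from WINS, the IAEA or any reactor developer; the five-level scale, the asset names and the data flows are constructed assumptions. It gives each digital asset a baseline level from the worst consequence of losing the function it performs, then raises the required level of any asset that a more consequential asset trusts, so that a vendor remote-access path feeding a safety system inherits the safety system's protection requirement (the entry point the preceding section warns about).

```python
"""Graded, consequence-driven protection levels for digital assets.

Added illustration; not code from the WINS report or the IAEA guidance it cites.
The scale, asset names and flows are constructed for the example.

Step 1 (graded approach): each asset gets a baseline level from the worst
consequence of losing the facility function it performs.
Step 2 (trust relationships / defence in depth): for every data flow
(source -> sink) that the sink acts on, the source must be protected at least
as well as the sink, because compromising the source is a path to the sink's
consequence. Requirements propagate against the flow direction to a fixpoint.
"""
from collections import defaultdict

# Lower number = higher consequence = more stringent controls (assumed 5-level scale).
CONSEQUENCE_LEVEL = {
    "radiological_release": 1,
    "loss_of_safety_function": 2,
    "loss_of_security_function": 2,
    "production_loss": 4,
    "none": 5,
}


def baseline_levels(assets):
    """assets: {asset_name: worst consequence of compromise} -> {asset_name: level}."""
    return {name: CONSEQUENCE_LEVEL[cons] for name, cons in assets.items()}


def required_levels(assets, flows):
    """Propagate protection requirements against the direction of trusted data flows.

    flows: iterable of (source, sink) pairs meaning the sink acts on data or
    commands from the source without an independent check. A flow that passes
    through a device removing the sink's dependence on the source is not a trust
    relationship and should simply not be listed.
    Raises KeyError for an asset named in a flow but missing from `assets`, so an
    uninventoried system cannot silently escape assessment.
    """
    levels = baseline_levels(assets)
    sinks_of = defaultdict(list)
    for source, sink in flows:
        for name in (source, sink):
            if name not in levels:
                raise KeyError(f"asset {name!r} appears in a flow but is not inventoried")
        sinks_of[source].append(sink)

    changed = True
    while changed:  # fixpoint iteration; terminates because levels only decrease
        changed = False
        for source, sinks in sinks_of.items():
            needed = min(levels[s] for s in sinks)
            if needed < levels[source]:
                levels[source] = needed
                changed = True
    return levels


def uplifts(assets, flows):
    """Assets whose required level is stricter than their own consequence justifies.

    Returns {asset: (baseline_level, required_level)}. These are the systems most
    often overlooked, e.g. a remote maintenance path into a safety system.
    """
    base = baseline_levels(assets)
    required = required_levels(assets, flows)
    return {a: (base[a], required[a]) for a in assets if required[a] < base[a]}


# Constructed sample inventory for a hypothetical plant (not any real design).
ASSETS = {
    "reactor_protection_system": "loss_of_safety_function",
    "plant_control_system": "production_loss",
    "data_historian": "production_loss",
    "engineering_workstation": "none",      # used to load setpoints
    "remote_maintenance_gateway": "none",   # vendor access path
}
FLOWS = [
    ("engineering_workstation", "reactor_protection_system"),
    ("engineering_workstation", "plant_control_system"),
    ("remote_maintenance_gateway", "engineering_workstation"),
    ("plant_control_system", "data_historian"),
    ("reactor_protection_system", "data_historian"),
]

if __name__ == "__main__":
    for asset, (before, after) in sorted(uplifts(ASSETS, FLOWS).items()):
        print(f"{asset}: level {before} -> {after} (inherited through trusted flows)")
```

Running the script lists the two assets whose requirement was uplifted: the engineering workstation and the remote maintenance gateway both end at level 2 because the reactor protection system acts on what they send, while the historian, which only receives, stays at its own level. In a real assessment the flows list is the product of the data-flow analysis at each zone boundary, and the consequence scale is the regulator's, not this one.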
The design of the control systems may use some commercial off-the-shelf items,
but NuScale will work with suppliers to understand the threat vector. The design
of the NuScale protection systems does not have a runtime environment (that is,
infrastructure that supports the running of a particular programme) for software.
Instead, all logic is hardcoded for operations, which, in NuScale’s assessment,
makes the OT very difficult to change and particularly resilient against cyberattacks.
not discussed here such as supply chain security that need further review.
Introduction
The most commonly observed security design model focuses on the implementation
of conventional physical protection and cybersecurity controls after the facility
design is largely set. However, the most effective and efficient security can be
realised when it is incorporated into every aspect of design – from pre-conceptual,
conceptual and preliminary final design to construction, maintenance and
operation.
SeBD means including security within the systems engineering for the facility,
thereby reducing security risks at the source rather than relying on only physical
protection measures. It cannot be implemented solely by design engineers, security
managers or nuclear safety assessors. It requires a commitment – from the chief
executive down – to make security a primary design consideration on a par with
nuclear safety. It also requires a coordinated approach by all parties, including
operators, project managers and regulators.45
ONR provides guidance that such measures can be articulated within a security
hierarchy of controls as outlined in Figure 3. This hierarchy is based on a similar
control model used in safety. Application of this hierarchy should reduce the need
for, and reliance on, protective security systems and the challenges placed on them.
45 WINS. (2014). BPG 4.1 Implementing security by design at nuclear facilities, (Ver. 2.1).
46 In the authors’ view, ‘intrinsic’ and ‘inherent’ security is a distinction without a difference.
47 ONR. (2017). Security assessment principles for the civil nuclear industry (2017 Edition, Ver. 0).
Figure 3: ONR Secure by Design Hierarchy of Controls. The figure orders the tiers
from top to bottom and annotates them with two arrows, "Increasing Effectiveness"
and "Increasing Cost":
1. Elimination: reduce/remove nuclear material/other radioactive material inventory
(e.g. redundant sources) or regularly weeding sensitive nuclear information.
2. Substitution: changing or swapping processes such as using off site delivery
points, using less hazardous sources or annexing sensitive nuclear information in
documents.
3. Passive engineering: passive protection measures such as static hostile vehicle
mitigation, remote handling operations to minimise/prevent access, air gaps and
demilitarised zones for cyber security.
4. Operational/human factors: includes policy and procedures such as searching,
two-person principles, password control and manual alarm assessment.
According to the Gen IV PR&PP Working Group, the interest in SeBD is based on a set
of assumed, but nonetheless credible, potential benefits:48
2. Improved resilience, through greater use of more reliable security and safety
engineering solutions
In its 2013 Security by Design Handbook, Sandia National Laboratories (SNL) further
explains why SeBD is so important. It outlines historical problems with the design
of nuclear facilities due to security not being taken into consideration during the
design stage (Table 8). According to SNL, all of these factors resulted in higher costs
to develop and upgrade PPS to meet the changing threat and limited the potential for
such systems to evolve over time.
Historical issue: PPS designs created with either no consideration of the threat or
based only on consideration of the current threat
Consequence: As time progressed after construction, the threats to the nuclear
facility have typically become more capable. As a result, licensees have been faced
with the dilemma of making PPS improvements that are very expensive, have large
negative operational impacts, or are not consistent with social norms in the host
country; or having to accept a higher risk associated with newer, more capable
threat attacks. For example, the following threats currently discussed in
INFCIRC/225/Revision 5 caused relatively little concern 25 years ago:
• Cyber threats
• Insider threats
• Stand-off attacks

Historical issue: Lack of proper integration between security and operations,
safety, and safeguards, leading to inefficiencies
Consequence: The conflicts between security and other important functions, such as
operations, safety, and safeguards, were not anticipated early in the design phase,
forcing uncomfortable trade-offs between requirements that were solved in ways that
impacted the effectiveness of the PPS. At the same time, designers did not exploit
possible ways in which security and other functions could be improved to benefit
both security and the other function(s).

Table 8: Security by Design Handbook – Historical issues with nuclear facility design and
security
Implementing Security by Design
Through its workshops, research, discussions and interviews with a number of
experts in SeBD, WINS has identified three prominent SeBD implementation and
evaluation methodologies that have been developed and published as the following
documents:49
Security by Design Handbook
SNL published the Security by Design Handbook to describe an approach to SeBD,
starting with a strategy for achieving SeBD, and then showing how that strategy
can be implemented. The approach is explained with the framework of the IAEA’s
three-phase Milestones Approach for developing a nuclear power programme in a
country. It also addresses SeBD within the context of the objectives and fundamental
principles of INFCIRC/225/Rev. 5.
49 Developers may also be interested in the US NRC’s Nuclear Power Plant Security Assessment Guide (NUREG/CR-7145) which provides
detailed guidance for the format and content of a security assessment. NRC encourages design certification and combined licence
applicants to use the guidance to optimise physical security during the design phase.
The handbook is divided into four sections (Table 8).
Section | Contents
--- | ---
Section 2: Security by Design | Provides an overview of the SeBD framework and discusses the value of using that framework to develop NPPs and NFs.
Section 4: SeBD Principles and Practices | Principles and their associated practices for SeBD are described in this section, including useful practices that support each of the 12 Fundamental Principles found in INFCIRC/225/Rev. 5. If adopted, these principles and practices are expected to provide high confidence in both the effectiveness and sustainable operation of the PPS.
Section 5: Detailed Application of the Principles and Practices | Describes in some detail how the SeBD framework has been and can be applied. The section includes discussion of specific practices that competent authorities can take to encourage the application of SeBD, on one hand, and that designers can take to help implement SeBD at the facility layout level. There is also a section on how adversary capabilities might change in the future and possible countermeasures that designers can employ now to be ready for those changes. This is provided to give some general guidance to designers on how to protect against the possibility that those trends may materialise in future DBTs/TAs.
3. Engineer features into the design of the facility, plant or process that have security functionality
Prior and Barnes identify and characterise seven key SeBD principles:
2. Integrated design: The pursuit of an integrated security design solution through the use of integrated design teams. These comprise security professionals working with safety colleagues and nuclear engineers to apply the SHoCs, and select design options, in an integrated way.
Seek close alignment of the potential emergency planning zone and the asset perimeter
7. Common and nuclear design principles: Principles 1-6 are focused on the application of the SeBD concept. The existing common and nuclear security principles (i.e. defence in depth) are still relevant to the design process and should be applied during the development and consideration of security control options.
Prior and Barnes also describe a process for implementing their methodology. These
stages are:
Stage 0 - Preparation
Stage 1 - Concept
Stage 2 - Development
Stage 3 - Production
Stage 5 - Retirement
Because the process is aligned with international and UK standards for systems
engineering lifecycle management,50 it would be relatively simple for a developer to
synchronise with the stages. However, the full process is commercial in confidence.
If an interested organisation is unable to gain access to this process, the next
methodology may be helpful for AR developers.
[Figure: PR&PP evaluation methodology – Challenges: Threat Definition; Estimation of Measures; Pathway Comparison; Outcomes: System Assessment and Presentation of Results]
50 The SeBD process stages are aligned to the system lifecycle stages presented in BSI BS ISO/IEC/IEEE 24748-1 Systems and Software
Engineering – Lifecycle Management.
The methodology is organised to allow evaluations to be performed at the earliest
stages of system design and to become more detailed and more representative as
design progresses. Results are intended for three types of users: system designers,
programme policy makers, and external stakeholders. Programme policy makers
will be more likely to be interested in the high-level results that discriminate among
choices, while system designers and safeguards experts will be more interested in
results that directly relate to design options that will improve PR&PP performance.
For physical protection threats, the actor is considered a non-State adversary. The
actors’ characteristics are defined by their objective, which may be either theft or
sabotage, and their capabilities and strategies. The threats include:
• Radiological sabotage
• Material theft
• Information theft
When threats have been sufficiently detailed for the particular evaluation, analysts
assess system response, which has four components as previously outlined in
Figure 4:
The goal of PR&PP assessment is, by comparing pathways, to identify those that
an adversary most likely will pursue and to provide a basis for decision makers
to prioritise investments in safeguards and PP resources. After completing
the assessment, investments to reduce risk can be evaluated using the PR&PP
measures. Risks and investment needs can also be compared broadly across critical
infrastructure and key assets, allowing optimal investments to identify and reduce
the largest sources of vulnerability.
The PR&PP Working Group developed the methodology with the aid of a
series of studies based on an Example Sodium Fast Reactor (ESFR). The ESFR
is a hypothetical nuclear energy system consisting of four sodium-cooled
fast reactors of medium size co-located with a dry fuel storage facility and a
pyrochemical spent-fuel reprocessing facility. The objectives of the case study
were to:
To facilitate the analysis, the case study threat space was divided into four major
categories, including one category on theft of weapons-usable material or
sabotage of facility system elements. The theft and sabotage threat pathway
analysis found that multiple targets and pathways exist. The most attractive
theft target areas were found to be the LWR spent-fuel cask parking area, LWR
spent-fuel storage, the fuel services building staging/washing area, the fuel
conditioning facility air hot cell, and the fuel conditioning facility inert hot cell.
Basic lessons learned from the case study included the following:
One particularly useful step will be to commission a peer review. WINS is a strong
proponent of peer review for nuclear security and has developed detailed guidance in
this area for operating nuclear facilities.
For facilities in the design stage, a security peer review should be performed to
ensure the quality of the product. According to Gen IV, two types of peer review have
been widely used and provide different types of support during the design stage:
In-process peer review brings an expert group of practitioners and decision makers
into the process at regular intervals to be fully briefed on the status of the work and
any known problem areas. Independent peer review allows objectivity through the
review of the finished product by independent outside experts who have not been
involved in the evaluation.
organise peer reviews and share best practices and lessons learned in SeBD. A forum
for developers to organise reviews and share information could be organised by NTI
and/or WINS.
CONCLUSION AND RECOMMENDATIONS
Throughout this report, WINS has promoted the need to engage with key
stakeholders during the early stages of AR design. Currently, the interested parties
tend to be AR technology developers, nuclear industry associations, regulators and
governmental departments, but future applications may be through other entities,
for example electricity utilities, industrial institutions and national nuclear energy
agencies or research institutions.
With this in mind, and as a consequence of the material covered in this report, WINS
makes the following recommendations to help developers and other stakeholders
address security by design and move forward with constructive licensing processes:
Recommendation 1
Recommendation 2
Recommendation 3
To gain the requisite expertise, developers and their staff should complete
training and ensure access to professional development opportunities to ensure
they are demonstrably competent to address security challenges in their designs,
such as cybersecurity. In addition, they should have access to appropriate advice
and expertise from subject matter experts.
NGOs such as WINS and NTI should develop training programmes to educate
AR designers about key security principles and ensure that security is taken into
account at the earliest stage of design, including in relation to procurement
decisions and the entire supply chain.
Recommendation 4
WINS is a strong proponent of peer review for nuclear security. For facilities in
the design stage, a security peer review using the SeBD methodologies available,
should be considered. Two types of peer review have been widely used and provide
different types of support during the design stage:
ARES Security Corporation. (2020). The use of security risk assessment (SRA) tools for nuclear power plant security assessment.
Badwan et al. (2015). SMR design considerations for security and MC&A/safeguards developed by USA and Russia. Proliferation Resistance and Physical Protection Evaluation Methodology Working Group.
Bari, B., Whitlock, J., Therios, I., & Peterson, P. (2012). Proliferation Resistance and Physical Protection Working Group: Methodology and applications.
Barnes, R. A. (2020). Secure by design – Guidance document principles and methods. Rolls-Royce Civil Nuclear UK.
Brown, A., & Glaser, A. (2016). On the origins and significance of the limit demarcating low-enriched uranium from highly enriched uranium. Science & Global Security, 24(2).
Buongiorno, J., Parsons, J., Corradini, M., & Petti, D. (2018). The future of nuclear energy in a carbon constrained world – An interdisciplinary MIT study. MIT Energy Initiative, Massachusetts Institute of Technology. www.energy.mit.edu/research/future-nuclear-energy-carbon-constrained-world
Buongiorno, J., Shirvan, K., Baglietto, E., Forsberg, C., Driscoll, M., Einstein, H., Macdonald, I., Stewart, W. R., Velez-Lopez, E., Johnston, K., & Hashimoto, G. (2020). Japan’s Next Nuclear Energy System (JNext): Final report. Center for Advanced Nuclear Energy Systems.
Buongiorno, J., et al. (2020). Japan’s Next Nuclear Energy System (JNext). MIT-ANP-TR-187 Rev. 1.
Buster, G., Laufer, M., & Peterson, P. (2015). Fracture analysis of reduced diameter spherical graphite fuel elements under diametrical loading conditions. University of California, Berkeley.
Dahl, F. (2020). Director General Grossi outlines plans to ‘recalibrate’ IAEA. IAEA Office of Public Information and Communication.
Duguay, R. (2020). Small modular reactors and advanced reactor security: Regulatory perspectives on integrating physical and cyber security by design to protect against malicious acts and evolving threats.
IAEA Bulletin. (2020). Finding the right fit: How nuclear security is incorporated into research reactors. www.iaea.org/newscenter/news/finding-the-right-fit-how-nuclear-security-is-incorporated-into-research-reactors
Lyman, E. (2019). Comments on the Draft Regulatory Basis for the Rulemaking for Physical Security for Advanced Reactors.
OECD Nuclear Energy Agency. (2017). The strategic plan of the Nuclear Energy Agency 2017-2022. Organisation for Economic Co-operation and Development.
Prior, A., & Barnes, R. (2020, 15-19 March). Nuclear security and safety – Secure by design. Proceedings of ICAPP.
Sambuu, O., & Obara, T. (2014). Comparative study on HTGR design for passive decay heat removal. Progress in Nuclear Energy, 82. doi:10.1016/j.pnucene.2014.07.013
Stouffer, K., Lightman, S., Pillitteri, V., Abrams, M., & Hahn, A. (2015). Guide to Industrial Control Systems (ICS) Security. NIST Special Publication 800-82 (Rev. 2). US National Institute of Standards and Technology.
UK Office for Nuclear Regulation:
• (2020). Office for Nuclear Regulation Response to WINS SMR Questionnaire. Correspondence dated 2020-06-05.
• ONR-GDA-GD-007 (May 2019). New nuclear power plants: Generic design assessment technical guidance (Rev. 0).
• (July 2019). Guide for Smaller Dutyholders to the Application of the Security Assessment Principles.
• (2017). Security assessment principles for the civil nuclear industry (Ver. 0).
Wilkes, A. B. (2019, 11-14 June). Lessons from research for making nuclear energy cool. Technical Meeting on Stakeholder Involvement and Communication for New and Expanding Nuclear Power Programmes.
World Institute for Nuclear Security. (2014). BPG 4.1 Implementing security by design at nuclear facilities (Ver. 2.1).
World Institute for Nuclear Security. (2019, 20-21 November). Workshop report: Security of small modular reactors.
ACRONYMS AND ABBREVIATIONS
AR Advanced reactor
GSR Generic Security Report
TA Threat assessment
TRISO Tristructural-isotropic
VA Vital area
The field “main applications” is referred to in the introduction section of this paper,
where five applications are envisioned for new nuclear:
a. Generation of carbon-free electricity for national power grids and macro grids
d. Generation of power and heat for niche markets and micro-grids; niche
applications of micro-reactors
Note that the BWRX-300, Rolls-Royce and NuScale reactor projects are not in the
table because they are LWRs. BWRX-300, NuScale and Rolls Royce SMRs have some
advanced features, but they lack TRISO or molten salt fuel, and they have a thermal
neutron spectrum. Consequently, although novel, they are outside the scope of
this report. While ARs have been defined based on their fuel and type of neutron
spectrum, they can also be defined based on their primary coolant, typically helium,
sodium, lead and salt.
Acronym | Name | Developer | Country | Power | Coolant | Neutron spectrum | Fuel form | Enrichment | Refuelling | Main applications | Status
--- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | ---
BN-1200 | BN-1200 | JSC Afrikantov OKBM (subsidiary of Rosatom) | Russia | 1220 MWe | sodium | fast | fuel rods | 20-80% Pu | every 12 months | a | construction
PRISM | Power Reactor Innovative Small Module | GE-Hitachi | USA | 311 MWe | sodium | fast | fuel rods | 26% Pu | every 18 months | a&e | design
Aurora | Aurora | Oklo Inc. | USA | 1.5 MWe | sodium | fast | cells in a hexagonal lattice | <20% | never | d | design
e-Vinci | e-Vinci | Westinghouse | USA | 1 to 5 MWe | sodium / potassium | epithermal | UO2 pellets in a metallic matrix | 19.75 | never | d | design
TWR | Traveling Wave Reactor | Terra Power | USA | 300 to 1150 MWe | sodium | fast | fuel rods | not available | fuel moving permanently and replaced every 20 years | a&e | design
Xe-100 | Xe-100 | X-Energy | USA | 75 MWe | helium | thermal | TRISO pebbles | 15.5% | online | a&c | design
HTR-PM | High Temperature Gas Cooled Reactor - Pebble Bed Module | Tsinghua University | China | 105 MWe | helium | thermal | TRISO pebbles | 8.5% | online | a&c | construction
MIGHT-R | Modular Integrated Gas High Temperature Reactor | MIGHTR LLC | USA | 60 to 150 MWe | helium | thermal | TRISO in hexagonal blocks | <20% | every 18 months | a&c | design
U-battery | U-battery | Urenco | UK-Netherlands | 4 MWe | helium | thermal | TRISO in hexagonal blocks | not available | every 5 years | d | design
IMSR | Integral Molten Salt Reactor | Terrestrial Energy | Canada | 194 MWe | molten salt | thermal | molten salt | <20% | every 7 years | a&c | design
CMSR | Compact Molten Salt Reactor | Seaborg Technologies | Denmark | 100 MWe | molten salt | thermal | molten salt | <20% | never | a, c | design
KP-FHR | Kairos Power Fluoride-salt-cooled High-temperature Reactor | Kairos | USA | 140 MWe | fluoride salt | thermal | TRISO pebbles | 19.75% | online | a&c | design
SSR | Stable Salt Reactor | Moltex | UK-Canada | 150 MWe | fluoride salt | thermal | fluoride salt in fuel assemblies | not available | online | a&c | design
ALFRED | Advanced Lead Fast Reactor European Demonstrator | Ansaldo Nucleare | European Union | 125 MWe | lead | fast | fuel rods | 30% Pu | every 12 months | a&e | design
MYRRHA | Multipurpose Hybrid Research Reactor for High-tech applications | SCK-CEN | Belgium | 100 MWt | lead-bismuth | fast | fuel rods | 30% Pu | every 3 months | e | design
Table 1. AR technologies (column headings other than “main applications” are not present in the extracted text and have been inferred from the row contents)
According to Brown and Glaser, the formula suggests the amount of material needed
for a 1-kt explosion is as low as 2.3 kg for weapons-grade highly enriched uranium
(93 percent U-235), or about 31 kg of 20% enriched uranium. The underlying
assumptions for this 1954 assessment are inconsistent with the definition later
adopted by the International Atomic Energy Agency, which considers uranium
enriched up to 20 percent U-235 as “indirect use material” that cannot be used for
“the manufacture of nuclear explosive devices without transmutation or further
enrichment.” The 1954 reference calculations can also be compared to those that
were later adopted by the International Atomic Energy Agency, which are about
4–12 times higher. Regardless, the classification levels outlined (Categories I/II/III)
became the de facto standard and were integrated into IAEA INFCIRC/225 Rev. 1 in
1975.
51 Brown, A. & Glaser, A. (2016). On the origins and significance of the limit demarcating low-enriched uranium from highly enriched uranium.
Science & Global Security 24(2).
Material | Form | Category I | Category II | Category III (a)
--- | --- | --- | --- | ---
Plutonium (b) | Unirradiated (c) | 2 kg or more | Less than 2 kg but more than 500 g | 500 g or less but more than 15 g
Uranium-235: uranium enriched to 20% 235U or more | Unirradiated (c) | 5 kg or more | Less than 5 kg but more than 1 kg | 1 kg or less but more than 15 g
Irradiated fuel* | | | Depleted or natural uranium, thorium or low enriched fuel (less than 10% fissile content) (e, f) |
a. Quantities not falling in Category III, natural uranium or thorium should be protected at least in accordance with prudent management practices.
b. All plutonium except that with isotopic concentration exceeding 80% in Pu-238.
c. Material not irradiated in a reactor or material irradiated in a reactor but with a radiation level equal to or less than 1 Gy/hour (100 rad/hour) at one metre unshielded.
d. n/a - not applicable
e. Although this level of protection is recommended, it would be open to States, upon evaluation of the specific circumstances, to assign a different category or physical protection.
f. Other fuel which by virtue of its original fissile material content is classified as Category I or II before irradiation may be reduced one category level, while the radiation level from the fuel exceeds 1 Gy/hour (100 rad/hour) at one metre unshielded.
* The categorisation of irradiated fuel in this table is based on international transport considerations. The State may assign a different category for domestic use, storage and transport, taking all relevant factors into account.
2020 © World Institute for Nuclear Security (WINS) All rights reserved.
Landstrasser Hauptstrasse 1/18, 1030 Vienna (Austria).
+43 1 710 6519 | info@wins.org | www.wins.org
International NGO under the Austrian Law BGBI. Nr. 174/1992
GZ: BMeiA-N9.8.19.12/0017-I.1/2010
WINS(20)25
ISBN: 978-3-903191-75-4