Security of Advanced Reactor WEB

WINS Special Report Series

Security of
Advanced Reactors

August 2020
World Institute for Nuclear Security

Acknowledgements
Foreword
Executive Summary
Introduction

1. International Perspective
Introduction
IAEA Nuclear Security Series Guidance
International Advanced Reactor Working Groups
Communicating International Guidance

2. Regulatory Issues
Introduction
Comparison of Regulatory Approaches
US Nuclear Regulatory Commission
UK Office for Nuclear Regulation
Canadian Nuclear Safety Commission
Addressing Regulatory Challenges

3. Security Considerations for Advanced Reactor Designs
Introduction
Analysis of Advanced Reactor Designs
Molten Salt Reactors
TRISO-Based Reactors
Fast Spectrum Reactors
Microreactors
Licensing of a Given Design

4. Common Security Challenges
Introduction
Security Requirements of HALEU Fuel
Remote Siting
Transport of Fuel
Cybersecurity
Preparing for Future Security Challenges

5. Adopting Security by Design
Introduction
Implementing Security by Design
Security by Design Handbook
Secure by Design – Guidance Document Principles and Methods
The Evaluation Methodology for PR&PP of Generation IV Nuclear Energy Systems (Revision 6)
Learning through Peer Review

Conclusion and Recommendations

References
Acronyms and abbreviations
Appendix 1: Advanced Reactor Technologies
Appendix 2: Categorisation of Nuclear Material

Security of Advanced Reactors
ACKNOWLEDGEMENTS
WINS acknowledges the generous sponsorship of the Nuclear Threat Initiative (NTI)
for the preparation of this report.

WINS is grateful to all subject matter experts who participated at the international
workshops in Vienna (March 2019) and Ottawa (2020). These events were the
foundation of this report.

WINS acknowledges all the distinguished experts and organisations, including
advanced reactor developers, who contributed to the development of this report
through workshops, technical meetings, interviews and peer review. Please note
that the views and opinions expressed in this report are those of WINS and do not
necessarily reflect the views and opinions of those experts and organisations who
were consulted during the writing of this report.

We Welcome Your Contributions

We welcome additional organisations to contribute their experience in response to
this special report. We plan to continue working on this topic and facilitating the
exchange of best practices and new ideas. Please email us at info@wins.org. You can
also contact us via the WINS website at www.wins.org. If you have ideas for additional
WINS Special Reports, we would like to hear about them. WINS is committed to
working with nuclear security professionals; our objective is to share best practices to
achieve operational excellence.

WINS 20(25)
ISBN: 978-3-903191-75-4

FOREWORD
The next wave of nuclear energy, powered by advanced reactors, holds the promise of
reducing the twin existential threats posed by climate change and nuclear weapons. As
a growing number of countries explore nuclear energy as an alternative to fossil fuels,
we know new reactors can play a major role in reducing the impact of carbon dioxide on
our atmosphere. It also is clear that for countries with ageing nuclear power plants, the
Generation IV reactors now under development can significantly reduce the risk that
nuclear energy can create a path to a nuclear weapon.

These new reactors can be designed to incorporate modern security elements that make
it easier to prevent theft or sabotage – and their suitability for deployment should be
judged on the degree to which they do so. Because these advanced reactors operate
differently from the well-understood light-water fuel cycle around which most current
security concepts are designed, security experts must be involved early to understand
and guide designs to account for current and future security risks and threats.

To aid those at the early stages of reactor design and encourage the development of
future reactors with enhanced security, the Nuclear Threat Initiative and the World
Institute for Nuclear Security partnered to create this guide to nuclear security for
advanced reactors. Developed with input from advanced reactor developers and other
experts, the guide offers a toolkit for designers and others working to bring these
technologies to market, as well as for policy makers and regulators interacting with
these advanced reactor companies. We hope it will also spark new questions and point
the way towards developing answers.

The world cannot afford to miss this unique opportunity to incorporate security by
design into the next generation of advanced reactors. These new reactors have the
potential to play a huge role in slowing climate change and reducing the risk of nuclear
weapons proliferation, and we hope this guide serves as an important contribution
to making the expansion of nuclear energy beneficial for ourselves and for future
generations.

Laura S. H. Holgate, Ambassador (ret.)
Vice President for Materials Risk Management
Nuclear Threat Initiative

Ray A. Rothrock
Partner Emeritus, Venrock
Executive Chairperson, RedSeal, Inc.
Director, Nuclear Threat Initiative

EXECUTIVE SUMMARY
The development of advanced reactor (AR) designs that will generate carbon-free
power for a variety of commercial applications beyond electricity supply is attracting
growing interest. The deployment of these AR designs is intended to address
longer-term challenges of nuclear technology including cost and competitiveness, potential
proliferation issues, management of long-lived radioactive waste, safety and security.
This report focuses on the final issue in five chapters, with recommendations at the
conclusion of each chapter.

The report starts with a high-level perspective of the international instruments,
standards and guidance that influence national laws and regulations governing the
deployment of advanced reactors in different States. The report then reviews the
specific security considerations and challenges of the various reactor designs in meeting
regulatory requirements and concludes with an overview of security by design (SeBD)
methodologies that could be adopted by AR developers.

Recommendations:

1. The IAEA and other interested international governmental and non-governmental
organisations, such as NTI and WINS, should together identify the most effective way
of communicating international obligations and international guidance for security
to advanced reactor developers. Where needed, these stakeholders should work
collaboratively to develop new guidance to inform AR designers of the requirements
for effective security at the earliest stage of design.

2. Regulators should share security best practices and lessons learned in regulatory
approaches for advanced reactors through the establishment of an international
forum focused on security and regularly scheduled meetings. An independent
organisation could facilitate the arrangement of this forum.

3. Developers and their staff should pursue professional development opportunities
to ensure they are demonstrably competent to address security challenges in their
designs, such as cybersecurity. In addition, they should have access to appropriate
advice and expertise from subject matter experts. NGOs such as WINS and NTI should
develop training programmes to educate AR designers about key security principles to
ensure that security is taken into account at the earliest stage of design.

4. Subject matter experts should be commissioned by interested parties to further
explore key areas and future challenges for advanced reactors, including transport
security, security of HALEU fuel, supply chain security, remote siting, automation
and cybersecurity. These studies should identify potential problems, challenges and
opportunities and result in the development of best practice guides and enhanced
training packages for developers.

5. WINS is a strong proponent of peer review for nuclear security. For facilities in the
design stage, a security peer review using the SeBD methodologies available should be
considered. AR developers should assign staff to support peer reviews and share best
practices and lessons learned in SeBD. A forum for developers to facilitate reviews and
share information could be organised by NTI and/or WINS.

INTRODUCTION
“You can’t be in this business without paying attention to security.”
IAEA DIRECTOR GENERAL RAFAEL GROSSI1

As we enter the third decade of the 21st century, the nuclear industry has already
gone through significant changes. Early in the century, there was keen interest in a
“nuclear renaissance” driven by increasing fossil fuel prices and growing concern
about greenhouse gas emissions. This anticipation of a rebirth of the nuclear
industry was seriously damaged by the accident at the Fukushima Daiichi Nuclear
Power Plant in Japan in 2011, as well as concerns about the commercial viability of
new or expanded nuclear power programmes in a number of countries.

However, support remains for nuclear technology, including for the next
generation of nuclear reactors, for reasons such as addressing the challenges of
climate change. The OECD Nuclear Energy Agency (NEA) states, “nuclear power
constitutes an established, reliable technology viewed by many countries as having
potential to be part of the solution for achieving robust low-carbon economies”.2
Likewise, the Global Nexus Initiative (GNI)3 asserts that, “driven by concerns about
energy security and greenhouse gas emissions, more countries are pursuing the
development of low-carbon energy sources. Nuclear power and renewable energy
technology will play an increasing role in global electricity production.”4

According to MIT,5 in addition to the generation of carbon-free electricity, nuclear
reactors can be used to address several other important applications such as:

• Production of district, residential and commercial heating such as space
heating and water heating

• Generation of industrial heat for production of chemicals, processes in
refineries, desalination of water and co-generation

• Generation of power and heat for niche markets and micro-grids such as
military bases, data centres, offshore platforms, remote communities or
islands where expensive diesel is the only energy alternative

• Support for actinide transmutation to help reduce the amount of radioactive
waste generated, produce medical isotopes and perform silicon doping

1 Dhal, F. (2020). Director General Grossi Outlines Plans to ‘Recalibrate’ IAEA. IAEA Office of Public Information and Communication.
2 OECD Nuclear Energy Agency. (2017). The strategic plan of the Nuclear Energy Agency 2017-2022.
3 GNI is a collaboration between the Nuclear Energy Institute and the Global Partnership for Security which is designed to explore the
linkages between climate change, nuclear power and global security issues.
4 Global Nexus Initiative. (2019). Advancing nuclear innovation: responding to climate change and strengthening global security.
5 Buongiorno, J., Parsons, J., Corradini, M., and Petti, D. (2018). The future of nuclear energy in a carbon constrained world - An
interdisciplinary MIT study. MIT Energy Initiative. Massachusetts Institute of Technology.
www.energy.mit.edu/research/future-nuclear-energy-carbon-constrained-world

It is also recognised that large, traditional light water reactors (LWRs) are
not necessarily the only, or the most competitive, option for these
applications. Reactor designs with significantly different features from traditional
LWRs could play an instrumental role in addressing these applications in the future.
Some of these reactors are referred to as advanced reactors.

There is no general consensus on what exactly falls into the category of AR. For
example, the IAEA includes light water small modular and large Generation III+
reactors in the AR category, together with Generation IV and other non-light water
reactors. On the other hand, GNI, in a June 2019 report6, only included reactors that
use molten salt as a fuel, have TRISO-based fuel or a fast neutron spectrum.

Tristructural-isotropic (TRISO) fuelled reactors have a
core that contains fuel in the shape of cylindrical pellets or
spheres (the TRISO particles). These particles are a three-layer
fuel. Reactors with this type of fuel sometimes use gas
and sometimes liquid salt as a coolant (such as FLiBe:
fluor-lithium-beryllium).

In fast reactors, high energies prevail in their neutron
spectra. This means that the neutrons move fast. In thermal
reactors, a moderator (e.g., water) is used to slow down
neutrons. Fast reactors do not have a moderator and are
typically cooled in a way that does not moderate (i.e. slow
down) neutrons or only minimally moderates neutrons.
Examples of coolants for fast reactors are helium, sodium,
liquid lead and lead-bismuth.

Reactors with molten salt in the fuel are subdivided into two
types. The first type has a dissolution of uranium in molten
salt, which acts simultaneously as fuel and coolant, that
moves around a set of plena. The second type has fuel in a
molten-salt solution confined in fuel elements and cooled by
a fluid mechanically separated from the fuel, e.g. by means of
fuel cladding.

Figure 1: Common AR designs

6 Global Nexus Initiative. (2019). Advancing nuclear innovation: Responding to climate change and strengthening global security.

The deployment of new AR designs may address long-term challenges of nuclear
technology including cost and competitiveness, potential proliferation issues,
long-lived radioactive waste, safety and security. The last issue is the focus of this report.
As noted by NEA, “the effectiveness of government and the international community
to address any concerns related to the security of nuclear material and facilities
[is] one of the factors that will determine the degree to which nuclear power will
contribute to addressing long-term energy supply needs.”7 In the same vein, GNI
asks, “If nuclear power is going to be a significant contributor to successfully
addressing climate change, how do we manage the expansion of nuclear facilities
and materials, including their spread to new, less stable regions in a way that
maximises safety and security and builds international confidence?”8

Therefore, the objective of this report is to encourage developers, supported by
their regulators, to incorporate security as early as possible into their AR designs.
To support developers and their regulators, this report has been divided into five
chapters to:

1. Review existing international efforts to ensure the security of ARs

2. Provide examples of regulatory approaches and challenges to licensing new
reactor designs

3. Analyse AR designs and identify key considerations for ensuring security is
properly addressed

4. Explore common security challenges that will need to be resolved in the future

5. Identify approaches for implementing SeBD

At the conclusion of each chapter, the report provides a recommendation for the
future. These recommendations are further reviewed at the conclusion of the report.

For simplicity, the report examines the same reactor designs as those contained
in the GNI report (Figure 1). Appendix 1 contains a broader list of AR designs under
development and their applications in terms of those identified in the introduction
to this report as well as summarising the main parameters that are relevant for
security considerations.

7 OECD Nuclear Energy Agency (2017)
8 Global Nexus Initiative. (2020). About us.

1. INTERNATIONAL PERSPECTIVE

Introduction
It is well understood that the security of reactors is not just an issue for the country
in which the reactor is sited, constructed, operated and eventually decommissioned.
Effective security is a concern for all countries in relation to the transport of nuclear
material, the protection of nuclear facilities against sabotage, the protection of
nuclear material against unauthorised removal and the combatting of trafficking of
nuclear material. As a consequence, the international community is part of the fabric
of binding and non-binding international instruments, cooperating through their
membership in the IAEA and the UN.

The only binding international legal instrument that deals with the physical
protection of nuclear material and nuclear facilities is the Convention on the
Physical Protection of Nuclear Material (CPPNM) and its Amendment (CPPNM-A).
The Amendment to the CPPNM includes 12 Fundamental Principles of Physical
Protection. Below are some of the more relevant principles that may guide the
development of a regulatory framework for licensing AR designs within a country.

FUNDAMENTAL PRINCIPLE E: Responsibility of the License Holders

The responsibilities for implementing the various elements of physical protection within
a State should be clearly identified. The State should ensure that the prime responsibility
for the implementation of physical protection of nuclear material or of nuclear facilities
rests with the holders of the relevant licenses or of other authorizing documents (e.g.,
operators or shippers).

FUNDAMENTAL PRINCIPLE G: Threat

The State’s physical protection system should be based on the State’s current evaluation
of the threat.

FUNDAMENTAL PRINCIPLE H: Graded Approach

Physical protection requirements should be based on a graded approach, taking into
account the current evaluation of the threat, the relative attractiveness, the nature of
the material and potential consequences associated with the unauthorized removal of
nuclear material and with the sabotage against nuclear material or nuclear facilities.

FUNDAMENTAL PRINCIPLE I: Defence in Depth

The State’s requirements for physical protection should reflect a concept of several
layers and methods of protection (structural or other technical, personnel and
organizational) that have to be overcome or circumvented by an adversary in order to
achieve his objectives.

Supporting the CPPNM and CPPNM-A is non-binding guidance published by
the IAEA called the Nuclear Security Series (NSS). These publications support
the CPPNM and its Amendment and are consistent with, and complement, other
international instruments, such as United Nations Security Council Resolutions 1373
and 1540 and the International Convention for the Suppression of Acts of Nuclear
Terrorism. The principles contained within these documents generally determine
the national legislative and regulatory framework that AR designs will be subject to
for licensing and ongoing regulatory compliance throughout the lifecycle of these
reactors.

IAEA Nuclear Security Series Guidance


IAEA NSS 20: Objective and Essential Elements of a State’s Nuclear Security Regime
contains the objective and 12 essential elements of nuclear security. It provides the
basis for security recommendations within the NSS spanning nuclear and other
radioactive material, their associated facilities and activities, and nuclear and other
radioactive material out of regulatory control.

The primary nuclear security recommendations document relevant to AR facilities
is NSS 13: Nuclear Security Recommendations on Physical Protection of Nuclear Material
and Nuclear Facilities (INFCIRC/225/Revision 5), which provides guidance on the
physical protection of nuclear material and nuclear facilities. The obligations of an
operator are set out in detail in this document, including the three types of risks that
should be considered with regard to the protection of nuclear material and nuclear
facilities:

1. Risk of unauthorized removal with the intent to construct a nuclear explosive device;

2. Risk of unauthorized removal which could lead to subsequent dispersal;

3. Risk of sabotage.

Risk management requires that the physical protection systems be able to establish
and maintain the risk of unauthorised removal and sabotage at acceptable levels.
Risk can be managed by:

1. Reducing the threat: The threat may be reduced, for example, through
the deterrence provided by robust physical protection measures or the
confidentiality of sensitive information.

2. Improving the effectiveness of the physical protection system: The
physical protection system’s effectiveness may be increased, for example,
by implementing defence in depth or establishing and maintaining nuclear
security culture.

3. Reducing the potential consequences of malicious acts: Specific contributing
factors may be modified, for example, the amount and type of nuclear material
and the design of the facility.

In relation to sensitive information and computer-based systems, NSS 13 states
that computer-based systems used for physical protection, nuclear safety and nuclear
material accountancy and control should be protected against compromise
(e.g. cyberattack, manipulation and/or falsification) consistent with the threat
assessment (TA) or design basis threat (DBT).

In relation to the design of any reactor, NSS 13 has the following general guidance:

For a new nuclear facility, the site selection and design should take physical protection
into account as early as possible and also address the interface between physical
protection, safety and nuclear material accountancy and control to avoid any conflicts
and to ensure that all three elements support each other.

The IAEA also provides detailed implementing guidance in NSS 35-G: Security During
the Lifetime of a Nuclear Facility. In this guide, the IAEA suggests incorporating
nuclear security in the early design stage and integrating security with safety,
safeguards, operations and other requirements. Integrating nuclear security
and safety measures helps to ensure neither has a negative impact on the other.
Including security experts in the design team will allow any potential conflicts
between nuclear safety, security, and safeguards to be identified and resolved.

NSS 35-G provides recommended design goals and actions for the state, competent
authority and the operator that are summarised in Table 1.

NSS 35-G recognises that between the conceptual design and final design a cycle of
activities is repeated. These design actions are applicable to all reactors, including
ARs. It is recommended that all AR developers review this guidance.

International Advanced Reactor Working Groups


Two international working groups have been established to assess the viability of
ARs in a number of areas, including physical protection. The first working group is
the IAEA-supported International Project on Innovative Nuclear Reactors and Fuel
Cycles (INPRO) within the Department of Nuclear Energy. An INPRO assessment
covers six different areas: economics, environment, waste management, safety,
infrastructure and proliferation resistance. In addition, INPRO has created a manual
on physical protection (Volume 6 of the Final Report of Phase 1 of the International
Project on Innovative Nuclear Reactors and Fuel Cycles).

State Actions

• Review the design basis threat or representative threat statement and
evaluate the implications of any changes, as necessary.

Competent Authority Actions

• Ensure that a design basis threat or representative threat statement and
relevant regulatory requirements for nuclear security are provided to the
operator for development of nuclear security input for use during the design
of the facility, if required.

• Ensure that any design modifications remain in compliance with applicable
regulatory requirements for nuclear security and safety.

• Conduct a technical assessment of the final design of a facility to ensure
that it meets applicable requirements for nuclear security and safety before
licensing activities or granting authorisation.

• Ensure that trustworthiness checks are implemented for personnel with
access to sensitive information.

Operator Actions

• Identify the category of nuclear material to be protected against unauthorised
removal as well as the possible radiological consequences of sabotage in
order to ensure that nuclear security design requirements are met.

• Account for applicable regulatory requirements for nuclear security during
the design stage, including for computer security, sustainability, contingency
planning, emergency preparedness, incident reporting, trustworthiness,
quality assurance, nuclear security culture and nuclear materials accounting
and control, as applicable.

• Ensure that all organisations with nuclear security responsibilities relating
to the facility should participate in facility design activities. Coordinate
nuclear security measures to be incorporated in the design with measures to
be incorporated for other disciplines (e.g. safety, safeguards and operations)
in order to compare relevant regulatory requirements, identify synergies and
resolve potential conflicts.

• Review all aspects of the design to ensure the appropriate inclusion of nuclear
security measures. Identify technologies and components (e.g. barriers,
sensors and assessment systems) best suited to meet applicable regulatory
requirements for nuclear security.

• Implement an information security programme for sensitive information
used or generated during the nuclear facility design stage. This programme
should be based on applicable regulatory requirements for information
security.

• Assess the final design to ensure that it meets applicable regulatory
requirements for nuclear security, and assess any proposed subsequent
facility design changes that would affect nuclear security. Provide the final
design of the systems and components that contribute to nuclear security to
the competent authority for assessment and approval.

• Provide the competent authority with any subsequent design changes
affecting the systems that contribute to nuclear security, as required,
incorporating the concept of configuration management.

Table 1: Nuclear security responsibilities


The target audience for Volume 6 is an assessor of an AR system (called an
innovative nuclear energy system, or INS), taking into consideration the physical
protection regime of a country that is planning to have a nuclear power programme
(or maintaining or enlarging an existing one). The INPRO assessment should lead
to the confirmation that the established or planned physical protection regime is
adequate for the nuclear power programme or lead to the identification of gaps and
the actions necessary to become compliant.

The manual is written assuming that the INPRO assessor is primarily a technology
user, not a technology supplier or developer. However, the manual provides
guidance that is applicable to any developer of an AR and explicitly references the
need to address security early in the design process. For example, a sample of a
criterion from the manual is shown on the next page.

The second working group that has explored the implementation of ARs is within
the Generation IV International Forum (GIF).9 After issuing a roadmap in 2002, GIF
established a Proliferation Resistance and Physical Protection (PR&PP) Working
Group to develop measures and metrics for assessing PR&PP and an associated
evaluation methodology for ARs. Research and development have been conducted in
three areas: (1) safeguards and physical protection technology for each GIF system,
(2) formulation of PR&PP criteria and metrics, and (3) evaluation of the criteria and
metrics.

The working group subsequently undertook a systematic evaluation of the
proliferation resistance and physical protection of six Generation IV reactor designs.
They developed a methodology and provided a comparative evaluation of the
performance of each system. The intent was to generate preliminary information
about the PR&PP merits of each system and to recommend actions for optimising
their PR&PP performance. An overall report was approved by GIF for open
distribution in 2011.10

Although the GIF PR&PP and INPRO evaluation methodologies differ in their
implementation, they share the objective of ensuring that ARs are sustainable, safe
and reliable, and economically viable while minimising their risk of contributing
to proliferation and maximising their robustness against theft and sabotage. The
PR&PP methodology will be explored further in Chapter 5 of this report.

9 GIF is an international collective representing governments of 13 countries where nuclear energy is significant now and also seen as
vital for the future. Most participants are committed to joint development of the next generation of nuclear technology. The purpose of
GIF is to share R&D rather than build reactors.
10 The report is titled Evaluation Methodology for Proliferation Resistance and Physical Protection of Generation IV Nuclear Energy Systems,
(Revision 6).

Criterion CR10.1 INS design and Criterion CR10.2 INS layout

Often, components of an INS will be designed by the technology holder and a
layout proposed without regard to the impact these will have on the Physical
Protection System (PPS). However, the design and layout of the INS components
could have significant impact on the effectiveness and efficiency of the PPS, and
therefore consideration of physical protection during INS design and layout
should be addressed at the earliest possible time. The design will determine
susceptibility of targets for theft and sabotage, and the layout will determine the
locations of these targets and influence the ease with which they can be protected.
Further, the design and layout may define the ease with which a PPS can be
designed and installed. As such, the technology holder and technology user need
to jointly consider the PPS as the INS component is designed and laid out.

The following should be addressed for design and layout of INS components:

• Does the design attempt to preclude any single point vulnerability (single
target)?

• Does the design reflect compartmentalised access to target locations to
facilitate protection against an insider?

• Has an assessment been conducted to identify sabotage target locations (vital
area) and theft target locations?

• Does the facility design consider mutual use of redundant support systems
from adjacent facilities in emergency situations (for multi-unit INS)?

• Have electronic/computer-based systems been designed to preclude internal
and external threats?

• Has consideration been given to incorporating or locating activated (active)
and passive barriers for PP benefit?

• Has the layout maximised the spatial and physical separation of redundant
components or systems to facilitate PPS design and preclude collocation of
these components or systems in the same area?

• Has the layout considered stand-off vulnerabilities by setting targets far from
protected area boundary, and obscured the targets from off-site observation?

• Has the layout been designed to minimise need for vehicular traffic?

• Is the layout conducive to reducing on-site nuclear material transportation
needs?

• Has the INS layout considered space needs of detection, assessment, delay,
and response systems to facilitate PPS design?

• Has the INS layout considered minimising the number of potential adversary
paths?

• Does the layout reflect provisions for response force deployment (protected
pathways and deployment locations to interrupt and engage adversaries)?

Communicating International Guidance
An IAEA Integrated Nuclear Infrastructure Review (INIR) is a holistic peer review to
assist Member States in assessing the status of their national infrastructure for the
introduction of nuclear power. The review covers the comprehensive infrastructure
required for developing a safe, secure and sustainable nuclear power programme.11
While this is applicable for newcomer countries developing the infrastructure
required for a new nuclear power programme, it is also valid for countries wishing to
expand their existing nuclear power capacity.

When conducting an INIR mission, the IAEA expects to find a documented
stakeholder engagement strategy and plan for each of the key organisations (i.e.
government, regulator and owner/operator) addressing the full range of nuclear
issues, including security.12 To help AR developers, regulators, government officials
and other stakeholders understand their obligations, the IAEA and other interested
international governmental and non-governmental organisations, such as NTI and
WINS, should work together to identify the most effective way of communicating
international guidance through workshops, webinars, training and other activities.

Currently, the international framework for nuclear security is no different
for AR developers than it is for any other traditional LWR designer. However,
the international framework was largely designed and implemented after
the widespread deployment of LWRs, so it generally reflects those reactor
characteristics. ARs have different characteristics (fuel types and quantities,
size, portability, application, etc.) that will require new approaches to achieving
acceptable levels of risk. Where needed, the IAEA, WINS, NTI and other nuclear
security-focused organisations should work collaboratively to develop new guidance
to inform requirements for effective security at the design stage.

11 International Atomic Energy Agency. Integrated nuclear infrastructure review.
12 International Atomic Energy Agency. (2016). Nuclear Energy Series No. NG-T-3.2: Evaluation of the Status of National Nuclear
Infrastructure Development (Rev. 1).

2. REGULATORY ISSUES

Introduction
A fundamental requirement is that ARs must be able to be licensed in each country
that wishes to deploy the technology. In some countries, regulators and developers
are working together to address this challenge. For example, in the United States,
the Nuclear Energy Institute (NEI), a nuclear trade industry association, has set up
task forces on AR and micro-reactors and is working cooperatively with the United
States Nuclear Regulatory Commission (NRC) to inform NRC’s consideration of
the licensing of AR design, including from the perspective of physical protection
requirements.

NEI has taken the position that AR designers are incorporating engineered
physical security systems, hardware and features into their facilities, which will
considerably reduce or eliminate reliance upon an onsite response force. With
that in mind, NEI has put forward white papers proposing new physical protection
performance criteria for AR technologies. The proposed criteria are based on a
set of “performance capabilities” that will identify facilities with designs that are
considered to have reduced the likelihood of a successful radiological sabotage
through engineered safety and security features.13

This approach proposes that generic new regulations be established in advance
of a design- or site-specific application for a licence or authorisation. If it can be
demonstrated that a proposed facility will meet a required performance capability,
an applicant could obtain a licence through compliance with a set of physical
protection requirements developed specifically for AR technologies. These same
requirements would then continue to apply to the licensee during operation of the
facility.

NEI believes this approach would promote the establishment of a clear, predictable
and stable licensing process for AR technologies and avoid potential inefficiency
and uncertainty. NEI is of the view that if AR technologies are subject to existing
physical protection requirements, they will not be competitive, thus hindering their
development and deployment.

Other regulators may adopt similar or entirely different approaches with industry
and AR developers. In all cases, however, there will likely be a stakeholder
engagement process that will inform the rulemaking and licensing process.
Ultimately, the regulatory approach will be based on each State’s legal and
regulatory framework, which will incorporate their international legal obligations as
well as relevant standards and guidance.

13 NEI (2016). NEI White Paper: Proposed physical security requirements for advanced reactor technologies.

Comparison of Regulatory Approaches
As part of its research for this paper, WINS interviewed officials from three
regulatory bodies that are actively addressing the licensing of advanced and small
modular reactor designs: the US Nuclear Regulatory Commission, the Canadian
Nuclear Safety Commission, and the UK Office for Nuclear Regulation. All three
regulators are facing similar challenges in the development of regulations for and
the approach to licensing of ARs.

A common theme is that all three regulators are examining a performance-based
(or outcome-based) approach with fewer prescriptive nuclear security regulations
or requirements for reactor operators, licensing proponents and/or designers,
recognising that ARs may require a more flexible and technology-neutral approach
to address significant variations between the different reactor designs. Furthermore,
there is a recognition that emerging technologies and threat capabilities that
will be particularly relevant to ARs, such as cybersecurity, require an updated
regulatory framework that keeps pace with new and emerging threats and changing
capabilities, including for cyberattack.

The choice of regulators was made based on the accessibility of their regulatory
documents (written in English) and their availability for interview. Many ARs are
planned for deployment in other countries and under different regulatory regimes.
In the future a greater range of regulatory frameworks and their suitability for
regulation of AR designs should be considered as a separate special report.

In this next section, we examine the reviewed regulatory approaches in additional
detail.

US Nuclear Regulatory Commission


The NRC is an independent agency of the US government tasked with protecting
public health and safety related to nuclear energy. NRC is engaged in several
pre-application activities with AR and small modular reactor (SMR) developers.
Starting in 2015, the NRC published Options for Emergency Preparedness for Small
Modular Reactors and Other New Technologies. This rulemaking describes a proposed
technology-neutral, risk-informed and performance-based emergency planning
framework that includes provisions for scalable emergency planning zones and
emergency planning programme requirements. NRC staff also conducted an
evaluation of its security and safeguards requirements for SMRs, and concluded that
the current regulatory framework was comprehensive, robust and sufficient.

In response to a proposal submitted by NEI, the NRC prepared SECY-18-0076,
Options for Physical Security for Light-Water Small Modular Reactors and Non-Light-
Water Reactors, which was sent to the NRC on August 1, 2018. In 2018, the NRC began
a limited-scope revision of regulations and guidance related to physical protection
for ARs. The commission approved, subject to edits, a related rulemaking plan for
public consultation.

The regulatory basis for this rulemaking was published in July 2019 for public
consultation. The NRC is preparing a proposed rulemaking that, if enacted, would
amend the NRC’s regulations to provide alternative specific physical security
requirements for ARs, which refers to light-water small modular reactors and
non-light-water reactors.14 The proposal is a limited-scope rulemaking that would
provide a clear set of alternative, performance-based requirements and guidance
for AR physical protection that would reduce the need for exemptions from current
security requirements when applicants request permits and licences.

This limited scope rulemaking would apply the insights from advances in designs
and safety research, retain the NRC’s overall security regulations framework,
and provide alternatives and guidance related to specific physical protection
requirements.

The initial focus of the rulemaking includes several prescriptive requirements. Two
are the requirement for a minimum of ten armed responders and the requirement
for an onsite secondary alarm station. The NRC also identified three performance
measures based on NEI proposals and stakeholder interactions that would determine
the applicability of revised security requirements for an AR design:

1. The radiological consequences from a hypothetical, unmitigated event involving the
loss of engineered systems for decay heat removal and possible breaches in physical
structures surrounding the reactor, spent fuel and other inventories of radioactive
materials result in offsite doses below the reference values defined in 10 CFR 50.34
and 52.79 (e.g. no definable target sets of equipment or operator actions that if
prevented from performing their intended safety function or prevented from
being accomplished would likely result in offsite doses exceeding the cited
reference values).

2. The plant features necessary to mitigate an event and maintain offsite doses below
the reference values in 10 CFR 50.34 and 52.79 cannot reasonably be compromised
by the DBT for radiological sabotage (e.g. no achievable target set resulting in
offsite doses exceeding the cited reference values given the design features and
security features incorporated into a specific AR facility).

3. The plant features include inherent reactor characteristics combined with
engineered safety and security features that allow for facility recovery and
mitigation strategy implementation if a target set is compromised, destroyed or
rendered nonfunctional, such that offsite radiological consequences are maintained
below the reference values defined in 10 CFR 50.34 and 52.79 (e.g. a reactor design
with a large heat capacity and slow progression from loss of safety equipment
to degradation of fission product barriers and release of radionuclides from
the facility). Facility recovery and mitigation strategies may, where feasible,
include support from offsite resources.

14 NRC. (2019). Rulemaking for physical security for advanced reactors.

In discussions with NRC, the commission was open to the idea that engineered
safety features (e.g. underground reactor siting) and smaller designs could reduce
the risk of theft and sabotage compared to large LWRs. They also noted that
improved engineered safety features are likely to slow accident progression from an
event, providing additional time for mitigation of effects. In fact, NRC is expected
to identify how a demonstration of compliance with the performance criteria could
obviate the need for armed responders. The NRC rulemaking is in progress, and a
proposed rule is planned to be published for public comment in 2021 and finalised by
2022, if approved by the NRC’s Commissioners.

UK Office for Nuclear Regulation


The Office for Nuclear Regulation (ONR) is the independent regulator of safety
and security at nuclear licensed sites in the United Kingdom. In May 2019, ONR
published a document titled New Nuclear Power Plants: Generic Design Assessment
Technical Guidance. This Generic Design Assessment (GDA) process is applied where
ONR is asked to assess a proposed design in advance or in parallel to an application
for a nuclear site licence. The May 2019 document provides technical guidance for
the safety, security and safeguards assessment of new nuclear power plants (NPPs)
proposed for construction and operation. The GDA process is necessary to receive
a Design Acceptance Confirmation (DAC) and a Statement of Design Acceptability
(SoDA) in the UK.

In correspondence with WINS,15 ONR stated that they believe the GDA process
is suitable for assessing advanced modular reactor designs and will provide the
necessary framework for regulation. ONR noted that while the GDA process takes
place before a licence is granted and is not mandatory, they will still assess the
design drawing against their Security Assessment Principles (SyAPs) and related
guidance.

ONR published the SyAPs in 2017 to provide licensees with defined security
outcomes that must be demonstrated for the licensee to be assessed as compliant.
The SyAP states that:16

“...the licensees are responsible for leadership, design, implementation, operation
and maintenance of security programs to protect the public from risks arising from a
radiological event caused by the theft or sabotage...”

15 UK Office for Nuclear Regulation. (2020). Office for Nuclear Regulation Response to WINS SMR Questionnaire.
16 UK Office for Nuclear Regulation. (2017). Security assessment principles for the civil nuclear industry (Ver. 0).

SyAPs Fundamental Security Principles


1. Leadership and Management for Security

2. Organisational Culture

3. Competence Management

4. Nuclear Supply Chain Management

5. Reliability, Resilience and Sustainability

6. Physical Protection Systems

7. Cyber Security and Information Assurance

8. Workforce Trustworthiness

9. Policing and Guarding

10. Emergency Preparedness and Response

Figure 2: ONR SyAPs Fundamental Security Principles for the Civil Nuclear Industry

According to ONR, they use the SyAPs, together with supporting Technical
Assessment Guides (TAGs), to guide regulatory judgements and recommendations
when undertaking assessments of security submissions through the full lifecycle
of an installation. The requirement for these submissions and ONR’s role in their
approval are underpinned by the legal duties placed on organisations subject to the
Nuclear Industries Security Regulations (NISR) 2003. As stated by ONR,17

The introduction of SyAPs is the foundation of outcome focussed regulation for all
constituent security disciplines: physical; personnel; transport; and cyber security and
information assurance. This is a pivotal shift in regulatory philosophy which aligns our
nuclear security regime with our mature non-prescriptive nuclear safety regime. This
alignment provides a consistent ONR approach for duty-holders across the UK civil
nuclear industry. The introduction of SyAPs has been made possible by the significant
improvements in security management capability and capacity, developed within
duty-holder organisations since the establishment of formal regulation under NISR
2003. Any prospective vendor would need to develop submissions for ONR assessment by
adopting this approach, which offers flexibility and demands a higher level of security
professionalism.

17 UK Office for Nuclear Regulation (2020)


Section 3.18 of the GDA process further details the requirements for the design
company. The applicant is required to submit a Generic Security Report (GSR)
describing the security features of the reactor technology being assessed. The GSR
documents the categorisation of nuclear material and other radioactive material
from both theft and sabotage in order to determine the protective security outcomes
and applicable security postures to be applied. Further information in the GSR
includes (inter alia):

• A vital area (VA) identification methodology and subsequent study that uses
the UK DBT

• The VAs and operational technology that need to be protected within a high-
level concept of operations that outlines how security risks are designed-
out and remaining risks might be mitigated by designing-in security
commensurate with the maturity of the design

• In sufficient detail, information for any future licensee in the development of a
site security plan

• A cyber risk assessment that explains how nuclear technology and specifically
computer-based systems important to nuclear safety will be protected

ONR security inspectors work as part of the wider ONR regulatory team to ensure
the design company incorporates SeBD across the full spectrum of the design. This
is especially pertinent for cybersecurity, where the designer must demonstrate
how instrumentation and control (I&C) systems are resistant to cyber threats.
This includes the potential for malware to be inserted within the supply chain, and
operators should not be solely reliant on air gaps.

In sum, ONR conveyed to WINS that,18

Assessing any vendor’s security case… requires excellence in analysis of the vendor’s
Security Case (their claims, argument and evidence that underpin their arrangements),
drawing on Relevant Good Practice to inform security risk management. This requires
expertise in Vital Area identification and categorisation, theft risk assessments, and
cyber security risk assessments; in all cases, drawing from Safety analysis including
Fault Studies and other related assessments. This requires a high degree of safety and
security integration.

18 UK Office for Nuclear Regulation (2020)


Canadian Nuclear Safety Commission19
The Canadian Nuclear Safety Commission (CNSC) is the independent federal
regulator for nuclear power and materials in Canada. The CNSC establishes its
nuclear security regulations and requirements through considered research
and technical assessment and analysis. In doing so, it also considers IAEA
recommendations and guidance set in IAEA NSS 13 and NSS 27-G, among others. To
that end, the CNSC is considering ways to implement a graded approach based on
the category of the nuclear material and potential radiological consequences in case
of sabotage. In applying the graded approach, the CNSC defines security objectives
and/or requirements for protecting each category of nuclear material and for
preventing each level of potential radiological consequences at nuclear facilities.

In the regulatory document REGDOC-2.5.2 Design of Reactor Facilities: Nuclear
Power Plants, the CNSC highlights the importance of interfaces of safety, security
and safeguards for NPP designs. Safety measures, nuclear security measures and
arrangements for the system of accounting for, and control of, nuclear material for
an NPP must be designed and implemented in an integrated manner so that they do
not compromise one another. REGDOC-2.5.2 also ensures that physical protection
systems and cybersecurity programmes are considered in NPP design management
and documentation. Specific security requirements are established and ensure that
designs take into account the interfaces between safety, security and safeguards and
other aspects of the facility layout.

As part of its effort to modernise its nuclear security regulations and to address AR
designs and evolving threats, the CNSC has stated that it intends to move towards
a performance-based nuclear security regulation that, where warranted, would
include less prescriptive requirements. This more flexible approach will allow
adaptation to a variety of NPP and AR designs. To support a performance-based
regulatory approach for SMRs, the CNSC developed and implemented technology-
neutral requirements and a risk-informed decision process. Specific security
requirements are established for all stages of the lifecycle of the nuclear facility,
and in particular during the conceptual design phase, to optimise the benefits of
security and reduce retrofit cost.

In correspondence with WINS, the CNSC has stated that it believes its regulatory
framework does provide the basis for assessing the nuclear security (physical
protection and cybersecurity) arrangements for ARs and other nuclear facilities
where nuclear materials are produced, processed, used and/or stored. However,
CNSC noted that in 2018 a number of industry, private and government partners
participated in a Pan-Canadian SMR Roadmap to develop a report on Canadian
readiness for SMRs. The SMR Roadmap reported that for nuclear security, in
some cases the current regulations would require SMRs to incorporate security
infrastructure comparable to today’s operating full-scale nuclear power plants.
Industry stakeholders and the CNSC were already engaged in discussions about
potential changes to these regulations to take a graded approach, commensurate
with size and risk, while continuing to ensure appropriate security coverage is
maintained.20

19 Duguay, R. (2020). Small modular reactors and advanced reactor security: Regulatory perspectives on integrating physical and cyber security
by design to protect against malicious acts and evolving threats and subsequent correspondence with and review by the CNSC.

This effort is still underway. The CNSC is currently in the process of reviewing
the nuclear security regulations and the associated REGDOC series. The proposed
amendments to the regulations will include provisions that consider nuclear
measures for ARs that follow a graded approach.

Best Practice: CNSC SMR Vendor Design Review21


The CNSC developed a pre-licensing vendor design review (VDR) as an optional
service for SMR developers. A VDR is a mechanism that enables CNSC staff
to provide feedback early in the design process based on a vendor’s reactor
technology. NPP designs can include SMR concepts, AR concepts or more
traditional designs. The assessment is separated into three phases and is
completed by the CNSC at the request of the vendor. As part of the SMR VDR process,
CNSC staff review SeBD and interfaces with safety, in particular robustness of
structures, systems and containment as well as safeguards for nuclear material
accounting and control. During the VDR, the interfaces between nuclear security
and system engineering specialists allow for assessment of both physical
protection and cybersecurity systems in a more holistic approach. This allows
the regulator to evaluate how developers intend to optimise nuclear security to
mitigate against potential acts of sabotage, and how to consider physical and
cyber defensive measures to counter blended attacks.

Addressing Regulatory Challenges


The licensing of ARs may encounter opposition in many countries from anti-nuclear
or other civil society organisations during public hearing processes for either
rulemaking or the licensing process itself. The Union of Concerned Scientists (UCS), for
example, has publicly lodged submissions to the US NRC rulemaking process for ARs,
which indicate their concerns about the rulemaking process.22 The submission can
be summarised as follows:

• They believe that rulemaking is signalling that ARs are vulnerable to sabotage.

• They object to the performance measures identified by regulators, which have
not yet been analysed against security scenarios.

• AR designs have different accident precursors than LWRs that could render
them vulnerable to radiological sabotage attacks.

• Eliminating offsite emergency planning would put the public at greater risk
from radiological sabotage.

• Changes in the regulatory definition of radiological sabotage from significant
core damage or spent fuel sabotage to an offsite dose-based standard could
introduce uncertainty and subjectivity into security analyses.

• The required number of armed responders is based on the target sets and the
DBT. There needs to be a good explanation for why security requirements for
an AR would differ from a traditional large LWR.

• Probabilistic risk assessments are used to identify target sets. However,
probabilistic risk assessments will not be validated for AR until prototypes or
commercial demonstration units are built and operated. Credit allowing for
security reductions should not be given until that time.

20 Canada Nuclear Safety Commission. (2020). Correspondence dated 12.5.2020.
21 Canada Nuclear Safety Commission. Pre-licensing vendor design review.
22 Lyman, E. (2019). Union of Concerned Scientists comments on the draft regulatory basis for the rulemaking for physical security for advanced
reactors.

The overarching concern in the submission of the UCS is that regulators will reduce
the required level of security for ARs below the current regulatory requirements,
introducing an unacceptable level of risk. Whether these objections are valid is,
of course, subject to debate. However, objections from concerned citizens and
stakeholder groups may not decrease, and regulators and developers need to
demonstrate to the public that the designs are sufficiently safe and secure and meet
regulatory requirements.

To meet this challenge, regulators will need to engage in a stakeholder engagement
process to inform and involve individuals and organisations that may be affected
by decisions being made for an AR project. Stakeholder engagement practices vary
by country, region and community; may have different objectives; and will provide
varying levels of involvement, from simply providing information, asking for and
providing opportunities to comment, through to inviting and enabling stakeholders
to collaborate on analysis and participate in decision making. As a minimum, the
purpose of stakeholder engagement is to ensure stakeholders understand why a
decision has been made and trust the basis for that decision.

The OECD/NEA Forum on Stakeholder Confidence defines stakeholder involvement
as:23

An integral part of a stepwise process of decision making. At different phases,
involvement may take the form of sharing information, consulting, dialoguing, or
deliberating on decisions. It should be seen always as a meaningful part of formulating
and implementing good policy. Stakeholder involvement techniques should not
be viewed as convenient tools for ‘public relations’, image-building, or winning
acceptance for a decision taken behind closed doors.

How to engage stakeholders and provide public information on nuclear security
innovations incorporated into AR, while remaining compliant with national
legislation and regulations and keeping an appropriate balance between the
benefits obtained from sharing information and the need to protect sensitive
information, will require careful consideration, discussion and agreement between
the government, relevant national security authorities, the technology developer,
project proponents and the nuclear safety and security regulator(s).

To support this process, it is recommended that regulators should share best
practices and lessons learned in regulatory approaches for ARs through the
establishment of an international forum and regularly scheduled meetings. An
independent organisation could facilitate the arrangement of this forum.

23 OECD Nuclear Energy Agency. (2004). Stakeholder involvement techniques: A short guide and annotated bibliography.

3. SECURITY CONSIDERATIONS FOR ADVANCED REACTOR DESIGNS

Introduction
It has to be remarked that not all design solutions improving safety and reliability will
necessarily improve robustness against acts of sabotage. Actually, it might be the other
way round; hence, any design solutions must balance the trade-off for the different
objectives and goals as well as take into account economical aspects.
EVALUATION METHODOLOGY FOR PROLIFERATION RESISTANCE AND PHYSICAL PROTECTION OF GENERATION IV NUCLEAR
ENERGY SYSTEMS, REVISION 6

The potential value of ARs is significant, and their deployment could help address
global challenges such as energy security and climate change. However, to be
compliant with the legal and regulatory framework of the country it is to operate
in and consistent with that country’s international obligations, it is important to
demonstrate, at the design stage, and throughout the reactor lifecycle, that the
reactor will be secure and safe.

Some AR designs may be less susceptible to overheating and core damage. They
utilise passive safety features and as a result are less reliant on external sources
of power. In addition, some AR designers are incorporating engineered physical
protection systems into their designs and increasing the number of digital assets
for the purpose of automation, with a view to reduce or eliminate the reliance on
security personnel and reduce the cost of operation. Some developers are proposing
underground siting to defend against certain sabotage scenarios such as aircraft
crash.

Regardless of the degree of theoretical inherent safety and security in a given
design, ARs may still be perceived as high-value targets depending on their size
and the associated radionuclide inventory. They could be characterised as critical
infrastructure, particularly if they are deployed to generate electricity. Protection
of this infrastructure will therefore be an essential requirement for their regulation
and their commercialisation.

Analysis of Advanced Reactor Designs


As stated in the introduction, this report considers only the following types of ARs
(as well as a subset of these reactors called micro-reactors):

1. Molten salt fuelled reactors

2. TRISO (tristructural-isotropic) fuelled reactors

3. Fast neutron reactors


All three types of AR designs have passive safety systems and inherent features,
which significantly reduce the radiological consequences of an accident, incident
or other safety failure or act of sabotage. All three AR types also usually contain
uranium-based fuel with an enrichment up to 20 percent. The fast reactor group
is the only type of AR design that potentially has Category I nuclear material if the
reactor uses separated plutonium in the fresh fuel.24

The risk of theft or sabotage depends on the quantity of material and frequency of
refuelling (if any), which will vary based on the size of the reactor and its operating
cycle. Therefore, the specific technical characteristics of individual reactors and
the operational approach to their fuel supply will be important in assessing and
addressing this issue. This paper evaluates each of the three technologies against
security (physical protection) considerations, based on the work done by the PR&PP
Evaluation Methodology Working Group of the Generation IV International Forum
(Gen IV),25 as well as feedback from developers, regulators and other subject matter
experts.

Molten Salt Reactors


Design: Molten Salt Reactor (MSR)

Opportunity for Theft: Some fraction of the fuel inventory resides outside the core.
This does not make it more accessible or an easier target for theft as compared to
conventional designs. All salts are transferred as solid materials from the reactor
hot cell with strong radiation signatures. That limits the accessibility to fissile
components. Compared to conventional solid fuel reactors, there are no provisions
for fuel manipulation, no radiation damping medium (water) and in many molten salt
reactor designs the entire fuel circuit is permanently sealed, making it a very hard
target for theft.

Radiological sabotage: Safety studies are needed before starting a real evaluation
of the physical protection features and resistance to sabotage. However, MSR designs
appear to be one of the least vulnerable designs.

Table 2: Summary of MSR theft and sabotage assessment26


24 Categorisation of nuclear material for the purposes of physical protection systems and measures is set out in the Annex to the CPPNM
and in IAEA NSS 13 (INFCIRC 225/Rev.5). See Appendix 2.
25 The following analysis of risk of theft and sabotage for the three reactor types is largely based on the Gen IV paper on Evaluation
Methodology for Proliferation Resistance and Physical Protection of Generation IV Nuclear Energy Systems, (Rev. 6).
26 The primary source for this table is the Gen IV PR&PP assessment.

In molten salt fuelled reactors, the fuel consists of fissile materials dissolved in a
salt, a mixture that becomes liquid at operation. In general, the design has no fuel
units such as fuel rods or assemblies, and the fissile element (uranium or thorium)
is mixed with the coolant in most designs. Molten salt fuelled reactors operate with
low-enriched uranium or thorium-based fuel. Molten salt fuelled reactors can be
refuelled online, allowing for extended, continuous reactor operation. Molten salt
fuelled reactor designs can range in size from tens of MWe to hundreds of MWe.
According to a 2015 report by Energy Process Developments Ltd, current molten salt
reactor designs do not breed new fuel, do not require online fuel reprocessing and
use the well-established enriched uranium fuel cycle.27

Gen IV assessed that, from a security standpoint, the nature of MSRs precludes certain
releases, particularly gas releases, which limits the potential for sabotage. They also
use fluoride salt, which is hard to spread and not easy to extract. MSR designs appear
to be one of the least vulnerable designs from a security perspective, with a low risk
for theft of nuclear material and of dispersal of radioactivity.

Even the Union of Concerned Scientists, which as an organisation has been highly
concerned about the safety and security of ARs, has conceded that “the only non-
LWR design where the concept of significant core damage may not be strictly
applicable is an MSR reactor.”28 Likewise, GNI also assessed that MSRs have a low
vulnerability to theft of nuclear material and dispersal of radioactivity.29

TRISO-Based Reactors
Design: TRISO-Based Very-High-Temperature Reactor (VHTR)

Opportunity for theft: Fresh fuel is the most likely target for theft or diversion.
However, recovery of usable nuclear material from fuel requires substantial effort
of both mechanical and chemical processing with a resulting product of
less-than-desirable nuclear characteristics.

Furthermore, spent fuel is not a desirable target for theft due to high radioactivity
and the same intrinsic qualities as fresh fuel.

Sabotage: The reactor is designed to achieve passive safety to avoid release of
fission products under all conditions of normal operation and accidents. Systems
maintain the fuel temperature below fuel-damaging temperatures under all conditions.

Table 3: Summary of VHTR theft and sabotage assessment30


27 World Nuclear Association. Molten salt reactors.


28 Lyman (2019)
29 Global Nexus Initiative. (2019). Advancing nuclear innovation: Responding to climate change and strengthening global security.
30 The primary source for this table is the Gen IV PR&PP assessment.
TRISO-fuelled reactors operate at high temperature, using small, uniform
microspheres of uranium oxycarbide coated with several layers of pyrocarbon
and silicon carbide that are dispersed into either graphite pebbles or prismatic,
hexagonal graphite fuel blocks. The
fuel is designed not to crack due to the stresses from very high temperatures, which
will prevent release of fission products or actinides during accident conditions.
TRISO-fuelled reactors can range in size from tens to hundreds of MWe. Most
reactors of this type are refuelled online: Used pebbles are taken out of the core,
and unirradiated pebbles or pebbles that have not reached the desired burnup are
added to the core. The reactor is shut down periodically (about every 6-10 years) for
replacement of in-core graphite structures.

Gen IV assessed that theft of either spent fuel or fresh fuel would be highly
challenging for a variety of reasons:

1. The nuclear material is quite dilute in each pebble.

2. Obtaining a significant quantity would require the theft of metric tons of
contaminated graphite and/or carbon containing the coated particles.

3. Obtaining access to the nuclear material would require substantial mechanical
effort and chemical processing.

TRISO fuel provides strong physical protection characteristics against a non-state
actor, and there are few credible scenarios in which an adversary could acquire
the material, de-clad it, and use it to make a weapon. Instead, it would require
the infrastructure of a State actor to utilise the material; thus a focus on
safeguards issues such as item vs. bulk accounting for the individual pebbles is
needed. In discussions while drafting this report, a developer proposed that TRISO
fuel considerations are a State-level proliferation concern rather than a
facility-level security concern.

However, it would certainly be damaging for the reputation of the operating
organisation if pebbles were to be successfully removed or stolen. While drafting
this report, one developer advised that from a business perspective, they would like
to track individual pebbles. In addition to the assurance that the pebbles remain
under control, if a batch of fuel were faulty, it could be tracked and removed.

Gen IV studied the VHTR design and assessed sabotage as unlikely due to the
passive safety features of the reactor. Sabotage scenarios that were assessed were
considered not to have the potential to cause significant offsite consequences but
could be very expensive to recover from due to lost operations and repair costs and
would be highly detrimental to public confidence. Gen IV provided a series of
mitigating steps in its report, including (inter alia):

• Quality controls at the fuel fabrication plant in the supplier nation

• Protection of the helium supply, the primary coolant contaminant monitoring
equipment, and the helium purification system

• Physical protection of and controlled access to fresh and spent fuel storage
locations, the inbound and outbound transportation loading systems, and the
transportation of fresh fuel from the fuel fabrication facility and of spent fuel
to processing or disposal facilities

Fast Spectrum Reactors


Fast reactors use a fast neutron spectrum that can enable high fuel utilisation,
operational flexibility and fuel recycling. Fast reactors can use liquid metal, gas
coolants, or salt coolants. Designs can employ a closed fuel cycle:

Sodium-cooled fast reactors (SFR) have several hundred reactor-years of
operational experience and the benefit of oxygen-free/low-corrosion operation.
However, the chemical volatility of sodium requires a sealed coolant system.
Sodium-cooled reactors typically use uranium oxide or metal fuel.

Lead-cooled fast reactors (LFR) utilise either molten lead or a lead-bismuth
mixture as the coolant, which are relatively inert in relation to water or air but are
highly corrosive, requiring more robust piping or vessel materials. Lead-cooled
designs typically use uranium metal or nitride fuels. They are typically designed to
operate at low, near-atmospheric pressure and high temperature (~500-800°C).

Gas fast reactor (GFR) is helium-cooled, with the coolant under high pressure,
about 7 MPa, and high temperature, about 850°C. It uses uranium fuel in silicon
carbide fuel rods. Some GFRs are being designed to operate for an estimated period
of 10 to 40 years without refuelling.

The size and design of fast reactors can vary considerably, which makes an overall
group assessment of the security risk challenging.

Design: Sodium Cooled Fast Reactor (SFR)

Opportunity for theft: Spent fuel has significant heat load and radioactivity.
Therefore, fresh fuel is more attractive.

Some designs utilise breeder blankets that have desirable isotopic composition and
moderate radiation level and could be a target for theft.

The small modular configuration has inherent security because there is no access
to fuel assemblies.

Sabotage: Passive decay heat removal protects the reactor from severe accidents
with potential for core damage.

Design: Lead Cooled Fast Reactor (LFR)

Opportunity for theft: For LFR designs, the radioactivity level is so high as to
require remote handling using methods and locations that create a substantial
barrier for access by non-state actors.

In some designs, fresh fuel with plutonium would be a theft target similar to
mixed-oxide (MOX) assemblies of LWRs.

Sabotage: LFR can theoretically be indirectly sabotaged through an attack on the
shut-down systems.

LFR can be sabotaged indirectly through an attack on the decay heat removal
systems.

The spent fuel storage area can be indirectly sabotaged through an attack on its
cooling systems.

Design: Gas Fast Reactor (GFR)

Opportunity for theft: Designs that use reprocessing for fresh fuels are the most
attractive from a theft perspective. However, the fresh fuel can be produced using
group extraction of actinides which creates a radiation barrier.

Sabotage: Specific attention should be paid to the protection of the emergency
cooling systems on which the global safety of GFRs relies.

Table 4: Summary of fast reactor theft and sabotage assessment31

Sodium Cooled Fast Reactor


Developers are considering SFR plant sizes ranging from small modular systems to
large monolithic reactors. In addition, developers are considering a wide variety of
fuels and fuel cycles. For example, the Small Modular Fast Reactor (SMFR) is aimed
at utilising characteristics inherent to fast reactors for small grid applications. A
key design feature of the SMFR is the long-lived core – 30 years with no refuelling.
This long lifetime improves security and proliferation resistance by eliminating all
aspects of onsite fuel management.

31 The primary source for this table is the Gen IV PR&PP assessment.
In general, Gen IV assessed sabotage as unlikely because of the inherent safety
characteristics of the design. From a theft perspective, the fresh fuel is the more
attractive target because it has low radioactivity. Breeder blankets may also have
nuclear material with attractive isotopic composition at moderate radiation levels.

The spent fuel produces significant heat and radioactivity and must be cleaned
(removal of residual sodium) after extraction from the reactor vessel. This makes
transportation after cleaning, cooling and packaging potentially a more desirable
pathway for theft. The transport techniques and security arrangements will be quite
different between co-located and centralised fuel cycle strategies. For example,
reactors with co-located recycle facilities would require stringent security measures
to protect Category I plutonium. However, such an arrangement of co-located
recycle facilities is highly unlikely in practice.

Lead Cooled Fast Reactor


Two designs were studied by Gen IV: European Lead-cooled System (ELSY) and
Small, Sealed, Transportable, Autonomous Reactor (SSTAR). For both designs, theft
was considered unlikely. However, sabotage was considered a credible scenario. For
ELSY, a sabotage incident yielding potential radiological consequences could result
from a direct attack on the following system elements:
• Reactor
• Fresh fuel storage area
• Spent fuel storage area at fuel building
• Fuel shipping neighbouring areas (during arrival of fresh fuel and dispatching
of spent fuel)

The report concluded that all these system elements need to be protected from direct
sabotage attack, similar to a traditional LWR.

Gas Cooled Fast Reactor


The Gas Cooled Fast Reactor (GFR) has a similar fuel cycle to other fast reactor
technologies that use centralised, aqueous reprocessing. The fresh fuel used
in the GFR provides the most attractive target for theft, since it has the lowest
contamination with fission products. When the fuel is produced using group
extraction of actinides, the radiation levels in fresh fuel require significant
shielding, which can also be designed to provide a passive barrier to theft.

With respect to sabotage, the present design of GFRs offers a traditional set of
protections compared to PWRs (mainly with a reactor containment building) given
the fact that inert gas is used as a primary coolant. A guard vessel which envelops
the primary system should provide an additional protection level. Specific attention
should be paid to the protection of the emergency cooling systems on which the
safety of GFRs relies.

Microreactors
Another subset of the examined ARs are microreactors. Microreactors are not
defined by their fuel form or coolant. Instead, they have three main features:32

1. Factory fabricated: All components of a microreactor would be fully assembled
in a factory and shipped out to location.

2. Transportable: Smaller unit designs will make microreactors very
transportable.

3. Self-adjusting: Simple and responsive design concepts will allow
microreactors to self-adjust.

Microreactor designs vary, but most would have capacity of 1-20 MW of thermal
energy that could be used directly as heat or converted to electric power. They can
be used to generate clean and reliable electricity for commercial use or for non-
electric applications such as district heating, water desalination and hydrogen fuel
production.

As an example of this technology, California-based company Oklo has designed
a reactor called Aurora, a compact fast reactor that builds on the Experimental
Breeder Reactor-II and space reactor legacy. Heat is transported using heat pipes
that function as thermal superconductors. The reactor is sited underground and
contained in several layers, including a robust cask-like module, producing 4 MWt
(~1.5 MWe).33 The Aurora is just one example of a microreactor that is currently
being designed in the AR community.

Microreactors are much smaller than other designs. These reactors are extremely
compact. Components such as pumps, valves and others are largely located
outside of the reactor module, and items can typically be serviced online. Some
microreactors might even be smaller than most research reactor designs, although
no microreactors propose the use of HEU (common with research reactor designs).
This raises the question: how are these microreactors to be regulated for security? Does it
depend on the thermal power of the reactor and the DBT?

To quote a senior nuclear security officer at the IAEA, the answer may simply be a
graded approach to protection.

“When it comes to research reactors, there is no one-size-fits-all approach for
protection. It has to be evaluated and implemented on a case-by-case basis. Each
reactor has a unique design and features that require the design of physical protection
systems to allow the facility’s mission to be accomplished while ensuring protective
measures are effective in a security event.”34

32 Office of Nuclear Energy (2018). What is a nuclear microreactor?


33 NRC. (2020). Aurora – Oklo application.
34 IAEA Bulletin. (2020). Finding the right fit: How nuclear security is incorporated into research reactors.
While drafting this report, the issue was discussed with nuclear regulators. The
current view is that these microreactor designs will still have some security
requirements, depending on the technology implemented. For example, some
microreactors could be characterised by the US NRC under similar groups as some
fuel fabrication facilities, if they plan on using Category II material.35

Licensing of a Given Design


Regardless of the design used, there are a number of common best practices that can
be adopted by any developer. From the discussions with various individuals involved
in the AR development community, the authors of this report can confirm
that many AR developers are taking a proactive approach to the need for security
considerations to be included within their design. To optimise the success of their
design being licensed, they are addressing security early in the design process.

However, other developers have a different perspective about security requirements.
Some developers believe that the radiological consequences of any security incident
would be minimal. In this paradigm, security concerns – in terms of radiological
releases or impact to the public – are greatly exaggerated. In other words, under a
number of different initiating events including security incidents, safe shutdown of
the reactor could be achieved with very low risk of radiological release.

While this may be true for certain designs, developers will still find numerous
benefits by adopting security considerations early in the design process, especially
from a regulatory perspective. This is true even if the risk is evaluated as low. Table 5
outlines the potential benefits.

35 IAEA NSS 13 defines Category II material as uranium enriched from 10%-19.99% U-235 with 10kg or more of U-235.
Security challenge: Cost

Regulatory benefit of considering security early in the design process: By
considering security early in the design process, the designer can better address
security requirements and lower the cost of implementing them during operations.
The designer and operator can avoid the need for expensive retrofitting or other
compensatory measures that may be required by the regulator after construction
and during operation.

Security challenge: Integration of safety and security

Regulatory benefit of considering security early in the design process: Early in
the development of the safety case, the designer should also begin to examine the
security case. The designer, in conjunction with security experts, can run security
assessments on the reactor design. The designer’s assessment of safety and
security will help inform the key regulatory documentation that will need to be
submitted as part of the licensing process, including the security plan.

Security challenge: Understanding of regulatory requirements

Regulatory benefit of considering security early in the design process: The
designer should consider the security guard force models and security checks. If
this will be required by the regulator, then these conversations about regulatory
expectations should commence early in the design process.

Table 5: Advantages of including security into the design of a reactor

To ensure the adoption of best practices, developers and their staff should undertake
professional development opportunities to ensure they are demonstrably competent
to address security challenges in their designs, such as cybersecurity. In addition,
they should have access to appropriate advice and expertise from subject matter
experts. NGOs such as WINS and NTI should develop training programmes to
educate AR designers about key security principles to ensure that security is taken
into account at the earliest stage of design, including in relation to procurement
decisions and the entire supply chain.


4. COMMON SECURITY CHALLENGES

Introduction
Through a number of interviews, WINS has identified three primary concerns for the
developer community.

1. Whether the design can be licensed

2. The cost of construction and operation

3. The desirability of an increased reliance on automation, removing the need for
human operators

The cost of being granted a licence, of construction and of sustaining operations
of ARs is considered a major challenge by developers. Well-considered decisions will
have to be made when proposing ways to optimise security and save costs without
compromising either safety or security. A number of developers interviewed by
WINS expressed the belief that incorporating security features into their AR designs
that are similar to those required by traditional NPPs would not be economic,
primarily in terms of operation and maintenance costs. In their estimation, the
inherent safety characteristics of ARs should form the basis for demonstrating
risk-informed security requirements, and meeting these requirements should be less
onerous for the applicant for a licence.

In addition, automation is a significant design goal of AR developers. Developers
see automation as improving both safety and security as well as making reactor
operations more economic. Some of the benefits identified by reactor developers
include:

• Automation in the AR operating systems will reduce human error significantly.
In addition, moving to fully automated systems that rely on digital assets not
only reduces human error but makes the operation of the different systems
and their components more efficient.

• Removing the human element reduces the potential for insider threat.

• Robotics and other technologies like drones and unstaffed equipment can
reduce security costs significantly by reducing the number of security
personnel required.

• Advanced technologies could be deployed to improve detection capabilities.
For example, machine learning is not susceptible to degradation in alertness.

AR developers have also expressed interest in the deployment of remotely operated
weapons systems (ROWs) to protect their facilities. On one hand, this could
potentially reduce guard force requirements and make operations more profitable.
On the other hand, use of ROWs requires careful consideration on the part of the
regulator to assess the controls that would be in place. The use of ROWs
may also be subject to other legal considerations outside of the purview of the
nuclear regulator and subject to other national laws and custom.

While the evolution of artificial intelligence, robotics and the development of more
autonomous systems may be beneficial from a safety and economic standpoint,
developers will also need to consider the increasing risks of cyberattacks, terrorism
and other potential emergent risks. Cybersecurity is especially important because
a number of ARs are initially intended to be used at remote locations, including
offshore, with minimal staffing. In addition, developers may need to address
increased security requirements for high-assay low-enriched uranium (HALEU) fuel
used in many designs.

These challenges are intertwined and will be further explored in the following
section of the report.

Security Requirements of HALEU Fuel


Many ARs will require higher enrichments than those currently manufactured for
LWRs. This new fuel, enriched between 5 percent and 20 percent, is called HALEU.
The higher enrichment level and novel fuel design can improve fuel utilisation and
support better overall plant economics for ARs.

Some developers interviewed by WINS are concerned about the differentiation
between LEU and HALEU. They are of the view that the description of HALEU has
introduced confusion about its categorisation for the purposes of physical protection
requirements. In their opinion, the 20 percent enrichment level for the HEU/LEU
cut-off is an arbitrary number to begin with and not reflective of weapons-usable
material. They note that it would take the capabilities of a state actor to enrich
separated material regardless of whether the fuel is 5 percent, 10 percent, 19.9
percent or even higher enrichment. Thus, from a security perspective they contend
that there should be no difference in whether it is LEU or HALEU. They characterise
it as an issue related to proliferation rather than security.

However, the categorisation tables in the CPPNM and IAEA NSS 13 distinguish
between LEU enriched under 10 percent and LEU enriched above 10 percent but
below 20 percent.36 Regulators will therefore distinguish between lower enriched
LEU and HALEU. For example, the US NRC separates special nuclear material (SNM)
into three categories (largely in line with NSS 13):

36 Appendix 2 provides a discussion of the historical basis for the distinction between LEU enriched under 10% and LEU enriched above
10% but below 20%.
• Category I (strategic SNM): any SNM with uranium enriched to 20 percent or
more uranium-235, uranium-233 or plutonium

• Category II (moderate strategic significance): 10,000 grams or more of
uranium-235 enriched to 10 percent or more but less than 20 percent
uranium-235

• Category III (low strategic significance): 10,000 grams or more of
uranium-235 contained in uranium enriched above natural but less than 10
percent uranium-235

This is relevant because higher categorisations have increased security requirements
in any country following the NSS 13 categorisation tables. This is an obvious concern
for developers using HALEU because they could be categorised as a Category II
facility37, which could have significant implications on the amount of security that is
required by the national regulations.

The most comprehensive discussion on the topic was provided in a January 2018 NEI
White Paper on Addressing the Challenges with Establishing the Infrastructure for the
Front-end of the Fuel Cycle for Advanced Reactors. NEI writes that existing enrichment
facilities that are producing LEU of less than 5 percent uranium-235 would be
required to obtain an NRC licence amendment to produce HALEU fuel. Among other
issues, the security requirements would be different for portions of the facility with
Category II and III SNM which could create complexity in the plant modifications.

NEI also writes that following the events of 9/11, the NRC re-evaluated its security
requirements for Category I and III facilities. However, the NRC did not have a
Category II SNM facility licensed and as a result did not issue Category II facility
security orders. According to NEI, the NRC’s current policy is not to require
the physical protection systems of facilities with Category II SNM to protect
against a DBT for theft or diversion and radiological sabotage. Rather, for these
facilities, the NRC’s policy is to require licensees to meet a set of requirements, the
effectiveness of which has been evaluated based on NRC threat assessments as well
as consequence and security assessments for these facilities. The physical protection
requirements are generally graded based on the risk of the material being used for
malevolent purposes.

37 Note that in the unlikely situation that a developer chose to use a fuel enriched between 5-9.9% U-235, they would not be subject to
Category II security requirements.
NEI concludes that:

The lack of recent NRC licensing introduces additional uncertainty that could affect
both the timeliness and economics of the process. To limit this uncertainty, prior to
the initiation of a licensing effort, the NRC should update its plans for revision of 10
CFR Part 73 and development of associated guidance documents. The guidance should
cover Physical Security Plans for facilities licensed under 10 CFR 70.22(k) for SNM of
moderate strategic significance and address the changed threat environment. In the
interim, prior to completion of rulemaking, if needed, the NRC could establish Category
II SNM security requirements through the issuance of facility specific orders. The NRC
is expected to address this issue for medical isotope facilities that would be licensed to
possess Category II SNM at some time during 2018.

NRC is currently the only regulator that WINS was able to interview that is
considering HALEU as a separate issue from LEU generally. They are planning to
provide additional guidance, which was not yet complete at the time of this report
drafting.

Remote Siting
A significant number of ARs (such as heat pipe reactors) are initially intended to
be used at remote locations, including offshore in some instances. However, the
difficulty of physical access to remote sites can present both security benefits and
disadvantages.

Potential Benefits
• It may be harder for adversaries to reach and access the site for a physical
attack.

• If the site is in a remote area with no population in the vicinity, then
the consideration of offsite consequences may be limited to potential
environmental effects, which would be examined as part of an environmental
impact assessment (EIA). Moreover, reactors in remote locations will have
significantly lower radioisotopic inventories because the reactor is small.

• For a sabotage scenario, the impact and consequences may be lower because of
design mitigation strategies.

Potential Challenges
• It will be difficult for any offsite response force to access the site in a timely
manner.

• There may be increased vulnerability during the transport of nuclear material
or transport of a fully fuelled reactor to the remote location.

• There may be an increased reliance on offsite monitoring stations. This raises
cybersecurity concerns in relation to reactor operations as well as remote
monitoring through a central alarm station or secondary alarm station.

• There is an additional need to ensure that a remote AR/SMR cannot be shut
down by an adversary or be vulnerable to cyberattacks, including a denial of
service attack.

The biggest question with remote siting may be the line between acceptable and
unacceptable offsite radiological consequences to human beings. However, siting
has many considerations beyond just security, including natural hazards and EIAs.
EIAs and other regulatory requirements are unlikely to allow for a “relaxation” of
safety and security standards due to the remoteness of a facility.

Transport of Fuel
As previously mentioned, remote siting of an AR raises the question of fuel
transport. Most AR systems are likely to rely on offsite fuel fabrication facilities
for fresh fuel supply. In addition, they will all require transportation of the spent
fuel to a disposal site, a high-level waste storage or reprocessing facility. The
requirement to transport fresh or spent fuel will depend on the fuel cycle technology
configuration (co-located or centralised).38

In some cases, there are outstanding questions as to whether the reactors will be
transported fuelled or whether the fuel will be transported separately. It largely
depends on the size of the reactors. Microreactors may be shipped fuelled or have
the fuel shipped separately, as with a traditional NPP. Either way, it is important
that AR designers consider transport during the entire fuel cycle including during
decommissioning.

The issue of transport packaging is a primary concern that has arisen while
undertaking this research. From interviews with AR stakeholders, no AR companies
are working on fuel package designs, in some cases because they are still early in the
design process. In its 2018 White Paper on Addressing the Challenges with Establishing
the Infrastructure for the Front-end of the Fuel Cycle for Advanced Reactors, NEI stated
that industry will need:

38 Generation IV International Forum. (2011). Evaluation Methodology for Proliferation Resistance and Physical Protection of Generation IV
Nuclear Energy Systems, (Rev. 6).
Development of a new shipping package, certified for safe transport of uranium
hexafluoride with enrichments from 5% to less than 20% uranium-235. In addition
shipping packages will need to be designed, tested and certified for deconverted HALEU
forms (e.g., oxide or metal) as well as the manufactured fuel being transported from the
manufacturer to the reactor site.

It is recommended that additional design, analysis and commercialisation work be
undertaken specifically to address this challenge.

Cybersecurity
From our discussions with regulators and developers, the approach taken to
addressing cybersecurity for ARs, up to now, has not differed from that for existing
traditional LWRs. The general view is that there is nothing unique about AR
beyond the potential for remote siting. Just like traditional LWRs, AR designers
need to identify cybersecurity considerations from inception to decommissioning.
The development of cybersecurity solutions for AR relies upon understanding
the threat landscape and capabilities of the adversaries against digital systems
that will perform sensitive or higher consequence facility functions. That means
consideration of information security for design documents, cybersecurity
consideration in the supply chain, classification of digital assets and defensive
cybersecurity architecture.

Cyberattacks at nuclear facilities may contribute to causing physical damage to the
facility and/or disabling its security or safety systems (i.e. sabotage), to obtaining
unauthorised access to sensitive nuclear information, or to the unauthorised
removal of nuclear material. Cybersecurity is, therefore, vital at nuclear facilities to
protect both nuclear security and nuclear safety.

Operational technology is the term used for those systems that generally control
and/or monitor physical processes. Industrial control systems is the term used to
broadly describe operational technologies (both analogue and digital) that support
industrial processes.39 The term instrumentation and control (I&C) system describes
operational technology that provides for safety and security systems within nuclear
facilities. I&C systems play a critical role in ensuring the safe and secure operation
of nuclear facilities. As digital technologies continue to evolve, they are increasingly
being incorporated into and integrated with I&C systems.40 New nuclear facility
designs use highly integrated digital I&C systems to efficiently and simultaneously
handle vast quantities of process data while requiring less human interaction and
intervention than previous I&C systems.41

39 Stouffer, K, et al. (2015). Guide to Industrial Control Systems (ICS) Security.
40 WINS. (2020). Nuclear Cybersecurity Module.
41 IAEA. (2018). NSS 33-T: Computer Security of Instrumentation and Control Systems at Nuclear Facilities.

Nuclear power plants contain simple and complex I&C systems that are dedicated
to very specific tasks and that may not be monitored centrally or continuously.
Examples of these common control systems include automated building systems
(heating, ventilation and air conditioning), building management control systems,
and interior and exterior lighting systems. Examples of complex control systems
are the reactor protection system, the reactivity control system and safety-related
supervisory control and data acquisition and distributed control systems.

Both simple and complex I&C systems within a nuclear power plant may be subject
to a cyberattack. These systems have become more and more automated and they
have been designed to allow remote maintenance and monitoring, which increases
efficiency. Remote access to systems, whether for maintenance or monitoring,
should be restricted as it may provide a possible entryway for cyberattacks. I&C
systems, whether complex or simple control systems, should be protected from
cyberattack to ensure their availability and reliable operation.

IAEA Guidance on Cybersecurity


The guidance documents developed and published by the IAEA on information
and computer security (i.e. cybersecurity) within the Nuclear Security Series are
structured to provide concepts and processes to establish, maintain and sustain
information and computer security within nuclear security regimes and nuclear
facilities, irrespective of the use of nuclear material or the physical characteristics
of the facility. The IAEA has developed the following implementing and technical
guidance documents:

• NST045 (Approved for and pending publication as NSS 42-G) Computer Security for
Nuclear Security: NST045 provides guidance on developing, implementing and
integrating computer security as a key component of nuclear security and its interfaces
with nuclear safety and other elements of a state’s nuclear security regime.
NST045 addresses the roles and responsibilities of state organisations, other
responsibilities, and the activities involved in developing, implementing and
sustaining a state strategy and plan on computer security for nuclear security.

• NST047 (Approved for and pending publication as NSS 17-T Rev. 1) Computer
Security Techniques for Nuclear Facilities: NST047 provides guidance on
implementing computer security at nuclear facilities with the aim to prevent
and protect against unauthorised removal of nuclear material, sabotage of
nuclear facilities, and unauthorised access to sensitive nuclear information
throughout the lifecycle of the facility.

• NSS 33-T Computer Security of Instrumentation and Control (I&C) Systems
at Nuclear Facilities. NSS 33-T provides technical guidance for the secure
design and protection of individual I&C systems at nuclear facilities through
computer security against malicious acts that could prevent such systems from
performing their safety and security related functions.

• NSS 23-G Security of Nuclear Information provides guidance on implementing
the principles of confidentiality, integrity and availability and on the broader
aspects of information security in relation to sensitive information within
nuclear security regimes and in particular in nuclear facilities. NSS 23-G was
created with the goal of assisting States in bridging the gap between existing
government and industry standards on information security in general, the
particular concepts and considerations that apply to nuclear security, and
the special provisions and conditions that exist when dealing with nuclear
material and other radioactive material.

Through an agreement between the International Electrotechnical Commission
(IEC) Technical Committee 45 on Nuclear Instrumentation and the IAEA nuclear
sector safety and security, standards prepared by the IEC implement principles and
terminology of the IAEA safety and security guides. Both organisations actively
collaborate to ensure harmonisation, in particular for publications related to the
design of electrical power systems and I&C systems for nuclear power plants, including
the topics of information and computer security. In addition, the IEC Technical
Committee 45 cybersecurity standard documents for nuclear power plants are
developed in coordination with the ISO/IEC 27000 series of cybersecurity standards.

Cybersecurity Standards
From our interviews, regulators are not yet addressing cybersecurity for ARs during
the design licence certification process. For example, the US NRC plans to address
the matter in a later stage because they do not yet fully understand the potential
radiological consequences of a cyberattack. There is not yet enough information
to evaluate the issue thoroughly. In the United States designers will need to be
compliant with North American Electric Reliability Corp. Critical Infrastructure
Protection standards Version 5, among others. Operators are also required to submit
a cybersecurity plan for approval by the US NRC that demonstrates they satisfy
the requirements of NRC Regulation 73.54 Protection of digital computer and
communication systems and networks.42 This regulation lists a set of high-level
requirements that must be demonstrated as part of the operators’ cybersecurity
plan.

Supporting this high-level requirement is a regulatory guidance document that was
developed to present an acceptable method for a licensee to meet the requirements
of the regulation. Regulatory Guide 5.71 Cybersecurity Programmes for Nuclear
Facilities, NUREG 5.71 (RG 5.71)43 is based on the identification of critical digital
assets, which represent those computer-based components that are required to be
protected from cyberattacks under 10 CFR 73.54. This guide sets out a list of security
controls recommended to be applied by the licensee. The basis of this guidance is
NIST SP 800-53 (Revision 3) and NIST SP 800-82.

42 NRC. (2017). § 73.54 Protection of digital computer and communication systems and networks.
43 NRC. (2010). Regulatory Guide 5.71: Cybersecurity programs for nuclear facilities.

In Canada, the CSA standard on cybersecurity, N290.7, applies to nuclear power
plants and small reactor facilities. This standard addresses cybersecurity at nuclear
power plants and small reactor facilities for the following computer systems and
components:44

a. Systems important to nuclear safety

b. Nuclear security

c. Emergency preparedness

d. Production reliability

e. Safeguards

f. Auxiliary assets or systems which, if compromised, exploited, or failed, could
adversely impact (a), (b), (c), (d) or (e).

The key is to manage risk and direct limited resources towards protecting digital
systems and assets based on their relative value or importance. The IAEA guidance
publications on information and computer security address this through processes
that consider the maximum consequence of compromise of the facility function (i.e.
graded approach) while taking into account the additional connectivity provided by,
enabled interactivity of, and resulting trust relationships between computer-based
systems that require protection and preservation of the function they perform (i.e.
defence in depth).

Best Practice: NuScale Power


NuScale has designed a small modular LWR, the NuScale Power Module™, based
on a well proven and conventional LWR design. Although not falling under the
three categories of ARs reviewed by this paper, the cybersecurity approach that
NuScale has adopted should be a guide for AR designers.

Cybersecurity was considered at an early stage in the NuScale Power
Module design. It is a secure cyber architecture based on a graded approach.
Communication from systems in higher security levels to lower security levels
is controlled and enforced by hardware-based unidirectional data flow paths.
It is physically impossible for data to pass from a lower security level to a higher
security level. NuScale’s protection systems design is based on a proprietary
method that uses field programmable gate array technology. The NuScale design
allows for all 12 NuScale Power Modules to be controlled and operated from a
single control room.

44 ANSI. (2020). N290.7-14 - Cyber security for nuclear power plants and small reactor facilities.

The design of the control systems may use some commercial off-the-shelf items,
but NuScale will work with suppliers to understand the threat vector. The design
of the NuScale protection systems does not have a runtime environment, or
infrastructure that supports the running of a particular programme, for software.
Instead, everything is hardcoded for operations, which makes OT very difficult to
change and particularly resilient against cyberattacks.

By taking a cybersecurity-by-design approach and adopting a secure digital
architecture and field programmable gate array technology for safety-related
systems, cybersecurity is more a physical protection concern, with a focus on
ensuring the integrity of the supply chain and components, as well as mitigating
insider threat.
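
The one-way rule described above (data may move from a higher security level to a lower one only over a hardware-enforced unidirectional path, and never upward) can be checked against a declared inventory of data flows at design time. The following Python is an added example, not NuScale's or WINS's code; the zone names, level numbers, enforcement labels and the treatment of same-level flows are assumptions made for illustration.

```python
from collections import deque
from dataclasses import dataclass

# Constructed zone model (assumption): a larger number is a higher security level.
LEVELS = {
    "protection_system": 4,
    "plant_control": 3,
    "operator_display": 3,
    "site_monitoring": 2,
    "corporate_it": 1,
}

HARDWARE_ONE_WAY = "hardware_unidirectional"  # assumed label for a diode-style path


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    enforcement: str  # HARDWARE_ONE_WAY, "firewall" or "none" (assumed labels)


# Constructed flow inventory, as it might be exported from design documents.
FLOWS = [
    Flow("protection_system", "plant_control", HARDWARE_ONE_WAY),
    Flow("plant_control", "operator_display", "none"),        # same level
    Flow("plant_control", "site_monitoring", HARDWARE_ONE_WAY),
    Flow("site_monitoring", "corporate_it", "firewall"),      # software-only boundary
    Flow("corporate_it", "plant_control", "firewall"),        # remote maintenance link
]


def check_flow(flow, levels):
    """Return None for a compliant flow, otherwise a short finding."""
    if flow.src not in levels or flow.dst not in levels:
        return "unclassified zone: assign a security level before connecting it"
    src, dst = levels[flow.src], levels[flow.dst]
    if src < dst:
        return "upward flow: data must never pass from a lower to a higher level"
    if src > dst and flow.enforcement != HARDWARE_ONE_WAY:
        return "downward flow is not enforced by a hardware one-way path"
    # Assumption: same-level flows are left to that level's own controls.
    return None


def audit(flows, levels):
    """List (flow, finding) pairs for every flow that breaks the one-way rule."""
    findings = []
    for flow in flows:
        reason = check_flow(flow, levels)
        if reason is not None:
            findings.append((flow, reason))
    return findings


def compliant_flows(flows, levels):
    """Flows that remain once every finding has been designed out."""
    return [f for f in flows if check_flow(f, levels) is None]


def influencers(flows, target):
    """Zones whose data can reach `target` over any chain of the given flows."""
    reverse = {}
    for f in flows:
        reverse.setdefault(f.dst, set()).add(f.src)
    seen, queue = set(), deque([target])
    while queue:
        zone = queue.popleft()
        for upstream in reverse.get(zone, ()):
            if upstream not in seen and upstream != target:
                seen.add(upstream)
                queue.append(upstream)
    return sorted(seen)


if __name__ == "__main__":
    for flow, reason in audit(FLOWS, LEVELS):
        print(f"{flow.src} -> {flow.dst} [{flow.enforcement}]: {reason}")
    print("can influence plant_control as declared:",
          influencers(FLOWS, "plant_control"))
    print("after removing non-compliant flows:",
          influencers(compliant_flows(FLOWS, LEVELS), "plant_control"))
```

The reachability check shows why a single upward link matters: as declared, the remote maintenance link lets the lowest-level zone, and every zone that feeds it, influence plant control through a chain of individually plausible connections.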

Preparing for Future Security Challenges


All of the challenges outlined in this chapter are still in the nascent stages of their
development or rapidly evolving. For example, we are just beginning to grasp
both the security opportunities and risks of advanced technologies and automated
systems, especially with respect to the consequences for cybersecurity. There has
also been a lack of studies on the security implications of remote siting, transport
security, and security of HALEU fuel. Furthermore, there are additional challenges
not discussed here such as supply chain security that need further review.

It is recommended that interested organisations commission subject matter experts
to begin studying each of these challenges in depth. These studies should identify
potential problems, challenges and opportunities and result in the production of
best practice guides and enhanced training packages.



5. ADOPTING SECURITY BY DESIGN

Introduction
The most commonly observed security design model focuses on the implementation
of conventional physical protection and cybersecurity controls after the facility
design is largely set. However, the most effective and efficient security can be
realised when it is incorporated into every aspect of design – from pre-conceptual,
conceptual and preliminary final design to construction, maintenance and
operation.

SeBD means including security within the systems engineering for the facility,
thereby reducing security risks at the source rather than relying on only physical
protection measures. It cannot be implemented solely by design engineers, security
managers or nuclear safety assessors. It requires a commitment – from the chief
executive down – to make security a primary design consideration on a par with
nuclear safety. It also requires a coordinated approach by all parties, including
operators, project managers and regulators.45

The concept is sometimes referred to as intrinsic security or inherent security.46 The
UK ONR says inherent security can be improved by:47

1. Reducing the inventory of nuclear or other radioactive materials to the
minimum necessary

2. Controlling the physical state of the material by removing/minimising its
potential effects if compromised (e.g. vitrification of high-level radioactive
waste, encryption of stored data, etc.)

3. Application of engineering, administrative and technical security measures

ONR provides guidance that such measures can be articulated within a security
hierarchy of controls as outlined in Figure 3. This hierarchy is based on a similar
control model used in safety. Application of this hierarchy should reduce the need
for, and reliance on, protective security systems and the challenges placed on them.

45 WINS. (2014). BPG 4.1 Implementing security by design at nuclear facilities, (Ver. 2.1).
46 In the authors’ view, ‘intrinsic’ and ‘inherent’ security is a distinction without a difference.
47 ONR. (2017). Security assessment principles for the civil nuclear industry (2017 Edition, Ver. 0).

Elimination: Reduce/remove nuclear material/other radioactive material inventory
(e.g. redundant sources) or regularly weeding sensitive nuclear information.

Substitution: Changing or swapping processes such as using off site delivery points,
using less hazardous sources or annexing sensitive nuclear information in documents.

Passive Engineering: Passive protection measures such as static hostile vehicle
mitigation, remote handling operations to minimise/prevent access, air gaps and
demilitarised zones for cyber security.

Active Engineering: Active protection such as rising arm hostile vehicle mitigation,
automatic access control systems, firewalls and anti-virus software.

Operational Human Factors: Includes policy and procedures such as searching,
two-person principles, password control and manual alarm assessment.

(Axis labels in the figure: Increasing Effectiveness; Increasing Cost.)

Figure 3: ONR Secure by Design Hierarchy of Controls

According to the Gen IV PR&PP Working Group, the interest in SeBD is based on a set
of assumed, but nonetheless credible, potential benefits:48

1. Cost-effective risk reduction, through early changes to the design

2. Improved resilience, through greater use of more reliable security and safety
engineering solutions

3. Improved public confidence in newbuilds, by demonstrating improved security
and resilience

4. Improved integrations of safety and security design functions

5. A competitive advantage for vendors of new or improved SeBD products

In its 2013 Security by Design Handbook, Sandia National Laboratories (SNL) further
explains why SeBD is so important. It outlines historical problems with the design
of nuclear facilities due to security not being taken into consideration during the
design stage (Table 8). According to SNL, all of these factors resulted in higher costs
to develop and upgrade PPS to meet the changing threat and limited the potential for
such systems to evolve over time.

48 Generation IV International Forum (2011)

Problem: Late involvement of security in the design process that either led to less
security or required expensive redesign and construction costs
Historical Basis: Historically, consideration of the PPS design in nuclear facilities
was delayed until a relatively late phase of plant/facility design, after many facility
design details had been established and could not be changed to accommodate security.

Problem: PPS designs created with either no consideration of the threat or based only
on consideration of the current threat
Historical Basis: As time progressed after construction, the threats to the nuclear
facility have typically become more capable. As a result, licensees have been faced
with the dilemma of making PPS improvements that are very expensive, have large
negative operational impacts, or are not consistent with social norms in the host
country; or having to accept a higher risk associated with newer, more capable threat
attacks. For example, the following threats currently discussed in
INFCIRC/225/Revision 5 caused relatively little concern 25 years ago:
• Cyber threats
• Insider threats
• Stand-off attacks

Problem: Lack of proper integration between security and operations, safety, and
safeguards, leading to inefficiencies
Historical Basis: The conflicts between security and other important functions, such
as operations, safety, and safeguards, were not anticipated early in the design phase,
forcing uncomfortable trade-offs between requirements that were solved in ways that
impacted the effectiveness of the PPS. At the same time, designers did not exploit
possible ways in which security and other functions could be improved to benefit both
security and the other function(s).

Problem: Weaknesses in governance and organizational structures, especially
concerning the competent authority and licensees
Historical Basis: This would include stakeholders not communicating effectively to
one another about how to improve security, leading to both increased costs and
decreased security.

Problem: Little or no consideration of the facility lifecycle
Historical Basis: Security systems were developed to address the physical protection
of the facility when it opened, within the context of either no DBT/Threat Assessment
(DBT/TA) or merely the current DBT/TA. This focus missed opportunities to take
advantage of safety and safeguards features and the future requirements of the
physical protection system and/or the DBT/TA.

Table 8: Security by Design Handbook – Historical issues with nuclear facility design and
security

Implementing Security by Design
Through its workshops, research, discussions and interviews with a number of
experts in SeBD, WINS has identified three prominent SeBD implementation and
evaluation methodologies that have been developed and published as the following
documents:49

1. The Security by Design Handbook, developed by SNL

2. The Secure by Design – Guidance Document Principles and Methods, developed by
Adrian Prior (Frazer-Nash Consultancy) and Robert Barnes (Rolls-Royce Ltd)

3. The Evaluation Methodology for Proliferation Resistance and Physical Protection
of Generation IV Nuclear Energy Systems (Revision 6), developed by the
Proliferation Resistance and Physical Protection Evaluation Methodology
Working Group of the Generation IV International Forum

Each of the methodologies is quite comprehensive and provides detailed SeBD
guidance to developers of nuclear reactors. It is recommended that all AR developers
review these three documents. In the following section, the paper provides a
summary of each methodology as a starting point.

Security by Design Handbook
SNL published the Security by Design Handbook to describe an approach to SeBD,
starting with a strategy for achieving SeBD, and then showing how that strategy
can be implemented. The approach is explained within the framework of the IAEA’s
three-phase Milestones Approach for developing a nuclear power programme in a
country. It also addresses SeBD within the context of the objectives and fundamental
principles of INFCIRC/225/Rev. 5.

Although the handbook is primarily targeted at decision makers, advisors, senior
managers in the governmental organisations, utilities, industries, and regulatory
bodies of a country interested in developing nuclear power, it is also useful for
operator organisations to better understand their role in supporting security by
design.

49 Developers may also be interested in the US NRC’s Nuclear Power Plant Security Assessment Guide (NUREG/CR-7145) which provides
detailed guidance for the format and content of a security assessment. NRC encourages design certification and combined licence
applicants to use the guidance to optimise physical security during the design phase.

The handbook is divided into four sections (Table 8).

Section 2: Security by Design
Contents: Provides an overview of the SeBD framework and discusses the value of using
that framework to develop NPPs and NFs

Section 3: Strategy for Achieving Security by Design
Contents: Describes an approach or strategy for implementing SeBD within the context
of the recommendations found in INFCIRC/225/Rev. 5 and the IAEA Milestones documents.
The basic strategy for achieving SeBD includes four main elements:
1. Incorporation of an integrated design team
2. Use of a risk-informed design decision-making process that addresses threat,
vulnerability and consequence
3. Use of a structured lifecycle process for the integrated design team
4. Implementing a set of physical protection principles and practices

Section 4: SeBD Principles and Practices
Contents: Principles and their associated practices for SeBD are described in this
section, including useful practices that support each of the 12 Fundamental Principles
found in INFCIRC/225/Rev. 5. If adopted, these principles and practices are expected to
provide high confidence in both the effectiveness and sustainable operation of the PPS.

Section 5: Detailed Application of the Principles and Practices
Contents: Describes in some detail how the SeBD framework has been and can be
applied. The section includes discussion of specific practices that competent
authorities can take to encourage the application of SeBD, on one hand, and that
designers can take to help implement SeBD at the facility layout level. There is also a
section on how adversary capabilities might change in the future and possible
countermeasures that designers can employ now to be ready for those changes. This is
provided to give some general guidance to designers on how to protect against the
possibility that those trends may materialise in future DBTs/TAs.

Table 8: Contents of the Security by Design Handbook

The document is a good starting point for developers wishing to familiarise
themselves with SeBD because it provides a holistic picture of SeBD from the
key international guidance underpinning the concept, the role of the competent
authority (regulator) and a summary of the designer’s role. However, the handbook
is not particularly detailed on designer implementation, which is better covered in
the next methodology.


Secure by Design – Guidance Document Principles and Methods
Adrian Prior (Frazer-Nash Consultancy) and Robert Barnes (Rolls-Royce Ltd)
were funded by the UK’s Department of Business, Energy and Industrial Strategy
for a series of research projects to develop guidance for the application of Secure by
Design principles, suitable for use by security practitioners in the UK civil nuclear
sector. According to Secure by Design – Guidance Document Principles and Methods, a
successful approach should:

1. Encourage efforts to reduce security risk at source, before considering the
effect of a security protection system

2. Adopt a system-level, or systems engineering, approach to the design of
nuclear security systems

3. Engineer features into the design of the facility, plant or process that have
security functionality

4. Encompass the entire lifecycle of the facility

Prior and Barnes identify and characterise seven key SeBD principles:

1. Security Hierarchy of Controls (SHoCs)
Description: The application of SHoCs (as outlined in Figure 3) when examining risk
reduction options. In this approach, elimination and substitution are considered
before the more common security engineering options, as they are likely to deliver
greater reliability and financial savings.

2. Integrated design
Description: The pursuit of an integrated security design solution through the use of
integrated design teams. These comprise security professionals working with safety
colleagues and nuclear engineers to apply the SHoCs, and select design options, in an
integrated way.

3. Early engagement
Description: Suitably qualified and experienced security professionals should be
decisively engaged in the design process from the earliest concept stage, in order to
be able to meaningfully apply the SHoCs. Delayed engagement in the design process may
mean that risk reduction opportunities, via elimination or substitution, are lost.

4. Cross domain risk reduction
Description: This is the exploration of opportunities to reduce security-related risk
through integrated action in security and other domain areas, such as safety and
emergency response. This includes actions to avoid building-in inherent security
vulnerabilities in all domains.

5. Security objectives
Description: There are a number of powerful security objectives which can be applied
to direct effective security design in the early stages, before detailed security
system requirements are dealt with. These aspirational objectives are:
• Minimise IAEA-based categorisation for theft and sabotage
• Reduce the number and footprint of potential vital areas
• Exploit opportunities to build in inherent delay – maintain integrity and balance
of potential intrinsic barriers (plant structure)
• Mitigate specific adversary vectors through adaptation of plant design: e.g.
aircraft impact
• Mitigate common construction vulnerabilities: e.g. HVAC voids through barriers
• Seek close alignment of the potential emergency planning zone and the asset
perimeter
• Enable safe plant shutdown against defined security challenges

6. Future-proof against emerging threats
Description: The security related design should be future-proofed against likely
emerging threats for the lifetime of the plant. This may impact the content of the
threat assessment or design basis threat applied for the project but may also
influence a more flexible design, which enables a responsive uplift of security
measures as threat changes occur.

7. Common and nuclear design principles
Description: Principles 1-6 are focused on the application of the SeBD concept. The
existing common and nuclear security principles (i.e. defence in depth) are still
relevant to the design process and should be applied during the development and
consideration of security control options.

Prior and Barnes also describe a process for implementing their methodology. These
stages are:

Stage 0 - Preparation

Stage 1 - Concept

Stage 2 - Development

Stage 3 - Production

Stage 4 - Utilisation and Support

Stage 5 - Retirement

Because the process is aligned with international and UK standards for systems
engineering lifecycle management,50 it would be relatively simple for a developer to
synchronise with the stages. However, the full process is commercial in confidence.
If an interested organisation is unable to gain access to this process, the next
methodology may be helpful for AR developers.

The Evaluation Methodology for PR&PP of Generation IV Nuclear Energy Systems (Revision 6)
The Gen IV Proliferation Resistance and Physical Protection Working Group
developed an evaluation methodology for proliferation resistance and physical
protection (PR&PP) of Generation IV ARs. For a proposed design, the methodology
defines a set of challenges, analyses system response to these challenges, and
assesses outcomes. The challenges are the threats posed by potential actors
(proliferant States or sub-state adversaries). The characteristics of Generation IV
systems, both technical and institutional, are used to evaluate the response of the
system and determine its resistance against proliferation threats and robustness
against sabotage and terrorism threats. Figure 4 illustrates the methodological
approach.

Challenges:
• Threat Definition

System Response:
• System Element Identification
• Target Identification and Categorisation
• Pathway Identification and Refinement
• Estimation of Measures

Outcomes:
• Pathway Comparison
• System Assessment and Presentation of Results

Figure 4: Framework for the Gen IV PR&PP evaluation methodology

50 The SeBD process stages are aligned to the system lifecycle stages presented in BSI BS ISO/IEC/IEEE 24748-1 Systems and Software
Engineering – Lifecycle Management.

The methodology is organised to allow evaluations to be performed at the earliest
stages of system design and to become more detailed and more representative as
design progresses. Results are intended for three types of users: system designers,
programme policy makers, and external stakeholders. Programme policy makers
will be more likely to be interested in the high-level results that discriminate among
choices, while system designers and safeguards experts will be more interested in
results that directly relate to design options that will improve PR&PP performance.

For physical protection threats, the actor is considered a non-State adversary. The
actors’ characteristics are defined by their objective, which may be either theft or
sabotage, and their capabilities and strategies. The threats include:

• Radiological sabotage
• Material theft
• Information theft

When threats have been sufficiently detailed for the particular evaluation, analysts
assess system response, which has four components as previously outlined in
Figure 4:

1. System Element Identification: The elements can comprise a facility, part
of a facility, a collection of facilities, or a transportation system within the
identified design where theft/sabotage could take place.

2. Target Identification and Categorisation: PP targets are nuclear material,
equipment or information to be protected from threats of theft and sabotage.
Targets are categorised to create representative or bounding sets for further
analysis.

3. Pathway Identification and Refinement: Pathways are potential sequences of
events and actions followed by the actor to achieve objectives. For each target,
individual pathways are analysed at a high level and in detail.

4. Estimation of Measures: Measures are the high-level characteristics of a
pathway that affect the likely decisions and actions of an actor and therefore
are used to evaluate the actor’s likely behaviour and the outcomes. For PP, the
measures are:

a. Probability of Adversary Success – The probability that an adversary will
successfully complete the actions described by a pathway and generate a
consequence.

b. Consequences – The effects resulting from the successful completion of the
adversary’s action described by a pathway.

c. Physical Protection Resources – The staffing, capabilities, and costs required
to provide PP, such as background screening, detection, interruption and
neutralisation, and the sensitivity of these resources to changes in the threat
sophistication and capability.

The goal of PR&PP assessment is, by comparing pathways, to identify those that
an adversary most likely will pursue and to provide a basis for decision makers
to prioritise investments in safeguards and PP resources. After completing
the assessment, investments to reduce risk can be evaluated using the PR&PP
measures. Risks and investment needs can also be compared broadly across critical
infrastructure and key assets, allowing optimal investments to identify and reduce
the largest sources of vulnerability.

Example of PR&PP Implementation: ESFR Full System Case Study

The PR&PP Working Group developed the methodology with the aid of a
series of studies based on an Example Sodium Fast Reactor (ESFR). The ESFR
is a hypothetical nuclear energy system consisting of four sodium-cooled
fast reactors of medium size co-located with a dry fuel storage facility and a
pyrochemical spent-fuel reprocessing facility. The objectives of the case study
were to:

1. Exercise the GIF PR&PP methodology for a complete Generation IV reactor/
fuel cycle system

2. Demonstrate, by comparing different design options, that the methodology
can generate meaningful results for designers and decision makers in
particular

3. Provide examples of PR&PP evaluations for future users of the methodology

To facilitate the analysis, the case study threat space was divided into four major
categories, including one category on theft of weapons-usable material or
sabotage of facility system elements. The theft and sabotage threats pathways
analysis found that multiple targets and pathways exist. The most attractive
theft target areas were found to be the LWR spent-fuel cask parking area, LWR
spent-fuel storage, the fuel services building staging/washing area, the fuel
conditioning facility air hot cell, and the fuel conditioning facility inert hot cell.

Basic lessons learned from the case study included the following:

• Each PR&PP evaluation should start with a qualitative analysis to allow
scoping of the assumed threats and identification of targets, system elements,
etc.
• Detailed guidance for qualitative analyses should be included in the
methodology.
• Access to proper technical expertise on the system design as well as on
safeguards and physical protection measures is essential for a PR&PP
evaluation.
• The use of expert elicitation techniques can ensure accountability and
traceability of the results and consistency in the analysis.
• Qualitative analysis offers valuable results, even at the preliminary design
level.
• Greater standardisation of the methodology and its use is needed.

Learning through Peer Review

The Gen IV PR&PP evaluation methodology provides a list of nine steps that will be
useful for applying the methodology and will support organisations in overcoming
challenges associated with implementing security by design.

One particularly useful step will be to commission a peer review. WINS is a strong
proponent of peer review for nuclear security and has developed detailed guidance in
this area for operating nuclear facilities.

For facilities in the design stage, a security peer review should be performed to
ensure the quality of the product. According to Gen IV, two types of peer review have
been widely used and provide different types of support during the design stage:

1. In-process peer review/steering committee

2. Independent peer review of the completed analysis

In-process peer review brings an expert group of practitioners and decision makers
into the process at regular intervals to be fully briefed on the status of the work and
any known problem areas. Independent peer review allows objectivity through the
review of the finished product by independent outside experts who have not been
involved in the evaluation.

AR developers should assign staff to periodically meet with other developers to
organise peer reviews and share best practices and lessons learned in SeBD. A forum
for developers to organise reviews and share information could be organised by NTI
and/or WINS.

CONCLUSION AND RECOMMENDATIONS

Throughout this report, WINS has promoted the need to engage with key
stakeholders during the early stages of AR design. Currently, the interested parties
tend to be AR technology developers, nuclear industry associations, regulators and
governmental departments, but future applications may be through other entities,
for example electricity utilities, industrial institutions and national nuclear energy
agencies or research institutions.

Engaging with stakeholders may be required by law, in which case it may be a
prescriptive process, e.g. through an EIA authorisation process or the nuclear
licensing process. In other cases, an organisation may decide to engage stakeholders
for a variety of reasons:

• Identify stakeholder concerns so they can be addressed; identify creative
solutions to address stakeholder concerns
• Share information about proposed or planned activities, convey the benefits
and risks of the activity
• Proactively disseminate accurate information, proactively counter fake news
• Build trust within the community and allay fears, get community
input/support/approval
• Build consensus among different stakeholder groups
• Explain how decisions will be made and the timeline for actions
• Demonstrate compliance
• Get endorsement of a planned path forward
• Develop public/political support that may be needed to sustain funding

Influencing stakeholder opinion depends on many factors, among them confidence
in the expertise of the organisations and entities behind an AR project, trust in the
independence and competence of the regulatory authorities, and the stakeholders’
knowledge of the project and the benefits and risks associated with the technology.
If information is not provided and there is limited or no opportunity for dialogue and
consultation, stakeholders will form their own opinions, trusting other sources
of information, which may not be supported by science and facts, to make their
assessment of the perceived risks and possible benefits of such projects.

With this in mind, and as a consequence of the material covered in this report, WINS
makes the following recommendations to help developers and other stakeholders
address security by design and move forward with a constructive licensing
process:

Recommendation 1

The IAEA and other interested international governmental and non-governmental
organisations, such as NTI and WINS, should together identify the
most effective way of communicating international obligations and international
guidance for security to advanced reactor developers. Where needed, these
stakeholders should work collaboratively to develop new guidance to inform the
designers of the requirements for effective security at the design stage.

Recommendation 2

Regulators should share best practices and lessons learned in regulatory
approaches for advanced reactors through the establishment of an international
forum and regularly scheduled meetings. An independent organisation could
facilitate the formation of this forum.

Recommendation 3

Developers should be fully aware of the international and domestic security
requirements in the licensing process for their reactors and take these into
account at the design stage. Developers should also take the opportunity to
address safety and security (including cybersecurity) in an integrated manner.

To gain the requisite expertise, developers and their staff should complete
training and ensure access to professional development opportunities to ensure
they are demonstrably competent to address security challenges in their designs,
such as cybersecurity. In addition, they should have access to appropriate advice
and expertise from subject matter experts.

NGOs such as WINS and NTI should develop training programmes to educate
AR designers about key security principles and ensure that security is taken into
account at the earliest stage of design, including in relation to procurement
decisions and the entire supply chain.

Recommendation 4

Subject matter experts should be commissioned by interested parties to
further explore key areas and future challenges for advanced reactors, including
transport security, security of HALEU fuel, supply chain security, remote siting,
automation and cybersecurity. These studies should identify potential problems,
challenges and opportunities and result in the production of best practice guides
and enhanced training packages.

Recommendation 5

WINS is a strong proponent of peer review for nuclear security. For facilities in
the design stage, a security peer review using the available SeBD methodologies
should be considered. Two types of peer review have been widely used and provide
different types of support during the design stage:

1. In-process peer review/steering committee

2. Independent peer review of the completed analysis

AR developers should assign staff to periodically meet with other developers
to organise peer reviews and share best practices and lessons learned in SeBD.
A forum for developers to facilitate reviews and share information could be
organised by NTI and/or WINS.

REFERENCES
American National Standards Institute. (2020). N290.7-14 - Cyber security for nuclear
power plants and Small reactor facilities.
www.webstore.ansi.org/standards/csa/csan2902014

ARES Security Corporation. (2020). The use of security risk assessment (SRA) tools for
nuclear power plant security assessment.

Badwan et al. (2015). SMR design considerations for security and MC&A/safeguards
developed by USA and Russia. Proliferation Resistance and Physical Protection
Evaluation Methodology Working Group.

Bari, B., Whitlock, J., Therios, I., Peterson, P. (2012). Proliferation Resistance and
Physical Protection Working Group: Methodology and applications.

Barnes, Robert A. (2020). Secure by design – Guidance document principles and methods.
Rolls Royce Civil Nuclear UK.

Brown, A., & Glaser, A. (2016). On the origins and significance of the limit demarcating
low-enriched uranium from highly enriched uranium. Science & Global Security
24(2).

Buongiorno, J., Shirvan, K., Baglietto, E., Forsberg, C., Driscoll, M., Einstein, H.,
Macdonald, I., Stewart, W. R., Velez-Lopez, E., Johnston, K., Hashimoto, G.
(2020). Japan’s Next Nuclear Energy System (JNext): Final report. Center for
Advanced Nuclear Energy Systems.

Buongiorno et al., (2020). Japan’s Next Nuclear Energy System (JNext).
MIT-ANP-TR-187 Rev. 1.

Buster, G., Laufer, M., and Peterson, P. (2015). Fracture analysis of reduced diameter
spherical graphite fuel elements under diametrical loading conditions. University of
California, Berkeley.

Canada Nuclear Safety Commission

• (2020). Correspondence dated 2020-05-12.
• REGDOC-2.5.2. (2014). Design of reactor facilities: Nuclear power plants.
www.nuclearsafety.gc.ca/eng/acts-and-regulations/regulatory-documents/published/html/regdoc2-5-2/index.cfm
• Pre-licensing vendor design review.
https://nuclearsafety.gc.ca/eng/reactors/power-plants/pre-licensing-vendor-design-review/index.cfm

Canadian Small Modular Reactor Roadmap Steering Committee. (2018). A call to
action: A Canadian roadmap for small modular reactors.

Congressional Research Service. (2019). Advanced nuclear reactors: Technology
overview and current issues.

Dhal, F. (2020). Director General Grossi outlines plans to ‘recalibrate’ IAEA. IAEA Office of
Public Information and Communication.

Duguay, R. (2020). Small modular reactors and advanced reactor security: Regulatory
perspectives on integrating physical and cyber security by design to protect against
malicious acts and evolving threats.

Generation IV International Forum:

• (2011). Evaluation methodology for proliferation resistance and physical protection
of Generation IV nuclear energy systems, Revision 6.
• (2011). Proliferation resistance and physical protection of the six Generation IV
nuclear energy systems.
• (2009). PR&PP evaluation: ESFR full system case study final report.

Global Nexus Initiative. (2020). About us. www.globalnexusinitiative.org/about

Global Nexus Initiative. (2019). Advancing nuclear innovation: Responding to climate
change and strengthening global security.

IAEA Bulletin. (2020). Finding the right fit: How nuclear security is incorporated into
research reactors.
www.iaea.org/newscenter/news/finding-the-right-fit-how-nuclear-security-is-incorporated-into-research-reactors.

International Atomic Energy Agency:

• INFCIRC/274/Rev.1/Mod.1: Amendment to the Convention on the Physical
Protection of Nuclear Material
• INPRO manual: Physical protection. International Project on Innovative Nuclear
Reactors and Fuel Cycles Final Report. Vol. 6.
• Integrated Nuclear Infrastructure Review.
www.iaea.org/services/review-missions/integrated-nuclear-infrastructure-review-inir
• International Nuclear Safety Group. (2016). Stakeholder involvement in nuclear
issues
• Nuclear Energy Series No. NG-T-1.4. (2011). Stakeholder involvement throughout
the life cycle of nuclear facilities.
• Nuclear Energy Series No. NG-G-3.1. (2015). Milestones in the development of a
national infrastructure for nuclear power (Rev. 1).
• Nuclear Energy Series No. NG-T-3.2. (2016). Evaluation of the status of national
nuclear infrastructure development (Rev. 1).
• Nuclear Energy Series No. N-P-T-3.12 (2011) Core knowledge on instrumentation
and control systems in nuclear power plants.
• Nuclear Energy Series No. NG-T-3.14. (2016). Building a national position for a
new nuclear power programme.
• NSS No. 4. (2007). Engineering safety aspects of the protection of nuclear power
plants against sabotage.
• NSS No. 13. (2011). Nuclear security recommendations on physical protection of
nuclear material and nuclear facilities.
• NSS No. 19. (2013). Establishing the nuclear security infrastructure for a nuclear
power programme.
• NSS No. 23-G. (2015). Security of nuclear information.
• NSS No. 27G. (2018). Physical protection of nuclear material and nuclear facilities.
• NSS No. 35G. (2019) Security during the lifetime of a nuclear facility.
• Safety Standards Series No. SSG-16. (2012). Establishing the safety infrastructure
for a nuclear power programme.
• Safety Standards Series No. GSG-6. (2017). Communication and consultation with
interested parties by the regulatory body.
• Stoiber, C., Baer, A., Pelzer, N., Tonhauser, W. (2003). Handbook on Nuclear
Law.
• TECDOC-1575: Guidance for the application of an assessment methodology for
innovative nuclear energy systems (Rev. 1)
• TECDOC-1868: Nuclear security assessment methodologies for regulated facilities.

Lyman, E. (2019). Comments on the Draft Regulatory Basis for the Rulemaking for
Physical Security for Advanced Reactors.

Buongiorno, J., Parsons, J., Corradini, M., and Petti, D. (2018). The future of nuclear
energy in a carbon constrained world - An interdisciplinary MIT study. MIT Energy
Initiative. Massachusetts Institute of Technology.
www.energy.mit.edu/research/future-nuclear-energy-carbon-constrained-world

Nuclear Energy Institute White Papers:

• (2016). Proposed Physical Security Requirements for Advanced Reactor
Technologies
• (2019). Micro-Reactor Regulatory Issues
• (2019). Cost Competitiveness of Micro-Reactors for Remote Markets.
• (2018). Addressing the Challenges with Establishing the Infrastructure for the
front-end of the Fuel Cycle for Advanced Reactors.

OECD Nuclear Energy Agency. (2017). The strategic plan of the Nuclear Energy Agency
2017-2022. Organisation for Economic Co-operation and Development.

OECD Nuclear Energy Agency. (2004). Stakeholder involvement techniques: A short
guide and annotated bibliography. Organisation for Economic Co-operation and
Development.

Prior, A. and Barnes, R. (15-19 March 2020). Nuclear security and safety – Secure by
design. Proceedings of ICAPP.

Sambuu, O. & Obara, T. (2014). Comparative study on HTGR design for passive decay heat
removal. Progress in Nuclear Energy. 82. 10.1016/j.pnucene.2014.07.013.

Sandia National Laboratories. (2013) Security-by-design handbook.

Stouffer, K., Lightman, S., Pillitteri, V., Abrams, M., Hahn, A. (2015). Guide to Industrial
Control Systems (ICS). Security Special Publication 800-82 (Rev. 2). US National
Institute of Standards and Technology.

UK Office for Nuclear Regulation:

• (2020). Office for Nuclear Regulation Response to WINS SMR Questionnaire.
Correspondence dated 2020-06-05.
• ONR-GDA-GD-007 (May 2019). New nuclear power plants: Generic design
assessment technical guidance (Rev. 0).
• (July 2019). Guide for Smaller Dutyholders to the Application of the Security
Assessment Principles.
• (2017). Security assessment principles for the civil nuclear industry (Ver. 0).

UNECE. Good practice recommendations on public participation in strategic
environmental assessments. www.unece.org/index.php?id=42234&L=0

Office of Nuclear Energy. (2018). What is a nuclear microreactor? US Department of
Energy. www.energy.gov/ne/articles/what-nuclear-microreactor

US Nuclear Regulatory Commission:

• (2020). Aurora – Oklo application.
www.nrc.gov/reactors/new-reactors/col/aurora-oklo.html
• (2020). Emergency preparedness for small modular reactors and other new
technologies.
• NRC-2017-0227 (2019). Rulemaking for physical security for advanced reactors.
• (2 April 2020). Advanced reactor stakeholder public meeting.
• NRC-2017-0073 (2017). Non-light water reactor security design considerations.
• § 73.54 (2017). Protection of digital computer and communication systems and
networks. www.nrc.gov/reading-rm/doc-collections/cfr/part073/part073-0055.html
• Regulatory Guide 5.71. (2010). Cybersecurity programs for nuclear facilities.
www.nrc.gov/docs/ML0903/ML090340159.pdf
• SRM-SECY-18-0076. (2018). Options and recommendation for physical security
for advanced reactors - Rulemaking plan.

World Institute for Nuclear Security. (2014). BPG 4.1 Implementing security by design at
nuclear facilities. (Ver. 2.1).

World Institute for Nuclear Security. (20-21 November 2019). Workshop report:
Security of small modular reactors.

World Nuclear Association. (2018). Molten salt reactors.
www.world-nuclear.org/information-library/current-and-future-generation/molten-salt-reactors.aspx

Wilkes, A.B. (11-14 June 2019). Lessons from research for making nuclear energy cool.
Technical Meeting on Stakeholder Involvement and Communication for New and
Expanding Nuclear Power Programmes.


ACRONYMS AND ABBREVIATIONS

AR Advanced reactor

CFR Code of Federal Regulations

CNSC Canadian Nuclear Safety Commission

CPPNM Convention on the Physical Protection of Nuclear Material

CSA Canadian Standards Association 

DAC Design Acceptance Confirmation

DBT Design basis threat

EIA Environmental impact assessment

ELSY European Lead-cooled System

GDA Generic Design Assessment

GFR Gas fast reactor

GIF Global International Forum

GNI Global Nexus Initiative

GSR Generic Security Report

HALEU High-assay low-enriched uranium

HEU High enriched uranium

HVAC Heat ventilation and air conditioning

I&C Instrumentation and control

IAEA International Atomic Energy Agency

IEC International Electrotechnical Commission

INFCIRC Information Circular

INPRO International Project on Innovative Nuclear Reactors and Fuel Cycles

INS Innovative Nuclear Energy System

IT/OT Information technology/operational technology

LEU Low enriched uranium

LFR Lead-cooled fast reactors

LWR Light water reactor

MIT Massachusetts Institute of Technology



MOX Mixed oxide

MSR Molten salt reactor

MWe Megawatts electric

MWt Megawatt thermal

NEA Nuclear Energy Agency


NEI Nuclear Energy Institute

NGO Non-governmental organisation

NISR Nuclear Industries Security Regulations

NPP Nuclear power plant

NRC Nuclear Regulatory Commission

NSS Nuclear Security Series

NTI Nuclear Threat Initiative

OECD Organisation for Economic Co-operation and Development

ONR Office for Nuclear Regulation

PPS Physical protection system

PR&PP Proliferation resistance and physical protection

REGDOC Regulatory Document

ROW Remotely operated weapon

SeBD Security by design

SFR Sodium-cooled fast reactors

SHoCs Security hierarchy of controls

SMFR Small modular fast reactor

SMR Small modular reactor

SNL Sandia National Laboratories

SNM Special nuclear material

SoDA Statement of Design Acceptability

SSTAR Small, sealed, transportable, autonomous reactor

SyAPs Security assessment principles

TA Threat assessment

TAGs Technical Assessment Guides

TRISO Tristructural-isotropic

UCS Union of Concerned Scientists

VA Vital area

VDR Vendor design review



WINS World Institute for Nuclear Security


APPENDIX 1: ADVANCED REACTOR TECHNOLOGIES
Table 1 shows selected AR projects around the world, together with some of the
primary variables that relate to the design of physical protection systems and
measures such as power, type of fuel, enrichment and refuelling schemes.

The field “main applications” is referred to in the introduction section of this paper,
where five applications are envisioned for new nuclear:

a. Generation of carbon-free electricity for national power grids and macro grids

b. Production of district heating, residential and commercial heating

c. Generation of industrial heat for production of chemicals, processes in
refineries, desalination of water and co-generation

d. Generation of power and heat for niche markets and micro-grids; niche
applications of micro-reactors

e. Support for actinide transmutation to help reduce the amount of radioactive
waste generated, produce medical isotopes and perform silicon doping

Note that the BWRX-300, Rolls-Royce and NuScale reactor projects are not in the
table because they are LWRs. BWRX-300, NuScale and Rolls Royce SMRs have some
advanced features, but they lack TRISO or molten salt fuel, and they have a thermal
neutron spectrum. Consequently, although novel, they are outside the scope of
this report. While ARs have been defined based on their fuel and type of neutron
spectrum, they can also be defined based on their primary coolant, typically helium,
sodium, lead and salt.

| Acronym | Full Name | Designer | Country | Power | Primary Coolant | Spectrum | Fuel | Enrichment | Refuelling Period | Main Applications | Status |
|---|---|---|---|---|---|---|---|---|---|---|---|
| BN-1200 | BN-1200 | JSC Afrikantov OKBM (subsidiary of Rosatom) | Russia | 1220 MWe | sodium | fast | fuel rods | 20-80% Pu | every 12 months | a | construction |
| PRISM | Power Reactor Innovative Small Module | GE-Hitachi | USA | 311 MWe | sodium | fast | fuel rods | 26% Pu | every 18 months | a&e | design |
| Aurora | Aurora | Oklo Inc. | USA | 1.5 MWe | sodium | fast | cells in a hexagonal lattice | <20% | never | d | design |
| e-Vinci | e-Vinci | Westinghouse | USA | 1 to 5 MWe | sodium / potassium | epithermal | UO2 pellets in a metallic matrix | 19.75 | never | d | design |
| TWR | Traveling Wave Reactor | Terra Power | USA | 300 to 1150 MWe | sodium | fast | fuel rods | not available | fuel moving permanently and replaced every 20 years | a&e | design |
| Xe-100 | Xe-100 | X-Energy | USA | 75 MWe | helium | thermal | TRISO pebbles | 15.5% | online | a&c | design |
| HTR-PM | High Temperature Gas Cooled Reactor - Pebble Bed Module | Tsinghua University | China | 105 MWe | helium | thermal | TRISO pebbles | 8.5% | online | a&c | construction |
| MIGHT-R | Modular Integrated Gas High Temperature Reactor | MIGHTR LLC | USA | 60 to 150 MWe | helium | thermal | TRISO in hexagonal blocks | <20% | every 18 months | a&c | design |
| U-battery | U-battery | Urenco | UK-Netherlands | 4 MWe | helium | thermal | TRISO in hexagonal blocks | not available | every 5 years | d | design |
| IMSR | Integral Molten Salt Reactor | Terrestrial Energy | Canada | 194 MWe | molten salt | thermal | molten salt | <20% | every 7 years | a&c | design |
| CMSR | Compact Molten Salt Reactor | Seaborg Technologies | Denmark | 100 MWe | molten salt | thermal | Molten salt | <20% | never | a, c | design |
| KP-FHR | Kairos Power Fluoride-salt-cooled High-temperature Reactor | Kairos | USA | 140 MWe | fluoride salt | thermal | TRISO pebbles | 19.75% | online | a&c | design |
| SSR | Stable Salt Reactor | Moltex | UK-Canada | 150 MWe | fluoride salt | thermal | fluoride salt in fuel assemblies | not available | online | a&c | design |
| ALFRED | Advanced Lead Fast Reactor European Demonstrator | Ansaldo Nucleare | European Union | 125 MWe | lead | fast | fuel rods | 30% Pu | every 12 months | a&e | design |
| MYRRHA | Multipurpose Hybrid Research Reactor for High-tech applications | SCK-CEN | Belgium | 100 MWt | lead-bismuth | fast | fuel rods | 30% Pu | every 3 months | e | design |

Table 1. AR technologies

APPENDIX 2: CATEGORISATION OF NUCLEAR MATERIAL
Brown and Glaser [51] trace the basis for the distinction between LEU enriched below
10% and LEU enriched between 10-20% to a 1954 US National Security Council
Policy Directive authored by Lawrence R. Hafstad, Director of Reactor Development
at the US Atomic Energy Commission. The memorandum was drafted in support
of President Eisenhower’s Atoms for Peace initiative and plans to export research
reactors abroad. It specified that fuel for the reactors should be “less than weapons
grade” and proceeded to provide recommendations based on a calculation provided
by Los Alamos National Laboratory:

• Enriched uranium of assay up to 10% U-235 should not be regarded as
weapons quantity in any amount.

• Enriched uranium of assay between 10-20% U-235 should not be regarded as
weapons significant provided the total quantity held by any one country does
not exceed that given by the formula: $\text{kg total U} = 2/C^{1.7}$

According to Brown and Glaser, the formula suggests the amount of material needed
for a 1-kt explosion is as low as 2.3 kg for weapons-grade highly enriched uranium
(93 percent U-235), or about 31 kg of 20% enriched uranium. The underlying
assumptions for this 1954 assessment are inconsistent with the definition later
adopted by the International Atomic Energy Agency, which considers uranium
enriched up to 20 percent U-235 as “indirect use material” that cannot be used for
“the manufacture of nuclear explosive devices without transmutation or further
enrichment.” The 1954 reference calculations can also be compared to those that
were later adopted by the International Atomic Energy Agency, which are about
4–12 times higher. Regardless, the classification levels outlined (Categories I/II/III)
became the de facto standard and were integrated into IAEA INFCIRC/225 Rev. 1 in
1975.

[51] Brown, A. & Glaser, A. (2016). On the origins and significance of the limit demarcating low-enriched uranium from highly enriched uranium.
Science & Global Security 24(2).

| Material | Form | Category I | Category II | Category III (a) |
|---|---|---|---|---|
| Plutonium (b) | Unirradiated (c) | 2kg or more | Less than 2kg but more than 500g | 500g or less but more than 15g |
| Uranium-235 | Unirradiated (c): uranium enriched to 20% 235U or more | 5kg or more | Less than 5kg but more than 1kg | 1kg or less but more than 15g |
| | Unirradiated (c): uranium enriched to 10% 235U but less than 20% | n/a (d) | 10kg or more | Less than 10kg but more than 1kg |
| | Unirradiated (c): uranium enriched above natural, but less than 10% 235U | n/a (d) | n/a (d) | 10kg or more |
| Uranium-233 | Unirradiated (c) | 2kg or more | Less than 2kg but more than 500g | 500g or less but more than 15g |
| Irradiated fuel* | Depleted or natural uranium, thorium or low enriched fuel (less than 10% fissile content) (e, f) | | | |

a. Quantities not falling in Category III, natural uranium or thorium should be protected at
least in accordance with prudent management practices.
b. All plutonium except that with isotopic concentration exceeding 80% in Pu-238.
c. Material not irradiated in a reactor or material irradiated in a reactor but with a radiation
level equal to or less than 1 Gy/hour (100 rad/hour) at one metre unshielded.
d. n/a - not applicable
e. Although this level of protection is recommended, it would be open to States, upon
evaluation of the specific circumstances, to assign a different category or physical
protection.
f. Other fuel which by virtue of its original fissile material content is classified as Category I
or II before irradiation may be reduced one category level, while the radiation level from
the fuel exceeds 1 Gy/hour (100 rad/hour) at one metre unshielded.
* The categorisation of irradiated fuel in this table is based on international transport
considerations. The State may assign a different category for domestic use, storage and
transport, taking all relevant factors into account.

2020 © World Institute for Nuclear Security (WINS) All rights reserved.
Landstrasser Hauptstrasse 1/18, 1030 Vienna (Austria).
+43 1 710 6519 | info@wins.org | www.wins.org
International NGO under the Austrian Law BGBI. Nr. 174/1992
GZ: BMeiA-N9.8.19.12/0017-I.1/2010

WINS(20)25
ISBN: 978-3-903191-75-4