Nuclear Security & Safeguards

December 4, 2012

NRC Regulators Conference On Nuclear Security December 4-6 Washington DC USA

11/12/2012

Bart Dal ........................................................................ Ministry of Infrastructure and the Environment Inspectorate for Human Environment and Transport Coordinator Nuclear Security & Safeguards Nieuwe Uitleg 1 | 2514 BP | Den Haag | A01.10 Postbus 16191 | 2500 BD | Den Haag ........................................................................ T +3170-456 2104 F +3184-8300623 M +316-1501 7964 bart.dal@ilent.nl www.rijksoverheid.nl

3 11-12-2012

THE NETHERLANDS

Surface: 41.528 km² (18,41% water)

Inhabitants: 16.105.285 (2002)

Capital: Amsterdam

Residence: The Hague

TYPICAL DUTCH

11-12-2012 4

5 Ni

URENCO

NUCLEAR ACTIVITIES IN THE NETHERLANDS

Petten

Nieuwdorp Borssele

PROTECTION OF SENSITIVE INFORMATION ?

6 11-12-2012

Confidentiality

URENCO & ETC ALMELO

11-12-2012 7

URENCO USA, NEW MEXICO

11-12-2012 8

INFORMATION PROTECTION CPPNM

• CPPNM Amendment, Fundamental Principle L: Confidentiality The State should establish requirements for protecting the

confidentiality of information, the unauthorized disclosure of which could compromise the physical protection of nuclear material and nuclear facilities.

• CPPNM Amendment, Fundamental Principle H: Graded Approach Physical protection requirements should be based on a graded

approach, taking into account the current evaluation of the threat, the relative attractiveness, the nature of the material and potential consequences associated with the unauthorized removal of nuclear material and with the sabotage against nuclear material or nuclear facilities.

11-12-2012 9

INFORMATION PROTECTION INFCIRC/225/rev5

• INFCIRC/225/Rev. 5, Para 3.54: Management of a physical protection system should limit access to

sensitive information to those whose trustworthiness has been established appropriate to the sensitivity of the information and who need to know it for the performance of their duties. Information addressing possible vulnerabilities in physical protection systems should be highly protected.

• INFCIRC/225/Rev. 5, Para 3.55: Sanctions against persons violating confidentiality should be part of

the State’s legislative or regulatory system. • INFCIRC/225/Rev. 5, Para 4.10 /5.19: Computer based systems used for physical protection, nuclear

safety, and nuclear material accountancy and control should be protected against compromise (e.g. cyber attack, manipulation or falsification) consistent with the threat assessment or design basis threat.

11-12-2012 10

INFORMATION PROTECTION ?

NUCEAR SECURITY RECOMMENDATIONS ON PHYSICAL PROTECTION OF NUCLEAR MATERIAL AND NUCLEAR FACILITIES:

• PHYSICAL SECURITY

• PERSONEL SECURITY

• INFORMATION SECURITY

CYBER SECURITY 11-12-2012 11

INFCIRC/225/Rev5 , NSS13

History 1972 GREY BOOK 1975 INFCIRC/225 1977 INFCIRC/225/Rev.1 1989 INFCIRC/225/Rev.2 1993 INFCIRC/225/Rev.3 1998 INFCIRC/225/Rev.4 2011 INFCIRC/225/Rev.5 -

11-12-2012 13

INFCIRC/225/Rev5, NSS13

• START 1969, TOKYO PANEL FOR SAFEGUARDS TECHNIQUES AND METHODOLOGIES

• MATERIAL UNDER SAFEGUARDS MUST BE PROTECTED • THEFT OF NUCLEAR MATERIAL, LATER SABOTAGE

• CATEGORISATION OF NUCLEAR MATERIALS

• PROTECTION OF NUCLEAR FACILITIES

• ADDITIONAL PROTOCOL, GCEP SENSITIVE TECHNOLOGY?

• FUNDAMENTAL PRINCIPLES, ESSENTIAL ELEMENTS (UNSCR1540) SCOPE NUCLEAR FACILITIES OR FUEL CYCLE FACILITIES ?

GAS CENTRIFUGE ENRICHMENT TREATIES

• TREATY OF ALMELO – 1970

• TREATY OF WASHINGTON - 1992

• TREATY OF CARDIFF - 2006

• TREATY OF PARIS - 2012

11-12-2012 14

11-12-2012 15

ENRICHMENT TECHNOLOGY COMPANY, ETC

TRICASTIN, FR ALMELO,NL

JUHLICH, GE CAPENHURST, UK

11-12-2012 16

SECURITY ARRANGEMENTS

• CLASSIFICATION GUIDE FOR CENTRIFUGE COMPONENTS • PENTAPARTITE HANDBOOK ON SECURITY OF CLASSIFIED INFORMATION, INCLUDING CYBER • HARMONIZATION OF SECURITY REQUIREMENTS

• ATOLL CLASSIFICATION OF TECHNOLOGY INFORMATION

• STATE ACCREDITATION OF WORKERS AND VISITORS • SECURITY ARRANGEMENTS SAFEGUARD INSPECTIONS (MANAGED ACCESS)

11-12-2012 17

Type of information In the UK, Germany Netherlands and France

In the US

Gas Centrifuge technology

ATOLL Restricted Data

Security/Safeguards information

No special markings National Security Information (not marked as such)

Clearance equivalence tabel

UK US FR NL GE

SECRET ATOLL DV Q SD B U2 CONFIDENTIAL

ATOLL SC L CD B U1

RESTRICTED ATOLL SC L B 9

SITE ACCESS

ONLY BPSS ACC CA VOG AtZuV

SECURITY CLASSIFICATION

11-12-2012 18

INFCIRC/225/Rev5 versus INFORMATION PROTECTION

• ENRICHMENTS SITES HAVE CAT3 NUCLEAR MATERIAL , LIMITED ACCESS AREA IS SUFFICIENT • ON ALL SITES IS A CENTRIFUGE ASSEMBLY AREA (CAB), RECYCLE CENTRE (RCC), HOT TEST AREA

Physical Protection System? SECRET ATOLL = VITAL or INNER AREA??

11-12-2012 19

SAFEGUARDS AND ADDITIONAL PROTOCOL

• MANAGED ACCESS =ADDITIONAL PROTOCOL (2004) • FIRST MANAGED ACCESS IS: LIMITED FREQUENCY UNANNOUNCED ACCESS (LFUA) • LFUA DEVELOPED FOR CENTRIFUGE ENRICHMENT PLANTS BY THE HEXAPARTITE SAFEGUARDS PROJECT (HSP-1983) LFUA MANAGES ACCESS TO CASCADE HALLS WITH CENTRIFUGE ARRANGEMENTS.

CASCADE HALL ARE RESTRICTED AREAS

EXPERIENCES WITH MANAGED ACCESS

PROTECTING SENSITIVE INFORMATION: • LIMIT VIEW TO WHAT HAS TO BE SEEN • VISUAL ACCESS ≠ PHYSICAL ACCESS (DISTANCE) • VIEW FROM DIFFERENT SIDES (DOORS/WINDOWS) • SHROUDING OF DETAILS (ACCESS DELAY) • LIMIT RESIDENCE TIME (ROUTING) • LIMIT NUMBER OF INSPECTORS • NO NOTE/PHOTOGRAPH TAKING • ESCORTING AT ALL TIMES VERIFICATION FMCT IN WEAPON STATES?

21

IT PROTECTION

• Slammer worm crashed Ohio nuke plant network • Cyber-attack stole Mitsubishi warplane, nuke plant data • Chinese Spies Steal F-35 Joint Strike Fighter Data from BAE Systems • French AREVA nuke biz slapped in mystery cyberattack • Saudi oil giant seals off network after mystery malware attack • Espionage hack attack preys on chemical firms • Vacuum cleaner set Swedisch nuke plant on fire • EDF security bosses guilty of hacking Greenpeace • Top General warns of cyberspy menace to UK biz • Cyberspy attacks targeting Russians traced back to UK and US • French officials: Don’t worry about fatal nuclear explosion • Obama Gov wants 3 yrs porridge for infrastructure hackers • Chinese cyberspies target energy giants • France blames China for hack attacks etc, etc, etc………

ETC COUNTS 60 ATTACKS /DAY

Bloomberg News

Iran Nuclear Plants Hit By Virus Playing AC/DC

Stuxnet Flame Thunderstruck

11-12-2012 23

In Cyberattack on Saudi Firm, U.S. Sees Iran Firing Back

Saudi Aramco’s Khurais plant, ¾ of pc’s wiped

SOME THOUGHTS IN CONCLUSION

• THE CONFIDENTIALITY OF INFORMATION GOES FURTHER THAN THE PHYSICAL PROTECTION OF NUCLEAR MATERIALS AND FACILITIES

• PROTECTION IS A MEANS, NOT A GOAL IN ITSELF • SENSITIVE TECHNOLOGIES SHOULD BE PROTECTED EQUALLY

AS NUCLEAR MATERIALS, USING A GRADED APPROACH • A PROPOSAL FOR A FIRST GUIDANCE DOCUMENT ON THE

PROTECTION OF SENSITIVE TECHNOLOGIES HAS BEEN OFFERED TO THE IAEA SOME TIME AGO BY THE TROIKA COUNTRIES, ETC AND URENCO

• THE EXTENSIVE EUROPEAN EXPERIENCE WITH PROTECTING TECHNOLOGY DURING SAFEGUARDS VERIFICATIONS MIGHT BE HELPFUL IN THE RATIFICATION PROCESS OF THE FISSILE MATERIAL CUTOFF TREATY (FMCT).

•

Questions…???

11-12-2012 25

11-12-2012 26

Kernfysische dienst / Nucleaire Beveiliging & Safeguards