Physical Protection System, Corrective Actions, and Weaknesses Identification Based on Nuclear Security Series: The Hypothetical Atomic Research Institute (HARI) Case

The paper is an attempt, based on the IAEA’s Nuclear Security Series (NSS), to identify any unacceptable dysfunction of physical protection system (PPS) of the Material Test Reactor (MTR) facility in a Hypothetical Atomic Research Institute (HARI). The evaluation of an existing or a proposed PPS requires a methodical approach whereby the ability of the security system to meet defined protection goals as the safeguard against the possibility of sabotage and theft should be measured. Without this kind of careful assessment, the PPS might waste valuable resources on unnecessary protection or, worse yet, fail to provide adequate protection at critical points of the facility. In this work, an assessment of the PPS weaknesses for a hypothetical facility against malicious acts is presented. Hence, those weaknesses are founded during the examination of the site to build a 3D computerized simulation to simulate force engagement to evaluate the physical protection system effectiveness. Based on the IAEA nuclear security series publications, the paper proposes a new layout to correct the vulnerabilities, and another analysis of the changes made for the MTR wall thicknesses access control and the redesigned building plan. 1 Kabach: Physical Protection System, Corrective Actions, and Weaknesses Id International Journal of Nuclear Security, Vol. 6, No. 1, 2020


Introduction
The present work aims at identifying the various physical protection system (PPS), weaknesses of the Material Test Reactor (MTR) facility in Hypothetical Atomic Research Institute (HARI). Each nuclear facility needs to be protected by a PPS, which integrates personnel, procedures, and systems for the protection of nuclear material and facilities against theft, robbery, illegal transport, sabotage, and other malicious human actions as defined in Amendment to the Convention on the Physical Protection of Nuclear Material (CPPNM) [1]. The effectiveness of a PPS is characterized by its ability to withstand a possible attack [2] and prevent adversaries from achieving their objectives, since the results of inadequate protection can be disastrous and may lead to loss of nuclear materials or property, loss of information such as a trade secret, intellectual property, copyrights, and loss of confidential information, including employee personnel files.
The PPS should meet three basic elements (detection, delay, and response) [3] and must also include defense in depth [4], balanced protection, and high reliability. Once a PPS is designed, it must be analyzed and evaluated to ensure that it achieves the objectives; if the design is judged inadequate, then it must be upgraded and evaluated again. This process is repeated until an effective system is engineered. For this purpose, the International Atomic Energy Agency (IAEA) has issued a series of publications (Nuclear Security Series, Fundamentals, Recommendations, Implementing Guides, and Technical Guidance "NSS7") to assist member states' competent authorities in fulfilling their duties for nuclear security. As part of this assistance, the IAEA has dealt with the hypothetical research facilities in order to help member states, experts, and researchers to study a hypothetical nuclear facility, to practice nuclear security measures, and to use it as an educational tool in exercises, workshops, training, and to support practical application of nuclear security skills [5].
At the end of this paper, we suggest some corrective measures for each weakness based on IAEA Nuclear Security Series. Our study proposes a new layout, another analysis of the changes made for the MTR access control, and a redesigned building plan in an attempt to point out the main corrective measures to reduce the probability of theft, the sabotage of assets, or other malevolent acts that would result in loss of assets at a facility.

Case study analysis: Hypothetical Atomic Research Institute (HARI)
Facility characterization: understand the activities at the facility as well as the facility layout.
An initial step either in designing a new PPS or in upgrading an existing system is to characterize the facility [7]. That characterization process may be useful to understand clearly what to protect, to identify the areas of investigation, and to collect the information from these areas. In other words, the analyst or the designer must in the first place gather information about facility operations and conditions-to strive to get a comprehensive description and understanding of it.
In fact, the description of the facility and the country where it is installed is purely hypothetical. HARI is a nuclear research reactor located in the Republic of Lagassi. The HARI institute was designed to serve as the Republic of Lagassi's premier nuclear energy research facility and as a hypothetical research building. It is operated by the Lagassi national academy of science and is engaged in many research activities for the Hashbakar technical university. The purpose of HARI is to build scientific expertise and technological capacity for the country. The open campus institute houses a research reactor facility called Material Test Reactor and its related facilities, as well as administrative and plant support facilities for the university. HARI has three major areas: Security Controlled Area (SCA), Limited Access Area (LAA), and Protected Area (PA) [5].
Firstly, the SCA is enclosed by a standard 1.5-meter 4-mm x 50-mm mesh galvanized chain-link fence that surrounds the entire campus. The fence is mainly used as a demarcation to define the boundaries of the campus. Appropriate signage is installed within certain distances of the fence line. The fence also prevents animals from entering onto campus grounds. There is only one entry point into the campus with no controls. The gates are open at all times. Secondly, the LAA is surrounded by a single standard 2.5-meter 4-mm x 50-mm mesh galvanized chain-link fence with outriggers that surrounds the MTR and a few administrative buildings. The LAA boundary prevents unauthorized personnel from gaining immediate access to the MTR. A turnstile with badge swipe and personnel identification number (PIN) controls on entry control point that allows pedestrians access into LAA. Only one gate allows vehicle entry into the LAA. The vehicle gate is only accessed by guard services to unlock the gate for authorized vehicles to enter the LAA [5]. The PA begins at the boundary of the MTR building. The latter is structurally separated but connected into two areas: auxiliary building (administrative area) and Reactor Hall. The administrative area consists of a variety of administrative offices, classrooms, and conference rooms. The administrative area has 20-cm reinforced concrete walls and ceilings with multiple windows. A large window separates the large classroom located in the administrative area and the control room for the reactor located inside [5]. The reactor hall consists of the reactor, the control room, and the fresh fuel vault. The reactor hall has 30-cm reinforced concrete walls and ceiling [5].

Identification of the HARI Security Weaknesses and Proposed Corrective Actions
Based on Nuclear Security Series, we identified several PPS weaknesses relating to the site location, the Security Controlled Area, the Limited Access Area, the Protected Area, and the Material Test Reactor building. Since the PPS for nuclear materials in a nuclear research reactor facility must provide extra measures for external protection, they are applied during construction, and decommissioning of the facility such as administrative control, guards, entry and access control, and protection for transport and personnel because adversaries should face a variety of protective devices.
In the paragraphs below, we attempt to better figure out the main weaknesses and recommend supplementary corrective actions to improve the PPS of the HARI facility.

Identification of Weaknesses:
The HARI institute is located in the country's capital where a major robbery was committed (Crime Study) [5]. The institute is located also at the center of a thriving research park and business community in an upscale residential suburb.
Proposed corrective can be described as follows: 1. Facility location (provisions for the facility geographical location) is important as it bears on the threat environment and thus attractiveness level. Site selection should involve consideration of public health, safety, and security factors like robbery, prevention of radiological sabotage and theft of nuclear materials, and other malicious human actions [8].

2.
A nuclear installation in a busy city increases the probability of theft or sabotage of assets or other malevolent acts that would result in loss of assets at such a facility. A suitable site for a nuclear facility should be selected by taking into consideration a low population zone (actual and future status) [9].

3.
The State via competent, dedicated staff should continuously review the threat spectrum and evaluate the implications of any changes in either the threat assessment or design basis threat.
In other words, a good practice for the PPS designer is to consider implementing designs that may be easily adapted to new and emerging threats, changes in the facility or targets, or changes in requirements [2, 10, 11].

4.
The selection and the evaluation of a suitable site for a nuclear building installation can significantly affect the costs, public acceptance, and safety of the installation over its operating lifetime [9].

B. The Security Controlled Area (SCA)
Identification of Weaknesses: Proposed corrective actions for the Security Controlled Area: 1.
The first fence should be higher to provide deterrence and some delay: an outsider adversary can easily jump a 1.5-meter fence. In addition, the fence must have a video camera allowing complete visibility of the fence zone. Furthermore, the fence should contain alarms, a lighting system, and sensors in order to ensure the functioning of the surveillance 24 hours a day.

2.
For the pedestrian entry control port: a. At least one of the guards should be present because intrusion could occur when there are no guards at the gate. b. The site entrance gate should be locked and opened.

1.
A single standard 2.5-meter chain-link fence surrounds the LAA.

2.
Patrol inside the LAA is conducted by only one random patrol P3a (Institute random patrols) that is not extensive enough for such area.

Proposed corrective actions for the Limited Access Area:
According to NSS 13 [12], all prudent and necessary physical protection measures should apply for nuclear or other radioactive material within a limited access area, so: 1. The second fence must also have video surveillance to monitor the inner areas. The purpose of a CCTV assessment system is to support the intrusion detection and response functions by promptly and accurately assessing alarms (to include verification of nuisance and false alarms), determine adversary actions, and direct protective force response. The principal factor in evaluating the CCTV system is whether it effectively and reliably provides prompt and complete observation of the isolation zone and the area adjacent to the inner perimeter fence line in any zone from which an alarm is received. An integrated alarm system with ultrasonic sensors to detect the movement of an intruder within the interior of a specific inner area inside the facility (integration of video surveillance and sensor has become a necessity in perimeter security) and a lighting system in order to ensure functioning of the surveillance 24 hours a day. In other words, the LAA fence should provide another layered security system with a local security control center, guards, communication equipment, and should be in direct contact with the main guard and security center.  2. The number of patrols should be increased (patrols by vehicles or foot) because provision should be made for detecting unauthorized intrusion and for appropriate action by sufficient guards to prevent an adversary's actions [14].
3. For personnel entry control, the following changes should be made: a. Access should be denied and potentially an alarm sounded when an individual entering into the area is not properly identified. An important role of personnel entry control systems is to verify the identity and authorization of the person seeking admission at a point of entry to the area. The authorization is usually based on the need for access. b. The gate should be opened, locked, and equipped with an alarm. For off-shift hour's access, personnel should have an authorized voucher listing their requisite task, designate the area where the task would be carried out, and the average amount of time it takes, signing in a registration book is required. c. Guards should be present for detecting unauthorized intrusion and for inappropriate action and observing personnel for unusual behavior.

4.
For the LAA Delivery Vehicle, the following changes should be made: a. The gate should be locked, equipped with an alarm, and the guards should be present during working/non-working hours. b. A random patrol should be present during the off-shift since various shift schedules influence the LAA security system [14]. c. CCTV cameras should be installed. d. A Portal display monitor should be installed in conjunction with the PPS so that the portal is properly staffed for surveillance and detection [12]. e. Some kind of barrier, for instance, a deployable vehicle barrier, should be placed at a suitable distance from the area to provide adequate delay [17] for an appropriate response-under all operational conditions-to prevent unauthorized vehicles from entering the facility.

Identification of Weaknesses:
The protected area begins at the MAT building. The building is separated into two areas: The administrative area (Auxiliary Building) and the Reactor Hall.

1.
Administrative Area: In the auxiliary building entry/exit (the MTR building personnel portal) there is one guard at all times, whenever there is any person inside the MTR. However: a.
Other times, the doors are locked and the guard is not present. b.
No radiation detectors. c.
No alarms.

2.
MTR reactor hall: a. MTR reactor hall vehicle portal (personnel emergency exit). i. There is no exit process. ii.
The vehicle portal is a roll-up door. iii.
No metal or radiation detectors. iv.
No CCTV cameras. b.
No alarms. iii.
No metal or radiation detectors. iv.
No CCTVS cameras to record incoming and outgoing personnel. c.
Inside the reactor hall: i.
No CCTV cameras. ii.
The fresh fuel vault (R090) is located next to the shipping door and personnel emergency exit.

Proposed corrective actions for the Protected Area:
General purposed corrective actions for the PA: 1. The State's requirements for physical protection should reflect a concept of several layers [19] and concentric security areas defense-in-depth, like limited access areas, protected areas, inner areas, and vital areas.

2.
The protected area should be subject to search for detection and prevention of unauthorized access and introduction of banned items (i.e., permanently staffed and its access should be controlled). Instruments for the detection of nuclear material, metal, and explosives can be used for such purposes. And another layer such as the perimeter intrusion system should be built around the area as a second barrier [19]. The purpose of a perimeter security system is to establish another boundary around an area that needs to be protected for security reasons. That boundary is designed to prevent or to detect unauthorized entry into the secure area. 3.
In a nuclear reactor platform, the greatest concern in the design of a physical protection system is to prevent radiological release from the reactor that may be initiated by sabotage. The vital areas of particular concern, which are considered appropriately secured and equipped with alarms, should provide an additional protection layer for deterrence, effective managing access control, and delay ( Figure 15).

4.
Nuclear and metal detectors should be installed: The purpose of nuclear material detectors is to detect the unauthorized removal of nuclear materials on persons, in packages, or in vehicles leaving a security area.

1.
It may be required to keep vehicles outside a nuclear facility since it is challenging to look carefully at vehicles. If they are allowed to enter into a nuclear facility, the vehicle must be isolated until it is checked. Vehicle barriers should be installed at an appropriate distance from the vital area to prevent the penetration of unauthorized vehicles [21].

2.
The two-man rule can help to protect against insiders. Any attempt to defeat the two-man rules should be investigated.
In conclusion, for an effective access control system, the combination of hardware and procedural controls must be sufficient to prevent unauthorized entry to secure areas. Card readers, biometric identifiers, and CCTV identification systems are required.

1.
Proposed corrective for the Administrative Area: a. The guard should be present during off shift in order to observe personnel for unusual behavior. b. Alarms and detectors should be installed. c. Add an extra security layer by applying the two-man rule to prevent and protect against any insider opportunities.

2.
Proposed corrective for the MTR reactor hall: a. MTR reactor hall vehicle portal i. Vehicles and packages leaving the LAA should be subject to research for detection and prevention of unauthorized acts. ii.
Doors should be changed, for example, to wooden doors with metal sheeting and must be locked. The roll-up vehicle door is commonly used in shipping and receiving areas, warehouses, or other areas where vehicle access is required-for example, at the LAA delivery gate. However, these doors are relatively easy to penetrate using small hand or power tools. iii.
Vehicle barriers must be effectively monitored, and components must be appropriately located. Barriers should be within an area that is protected by detection sensors. Controls for vehicle barriers and motorized gates that are used at entry control points must be located within protective force posts or other locations. A railroad nuclear material monitor with CCTV can be installed in conjunction with the physical protection system so that the portal is properly staffed for surveillance and detection. iv.
During an emergency situation, strict entry/exit control should be maintained, searches and testing should be conducted to detect any tampering that may have been committed during an emergency situation. (Separate the emergency door from the shipping door to avoid material being removed in the event of an emergency) v.
To prevent unauthorized vehicles from entering the facility, vehicle barriers should be placed.
The entry/exit process should exist to identify authorized persons entering the reactor hall. The entry/exit process can provide immediate detection of any attempted unauthorized act, including any perpetrated by insiders. ii.
Only authorized persons should have access to the reactor hall. Effective access control measures should be taken to ensure detection (detectors should be installed). The number of authorized persons entering the area should be kept to the minimum necessary. iii.
Temporary personnel with access to the facility, such as visitors or construction workers, should be escorted in and out to ensure security. iv.
CCTV cameras should be installed.

3.
Inside the reactor hall: a. Install CCTV cameras covering the main entrance and vehicle portal (with personnel emergency exit). The live camera should be monitored inside the reactor hall areas, with the option of recording. The CCTVs can give the possibility of detection at each point, including detection of insiders. b. Visitors and temporary personnel should be escorted in and out by guards to ensure security. c. The fresh fuel vault R090 it should be locked and not be close to the shipping door or personnel emergency to prevent unauthorized removal in the event of an emergency [14].
d. Apply the nuclear material accounting control systems (NMAC) to minimize any insider opportunity.
At the end of this paper, the revised layout of different areas of HARI is redesigned to meet the corrective actions as previously proposed. Figure 17 depicts the changes, highlighted in the red color, to the MTR wall thicknesses and access control plan. They focused on: (1) creating a new area (vital area) and relocating the old ones (2.5-meter 4-mm x 50-mm mesh galvanized chainlink fence with outriggers [18]); (2) proposing further access control for pedestrians and vehicles related to each area as described in the tables above; (3) constructing new deployable vehicle barriers and patrol staff. Figure 18 illustrates a restructured MTR building plan regarding the approach detailed which promotes the new vehicle and pedestrian access control for the MTR areas and repositions the fresh fuel vault R090 to meet the conditions set out in the IAEA guidelines.

Conclusion and Future Work
This work identified different security measures and their weaknesses related to the HARI campus location (surrounding area) and the institute's different areas. We proposed some corrective actions based on IAEA nuclear security series recommendations. Therefore, a new design for the MTR wall thicknesses and access control was suggested to meet the PPS objectives against a large spectrum of threats. In this context, further work will be conducted to account for future challenges of PPS, typically managing the new adversary landscapes and capabilities.
Indeed, building a three-dimensional simulation model is proposed (future work) to ensure the efficiency of the physical protection system. The development of a 3D model will allow us to stage the force/force engagement to determine the effectiveness of tactical movement. The design model is a useful tool to test the PPS in a sufficiently effective and flexible way to save time, expense, and effort.