James W. Purvis, Sandia National Laboratories

P.O. Box 5800 MS-0759 Albuquerque, NM 87185 USA 505-844-3975 jwpurvi@sandia .QST;

Recently there has been a noted worldwide increase in violent actions including attempted sabotage at

nuclear power plants. Several organizations, such as the International Atomic Energy Agency and the

US Nuclear Regulatory Commission, have guidelines, recommendations, and formal threat- and risk-assessment

processes for the protection of nuclear assets.

Other examples are the former Defense Special Weapons Agency, which used a risk-assessment model

to evaluate force-protection security requirements for terrorist incidents at DOD military bases. The US

DOE uses a graded approach to protect its assets based on risk and vulnerability assessments. The

Federal Aviation Administration and Federal Bureau of Investigation conduct joint threat and

vulnerability assessments on high-risk US airports. Several private companies under contract to

government agencies use formal risk-assessment models and methods to identifi security requirements.

The purpose of this paper is to survey these methods and present an overview of all potential types of

sabotage at nuclear power plants. The paper discusses emerging threats and current methods of choice

including economic and political just those that may result in unacceptable radiological exposure

to the public, are also discussed. Applicability of risk-assessment methods and mitigation techniques are

also presented.

A discussion of the emerging threats and current methods of choice for sabotage of all types against

nuclear power plants (NPPs)----especially vehicle bombs and chemical attacks-is the focus of this

paper. The potential consequences of sabotage acts are not limited to just those that may result in

unacceptable radiological exposure to the public; the far-reaching effects on the economic and political

arenas are also discussed. Applicability of risk-assessment methods and mitigation techniques are also

presented. The goal is to expand awareness of all types of potential sabotage, to emphasize the need for

increased physical protection measures, and to begin a dialogue on risk assessment methodology for

evaluating protection against sabotage.

internal or domestic actions

actions against neighboring states

international acts

war or threat of war

nonproliferation acts

of these categories, documented incidents of sabotage at NPPs can be found [1].

Sandia is a tnukiprogram laboratory

operated by Sandis Corporation. a

L@&ecd Martin Company, for the

under contract DE-AC04-94AL85~,

l ,

.

Domestic acts are those carried out by citizens of a state against their fellow citizens or the governing

authority. Recent examples include the Oklahoma City vehicle bombing in the United States, the nerve

gas attacks in Japan, and militant Islamic fundamentalist actions in Egypt and Algeria. Neighboring

states’ conflicts are most noted in the regions of the former Eastern Bloc countries and the Newly

Independent States, such as Bosnia and Chechnya. International terrorist activity has been around for

some time. In the 60s and early 70s, it involved mainly aircraft hijackings. In the late 70s and 80s, there

was a transition to the bombings of aircraft. The 90s thus far has been characterized by hidden bombs in

public places, armed attacks such as the Embassy in Peru, and vehicle bombings such as the World

Trade Center, the Marine barracks in Beirut, and the Khobar Towers in Saudi Arabia. War and threats

related to international nonproliferation actions.

In response to the number and type of documented incidents, and in combination with evolving threat

capabilities, the International Atomic’ Energy Agency (IAEA) has recently issued Revision 4 of

INFCIRC225 with a new section devoted to sabotage [2]. Assuming that an adequate armed response is

available, facilities adhering to IAEA recommendations for current physical protection systems should

be able to detect and neutralize both armed attacks and attempts to smuggle bombs into inner areas.

However, there are other types of sabotage, which have not been discussed to which these facilities may

be vulnerable. The evolving threat now includes armed suicide attacks, vehicle bombs, high-technology

military explosives, homemade man-portable explosive devices, and chemical/biological capabilities.

To explore this complex area, we will generally follow the Design Evaluation Process Outline (DEPO)

as presented in Reference 3 and will discuss targets, threat, threat actions, consequences, analysis, and

risk estimation.

In the international arena, perhaps it is time to expand the sabotage area. As evidenced in References

4–6, the vehicle bomb problem has become a serious sabotage concern for many facilities and agencies.

The expansion could include not only all types of sabotage, but could establish consequence values for

threat type, threat level, threat motivation, and target. By creating such a matrix for sabotage, it will

then be possible for the physical protection system (PPS) designer or analyst to accurately identi~

exactly what needs protection and how to best to allocate funds in the wisest possible manner.

Target identification includes not only SNM at NPPs, but also vital areas, equipment, processes,

classified material, critical economic information, and personnel. To accurately identifj targets, it helps

to keep in mind all possible threat objectives; i.e., all types of sabotage. DOE has a well-developed

graded safeguards table for weapons and other nuclear material that establishes consequence values for

theft of various materials [7], as well as other similar tables for both radiological sabotage and industrial

sabotage. As the types of sabotage to be considered are expanded, proposals will be discussed to define

the consequences of various types of sabotage numerically. As these consequence values and threat

objectives are considered, identification and prioritization of targets are more easily accomplished. It

should be emphasized that the Central Alarm Station, Secondary Alarm Station, response force

barracks, and critical NPP personnel are also potential targets for sabotage.

The threat may consist of outsiders, insiders, and insiders colluding with outsiders. The well-established

outsider threat types [3,7] are: terrorist, organized criminal, white-collar criminal, disgruntled employee,

psychotic, and extremist. The extremist type would include in its definition the political activist as well

as the environmentalist. In considering an expansion of the sabotage area, it is prudent to establish a

threat level within each threat type that ties specifically to the type of sabotage. For example, the white-collar

criminal, psychotic, and disgruntled employee would almost always be a group of one. The

organized criminal category would likely be a small group. Extremists, on the other hand, could be

analyzed in terms of either a small, dedicated, highly trained, highly motivated group of two to four, or a

large unruly, mindless crowd of misguided individuals. The former would be more likely to plan in

detail and execute an attack on a vital area, while the latter may be content to cut fences and smash

windows. Terrorists, acknowledged as the worst category, should probably be considered in terms of

three levels: high, medium, and low. Each level would be defined in terms of numbers, objective,

motivation, and specific sabotage type. For example, a group of six individuals willing to kill or risk

death would not be sent on a mission to turn off a research reactor cooling valve or disperse a handful of

plutonium oxide into the atmosphere at a faciIity. IrI other words, there should be some logical

guidance, with examples, on how to develop an accurate design basis threat for different types of

sabotage. This guidance may include the determination of a probability of action, which is similar to the

probability of attack which is now assumed to be 1.0 in every case.

When the threat objective is theft of special nuclear material—for the ultimate purpose of building a

nuc~ear weapotihe motivation must be either financial or politica~ideological. Obviously, this would

be the highest level threat, and the strategy would include overt use of force with a willingness to kill

and risk death. But what about the threat against a nuclear power plant that is crucial to the economic

survival of a region or a sovereign state, for example, where extremist political parties are conducting

campaigns? The threat objective could be political sabotage, the purpose would be to sway public

political sentiment, the motivation is of course political ideology, the strategy maybe covert force, and

the equipment may include vehicle or anti-personnel bombs. We are breaching the gap between

physical protection and security here, but this situation is becoming a reality in many parts of the world,

and perhaps we should expand the process to address such situations with both guidance and examples.

At the least, we can point out that DEPO analysis works for all of these areas, not just physical

protection systems, and we can at some future point address the differences and similarities between

physical protection and security.

1: destruction of an employer’s property or the hindering of manufacturing by discontented

workmen

2: destructive or obstructive action carried on by a civilian or enemy agent designed to hinder a

nations war effort

3: an actor process tending to hamper or hurt

activity licensed pursuant to the regulations in this chapter is conducted, or against a component

of such a plant or transport which could directly or indirectly endanger the public health and

safety by exposure to radiation

nuclear material and associated fission products which could directly or indirectly endanger the

health and safety of the worker, the public, and the environment by exposure to radiation.

materials store~ produced, or used at DOE facilities, that may adversely impact the health and

stiety of employees, the public, or the environment

unacceptable impact to DOE programs

As noted above, both the IAEA and the Nuclear Regulatory Commission (NRC) are concerned

primarily with radiological sabotage, while the DOE considers toxicological, and industrial as well. Are

there more types that should be considered? What about personal, political, technical, environmental,

informational, diversionary and economic sabotage? Or are these subsets of the original three? Maybe

sabotage acts should just be categorized as lethal, violent non-lethal, and non-violent. The tendency to

get too complex and inundate the analyst with too much specificity should be avoided, unless it

addresses an area of analytical deficiency. At the least, a discussion of these types, tied to a consequence

value determination exercise, should be attempted. Specific acts of sabotage could include the basics:

vehicle bombs, explosive attacks against a reactor core, cooling system shutdowns, diversionary arson,

kidnapping or murder of critical personnel, etc. It is proposed that, at a minimum, three general

categories of sabotage should be considered: radiological, operational, and personnel.

Following the above proposal to consider three categories of sabotage, the next step should be to

identi$ the primary targets and threat objectives. For radiological sabotage, the primary target is SNM,

which at an NPP includes flesh fuel, the reactor core, and spent fuel. The threat objectives in attacking

this target include irradiating people and contamination of the site and the environment. Sabotage

against personnel would include as targets: critical NPP personnel, such as the plant manager or the

control room operators, other plant personnel, and any other people that might be on the site. Attacks

against personnel targets have the objectives both of causing fatalities and impacting plant operations.

For operational sabotage, the target would be any equipment that would impact power production or

other operations of the plant, or perhaps cause econmic problems for the facility.

Establishing consequence value tables for targets and types of sabotage has many benefits. A

consequence value is a measure of the value of the target to the NPP. This allows targets to be

prioritized for protection, and also aids in risk assessment. The table given below is an example of a

consequence value table used by DOE for radiological and toxicological sabotage. It is proposed that

similar but correlated tables be devised for each target type and sabotage category.

1.0 Catastrophic On- and off-site fatalities and injuries, long-term denial of

facility (>2years) due to damage or radiation contamination,

and off-site denial of food, water, or habitat due to

contamination for more than 1 year

0.8 High Off-site injuries and on-site fatalities and injuries, on-site

facility denial for 1 to 2 years, and off-site denial of food,

water, or habitat due to contamination for less than 1 year.

months to 1 year, and denial of food, water, or habitat due to

contamination for less than 6 months.

and no impact on food, water supply or habitat.

In the DOE community, the DEPO model for designing and analyzing PPSS was developed with the

nuclear weapons complex in mind. Consequently, the targets for the DEPO threats include weapons,

special nuclear material for weapons, and production or research facilities for both. In the DEPO model,

each threat type has two objectives: either theft or sabotage. In the case of sabotage, only either

radiological/toxicological or industrial. Sometimes toxicological is broken out as a third independent

category. The DEPO process is used with the Graded Safeguards Table to evaluate risk.

In general, the DEPO process or any similar methodology is satisfactory for analyzing the physical

protection system at an NPP. There are many path models available, such as EASI and SAVIin the

United States, and EVA in France, for use in the analysis process. These path models are used to

construct Adversary Sequence Diagrams, which predict the most vulnerable pathways into a facility, the

detection probability, and the time for an adversary to access the target. The analysis is usually stoppped

when the saboteurs reach the target, and denial is the response force strategy. However, there may be

some elements in the targetithreat matrix where escape, prior to initiating the sabotage act, is a desired

part of the attack. In this case, denial may not necessarily apply and containment maybe an acceptable

alternative.

As an enhancement to the usual analysis, NPPs might consider including reactor safety and accident

prevention experts in the process. Considering the proposed new target types and sabotage categories,