NUCLEAR SECURITY CULTURE: FROM NATIONAL BEST PRACTICES TO INTERNATIONAL STANDARDS
NATO Science for Peace and Security Series This Series presents the results of scientific meetings supported under the NATO Programme: Science for Peace and Security (SPS). The NATO SPS Programme supports meetings in the following Key Priority areas: (1) Defence Against Terrorism; (2) Countering other Threats to Security and (3) NATO, Partner and Mediterranean Dialogue Country Priorities. The types of meeting supported are generally “Advanced Study Institutes” and “Advanced Research Workshops”. The NATO SPS Series collects together the results of these meetings. The meetings are co-organized by scientists from NATO countries and scientists from NATO’s “Partner” or “Mediterranean Dialogue” countries. The observations and recommendations made at the meetings, as well as the contents of the volumes in the Series, reflect those of participants and contributors only; they should not necessarily be regarded as reflecting NATO views or policy. Advanced Study Institutes (ASI) are high-level tutorial courses to convey the latest developments in a subject to an advanced-level audience. Advanced Research Workshops (ARW) are expert meetings where an intense but informal exchange of views at the frontiers of a subject aims at identifying directions for future action. Following a transformation of the programme in 2006 the Series has been re-named and reorganised. Recent volumes on topics not related to security, which result from meetings supported under the programme earlier, may be found in the NATO Science Series. The Series is published by IOS Press, Amsterdam, and Springer Science and Business Media, Dordrecht, in conjunction with the NATO Public Diplomacy Division. Sub-Series A. B. C. D. E.
Chemistry and Biology Physics and Biophysics Environmental Security Information and Communication Security Human and Societal Dynamics
Springer Science and Business Media Springer Science and Business Media Springer Science and Business Media IOS Press IOS Press
http://www.nato.int/science http://www.springer.com http://www.iospress.nl
Sub-Series E: Human and Societal Dynamics – Vol. 28
ISSN 1874-6276
Nuclear Security Culture: From National Best Practices to International Standards
Edited by
Igor Khripunov Center for International Trade and Security, University of Georgia, Athens, GA, USA
Nikolay Ischenko Moscow Institute for Professional Training, Federal Agency for Atomic Energy, Moscow, Russian Federation
and
James Holmes U.S. Naval War College, Newport, RI, USA and Center for International Trade and Security, Athens, GA, USA
Amsterdam • Berlin • Oxford • Tokyo • Washington, DC Published in cooperation with NATO Public Diplomacy Division
Proceedings of the NATO Advanced Research Workshop on Nuclear Security Culture: From National Best Practices to International Standards Moscow, Russia 24–25 October 2005
© 2007 IOS Press. All rights reserved. All rights reserved. No part of this book may be reproduced, stored in a retrieval system, or transmitted, in any form or by any means, without prior written permission from the publisher. ISBN 978-1-58603-786-4 Library of Congress Control Number: 2007938419 Publisher IOS Press Nieuwe Hemweg 6B 1013 BG Amsterdam Netherlands fax: +31 20 687 0019 e-mail:
[email protected] Distributor in the UK and Ireland Gazelle Books Services Ltd. White Cross Mills Hightown Lancaster LA1 4XS United Kingdom fax: +44 1524 63232 e-mail:
[email protected] Distributor in the USA and Canada IOS Press, Inc. 4502 Rachael Manor Drive Fairfax, VA 22032 USA fax: +1 703 323 3668 e-mail:
[email protected] LEGAL NOTICE The publisher is not responsible for the use which might be made of the following information. PRINTED IN THE NETHERLANDS
Nuclear Security Culture: From National Best Practices to International Standards I. Khripunov et al. (Eds.) IOS Press, 2007 © 2007 IOS Press. All rights reserved.
v
Preface Over the past several years, the International Atomic Energy Agency (IAEA) has been working on a definition of “nuclear security culture” so that it can be used as a tool to improve the physical protection of nuclear materials and facilities. A 2001 IAEA report titled “Fundamental Principles of Physical Protection of Nuclear Materials and Nuclear Facilities” identified security culture as one of the twelve principles underlying fissilematerial security. In February 2005, at their summit in Bratislava, President Bush and President Putin vowed to step up joint efforts to bolster nuclear security, pairing disciplined, well-trained, responsible custodians and protective forces with well-maintained security systems. In July 2005, a series of amendments to the Physical Protection Convention was approved elevating the status of security culture to that of a treaty obligation. Since that time, IAEA member states worked on a concept, definition and guidelines for developing and implementing a robust security culture at nuclear facilities worldwide. The NATO Advanced Research Workshop “Nuclear Security Culture: From National Best Practices to International Standards,” which gathered in Moscow in the fall of 2005, brought together almost 100 experts from over 30 countries to discuss these issues and present their views with the hope to contribute to the IAEA’s work and facilitate better nuclear security culture worldwide. During the two-day workshop the participants examined several analytical questions: 1. What properties of nuclear security culture are universally applicable across national and cultural boundaries? How can these properties be communicated to representatives from a wide variety of regional and national traditions? 2. How does nuclear security culture fit into a nation’s overall professional culture? How can improvements to security culture be made to improve an organization’s overall performance? How can leaders be persuaded to “buy into” security culture? 3. What differences and similarities are there between the following regions with regard to security culture: (a) the United States, the European Union, and Japan; (b) Russia, the Commonwealth of Independent States, and Central Europe; (c) China and East Asia; (d) South Asia; and (e) Latin America? What national variations are there? 4. How can various interested parties – nuclear managers, governments, international institutions – use the similarities among national and regional professional cultures to raise overall standards of security culture? How can they work around differences in national and regional culture?
vi
Acknowledgements The Co-Directors would like to thank the North Atlantic Treaty Organization, the U.S. Department of Energy/National Nuclear Security Administration, Nuclear Threat Initiative, the Institute of Nuclear Materials Management, and International Business Relations Corporation for their support of this Workshop. A special thank you to the members of the Organizing Committee Dmitriy Nikonov, Julia Khersonsky, Vladimir Korneluk, Charles Packer, Adam Williams, Christine Shepherd, Christopher Tucker, and William Draxler, for their hard work in putting the workshop together.
vii
Contents Preface
v
Acknowledgements
vi
Nuclear Security Culture: The Way Ahead James R. Holmes
1
Welcome from the Workshop Co-Directors Nikolay Ischenko and Igor Khripunov
7
A Unique Opportunity: Seize It Eugene E. Habiger
9
The IAEA’s Perspective on Security Culture Anita Nilsson
13
Question-and-Answer Period Eugene Habiger and Anita Nilsson
15
Cultural Aspects of Sustaining Nuclear Security Laura Holgate
17
Security Culture: A Personal Perspective from the United Kingdom Peter Carroll
23
Nuclear Security Culture: The Need for Universal Standards Manabu Masuda
31
Relationship of Management Systems, Human Performance, and Security Culture Charles Packer
43
On the Need to Strengthen Nuclear Security Culture in View of New Security Risks Friedrich Steinhäusler
55
Security Culture in the Nuclear Field Denis Winter
63
Safety and Security Culture Link: Lessons from the Past Dmitriy Nikonov
75
Transcript of Workshop Proceedings, Day 2 Moderated Discussion
83
Security Culture: Concept and Model
109
Appendices Appendix I: Case Studies
125
Appendix II: Learning and Professional Improvement: A Methodology for Better Security Culture in Russia
131
viii
Appendix III: Nuclear Security Culture Evaluation Methodology
139
Appendix IV: List of Workshop Participants
149
Appendix V: International Conference on Nuclear Security: Global Directions for the Future. Findings of the President of the Conference
151
Appendix VI: Joint Statement by President George W. Bush and President Vladimir V. Putin. Nuclear Security Cooperation
157
Author Index
159
Nuclear Security Culture: From National Best Practices to International Standards I. Khripunov et al. (Eds.) IOS Press, 2007 © 2007 IOS Press. All rights reserved.
1
Nuclear Security Culture: The Way Ahead A Summary Report on the Proceedings James R. HOLMES U.S. Naval War College, Newport, RI, USA and Center for International Trade and Security, Athens, GA, USA
“Everything in war is very simple,” wrote the strategic theorist Carl von Clausewitz, “but the simplest thing is difficult.” The same might be said of security affairs construed more broadly. Arriving at an agreed definition of basic terms and concepts can prove unexpectedly difficult, impeding progress toward the goal of national and international security. But Clausewitz also suggested that “friction” encountered by commanders in the field could be overcome given sufficient judgment, foresight, and determination. His wisdom is worth heeding for proponents of security culture. We have a joint interest in shielding our nations against a catastrophic terrorist attack, and thus in surmounting the impediments to joint action. We recently made some strides in this direction. Some 90 representatives from universities, nongovernmental organizations, and nuclear sectors in 26 countries assembled at Moscow’s Metropol Hotel on October 24-25, 2005 for a NATO Advanced Research Workshop titled “Nuclear Security Culture: From National Best Practices to International Standards.” The University of Georgia Center for International Trade and Security (CITS) and the Atomenergo Institute for Professional Training co-organized the workshop with additional support from the Nuclear Threat Initiative, the Institute of Nuclear Materials Management, the U.S. National Nuclear Security Administration, and the International Business Relations Corporation. Fittingly, in view of the interdisciplinary nature of the challenge before them, the participants examined nuclear security culture from a variety of angles during the two days of meetings. Prepared remarks on the first day of the workshop explored organizational culture, the relationship between security and safety at nuclear installations, generic models of security culture within an organization, external factors that shape organizational culture, and national approaches to nuclear security. Roundtable sessions comprised the second day’s agenda. Participants probed such matters as defining nuclear security culture, identifying motives and incentives that promote security culture, and gauging cultural progress within a facility. The organizers conceived of the workshop as an adjunct to the International Atomic Energy Agency’s (IAEA) security-culture work. Dr. Anita Nilsson, who heads the IAEA’s Office of Nuclear Security, reminded the attendees that recent amendments to the Convention on the Physical Protection of Nuclear Material had elevated—or, more precisely, will elevate, once ratified by national parliaments—nuclear security culture to the status of a treaty obligation and a fundamental principle of nuclear security. Yet a common definition of this concept has proved elusive, and it remained so during the Advanced Research Workshop. The IAEA and CITS definitions (reproduced below) gave rise to considerable debate, as did the models of security culture briefed by French and U.S. representatives.
2
J.R. Holmes / Nuclear Security Culture: The Way Ahead
Discussing security culture, let alone comparing or evaluating it across national lines, will prove a stiff challenge until we can reach a common understanding of the term. Governments will find it hard to meet their international obligations absent such an understanding. Unity of effort will suffer, and security along with it.
Mental Models of Security Culture Vary Several cross-cutting themes emerged from the workshop proceedings. Strikingly, none of the attendees disputed the magnitude or complexity of the threat to nuclear security or of the security-culture challenge. The participants by-and-large concurred that a healthy security culture involves rallying a variety of actors, many of which are unaccustomed to working together. Creative thought and action are and will remain crucial to unity of effort in this area. Despite these important points of agreement, however, it became clear during the session on models of nuclear security culture that representatives from different institutions and national traditions see organizational culture quite differently. Some of the participants, for example, took a vertical perspective on security culture. One depicted the influences on culture as multilayered, ranging from the international levelthe IAEA, international accords, and so forththrough the national level, where laws and regulations are made, down to the facility level, where managers make day-to-day decisions that shape the organizational culture. Others offered a more horizontal, less hierarchical view, emphasizing such factors as the potential of civic associations and ordinary citizens to serve as allies in the fight against nuclear or radiological terrorismto become part of a grand security culture, as it were. Still others spotlighted bureaucratic politics, noting that agencies with duties pertaining to nuclear security have distinctive organizational cultures of their own, making interagency coordination a delicate matter for national leaders. Three mental models of security culture became apparent. First, both in their formal presentations and in informal commentary, U.S. representatives generally portrayed “underlying assumptions”namely the conviction that there exists a genuine security threat that must be warded offas fundamental to a healthy security culture. In this bottom-up conception, assumptions form the base of a “pyramid.” Spoken and written words from decisionmakersthe intermediate level in the pyramidsupply evidence that these assumptions are guiding thought and action. Atop the pyramid are tangible, security-conscious behaviors deriving from written and verbal directives, and ultimately from basic assumptions. Second, the French representative at the workshop depicted security culture in top-down fashion, with national policy- and lawmakers handing down directives to the nuclear complex. Third, the multinational team from CITS articulated a model in which security culture is less a linear process than a Venn diagram in which external factors intersect and interact with intangible and tangible factors within the organization, helping fashion a nuclear security regime. The IAEA’s working group on security culture has attempted to merge the U.S. and French conceptions into a unified model. The participants said little about whether they found this effort persuasive. Instead they seemed content to defer to the working group. Whatever the precise mechanism for security culture may be, no one disputed the importance of leadership-by-example to nuclear security. In particular, noted
J.R. Holmes / Nuclear Security Culture: The Way Ahead
3
several participants, “big bosses” should forbid exceptions to security rules and procedures, even for distinguished visitors. Steadfast, rigid adherence to security arrangements sets the proper tone within an organizationespecially for security personnel, who live in a “binary” world where clear rules and procedures are at a premium.
An Agreed Definition Is Just Out of Reach Failing a common perspective on security culture, a consensus definition remained just beyond our grasp. The participants agreed that a common parlance for discussing and evaluating security culture is fundamental to any multinational effort to defeat nuclear or radiological terrorisman effort they seemed to view as the best way ahead. Governments united behind a single view of the challenges ahead and the best responses can work together effectively, and in concert with international institutions, to provide a common defense against nuclear or radiological terrorism. Such a definition will help governments manage infighting within national nuclear complexes, supplying coherent direction to nuclear regulators, facility managers, and security forces. It will also give them an objective standard for measuring progress. Pointing to the repercussions of nuclear or radiological terrorism, one speaker beseeched the participants not to let the best become the enemy of the good. An 80 percent solution now, he proclaimed, was better than a 100 percent solution at some point in the indefinite future. In this spirit the participants debated the IAEA’s provisional definition of nuclear security culture as: that assembly of characteristics, attitudes and behaviors in individuals, organizations and institutions, which supports the objectives of nuclear security and ensures that it receives the attention warranted by its significance. Also discussed was the definition put forward by CITS on page 9 of its 2004 report on Nuclear Security Culture. Declare the CITS analysts, the “nature of nuclear security culture” arises from: the degree to which all personnel, from senior managers and supervisors down to the most junior operators, are aware of and committed to widely understood security requirements and best practices[;] the degree to which available and affordable security technology is put to use, kept in good working order, and improved[; and] the degree to which security regulations and procedures are implemented and personnel are motivated to accomplish their security-related tasks. In keeping with the workshop’s purpose of augmenting the IAEA’s efforts, however, the participants devoted most of their analytical energies to the IAEA definition. In the course of this debate, one individual questioned whether the language of the IAEA definitionin particular “the attention warranted by its significance”conveyed the true peril of nuclear terrorism. A representative from a former Soviet republic took issue with the term nuclear security culture, noting that his government preferred the term “culture of physical nuclear security” and suggesting that a unique term might be needed to foster comprehension and action in the former Soviet Union. The workshop adjourned without endorsing either proposed definition or producing its own definition, but the participants’ recommendations and comments were forwarded to the IAEA working group on nuclear security culture. They declared
4
J.R. Holmes / Nuclear Security Culture: The Way Ahead
themselves content to abide by the working group’s future revisionssuggesting that a consensus definition is within grasp. This was a heartening sign.
Linguistic Intricacies Matter The relationship between nuclear safety and nuclear security occasioned lively debate at the workshop, for two principal reasons. First, linguistic difficulties interpose themselves. Quirks of various languages have complicated efforts to reach a consensus definition of nuclear security culture. For example, the words “security” and “safety” translate into Russian, Spanish, and Portugueseall languages spoken in nations with sizable nuclear sectorsas the same word. Observed several participants, a definition that does not conflate security with safety is essential. Second, linguistic intricacies aside, safety and security overlapone participant estimated the overlap at 90 percentbut they are not the same thing. Safety specialists, for instance, typically advocate building redundancy into nuclear installations to guard against equipment failure, while security specialists are more skeptical because redundancy furnishes extra opportunities for theft or diversion of sensitive materials. While it may be impossible to reconcile redundancy fully with security, the participants nonetheless seemed confident that the tension between the two will prove manageable. One other linguistic obstacle is worth mentioning. A German representative pointed out that “culture,” in the sense of organizational or professional culture, cannot be rendered precisely into German. The direct translation, Kultur, connotes what English-speakers would refer to as high culture, namely citizens’ being well-versed in literature and the arts. Identifying linguistic idiosyncrasies likely to obstruct a common view of nuclear security culture thus assumes considerable importance. The German case also serves as an indirect reminder that culture does indeed operate on multiple levels, from the macro, civilizational level all the way down to the micro, organizational level. Greater precision, then, seems in order during cross-national discussions of security culture. At the very least, proponents of the concept need to watch for and compensate for such linguistic variations.
Material Incentives Are Necessary But Not Sufficient The workshop also addressed the more pragmatic aspects of managing security culture. It seems clear that material incentives are not enough in themselves to sustain a vibrant culture, but participants voiced different views as to what mix of external stimuli would be most effectual. Russian participants, recalling their country’s budgetary malaise during the 1990s, tended to underscore the need for higher salaries and other inducements in today’s Russia, while also recalling that the Soviet Union’s “three Gs” modelguns, gates, and guardssucceeded in large part by appealing to patriotic sentiment. The Soviet model, then, offered security personnel nonmaterial forms of compensation. Similarly, the other participants seemed to agree that guards, technicians, and managers need to be predisposed to vigilanceone participant referred to a “passion” for nuclear security, another to “security pleasure”and that generous pay and benefits
J.R. Holmes / Nuclear Security Culture: The Way Ahead
5
alone cannot yield such a temperament. One participant wondered aloud whether every nation had a philosophical, cultural, or patriotic tradition to which nuclear managers could appeal. This is clearly an area in which leadership comes to the fore, and in which national policymakers and nuclear managers must adapt their efforts to mold culture to local conditions.
National Cultures and Competing Interests Count Although some of the speakers touched on their distinctive national cultures, the workshop made no serious effort to analyze national traits that might impinge on efforts to achieve a common understanding of security culture. Some of the comments did highlight the need for further inquiry. One question raised by the proceedings but left largely unexplored was how geography molded a nation’s outlook, and in turn its approach to nuclear security culture. For example, representatives of two of the three island nations represented at the gatheringIndonesia and Japavoiced views that were strikingly similar. They observed that their nations urgently needed nuclear power, both because of their archipelagic nature and to make up for their lack of indigenous oil and gas supplies. For them, energy security demands a robust nuclear complex. Such variations in perspective merit further study while highlighting, again, the need to adapt nuclear security culture to local conditions. Cross-national discussion, comparison, and evaluation depends on it.
Statesmen Drive the Problem The workshop participants, then, identified a host of challenges. What solutions presented themselves during the deliberations? The participants agreed that governments and international institutions now comprehend that a healthy security culture equips a nation’s nuclear complex to fend off nuclear or radiological terrorism. This gives the IAEA and other security-culture proponents a uniquebut perhaps fleetingopportunity to press their case in world capitals. Senior political leaders hold the key. Several individuals pointed to the joint U.S.Russian statement issued by Presidents George W. Bush and Vladimir Putin following their February 2005 summit in Bratislava, Slovakia. Among other things, the Bratislava Statement committed the two countries to work together to bolster nuclear security culture in their nuclear sectors. Other indicators of political resolve mentioned at the workshop include the July 2005 amendments to the Physical Protection Convention and a September 2005 decision by the IAEA Board of Governors to approve a Nuclear Security Plan for 2006-2009 in which security culture figures prominently. How long this resolve will last is unclear. Noted one participant, efforts to improve nuclear safety and nuclear security seem to be event-driven. Traumatic incidents such as Three Mile Island, Chernobyl, Beslan, and September 11 generate the political momentum needed to overcome political inertia, but this momentum tends to dissipate as time passes without another such eventin this case an actual nuclear or radiological terrorist attack or a near miss. How to sustain political will is a question the workshop left unanswered. The participants noted only that adequate political determination on
6
J.R. Holmes / Nuclear Security Culture: The Way Ahead
the part of citizens and their governments was and would remain crucial to high standards of security culture.
A Few Parting Thoughts What next for nuclear security culture? The Moscow workshop pointed the way to future inquiry and action. First, the proceedings left no doubt, if there was any beforehand, that security culture is a more variegated phenomenon than any book, bureaucratic wiring diagram, or written directive can convey. Managing it demands supple, sophisticated strategies and tactics on the part of national leaders, officials from the nuclear sector, and those who lead and manage individual facilities. Analysts and practitioners of nuclear security should keep the human dimension always in view as they conduct their affairs. Material inducements and penalties help, but they alone are not enough. Second, perspectives on security culture vary from nation to nation, but one thing remains constant: a sense of urgency on all levels, from presidents to managers to security guards, is essential to progress. As noted before, the French model of security culture takes a top-down view, implying that the convictions and actions of senior leaders are the prime mover for nuclear security. But facility workforces carry out the guidance handed down to them, even under this model, meaning thatas the U.S. model contendsa sense of threat on behalf of individual guards and technicians is indispensable. Lackadaisical security personnel will not effectively execute even the wisest policies and strategies devised by senior leaders. Conversely, even under the bottom-up U.S. model, which emphasizes the motives and convictions of individual facility personnel, only the senior leadership can enact laws, regulations, and policies that bring about cultural reform in the nuclear complexjust as the French model insistsand only they can supply the physical trappings for an effective security regime. The French and U.S. models, then, are less at odds than it might seem. At worst, partisans of the various approaches to security culture should be able to agree to disagree about which model best explains reality and provides the best guide to practical action. Clinging to a single model or definition helps nothing. Third, looking to the future, it should be possible to apply the concept of security culture to the chemical and biological sectors, further fortifying nations’ defenses against catastrophic terrorism. While there are some differences among the nuclear, biological, and chemical industries, the central insight underlying nuclear security culturethat hardware is no better than its operatorremains valid. So do many of the techniques used to manage organizational culture. Even as they tend to security in the nuclear sector, therefore, the Moscow workshop participants ought to begin reaching out to institutions that work to improve security at chemical and biotechnology facilities, supplying them with lessons-learned and expertise. Security-culture advocates clearly have an enormous amount to do. If Clausewitz had it rightif the simplest thing is difficult in human endeavorsthen we’d better get to it.
Nuclear Security Culture: From National Best Practices to International Standards I. Khripunov et al. (Eds.) IOS Press, 2007 © 2007 IOS Press. All rights reserved.
7
Welcome from the Workshop Co-Directors Nikolay ISCHENKO Atomenergo Institute for Professional Training Russia Igor KHRIPUNOV Center for International Trade and Security University of Georgia United States Dr. Ischenko. Welcome to this NATO Advanced Research Workshop. As many of you know, “nuclear security culture” is one of the 12 fundamental principles of nuclear security enunciated in the revised Convention on the Physical Protection of Nuclear Material. Additionally, President Vladimir Putin and President George W. Bush published a joint statement on nuclear security in March 2005, following their summit in Bratislava, Slovakia. The Bratislava Statement specifically mentioned the key role played by well-trained personnel in any security regime, attesting to the importance of the human factor. Up to now there has been no agreed definition of nuclear security culture. These proceedings will attempt to help the International Atomic Energy Agency (IAEA) formulate a definition that commands universal support. Dr. Khripunov. On behalf of the U.S. side, I would also like to welcome you to our Advanced Research Workshop. The University of Georgia has made a long-term commitment to advancing the concept of security culture. Why are we holding this workshop in Moscow? We decided to hold it here because Russians have amassed vast experience dealing with the human factor, and we believe all participants will benefit from the large number of Russian participants present to share their wisdom. What is the workshop about? I call your attention to the Hurricane Katrina debacle on our Gulf Coast, where government failures were attributable in large part to the human factor, ranging from top political leaders in Washington, through state and local officials, all the way down to first responders. A central lesson from Katrina: Equipment is only as good as its operator. I propose to you that nuclear security culture involves a wide range of actors—not simply the guards or workforces at nuclear facilities. Psychologists, police, fire services, and even the general public play crucial roles. Shaping the mindsets of these actors will require a comprehensive strategy premised on what I call the “three Ps,” namely “publicity, popularization, and public.” Cultivating these three Ps will advance the cause of nuclear security culture on a broad front. As we discuss and debate the issues before us over the course of the workshop, I would like to make a preliminary proposal: Should we form a “Core Group” of security-culture enthusiasts to support the work of the IAEA? The University of Georgia Center for International Trade and Security is prepared to spearhead the formation and activities of such a Core Group, provided we can raise sufficient
8
N. Ischenko and I. Khripunov / Welcome from the Workshop Co-Directors
funding. We already have funding to support a Nuclear Security Culture Website and are in the process of creating the site. We anticipate publishing books, articles, and shorter works. For example, the proceedings of this workshop will be published in book form, and the staff of our Center is preparing a book manuscript on security culture under a grant from the U.S. Institute of Peace. I welcome your thoughts and feedback on whether we should move ahead with a Core Group, and on what kind of strategy such a group could best employ to promote the IAEA’s work on security culture.
Nuclear Security Culture: From National Best Practices to International Standards I. Khripunov et al. (Eds.) IOS Press, 2007 © 2007 IOS Press. All rights reserved.
9
A Unique Opportunity: Seize It Gen. Eugene E. HABIGER, USAF (Ret.) Center for International Trade and Security University of Georgia United States This is the most important conference I have attended in the past five years. Meeting here in Moscow, we have a unique opportunity to make some real, significant progress toward meeting threats that confront all of our nations. We have a unique opportunity to break out of the bureaucratic constraints that impede progress. Nuclear security is too important a topic to get bogged down in bureaucracy. Meeting here these next couple of days, we must work to create a product that does not remain on the shelf. It must contain action points to guide our future efforts when we return to our home nations and organizations. In short, we need a plan to begin creating a shared culture among ourselves— among proponents of nuclear security culture—that crosses national, professional, and disciplinary lines. What is culture? Culture refers to the shared history, traditions, and attitudes handed down within some group of people, be it a nation or an individual organization. It predisposes us to look at the world around us, and the challenges that world presents, in a particular way. It does not mechanically determine our actions—we aren’t slaves to culture—but it does shape our actions. Now apply this to the realm of nuclear security. Recent events have brought the problem of nuclear security culture into sharp focus. Improving security culture should be a key ingredient in a comprehensive response to terrorist acts such as the ones that have shaken Russia and the West in recent years. Like the attacks on New York and Washington on September 11, 2001, the Beslan attacks and other atrocities served notice that the new breed of terrorists will strike at our countries with whatever means available—including nuclear weapons or radiological “dirty” bombs. They will seek out the makings for such weapons—primarily fissile materials—from sites where security is lax or insiders can be co-opted. A healthy security culture impels employees not only to execute preexisting procedures but to innovate when unforeseen circumstances arise—as they undoubtedly will, given the limits on our ability to predict the future. Now consider the task before us at this workshop. Are we likely to create a common transnational culture that unites all of us, giving us the same perspective on security affairs? Doubtful; nor should we make the attempt. What we can do is try to gain some commonality on challenges and threats that confront all of our countries. This is where security culture comes in. Security culture is a different matter from national culture. The task of evaluating it is the same from country to country, and no one has tried aggressively to do it up to this point, let alone to come up with an international approach to this task. My perspective is that of a former U.S. Air Force officer. As commander of the U.S. Strategic Command, I was responsible for the security culture pertaining to all U.S. nuclear weapons stationed on land, aloft, and at sea. I am confident in the security
10
E.E. Habiger / A Unique Opportunity: Seize It
of the U.S. arsenal, owing to the elaborate precautions that are in place to safeguard them against theft or tampering. But later, after I retired from the Air Force, I was responsible for security culture on the civilian side of the U.S. nuclear complex. Starting in 1999, I served as “security czar” at the U.S. Department of Energy (DOE), working with Secretary of Energy Bill Richardson to tighten up security in the aftermath of the Wen Ho Lee affair and other security lapses. One factor that leapt out at me: Cultures are stubborn things. When I took up my duties at DOE, I was troubled by the lackadaisical attitudes displayed by some DOE employees entrusted with safeguarding classified information. It is clear, judging by lingering problems at DOE facilities, that much work remains to be done to change that internal culture. Thus, it comes as no surprise that reshaping the security culture at Russian sites has proved to be a difficult undertaking. Cultural change clearly involves far more than building a fence or installing an alarm. Recognizing this, the U.S. government has devoted considerable effort to upgrading the security culture, both in the United States and within Russia’s civilian nuclear complex. For example, in 1991 the U.S. government, under the visionary leadership of Sen. Sam Nunn (D-GA) and Sen. Dick Lugar (R-IN), created the NunnLugar Cooperative Threat Reduction Program to help Russia safeguard its inventory of nuclear weapons, fissile materials, and associated technology. The Nunn-Lugar Program, complemented by other initiatives such as the G-8 Global Partnership Against the Spread of Weapons and Materials of Mass Destruction, has furnished Moscow with an array of high-tech surveillance systems, alarms, and other equipment, as well as low-tech but crucial items such as fences. I had a firsthand glimpse of the security culture that prevails within the Russian military, by virtue of the personal relationships I forged with Russian generals and other officials while I was on active duty. From what I saw, Russian security culture shared many similarities with that of the United States, but there were also some differences, some of them of profound concern. Russian security measures were arguably more stringent than ours in some respects. For instance, the U.S. military places certain sensitive sites, operations, and hardware off-limits to any single individual. Under its “two-person rule,” access to sensitive sites will be granted only to two or more qualified, certified individuals. Russia, by contrast, enforces a three-person rule. A noncommissioned officer can authorize access to a bunker housing U.S. nuclear weapons, while in Russia a colonel must grant permission to enter a bunker. Similarly, the chief of staff of Russia’s Strategic Rocket Forces must approve plans to remove a nuclear payload from a missile. In the United States, we allow more junior officials the authority to approve such procedures. On the other hand, the U.S. Personnel Reliability Program (PRP) is far more exacting than its Russian counterpart. Under the PRP, people entrusted with access to sensitive facilities and equipment undergo periodic, extremely rigorous reviews of their suitability for such duties. Access privileges can be suspended or withdrawn for a host of reasons, from divorce to prescription medications. Under our version of best practices, which I wholeheartedly support, the PRP makes no exceptions for rank. Indeed, on one occasion I had myself temporarily removed from the program while on antibiotics. While Russia at least recognizes the need for a PRP-style program, its current equivalent to the program provides only for cursory oversight over nuclear personnel. I
E.E. Habiger / A Unique Opportunity: Seize It
11
believe the Russian nuclear complex could benefit from substantial improvement in this area. We must set the bar for nuclear security culture very high, but there are certain drawbacks. For example, under the design basis threat, or DBT, methodology, the United States in effect has devised security precautions to fend off a seven-foot-threeinch terrorist bent on gaining access to a military or DOE nuclear site. We assume that terrorist groups possess perfect information, state-of-the-art weaponry, and insider help. The assumptions underlying our DBT analysis have given our nuclear facilities a pretty robust defensive capability, since few if any terrorists measure up to our assumptions. Sadly, the expense of such a capability may not be affordable elsewhere, where resources and threat perceptions differ. Contractors are another issue in the United States. Around 90 percent of DOE employees are contractors, while 100 percent of the security officers who guard DOE facilities are “mercenaries.” Now, in my experience our contract employees are very good. That culture is okay in my view. Still, it’s worth keeping in mind that security culture may have to extend beyond government employees, and that this complicates the policies of leadership to a certain degree. Leading by example is absolutely essential in any institution determined to improve its security culture, or indeed its overall professional culture, of which security culture is a subset. I repeat my previous point, in which I cautioned against making “exceptions” to security procedures for people with rank, political clout, or fame. When Marshal Sergeyev paid a visit to a missile base in Wyoming back in the 1990s, I and my personnel could have streamlined his entry to this secure site, say, by waiving the normal searches, or by using my personal authority to grant permission for the visit on the spot (rather than requesting permission from Washington, as doctrine dictates). Rather than bypass our security measures—as I could have done, in full knowledge that doing so would pose no risk to national security—I made a point of going through the full access regimen with Marshal Sergeyev, spending about 12 minutes more than we otherwise might have before entering the base. Marshal Sergeyev reciprocated a year later when I paid a visit to a Russian missile site. It was worth spending an additional 15 minutes of our time, as we did, in order to set an example for the security personnel at the U.S. and Russian sites. The bottom line in such cases: People who guard nuclear materials and weapons live in a binary world. They need binary rules to follow: Search or don’t search, shoot or don’t shoot, and so forth. I close by reiterating my challenge to all of you assembled here: During the next two days, we must develop a deliverable that we will all be proud of—that will make the world a safer place for all of our nations—by a year from now. I am confident that our efforts will be of immediate and practical use to all of our countries, while providing enduring lessons for policymakers elsewhere in the world. Thank you.
This page intentionally left blank
Nuclear Security Culture: From National Best Practices to International Standards I. Khripunov et al. (Eds.) IOS Press, 2007 © 2007 IOS Press. All rights reserved.
13
The IAEA’s Perspective on Security Culture Anita NILSSON Office of Nuclear Security International Atomic Energy Agency To supply some context for nuclear security culture: The official proceedings of the March 2005 International Conference on Nuclear Security, held in London, pronounce nuclear terrorism one of the greatest threats we face today. The September 11, 2001 terrorist attacks on the United States served as a wakeup call to the international community. We must prepare throughout the spectrum. What are some of the threats that confront us? First, in a worst-case scenario, a terrorist group might obtain ready-built nuclear weapons. Second, if terrorists should obtain nuclear materials of sufficient quality, they might be able to construct a crude nuclear device. Accountability for the materials used at civilian nuclear power plants and other sites thus warrants our attention. Third, if they should obtain radioactive materials, even if these materials are not weapons-usable, terrorists could nonetheless build a “dirty bomb” or other radiological dispersal device. The magnitude of these threats impels us to continue and step up the efforts undertaken in recent years. Various international accords and instruments contribute to individual states’ and the international community’s ability to counter nuclear terrorism. To name one recent example, in April 2005 the UN General Assembly unanimously adopted the International Convention for the Suppression of Acts of Nuclear Terrorism, which calls on UN member states to criminalize such acts. The Convention requires parties to safeguard nuclear weapons and materials and to make other preparations consonant with recommendations from the International Atomic Energy Agency (IAEA). Russian president Vladimir Putin and U.S. president George W. Bush were the first two heads of government to affix their signatures to the document, attesting to its importance. This followed the two presidents’ joint statement on nuclear security, issued in Bratislava earlier in 2005, which specifically endorsed the concept of nuclear security culture. Other initiatives pertaining to nuclear security culture are underway. In July 2005, for instance, the parties to the Convention on the Physical Protection of Nuclear Material approved a series of amendments designed to improve international cooperation on measures to recover lost or stolen materials, detect sabotage, and so forth. Security culture numbers among the 12 “principles” spelled out in the amendments. Once the amended Convention enters into force—the amendments are currently awaiting approval in national parliaments—nuclear security culture will find itself elevated to a fundamental principle of nuclear security, not to mention an obligation under international law. Over 70 states have now committed to the Code of Conduct on the Safety and Security of Radioactive Sources, which among other things obligates states to promote
14
A. Nilsson / The IAEA’s Perspective on Security Culture
safety and security culture among those who handle sensitive materials. In September 2005, the IAEA Board of Governors approved a Nuclear Security Plan for 2006-2009 aimed at strengthening nuclear security culture in the nuclear sectors of IAEA member states. And the IAEA has convened a working group to define and help implement security culture, introducing this new concept into daily operations. We are developing a new document to guide this process—an effort which has demanded considerable intellectual energy. The IAEA’s security-culture-related endeavors, taken together with these other international agreements and accords, amount to an international commitment to do whatever it takes in this area. What is security culture? The IAEA defines the concept as “that assembly of characteristics, attitudes and behaviors in individuals, organizations and institutions, which supports the objectives of nuclear security and ensures that it receives the attention warranted by its significance.” If our objective is to improve security culture, then we must adopt measures at all levels. If security culture is in effect the expression of an attitude, as we believe it is, then a graded approach taking into account threats, risks, and consequences is in order. The components of a security culture include (1) the policies of national governments, (2) the organizations that apply the concept of security culture, and (3) the attitudes and actions of the individuals who implement the concept. Accordingly, the IAEA’s Nuclear Security Plan for 2006-2009 envisions (1) continuing to raise awareness and work on guidance for member states; (2) making assistance available to the nuclear complexes in member states; (3) developing a training module on nuclear security culture; and (4) following up on requests from member states for dedicated training on security culture. I hope that nuclear security is approaching a renaissance, in large part because radioactive substances play such a beneficial role in modern societies and economies. Citizens are coming to accept nuclear power, but one successful terrorist act involving nuclear materials or a nuclear installation would place this growing confidence at risk. The values underpinning nuclear security culture, consequently, must come to permeate all levels of society. I look forward to working with all of you to realize our shared vision. Thank you.
Nuclear Security Culture: From National Best Practices to International Standards I. Khripunov et al. (Eds.) IOS Press, 2007 © 2007 IOS Press. All rights reserved.
15
Question-and-Answer Period Eugene HABIGER and Anita NILSSON Question. I’d like to ask Gen. Habiger about the U.S. approach to defense-in-depth at nuclear facilities. Should we perform risk assessment with an eye toward reducing the expense of security preparations? Gen. Habiger. Yes. We can reduce our planning assumptions, preparing for a six-foot terrorist rather than a seven-foot-three terrorist, to use my earlier analogy. But there could be consequences. Expenditure up front could save lives and money later if a terrorist event occurs. In the United States, we have deemed the expense worthwhile. Question. For Anita Nilsson: Nuclear security and nuclear safety are global issues. How can we balance these two visions? Dr. Nilsson. We also need to consider how to balance nuclear security culture with legitimate uses of commercial power. Security has been too low a priority up until now. We now need to achieve a common baseline level of nuclear security culture—a minimal level, or at least a nonzero level. We also need to consider a dirty-bomb scenario. What is the proper level of preparation for such a scenario? Use commercial aviation as a model of how to approach the challenge of terrorism. We continue to fly under the new security regime; we now have an aviation security culture. So, the question is, what do we need to do to put an equivalent security culture in place in the nuclear sector? Question. For Gen. Habiger: In the United States, we see little evident worry about the perils of insider or outsider threats. How do we convince our nuclear sector to take these threats seriously? Gen. Habiger. This is the core issue. What seed should we seek to plant in the brains of nuclear security personnel? We need to build a “passion” for security. We can’t completely avoid risk; there aren’t enough resources in the universe to completely avoid risk. The individual is the one who is or isn’t going to stop an attack or other incident from occurring. I draw an analogy to the “single-point failure” that would take place if a Secret Service agent were to fail to shield the president from an assassination attempt, despite years of training and the best hardware available. You can’t entirely prevent such single-point failures, but you can bias the culture in that direction by encouraging good habits and attitudes.
This page intentionally left blank
Nuclear Security Culture: From National Best Practices to International Standards I. Khripunov et al. (Eds.) IOS Press, 2007 © 2007 IOS Press. All rights reserved.
17
Cultural Aspects of Sustaining Nuclear Security Laura HOLGATE Nuclear Threat Initiative United States The organization I represent, the Nuclear Threat Initiative (NTI), has engaged in an unusual activity for a nongovernmental organization (NGO) devoted to reducing nuclear threats worldwide: We made a movie that was broadcast on national television. This short film was designed to dramatize a number of truths about the nuclear threats we face today: x x x x x
Terrorists are seeking nuclear weapons in order to use them. Plutonium and especially highly enriched uranium are distributed globally, in both military and civilian venues, and in many instances are inadequately secured. Even upgraded security equipment can be defeated through insider collusion. If they obtain nuclear materials, today’s well-funded, well-organized, and suicidal terrorists are fully capable of improvising a nuclear device capable of devastation on the scale of Hiroshima. Once material is lost, there is little chance of recovering it or of discovering an assembled nuclear device in transit.
We made this film—called Last Best Chance and available free through our website, at lastbestchance.org—because we believe that these truths are not widely understood or accepted. But the scenarios portrayed are realistic, and may in fact be happening right now. The movie’s title refers to our belief that we have before us right now our last best chance to prevent nuclear terrorism, and that means creating and sustaining the highest levels of security for nuclear weapons and materials. Sustainability is often considered in the context of existing security systems, or in the service life of a piece of equipment, but in the world of nuclear security, sustainability has a much different meaning. Consider that the half-lives of plutonium239 and uranium-235, respectively, are 24,000 years and 713,000,000 years. Having created vast quantities of these sources of life-giving but also deadly energy, we now have the truly awesome task of protecting them for millennia. Hardware and software cannot fulfill this sacred mission—only people can. This reality brings us to the topic of nuclear security culture. By this point in our discussion, this term has already been exquisitely defined, so I will spare you yet another definition. What are some of the key ingredients of sustainable nuclear security?
18
L. Holgate / Cultural Aspects of Sustaining Nuclear Security
x x x x x x x x
Risk assessment Technology Training Documented procedures Performance testing Regulations Inspections and audits Funding
I’ll offer some thoughts on how the culture of nuclear security in any nation or facility can either contribute to or compromise the effective implementation of these elements of sustainable nuclear security.
Risk Assessment The long-term effectiveness of nuclear security requires continual reevaluation of the risks of theft or misuse of nuclear material. This requires both creative thinking and constant vigilance on the part of facility staffs, which must keep abreast of new ways potential outside attackers are operating and consider how operational changes might create either vulnerabilities or opportunities to improve security. The use of suicide bombers, as seen in the Iraqi insurgency and the August 2004 Russian airline attacks, creates an entirely new set of threats to nuclear facilities. The installation of new production lines or construction of new buildings, on the other hand, offers nuclear leaders the chance to integrate security features more efficiently than retrofitting typically allows. At the same time, closure of facilities or other changes to normal procedures create non-standard conditions that may be exploited by insiders familiar with facility operations. At the national level, collecting and communicating intelligence about threats and attack techniques is important. None of these activities can be fully carried out, however, absent a culture of personal responsibility and alertness to new realities.
Technology Nuclear security is often thought of primarily as the application of technology: hardware and software systems to monitor and defend facilities and materials. Cultural attitudes are a critical element of the application of technology, however. Technology works best when its design is appropriate to the operator and the task. Simplicity, low cost, robustness, maintainability, and interoperability are all important considerations when selecting among existing technologies or when designing new ones, and the security culture in which technologies will be used should define these criteria. Standardization and quality control become critical factors, and therefore nuclear security culture must be understood as encompassing design and production of security technology as well. Thus security culture often extends even into the commercial environment.
L. Holgate / Cultural Aspects of Sustaining Nuclear Security
19
Training As with technology, training is often conceived of as instruction on how to use specific equipment, but training is a critical component of security culture. Only when the entire staff of a facility understands the larger threat environment, international obligations, and national requirements can personnel be expected to perform at their peak day in and day out, and to recognize and act on anomalies that may indicate threats to nuclear security. Similarly, management, from the facility level to the national level, must see the value of such training in order to design and institute it.
Documented Procedures The concept of sustainability implies repeatability, consistency from facility to facility, and endurance over time. This is why the documentation of procedures is so critical, but it is often overlooked. A culture that tolerates deviation from established procedures certainly detracts from nuclear security, but procedures must also be updated regularly to account for changes in operational requirements and risks.
Performance Testing Ensuring that systems and operators interact effectively is a necessary component of sustainable nuclear security. Regular tests of a facility’s response to various scenarios can be very revealing of the differences between intentions and reality. A culture that embraces performance testing as a source of ideas and experience to improve security systems and procedures will lead to greater sustainability.
Regulations Defined standards for nuclear security are the prerogative of regulatory bodies, and their effective design and implementation will depend on cultural attitudes towards regulations. True nuclear security is only possible when regulations are appropriately conceived, consistently applied, and incorporated into standard procedures. This requires cultural attitudes that respect the authority of the regulatory infrastructure and are based on an understanding and acceptance of the central role regulation plays in nuclear security.
Inspections and Audits Regulations without enforcement mechanisms are hollow, and inspections and audits are important tools not only for higher authority to evaluate the performance of facilities, but for facility managers to understand and rectify their own weaknesses. Cultural attitudes that approach inspections and audits positively, as opportunities for improvement, will greatly improve the prospects for achieving nuclear security goals.
20
L. Holgate / Cultural Aspects of Sustaining Nuclear Security
Accountability of all elements of the nuclear security culture is a necessary component of its success.
Funding Assuring adequate funding for nuclear security requires actors at every level to internalize the importance of effective security and to be willing to make hard choices among competing claims on national and facility budgets. Only a culture that values nuclear security can amass the long-term political support needed to sustain such expenditures. At the same time, recognition of funding limits can create opportunities and pressures for efficiency, encouraging facilities where management is open to new approaches to foster a security culture that supports individual initiative to identify cost savings. Nuclear security is not cheap, but it is certainly cheaper than the alternative: a nuclear attack by terrorists. Since a strong nuclear security culture is essential to sustainable nuclear security, sustainability efforts must include specific attention to the culture in which such efforts take place. This attention is growing, as evidenced by the incorporation of securityculture concepts into foundational documents on nuclear security, such as the Convention on Physical Protection of Nuclear Materials, INFCIRC 225, and UN Security Council resolution 1540. The expansion of the IAEA’s efforts to define nuclear security culture and to support its improvement among member states is a necessary and welcome development. Professional organizations such as the Institute for Nuclear Materials Management (INMM) offer another venue to share best practices in nuclear-materials security and to develop further the concept and application of nuclear security culture. This is why NTI has joined with INMM to create workshops on best practices in nuclear-materials management. The first of these was held in Prague last summer, and I believe many of you attended this session. The next one is being planned for next year, and the organizers have already identified nuclear security culture as a focal point for that activity. At NTI, we see this Moscow workshop as following the overall trajectory, and we encourage other professional organizations around the world to incorporate the cultural aspects of nuclear security into their work. NTI believes a new structure is critical to nuclear security, and to the culture that sustains it. We are exploring the concept of creating an organization of nuclear-facility operators to promulgate best practices in nuclear-materials management around the world. Such an organization might be conceptually modeled along the lines of the World Association of Nuclear Operators, which provides training, peer reviews, and information sharing related to the safety of operations for nuclear power reactors worldwide. A similar voluntary approach to improving nuclear-materials security might be considered as an adjunct to the more formal requirements of national regulations and international treaties. Such an organization would certainly emphasize the critical role of security culture in sustaining nuclear-materials security. We have challenged the INMM to consider providing an initial platform for the design and establishment of this kind of mechanism. I’d like to spend a moment focusing on the role of the individual in nuclear security. Systems and mechanisms and institutions and infrastructure are all critical
L. Holgate / Cultural Aspects of Sustaining Nuclear Security
21
elements of nuclear security culture, but ultimately these are organizations of individuals, and they are designed to affect the behavior of individuals. Humans are the greatest strength of high-quality nuclear security, but they can be the greatest weakness if the culture in which they have been steeped is inadequate to the task. No machine or computer program can imagine new security approaches that reduce risk or increase efficiency; no mechanism can detect when a co-worker is suffering from stress, mental illness, or blackmail and may therefore put materials or people at risk. On the other hand, machines are not susceptible to these very real pressures that can turn a trusted colleague into an insider threat. Recent reports of high suicide rates and hazing among Interior Ministry guards at Russian closed cities are one very great source of concern, but they are far from the only concern. If individuals are not cared for, properly trained and educated, effectively equipped and tested, allowed to help define the processes for which they are responsible, and held accountable for their actions and the actions of those they supervise, no nuclear security system can be considered adequate. The individuals in this room are among the best equipped to bring this message forth, and I hope the outcome of this workshop will be specific ways to raise the level of security culture globally. As I stated at the outset, now is our “last best chance” to get this right. If we don’t, we have no one to blame but ourselves.
This page intentionally left blank
Nuclear Security Culture: From National Best Practices to International Standards I. Khripunov et al. (Eds.) IOS Press, 2007 © 2007 IOS Press. All rights reserved.
23
Security Culture: A Personal Perspective From the United Kingdom Peter CARROLL Department of Trade and Industry United Kingdom Abstract. This short paper provides an informal perspective on the United Kingdom’s development of security culture. It is an individual and personal viewpoint, as encouraged at this workshop, and does not represent formal U.K. policy on the subject.
Security culture plays as important a role to protecting our nuclear materials as any number of fences or intrusion detection devices. Security culture is the key element in our physical security protection against terrorism, countering the twisted ideology that motivates terrorists as they perpetrate their evil acts against civilized people. THREAT ASSESSMENT
RISK ASSESSMENT
Security Culture
General Staff
Security Staff Management
SECURITY REGULATORS
LEGAL CENSURE
Figure 1: Security Culture Relationships
The IAEA definition of security culture (“characteristics and attributes in organizations and of individuals, which establish that security issues receive the attention warranted by their significance”) focuses on the characteristics and attributes of an individual. Figure 1 below represents the relationships through which these characteristics and attributes define the security culture. The whole is driven in the first
24
P. Carroll / Security Culture: A Personal Perspective from the United Kingdom
instance by the local threat assessment and associated risk assessments. It is up to management to define the roles and responsibilities of the security staff, which in alliance with the other general staff creates the security regime necessary to protect the firm’s business assets, including nuclear material. The end result is subject to inspection by a country’s security regulators and, where the security regime is found wanting, may be subject to legal censure if site management is unable or unwilling to remediate the situation. In mounting security arrangements, it doesn’t matter how good the physical protection systems are in response to the local threat, it is the people setting up the systems, managing those systems, and responding to the alarms who are absolutely vital to an effective security regime. In considering the development of a healthy security culture, therefore, this paper will focus not on the software or the hardware, but on the “warm-ware”—namely, the people.
General Staff All staff members, whether they are part of the security team or not, are partners in the effort to maintain an effective security environment. Before they can properly play their part in safeguarding the security environment, however, they need to be aware of what the threat is, what it means to them, and what they can do to help defeat it. Many workers will have a vague notion of the prevailing threat in their country, as described in the press and other media. The dimensions of the threat may even have been exaggerated in certain fictional works. However vivid, this vision will seem remote to individuals, so it is important that they be made aware of the threat as it specifically and genuinely affects them at their place of work. To that end, they need to be briefed, and briefed regularly, on the threat as it affects them and their place of work. Any induction training given to new staff needs to include security lectures outlining the general threat to nuclear materials, as well as the specific threat to material stored locally or used at the site. These initial induction lectures should be backed up by “refresher” lectures every year, along with other techniques such as poster campaigns. The United Kingdom’s best practice encourages annual security briefings for all staff. The most important reinforcement of the message conveyed during the induction security lecture, though, comes through practical experience with security on site, at the institute. There needs to be a palpable demonstration of “security in action.” Workers need to be made part of the security regime, not only as subjects but as participants. The first part of the process pertains to the visible security issues that ordinary workers will encounter as they go about their day-to-day work x x x x x
Do staff members all wear their security passes? Do the guards check bags and briefcases? Is the baggage scanner working and being used? Are the guards alert and on the ball? Is security important?
The answer to these questions must always be “Yes” if the staff is to recognize the importance that is placed on their security, that of their colleagues, and that of the
P. Carroll / Security Culture: A Personal Perspective from the United Kingdom
25
nuclear material stored and used at the site. If the answer is “No,” then the indication is that the security culture at the site is not receiving the attention warranted by its importance. Security practitioners will probably be well aware of the phrase “Security is everybody’s business”; the reason we are is because this mantra is true. Every person at an institute, in a plant, or on a project has a responsibility for the security of that project and the materials that are part of it. Every pair of eyes should be backing up the CCTV and intruder detection equipment—even though modern security systems will have in place any number of cameras, covering every meter of perimeter fencing, every access control point, and every security door and window. Intruder detection systems will be in place at the perimeter fences to alert guards to incursions. But these cameras and sensors feed to a central monitoring station that is probably manned by only one or two people, and even these people will only be monitoring a few cameras at a time. Even at their most alert, therefore, the security staff will only be watching a small part of the security shield. The other workers thus become more than passive stakeholders. They must be an active part of the security regime; their ears and eyes must be part of the overall security system; they must develop a healthy, inquisitive attitude. As they go about their business, they must ask x x x x x
What’s that doing there? Who is he? Why isn’t she wearing a pass? How can he afford a new car? Should that door be open?
Having asked the right questions, they need to have the confidence to demand an answer and to know what to do if their questions do not elicit satisfactory answers. They will only become active security stakeholders if they are made aware of the important part they play in protecting their workplace and the materials in that workplace. They will only be confident in discharging their responsibility as active security stakeholders if they are confident that the infrastructure is in place to support them when they have concerns. Ensuring that such an environment is in place ultimately rests, of course, with management.
Security Staff It would be reasonable to consider the security staff, which is charged with preventing or responding to unauthorized access and activities at a nuclear site, the most important part of the security system. If so, it is surely important to have the right raw material with which to build the security team. Key to this is recruitment. In most countries— certainly the United Kingdom is no exception in this regard—the level of pay offered to the security staff is among the lowest in the nuclear industry. As a result, the quality of men and women recruited for security duty is likely to be poor. There is a saying in the United Kingdom which holds, “If you pay peanuts, then you get monkeys!” How, then, given the sometimes poor quality of the staff members we can recruit, do we create a team that will be highly motivated and effective?
26
P. Carroll / Security Culture: A Personal Perspective from the United Kingdom
Training is an obvious key milestone on the journey of turning the person-on-thestreet into an effective guard. However, basic or initial training is not usually conducted at the workplace or site where the guard will be on permanent duty, but in some remote location, in company with many different recruits destined for a variety of sites. This initial training can therefore only be generic in nature and needs to be rounded off by further, site-specific continuation training. All of those who have been involved in training will know the importance of reinforcing training with regular exercises and evolutions. Of course such periods of training should be carried out in the place in which the security staff usually works. Additionally, if it is to be effective, the training needs to be a positive experience. When things go wrong, as they often will, this should be seen as an opportunity to learn for the future. Reprimands for training mistakes will reduce the training’s effectiveness. Worse, they will discourage the security staff from reporting weaknesses in the security regime for fear of further reproaches. In such situations an opportunity to improve security arrangements by drawing on the firsthand experience of people on the ground will be lost. Regular training will equip guards with the skills they will need on the ground when chaos erupts around them. It is quite impossible to prepare for every conceivable eventuality. When an incident such as a security incursion or attack does happen, therefore, management will need guards to be flexible and to use their own initiative, drawing on the basic tools they have practiced during routine security exercises. The U.K. best practice therefore requires regular, formally monitored exercises that involve the whole security community. This includes everyone within the establishment, and often safety and security bodies from the wider community beyond the perimeter fence. It is important to remember that site security does not stop at the perimeter fence: Activities leading up to an attack will take place well outside this boundary, within the wider community. This wider community thus needs to be brought into the security arrangements as much as possible. In addition to the training they receive, the physical support furnished to security staff members is important. The equipment they use and the uniforms they wear must be smart and fit for the purpose. If guards are given ill-fitting, scruffy uniforms that make them look like Charlie Chaplin, if they are given equipment that doesn’t work, and if they are told to stand watch in a dilapidated and gloomy guard station, then they won’t take pride in themselves or their work and will rapidly become dispirited. Terrorist attacks are generally preceded by a period of surveillance; it is at this stage that we need to stop an attack or intrusion, and we achieve that by deterrence. Part of this deterrent effect is achieved by putting in place robust physical protection hardware alongside the obvious professionalism and effectiveness of the visible guard force. Members of this force thus need to be highly visible, they need to be obviously alert, and they need to look as if they know what they are doing. Economies made in supporting and equipping our security staffs are false and perilous economies, because they undermine the confidence and professionalism of the guards, with the result that the deterrent effect the guards project will suffer. In the United Kingdom, nuclear operators recruit security guards on normal commercial terms, with all of the potential risk that this brings. These guards are backed up by career professionals in the shape of the Civil Nuclear Constabulary. These professional men and women have overcome tough recruiting hurdles and undergone extensive training at their training establishment near the Sellafield nuclear
P. Carroll / Security Culture: A Personal Perspective from the United Kingdom
27
plant. They start as constables and ascend to the highest ranks in the service under terms and conditions similar to those of the U.K. Home Office Police Services. They are experts in their field, have pride in their profession, and are motivated to succeed, both individually and as a team. In short, they are just the sort of people needed to guard nuclear material. By working alongside the civilian, locally recruited guards (who are unarmed), the nuclear constables impart their motivation and expertise, raising the level of security awareness and professionalism across the board. It is important that, where possible, members of the career security staff (such as the MVD-IT in the Russian Federation) work as closely as possible with the less qualified and less able members of the staff. Such cooperation should include exercising together regularly. This practice will allow them to learn from one another, gaining mutual respect while bolstering the confidence of the less proficient security staff. It will also improve the chances of reaching common objectives and reduce the friction sometimes caused by split loyalties within the security organization. So, ensuring close teamwork, fueled by regular and joint training exercises, is a central element of best practices in the United Kingdom. Leadership, again, is a key element in an effective guard system. Guard duty, in particular static guarding, is dull and dispiriting work. In poor weather conditions, such as those that prevail in parts of the Russian Federation for long periods, guards will quickly tend to lose focus on their professional duties. Their efforts will tend to swing toward comfort or even simple survival. Constant encouragement and motivation, insistence on attention to detail, and regular signs of appreciation are all part of the good guard commander’s cache of measures to keep his guards on form under difficult yet mundane circumstances.
Management As mentioned earlier on, ensuring that a good security environment is in place rests ultimately with management. There must be buy-in at the very top of the organization. The management board should have a senior representative with primary responsibility for security. That person needs to be involved in discussions of all aspects of the institute’s business projects. In this way, any security implications of these projects—in particular those implications not immediately obvious to other members of the management team—can be taken into account, and, if necessary, the institute’s activities can be adjusted so as not to compromise the security environment. One of management’s first responsibilities is to arrange a threat assessment. Such an assessment will estimate the threat (in particular as it prevails locally), identify the assets that are in need of protection, and assess the vulnerability of those assets to the threat. Management will always be forced to balance the desire to provide as much security as modern technology and manpower will permit against the scarcity of resources to provide that technology and manpower. Regulations cannot cover every circumstance. Local security managers, accordingly, need the authority and skills to carry out local threat and risk assessments, allowing them to deploy available resources in the most effective way possible to combat the threat. In the United Kingdom we require security managers to generate their own local threat assessments, building on the foundation provided by the design basis threat methodology.
28
P. Carroll / Security Culture: A Personal Perspective from the United Kingdom
Figure 2: The Two Great Lies?
Attempts to abide by regulations imposed from afar, probably without the full resources needed to implement these regulations, will result in a security structure that is inherently susceptible to failure. In its attempts to comply with written regulations, management will likely develop flawed plans that may meet the budget but may not represent the most effective way to protect local assets from the local threat. While I do not suggest for one moment that security managers should ignore the best intentions of the regulating authorities, they do need to put a management infrastructure in place that allows them to work with regulators to achieve the best possible solution with the resources available to them. Management needs to be aware of and act with regard to regulatory, legal, or licensing constraints. Operating procedures need to be framed so that they take account of such constraints. It is the responsibility of the management board to make sure this is so. Any constraints imposed by regulatory or licensing requirements pertaining to security, moreover, need to be highlighted so that employees, subcontractors, or visitors have no chance to claim ignorance of their responsibility as stakeholders in security. In order to work with regulators, senior management must have a good relationship with the regulating authority, nurtured by regular meetings and discussions. All those who carry out security inspections will be familiar with what used to be dubbed the “two great lies,” as illustrated in Figure 2 above. In the United Kingdom, fortunately, this mutual antipathy and suspicion has been dispelled in recent years, largely because regulators and institute managers have come to recognize that they have a common objective when it comes to security—safeguarding nuclear material. People and organizations sharing a common objective benefit by working together as a team, not against one other as antagonists. In the United Kingdom the Office of Civil Nuclear Security (OCNS), which regulates the British nuclear industry, has an excellent working relationship with the nuclear companies. If a security problem arises, then the very first source industry will tap for advice is OCNS. This liaison has become at once routine and fruitful.
P. Carroll / Security Culture: A Personal Perspective from the United Kingdom
29
Leadership is a crucial and obvious skill-set at the level of top management. All too often, however, leadership in security-related matters devolves to a lower level of management than is warranted. Experience seems to show that when senior management takes an active role in security, the impact is dramatic. Given the same security challenges and the same tools with which to combat these challenges, two similar organizations can have utterly different security environments—focused, tight, and effective versus confused, slack, and vulnerable. Invariably the difference stems directly from the level of interest taken in the security environment at the very top. Leadership must therefore be backed up by a robust and rigorous regime of inspections to ensure that security standards are being met on the ground. Relying on local heads of establishment to monitor and regulate themselves is no use. Without legally enforceable regulations that are rigorously driven from above, financial and commercial pressures will inevitably force the profit-consuming business of security well down the scale of priorities. Despite the costs of security, which work against a facility’s imperative to turn a profit, managers need to be constantly driven to focus on the “front line,” not the “bottom line,” when it comes to nuclear security. At a recent meeting of the British Civil Nuclear Constabulary, the chief constable emphasized that every single thing the management of his organization did, every penny it spent, every decision it made, was taken, spent, and made to support the typical guard standing watch, alone and at night, guarding nuclear materials from the designs of the terrorist. This is more than best practices; it is a cultural way marker. All who manage security, from the very top to the bottom of the organizational hierarchy, need to ask themselves every day, “Is what I am doing actually going to help the men and women on the front line do their best to preserve the security of nuclear material?”
Summary x
x
x
Security culture is a key element of physical security protection. Without a healthy security culture to complement the hardware, physical security systems will be substantially less effective. It doesn’t matter how good a site’s physical protection systems are in response to the local threat, it is the people setting up the systems, managing those systems, and responding to the alarms who are absolutely vital to an effective security regime. Everyone, not just the security staff, has a responsibility for the security of nuclear materials. A good security culture inculcates within all members of a facility’s staff that they have a responsibility to become active stakeholders in security. This is achieved in part by rigorous, routine security practices and regular briefing sessions designed to instill awareness of local security conditions. Basic and initial training of security staff recruits must be followed up by a properly formulated, regulated regime of continuation training. Such training is best conducted within the actual workplace and should include all staff members, not just the security force. Training should be designed to give staff members confidence, encourage them to think for themselves, and prepare them to rely on their own initiative when confronting an incident. Emergency and utility services outside the perimeter fence should be included, and management should consider including the local population as well, in an
30
P. Carroll / Security Culture: A Personal Perspective from the United Kingdom
x
x
x x x
effort to build confidence in the security regimen and garner more security stakeholders. The challenge of funding necessary security measures while still showing a profit is daunting. But economies made in supporting and equipping the security staff undermine its capability and confidence while simultaneously reducing its deterrent effect. When addressing the vital issue of assuring nuclear security, then, managers should be constantly driven to focus on the “front line,” not the “bottom line.” Security staffs are drawn from a mix of full-time career professionals and short-term contract personnel. The professionals need to work alongside the less qualified and less able staff, transferring their skills and knowledge to the contract employees while reducing the potential for friction between groups with competing outlooks and needs. Security regulators and site security managers have a common objective. Both groups need to recognize this, and to develop an interface and working practices that allow them to work together to meet that common goal. Leadership is a fundamental skill-set at all levels of security management. It must be nurtured and developed. Finally—if it looks like a mess, then it probably is a mess!
Nuclear Security Culture: From National Best Practices to International Standards I. Khripunov et al. (Eds.) IOS Press, 2007 © 2007 IOS Press. All rights reserved.
31
Nuclear Security Culture: The Need for Universal Standards Manabu MASUDA Japan Nuclear Security System Co., Ltd. Japan
Abstract. To make security culture universal, deeper thought about its associated factors—namely personnel, hardware, organization, and information—is required. To this end, it is critical to understand and emphasize the interrelation of these factors, as well as to assure that they are well-balanced. The concept of safety culture materialized out of the experience of various nuclear accidents, giving rise to an international common sense for those whose work is related to the nuclear power field. Based on valuable experience from the past, I believe that many things can be learned from the model and emergence of safety culture, which in turn can help us create a far-reaching and sustainable security culture. In this report, personnel, hardware, organization, and information are examined as the basic elements of security culture.
1. Discussion 1.1. Personnel Overall, today’s nuclear facilities are managed with advanced computer systems. However, these computer systems are limited by the capabilities and judgments of their human operators. In operating a security system constrained by such realities, it is necessary to think about the insider threat. In this section, the prerequisites needed to operate a stable security system are considered, and a methodology to establish these as part of the facility’s culture is reviewed. For the next step, although this is a large task, further considerations are assessed as to methods for stabilizing and maintaining a given security system vis-à-vis the prevailing threat.
For Stable Operation of the Security System In a modern security system, equipment is controlled by an advanced computer system, and thus continuous maintenance and testing are indispensable tools for the stable operation of the system. For the system operator in particular, familiarity with the characteristics of the system is required, along with demonstrated ability and experience in the system’s everyday operations. Continuing education and proper training are vital for the successful operation of the system. It is also necessary to
32
M. Masuda / Nuclear Security Culture: The Need for Universal Standards
perform periodic maintenance on the system’s equipment on schedule, managing the system so as to assure adequate security coverage while elements of it are off-line. Unfortunately, the undesirable attitude that attention to material condition is only necessary when equipment breaks occasionally surfaces. Planned maintenance of equipment is indispensable in order to assure normal operations. We must not forget that maintenance and repair costs can be reduced if the system’s components are regularly maintained and managed. This is the basic condition needed to guarantee that the security system functions properly in case of emergency. The patrolling activities of personnel are a vital complement to scheduled maintenance. With proper attention to these dual dimensions of security, the facility’s chances of detecting possible dangers prior to an act of sabotage, whether committed by outsiders or insiders, are much greater.
Personnel Management Decreases the Insider Threat In a facility’s advanced security system, the success of the system is limited by the quality of the system’s human management. The oversight mechanism used by human management to oversee the performance of individual personnel begins from the time an employee concludes a contract of employment with the organization. The methods of initiating employment, however, vary according to the historical background of the country and organization. Depending on the country, a company investigates the potential employee and checks his or her lineage—dating back as far as three generations—before employment is even contracted. Before offering a contract, some firms even seek confirmation that no one in the prospective employee’s family was ever involved in an anti-government movement. Recently, efforts to confirm arrest records, criminal backgrounds, drug or alcohol habits, mental illness, suspect friendships, or monetary troubles through background checks have increased, although this kind of screening varies widely according from country to country. Employees in military and nuclear-related facilities undergo particularly close scrutiny from investigators. Although the preliminary methods mentioned above can help deter potentially dangerous employees, the risk of insider threat can also be reduced through the following management practices: • • • • •
Mandatory, regular check-ups for employees Requiring various security procedures to enter protected areas Auditing an employee’s routine work by a personnel manager Establishing a positive work environment Continued education and training
It is also important to note here that management should attempt to understand comprehensively each employee’s situation on these various occasions. We must not collect it as mere individual personal data. It is necessary to carry out these synthetic judgments effectively. Although the behavior of a prospective wrongdoer is sure to show some signs, it is also necessary to acquire actively the bio-data of personnel, and to update this information regularly at each opportunity.
M. Masuda / Nuclear Security Culture: The Need for Universal Standards
33
Importance of Maintenance and Management 1.2. Components and System Various pieces of equipment compose a security system. The maintenance of the security system is very important to sustain its ideal function at any time. It is not an exaggeration to say that how effectively the security system functions will be determined by the quality of routine upkeep. When performing maintenance, we must recognize not only usual ISO procedures but also other important security factors entailed by this work. When abnormalities within the system are discovered during the course of maintenance activities, unearthing the cause then becomes the focus of the staff’s efforts. Further inspection of an abnormality is crucial to determine whether the irregularity is the result of a mere breakdown or of intentional sabotage. Moreover, it is necessary to decide carefully the frequency of routine inspections, the routes taken by patrols, etc., according to the specifications of the system’s equipment. In general, in Japan’s nuclear power industry, the inspection cycle for both the equipment and the nuclear reactor (including the containment vessel) conforms to the operating cycle of the nuclear reactor, and detailed maintenance and tests are regularly performed. These activities are one of the legal obligations imposed on the nuclear power plants owned by the electric power company. Shutting down a reactor for periodic inspection is a major operation in itself. Safety measures built into the main system of the power plant were designed to deal sufficiently with threats such as earthquakes and typhoons, and as a result the cost of these measures and procedures is considerable. In Japan’s nuclear facilities today, various improvements in security systems are being made for purposes of counterterrorism, while periodic inspections of equipment and system operations are performed. Even if the plant is operating when problems with the equipment arise, the security system will be upgraded with the latest hardware. Managers of the security forces of Japanese nuclear facilities understand the purpose of these new pieces of equipment and of updated security systems, and to date we have had few if any problems with the technical knowledge level of security personnel. This desirable custom reflects the importance afforded safety culture in Japan’s nuclear field, which has amassed significant practical experience to further bolster safe operations. Nonetheless, a major problem still exists within this culture. Specifically, an advanced security system is technically marvelous, beautiful, and functional. If the system that the engineer loves works according to specifications, it is free of troubles. The preservation of a security system’s function can be achieved through rigorous maintenance and attentive management, as described above. However, human actors will still play an important role in the workings of the system. In the end, an engineering system represents only a lens through which a human’s judgment is passed. This employee’s judgment possesses great significance, and the value of an advanced security system is decided by the employee’s characteristics. As for the operations of the security system, rigor is essential. However, security guards sometimes tend to be flexible about enforcing security procedures. This problem tends to occur when a superior such as a government official, a top manager in the company, a man with local social influence, or a cabinet member comes to inspect the
34
M. Masuda / Nuclear Security Culture: The Need for Universal Standards
nuclear facility. More frighteningly, such lapses also occur when large groups of general visitors travel to nuclear facilities. When visitors attempt to pass the entrance gate, security guards occasionally bypass the function of the security system and allow unfettered access in an attempt to save time. This seemingly benign blunder appears to be common not only in Japan but also throughout the world. Even an extremely astute security guard sometimes cuts off a noisy siren to avoid painful hearing damage. We have to analyze the practices of security culture in order to unearth the root causes of a security guard’s illogical behavior. We must explore the deep psychology of the individual, which in turn is influenced by an amalgamation of geographic characteristics, political factors, experiences from major disasters, historical backgrounds, traditional customs, and so on. Such study can provide a guide to action.
Effective Management Depends on the Organization 1.3. Organizations and Information Considerations for Information Security Thus it is necessary to examine the assumptions of security culture, which are layered in a structure consisting of an international level, the national level, the local governmental level, the company level, etc. This layered structure applies not only to the field of security but also to other common international disciplines. Indeed, a similar layered structure can be postulated for safety culture as it pertains to the construction and operation of a nuclear power plant. For instance, when we construct nuclear facilities, how has safety culture generally been treated? The concept of safety is applied to each policy of the organization based on the intentions of the safety designer. Then, the manager of each organization (such as the electric power company in Japan) instills the concept of safety through an emergency correspondence manual. To confirm the safety of nuclear facilities, the local government assigns a specialist to evaluate the draft emergency manual. At the country level, the safety of whole systems in entire facilities is evaluated, and permission for construction is granted only after safety conditions undergo careful scrutiny. The government judges these decisions against globally recognized safety norms and determines whether a given facility lives up to international standards. In Japan, this basic hierarchy for evaluating safety is the same both for small and for larger organizations. Past experiences have impressed upon us the necessity of safety in the nuclear field, and accordingly these kinds of safety procedures take place on a daily basis. This multi-tiered approach to reviewing and improving safety, we believe, provides the best insurance against worst-case scenarios such as a diffusion of radioactive materials as a result of insider sabotage or terrorist attack. Here, we can see that safety culture and security culture have some features in common. If the layered structure postulated above indeed explains reality, then actions premised on it should help us contain the effects of accidents and manmade emergencies. However, we should not discuss this approach in a vacuum, and we
M. Masuda / Nuclear Security Culture: The Need for Universal Standards
35
should be proactive. Thus we should aim to prevent an attack beforehand. It is also necessary to note that: • • • •
Culture is not related to the scale of the organization, so it is crucial to have a manager with strong leadership skills in each hierarchy. The leaders of a given organization must strive to accomplish their duties with a sense of both safety and security. It is necessary to establish an information reporting system among related organizations, and for these organizations to update one another regularly with the latest verified information. Information about terror threats must be obtained from the military, the intelligence agencies, the local police, private information banks, and other sources. This information must be efficiently analyzed, and an information system capable of transmitting analysis and findings rapidly to the organizations affected by these threats is necessary.
Self-Regulation It is necessary to manage nuclear security information with great care. It is especially crucial to take into account the fact that security systems use sensitive security information. Since the chances for information leaks and theft have risen in recent years, thanks to growing computer and Internet use, management of computer operations should be more stringent. For example, a computer virus recently infected multiple personal computers in Japan, resulting in personal and engineering data being leaked to the Web. This helps demonstrate that information management is critical not only for stand-alone information workstations but also for networked ones. The Japanese government now demands judicious oversight of information security relating to the nuclear power field. The government requires facilities not only to follow the letter of the law diligently but also to establish and abide by in-house rules. Even within these self-imposed regulations, nuclear security information is still sometimes divided at different levels. This hierarchical classification of information aims to control information in detail. It is necessary to perform information management at each stage of a security system, during its design and installation as well as its operational stage. Often, we tend to shift the focus to the economic aspect. However, the essence of this discussion is to devise methods of evading and preventing a terrorist attack such as that of 9/11, an attack that can occur at any time.
Revised Law Japan’s law concerning nuclear security restrictions—a law which imposes the DBT methodology on the nuclear complex—was revised as recently as December 2005. An information protection law intended to safeguard individual privacy has been in force since April 2005, with the result that the identities of and personal information about employees in nuclear-related fields are no longer disclosed to the public.
36
M. Masuda / Nuclear Security Culture: The Need for Universal Standards
The revised law concerning nuclear power restrictions provides explicitly for the use of DBT, classifies security information, and mandates stringent facility oversight. The December 2005 revision aims to strengthen the security of Japanese facilities using DBT profiles of individual sites, and it categorizes all information relating to nuclear security as confidential. Enforcement regulations were added, although Japanese law does not punish leaks of information regarding nuclear security. As a result, parties concerned in the nuclear power field must participate more actively in information management. This process has also initiated changes to regulatory rules as power plants’ administrative organizations and security forces alike move toward compliance with the guidelines set forth in the government’s latest legislation. In all likelihood the security of nuclear facilities in Japan will take even higher priority in the future. Because the security system at the national level is integrated with a backup system for disasters such as typhoons and earthquakes (discussed below), a positive outcome is probable.
1.4. Total Approach Each discussion above concerns different parts of elements that, on the whole, comprise security culture. These ideas are applied generally, and therefore they can be applied toward a much broader field of study, beyond just nuclear facilities. Moreover, the role of personnel played a large part in the discussions above, and the importance of careful human oversight was demonstrated. To examine the universality of security culture, the need for taking insider threats into consideration was also shown. In the following discussions, the elements described above are effectively combined to create a comprehensive approach to the formation of a universal nuclear security culture.
Toward a Definition of Security Culture To assure that a security system functions reliably, I insist that a human presence is always necessary. Therefore, it is necessary to emphasize the word “human” throughout these various discussions of universal security culture. I believe that attempting to define security culture while disregarding the critical role human factors play is impossible. In this paragraph, I would like to try to define security culture from my viewpoint because its definition varies by country. Wording or terminology that includes “human” is an important prerequisite for any definition of security culture.
Aspects of Security Culture To define security culture, the following elements are extracted from the above examinations:
M. Masuda / Nuclear Security Culture: The Need for Universal Standards
• • • • • • • • •
37
Maintenance activities involving a system’s equipment. Regular and independent confirmations of the system’s status. Confirmation though inspections and audits conducted by specialists. The effective execution of information gathering and control. Effective organizational and management practices exercised by powerful leadership. Oversight of personnel, with particular attention to the insider threat. Continuous education and training with regard to the entire security system. An effective symbiosis, as mentioned in the above discussion. Finally, it is necessary to recognize that security culture applies not only to employees in the security field but also to the surrounding society.
I believe that these points represent preconditions for any discussion leading to a definition of security culture. We can say that a security system is functioning effectively at any given time if: • • • • • •
The security staff is dependable and has had sufficient education and training to operate the security system. The organization which controls the security system shares the latest information with other, similar organizations and works efficiently using good management practices. The organization has a reliable leader. The implementation of security practices closely follows government policies and procedures. The performance conditions and necessities pertaining to security are acknowledged and supported by the wider society. The conditions above are functionally well-balanced.
Nonetheless, this approach lacks the very important points discussed below. As will be further explored, the influence of government policy, geographical environment, race, religion, customs, and economics, as well as of the interrelationship among these factors, is also significant with regard to security practices. Furthermore, security priorities cannot be supported by a society unless security culture itself is universal and clearly defined. Again, an especially important point to remember is that the role of the “human” is critical in all of these elements. In other words, the keyword is “human.” As already mentioned above, universal security culture cannot be examined or built up without first acknowledging the importance of human elements. Therefore, I wish to examine the common factor presented in these elements—that of the human presence. For instance, regardless of the size of the organization to which a human belongs, a view of life and life’s values, along with a distinctive historical view, is involved in each element examined here. Given this situation: • Attacks by terrorists against nuclear facilities would become threats not only to local environments but worldwide. • This is the same as the influence of a major accident in a nuclear facility, which poses a common threat to the human race.
38
M. Masuda / Nuclear Security Culture: The Need for Universal Standards
In this sense, the terrorist’s malicious activities threaten to destroy the foundation of these basic elements.
Propaganda Is Necessary Effective propaganda is an indispensable tool to ensure that security culture receives the support it deserves from the wider society. True, it is important for specialists to examine the methods through which a security system can be protected from terrorist attack. However, general public awareness of possible terrorist attacks offers a large, untapped resource to augment the abilities of specialists. We should not forget the reality that terrorists hide themselves within this very same society. This fact is true of any country. We tend to assume that only specialized organizations can help counter terrorism. This perception, however, is not entirely accurate. The eyes and ears of the general society are necessary to furnish the information needed to thwart terrorism. Just as the eyes of society can be used to solve ordinary crimes, information from the general public can be used to prevent terrorism. Therefore, it is necessary to improve and expand the use of propaganda. In this case, we should not overlook elements of international society (such as the IAEA) that can play critical roles in public outreach initiatives.
1.5. Background The examination above explores the methodology needed to maintain the proper functioning of a security system. Investigations of the elements that form the background of a human’s character are indispensable to discussions about security culture. We have to examine what exactly does influence the background of a security culture. To begin this exploration, psychology, as shaped by geographic characteristics and historical background, is indispensable. Finally, the direction of security culture as a whole can be examined using this background.
Geographical Background—The Formation of Safety Geographic conditions are major factors in national identity. In turn, these conditions have a deep influence on governmental policy and economics. Today’s national borders, which often conform to geographic features such as mountain ranges or the sea, demonstrate the historical persistence of the threat of foreign invasion. In recent years, however, the importance of seas and mountains has decreased from the standpoint of geopolitics. Human societies tend to depend on geographical conditions as long as these conditions remain important. For example, an isolationist policy is a typical one. While such a policy lasts, the people within the isolated society tend to become dependent on governmental policy. Subsequently, the idea of safety becomes ingrained in the society’s culture, representing a form of common sense.
M. Masuda / Nuclear Security Culture: The Need for Universal Standards
39
This geographical explanation explains why Japan has occupied the same cultural sphere for such a long time. As seen below, geographical background can strongly influence the historical context.
Historical Background I believe that temporary factors do not become embedded in a general culture. Only when a factor is repeated over a period of time can it become part of the societal culture. The influence that nature and geography have on culture was alluded to above. At any given time, the government enacts policy according to its geographical environment. For example, if a country does not have to fear invasion from another country and its safety is assured for a long time, the general populace welcomes the situation. If a similar policy is repeated over a long timeframe, it becomes embedded in a society’s culture, although this experience can vary from country to country. Consider an example from Japanese history. About 420 years ago, in 1588, Shogun Hideyoshi Toyotomi issued a very famous and unprecedented instruction, known as the Confiscation of Arms, to the general public. In 1870, a new law prohibited even the samurai from carrying swords. Along similar lines, the postwar Japanese government passed a law in 1946 prohibiting the personal acquisition of guns as well as swords. To this day, both the sword and the gun remain forbidden to the common person except as works of art. These laws and orders represent a special policy of government regarding the methods of self-defense permitted in the country. As a result, Japanese culture no longer emphasizes the need to possess personal weapons as a means of personal protection. From longstanding experience, people in Japan depend instead on the power of the state for their security.
Psychology by Natural Disaster The experience with and cultural influence of natural disasters varies widely from state to state. Something is incorporated into the culture when there is continuity and repetition. In this respect, the psychology produced by natural disasters greatly resembles that created by a nation’s historical background, as discussed above. When a natural disaster occurs repeatedly, the experience exceeds a single generation and will become part of the society’s culture. A good example of this process can be seen in the lessons learned in Japan from repeated catastrophes. A similar discussion is possible from a geographical vantage point. However, repeated disasters can quickly make their way into national culture, as discussed below.
Typhoons and Earthquakes The best model to which security culture can be compared is that of safety culture. Because the national experience with natural disasters such as earthquakes and typhoons is abundant, Japan’s recognition of safety culture is extremely keen. The level of understanding of these traumatic events among the Japanese people is likewise quite
40
M. Masuda / Nuclear Security Culture: The Need for Universal Standards
high. To help explain Japan’s heightened cultural attentiveness to possible crises, the geographic location of the Japanese islands is paramount. A large earthquake struck Tokyo on September 1, 1923. Approximately 142,800 people were killed or missing, and over 575,000 buildings collapsed or burned down in the ensuing fires. As a result of these catastrophes such as this one, the culture of crisis management in the Japanese people has become quite strong. It can be said that since large earthquakes occur periodically, they imprint a continuous fear of disaster on the culture. From historical experience with such disasters, backup systems have been instituted in addition to formal government policy. Today, special surveillance areas employing advanced high technology have been established to watch for signs of impending earthquakes. It is also true that typhoons present a formidable menace to the people of Japan. Because satellites can measure the direction, scale, etc. of weather patterns on an hourly basis, however, predicting possible typhoons is relatively easy. Therefore, the public’s fear of typhoons differs from its fear of earthquakes. Instead of national planning, local governments spearhead preparations for possible typhoon damage. Because the nation’s experience with natural disasters such as earthquakes and typhoons is wide-ranging, safety culture is ingrained. The general public broadly agrees on the precepts for safety identification and response. In Japan, all types of disaster prevention take place on the governmental level due to past experiences with typhoons and earthquakes. As part of these preparations, engineering developments designed to prevent damage beforehand have made remarkable progress. Various communication networks and disaster evacuation procedures serve to aid the government in the unfortunate event of a disaster. In the nuclear domain, revisions to the law concerning radioactive contamination have also been added. In turn, preventive procedures and regulations designed to reduce the effects of natural damage to nuclear facilities have shaped the safety measures designed to guard against terrorist attacks on these same facilities. In the past, the Japanese people had little need to worry about threats posed by foreign forces because of the nation’s geographic isolation and government policies enforcing isolation. For such reasons, parts of Japanese society insist today that terrorist attacks on nuclear facilities are altogether impossible.
1.6. Example of the Culture of Disaster Prevention The relationship between seismic hazards and nuclear facilities is particularly strong with regard to the development of technical methods and means for environmental assessment. Because of the risks nature poses to nuclear facilities, simulation technology has become a necessary element of efforts to predict the discharge and diffusion of radioactive materials in a nuclear incident. Today, the same technology designed to forecast the effects of radioactive dispersal following a natural event can be used to imagine the possible consequences of a terrorist attack. Nuclear incidents across the world have also helped influence the safety of nuclear facilities in Japan. It seems that a crisis consciousness has emerged as a result of events such as Three Mile Island, Chernobyl, and the accidents of Tokai-Mura. This consciousness has spurred the rise of safety technologies.
M. Masuda / Nuclear Security Culture: The Need for Universal Standards
41
Disaster Preparedness Day There are several national-level approaches to the possibility of a nuclear incident in Japan. One such approach finds expression in “Disaster Preparedness Day,” which is held annually on September 1, involving a variety of disaster-related training activities. This memorial day was designated by the government to commemorate the dark experience of the 1923 Tokyo earthquake. On this day, training mandated by law is executed by nuclear facilities and nuclear power stations throughout Japan. Various organizations such as the police and fire departments and the coast guard participate in large-scale training exercises. Additionally, the Self-Defense Forces conduct extensive rescue drills. These activities reach beyond the government sector. Iodine tablets are distributed to residents who live near nuclear facilities, while hospitals nationwide practice their responses to radiation exposure. Special counterterrorism task forces within the police and defense forces prepare to control radioactive contamination. Communication networks are established nationwide, linking police and fire stations with hospitals near nuclear facilities. At the top of the communication network sits the government’s Crisis-Management Task Force, headed by the prime minister. This task force assembles whenever a nuclear incident occurs. The capabilities exercised on Disaster Preparedness Day clearly exhibit the influence that natural catastrophes (earthquakes, typhoons, and volcanoes) have had on national disaster-prevention practices in Japan. These technological developments, evacuation procedures, and communication networks could provide valuable tools for the response to major nuclear hazards created by terrorist attacks. Realizing this, the government has adapted many of the radioactive contamination measures used during natural disasters for use during terrorist events.
2. Conclusion In order to create a universal security culture, we must sustain the effectiveness of both hardware and software systems. As methods to accomplish this goal, continuous monitoring, audits, and on-spot inspections are vital. It is also necessary to recognize the importance of the processes of propaganda, education, and training. As previously mentioned, if deep psychology tests are not conducted, human errors will continue to repeat themselves. Even the most wonderful high-technology systems need human judgment and intervention. Personnel oversight is an important aspect of any security system. Also, it is necessary to monitor multinational efforts, since various major flaws in any security culture and outside experiences can provide useful insights and lessons. Ultimately, an effective security culture will be fundamental to any multinational effort to defeat nuclear or radiological terrorism.
42
M. Masuda / Nuclear Security Culture: The Need for Universal Standards
3. Appendix: Hypotheses About Customs
Hypothesis 1: Life in Open Fields Table manners requiring silence when eating are an unnecessary custom for a people with an agriculture-oriented base. In an agricultural nation, the appearance of crop growth in one’s field is always being watched and confirmed by one’s neighbor, who also attends to his own field. There are no dangerous animals around these fields of crops; therefore, people within an agrarian society face no danger when loudly eating in an open rice field.
Hypothesis 2: Life in a Cave On the other hand, there was persistent danger for those who lived within caves that they would be attacked by a hungry brute if they did not eat quietly. So, we can say that the culture of eating meat gave rise to a “culture of crisis.” Consequently, loud eating was strictly prohibited in caves, and later, with the passage of time, the custom of silence evolved into table manners in European culture. Every phenomenon we discuss relating to nuclear security can be interpreted and understood in similar fashion. Perhaps, this consciousness and attitude toward crisis management, drawn from ancient necessity, has been imprinted into our DNA and will remain an instinct into the 21st century.
Hypothesis 3: Lighting Recently I discovered an interesting fact. We Japanese maintain our custom of lighting an entire room with a fluorescent lamp, and we prefer this to partial lighting. The custom of partial lighting only recently began to take root in Japan as an influence of European-style fashions. Did this difference in lighting culture originate with the difference between hunting people, who become accustomed to dim partial lighting in their caves, and agricultural people, who typically lived in the wide-open air of the plains? And do the latitude, the longitude, and the amount of daylight in the places where people live relate to the elements mentioned above? It could be said that differences among cultures of living can be explained by different backgrounds of security culture. I believe this hypothesis might help us understand the deep psychological underpinnings bequeathed to security culture by ancient custom.
Nuclear Security Culture: From National Best Practices to International Standards I. Khripunov et al. (Eds.) IOS Press, 2007 © 2007 IOS Press. All rights reserved.
43
Relationship of Management Systems, Human Performance, and Security Culture Charles PACKER Cherrystone Management, Inc. Canada Abstract. In the field of security, equipment and management systems, or security systems, are established ahead of time to address anticipated threats. Routine tasks and the response to actual or suspected events are controlled in real time by the performance of individuals and teams (human performance), while the possible impact of unknown conditions or threats is minimized through anticipation and learning (learning). Together, these three areas of the overall security system make up what we can call the “security culture” of an organization.
MINIMIZE THE UNKNOWN AND RESPOND TO THE UNEXPECTED ANTICIPATION AND LEARNING
CONTROL AHEAD OF TIME
CONTROL IN REAL TIME HUMAN PERFORMANCE
SECURITY SYSTEMS ANTICIPATED EVENTS are avoided by SYSTEMS and BEHAVIORS
UNEXPECTED EVENTS emerge from what is UNKNOWN or INVISIBLE
These three areas are strongly interdependent, but each has a specific area of focus where it exerts its influence most powerfully, and without which the effectiveness of the other two is weakened. The diagram above illustrates these focal areas.
44
1.
C. Packer / Relationship of Management Systems, Human Performance, and Security Culture
Security Systems
A strong and effective security system is the critical foundation for all of the three areas. Without a strong system (both management processes and suitable equipment), it is not possible to structure, identify, and implement a human performance program or a security-culture program. However, a strong system will not ensure security by itself; for that to happen, the system must be respected and followed. And so at this point it is necessary to start thinking about the actual behaviors that exist in the organization (human performance) and to assess whether or not they are in line with requirements. We can then go on to look for the underlying perceptions, attitudes, and beliefs that are driving “what actually goes on around here”−in other words, the security culture.
2.
Human Performance
The concepts underlying human performance are directed toward helping management understand and implement specific techniques to increase the probability of desired outcomes and reduce human error. These techniques are ultimately behavioral but are supported by various tools and procedures. Some organizations choose to limit the concept of human performance to those aspects which reduce or prevent human error in the execution of work. Others expand the scope to include additional areas such as effective teamwork or decisionmaking at the management level. The primary focus of human performance programs is therefore to exert control over “what happens in realtime” during the execution of a task, whether that task involves hands-on work or work in offices or meetings. These techniques aim to reduce error and to improve decisionmaking in the cause of security. Human performance programs are therefore based on identifying and establishing specific patterns of behavior in the organization. These patterns are designed to be set in motion by specific situations. For example, certain types of teamwork or commandand-control are triggered by situations which demand security-critical decisions to be made. The triggers, tools, and behaviors that go to make up a human performance program are usually the result of extensive research and practice across different organizations and industries. For example, techniques such as the use of the phonetic alphabet and three-way repeat-back communications are used worldwide in many sectors when communicating operational information, and they have a long history of success. As distinct from the security culture, which always exists, it can be said that a human performance program or orientation only exists in an organization by choice. To implement such a program requires a management decision, a search for good practices, and a major long-term effort to embed the required concepts and behaviors within the organization. As the program proceeds, its qualities therefore become part of the security culture, and people’s attitudes toward and perceptions of it can be assessed. In summary: 1.
Human performance programs are very specific and exact in what they intend to accomplish, and in identifying the desired triggers and behaviors.
C. Packer / Relationship of Management Systems, Human Performance, and Security Culture
2. 3. 4.
45
The best human performance techniques have usually been developed through extensive research and practice across many organizations. Human performance programs are established by management decision, but once established, they come to form part of the security culture. The primary focus of human performance techniques is to control what happens in real-time during the execution of assigned tasks.
Security Culture
Security Culture and Events Security culture is a fairly new concept, and so it is useful to illustrate some of its ideas by using examples from the safety field, in which the follow-up investigations from catastrophic events virtually always reveal that certain patterns of behavior or deeply held beliefs had infected the culture to the point where “the event was inevitable.” The point of looking at the culture is to find and reverse these traits before the event happens. An example of this in safety (rather tha security) terms was the Chernobyl nuclear power plant accident of April 26, 1986. At Chernobyl the operators were instructed to perform an abnormal test. As they executed the test, the reactor literally exploded, causing widespread radioactive contamination and a number o short-term fatalities. The human causes of the event included: a)
Obeying instructions from above despite warning signs indicating that the instructions were wrong (pattern of behavior of excessive obedience to authority).
b)
Proceeding with the test despite the fact that they were not properly prepared for it (responding to perceived pressures rather than real-life indications).
c)
Disregarding every indication from the reactor tha what they were doing with the controls−bypassing interlocks, ignoring alarms, etc.−was hazardous (assumption that the reactor was robust, with some extra margin of safety).
The security culture of an organization embraces everything that goes on inside the organization. That is, it includes security systems, patterns of behavior that can be observed, and attitudes and beliefs that are shared. As such, a security culture always exists, whether good or bad, and it has a limiting effect on everything that goes on. For example, if people have come to believe through observation that management does not really believe there is any serious security threat, then the attention and respect they pay to the security function and the priority afforded it will all become weak. Within an organization, the culture can be coherent and widely shared (i.e., the same patterns of behavior and attitudes are found in all departments and at all levels), or it can be varied and fragmented into “subcultures” (i.e., when the substantially different from the
behaviors and attitudes of certain groups or layers are behaviors and attitudes of other groups). The security culture of an organization affects all of its efforts; however, to concentrate our focus, it might be said that culture exerts its strongest influence when no one is looking. In other words, culture is the controlling force not only on day-to-
46
C. Packer / Relationship of Management Systems, Human Performance, and Security Culture
day routine but also on the unexpected and the abnormal. When one remembers that essentially all past major, dramatic accidents or security events appeared at the time to be unexpected (or were misdiagnosed or misinterpreted), then the significance of security culture starts to be apparent.
HAZARD Lack a sense of urgency about fixing defective equipment
PHYSICAL Barrier
Don’t follow all the procedures
PEOPLE Barrier
Don’t report minor problems or unusual observations
LEARNING Barrier
Make non-conservative decisions in situations of uncertainty
“LAST-CHANCE” Barrier
INVISIBLE ASSUMPTION “There is no serious security threat”
EVENT
To understand the strengths and weaknesses of the security culture, it is normally necessary to perform an assessment of the attitudes, beliefs, perceptions, and patterns of behavior that go on in the organization and which, by habit, go largely unnoticed under normal circumstances. Such an assessment therefore complements other audits and reviews rather than repeating them. An example would be that the security management system in an organization is normally audited both internally and externally. Therefore, a security-culture assessment need not go into depth about the security and management systems themselves, but can limit itself to asking questions about the respect paid to the system and the perceptions of its effectiveness.
3.
The Power of Assumptions and Beliefs
Cultures are founded on deep-rooted and widely shared assumptions and beliefs that are normally invisible and unconsciously held. These beliefs are formed through experience, but once formed, they perpetuate themselves. The diagram below shows how a single unconscious assumption can infect the culture to a point where security barriers are routinely broken.
C. Packer / Relationship of Management Systems, Human Performance, and Security Culture
47
Note that the unconscious assumption is built up in the minds of new employees when they observe what normally goes on in the organization–people violating routine security checks, security guards letting managers’ cars through barriers without inspections, supervisors tolerating minor equipment deficiencies, etc. In this way, the flawed belief system is constantly reinforced. In summary: 1. 2.
3.
4.
There is always a security culture in an organization: the question is whether it is strong or weak. The security culture affects everything. When it is assessed, however, it is appropriate to look more at attitudes, beliefs, and behaviors than at security systems, which are assessed through other means such as internal and external audits. The security culture limits the standards of security that can be achieved in practice.
A Self-Assessment Process fo Security Culture
DESCRIBE THE DESIRED CULTURE
SECURITY CULTURE FRAMEWORK
PRODUCE ASSESSMENT TOOLS Decide how to assess each characteristic, e.g., surveys, interview guides, or observation checklists. Produce the related tools and training materials, etc.
SURVEY AND ASSESSMENT MATERIALS
PERFORM ASSESSMENT Administer the survey, interview people, and observe what goes on in the organization
REPORT
FOLLOW UP Interpret the report, plan remedial action, etc.
ACTION PLAN
48
C. Packer / Relationship of Management Systems, Human Performance, and Security Culture
5.
Security Culture Framework
The starting point for a security-culture assessment is a written description of the desired characteristics of the culture. This description is often called the “Security Culture Framework,” and a typical example is shown here.
OBJECTIVES AND RESULTS INDICATE A STRONG REGARD FOR SECURITY o
Security Performance Indicators
SECURITY EQUIPMENT IS IN GOOD CONDITION o o
Operational and Security Equipment Physical Working Conditions
MANAGEMENT SYSTEMS ARE EFFECTIVE o o o o o o o
Security Rules and Procedures Capability and Training Planning Change Management Recognition and Rewards Drills and Practices Regulatory Relationship
BEHAVIORS FOSTER A HEALTHY SECURITY CULTURE Leadership Behaviors o o o o
Standards and Expectations Effective Supervision Decisionmaking Open Communications and Trust
Individual Behaviors o o
Personal Work Practices Vigilance and Questioning
SECURITY FOUNDATIONS ARE IN PLACE AND UNDERSTOOD o o o
Security Systems Reporting Incidents and Concerns Oversight and Improvement
PRINCIPLES ARE APPLIED TO GUIDE DECISIONS AND BEHAVIOR Specific security principles that the organization uses are applied here
SECURITY-CRITICAL ASSUMPTIONS ARE WIDELY SHARED o
We are vulnerable to events (“It can happen here”)
C. Packer / Relationship of Management Systems, Human Performance, and Security Culture
49
As a note, there is currently no standard description of what a good security culture should look like, although there are plenty of raw materials on which to build. A typical security-culture framework consists of about 7580 statements grouped under a set of higher-level elements. Ideally, such a framework is produced in collaboration with the management of the organization. A small sample is given below in which there are six observable characteristics under the higher-level element “Incidents and Concerns.” Note that this way of describing the desired security culture helps determine what sort of questions to ask in a survey.
SECURITY FOUNDATIONS ARE IN PLACE AND UNDERSTOOD Security System Incidents and Concerns Oversight and Improvement
EXAMPLE OF SECURITY CULTURE FRAMEWORK CHARACTERISTICS Incidents and Concerns 1. The organization has established processes to allow and encourage employees at all levels to report security concerns and actual or suspected events. 2. Employees at all levels understand the expectations for reporting events and unusual occurrences (i.e., thresholds, consequences of not reporting, etc.). 3. Employees at all levels are comfortable raising security concerns without fear of retribution, and a significant number of reported concerns, near-miss events, etc. attest to this practice. 4. Managers and supervisors act promptly on reported concerns (with examples proving they do so) and communicate what corrective action will be taken. 5. Employees and supervisors report that when an error or event occurs, management wants to find out what went wrong and does not focus primarily on who was wrong. Possible Related Survey Questions o When something goes wrong in this organization, we try to find out what went wrong, not who to blame for it. o I feel comfortable reporting a problem or concern. o If we report a problem or concern, we usually hear back what will be done about it. o I think we are good at learning from our mistakes and problems. o I know what types of incident or concern I am expected to report.
Once the framework is in place, assessment tools such as surveys can be developed. The framework can also be used for training and development purposes, as it tells supervisors and managers what they are aiming to create in the culture.
6.
Security Culture Surveys
A security-culture survey might typically be 50-60 questions in length. The phrasing of questions and statistical analysis of the data can be done by specialists in the field. Demographic data can be collected (e.g., by department, organizational level, years of service, or work group). The survey questions should be tied directly to the elements of the security-culture framework. Surveys can be administered either electronically or on paper. In either case, it is important to assure that individual responses cannot be
50
C. Packer / Relationship of Management Systems, Human Performance, and Security Culture
identified from the data. This preserves confidentiality for the respondents while helping ensure that they answer the survey questions as honestly as possible.
7.
On-Site Assessment
An on-site assessment elicits additional information about a site, allowing for a more comprehensive security-culture assessment. The process typically starts with the production of a set of assessment materials matched to the security-culture framework. These normally include: • • •
Interview questions A meeting observation guide Team training materials
One of the most difficult aspects of cultural assessment is how to aggregate and record the data and insights gleaned from interviews in such a way that the information gathered supplies a valid standard of comparison if the assessment is repeated two to three years later. A method must therefore be devised to record the results of interviews conducted and observations made during the assessment. This method is used to rate the impressions and information gained from each interview or observation. It is best to record both statistical data and written comments for later analysis. The information gathered from this process, together with survey data, forms the basis for judgments regarding the state of the security culture. In a typical assessment, a team of six to eight people from inside and outside the organization interviews employees from various levels in the organization over a period of one to two weeks. The team also observes behaviors in the workplace and in activities such as meetings. By the end of the assessment, the team will have gathered an extensive volume of information to evaluate against the set of characteristics in the security-culture framework. Again, full confidentiality must be maintained throughout the process. A security-culture assessment has far more value if the process is repeated at intervals (typically every two to three years), allowing for trend analysis. Repeat assessments can show change (or show that there has been no change), furnishing essential insight for managers.
8.
Assessment Report
Survey results are normally reported question by question, together with demographic breakdowns. An example is shown. Question: “I feel comfortable reporting a problem or concern,” rated on a scale of 1-7
51
C. Packer / Relationship of Management Systems, Human Performance, and Security Culture
80
Percent
60
MAIN FUNCTION Security Guards Maintenance Employees Security Supervisors Managers
40
20
Score 5.8 5.9 5.6 6.2
0 1
2
3
4
5
6
7
Rating
Similarly, the results of interviews and observations can be related to the characteristics of the security-culture framework in order to help the assessment team and management gain an understanding of the strengths and weaknesses of the culture. There is a need to present the overall findings from an assessment in a simple way, preferably on a single page. Our method of doing this is to break the issues out into three categories, as shown below. STRENGTHS
STRENGTHS ACCEPTABLE
ACCEPTABLE
IDEAL TREND: FROM AWARENESS TO STRENGTH OVER A PERIOD OF TIME NOT YET RECOGNIZED AS AN ISSUE
NEEDS ATTENTION
NEEDS ATTENTION
LONGSTANDING PROBLEMS
WEAKNESS
EMERGING: The issue is not widely recognized.
CHANGING: The issue receiving attention and perceived to be changing.
WEAKNESS
is is
LONGSTANDING: The issue is known about and has existed for a long time.
52
C. Packer / Relationship of Management Systems, Human Performance, and Security Culture
This “Security Culture Map” presents the key insights from the assessment in two dimensions. The vertical scale captures the scores assigned in the various areas, and the horizontal scale divides the areas into three groups, depending on the degree to which they are an established feature of the culture.
9.
Interpreting the Report
Some things to consider when interpreting a security-culture assessment report are given here. Perception May Not Be Reality If, for example, survey results indicate that the great majority of people believe that they report unusual observations, yet managers have evidence that this is not really true, then clearly people’s perceptions are out of step with reality. This situation needs to be improved, aligning perceptions with concrete facts. To claim a high score in this area as a good result is obviously incorrect. The Issue or Situation May Be Changing If management has only recently started work on an improvement initiative, then it will likely receive negative feedback, and a low score, when people rate its effectiveness. This does not mean that the initiative is unnecessary or that in the long run it won’t be effective. In this case, to treat the low score as “poor” or requiring remedial action is not appropriate. Consider Solving Problems in New Ways Since the culture is “the way we do things,” it may be necessary to think of new ways to solve problems. Otherwise the action plan may end up reinforcing the existing, dysfunctional culture. Communicate the Results Employees need to know that managers heed the input employees provide when they respond to a survey or undergo an interview. It is important, therefore, to communicate the results of any assessment where it is practical to do so without compromising security. Simply performing an assessment and communicating the results gives security a higher focus and can improve performance. Look for Common Causes Many weak points in a security culture can arise out of a few root causes. For example, a lack of effective two-way, face-to-face interactions can show up in poor ratings of many of the characteristics of a typical security-culture framework: • • • •
Lack of personal recognition Lack of supervisory coaching People failing to understand the basis for management’s decisions or believing that management makes bad decisions People feeling that management does not listen to them
C. Packer / Relationship of Management Systems, Human Performance, and Security Culture
53
Choose Only a Few Initiatives Self-assessment of the existing security culture will reveal a number of weaknesses, but it is better to work on a few cultural-level initiatives than too many. Use Change Management Use a structured change-management process. There are many models for effective management of change, but in simple terms all of them incorporate four steps: • • • •
Understanding the reasons for and potential impacts of the change Planning the change Implementing the change Reinforcing the change
Focus on the Front Line Frontline supervisors are the typically the most critical people in the organizational culture, in that what they insist on or tolerate becomes the norm. They must be informed about all changes, therefore, and they must know what is expected from them and their employees. Senior Management Role Cultural change requires a sustained effort and focus over a long period of time, and this has to be generated by senior management. If leaders do not actively support the desired culture, then employees will form their own culture (beliefs, attitudes, and behaviors), with potentially damaging consequences.
This page intentionally left blank
Nuclear Security Culture: From National Best Practices to International Standards I. Khripunov et al. (Eds.) IOS Press, 2007 © 2007 IOS Press. All rights reserved.
On the Need to Strengthen Nuclear Security Culture in View of New Security Risks Friedrich STEINHÄUSLER Division of Physics and Biophysics University of Salzburg Austria Abstract. Over the past few years, security threats to the nuclear fuel cycle have increased as a consequence of increased terrorist activities worldwide. The civilian and military nuclear industry has extensive experience in dealing with security issues. This experience is reflected in the industry’s security culture, which is generally further advanced than in many other sectors of the national infrastructure in industrialized countries. The reason for this lies in its characteristics, which render the nuclear industry inherently more prone than other industries to security threats: the symbolism inherent in the nuclear industry, which is viewed as a cornerstone of modern industrialization; the physical and chemical properties of the radioactive materials handled at nuclear sites; the importance of the civilian nuclear industry to the national economy, producing up to 80 percent of total electricity in some countries; and the importance of the nuclear sector to national security in nuclear weapon states. The increasing incidence of suicide terrorism worldwide, coupled with the increasing degree of transnational operational logistics used to plan and implement covert illicit activities, has resulted in new security risks for the nuclear fuel cycle. These new security risks cover a wide range, from the successful establishment of international networks that covertly traffic in nuclear technology and materials, to the loss of “self-protection” of radioactive materials in the case of suicide terrorism. Several such security threats have already emerged. Therefore, it will be necessary for nuclear facility owners and operators, security agencies, and regulators to strengthen the current nuclear security culture at all levels by considering it as a dynamic process, reflecting the needs of the time. This will require a review and overhaul of the current security management system, building sufficient flexibility into the system to make it applicable to all nuclear operations for all situations, since there is no “best” approach. Key to success in countering new threats is a clear emphasis on the important role played by each of the stakeholders. Ideally, a comprehensive nuclear security culture (CNSC) system should reflect a close relationship among operators, managers, and regulators in jointly analyzing new threat scenarios, developing adequate, cost-effective countermeasures, and allowing each stakeholder to identify for himself his specific contribution to the overall goal. Four universal properties of a CNSC system are presented here, which should enable the nuclear community to adapt the current nuclear security culture to the new security risks.
55
56
F. Steinhäusler / On the Need to Strengthen Nuclear Security Culture in View of New Security Risks
1. The Global Importance of Nuclear Security Terrorism crossed the line from conventional terrorism to strategic terrorism on September 11, 2001 with regard to the degree of sophistication, the comprehensiveness of logistical preparations and requirements, the attack mode and weapons deployed, the scale of harm inflicted on the targeted population, and the socioeconomic and political impact resulting from the attacks.1 These simultaneous attacks on multiple targets showed clearly that were no constraints on the desire of terrorists to inflict mass casualties. The possible modalities of strategic terrorist attacks employing nuclear and other radioactive substances fall into three categories: (1) diversion of nuclear-weaponsusable material to build a crude nuclear device (CND); (2) diversion of other radioactive material to use in connection with a radiological dispersal device (RDD); (3) attack on or sabotage of a nuclear facility in order to cause a major, uncontrolled release of radioactivity. The threat scenarios associated with these attacks and the probability for them to happen cover a wide range. While weapons-usable material and weapons-grade material have been diverted on several occasions since 19902, the construction of a CND requires some minimum technical and logistical capabilities which are beyond the capacity of many terror organizations.3 By comparison, the diversion of a radiation source suitable for construction and deployment of an RDD poses few obstacles for most terrorists. Attacks on different components of the nuclear fuel cycle (e.g., nuclear fuel fabrication sites, nuclear power plants, vehicles transporting spent fuel) present multiple operational challenges for the attackers, ranging from recruiting insiders to choosing the mode of attack. The resulting impact can range from insignificant to a facility kill.4 The probability of an incident involving an RDD is high in view of the attractiveness of such an attack, which would attract massive media coverage and inflict substantial psychological impact on society, beyond any actual damage done to the targeted nuclear facility. The characteristics of the nuclear industry make it more attractive than other industries as a target for strategic terrorism. Specifically: x
x
Symbolism: The nuclear industry is viewed by nations in possession of a developed nuclear infrastructure and developing nations alike as a cornerstone of modern industrialization. A terrorist attack on any nuclear facility thus would be viewed as a major success for the terrorist cause. Properties of Materials Handled: The physical and chemical properties of the radioactive materials handled in the nuclear fuel cycle are such that the possibility of high-consequence accidents or manmade disasters cannot be excluded. Several major accidents in nuclear fuel facilities, such as Windscale
1 Friedrich Steinhäusler, “Strategic Terrorism: Threats and Risk Assessment,” in European Security and Transatlantic Relations after 9/11 and the Iraq War, ed. H. Gärtner and Ian M. Cuthbertson (New York: Palgrave-Macmillan, 2005), pp. 48-65. 2 Lyudmila Zaitseva and Friedrich Steinhäusler, “Illicit Trafficking of Nuclear and Other Radioactive Material: The ‘Net’ Security Threat,” International Journal of Nuclear Knowledge Management, forthcoming. 3 Friedrich Steinhäusler, “What It Takes to Become a Nuclear Terrorist,” American Behavioral Scientist 46, no. 6 (February 2003): pp. 782-95. 4 NATO SST. CLG. 978 964, Terrorist Attacks on Nuclear Power Plants and Nuclear Material Transports, July 2004.
F. Steinhäusler / On the Need to Strengthen Nuclear Security Culture in View of New Security Risks
x
x
57
(1957, United Kingdom), Chelyabinsk (1957, Russia), Three Mile Island (1979, United States), Chernobyl (1986, Ukraine), and Tokaimura (1999, Japan), resulted in significant damage to facilities and, in some of these cases, radiation-induced deaths, other health effects, and large-scale environmental contamination. If such damage resulted from a terrorist attack, the impact on the public’s already limited acceptance of nuclear power could be severe. Importance to the National Economy: On a global scale, nuclear energy supplies about 17 percent of total electrical energy consumed.5 However, there are several countries where this percentage is significantly higher (e.g., France, 80 percent), or where a large share of national electricity production depends on the operations of only a few nuclear power plants (e.g., Belgium, Bulgaria, Hungary, and Lithuania). A successful attack on any of these facilities would result in major primary and secondary damage to the national economy of the afflicted country. Importance to National Security: Several countries depend heavily on their declared, suspected, or proclaimed status as nuclear weapon states as a demonstration of their military strength. China, France, India, Pakistan, Russia, the United Kingdom, the United States openly proclaim this status, while Israel and North Korea are more circumspect. A successful terrorist attack on a nuclear-weapon production site or a nuclear-weapon storage site would raise serious questions about the overall vulnerability of the nuclear arsenals in these countries.
2. New Security Threats to the Nuclear Fuel Cycle The increasing incidence of suicide terrorism worldwide, coupled with the increasing sophistication of transnational operational logistics used to plan and implement covert illicit activities, has resulted in new security risks for the nuclear fuel cycle. These new security risks cover a wide range, from the successful establishment of international networks that covertly traffic in nuclear technology and materials to the loss of “selfprotection” of radioactive materials in the case of suicide terrorism. Suicide terrorism has been used successfully by groups around the world, for example by the Marxist-oriented Tamil Tigers in Sri Lanka, the anti-Israeli-oriented Palestinians, and the insurgents battling U.S.-led coalition forces in Iraq. To date the coordinated suicide terrorist attacks on the United States on September 11, 2001 have represented the most spectacular such operation. With regard to the nuclear fuel cycle, suicide terrorism as a mode of attack has several advantages, such as: (a) little need to consider the delayed health effects incurred by the attackers from radiation exposure; (b) no need for an escape route; (c) accurate selection of the time and place to deploy the explosives; (d) high probability of success in causing casualties and extensive property damage; and (e) most importantly, the “self-protection” of radioactive material is no longer relevant, even for highly radioactive material. Covert exchange of nuclear information has been an essential component in the development of nuclear-weapon programs in several instances, such as India, Iraq, 5 UN Scientific Committee on the Effects of Atomic Radiation (UNSCEAR), Report to the General Assembly with Scientific Annexes, Sources and Effects of Ionizing Radiation, vol. 1: Sources (2000).
58
F. Steinhäusler / On the Need to Strengthen Nuclear Security Culture in View of New Security Risks
Israel, Pakistan, and South Africa. Lately, however, international networks have been discovered which involve covert trade in nuclear technology. Several essential components of the nuclear fuel cycle, such as uranium derivatives and centrifuges for enrichment, as well as blueprints for nuclear weapons and delivery systems, have been traded secretly between countries. For example, the A. Q. Khan network enabled the international transfer of almost two tons of uranium hexafluoride from Asia to Libya over a period of several years, using the services of a national airline via the nuclear ring Pakistan-Malaysia-United Arab Emirates.6 There is some evidence that professional illicit trafficking in weapons-usable nuclear material is taking place now, using neutron and gamma shielding techniques to avoid detection at border crossings.7 Persistently high or increasing corruption in countries vital to nuclear security, such as Georgia, Kazakhstan, Moldova, Russia, and Ukraine, is noticeable (Table 1). All of these countries either have large nuclear infrastructures or lie along known transit routes for illicit trafficking in nuclear and other radioactive materials. Table 1: Corruption Perception Index (CPI) for the former Soviet Union, and, for comparison, selected Western European countries and the United States for 2004-2005 (Source: Transparency International, 2005) COUNTRY
CPI 2004
CPI 2005
Belarus
3.3
2.6
Georgia
2.0
2.3
Kazakhstan
2.2
2.6
Kyrgyzstan
2.2
2.3
Moldova
2.3
2.9
Russia
2.8
2.4
Germany
8.2
8.2
United Kingdom
7.5
7.6
United States
7.5
7.6
According to this assessment, the level of corruption in Russia is the same as in Albania, Niger, and Sierra Leone, and only slightly above that of Chad (Chad: CPI 2004 = 1.7, CPI 2005 = 1.7). A similar conclusion can be drawn with regard to bribery in Russia in 2005. (For comparison, the corresponding value in 2001 is given in parentheses. All numbers represent estimates by the INDEM Foundation and ROMIR Monitoring Company, published in 2005. Currency figures are in U.S. dollars.) x x
Percentage of all contacts with government bodies or officials that involve bribery: 35 percent (26 percent) Average amount of bribe: $97 ($62)
6 Andrew Prossner Jr., “Nuclear Trafficking Routes: Smuggling in Southern Asia,” Center for Defense Information, November 2004. 7 “Paris-Case,” DSTO Database, operated by Friedrich Steinhäusler and Lyudmila Zaitseva, Division of Physics and Biophysics, University of Salzburg, Austria.
F. Steinhäusler / On the Need to Strengthen Nuclear Security Culture in View of New Security Risks
x x x
59
Total amount of bribes paid to members of the military: $530 million ($110 million) Total amount of bribes paid to members of the traffic police: $183 million ($90 million) Percentage of all bribes paid during a control or inspection procedure: 39 percent (39 percent)
In 2001 the total amount of bribes was estimated at $36 billion. In 2005 an estimated $319 billion will go to bribes in Russia, i.e., about $1 billion per day. This trend shows that bribery has surged by almost a factor of nine over the past four years. With regard to nuclear security, it is particularly worrisome that the “control and inspection” sector accounts for more than a third of all bribes, and that this level of bribery has held constant since 2001.
3. Multiplicity of Stakeholders Any action intended to strengthen nuclear security culture needs to account for the complexity of the nuclear fuel cycle, which involves multiple stakeholders. Included are: the uranium mining industry; the uranium milling industry; fuel enrichment facilities; fuel fabrication facilities; power reactor operators; research reactor operators; nuclear-weapon production facilities; nuclear-weapon disassembly facilities; nuclearweapon stockpile facilities; nuclear-waste disposal sites; and transport operators between all of these facilities. (See Figure 1, which comes from Braden R. Allenby, “Towards a Functional Definition of ‘Environmental Security,’” in URCL-ID-129655, Environmental Threats and National Security: An International Challenge to Science and Technology, ed. Braden R. Allenby, T. J. Gilmartin, and R. F. Lehman II (Livermore, CA: Lawrence Livermore National Laboratory, 1996). Ideally, in each of these segments, management and workers at different levels of responsibility should take an active hand in the overall effort to strengthen nuclear security culture. However, it is equally important to acknowledge that each of these sectors has its own requirements, strengths, and weaknesses in terms of nuclear security, adding complexity to the challenge of implementing a comprehensive nuclear security culture.
4. Properties of a Comprehensive Nuclear Security Culture A successful nuclear security management system should address the needs of all of the above-listed stakeholders in a comprehensive manner, taking into account that: x x x
Nuclear security culture should be viewed as a dynamic process that must be adapted to the requirements distinctive to a certain facility at a given time. A nuclear security management system should have sufficient flexibility to apply to all operations within the civilian and military nuclear fuel cycles. When designing the physical protection system (PPS) for a site, the leadership should take economic constraints into account by following the three-tiered design basis threat concept. Specifically:
60
F. Steinhäusler / On the Need to Strengthen Nuclear Security Culture in View of New Security Risks
o o o
Meeting DBT Level I requirements results in a PPS that supplies protection at a minimally acceptable level, guarding against the most probable threats only. DBT Level II standards result in a PPS that provides an intermediate level of protection, applying the “AHARA” principle.8 DBT Level III results in a PPS that provides the optimal level of protection, as specified in an externally reviewed DBT assessment.
5. Universal Properties of a Comprehensive Nuclear Security Culture To develop a globally acceptable approach to strengthening nuclear security culture, two preconditions must be met: 1.
2.
All stakeholders must acknowledge that a security threat to the different components of the nuclear fuel cycle does indeed exist. In the aftermath of the September 11 terror attacks on the United States, some representatives of or lobbying groups for nuclear facilities find themselves in a difficult position: On the one hand, they feel obliged to certify that nuclear security is adequate to counter the new threat situation, while on the other, several studies reveal that it is impossible to protect against every possible threat for financial and logistical reasons. This schism in the thinking of experts is not helpful in the ongoing international debate, which needs to produce a coherent strategy for explaining threats to nuclear security to the public. An internationally acknowledged, credible source of information needs to provide objective information on nuclear security threats and solutions, tailored to the specific needs of various target audiences such as: political decisionmakers, nuclear regulators, nuclear facility operators, nuclear site management, members of the workforce, representatives of the electronic and print media, and members of the public.
Once these conditions have been met, it should be possible to get the international nuclear community to accept the four pillars representing the Universal Properties of a Comprehensive Nuclear Security Culture, namely: x
The national government lays the foundation for a CNSC by providing: o Comprehensive legislation and regulations reflecting the international consensus about nuclear security requirements. o Practical guidance, financial means, and effective control. Government agencies should oversee the implementation of pertinent measures at the different nodes in the nuclear fuel cycle, in compliance with the current national security assessment.
8 Nuclear security measures should be As High As Reasonably Achievable (AHARA), an optimization process similar to the optimization process used in radiation safety (the As Low As Reasonably Achievable, or ALARA, principle). For details see S. Kondratov and F. Steinhäusler, “Why There Is a Need to Revise the Design Basis Threat Concept,” International Journal of Nuclear Knowledge Management, forthcoming.
F. Steinhäusler / On the Need to Strengthen Nuclear Security Culture in View of New Security Risks
61
Figure 1: Overview of the different stakeholders in the civilian and military nuclear fuel cycles
The methodology for implanting a CNSC is the responsibility of the competent authorities. The methodology needs to be transparent and internationally acknowledged. It should be flexible enough to be adapted to the current threat situation, taking into consideration the complete nuclear fuel cycle, not just one or a few of its components.
62
F. Steinhäusler / On the Need to Strengthen Nuclear Security Culture in View of New Security Risks
x
x
x
Communications with regard to the current security situation and the associated responsibilities should be tailored to the various stakeholders involved in implementing the CNSC, reflecting each party’s need-to-know. How successfully the need for and advantages of a CNSC are communicated will likely be decisive in persuading all parties to embrace the CNSC. A system of incentives, performance-based and applicable to all members of the workforce, should be established. In this manner each staff member will be provided tangible guidance as to his or her individual role in ensuring optimal security at the nuclear facility. The international community needs to develop a system of “yardsticks” that gives the competent national nuclear regulatory authorities objective measures for evaluating their progress toward instilling a vibrant security culture.
Nuclear Security Culture: From National Best Practices to International Standards I. Khripunov et al. (Eds.) IOS Press, 2007 © 2007 IOS Press. All rights reserved.
63
Security Culture in the Nuclear Field Denis WINTER Institut de radioprotection et de sûreté nucléaire (IRSN) France Abstract. This paper discusses the nuclear security culture concept and definition, and provides a review of the 12 fundamental principles as stipulated in the amended Convention on Physical Protection of Nuclear Materials.
1. Introduction The Board of Governors of the IAEA has acknowledged 12 fundamental principles of physical protection for nuclear materials and nuclear facilities. These principles will be integrated into the forthcoming revision of the international Convention on the Physical Protection of Nuclear Material. Fundamental Principle F proposes a definition of security culture and recommends that implementing and maintaining such a culture be made a priority in the organizations concerned. It thus appears necessary to specify the concept of security culture. Note that the other 11 fundamental principles mentioned above are also linked to security culture to varying degrees. These principles will thus appear at various points in the remainder of this text. Reference to them will be made implicitly on various occasions in the text. This document also complements INSAG-4 (1991 edition), an IAEA report on safety culture which presents a concept of safety culture. One chapter in the report compares safety culture and security culture, pointing out commonalities and differences between the two concepts. 2. Definition of Security Culture Security culture includes characteristics and attitudes in organizations and of individuals which establish that protection against the loss, theft, or other unlawful taking of nuclear material, on the one hand, and deliberate malicious acts against nuclear facilities or during transport of nuclear materials, on the other, receive the attention warranted by their significance. The malicious acts in question refer to anything that may directly or indirectly have radiological consequences for man and the environment. This definition is more complete than the one given in IAEA document GOV/2001/41, which relates only to the physical protection of nuclear materials and nuclear facilities. In addition, INSAG-4 only refers to nuclear power plants, whereas the current definition extends the purview of security culture to all nuclear facilities and the transportation of nuclear materials. The protection of radioactive substances is not, however, considered explicitly in this document. The discussion could be extended to these substances at a later date.
64
D. Winter / Security Culture in the Nuclear Field
3. Universal Features of Security Culture Security culture has three major components. The first concerns the policy that the state wishes to put into practice, taking into account the national and international contexts. The second is the arrangements introduced within each organization to apply the policy fixed by the state. In this component, distinction must be made between what comes under the organization as a whole and what concerns its managers in particular. The third component refers to the attitudes adopted by various individuals at all levels toward implementing this policy within the institution and incorporating policy guidance into their daily work. These components are examined separately under the headings of “Role of the State” (Paragraph 3.1), “Role of Organizations” (Paragraph 3.2), “Role of Managers in Organizations” (Paragraph 3.3), and “Attitude of Individuals” (Paragraph 3.4). Figure 1 illustrates the main components of security culture and links the chapters to the overall diagram. All these components must nevertheless be considered parts of a whole. A healthy security culture arises from overall coordination and dialogue among the parts. Security culture must not remain confined to the organizations concerned and their personnel. Everyone active in the nuclear field must make an effort to raise public and media awareness of security culture. The general public should view security culture as a sign of professionalism, skill, and responsibility on the part of all actors (organizations and individuals) involved in protecting nuclear facilities and materials. An effective public outreach campaign will help strengthen the confidence of each citizen in security within the nuclear field. 3.1. Role of the State In any major activity, the manner in which individuals act is conditioned by requirements set at a higher level. Legislation is the highest level able to influence how the nuclear complex protects against loss, theft, or unlawful taking of nuclear materials, malicious acts at nuclear facilities, or malicious acts during the transport of nuclear materials. Here are laid the national foundations for security culture. In the very first instance, the state is responsible for compiling a legislative and regulatory framework that defines general objectives for protection, division of responsibilities, and protection of information. This framework is discussed fully with all stakeholders while undergoing development. 3.1.1. Definition of General Protection Objectives The state sets security policy. It develops this policy in view of identified threats, the international context, and specific aspects of the national context. The state uses these elements in particular to define the design basis threat. The design basis threat must be revised periodically to take into account the constant evolution of risks and technologies. Thus, protective measures implemented to meet the design basis threat must be constantly adapted to maintain a constant, acceptable level of security in the nuclear sector.
D. Winter / Security Culture in the Nuclear Field
65
3.1.2. Division of Responsibilities The state’s commitment to nuclear security finds concrete expression in national legislation and regulations. A state will normally set up a competent authority, possibly supported by a technical support body. This authority will have the personnel, financial resources, and supervisory powers it needs to perform its security-related functions. In particular, provision will be made for reporting any event affecting, or likely to affect, the protection of nuclear materials or nuclear facilities to the competent authority without delay. So that all organizations and individuals feel involved at their respective levels, the state clearly lays out its own responsibilities pertaining to the protection of nuclear materials, nuclear facilities, and the transport of nuclear materials, along with the responsibilities it entrusts to other bodies. The facility director has full responsibility for safeguarding all nuclear materials, security equipment, transport means, installations, and information assigned to him. However, the government agency holding ultimate law-enforcement responsibility may be called on to intervene on or off site. It is also justified in intervening when an event occurs during the transport of nuclear materials, particularly on a public highway. Lastly, the potential repercussions from a failure to protect nuclear materials or facilities involve the entire national territory and could even spread to other countries. It is essential that this division of responsibility be clearly defined and well understood by all individuals within nuclear facilities. Given the need for coordination among the public authorities and other organs—as required by such a division of responsibility—the state introduces mechanisms for exchanging knowledge and data, particularly in terms of intelligence and intervention. It organizes regular exercises, involving operators and government departments, to test the capacity to safeguard nuclear materials and facilities. 3.1.3. Protection of Information Security culture is different from the culture of secrecy. It must apprise all individuals within the organization of the sensitive nature of a piece of information. To ensure sufficient protection against estimated risks, however, some information may not circulate freely in the public domain, where it could be used for malicious purposes. Thus, given the division of responsibility discussed earlier and the resultant exchanges, the state lays down general principles for authorizing access to facilities and information that could compromise the protection of nuclear materials, nuclear facilities, or the transport of nuclear materials. It subsequently checks that these principles are applied. 3.2. Role of Organizations The policies defined by senior management within each organization derive from the principles laid down by the state. These policies condition the work environment and influence the behavior of individuals. They differ depending on the nature of the organization and the activities pursued by its staff, but they also show significant common characteristics, as described in the following paragraphs.
66
D. Winter / Security Culture in the Nuclear Field
3.2.1. Commitment Any organization with activities relating to the protection of nuclear materials or nuclear facilities makes its responsibilities publicly known and understood in a statement of security policy issued by its managing director. The aims of this statement are to demonstrate the commitment of site management, to provide guidelines to the staff, and to set out the organization’s security objectives. Responsibilities vary according to the function of each organization. For public authorities, the commitment focuses more on the promotion of security culture. Operators undertake to apply the regulations and to seek ongoing improvement in the protection of nuclear materials and facilities. Lastly, support bodies (design, manufacture, maintenance, research, security response, etc.) basically show their commitment in the quality of their services and their compliance with information access rules. In addition, this commitment spans all the various levels of the defense-in-depth concept. It must cover preventive systems before addressing provisions for detection, early warning, reaction, and limitation of consequences. 3.2.2. Management Structures Implementing predefined policies requires a clear definition of each organization’s responsibilities with regard to the protection of nuclear materials, nuclear facilities, or the transport of nuclear materials, along with methods for assuring that each organization discharges its responsibilities effectively. Regardless of the role an organization plays, strong hierarchical links are forged that are used for direct exchanges on matters of security. Operators appoint dedicated internal units to monitor security-related activities. These units report to senior leaders in the hierarchy. In addition, within each organization, responsibility for protecting nuclear materials or facilities may be entrusted to individuals not directly involved in the safety field. The internal organization must therefore foster exchanges and establish structures for dialogue, analyzing and resolving any difficulties caused by potential conflicts of interest between the safety and security apparatuses. 3.2.3. Resources The organization must allocate adequate resources to protecting nuclear materials, nuclear facilities, and the transport of nuclear materials and to assuring these protective measures are effective. Personnel thus will have the equipment, facilities, and support they need to fulfill their assignments. Adequate resources must also be made available for staff training. The resources dedicated to security must match the expected response with the expected threats to a facility or transportation scheme. In particular, operators set up protective measures sufficient to cope with design basis threats defined by the state. In addition, operator resources complement those provided by government departments, particularly the law-enforcement agencies, taking into account the division of responsibility mentioned previously.
D. Winter / Security Culture in the Nuclear Field
67
Lastly, all organizations must use the resources allocated to them in an adaptive manner, responding to changes in the short- and long-term threat environments. A supple approach will leave site staffs in position to react rapidly and to expend their resources wisely during actual incidents. 3.2.4. Vigilance All organizations make arrangements to regularly review all practices that form part of the protection system against the loss, theft, or unlawful taking of nuclear materials, malicious acts at nuclear facilities, or malicious acts during the transport of nuclear materials. This especially covers hiring and personnel policy, access authorizations, staff training, quality assurance, and protection of classified information. These periodic reviews should take into account any lessons-learned from practical experience and any changes to the design basis threat. In particular, organizations must make sure that all discrepancies relating to protective systems are comprehensively analyzed and corrected. 3.3. Role of Managers in Organizations The work environment has a strong influence on the attitudes of individuals. Developing and maintaining a true security culture within individuals lies in conditioning this environment, encouraging attitudes that contribute to the protection of nuclear materials, nuclear facilities, and the transport of nuclear materials. Top management is responsible for fixing policies and security objectives; lower-ranking managers are then in charge of initiating and enforcing practices that comply with these policies and objectives. 3.3.1. Definition of Responsibilities The exercise of individual responsibility is rendered easy by a clearly defined chain of command. The responsibilities allocated to each individual are established and documented in sufficient detail to avoid all ambiguity; their scope is specified. In particular, restrictions on the exchange and circulation of information must be rigorously spelled out. These responsibilities should be approved at the highest possible level in the chain of command. Provision is made for processes to monitor classified materials and to assure that individuals execute their responsibilities efficiently. 3.3.2. Definition and Supervision of Practices Managers make sure that activities relating to the protection of nuclear materials, nuclear facilities, and the transport of nuclear materials are carried out in strict accordance with established practice. Documents listed in order of importance from general directives to detailed work procedures and kept scrupulously up-to-date, form the foundation for good working practices. These reference documents comply with the organization’s quality-assurance policy and include, in particular, a quality-assurance plan for each activity.
68
D. Winter / Security Culture in the Nuclear Field
The managers ensure that activities are executed as spelled out in these directives, setting up a verification system to help them with their oversight duties. Managers of individual facilities maintain regular contact with fellow facilities, consistent with the rules governing information confidentiality. Relationships of this type are necessary when coordinating intervention resources between state departments and operators. In this context, exercises are organized to test organizations’ organic protective capabilities, their ability to maintain liaison with outside groups, their capacity to train response teams, and their ability to draw on lessons-learned, improving performance in future exercises or actual crises. 3.3.3. Qualifications and Training Managers ensure that temporary and permanent staff members and any self-employed service providers are acquainted with the importance of protecting nuclear materials, nuclear facilities, the transport of nuclear materials, and sensitive information. These individuals should be systematically informed of the rules in force in this area. Managers make sure their staffs have the skills and authority they need to perform tasks linked to the protection of nuclear materials, nuclear facilities, and the transport of nuclear materials. Recruitment, training, and authorization procedures are established for this purpose. Exercises and retraining courses are carried out periodically. Performance appraisals for individual staff members assess both physical and psychological considerations. Training is not restricted to acquiring technical qualifications or becoming familiar with the details of procedures to be followed. It encompasses a far broader spectrum of skills and competencies. While meeting the requirements described before, it should help individuals understand the importance of their security-related tasks and the possible consequences of error. 3.3.4. Rewards and Sanctions Apart from organizational provisions and resources, the behavior of individuals, influenced both by independent and by group motivations and attitudes, dictates whether a practice is satisfactory or not. Managers should encourage particularly commendable attitudes, congratulate those who exhibit such attitudes, and back up verbal commendations with tangible rewards to the extent possible. Managers should pay special attention to encouraging their subordinates to report any event affecting, or likely to affect, the protection of nuclear materials, nuclear facilities, or the transport of nuclear materials. This involves exhorting personnel to provide the security staff with any information that could improve protection. Easing any worries in this regard—notably fear of reprisals or ignorance of the issues at stake—is a challenge for management. Managers must nevertheless impose sanctions in the event of repeated deficiencies or serious negligence, in particular by withdrawing qualifications previously awarded.
D. Winter / Security Culture in the Nuclear Field
69
3.3.5. Audit, Review, and Comparison Managers are responsible for implementing monitoring practices such as regular reviews of training programs, staff hiring and qualification procedures, working methods, document-control procedures, a quality-assurance system, and procedures for granting access to facilities and information. Managers ensure that events inside or outside the organization liable to have an impact on security are analyzed and enlarged upon. Events outside the organization will be examined and taken into account if appropriate. It may be relevant to call on specialists from outside the organization under this approach. 3.3.6. Setting an Example Managers are expected to ensure that their staffs comply with established security practices and to work assiduously to inculcate attitudes that favor nuclear security. Setting a proper example can help lower-level employees achieve a high standard of performance in their security-related duties. 3.4. Attitudes of Individuals The previous chapters have indicated how the elements necessary to build a true security culture are set in place, emphasizing the responsibilities of the state, individual organizations, and managers. As indicated in the introduction, it is up to individuals at all levels to take these elements into account and to make the most of them. Nevertheless, distinction must be made between the reactions expected of individuals assigned direct responsibility for the protection of nuclear materials, nuclear facilities, or the transport of nuclear materials and the reactions of those not directly involved. 3.4.1. Individuals Directly Involved in Security The behavior of individuals directly involved in security is characterized by: • • •
A rigorous, prudent approach Constant vigilance and a questioning attitude The ability to react swiftly when faced with an unexpected situation
Among other things, individuals who fall into this category can be expected to apply procedures and official rules strictly. They should understand that security systems must be compatible with other activities performed within the organization. In addition, they must take a prudent, considered approach to the handling of confidential information. They must also be steadily motivated on a personal level, with no slacking off with regard to the protection of nuclear materials, nuclear facilities, or the transport of nuclear materials. They must be responsive, quickly sizing up any event or action regarded as suspect. In such circumstances, they should dispatch information immediately to the hierarchy, even if it appears to be of minor importance. Lastly, in the event of a breach of security rules, whether deliberate or through negligence, staff members’ reaction must be immediate, using resources commensurate
70
D. Winter / Security Culture in the Nuclear Field
with the estimated risk. When faced with immediate danger, the operator’s staff must act rapidly to delay or counteract the malicious act while it is in progress, requesting assistance from the public authorities as necessary. 3.4.2. Individuals Not Directly Involved in Security Security culture concerns us all. Any individual involved directly or indirectly in the protection of nuclear materials, nuclear facilities, or the transport of nuclear materials must be totally immersed in it. The duty to remain vigilant is essential for all. The expected attitude of individuals at nuclear sites is characterized by: • • •
Knowledge and application of the principles of physical protection Compliance with rules and procedures A questioning attitude with regard to abnormal acts or events affecting the protection of nuclear materials, nuclear facilities, or the transport of nuclear materials, and a readiness to apprise the management hierarchy of such events and their security implications
3.5. Safety Culture and Security Culture It seems relevant to identify the links between security culture and safety culture. It is clear that these two cultures interact with and complement each other in the nuclear field, even if they present their own distinctive attributes in certain areas. This paragraph addresses similarities and differences in terms of culture only, ignoring the application of the safety and security approaches. 3.5.1. Similarities Security and safety cultures are normally based on the same principles in the main. In safety or in security, the same types of organizations are concerned; facility directors must ensure that the two cultures live side-by-side. It seems logical that the two cultures can only develop and be maintained if they are promoted at the state level and by top managers of the organizations concerned, as individuals clearly play a role in their application. Lastly, the same types of elements are found in efforts to implant one or the other of these cultures in an institution. 3.5.2. Differences In terms of human behavior, safety culture normally revolves around the risk of human error, while security culture factors in deliberate acts intended to cause harm. It is therefore important to integrate notions of deterrence and confidentiality into the security culture of nuclear installations. Differing degrees of government involvement, both on the organizational and individual levels, are worth highlighting when comparing security culture and safety culture. Because of confidentiality requirements and its distinctive division of responsibility, a security culture can take root only with extensive state intervention. Appraising the external and internal threats to national security while defining the
71
D. Winter / Security Culture in the Nuclear Field
scope of responsibilities and requirements for access to classified information is the exclusive remit of the state. DEFINITION OF GENERAL PROTECTION OBJECTIVES STATE COMMITMENT
SECURITY POLICY STATEMENT MANAGEMENT STRUCTURES
DIVISION OF RESPONSIBILITIES COMMITMENT BY ORGANISATIONS
PROTECTION OF INFORMATION
DEFINITION OF RESPONSIBILITIES
RESOURCES
DEFINITION AND SUPERVISION OF PRACTICES
VIGILANCE
COMMITMENT BY MANAGERS
QUALIFICATIONS AND TRAINING REWARDS AND SANCTIONS AUDIT, REVIEW AND COMPARISON
STRICT AND PRUDENT APPROACH VIGILANCE AND QUESTIONING ATTITUDE
EXEMPLARITY
COMMITMENT BY INDIVIDUALS DIRECTLY INVOLVED
KNOWLEDGE AND TAKING INTO ACCOUNT OF PRINCIPLES
SPEED OF REACTION
COMMITMENT BY INDIVIDUALS NOT DIRECTLY INVOLVED
COMPLIANCE WITH RULES AND PROCEDURES QUESTIONING ATTITUDE
SECURITY CULTURE
Figure 1. Illustration of the Presentation of Security Culture.
72
D. Winter / Security Culture in the Nuclear Field
In addition, different authorities with different structures and a different type of supervisory power oversee the fields of safety and security. Also worthy of note is that large numbers of government departments are concerned with security culture. In particular, various oversight bodies have roles to play in protecting nuclear materials, nuclear facilities, and the transport of nuclear materials. This assortment of actors, each with special duties, creates demand for coordinating structures, close communication, and supporting information and exchange systems. These organizations must understand and complement each other. Individuals involved with safety and security face a dilemma: each community has attitudes distinctive to itself, yet nuclear personnel take part in both cultures. For safety culture, individuals must demonstrate a prudent, questioning attitude and share information with others, exhibiting an overriding concern for transparency and dialogue. Security culture, by contrast, sometimes requires individuals to respond speedily to confirmed or assumed threats and to communicate information only to certain authorized people. Whereas security clearly involves everyone, some hold special responsibility for applying it, and some information must be protected. 3.5.3. Interactions The two cultures must not be pitted against each other; nor should one have ascendancy over the other. It is impossible merge these two cultures into a single entity, but they must coexist and mutually reinforce each other. Each of these cultures must be developed to suit the individual organization’s mission and needs. Lastly, these two cultures must be mutually enriching. All possible synergy between them must be sought and developed; mechanisms must be in place to provide for continual interchange.
Glossary • •
•
•
Competent authority: National authority designated or recognized as such by the state for a specific purpose. Defense in depth: A concept used to design protection systems that requires an adversary to overcome or circumvent several layers and methods of protection (structural or other technical, personnel, and organizational) in order to achieve his objective. Design basis threat: Attributes and characteristics of potential insider and/or external adversaries who might attempt unauthorized removal of nuclear material or sabotage, against which a protection system is designed and evaluated. Nuclear facility: Facility in which nuclear material is produced, processed, used, handled, stored, or disposed of (including the associated buildings and equipment), if damage to or interference with such a facility could lead to the release of significant amounts of radiation or radioactive substances.
D. Winter / Security Culture in the Nuclear Field
•
• •
•
• •
• • •
• •
73
Nuclear materials: Materials that may be used to manufacture a nuclear weapon. Their definition is based on their fissile (for a fission device), fusible (for a thermonuclear bomb), or fertile (ability to produce fissile or fusible materials) characteristics. Nuclear power plant: Nuclear facility including one or several reactors, with all the structures, systems, and components required to ensure safety and to produce energy, i.e., heat or electricity. Nuclear safety: All technical provisions and organizational measures, relating to the design, construction, operation, shutdown, and dismantling of nuclear facilities and to the transport of radioactive substances, that are intended to prevent accidents and limit their effects. Operator: Any organization or person applying for authorization or authorized to perform one or several activities pertaining to the nuclear field. This involves in particular the operation of nuclear facilities and the development, holding, transfer, use, and transport of nuclear material. Practice: The act of conducting a particular activity, implementing the rules and principles of an art or a technique. Protection: Set of administrative, organizational, and technical provisions with the following objectives: o Protecting nuclear material within facilities and during transport against theft and other unlawful taking for the purposes of malicious use of said materials o Protecting nuclear facilities and transport activities against acts of sabotage liable to affect the environment and human health o Mitigating or minimizing the radiological consequences of sabotage The provisions for protection designed to satisfy these objectives include control and accountancy of nuclear materials and physical protection systems for facilities and the transport of nuclear materials. Quality assurance: Planned and systematic actions necessary to provide adequate confidence that an item or a facility will function satisfactorily. Radioactive substances: Substances emitting ionizing radiation which, therefore, are governed by provisions for the protection of man and the environment against the harmful effects of this radiation. Sabotage: Any deliberate act directed against a nuclear facility or nuclear material in use, storage, or transport which could directly or indirectly endanger the health and safety of personnel, the public, or the environment through exposure to radiation or a release of radioactive substances. Safety culture: That assembly of characteristics and attitudes in organizations and individuals which establishes that, as an overriding priority, nuclear plant safety issues receive the attention warranted by their significance. Transport: International or domestic carriage of nuclear material by any means of transportation, beginning with departure from a facility of the shipper and ending with the arrival at a facility of the receiver.
This page intentionally left blank
Nuclear Security Culture: From National Best Practices to International Standards I. Khripunov et al. (Eds.) IOS Press, 2007 © 2007 IOS Press. All rights reserved.
75
Safety and Security Culture Link: Lessons from the Past Dmitriy Nikonov Senior Research Associate Center for International Trade and Security University of Georgia United States Abstract. Safeguarding nuclear material has become paramount for international security since the end of the Cold War, and in particular since September 11, 2001. On the one hand, nuclear materials have became more readily available and accessible as a result of the Soviet collapse and the emergence of many new suppliers. On the other, the nature and intensity of the threat have changed, rendering previously existing measures to safeguard nuclear materials less adequate. The biggest threat to international security since the early 1990s has been the theft of nuclear materials by terrorists who use these materials in terror attacks. The emphasis during these early years was on quickly fixing security gaps at a large number of nuclear facilities. There was little time to develop a comprehensive strategy not only to fund, build, or install these upgrades, but also to assure that they were properly used and operated. It soon became clear that these initial strategies placed insufficient emphasis on the human factor of materials protection, control, and accounting (MPC&A). Newly installed equipment was in many cases incompatible with work practices and threat perceptions among facility personnel. Subsequent efforts to develop an appropriate “security culture” that addresses the new security threats have produced positive results. Security culture received the highlevel attention it undoubtedly deserves at the U.S.-Russian Bratislava summit in February 2005. However, most observers agree that changing security culture is not as easy as installing technical upgrades: cultures are resistant to change and develop gradually, whereas a quick response is needed. A striking cultural shift occurred in the safetyculture domain after the 1986 Chernobyl accident. Indeed, this cultural transformation took place not only on the workforce level but on the level of facility management, the national leadership, and even the general public. The accident also helped revolutionize international perspectives on and cooperation in nuclear safety, resulting in new international norms and regulations to prevent such accidents in the future. This paper examines the safety-culture shift and considers how applicable it is to the ongoing work of improving security culture at nuclear facilities worldwide.
1.
Background
The task of safeguarding nuclear materials became paramount for international security after the end of the Cold War, and especially after September 11, 2001. On the one hand, nuclear material became more readily available and accessible as a result of the Soviet collapse and the attendant emergence of many new suppliers. On the other, the nature and intensity of the threat changed dramatically, rendering previously existing measures to protect, control, and account for nuclear material less and less effective.
76
D. Nikonov / Safety and Security Culture Link: Lessons from the Past
The biggest threat to international security in the 1990s was the potential theft or smuggling of nuclear material from the former Soviet Union. The absence of modern physical protection and material control and accounting systems in Russia, coupled with less stringent border controls and increased individual travel, increased the probability of theft or smuggling. This threat clearly required immediate attention. The assistance programs instituted during these early years by the United States and other countries emphasized quickly fixing glaring security gaps at a large number of critical nuclear sites. There was little time to develop a comprehensive strategy that not only funded, built, or installed upgrades, but also assured that the new systems were properly used and operated. It soon became evident that the practices by which nuclear personnel used the new MPC&A equipment were not what was needed: negligence, lax habits, and a lack of maintenance and training were reported frequently and consistently, by many observers.1 It was also obvious that the initial MPC&A assistance strategies placed insufficient emphasis on the human factor. Newly installed equipment was in many cases incompatible with work practices and threat perceptions among nuclear personnel, who had grown accustomed to a completely different professional environment. Subsequent efforts to develop a security culture among the nuclear workforce, aligning the professional culture both with new security threats and with newly installed equipment, have produced significant and positive results. Though grudgingly, the Russian Federal Atomic Energy Agency, or Rosatom, has agreed to a U.S.sponsored program intended to train security-culture coordinators for Russian nuclear facilities. Security culture came to new prominence at the U.S.-Russian Bratislava summit in February 2005, garnering the policy attention it richly deserves. However, it is clear that changing security culture is not as easy as installing technical upgrades. There are a number of indigenous obstacles to changing the security culture in a given country. Prevailing threat perceptions, traditions, and the overall professional and corporate culture rank high among these obstacles. And cultures in general are resistant to change. But there is also a more general reason why security culture is difficult to change in any country. The principal threat that all nuclear security (i.e., MPC&A) measures try to prevent–a theft or diversion of nuclear materials to a terrorist group, with subsequent use of these materials in a catastrophic act–has never materialized. The significance of this fact is difficult to overestimate. Security and operations personnel at nuclear facilities are trained and expected to perform their functions on the assumption that an incident or attack may occur at any time. Granted, there have been incidents 1 According to one report from the U.S. General Accounting Office, Security of Russia’s Nuclear Materials, GAO-01-312 (Washington, DC: Government Publishing Office, 2001), p. 12, at three of nine sites visited by the GAO, “some problems appeared to decrease the effectiveness of the new systems. For example, one site left a gate to its central facility opened and unattended during the day. According to a site official, the gate was left open to allow employees to enter and leave the facility without having to use the combination locks on the gate. When the gate is open, the only other controlled access point is on the perimeter of the site. At another site the guards did not respond to metal detectors that were set off when the GAO team entered the site, nuclear materials portal monitors were not working, and the alarm system had exposed cabling that could allow an adversary to cut the cable and disable the alarm easily. At the third site, the DOE had provided heavy metal containers that could be bolted to the floor to make it more difficult for an individual to gain access to the material, but some of the containers were empty, and the site stored material in old containers that did not offer as much protection. In addition this site did not have access controls, such as material detectors or nuclear material portal monitors at locations where nuclear material is stored, and the guards did not check the identification of the people entering the storage areas.”
D. Nikonov / Safety and Security Culture Link: Lessons from the Past
77
involving nuclear-material theft or diversion, but these incidents have been isolated and have taken place on a small scale. None has resulted in a catastrophic event thus far. For security personnel, thereforeand this is a second factorit is very difficult from a psychological standpoint to maintain peak levels of alertness and vigilance in anticipation of a hypothetical event, no matter how catastrophic such an event might be. This is coupled with the inevitable fatigue experienced by personnel unable to release accumulated psychological tension by responding to an actual incident. Finally, security measures in many cases still take substantially lower priority than the primary missions of the nuclear facility. Under such circumstances, improving nuclear security culture presents a formidable challenge. In fact, changes to the international security environment and to the nature of the threat require a qualitative shift in the mentality, the perceptions, and operating practices among security and operations personnel. Such a shift occurred in the safety-culture domain in the Soviet nuclear sector after the Chernobyl accident in 1986. To a lesser degree, the same occurred in the U.S. nuclear sector after the Three Mile Island incident in 1979. Cultural transformation took place not only at the workforce level, but at the levels of facility management, the national leadership, and the general public. The Chernobyl accident helped revolutionize international perspectives and cooperation on nuclear safety, resulting in new international norms and regulations designed to prevent such accidents in the future. These norms and regulations specifically targeted safety culture as a factor requiring additional attention.
2.
Model of Organizational Culture
Both safety and security culture are subsets of the overall organizational or professional culture of an institution. Organizational culture is a psychological and social phenomenon that has been studied extensively. There are several schools of thought on culture, but one of the most widely recognized and accepted is the one proposed in the seminal work of Edgar Schein. Organizational culture, according to Schein, is a pattern of shared basic assumptions that the group learned as it solved its problems of external adaptation and internal integration, that has worked well enough to be considered valid and, therefore, to be taught to new members as the correct way to perceive, think, and feel in relation to those problems.2 Schein’s model of culture, represented in Figure 1 below, refers to three levels of awareness, behavior, and artifacts that constitute organizational culture. These levels are: x x x
Basic assumptions held by individuals about human nature, society, work, relationships, and everything else that determines, directly or indirectly, their attitudes toward these phenomena Espoused values voiced and manifested by individuals with the purpose of expressing or, in some cases, concealing their basic assumptions Observable artifacts, namely phenomena relating to human behavior and interactions (either personal or professional) that represent the visual manifestations of culture
2 Edgar H. Schein, Organizational Culture and Leadership, 3d ed. (San Francisco, CA: Jossey-Bass, 2004), p. 47.
78
D. Nikonov / Safety and Security Culture Link: Lessons from the Past
The significant component of Schein’s model is its feedback character: not only do our basic assumptions have an impact on our espoused values and the observable artifacts of culture, but the latter in turn shape our basic assumptions over time. Thus, the model is cyclical and self-supporting. This factor will become important for the purposes of the main argument in this paper.
OBSERVABLE ARTIFACTS
ESPOUSED VALUES
VISIBLE INVISIBLE BASIC ASSUMPTIONS
Figure 1. Schein’s Three Levels of Culture
3.
Safety Culture Shift
As studies undertaken by the International Atomic Energy Agency (IAEA) subsequent to the Chernobyl accident point out, the Soviet nuclear complex considered safety to be a function primarily of procedures, practices, and organization within the nuclear industry.3 In theory, better safety was achieved through more diligent compliance with established procedures. The full analysis of the accident, which was not published until much later, pointed to human error as one of the primary factors behind the accident. This resulted in a series of measures being taken at the national and international levels, with the aim of reducing the risk of such accidents occurring in the future. Prior to Chernobyl, the Three Mile Island accident had already highlighted the critical role of personnel preparedness and alertness in ensuring reactor safety, although the limited nature of the accident limited its effect as a catalyst for change. Measures taken by individual countries ranged from reductions to or complete elimination of the nuclear power component from their energy portfolios, to less radical strategies designed to bring about the necessary cultural shift within the nuclear sector. 3 International Atomic Energy Agency, “Safety Culture in Nuclear Installations,” IAEA-TECDOC-1329 (Vienna: IAEA, 2002), p. 16.
D. Nikonov / Safety and Security Culture Link: Lessons from the Past
79
There are a number of reasons why the shift in safety culture occurred. First, the magnitude of the Chernobyl event created detrimental, long-lasting medical, psychological, political, environmental, and economic impact. Second, the Chernobyl incident was a direct result of human error–a fact that emphasized the human factor in the nuclear safety equation. And third, the accident had a direct, negative impact on the lives, health, and well-being of a large number of individual nuclear facility employees; covered substantial geographic areas; extended over time; affected large populaces scattered across several countries; and impaired the health and prospects of the nuclear industry worldwide. Also important is the fact that the safety-culture shift occurred at several levels. Employees, operators, and support personnel felt or were able to observe the immediate impact of a catastrophic safety-related incident that rendered the hazards of negligence, slipshod practices, or malfeasance suddenly tangible and real. In addition to healthrelated fears, many employees felt the direct economic impact of the prolonged recession that struck the nuclear industry worldwide. They personally bore physical and financial burdens in the aftermath of the Chernobyl event, making a change in fundamental assumptions about safety easier to achieve. Management and businesses suddenly faced the prospect of a serious decline or even shutdown of the industry if effective measures were not developed and implemented quickly enough to address public safety fears and intense pressure from environmental advocacy groups. The national leadership had to cope with the problem at several levels, ranging from addressing public safety concerns, to resisting political pressure to shut down the nuclear industry, to dealing with cleanup and rehabilitation issues, to scrambling to fill the gap in energy supplies left when nuclear energy development projects were scrapped or indefinitely delayed. Finally, public perceptions of the Chernobyl event had a decisive effect on subsequent safety improvement processes at both the national and the international levels. It was public pressure that forced governments and industries to reassess or develop and implement new safety requirements and regulations governing the design, development, construction, and operation of nuclear sites in this new environment. All these developments combined to create a powerful impact on the basic assumptions, using Schein’s terminology, of all major stakeholders in the nuclear industry: employees and operators, industry, governments, the public, and, finally, the international community. The result was a series of measures at all levels to institutionalize and internalize the necessary safety changes within the nuclear industry. Regulations pertaining to safety culture were developed and implemented, training courses and materials prepared and approved, and an extensive regulatory, educational, and outreach effort launched at the national and international levels. The comprehensive nature of these measures created a new psychological, social, economic, and informational environment that helped major stakeholders maintain and reinforce new basic assumptions about safety in the nuclear industry. Thus, the circle was complete.
4.
Security Culture Shift: Challenges and Solutions
That security culture was a concept distinct from safety was not immediately obvious. Many experts believed that, in the final analysis, security culture was a subset of safety culture, because the ultimate objective of security culture was to ensure public safety.
80
D. Nikonov / Safety and Security Culture Link: Lessons from the Past
This view, however, is only partly true. The consequences of human failure with regard to safety procedures may result in immediate danger to facility employees and residents of surrounding areas. Human failure with regard to security, on the other hand, might endanger employees in the event of sabotage, but it would pose just as major a threat to people far away from the facilitysay, if terrorists improvised a nuclear device from material stolen from the site and detonated it in a different region, city, or country. In the latter case, although facility employees might feel responsible for the security lapse at their facility, the psychological impact of their failure likely would not be as severe as it would in the case of a safety failure. Indeed, the direct physical impact on the facility, staff members, their families, and local residents would be absent altogether. Ironically, the fact that no serious security breach has resulted in a catastrophic nuclear or radiological terrorist incident is an impediment to improving standards of security culture. Whereas the Chernobyl accident served as a catalyst for changing the basic assumptions of the vast majority of employees, governments, and the public about safety, no counterpart to Chernobyl has yet taken place in the realm of security. One way to address this problem is to use Schein’s feedback model, in particular his hypothesis that basic assumptions are partly shaped by observable artifacts and espoused values. Since a direct shift in basic assumptions about nuclear security is likely only in the event of a catastrophe comparable in magnitude and impact to the Chernobyl accident, fundamental assumptions must be modified indirectly, using the feedback model. Over time, a change in observable artifacts and espoused values will lead to a shift in basic assumptions. There are a number of paths toward this goal. Specifically: x
x
x
Incentives, both positive and negative, may induce personnel to perform their duties to the best of their ability. These incentives may include: o Bonuses and other types of recognition for employees who maintain the highest standards of security and/or the lowest levels of violations or breaches o Development and effective implementation and enforcement of disciplinary measures to discourage lax behavior and petty violations Administrative and enforcement measures may include: o Introduction and implementation of new international, national, and industry security standards o Continuous education and training of top and middle management of nuclear facilities, along with exercises for officers and personnel of protective forces o Leadership by example, ensuring that employees see that management is serious about enforcing security regulations o Personnel reviews and performance evaluations that factor in performance in the area of security o Allocation of additional resources to security measures, including maintaining competitive salaries for security personnel and maintaining and regularly upgrading security equipment o Promotion of better overall organizational and professional culture On the cognitive level, measures to improve security culture must promote two goals: (1) instilling a deep understanding and belief among all employees of the facility that the threat is real and the facility is vulnerable; and (2)
D. Nikonov / Safety and Security Culture Link: Lessons from the Past
81
increasing employees’ awareness and understanding of the potentially catastrophic consequences of negligence or other violations. This can be achieved through a long-term, carefully prepared, and well-thought-out training and outreach program. Public pressure represents a powerful, proven means of instilling a new culture in the nuclear industry. Just as ordinary citizens exerted pressure on the nuclear industry to improve safety standards following the Chernobyl accident, they can prod elected officials, legislative bodies, or the media to work on behalf of better security standards now. At present, public incomprehension of the security threats to the nuclear sector posed by the current international and domestic environment encourages two kinds of responses: indifference and apathy at one end of the spectrum, and panic or sensationalism (especially among the media) at the other. Neither attitude is helpful in promoting better security standards and culture. This problem can be addressed through educational and awareness campaigns aimed at the general public, legislators, and the media.
5.
Conclusion
Changing nuclear security culture is a formidable challenge, but valuable lessons from the nuclear complex’s experience with safety culture can help. It is necessary to acknowledge that culture will not change quickly or by itself. Short-term political or economic pressures may temporarily change the observable artifacts or espoused values associated with security culture, but such pressures are unlikely to bring about overnight change to the fundamental assumptions that drive cultural change or maintain cultural stability. Again, the irony of the situation is that the very event that better safety or security practices are trying to prevent is the most likely to effect basic change within the nuclear sector. Achieving a significant shift in the basic assumptions that lead to higher standards of nuclear security culture will require long-term commitment and resources, but the payoff will be worthwhile.
This page intentionally left blank
Nuclear Security Culture: From National Best Practices to International Standards I. Khripunov et al. (Eds.) IOS Press, 2007 © 2007 IOS Press. All rights reserved.
83
NATO Advanced Research Workshop Proceedings Day 2, Session 1 Participant 1: Good morning. After each of these sessions, these four sessions that are planned for today, the work is to be done by you. Yesterday, you heard presentations by a lot of different people about their security culture and their country and some of the models of security culture. And the purpose of yesterday was to get your brain working on the subject of security culture so that today you can participate in this discussion. What you say will be recorded and become part of the meeting proceedings and will be very important, as I will explain to you in just a few minutes. But this first session, which will last until 11:00, is on the subject, and you may have seen it, “What properties of security culture apply universally?” If we are going to develop a security-culture model and the IAEA is going to publish documents describing security culture, we want this description of culture to be universal. We want it to apply to Russia and Brazil and the United States, so that all of the member states will see value in this model. Dr. Nilsson has a copy of the latest version of this model in her hands now, and soon this will go out to other member states and start the process of being approved. But we want to give that model the very best analysis we can before it goes out. That is one of the reasons, as Dr. Nilsson said, that this is an important meeting. You represent more countries than have ever assembled to look at this subject at any one time. That is one of the real purposes of this meeting: to make sure that all of you get to present your input on the model and on security culture. So it’s not just a model. As you see, the other topics are “How does this fit into your professional culture?” And, this afternoon, “What methodologies can you use for improving security culture?” The last one is, “How do you evaluate security culture?” But the one we are going to work on for this period is “What are the universal properties of security culture?” And indeed, what properties of security culture apply universally? Now let me just draw a little cartoon to remind you of the structure of security culture that is in the hands of the IAEA right now. It may need to be refined. Some may not agree with it, and we will want to hear that, but this is where the IAEA is right now. Yesterday I talked about security culture in an organization, and I just talked about the organization. As you remember, it was shaped like this, with the very bottom part being the basic assumptions. We said that in an organization, the bottom is the assumptions, then there is a set of things that you say, these are espoused values: “We are going to do this,” and “we are going to be a secure organization.” And then above that, there is management and there are behaviors. All this leads to a good security culture in an organization. If the assumption is that you are at risk, you say you are going to protect yourself, you set up management systems that will make for good security, and people behave well. All of this happens, fundamentally, because people feel that they are at risk, that someone is
84
Transcript of Workshop Proceedings, Day 2 Moderated Discussion
out there who is going to attack them. Then you end up with a good security culture. This is essentially building the security culture from the bottom up. Now also in this paper that the IAEA hasand this is something I did not talk about yesterdayis a model reflecting a different perspective. This was alluded to in the French paper yesterday. This is sort of a top-down approach to security culture, and both of these approaches are valid; they work together. The top-down approach says you’ve got government, and government issues instructions, orders, and laws to the organization, which then feeds this down to management. Officials hand down to management what managers are to do within the governmentwhat the government tells them to do. And then this goes down to the people involved, either directly or indirectly, and leads to good security culture. So you can see that the paper that Dr. Nilsson has, that will be vetted over the next few months by IAEA member countries, has both of these models in it. And they complement each other. You can see in both of these models elements of all the things that were talked about yesterday, can’t you? Yesterday we heard people talking about the importance of the government telling people what to do and having a good security culture. That is a top-down approach. And then, part of this, is everyone in the organization feeling vulnerable and therefore you end up with good security culture. Now, many of these things are related. The management organization here that we’re talking about, is the same, essentially, as this model. So, they are related, and both of these concepts are in the paper that Dr. Nilsson has. Now, yesterday, we talked about many elements or aspects of nuclear security culture that are inside each of these boxes. But, again, my objective facilitating here today is to ask you, what elements of nuclear security culture apply universally? And hopefully the elements you will come up with will fit in this framework somehow. So, I can point and say, for example, if you talk about DBT, is that a part of security culture? I think it is. Who’s responsible for that? Well, usually that is the government’s responsibility. So, we will be able to point to things on this diagram and see where your ideas of the parts of nuclear security culture fit. What I’m going to ask from you now is to take an opportunity to think about what you heard yesterday and what you know about security culture, and tell us just one aspect that you think applies universally to security culture. We will record that, and we will then eventually feed that back into the process, back into the IAEA, and then this model that Dr. Nilsson has will be better as a result of this meeting. That’s what we want to do, that’s going to be our process. Are there any questions about that? But when we talk, remember that yesterday I said three sentences were an ideal length for answering a question. You can talk longer than three sentences, but we don’t want 10 or 20 minutes from each person. When you give your ideas, we would like them to be brief and to the point and to contain the kind of information we would consider putting into this model description. So that’s giving you an idea of what we want to do, and just before we start out, we’re going to have a short presentation about nuclear security culture. Participant 2: As I did yesterday afternoon, I will try and summarize with a quick PowerPoint presentation that I put together where we stand and where I think we may be going. Why is nuclear security culture so important globally? Remember that we aim for universal approaches.
Transcript of Workshop Proceedings, Day 2 Moderated Discussion
85
And I think there are four answers why security culture is so important. This first one is: from the vantage point of terrorists, we are in the “limelight” in the nuclear industry, because our industry presents a symbol. Call it a cornerstone of modern industrial advancement. It has high symbolic value. The second: we’re dealing with materials that have properties that people are frightened of. There is a physicalchemical component of the radioactive materials that we handle that has the potential to create high-consequence accidents. And third, of course it is important to have the nuclear industry working: Some countries depend on it for 60, 70, even 80 percent of their electricity production. Finally, if you are a nuclear weapon state, it is important because you have to look after your nuclear weapons. So, there are some very important reasons why we’re attending to nuclear security culture. I think there is also an element of urgency, apart from these four components, that shows why we should hurry up in nuclear security culture. For one thing, we’re no longer dealing with the political or nonpolitical statements of rogue states or an “axis of evil.” We are dealing with professionally designed networks which actually trade nuclear technology across countries from offices in Malaysia to offices in Dubai and so on. For another, we have lost something that used to be very convenient for us in the past in terms of security and safety issues. And that was our ability to say, “Who would be stupid enough to attack with radioactive material, because they would kill themselves?” This no longer applies if you are dealing with suicide terrorists. We have lost this very useful self-protective aspect of radioactive material. I think we’re also fooling ourselves if we think that the illicit trafficking that we see is the illicit trafficking that really counts. There is a far more professional component to illicit trafficking than this haphazard, amateurish thief who steals some cesium-137 to sell and now thinks he is going to become a millionaire. That’s not the illicit trafficking we need to be concerned about. The moment we have someone who knows how to apply greater shielding to a cache of weapons-usable material which is actually traded, that is the danger. In many of the countries which are concerned about nuclear security and want to instill security culture, these countries are also where we see a lack of good governance, compounded by widespread bribery and corruption. Now let me show you what I mean with this very last point. This is the corruption assessment index. I won’t go into detail of how it is derived, but it is a very comprehensive assessment by organizations that interview the population and try to get a sense of their experiences with corruption. I’m giving you the past two years, last year and this year, for five countries for comparison. Notice that the higher the number, the less corruption it has. Russia scores somewhere below three on this index. That puts it at the level of Albania and Chad. Ukraine and Kazakhstan are not much better. For comparison, let’s look at Germany and the United States, which fare much better. We’re looking at countries which are of concern because of their very potent nuclear infrastructure and because they unfortunately rank at the bottom in terms of good governance, meaning corruption is high. Let me give you an indication about bribery. If a Russian citizen approached a government official in 2001, in one in four cases the official would demand a bribe. The total estimated amount of bribes paid out in Russia in 2001 was $36 billion. In four years, this amount has reached $319 billion. And it’s no longer one in four government officials, it’s practically every third government official who demands a bribe when approached by a citizen.
86
Transcript of Workshop Proceedings, Day 2 Moderated Discussion
Now you can debate the accuracy of these assessments, but what I’m saying is that we do not have a situation that is getting better; we don’t even have a situation that is stable. We have a situation that is getting worse. When we talk about nuclear security culture, we talk in terms of boxes: organization, workforce, government, educated organizations. I would like to attract your attention to some really useful facts that run against this antiseptic way of thinking about nuclear security. The nuclear fuel cycle is far more complex than what we see depicted in boxes on a piece of paper: Here is the uranium mine, here is enrichment, here is fuel production, here is the power plant. This is what it really looks like. But that is only the material flow in the nuclear fuel cycle. I won’t go into this too much, but now think about the real world. Each of these boxes has people, has a workforce, has an organization, has legislation, has regulation. All that is what we want to address by instilling nuclear security culture. When we have a nuclear plant operator and a person with a gun in front of him, more than material factors is at work. There is more than meets the eye in these boxes in a chart. But what is a characteristic of what I would call a successful nuclear security management system? First of all, managing security is not a static process, it is a dynamic process. The threat changes, technology changes, perceptions change. Second, if we apply this to one sector only, we are missing several other sectors where it should apply as well. We need to address all of them. We all know that a chain is only as strong as its weakest link. Third, it is all very well when we compile a beautiful design basis threat and say: implement that. But if we don’t have the money to pay wages from last month or procure the equipment and training we need, the best DBT will fall short. We feel we’ve done our bit, we’ve accounted for all the security aspects we can, but reality is different. We may give our security force a detector this year, but will they have the money in five years to have it serviced and repaired? So we have to take reality into account in terms of economic constraints. And turning to nuclear security culture as an example, we will propose a concept called the AHARA principle, which is equivalent to the ALARA principle in radiation protection. We want security “as high as reasonably achievable,” radiation “as low as reasonably achievable,” making allowances for economic and other constraints. Now the task I was given for this panel was to comment on the question, “What are the universal principles we think we could agree on?” Well, I see two preconditions before we talk principles. The first precondition is this: all stakeholders, and I mean all of them, have to acknowledge that there is a security threat to this complex. If we don’t have any common grounda common understanding of why we should be concerned and what we should be concerned aboutthere will always be a disparity in our camp. Some will want to do more, some will want to do less, until we do nothing. The second precondition is: Who is going to inform us about this threat? Is it an NGO? Is it a government organization? Is it an international body? We need a credible source which has the reputation, without bias, the charisma of being recognized as a neutral program. Only then, I think, can this message be effectively tailored to governments, organizations, operators, and the workforce. Otherwise some of the people will interpret any message about security threats as panic. Others will say, “we are doing everything we need to do anyway, there is no need to do more.” The tension between these extremes will not create an efficient security culture. So we must meet these preconditions. If we meet them, then there are certain properties or principles I think we should be able to agree uponall of us, whether we are from Brazil, Indonesia, or some other country. The first might be called the
Transcript of Workshop Proceedings, Day 2 Moderated Discussion
87
“justification principle.” Officials have to justify why they spend taxpayers’ money, and they have to justify why they introduce new legislation or regulation. I can think of an equivalent of the justification principle in radiation safety, where the threat of radiological contamination provides the motive force for laws, regulations, and resource allocations. Similarly, we will only tend to nuclear security if we believe there is a threat; the threat justifies an action. So the first principle is the justification principle, which means justifying legislation and regulation that reflect our international consensus on what is needed in the security realm. Principle number one. Once you’ve agreed on that, everything else follows. You need to implement, you need practically applicable guidance, you need the financial means, you need control. All the regulations in the world are no good if you are not able to control them. This applies to all the different boxes in the nuclear fuel cycle, not just the one that happens to be fashionable, trendy. You need to see whole different boxes. Once you know what you should be worried about, you will see that you need to do something about it, and you will probably see what that something is. Now in radiation safety, we have a second principle, the “limitation principle.” This involves limiting exposure to sources emitting hazardous radiation. I can see the same kind of principle in nuclear security, which means I’m attempting to limit the threat using an approved methodological approach, whether it is DBT or not, whether a country chooses another method or not; those are legitimate subjects for debate. But I would say that for principle number two, we need an internationally accepted methodology to assess the threat. Now that you know how to achieve security, you must communicate this message to those who implement it. So we have a third principle in radiation protection, called the “optimization principle.” But how to achieve optimal communications with stakeholders in security? Well, we do it by crafting a persuasive message and communicating it to the facility manager, to professional organizations. Principle number three means that the threat has to be communicated in a way specific to each target audience. The target audience ranges from the professional organization, to the facility operator, to the workers. This credible commitment, I call it, has to encompass all the different components we talked about. On the concrete level, some questions to ask: how do you train, what kind of software do you use, and how do you measure the effective of your training? The last principle derived from radiation safety is the “communication principle,” and it primarily involves communicating with the people who are working on the ground. It focuses on the workforce. I’m worried about the old saying that there are too many chiefs and not enough Indians in security. This saying holds considerable truth. It’s all very well to have beautiful mathematical schemes to design security systems. It is all very well for us to install support programs for customs and border guards, and even outfit them with high-tech tools. But if that border guard is making $100 a month and the average bribe paid by a company last year in Russia was $200,000, I can imagine that a customs officer or border guard could be persuaded to turn that hightech toy off at a critical moment. We need to communicate the responsibility that goes with the job and reward security personnel accordingly. Our message will loosen unless we show our appreciation for what they do. They are the most important line of defense, at the border, at the airport. These pillars are universally applicable, holding true for a Brazilian customs officer as much as for an Indonesian customs officer. So those would
88
Transcript of Workshop Proceedings, Day 2 Moderated Discussion
be my suggestions of universally applicable elements of security culture. I think they are not too remote from the concepts used for radiation protection, where we justify why we intend to do something, then say how we will do it, then optimize our efforts to the situation, then impress on the workforce the importance of doing it. Participant 1: That was an excellent lead-in to what we are going to be talking about. What I heard was that this is a very complicated industry that we have, and we should not forget it. We draw a simple diagram and it applies to lots of different parts of the industry. He said that in any design basis threat analysis, appreciating that you are vulnerable is an essential, universally valid tenet of nuclear security culture. I think we are in agreement on that. He said that it is important to communicate this appropriately, and I think that would be an excellent additional box to put in our diagram of security culture. To me the universal truth embodied in this principle is that it forces us to consider how we should communicate the reality of the threat to everybody. He also said at the end not just to communicate this to a manager but to get it down to people on the working levelsguards at the gate, guards on the borderand communicate all the way down and involve people on the very bottom. As we start identifying these universal elements, I would like to ask some of the members of the committee that agreed on this structure to tell you in just a few sentences one of their favorite universal concepts of security culture and I’d like Participant 3 to be first. Please tell us in this model what universal element is important to you. Participant 3: [Declares that people are a universal principle of security culture.] Participant 1: Excellent. If I were to put one or two words in front of what Participant 3 said, he would say a universal principle is people. We sometimes think of equipment, but when we are talking about security culture, a universal principle is people. Participant 4: I would like to support what Participant 3 said about the research regarding the NunnLugar Program and the Global Partnership, and I may go beyond the three sentences if you don’t mind. Participant 1: All right, four. Participant 4: You know, when the Nunn-Lugar Program was launched, it was under the pressure of the Soviet Union disintegrating. If you look at the makeup of the Nunn-Lugar Program, it has two tiers. The first tier was the immediate tasks, and that was to take care of the hardware because material shortfalls posed a real threat. The second tier, which was formulated rather vaguely, was to promote nonproliferation. So that leaves us a lot of latitude to think about how to invest in the human factor and to push our leaders to think in terms of the human factor.
Transcript of Workshop Proceedings, Day 2 Moderated Discussion
89
If you take the G-8 Global Partnership, it was adopted under the pressure of global terrorism. The people behind the Global Partnership thought in terms of taking immediate action against terrorists rather than investing in the human factorthe people who are supposed to protect sensitive materials. So what I am saying is that existing texts, if we interpret them correctly, give us a chance to urge our governments to think in terms of the human factor. The human factor was involved in these texts from their inception, but it received too little attention and resources because investing in the human factor is not easily quantifiable. The people who design and implement such programs have to report to their parliaments, to their constituents, and it is much easier to provide a list of the number of warheads, tanks, or missiles destroyed than to report to them that we invested in the minds of people. You cannot quantify that. This is a problem. Participant 1: Good, and I think that represents support for Participant 3’s comments. You’re saying that we are essentially in the second phase of this, when we can look at things from a cultural standpoint, and then you said that people are very important.
Participant 5: I would like to add to what last speaker just said, because it’s taught me one thing. One area where we have already done a lot is in recognizing the human factor in culture. We came to that recognition in the early 1990s, around the same time the Nunn-Lugar Program made its debut, and we established the International Science & Technology Center (ISTC). The ISTC was founded on our recognition that there were 60,000 peoplenot infrastructure, but peoplewho were capable of doing really bad things unless they were given other, new opportunities in the new Russia and under new circumstances. This was in fact one occasion when it was possible to quantify the human impact of our efforts. New opportunities, new education, new instruction, and so forth were actually quantifiable. While it may have represented a small percentage of the overall assistance effort, we were doing something concrete, even though it did not involve measurable activities such as the destruction of missiles. We offered employment to people. So this kind of thing was done to a certain extent early on, and the ISTC experience is worth keeping in mind and maybe building upon. Participant 1: Thank you for saying that this first phase did not focus quite as tightly on equipment and measurable events as Igor perhaps implied. That we in fact did feel the human side. Let me turn now to Participant 12, who was also on the IAEA’s working group, and ask her: what is an important universal principle of security culture to you? Participant 12: A good security culture promotes performance. It enhances the performance of the security system. There are ways to make what we’re doing quantifiable. I guess we need to go back to structure and managementto quantify the impact of our endeavors through lessons-learned programs. There needs to be a continuous process of improvement.
90
Transcript of Workshop Proceedings, Day 2 Moderated Discussion
Participant 1: Excellent. I really heard two in there. One is consider doing things that are measurable. And then clearly another is to apply lessons-learned across the nuclear industry to improve security culture. Thank you. Participant 6 was also on this team. Would you tell us one of your favorite universal principles of security culture? Participant 6: Thank you. You mentioned one of them already. As others have stated, management commitment is critical, and so is the conviction throughout the hierarchy that there is a security threat. This is not just recognition in the abstract sense. I think there needs to be a formal process within the organization which documents security threats and provides a communication path to the rest of the people, allowing managers to convey the message that they’re actually buying into this. Management also needs to put in place a management process to convince the staff that security will take high priority when the organization plans, establishes priorities, and allocates resources. We not only need to support our employees, but also reassure them that, when that piece of monitoring equipment breaks down, it will be repaired right away. We will not let it go and force the staff to work without equipment. We’ve got to show people that we are serious and that we will take their feedback. As someone said, we call that a learning organization. We learn to question what we’re doing, learn from our experiences, and then go back and fix it. And then we go back and make sure that the corrective measures we put in place are actually achieving our objectives. That continuous learning process is very important. Participant 1: Let me just say a word about what last speaker said. He started by saying that having a gut feeling that you are vulnerable and that there is a threat out there is very important. Then he said management needs to make sure they fund the response to this vulnerability, that you have to have adequate resources to respond. Those are two points he raised; maybe there were more. Question: Yesterday we talked about a number of pieces of the system, but I didn’t hear a lot about information securityboth cyber security and your internal records, whether they are paper or digital. Participant 1: With regard to cyber security and paper security, there must be management systems in place that reflect the security of information. If such systems are not in place, then I would say that suggests you don’t believe you are vulnerable. And so that would be an important part of security culture. Thank you. Comment: I wanted to mention something that seems to be very universal. Of course it relates to the human factor, because most of the elements of security culture are related. This is the attitude towards security. In your diagram, it does not matter if one takes a topdown approach or a bottom-up approach; the attitude starts from the government and ends with personnel on the ground. And the attitude is something universal, because it
Transcript of Workshop Proceedings, Day 2 Moderated Discussion
91
does not matter how you create the attitude for different kind of people, depending on their education, their position, or their profession. The proper attitude can be created by education or by orders. If your subordinates are military people, you just need to issue an order and the military follows. It depends on the people, but the attitude should be created. I can give you a very small example: imagine a nuclear site. All the people entering this site or even living around the site should have the necessary attitude toward security, starting with workforce personnel and visitors, and ranging all the way up to the top management of the site. Creating security measures creates a big burden for all of us. They are annoying. No one likes to be subjected to searches or delayed at the gate for “stupid” procedures such as checking passes. So these security measures should be followed up with efforts to cultivate a healthy attitude toward security. If management has not created such attitudes, you will be tempted to break the rules when no one is watching you. If the system allows you to break the rules, control is not strict enough. And if you observe security problems or see your colleagues breaking the rules during your everyday duties but deny this is your business, you do not have the right attitude. You cannot or will not report to the right person if you see something wrong, and security will suffer. And finally, I want to return to the statement Dr. Nilsson made yesterday about the aviation industry: that most travelers now have the right attitude toward security precautions at the airports. We understand the need for security screening to ensure our safety. We follow the rules at the airports, even though they are annoying. Thank you very much. Participant 1: Excellent. The key word in this statement was the attitude of all the people. This attitude runs from the government all the way down, even to the people who live in the surrounding neighborhood and the people who work at the site, the laborers. All of these people should have a good security-culture attitude, although the way you instill this attitude is different for different groups of people. It is a function of who they are, and what kind of management they respond to. So attitude is important, and then you need to consider how to instill that in various groups. Thank you. Let me go to Participant 7, and then to Participant 8. Participant 7: It seems to me that a key element, and possibly even something that could be rated when we evaluate security culture at a site, is: how do you motivate the staff to take security seriously? Why do people take security seriously? It is for one of two reasons: either because they’ve had the threat communicated to them in a credible way, or because they’re rewarded for taking security seriously or punished for failing to take security seriously. It seems to me that in this model you can rate an organization, number one, on the degree to which it has processes in place to communicate the threat and the importance of security to every employee, and, number two, on the degree to which it has measurable ways to reward good security performance and punish poor security performance. Participant 1: I just heard two elements. One was, how do you communicate this threat to everyone, and the other was, how do you make sure they take it to heart? It may be rewards, or it
92
Transcript of Workshop Proceedings, Day 2 Moderated Discussion
may be punishment, but it has to be appropriate to the people and the management system. You would like to measure an institution by the way management communicates and the kind of incentive system it puts in place. Thank you. Participant 8: Thank you, Paul. I would like to underline the need for communication. From my point of view, if you look at these different boxes in the security-culture diagram, it is very important that communications between these different boxes flow in two directions: from the top down and from the bottom up. Both the manager or shift leader at a nuclear facility and the guy in the government writing draft directives for the nuclear industry must accept the importance of security and know why they are spending so much time working on it. This demands communication extending throughout the hierarchy. Remember, around 1996 or so, we started to install protection in our nuclear research centers. It was unclear to scientists, to professors, what they had to do. They had to show a pass, they had to identify themselves. For what, they asked? Impressing the importance of security on them verged on impossible. On the other hand, government may believe that everything is possible in our effort to safeguard our nuclear complexthat it is possible to protect against everything. (Unfortunately, governments don’t pay for perfect protection, but that’s not the point.) But these are all unnecessary complications, and they all stem from deficient communications. This is what I want to underline. Participant 1: Excellent. The key word here is communication, both down and up. I think the last speaker saw these lines on our diagram pointing downward and thought the diagram implies that the government communicates but doesn’t listen to what comes up. And that’s a very good point: Communication must go both ways. Thanks. Participant 4: I may be wrong, and it may make our mission more complicated, but my understanding of our discussion thus far is that we agree that, at the very beginning, we were fascinated by automation and equipment as a remedy for everything. Then we suddenly realized that human performance is really lagging behind. Thus we are well advanced in terms of technology, but we remain backward with regard to human performance. So would it be better, for the sake of coming up with something more specific, to divide human performance into specific stakeholders, and then identify what may be important to each group of stakeholders? We talked about responsibility and about horizontal and vertical communication. If you can depict these things on a chart that includes specific stakeholders, it may accurately fit with reality and help us make a very specific list of things we regard as universal and important. Participant 1: Participant 4 is saying that our chart may be a little different for different kinds of stakeholders, in different areas of the nuclear industry, and that the principles of communication and other things may vary based on different stakeholders. He wants us to make these distinctions. Thank you.
Transcript of Workshop Proceedings, Day 2 Moderated Discussion
93
Participant 9: Thank you, Mr. Chairman. To me a very vital point that was addressed a number of times in yesterday’s presentation is that we should see technical safety and security in precise terms. What we want to achieve is to prevent damage to the health and safety of the people, to the welfare of employees, and to the environment. It doesn’t make any difference whether radioactive substances are released because of a technical failure or because of a breach in security. One thing we should keep in mind is that requirements and decisions pertaining to safety and security may be contradictory. What may be beneficial to security may impede safe operations. This should be taken into account. Also, in my understanding, to a degree the same principles apply both to safety culture and to security culture. My point is that safety and security measures should be dealt with and should be decided under a common point of view that ranges from the lawmaker to the regulator to the experts and workers on the ground. Participant 1: The commonalities between safety and security should not be forgotten. It is very important. I think we heard that yesterday. And we should acknowledge that there are sometimes contradictions between safety and security. This diagram that we use here should be very close to the one that has been used in safety, and those are three good observations. Participant 10: Thank you very much. At this stage of our discussion I think it is necessary to write some points which are important for everybody. I think it is time to think about criteria for evaluating institutions at the cultural level. I believe there are two levels that form a security culture: the country level and the facility level. At the country level, to assess the security culture, I think we need to take on some parameters like political commitments and treaties and conventions agreed to by states. This gives us some parameters to assess security culture at the level of facility managers and operators. Participant 1: Last speaker mentioned one thing, mentioned a lot of things, but in particular I think he said that there are two ways of looking at this security culture. You look at it from the country or large standpoint, and then you need to look at it from the facility standpoint. Probably we have looked at engineering systems more in the past than we have looked at “people systems.” When you start looking at people systems at the facility level, you should start looking at the responsibilities of these people and make sure you deal with them appropriately. That is an important aspect. It is for exactly that reason that the paper that Dr. Nilsson has now includes both of the diagrams. Thank you. Participant 11: Thank you. I come purely from a safety point of view and not from a security point of view, and I see a lot of parallels between what we are talking about here and actual safety culture. Many issues you raised here this morning have been dealt with on the safety side. What I will say, though, is that changing beliefs with regard to safety demands a systematic approach to safety: identify a hazard and mitigate the consequences, making everything very clear to the plant operator and the rest of the
94
Transcript of Workshop Proceedings, Day 2 Moderated Discussion
workforce. What I see here, as sort of an outsider, is that I don’t actually see any sort of criteria for security culture. I don’t see anything that is systematic like safety codes. We need to provide systematic guidance on how to make judgments, factoring in considerations such as how much harm you are likely to do by taking or failing to take certain actions, or the consequences of failing to install a certain system or piece of equipment. You must be able to demonstrate these things clearly to the operator and the staff. In mitigating consequences, I can see a parallel to safety culture, but I see some blocks missing with regard to documentation, criteria, and support.
Participant 1: Thank you. The statement was that safety culture is much more structured and that there are criteria out there in safety culture that you don’t see in security culture. I think we certainly recognize that first we need to define the concept, and then, once it is defined clearly, some of our next steps are going to be setting criteria and devising an evaluation mechanism. We’re ten years behind where safety culture is, I think. But safety culture has gotten there and has given us guidance. Participant 12: Maybe this falls more under the discussion of technical criteria than the discussion of universal principles, but what struck me about Participant 2’s presentation was this concept of justifiability. It seems to me that security planners tend to take for granted that certain kinds of material are present at a given facility. Rarely do they ask whether it is justifiable for that kind of material to be at that kind of facility in the first place. Making a cost-benefit judgmentbalancing what that facility gains from having that material against the risks and the costs of mitigating those risksstrikes me as an important element in the management box, perhaps on both of the security-culture charts. For example, requiring cost-benefit analysis would require us to make value judgments about the justifiability of operating research reactors with highly enriched uranium when we can accomplish our goals with low enriched uranium. It is not clear to me where that sort of judgment call fits into these charts. Participant 1: The statement was that organizations should normalize their security to the point where everyone has sufficient security for the material that they have. And you say that, in cases where operators cannot apply enough security, then maybe they should not be operating. Did I get that right? Participant 12: Not quite. Participant 1: Not quite? Okay, say it one more time in one sentence. Participant 12: The point is to evaluate whether the benefits of using certain materials justify the risks associated with having that material. Then you should question whether you can attain the benefits without incurring the risks.
Transcript of Workshop Proceedings, Day 2 Moderated Discussion
95
[Russian speaker: Notes the importance of motivation, which can lead to quite different organizations even if they are identically equipped.] Participant 1: You said one key to securityone was motivation, how inspired the staff is to perform physical security or security tests. Organizations A and B may have the same equipment, but one may be more motivated to put in place this security culture. Thank you. Next? [Russian speaker: Highlights disparities among national cultures and urges the participants to make the security-culture model flexible enough to accommodate national differences.] Participant 1: He started out by saying that security culture should be systemic and that it should incorporate differences in national culture. Russian, Chinese, and other different cultures have different emphases on people, and when we come up with a model it should accommodate these different cultures. Then he went on to talk about some other things of interest to you, but that’s what I remember. Next? Comment: Thank you very much, Mr. Chairman. I would like to take a simple approach. I will call this a systems approach, using a simple soldier to illustrate. The systems approach using a simple soldier consists of only three components. The first component is the soldier’s mind. The second component is the gun. The third component is the target. Okay. If you want to be sophisticated in this human factor, you should analyze the soldier’s mind and his weapon. Both of these could be liabilities. So you need to build up the human factor, and make sure the gun, the communication system, and all the other hardware are in good working order. But there is a difference between security and safety. If you are talking about security, the target is a living target. The target is also a man with a gun. And this is in opposition to safety. The “targets” in safety measures are human failure and hardware error only. These are passive things, but the targets in security are human beings, intelligent human beings who can use guns. What is important is the following: that the target can interact with the human factor on your side. The target can influence the human factor, and this is a very, very important factor. We need to think deeply about this. Thank you very much. Participant 1: The statement used a simple soldier to convey the elements of security culture and safety culture. Our discussions must include the humans, the man, and that’s the human-factor side; the equipment that he has, that’s part of security culture; and also the targets and how these interact with the human factor. We must not forget this interactive dynamic. Okay, thank you. [Russian speaker: Urges the participants to take the long view of security and security culture.]
96
Transcript of Workshop Proceedings, Day 2 Moderated Discussion
Participant 1: The comment was, we should think long term about this field and not just look at immediate challenges. The speaker gave an example, pointing out that threats to nuclear security may be very low if you take a short-term view, so you might be tempted to conclude it’s not a problem. But looking to the long term, the threat is much greater. Whatever we do in the field of security culture, we must look ahead. Good. Thank you. Participant 4: I’ve been considering security culture. We need to understand one important property of security culture: that it conditions the entire workforce to expect the unexpected. And I think this is the most important part of security culture because it trains people to expect the unexpected. According to one methodology, there is a known unknown. It means that we understand that this threat may materialize and we don’t know the timing or the scale of the threat. There are also unknown unknowns, things we cannot predict, and even the best equipment or automation is really helpless in the face of these. But a workforce imbued with the spirit of security culture can always react to these completely unexpected threats. As we talk about the value of security culture, we should keep in mind that this is perhaps one of its most important properties. Participant 1: The last speaker is saying that there will always be some unknowns in this equation. However you structure your security culture, therefore, you should recognize that unusual, unknown things are going to happen. The workforce must be prepared to respond as best it can, improvising when unknown things occur. Participant 13: I think if I had to define a single guiding principle that is most critical to security culture, I would actually define three principles that are so interrelated that they roll up into one. Those would be honesty, integrity, and responsibility. You can have lackluster leadership; you can even have mediocre equipment. If these things fail, they don’t fail suddenly. Having lackluster leadership or having mediocre equipment does not lead to an immediate failure of the security system. But if you don’t have honest operators, if they don’t have integrity, if they don’t accept responsibility at any of the critical junctures in a very complex model or process, than there are numerous opportunities in that model or process for a failure to take place. Any single one of those points can fail, leading to an overall failure of the system to secure the site. Participant 1: Thank you. That amounts to a very strong statement about the perils of corruption and the effects corruption can have. He is saying that if people are honest and responsible, then the country will rank higher on the corruption index, making the whole security culture better. Comment: As a physicist, I like numbers, and I couldn’t agree more with what was just said. To put this into a real-world context, if you list the top three segments of society that are susceptible to a lack of honesty and susceptible to bribery, you unfortunately see academics and higher education in the number three spot. At number two, you have the
Transcript of Workshop Proceedings, Day 2 Moderated Discussion
97
military. And most disturbingly, you see both together in the number one spot, control and inspection. Nine hundred billion dollars changed hands last year in bribery. If you want to have a list of priorities for training, therefore, these are the three areas one should focus on: higher education, the military, and control and inspection. I would like to make a constructive suggestion as well. I come from the radiation protection community, so I share the view, common among safety specialists, that we optimally need a numerical yardstick to measure against. My suggestion would be to develop a yardstick to measure security-culture achievements. It would quantify the probability of a loss of control over the facility or nuclear materials. Now, since this is a political/social-scientific discussion, my suggestion would be not to deviate too far from how we approach radiation protection. We say that, if the probability of an event leading to an uncontrolled release of radiation is ten to the minus six, that’s safe. No problem; it’s okay. We can never make the probability of an accident or manmade hazard zero. If the probability is somewhere between ten to the minus four and ten to the minus five, then we start acting. Depending on the desired outcomes and our methodology, what is our policy on intervening? Should we post extra guards? Install extra walls? And what is the cost associated with each action? So we conduct risk-benefit-cost analysis. Once the risk rises to ten to the minus three, we believe that we no longer have any choice; we must act. Whether this applies to security culture, that is a political question, so somebody else can decide about that. But this methodology allows us to assign a number to the performance of your security precautions and security culture. Thank you very much. Participant 1: The argument that our friend made is that, once the concept of security culture is defined, and as it becomes more understood, he would like us to move toward an analytical framework to evaluate security culture. And then we would make judgments based on numbers, just as a good physicist would propose. Participant 14: Back to the subject of the security-culture diagram. We identify a threat or the indication of a threat. We have a security culture to install to meet that threat. But other governments, not just our own, should also be involved in our actions. To safeguard our facilities, there should also be a promise or commitment from other countries to help develop and reinforce our security culture. Participant 1: Yes. It’s important that the government (speaker corrects him) other governments appropriately support security culture. We have five more minutes. Participant 15: First let me voice my appreciation for the discussion that has taken place this morning; it has been very interesting. In hearing this mix of lectures on security culture and points brought up during the roundtables, I believe there is one dimension not yet mentioned, and that is communication with the public. There has been, I think, some communication on this topic within the community of nuclear specialists, but not much outside. The public is concerned with nuclear security. They have a legitimate need to
98
Transcript of Workshop Proceedings, Day 2 Moderated Discussion
know that we are addressing these problems. We should also convey some of the guiding principles for our actions. Public communication recognizes another complication, which is that when we speak about nuclear security culture, we are referring to nuclear security narrowly construed. The discussions here have been quite concentrated on site operators, and I believe it has to go beyond them. In a simple parallel, we can refer to the already existing safety culture. Safety culture demonstrates clearly that we have to look beyond traditional operators. When there is a radiological release, the radiation will affect the people and environment, irrespective of whether the release is caused by an accident or a security failure. The actions we take are not that different, even if it is an accident and not a manmade incident. I also wish to express some skepticism over the proposal that was made to estimate the probability of a security breach. I think we can calculate probability when it comes to accidents. We know the materials; we know the machinery and how often it is likely to fail. But if we start moving out now and putting numbers on this, we could easily come to a position where we get conflicting priorities. I am concerned that trying to assign numerical benchmarks will deflect us from our purposes, because culture does not readily lend itself to this kind of measurement. Participant 1: You all heard last speaker’s statements. She thinks we’ve been talking about communication up and down but neglecting communication out to the public, which is also very important. She also said accidents don’t just affect nuclear facilities but can spread out to affect the surroundings, and she pointed out that our response actions don’t differ dramatically between accidents and security incidents. Then she was reluctant to support efforts to find a way to evaluate security numerically, because it just may not lend itself to that approach. It is exactly eleven o’clock. I know everybody wants to say more. Your comments were excellent, and most of all I appreciate that you held your comments to a few sentences. It saved me from having to stand in front of you and turn your microphone off. So, I think your comments were very useful, and we recorded all of them. I think we should celebrate the end of this roundtable, and we’ll come back at eleven fifteen for the next one. Give yourselves a hand.
Transcript of Workshop Proceedings, Day 2 Moderated Discussion
99
Day 2, Session 2
Participant 16: Ladies and gentlemen, let us continue our discussion. We still have one hour before lunch. I would like to thank the sponsors for such a professional arrangement of our discussion. I will try to lead the discussion in a professional manner for the rest of this hour. Before continuing the discussion I would like to address all participants and ask them to speak clearly and slowly in order to facilitate the work of the interpreters. This way, the interpretation will be easy to understand. In reference to the discussion, let me suggest how to continue this discussion. For the past day and half we have discussed the issue of security culture. We convinced each other that this problem exists and that it is made up of certain components. We need to come up with recommendations in order to address this problem. I recall from yesterday, at the beginning of our working day, the presentation of General Habiger, who said that it would be beneficial for us to go home with certain practical results. Let us try to focus specifically on this. I would like to give you the following illustration. I ask you to treat this only as an illustration. The institute that I represent specializes in training specialists for Rosatom in a wide range of practices. There are more than forty specializations. One of these specializations trains personnel for nuclear submarines. This training program is meant to last approximately one thousand hours. We work in two of our facilities, one in the east and the other in the north, for nine to ten months preparing each group. Let us imagine that I have two teaching programs on my desk which must be approved. The purpose of both of them is to accomplish the task of removing obsolete equipment from reactors. One program solves this very task. It provides technical instructions on how to implement the program. The second program solves this task as well, but it does so with an eye to the task of security. What is the difference between the two programs? They differ in the way they solve the problem of security. During the next available hour we need to focus on the human aspect of nuclear security and figure out what needs to be done in the area of the human factor in order to improve nuclear security in Russia. During our discussion, the goal will be to create concrete solutions for improving nuclear security culture. Now I will ask my colleague to make a presentation about the role of the human factor in the nuclear industry. He is an expert in this area. He will express practical solutions for how to deal with the problem of the human factor. This is a presentation about the issue of safety in the professional world. The challenge that we Russians need to face is the transition process to a market economy. The entire nuclear arsenal of Russia still belongs to the federal government. Therefore, it is important that we develop a way to assess the quality of human resources and the employment of qualified specialists. I would like to speak about these two aspects of safety culture. First, I would like to say that the professional culture that we have known for the past forty years consists of systemic employment and a systemic approach to the requirements for qualified employees on every level in the industry. Next, we will talk about the requirements of safety culture for every level of employees (lower-level employees, supervisors, and
100
Transcript of Workshop Proceedings, Day 2 Moderated Discussion
managers). An essential aspect of this activity (safety culture) is the physical safety of nuclear material. This aspect is part of the category of corporate culture. What are the features of this aspect? For the past four years, these features have been researched, studied, and assessed by a U.S.-Russian team. The Russian side included representatives of numerous institutes related to the nuclear industry (I am not sure about the names of the agencies). Institutes involved in this effort specialize in training personnel in our industry, certifying the qualifications of managerial personnel, and training personnel in materials accounting, control, and physical protection. Key challenges in the area of materials accounting, control, and physical protection are creating a worker-friendly atmosphere at work and creating good individual relationships between workers. These two aspects are essential for working in our nuclear facilities. Common mistakes made by workersthis relates only to the Russian nuclear industry, taking into consideration Russians’ mentalityinvolve failing to keep documentation. In the West it is very important to keep records, as it is part of international standards of safety. However, our mentality does not require accurate and scrupulous documentation. This is why our group came up with four rules to enhance the safety, control, and accounting of nuclear material. The first one is that a worker must be familiar with his work, functions, and responsibilities. Every worker must meet this requirement at a minimum. If a worker is unfamiliar with his work and functions, he cannot be responsible. The second rule is for the worker always to be able to work. He cannot relax. He must always concentrate on his work and not be distracted by external problems (such as personal problems). The third rule is to work professionally. This includes not only disciplinary aspects, but also cultivating respectful relationships with fellow workers. For instance, workers should treat each other formally and call each other Mr. or Mrs. The fourth rule is that each and every worker should report any mistake made during the work process. This is very hard for a Russian person to do, but failure to report mistakes must be a basis for termination or punitive action. Control is needed for safety culture. Who must exercise control? Supervisors must carry out this function. Supervisors, like common workers, must carry out their functions and be responsible at work. If supervisors are not good examples to the workers, we cannot expect good performance from the workers. It is more challenging to educate adults than children. Therefore, it is a daunting task to train supervisors. In order to enhance the safety culture, we must not only enhance operators’ technical proficiency and the ability of workers to work with the equipment, but improve professionalism and morale among the personnel. We must make sure that personnel are aware of what nuclear security culture is. Workers must also learn from one another’s mistakes. Learning a proper security culture needs to be a constant and systematic process. Along with this, personnel qualifications need to broaden. Motivation of workers is important. They should be rewarded financially and they should be promoted for good behavior. There is a method to measure the level of security culture; the name of this method is self-assessment. When we assess, we need to understand the independent variable, namely why the security culture is weak or robust in certain situations. We can also conduct an independent assessment. This consists of creating a team of expertsthat is, an expert committee. The expert is like an assistant who comes in, figures out what the problem is, and offers suggestions on how the security culture can be improved.
Transcript of Workshop Proceedings, Day 2 Moderated Discussion
101
As I mentioned, motivation is an important element. Supervisors should figure out what the workers’ needs are and use them effectively. If the personnel are unmotivated, then orders issued by supervisors or managers will be left incomplete. There are two types of satisfaction: internal and external. Internal satisfaction motivates a worker to enjoy what he does and look forward to the next day of work. External satisfaction is felt when colleagues, management, and even governments reward the worker for his good performance. In conclusion, the human factor is of key importance because overall performance depends more on human performance than on equipment performance. Financial reward must be provided by the government, which controls public funding, and not by supervisors. The reason for this is that workers need not minimal financial compensation (especially in the atomic industry) but compensation sufficient for them to live well. Since 1994, my institute has been dedicated to increasing the qualifications of managers and CEOs from different companies. Every person we have trained has gone through special training on nuclear security culture. We have greatly improved our training in this area. One piece of evidence that our efforts have borne fruit is the growing number of people who are interested in the topic. There is a fundamental difference between security culture and safety culture. Safety culture has to do more with the technical aspects and physical security aspects of nuclear operations. Security culture, on the other hand, depends on the individual human being’s mentality and his contribution to the work he does. Oftentimes supervisors and managers are not interested in learning about security culture. They need to be motivated in order for them to listen and learn about this topic. Sometimes they don’t even know the definition of security culture. Therefore, we need to come up with an exact and accurate definition of security culture. Also, we need to motivate supervisors and managers. As a result of this motivation, the workers will be motivated as well. The way the general professional community sees us depends on this. If we want representatives of other industries, the media, and the government to listen to us and contribute to security culture, we need to come up with a better definition. I would like to speak about the issue of communication. We here represent a limited number of people who understand what security culture is. Instead of security culture, let’s say protection culture; I like this term better. I have been involved with the notion of this culture for several years. The problem is that all these definitions that we give are hard to grasp and are often neglected even by management. When I come to management and say that I came regarding nuclear security culture, they say, “Thank you and good-bye.” When I continue and say that I come to increase the nuclear security culture, they react differently. When I tell them the strict definition that we have, they do not grasp it. We must come up with a definition that is easy for management to understand, because our progress depends on their understanding and on how they implement security culture in their industries. It is important that we promote security culture not only in the nuclear industry, but in other spheres of society as well, such as the media, social organizations, and the government. We need to understand clearly that their acceptance of security culture will depend on how we disclose it to them, how we promote it.
102
Transcript of Workshop Proceedings, Day 2 Moderated Discussion
Investing in security culture is not a waste of time and money. By investing in security culture, you also invest in the overall culture. Taking into consideration our task of coming up with specific results here, let me suggest the following approach: we have professional culture and security culture. There is some overlap between those two. So, it would make sense to figure out what these two cultures share, their common values and tools. This way we will understand how they work together. As we look at what is outside of this overlap, there are two categories that we must identify: principles, values, and tools that can coexist with each other without any difficulty, and the principles, values, and tools that may contradict each other. We need to transform those that cannot live together so that they can coexist with each other and work together. Let me ask this question of everybody: taking into consideration the Russian mentality, our economy, and the present state of physical nuclear protection, what are some suggestions you can give us? Also, is there a definition for international security culture? A number of speakers here, especially those who represent Russia, have emphasized the value of financial reward. Also, they focused on how to promote security culture, namely how to encourage workers to implement the elements of security culture. More important than that, I would say, there needs to be strong leadership from top management down to junior supervisors to promote security culture. From past experience, I have realized that these two elements are complementary and that one cannot exist without the other. Financial reward sometimes is not enough to encourage workers to implement security culture satisfactorily. We have talked enough about the material side of this issue. But there is another thing we need to take into consideration, and that is the wide age range among the workforces at our nuclear facilities. There are older personnel who have worked in this area for years and have developed experience as well as responsibility. There is also a younger generation, those up to thirty years of age. They do not understand the significance of security culture and do not exercise responsibility. There is a need to train and educate this younger generation so that they can contribute to this notion of security culture. Those from thirty to forty represent the leadership in our facilities. They are in the middle category. When it comes to motivation, we need to approach those age groups differently. One mechanism that might support this notion of continuing education or ongoing training, complementing Igor’s comments about the intersection of security and professional culture, and that is professional organizations. I’m a particular fan of organizations such as the Institute of Nuclear Materials Management, the National Nuclear Society, and other kinds of professional affiliations that allow professionals to interact with one another, share experiences and best practices among themselves, and conduct workshops for ongoing training. There is also an ethical and moral component that goes along with being a member of a particular profession, helping foster an ethical environment. This is like wearing a ring that represents your institution and reminds you of certain ethical responsibilities you should follow. A moral environment also needs to be created in the professional setting, but may be a little harder to accomplish. I was interested in the discussion about paying the guards at nuclear facilities adequately and about punitive sanctions that may be applied in case of non-compliance. Organizational studies conducted over the years have demonstrated the ineffectiveness of both of these methods, below some extraordinary level. By contrast, leadership,
Transcript of Workshop Proceedings, Day 2 Moderated Discussion
103
professionalism, and a belief in the mission can spur people to go the extra mile. It all comes down to the mentality that I don’t just work here, and it’s my responsibility to make a difference. Sometimes strong leadership that creates a sense of purpose may be the more effective of the two aspects that I mentioned in the beginning. A guard’s sense of duty does not need to be created by fear of punishment. A decisionmaker needs to base a decision on considerations such as the degree of risk, the benefits of various strategies, and how much these strategies cost. This is an empirical approach, a numerical analysis of the probability of events. We need numerical criteria in order to make decisions. Decisions on training, wages, the cost of weapons, whatever. I don’t have the solution to how to do this, but I’m convinced we’ll have to do it. It is difficult to measure attitude. The human factor in security culture is a matter of the greatest uncertainty. However, there is a way to assess it, and this is by using virtual reality. Let’s talk about corrective actions and mechanisms to ensure correct behavior. There is compelling evidence that a zero-tolerance policy actually instills fear by imposing undue pressure on the worker. This has been reported by workers themselves. Workers see security as an impediment to their daily obligations, as something that impedes their operations. This is how they see the rules that we, the security people, impose upon them. We need to make rules that make sense to them. These rules need to make the workers feel secure when they report a mistake. If we try to achieve security culture only through financial motivations, we’ll never achieve it. We need to establish what’s called organizational behavior. We cannot measure security culture with money.
Participant 4 We will now start session number five, which is about incentives, motivations, and techniques for promoting nuclear security. Later we will have a session moderated by Participant 17 about the evaluation of security culture. We will be offering some ideas, and your contribution of ideas will be appreciated. We will also discuss the definition of security culture, as requested by Participant 15. As we all know, the IAEA has embarked on an effort to develop an agreed definition of security culture. At the end of our conference, we will ask that you give us feedback about whether we should continue this effort to contribute to security culture. Also, we will ask for your evaluations of our overall discussions. The Center for International Trade and Security will take a lead in the future to prepare a series of workshops through which we can, step by step, grow more meat on the skeleton of nuclear security culture. As of now, with no definition whatsoever, I don’t think we even have a skeleton of security culture. In order to come up with a definition and build on it, we need a multidimensional approach with the help of professionals, psychologists, and nuclear security experts. This will be a long-term process, and I would be very happy if you agreed with me that there is a need to support the work that the IAEA is doing in this area. Performance is ability multiplied by motivation. If either one is zero, you are going to have zero performance. In the programs designed to improve nuclear security, we have been focusing on the idea that technology provides capability. Now we need to focus on what is going to provide motivation. People will do certain things for two reasons. The first one is that they think these things are important to do. The second
104
Transcript of Workshop Proceedings, Day 2 Moderated Discussion
reason is that they think they will receive incentives such as promotions or financial rewards for doing these certain things. According to research, only a small percentage of people will violate a rule they think is important, even if there is almost no chance they will be caught violating the rule. On the other hand, a large percentage of people will violate a rule they think unimportant, even if there is a big chance they will get caught violating the rule. This is what I call “good citizen” behavior. Everybody wants to do what they think is important. It is important to inform people that it is dangerous not to comply with security rules and that, therefore, these rules are important. I think that it is also important that we supervisors conduct real situation exercises with employees, so that the employees are more aware of the dangers of not complying with security rules. It is crucial to inform nuclear industry employees about the attempts of terrorist groups to acquire nuclear material. Al Qaeda is an example of such a terrorist group. This group is known for its desire to buy nuclear material from the Chechens, who could have access to Russian nuclear facilities. Another strategy to improve nuclear security culture would be to involve high Russian officials in this process. For example, if President Putin made a public speech stating that nuclear security is important to national security, everyone would take this matter more seriously. Incentives are important at the level of the individual or team. Incentives are designed to improve the performance of individuals and teams. The willingness to reward good performance sends a message that nuclear security is very important. If people offer input about how to improve nuclear security, they ought to be rewarded. Also, if they report a violation, they ought to be rewarded. Supervisors need to be convinced that security is important. If they perceive the importance of security, then they will communicate it to their subordinates. It would be worthwhile to establish an industry-wide system of reviews of security. This system would conduct polls and interview workers to determine how to improve security culture. As part of our incentive programs, we need to provide awards to facilities that are doing well in terms of security. The United States and other developed countries ought to do business with facilities that have demonstrated good security performance. Ultimately, good security needs to be the price a country pays to do business in the international nuclear market. I think security leadership awards designed to reward the leadership of well-performing facilities are worth looking at. At the international level, countries that do business with the United States are required to have good security performance. This contributes to the overall security of the world. Also, the member states of the Nuclear Suppliers Group are required to have good security standards and to require these standards of countries to which they export nuclear materials or equipment. In addition to rewarding facilities for good security performance, there ought to be rewards for the conversion of highly enriched uranium to low-enriched uranium. Also, there ought to be awards for shutting down reactors that are no longer in use. Ultimately, we need to reward those who employ nuclear scientists who do not have jobs. I would like to touch on something we discussed earlier, and it is the creation of some kind of international voluntary organization along the lines of the World Association of Nuclear Operators. This organization would provide measures for better practices, it would provide peer review of security performance, and it would provide
Transcript of Workshop Proceedings, Day 2 Moderated Discussion
105
training for personnel. Regular meetings would help us sustain the effort to bolster security culture in all of our nuclear complexes. Part of dealing with security culture is establishing quality control in nuclear plants. Quality in Russian nuclear power plants should be on par with that of the Western world. It is a fact that in the West, there are systems of awards for national and international quality control. I would like to encourage the IAEA to come up with a system for assessing quality control. This would not be a system of material rewards, but a way to promote better quality. Recognition from the IAEA would elevate the prestige of a Russian nuclear plant, motivating plant employees to further improve their performance. Someone has expressed concern about the translation of the word “security” into Russian. This word actually sounds the same in Russian because there is no exact translation of it from English. In Russian the words “security” and “safety” have the same meaning. Therefore, there is a need to come up with a word in Russian that precisely conveys the meaning of “security” in English. This is crucial when dealing with the term “security culture.” As mentioned above, in order to improve nuclear security in Russia, it is necessary to deny terrorists access to nuclear materials. This can be achieved by putting in place a robust security culture within Russian nuclear facilities. Therefore, in addition to promoting security culture, we need to learn how to assess it. In other words, we need to learn how to evaluate to what degree security culture has been implemented in a given nuclear facility. Also, we need to encourage the Russian government to get involved in this common effort. The government can be helpful by passing legislation that promotes security culture by stimulating and evaluating it. Logically, evaluation can only be constructed on the foundation provided by a common definition of security culture. As mentioned at the beginning of our workshop, we will devote the last session to the construction of a definition of security culture, as requested by Participant 15. First, we need to identify the components of security culture. We will give everyone here an opportunity to approve or suggest amendments to the definition put forward by the IAEA, since we cannot operate down the road without a clear definition of nuclear security culture. Participant 17: Here on the screen we have two definitions. The first one is the definition of nuclear security in general, and the second one is the definition of security culture according to the IAEA. Many at this conference have stressed the need to come up with a common definition of security culture, and I think it is very difficult to come up with a common definition without starting somewhere. I think this might be a good start. It is necessary to demonstrate why it is important to evaluate security culture. The first reason is to find out where we are. As discussed before, security culture is a very subjective concept. Everyone in this room has his or her own definition of security culture. We at the University of Georgia have come up with a report, which is sort of a draft evaluation of security culture. Our idea is to try to come to a common understanding or common standards. In order to measure something that is not very measurable, we need to break it down into components. In this report we set forth four categories. The first one is leadership. Leadership is important for setting standards of behavior and practice at nuclear facilities. The second category is policy and procedures. It is difficult to
106
Transcript of Workshop Proceedings, Day 2 Moderated Discussion
demand that employees follow policies and procedures if they are unaware of what these requirements are. Therefore, they need to be clearly promulgated to all personnel. Learning and professional improvement is the third category. The person who deals with critical material such as nuclear material needs to be constantly at the leading edge of knowledge and professional improvement. If we demand of them a certain level of culture and professionalism, we need to make sure we provide them the opportunity to achieve that level. Finally, the fourth category is personnel performance. Overseeing performance is what every manager in every facility does on a regular basis. We think this is the most critical part of this process of evaluation. To evaluate security culture is a very idealistic goal. Developing a standard evaluation, sharing this information, having someone come over and provide assistance in performing these evaluations, is probably not possible. For instance, a few years ago, we at the Center for International Trade and Security developed a methodology for evaluating export controls in different countries. We were not trying to gather information and conduct our own analysis, but to create a tool countries could use to improve their own export controls and then measure the progress they were making in this area. The countries we worked with really appreciated having that tool. My idea here is to perhaps work together and develop a similar, standardized tool that allows countries to evaluate the security culture in their nuclear facilities. I would like to pose key questions to stimulate our discussion. First, I would like to encourage everyone to offer suggestions or objections relating to the draft IAEA definition of nuclear security culture. Second, if we come up with a methodology for evaluating security culture, we need to develop a way to make it standard. Thankfully, the IAEA has been working on this for a number of years, and hopefully our discussions here will somehow be incorporated into their work. At this point I would like to open the floor for some ideas and discussions. Participant 4: It is easier to come up with definitions than to come up with ways to measure. The value of having an operational definition is, using this definition of security culture as an example, we have characteristics, attitudes, and behaviors. This definition would allow us to operationalize and measure security culture, which is hard to measure. This definition, however, gives us a concrete and tangible foundation to work on. The difficulty with measuring security culture is that at the governmental level the definition will be different than at the industrial level. Also, the behavioral norms that go along with security culture are different at the industrial (national) level, at the facility level, and the operator/technician level. Therefore, we need to use separate approaches to these two levels. Culture is the relationship between the human factor and the equipment. The final objective is to make physical potential even more effective. Now Participant 17 will read three prerequisites that can serve as a basis for future definitions of security culture. Security culture can be categorized by the degree in which all personnel, from senior management and supervisors down to junior operators, are aware of and committed to understanding security requirements. Also, the degree to which available technology is used to achieve security is essential. Finally, the degree to which security regulations and procedures are implemented and improved is crucial as well.
Transcript of Workshop Proceedings, Day 2 Moderated Discussion
107
Comment: What does it mean when a facility is safe? It means that it adheres to the obligations with the IAEA, that the facility is committed to non-proliferation safeguards. When we at the Canadian Nuclear Security Commission look at security culture we look at all those attributes that make a facility safe, including environmental safety regulations. Communication is another attribute that we look at. We make sure that the top management is engaging with the junior personnel. We have designed an evolution to look at any area of security we want to look at. It can be security adherence, environmental protection, personnel communication, and so on. Mainly, we look at how the facility is doing what it promised to do and well it is doing it. We do not compare facilities. We go to a facility and evaluate their current performance compared to the previous performance and how much this performance has improved. Participant 18: It seems to me that you all know what nuclear security culture is, and I think is fine to move forward and begin to evaluate security culture. My experience has been in the area of nuclear nonproliferation, specifically export control. There used to be no agreement on the conception, definition, or operationalization of nonproliferation export control, so I have had discussions similar to the one we are having here with colleagues from around the world. About five years ago there was an agreement to move forward, set standards, and evaluate export control. This has been a major contribution to the area of nonproliferation export controls. Now there is considerable agreement on how to evaluate export control. So I think this is an extraordinarily productive discussion, and I would encourage all of you not to get bogged down if you do not come to a hundred percent agreement about the issue of evaluating security culture. We need to ask ourselves a question: when we look at the overall security culture at all nuclear facilities in a certain country as the highest degree of security culture, does this mean that the country as a whole has the highest possible degree of nuclear security culture? Perhaps we should look not just at security culture at the facility level, but at the national level as well. There needs to be a discussion of how to define nuclear terrorism in order to help us better understand what nuclear security culture is. When we discuss the definition of nuclear security culture, we need to connect this definition with the definition of nuclear security, because, as we have seen, nuclear security culture is a very important tool to achieve nuclear security. Although we have talked about the definition of nuclear security culture, there have been some suggestions. The first one is to add the outside factors to this current definition. The second one is that we need to concentrate on beliefs that will later translate into behaviors, policies, and procedures. Participant 4: As we have agreed on a definition of security culture, we will write a report of about five pages that summarizes this definition. This report will also include the issues that need to be worked on in order to get ahead with security culture. This report will come in addition to the book that we will be working on, which will publish all of your statements, along with a very detailed review of the discussions that took place today. We will be able to send you three copies of the book as soon as it is out.
108
Transcript of Workshop Proceedings, Day 2 Moderated Discussion
In addition to this, I would like to discuss whether it makes sense to keep our group as an interdisciplinary group that works on nuclear security culture. As I said in the beginning, nuclear security culture is a multinational issue requiring the attention of international experts who can provide insights into this issue. On behalf of the Center for International Trade and Security, I would like to receive support from all of you for this endeavor and perhaps some funding. I see our mission as promoting this idea of nuclear security culture in very general terms and supporting the work of the IAEA. There is also a need for more public outreach, and this should be very carefully measured. I think that a loose association of experts from many areas within the nuclear industry and other industries can be more effective in this endeavor than an official association such as the IAEA. We could also use some assistance for the parliaments of different countries to promote security culture within their borders. Our Center was requested, for instance, by the Department of State to help the parliaments of other countries develop laws in order to improve their export controls. We went to those countries and met with officials and NGOs. We organized workshops about export control. Thus, we promoted speedy ratification of amendments regarding export control in the legislation of these countries. This approach can be effective in building the infrastructure for nuclear security culture in other countries. Once we provide background and enough information, the governments of those countries will be obliged to pass legislation related to the issue. Another mission the Center for International Trade and Security can perform is to step down from this generic discussion to a more working and specific level, the level of facilities. We can organize workshops with specific organizations to discuss how people have been working and attempt to visualize this notion of security culture. It could be done differently. We may not focus specifically on security culture. We could focus on professional culture, because, as we know, it is more comprehensive; it includes safety, security, and finding the rationale and the relationship between safety and security. I think that we should build a common denominator between the nuclear industry and the chemical industry. The chemical industry has achieved a lot in terms of security due to its security culture. The chemical industry has a lot less security equipment than the nuclear industry, yet it manages to be very secure. There are two things that make our group uniquely useful. The first one is our interdisciplinary approach to the issue of nuclear security culture. The ultimate goal is to create a group that can significantly aid the IAEA with its work. It is a fact that the IAEA has its limitations, such as a lack of personnel, and we can contribute to the agency’s work significantly. Of course, we can never replace such a large and powerful agency as the IAEA. Secondly, it is fortunate that we have representatives of different nations in this group. As we all understand, security culture is perceived differently in different countries. If there are no other comments, I would like to conclude this workshop. I encourage everyone to communicate with one another on how to promote security culture around the world. I would like to thank this panel and everyone that contributed to this important discussion. I also would like to thank the University of Georgia students who helped to organize this event. I wish everyone a safe trip home. We will likely meet again in the future.
Nuclear Security Culture: From National Best Practices to International Standards I. Khripunov et al. (Eds.) IOS Press, 2007 © 2007 IOS Press. All rights reserved.
109
Security Culture: Concept and Model Background Over the past several years, the International Atomic Energy Agency (IAEA) has aggressively promoted the concept of “nuclear security culture” as a tool to improve the physical protection of nuclear material. Indeed, a 2001 IAEA report titled Fundamental Principles of Physical Protection of Nuclear Material and Nuclear Facilities identified security culture as one of the twelve principles underlying fissile-material security (Principle F), emphasizing that: All organizations involved in implementing physical protection should give due priority to the security culture, to its development and maintenance necessary to ensure its effective implementation in the entire organization.1 The growing threat of catastrophic terrorism and other new security challenges made it obvious that the scope of nuclear security and the associated culture needed to extend beyond the traditional task of protecting weapons-usable material. The message of UN Secretary General Kofi Annan to the 58th General Assembly spoke of deep worldwide concern over the risk of terrorists’ acquiring and using nuclear devices or radioactive materials. Annan portrayed the effort to keep nuclear weapons out of such dangerous hands as “a sine qua non of global security.” He urged all governments to work closely with the IAEA to take stronger measures to ensure the physical protection, safety, and security of nuclear and radioactive materials.2 Not only governments but new organizations need to be involved in nuclear security. Public awareness is likewise indispensable. In the post-September 11 world, consequently, promoting nuclear security culture requires not only dedicated leadership within organizations entrusted with fissile materials, but also broad participation at all levels of government, business, and civil society. All participants need to assign high priority to security planning and management. Educating these participants is the best way to assure that nuclear security receives attention and resources commensurate with its importance. In an effort to reflect these new realities and concerns, a more recent IAEA document, the 2004 Code of Conduct on the Safety and Security of Radioactive Sources, urged every state to take appropriate measures to promote safety culture3 and security culture with respect to radioactive sources. The Code of Conduct depicted this
1 International Atomic Energy Agency, “The Physical Protection of Nuclear Material and Nuclear Facilities,” INFCIRC/225/Rev.4, June 1999, . 2 UN General Assembly, Press Release SG/SM/9486, IAEA1361UN, September 20, 2004, . 3 For more on safety culture, see Ian Barraclough and Annick Carnino, “Safety Culture: Keys for Sustaining Progress,” IAEA Bulletin 40 (June 1998): pp. 27-30, .
110
Security Culture: Concept and Model
cultural approach as a way to protect individuals, society, and the environment.4 Among other things, the document defined nuclear security culture as “characteristics and attitudes in organizations and of individuals which establish that [nuclear] security issues receive the attention warranted by their significance.” To date, however, the IAEA is still working on detailed guidance and recommendations regarding the concept of nuclear security culture, its content, and ways to make it a reality.
Safety and Security Overlap Events in the Soviet Union, and later Russia, prodded the world community to begin thinking about safety culture and, subsequently, security culture. The 1986 Chernobyl accident, which resulted primarily from human error and violations of safety regulations, prompted the IAEA to embark on an laborious and time-consuming search for universally acceptable standards of safety culture. By the 1990s it had become obvious that inadequate skills and low motivation in the workforces at Russian sites imperiled international security. The need to develop a security culture, as distinct from a safety culture, is now widely acknowledged. Security culture and safety culture have much in common, but at times their requirements are at odds with one another. IAEA document INFCIRC/225/Rev.4, The Physical Protection of Nuclear Material and Nuclear Facilities, captures this ambiguous relationship. Section 7.1.5 of the document declares: Safety specialists, in close cooperation with physical protection specialists, should evaluate the consequences of malevolent acts, considered in the context of the State’s design basis threat, to identify nuclear material, or the minimum complement of equipment, systems or devices to be protected against sabotage….Potential conflicting requirements, resulting from safety and physical protection considerations, should be carefully analyzed to ensure that they do not jeopardize nuclear safety, including during emergency conditions.5 The tension between the two concepts arises from the fact that they embody two fundamentally different approaches to enhancing the operational reliability of vital systems, equipment, and components. Proponents of the engineering approach to safety typically call for building increased redundancy into at-risk systems, while proponents of security culture point out that greater redundancy would render these systems, equipment, and components even more vulnerable to malicious actsmaking security even more costly and elusive than it already is. To help identify vulnerabilities in safety systems that are relevant to protection against sabotage, the IAEA developed “Guidelines for Self-Assessment of Safety and Security Vulnerabilities of Nuclear Installations.”6 These guidelines identify important synergies between safety and security. Despite occasional conflict between the tenets of security culture and safety culture, the former is emerging as a distinct and important approach to enhancing 4 International Atomic Energy Agency, “Code of Conduct on the Safety and Security of Radioactive Sources,” 2004, . 5 International Atomic Energy Agency, “The Physical Protection of Nuclear Material and Nuclear Facilities.” 6 Tomihiro Taniguchi and Anita Nilsson, “Hot Spots, Weak Links: Strengthening Nuclear Security in a Changing World, IAEA Bulletin 46 (June 2004),
Security Culture: Concept and Model
111
physical protection. There are several reasons to develop a distinct concept of nuclear security culture: x x x
The concept of safety culture has been widely applied within the nuclear power industry, but it is not generally familiar to the wider range of organizations involved with nuclear materials and radioactive sources. Some aspects of security (e.g., controls over access to classified information, or the fact that the threat is purposeful rather than accidental or caused by equipment failure) differ from the safety field. While the objectives or desired outcomes of a nuclear security regime overlap to a substantial degree with those of a nuclear safety regime, they are not identical: it is possible to be safe without being secure.
Notwithstanding the tension between the two concepts, the characteristics of a good security culture would likely result in improved safety, quality, and productivity in an organization, since closer attention to personnel performance tends to produce better results in every area. Conversely, an improved safety culture would ideally make potential breaches of security less likely. The 2003 IAEA General Conference acknowledged such linkages and noted, among other things, that strengthening the safety of radioactive sources helps enhance the security of these sources.7
Nuclear Security The IAEA Advisory Group on Nuclear Security, established in January 2002, defined nuclear security as: The prevention and detection of and response to theft, sabotage, unauthorized access, illegal transfer or other malicious acts involving nuclear material, other radioactive substances or their associated facilities.8 This broad interpretation is largely consistent with the guidelines set forth in UN Security Council resolution 1540 of April 28, 2004, which sought to prevent the spread of weapons of mass destruction (WMD). The resolution is innovative in that, for the first time in such a document, it elaborates a comprehensive vision of how to curb the supply side of the proliferation problem. Among other things, the main body of the resolution requires all states to: x
7
Develop and maintain appropriate effective measures to account for and secure WMD-related items in production, use, storage, or transport
International Atomic Energy Agency, “IAEA General Conference Resolution,” GC(47)/RES/8, September 2003, . 8 The IAEA’s working definition of nuclear security, as adopted by the IAEA Advisory Group on Nuclear Security, is quoted in Taniguchi and Nilsson, “Hot Spots, Weak Links”: p. 60. The Convention on the Physical Protection of Nuclear Material and Nuclear Facilities defines sabotage as “any deliberate act directed against a nuclear facility or nuclear material in use, storage or transport which could directly or indirectly endanger the health and safety of personnel, the public and the environment by exposure to radiation or release of radioactive substances.” International Atomic Energy Agency, “Convention on Physical Protection of Nuclear Material,” INFCIRC /274/Rev.1/Add.7, September 22, 2000, .
112
Security Culture: Concept and Model
x
Develop and maintain appropriate and effective physical protection measures to safeguard these items
Just as striking is the fact that Security Council resolutions issued under Chapter VII of the UN Charter, as resolution 1540 was, are binding on all UN member states. UN member states thus are now accountable for implementing the terms of the resolution, regardless of whether they are parties to the relevant treaties, agreements, and regimes. This report focuses on specific threats such as theft, sabotage, unauthorized access, illegal transfer, and malicious acts that are largely dealt with through material protection, control, and accounting (MPC&A). Accordingly, this section provides an overview of nuclear security in fairly non-technical terms so that the discussions of the cultural aspects of security analyzed below can be kept in context. Nuclear security starts with understanding what represents a potential target for an adversary, and then attempting to define the nature of possible threats to this target and devise appropriate measures to meet these threats. The IAEA recommends the “Design Basis Threat” (DBT) methodology as a tool to design appropriate security measures. In essence, DBT describes the capabilities, intentions, attributes, and characteristics of potential adversaries who might attempt malicious acts. A physical protection system (PPS) for nuclear materials is designed against this threat profile, allowing management at a facility to identify all targets under their control and know what they are protecting. Using the DBT methodology also allows management to rank the vulnerability of targets. In essence, then, the nuclear security regime is founded on a “graded” approach that mounts an in-depth defense of facilities and materials against the greatest and most likely threats. The first objective of a protection system is to deter people from attempting to gain unauthorized access to nuclear facilities and material, and to prevent them from doing so if deterrence fails. Deterrent measures include installing highly visible, imposing security arrangements which convince potential adversaries that they cannot defeat the physical protection system. The problem with deterrence is that its effects are difficult to measure and predict. Related to deterrence is prevention, whose objective is to ensure that potential adversaries are identified and apprehended before they can attempt to gain unauthorized access. Sometimes the intelligence agencies or police forces learn in advance that some person or group is about to attempt a malicious act against nuclear facilities or material. Often, however, tips come from members of the general public. Prevention and detection can therefore be strengthened by a carefully organized public outreach program. If deterrence and prevention fail, the protection system must detect the attempt and respond without undue delaystopping the malicious act before it can be completed. These objectives are accomplished by the physical protection system and the material control and accounting (MC&A) system, which ideally operate in close coordination, constituting the material protection, control, and accounting system for any given facility. Several elements comprise a PPS. First, detection involves sensing an intrusion, sounding the alarm and assessing the reasons for the alarm, and controlling entry to prospective targets. Second, delay elements, usually passive and active barriers, make the task of breaching security consume more time than it takes to deploy the third element, the security response force, to neutralize the adversary. The three elements must work together harmoniously to achieve optimal results. The effectiveness of any
Security Culture: Concept and Model
113
physical protection system, however, depends on how well it is operated and maintained. A sound overall design can be rendered ineffective by a lack of spare parts, shortfalls in funding for preventive maintenance and repairs, or low morale or negligence among the operating personnel or protective force. High standards of nuclear security culture are partly intended to remedy these deficiencies. PPS designers analyze the performance of the detection, delay, and response elements in relation to the DBT and the consequences associated with the loss of or damage to the materials being protected. This analysis yields the consequence-weighted risk (Risk = Probability x Consequence), which is the primary metric for gauging whether a physical protection system is adequate. Risk calculations also estimate how well the PPS is likely to perform if one or more of its elements are degraded. MC&A systems maintain an inventory of the nuclear materials entrusted to a facility, including the specific locations of the materials. These systems also impose stringent controls on the movement and transfer of these materials. The extent and rigor of these systems vary by the type of material and the potential consequences of its unauthorized use. MC&A systems are therefore designed to ensure, on a near-real-time basis, that no material has been illegally transferred from its designated storage site. High standards of MC&A in an organization can deter an employee who might be contemplating theft. If the item accounting system or the bulk-material accounting system indicates that material is missing, this constitutes detection. Detection triggers a response. The response may be to immediately stop all movement of personnel into and out of the facility until the lost material is retrieved, or to start the preplanned hazard mitigation process jointly with other players. As is the case with the PPS, the ultimate effectiveness of any MPC&A system depends not only on the design and condition of installed equipment and the comprehensiveness of relevant procedures and instructions, but also on the attitudes and behavior of the personnel assigned to use the hardware. As any engineer will attest, equipment and procedures are no better than the operator. Ultimately this “human factor” determines whether a nuclear security regime succeeds or fails. Cultivating a nuclear security culture, then, is as crucial to success as are spare parts and written directives. This range of security requirements determines the nature of nuclear security culture, which can be characterized by: x x x
The degree to which all personnel, from senior managers, to supervisors, to the most junior operators, are aware of and committed to widely understood security requirements and best practices The degree to which available and affordable security technology is put to use, kept in good working condition, and improved The degree to which security regulations and procedures are implemented and personnel are motivated to accomplish their security-related tasks
Model of Nuclear Security Culture A cultural approach to physical protection involves determining what attitudes and beliefs need to be established in an organization, how these attitudes and beliefs manifest themselves in the behavior of assigned personnel, and how desirable attitudes and beliefs can be transcribed into formal working methods to produce good outcomes, i.e., effective protection. An important function of security culture is that it places great
114
Security Culture: Concept and Model
weight on the instinctive behavior of personnel. An efficacious security culture expects employees to take a proactive, security-value-based stance in any situation in which nuclear material and/or the facility itself are at risk. It expects them to innovate, since risks are too numerous to predict and no amount of planning or policymaking can prepare them for all contingencies. At a facility that boasts a supportive security culture, then, employees will respond to security issues out of habit rather than effort. In an unsupportive security culture, employees and management tend to ignore security, or even to circumvent security precautions when they become inconvenient or costly. Cultures are based on a set of shared underlying assumptions about reality (see Figure 1). In the practical context, this means that an organization will display tangible behaviors that derive from what the organization assumes should be most important to it. Often, however, these assumptions are unconsciously held and never discussed in the daily course of business. They simply become “the way we do things,” as opposed to a culture that demands conscious attention if it is to survive and thrive.9 Staff members will form their own assumptions based on their own experiences, or even their whims. The assumptions underlying the organizational culture will atrophy, consequently, unless the leadership works actively to propagate them. Forging and maintaining healthy patterns of ideas is one of the foremost missions of top managers. A good security culture has to be founded above all upon a healthy respect for the threat (see Figure 1, A-1). From the most senior leadership down to the lowliest technician, the staff has to believe that there is a credible threat to the facility and thus that security measures truly matter. This underlying conviction then permeates the way people do their work, and it drives their behavior under normal and abnormal conditions. In a facility that enjoys a good security culture, personnel typically display a deep-rooted belief that there are credible insider and outsider threats, including theft, sabotage, unauthorized access, illegal transfer, and other malicious acts, and that it is their duty to counteract these threats. The next level up in deconstructing the underlying assumptions is to conceptualize the basic principles and values conducive to the behaviors and physical arrangements that make up a vibrant security culture (see Figure 1, B-1). These still-intangible principles and values include honesty, integrity, and a sense of responsibility; a commitment to keeping installed equipment in good working order; compliance with procedure; a commitment to learning and process improvement; and effective leadership throughout the organizational hierarchy. It bears mentioning that these traits are not confined to security. They are a mainstay of healthy management practices. Conversely, a poorly managed work environment that lacks these attributes will be indifferent to efforts at achieve a high standard of security culture. Accordingly, any campaign to promote nuclear security culturewhether nationally sponsored or funded primarily through international assistancemust seek to better the overall professional culture.10 9 For more on the role of leadership, see James MacGregor Burns, Leadership (New York: Harper & Row, 1978); John P. Kotter, Leading Change (Cambridge, MA: Harvard Business School Press, 1996); Carnes Lord, The Modern Prince: What Leaders Need to Know Now (New Haven, CT: Yale University Press, 2003). 10 For more information on organizational and professional culture, see for instance J. Steven Ott, The Organizational Culture Perspective (Pacific Grove, CA: Dorsey Press, 1989); Edgar H. Schein, Organizational Culture and Leadership, 3d ed. (San Francisco, CA: Jossey-Bass, 2004); Hal Rainey, Understanding and Managing Public Organizations (San Francisco: Jossey-Bass, 2000); John P. Kotter and
Security Culture: Concept and Model
115
Another major source that shapes the tangible behaviors and concrete attributes identified in Figure 1 as the “Security Culture Mechanism” is a set of eight external factors (see Figure 1, C-1). These are independent variables that can either hamper or facilitate the development of security culture in an organization. External factors include: International commitments and assistance. Membership in relevant international agreements and forums is an important prerequisite for promoting a nuclear security culture. IAEA programs relevant to security culture include the International Physical Protection Advisory Service (IPPAS), which upon request helps member states evaluate their physical protection systems at the state and facility levels. The work of the IPPAS is based on the recommendations contained in document INFCIRC/22511 and the obligations set forth in the Convention on Physical Protection of Nuclear Material.12 IPPAS-sponsored workshops introduce national representatives to the intangibles and tangibles associated with nuclear security. External MPC&A assistance from sources such as the U.S. Department of Energy’s program in Russia and the other former Soviet republics contributes significantly to the familiarization process and the actual MPC&A infrastructure. National policies and leadership attitude. The behavior of management and other personnel at a facility reflects the priority accorded nuclear security issues by the national leadership. When top political leaders demonstrate their interest in this vital area, they send a powerful signal down to staff members at individual sites. Corporate and industry guidelines. A clear division between regulatory and operating functions is a must for sustaining industry-wide security standards. The industry and other appropriate agencies are responsible for clarifying and updating the current threat assessment in addition to conducting training, inspections, and quality assurance. Funding issues ranging from budgetary allocations to recommendations for private operators also fall under the purview of industry.
J. L. Heskett, Corporate Culture and Performance (New York: Macmillan, N.Y, 1992); Alan L. Wilkins, Developing Corporate Character: How to Successfully Change an Organization Without Destroying It (San Francisco, CA: Jossey-Bass, 1989); U.S. Office of Personnel Management, A Handbook for Measuring Employee Performance (Washington, DC: Government Publishing Office, 2001). Another area of organizational theory related to the problems discussed in the report is known as diffusion of innovation. Everett Rogers (Diffusion of Innovations, 5th ed. (New York: Free Press, 2003)) defines diffusion as the process by which, over time, an innovation is communicated through certain channels among the members of a social system. Rogers’ definition contains four elements that are present in the diffusion of innovation process. The four main elements are: (1) innovationan idea, practices, or objects that are perceived as new by an individual or other unit of adoption (2) communication channelsthe means by which messages get from one individual to another (3) time, including three time factors(a) innovation-decision process, (b) relative time with which an innovation is adopted by an individual or group, and (c) the rate of adoption of an innovation (4) social systema set of interrelated units that are engaged in joint problem solving to accomplish a common goal. 11 International Atomic Energy Agency, “The Physical Protection of Nuclear Material and Nuclear Facilities.” 12 International Atomic Energy Agency, “Convention on Physical Protection of Nuclear Material and Nuclear Facilities.”
116
Security Culture: Concept and Model
Design Basis Threat. As mentioned previously, the IAEA recommends DBT as the best method to design security measures, since it takes into account the capabilities, intentions, attributes, and characteristics of potential adversaries. Drawing on this methodology, individual countries can develop their own DBTs consistent with best practices and their national traditions and history. Security equipment. This equipment must be available through appropriate channels, meet national and international standards, and stay affordable by coming in a variety of price rangesallowing sites with smaller budgets to sustain their security precautions. The ultimate goal is to make maximum use of automated processes and procedures, thereby limiting prospects for human error. Rules and regulations. The texts of written directives must be up-to-date, succinct, and user-friendly. This is especially true for personnel who do not routinely deal with security matters. These texts need to send a clear and unambiguous message. Deterrence through enforcement. National governments should criminalize activities that might lead to breaches of nuclear security. The appropriate government agencies need to enforce these laws rigidly in order to deter potential perpetrators. General public awareness. The escalation of terrorism in recent years has created a political climate in which the public is receptive to security concerns. Well-tailored outreach efforts, consequently, can convince the public that breaches of security could jeopardize the safety of nuclear facilities, and even their own lives. A public that starts caring about security will be more likely to (a) report attempts at diversion and terrorism; (b) report inadequate security perimeters, suspicious people near a facility, and other conditions that could contribute to a breach of security; (c) call media, government, and legislative attention to security problems at nuclear facilities; and d) form advocacy groups to publicize the importance of nuclear security. The ultimate goal of the “Model of Nuclear Security Culture” (Figure 1) is to contribute to the efficient protection of nuclear material. This goal can be achieved by managing the three distinct but interacting sets of inputs discussed above: Principles and Values (B-1), External Factors (C-1), and the Security Culture Mechanism (D-1). These inputs are unique and equally important. Since it represents the primary focus of this report, however, the Security Culture Mechanism receives the bulk of the attention in the next section.
Model of Security Culture Mechanism The purpose of this section is to outline the tangible structures and behaviors within an organization (designated D-1 in Figure 1), which we call the Security Culture Mechanism. This mechanism, described more fully in Figure 2,13 is broken down into four major units: Facility Leadership (A-2); Proactive Policies and Procedures (B-2); Personnel Performance (C-2); and Learning and Professional Improvement (D-2). Each
13 The authors recognize the need to rank-order these subcategories according to priority, but this task is specific to each country and must be accomplished by surveying a pool of national experts in the field.
- Security culture path inside an organization
C-1 External Factors 1. International commitment and assistance 2. National policies and leadership attitude 3. Corporate and industry guidelines 4. Design Basis Threat 5. Security equipment 6. Rules and regulations 7. Deterrence through enforcement 8. General public awareness
A-1 Underlying Assumptions Vulnerability to: 1. Theft 2. Sabotage 3. Unauthorized access 4. Illegal transfer 5. Malicious act
Intangibles
For breakdown of D-1 see Figure 2.
D-1 Security Culture Mechanism: 1. Management 2. Policies 3. Personnel 4. Training
Tangibles
E-1 Goal: Effective Protection of Nuclear Materials
Figure 1. Model of Nuclear Security Culture
1. 2. 3. 4. 5.
B-1 Principles and Values: Honesty, integrity, & responsibility Good equipment condition Commitment to procedures Learning and improvement Effective leadership
Intangibles
Security Culture: Concept and Model
117
major unit is further broken down to permit brief comments and clarifications, which are offered on a selective basis below. In order to understand the workings of this mechanism, it is useful to look again at some general properties of nuclear security culture. Cultures are a product of social learning. Therefore, they cannot be shifted without determined effort from national and facility leaders. Orientation sessions that provide an outlet for explanation and discussion can help leaders modify the organizational culture, provided they back up these sessions with daily reinforcement and leadershipby-example.
118
Security Culture: Concept and Model
Cultures are difficult to enforce, but they can be developed, primarily through positive reinforcement and role models. There is always a security (or safety, or quality, etc.) culture in an organization. The questions are whether the culture is what management needs it to be, and whether it is improving, decaying, or remaining static. It is often easier to change patterns of thinking in an organization than to change patterns of behavior. New managers can come in brimming with bold new ideas, for example, yet fail to get people to change their old behaviors. Leaders change the organizational culture by intervening at all levels. With sustained effort, and by deploying all of the incentives and disincentives at their disposal, they can mold new and different patterns of thinking, establish new patterns of behavior, and even change the physical environment. Cultures reduce anxiety for their members by establishing shared patterns of thinking, speaking, and acting. Consequently, cultural change will always increase anxiety within the organization until the new patterns are learned. Leaders must make the anxiety of learning a new culture less than the anxiety of staying in the old culture. Nuclear facilities to which the Security Culture Mechanism applies include nuclear power plants, fuel-cycle facilities, research reactors, and defense facilities which handle or store nuclear material. These facilities are normally subject to nuclear security regulations, and they have departments or functions that are responsible for security. Several security problems typify such facilities. A strong sense of vulnerability to the insider threat, for instance, may be missing. People have often served at these organizations for long periods of time, and they cannot bring themselves to believe that their long-time colleagues and friends would steal nuclear materials. This problem is especially pronounced at facilities located in remote areas, where the work community overlaps substantially with the social community. Another problem arises from the financial pressures on these facilities, which in turn are the cause of resource shortages and operational problems. Nuclear security tends to rank low on the scale of priorities when the survival of the organization is at stake. An overall lack of commitment to nuclear security can result. Finally, as with any organization, individuals may fail to demonstrate personal responsibility, and management may tolerate low standards of honesty and integrity. The Security Culture Mechanism framed in Figure 2 is designed to operate inside the abovementioned facilities, contributing to a security-conscious work environment. Its main element is the performance of leadership. Top managers are responsible for developing and implementing a specific set of policies and procedures that shape the behavior of their subordinates. Continuous training is the primary tool to get the required results. Below are comments and clarifications regarding the policies detailed in Figure 2.
Leadership: A-2/4. Good supervision. An effective nuclear security culture depends upon the behaviors of individuals. Behavior in turn is very strongly influenced by good supervisory skillsskills that should be honed through training programs. A-2/5. Involvement of staff. The performance of an organization improves when all levels of the staff are empowered to contribute insights and help solve practical
Figure 2. Model of Security Culture Mechanism: Management, Policies, Personnel & Training (Breakdown of Box D-1 in Figure 1)
1. 2. 3. 4. 5. 6. 7.
A-2 Leadership Standards and expectations Use of authority Decision-making Good supervision Involvement of staff Open communication Improving performance
1. 2. 3. 4. 5. 6. 7. 8. 9. 10. 11. 12. 13. 14. 15.
B-2 Proactive Policies and Procedures Visible security policy Employee code of conduct Clear roles and responsibilities Performance management Good work environment Reasonable “stick and carrot” approach Work management Information control Material accounting system Cyber-protection Employee screening Quality control Change management Operating experience feedback Contingency plans and drills
119
1. 2. 3. 4. 5.
C-2 Personnel Performance Professional conduct Personal accountability/responsibility Following procedures Teamwork and collaboration Questioning, whistle-blowing and reporting
Security Culture: Concept and Model
D-2 Learning and Professional Improvement 1. Initial training 2. Periodic training 3. Ongoing training 4. Ongoing assessment 5. Quality assurance on training and trainers
120
Security Culture: Concept and Model
problems. Mechanisms should be in place to encourage the staff to take ownership of the facility’s work. A-2/6. Open communications. Encouraging and maintaining a free flow of information up, down, and horizontally within an organization is intrinsic to a good security culture. A-2/7. Improving performance. An organization that is not constantly trying to improve its performance will become complacent. Complacency is a precursor to a serious decline in security standards and even breaches of security.
Proactive Policies/Procedures: B-2/1. Visible security policy. A policy document should exist which states the commitment of the organization to nuclear security, and which establishes the highest level of expectations with respect to decisionmaking and conduct. This mission statement should be promulgated widely throughout the facility. B-2/2. Staff code of conduct. It is especially important in the field of security to assure that staff members know what is expected of them. They will be expected, for example, to protect sensitive information, remain vigilant about potential security concerns, threats, and unusual occurrences, and bring security-related matters to the attention of their supervisors. B-2/3. Clear roles and responsibilities. All organizations need to delineate clearly “who is responsible for what” if they are to achieve their desired results. The organizational structure must be revised and updated, preferably beforehand, when organizational change is planned. B-2/7. Work management. Nuclear security equipment will require periodic maintenance, repairs, and occasional modification. All work on equipment should be planned to ensure that security coverage is adequate while the equipment is off-line. B-2/9. Material accounting system. The accounting systems for nuclear materials and radioactive substances are a vital part of the nuclear security system and must be vigorously supported and operated by qualified personnel. B-2/10. Cyber-protection. Security-related electronic information needs to be shielded from unauthorized access and use. A cyber-protection system featuring, for instance, firewalls and virus protection should be in place and should be routinely audited for effectiveness. B-2/11. Staff screening. Any security barrier or procedure can be defeated, particularly with insider collaboration. Effective staff screening processes should be in place to diminish the likelihood of an inside job. B-2/13. Change management. Many if not most organizational problems and failures are traceable to inadequate management of change. This applies not only to changes in equipment and procedures, but also to changes in organizational structures and roles, turnover in the workforce, and so forth. Therefore, the organization needs to put processes in place to understand, plan, implement, and reinforce changeespecially change relating to the security function. B-2/15. Contingency plans and drills. Most of the overall nuclear security system is poised to respond to an event, but it is rarely triggered by an actual event. Accordingly, management needs to conduct frequent drills to test out the organization’s capacity to respond to attempted or successful malicious acts or significant breaches of defenses.
Security Culture: Concept and Model
121
Personnel Performance: C-2/2. Personal accountability. Accountability means that all personnel know their specific assigned taskswhat they have to accomplish, by when, and what good results look likeand that they either execute these tasks or report to their supervisors if they are unable to execute them. If management fails to hold workers responsible for the performance of their duties, the performance of the organization as a whole will suffer. C-2/3. Following procedures. Procedures embody the organization’s collective knowledge and experience, and they must be followed to ensure that tasks are performed correctly. To help the staff comply with established procedures, managers must assure that procedures are clear, up-to-date, and easy to find and use. C-2/5. Questioning and reporting. Because security depends on vigilance and on “expecting the unexpected,” management must encourage the staff to be observant and to question small discrepancies as a matter of routine. This habit may prove difficult to instill in nations where authoritarian governments once discouraged employees from questioning authority and encouraged them to inform on their peers.
Learning and Professional Improvement: D-2/1. Initial training. New employees should receive baseline instruction on policies, issues, and incident response/reporting procedures. The training should be tailored to an individual’s job within the facility, and it should be short enough to be easily comprehensible. Accession training can range from classroom instruction to computer-driven self-study modules. New employees should be quizzed briefly to assure that they grasp the essential elements of the training, and they should be required to sign a statement certifying that they understand its content. D-2/2. Periodic training. The essential elements from the initial training should be reviewed regularly. Special sessions should be held when policies and procedures are updated. Attendees should be quizzed again to assure comprehension and required to sign a new statement verifying their attendance. Refresher training can be performed annually, quarterly, or as needed. D-2/3. Ongoing programs. Ongoing programs are one of the most effective tools available to the security-conscious facility. They include traditional methods such as wall posters, handouts, and memos, as well as more interactive methods such as monthly email updates and special bulletins reviewing the lessons learned from internal and external security incidents. D-2/4. Ongoing assessment. This will vary considerably, depending on the resources available to the facility and the facility’s actual security needs. Still, management should conduct appropriate and random assessments to ensure the training is effective. Top managers should drop in on training sessions unannounced. D-2/5. Quality assurance on training and trainers. It is important to elicit feedback on the training programs and materials, as well as the trainers themselves. Those responsible for training should include quality assessment as part of the program. Feedback should be requested of those who undergo the training, in the form of posttraining evaluations. The insights gleaned from the evaluation process should be used to refine the training curriculum.
122
Security Culture: Concept and Model
The performance of a nuclear security regime ultimately hinges on how people behave. A workforce made up of individuals who are vigilant, question irregularities, execute their work diligently, and exhibit high standards of personal and collective behavior will maintain tight security. Management must do its part. Managers must apprise workers of what is expected of them, encourage them to do the right thing, and dole out rewards and punishments to shape their behavior. Failures of leadership are the most common single problem besetting an organization that needs to improve its nuclear security culture. Having reviewed the tenets of nuclear security culture, this report will now focus in on Russia as a case study. The following chapters examine the security regimes at Russian nuclear facilities and discuss the current status of security culture in Russia. Among the questions to be answered are: To what extent are Russia’s political and industrial leaders committed to better nuclear security? Do these leaders have the organizational acumen and the funding to generate higher security standards at the facility level? Do Russia’s perception of the threat and security requirements differ from those of the West, and, if so, with what consequences? What can be done to reshape the mentality of the personnel entrusted with security, and to introduce effective security culture standards? Answering these questions will help policymakers in Russiaand beyondbolster international security.
Appendices
This page intentionally left blank
Nuclear Security Culture: From National Best Practices to International Standards I. Khripunov et al. (Eds.) IOS Press, 2007 © 2007 IOS Press. All rights reserved.
125
Appendix I Case Studies The two case studies below were developed to illustrate the point that a group of unscrupulous employees including managers and lower ranking operators, acting in collusion, can effectively divert and steal valuable materials at their work place despite seemingly airtight security and anti-theft precautions. A good security culture could have prevented such acts or at least made it much more difficult. One case describes the criminal operation at Elektrokhimpribor, a top-secret nuclear weapons facility in the closed city of Lesnoy, while the other at a major gold-refining plant near a small town of Kasimov not far from Moscow, both in Russia.
CASE STUDY I Isotope Diversion at Elektrokhimpribor Facility A major scandal related to nuclear facilities in Russia took place in the early 1990s at the Elektrokhimpribor Facility, a top-secret nuclear weapons plant in the closed city of Lesnoy. The scandal, which surrounded the theft of a large amount of rare and expensive isotopes, attracted major attention from the international community and was a major catalyst behind the decision to create the Cooperative Threat Reduction program. The case involved not only employees from all levels at the facility, ranging from workers to top management, but also senior officials at the Ministry of Atomic Energy (Minatom). Much has changed since that incident; still, the case illustrates several enduring themes about the Russian nuclear sector: x
x
x
It is a simple matter to steal or divert strategic materials from a Russian nuclear facility when workers and managers are complicit in the theft or diversion. The conspiracy at Elektrokhimpribor was discovered by a fluke; otherwise it could have kept going indefinitely. A culture of obedience to the law is not common in Russia, where the public tends to excuse illegal actions as “a way out of poverty.” The participants in the Elektrokhimpribor proliferation ring denied that they had done anything wrong. Their colleagues who had not been involved in illegal activities justified the conspirators’ actions by claiming that “there was no other way for people to make money.” Whistle-blowing practices do not work in Russia; thus nobody reported the crime. The law is not rigidly enforced. Participants in the “isotope affair” received no punishment apart from the time served awaiting trial. Their property was not
126
Appendix I. Case Studies
x
seized, and they even returned to work at the same closed facility, albeit without the security clearances they had formerly enjoyed. Although the case garnered tremendous international attention, and despite the extensive international security assistance allocated to Elektrokhimpribor, the security situation at Lesnoy did not improve noticeably. In March 2002, three armed Chechen nationals were detained in the Sverdlovsk region, one of whom had a pass to the closed city. Several incidents were reported. In November 2000, for instance, a soldier on duty at the Elektrokhimpribor Combine opened fire on his fellow soldiers before committing suicide. In August 2002 a conscript soldier, Denis Bragin, deserted the military unit assigned to guard Lesnoy while on duty. Bragin wounded a fellow soldier with a knife when the latter attempted to stop him and left the unit with an AK-74 Kalashnikov gun and the associated ammunition. Media reports indicated that Bragin should not have been entrusted with a weapon in any event, as he had a history of psychological problems.
Russia accounted for up to 80 percent of the world market in stable isotopes by 1990. Only three facilities in Russia produced the isotopes sold abroad: Elektrokhimpribor, the Electrochemical Instrument Building Combine, which produced 80 percent of the country’s total, the Electrochemical facility in Krasnoyarsk, which accounted for some 15-18 percent of production, and the Kurchatov Institute, which made up the remaining 2-3 percent. The key Russian competitor on the export market was the Oak Ridge National Laboratory in the United States, while China ranked third among producers of stable isotopes. After the collapse of the Soviet Union, Russian companies tried to export isotopes on their own, but the increase in supply due to their efforts decreased prices on the world market. Russian isotope exports dropped dramatically with the slide in prices. In 1992 the Russian government established an export company, Stabis Ltd, to structure, centralize, and improve Russian isotope exports. Stabis was headed by Alexander Podkidyshev. The Elektrokhimpribor Combine is located in the closed city of Lesnoy, formerly known as Sverdlovsk-45. The plant was responsible for assembling, and later dismantling and storing, nuclear warheads. Construction of Elektrokhimpribor began in 1947 with Plant 418, which initially produced highly enriched uranium (HEU) using an electromagnetic separation technique. In the late 1950s the separation facility was redirected to produce stable isotopes of elements such as thallium, rubidium, zinc, and other non-uranium elements, while a portion of the plant was used to house a warhead assembly/disassembly facility. As a closed city, Lesnoy did not exist on the map before the end of Cold War. Access is still restricted to holders of a special pass. Elektrokhimpribor remains the key facility in town. Its employees were highly paid during the Cold War and did not experience any financial problems. The collapse of the Soviet Union, however, hurt them, as it did employees elsewhere in the nuclear industry. Inefficient management and marketing, products of the Soviet-era economy, hampered efforts to export isotopes efficiently. Far away from the big cities and tied to jobs at their facility, managers at Elektrokhimpribor tried to find a way to improve their financial situation. Stable isotopes are rare and expensive goods used in different industries; the facility managers knew the price their product could command and tried to sell it on their own. The scheme was so well managed that the fact of diversion became known only by a fluke. The conspirators did not hide their expensive cars and houses, which were
Appendix I. Case Studies
127
incongruous in a very small town where the main industry, Elektrokhimpribor, paid small salaries. This incongruity drew the attention of law-enforcement officers who drew a parallel between the financial well-being of several employees at the facility and the situation on the very small world isotope market, where prices had dropped dramatically and it had become surprisingly hard to sell anything. Initial accounting audits at the facility, however, provided few leads. The investigation ultimately revealed that the members of the group had used their positions to produce “unaccounted for” isotopes beyond officially reported production. Because the conspirators worked at each stage of production, they were able to establish a parallel isotope production process – producing isotopes identical to those turned out by the plant during normal operations. The core of the conspiracy included nine employees of Elektrokhimpribor: Kascheyev, director of the production of stable isotopes; Yaroslavtsev, his deputy; Tunin, the head of the technical section; Tuinov, an engineer; Konoplina, the head of the chemical production department; Usoltsev, her assistant; Dubinin, a specialist in finished chemical production; Chernousov, a specialist in chemical apparatus and production; and Korolev, the deputy head of the financial department of the combine. They diverted stable isotopes from the plant, such as thallium-203, zinc-68, rubidium87, ytterbium-168, and tantalum. The total loss to the Russian economy from illegal sales reached as high as $500 million. The scheme was devised by Kascheyev, an academician and inventor, who claimed that, because he had used waste materials and a method he had invented isotope purification, the activities of the group were perfectly legal. He also pointed to the fact that the isotopes had been exported through a legitimate federal isotope-exporting company. The conspirators were skimming off 5-10 percent of the enriched isotope solution they were using in the production process, and then diluting the solution with distilled water to avoid detection. The diverted solution was accumulated separately, and then processed using experimental units which were being tested at the facility. The illegally produced isotopes were sealed in tubes and easily removed from the facility without detection. At first, the group had difficulty finding customers or middlemen for the material. Then they established a stable distribution channel through Stabis Ltd., a Moscow-based private company. The director of Stabis, Alexander Podkidyshev, who was also head of the Russian State Center for Stable Isotopes, purchased the illegal isotopes at below-market prices, and then resold them to his own company at a large profit. Most of the isotopes, which are used for medical and industrial purposes, were then exported from Russia. The investigation and trial took several years. In May 2000 a federal court found all members of the group guilty in accordance with Article 160 of the Criminal Code. (Titled “Misappropriation and Peculation of Federal Property,” Article 160 prescribes jail sentences ranging up to three years. Those found guilty of repeated acts of misappropriation, as well as individuals who abuse official authority in commission of a crime, are subject to prison terms ranging up to six years.) The court sentenced them to three years’ imprisonment without seizure of property, but it freed them because they had already been in custody for over three years by the time the sentence was handed down, and because of an amnesty granted them. All of the participants in the isotope case except for the head of Stabis, Alexander Podkidyshev, were released following the verdict. Podkidyshev received an additional two-year term. The convicted thieves resumed work at the site, although their security clearance status was reduced and they
128
Appendix I. Case Studies
could not return to their previous positions of authority. The government rewarded the enforcement officers who had cracked the case.
CASE STUDY II Corruption and Theft at Priokskiy Gold Refining Factory Another case involving massive corruption, racketeering, conspiracy, and collusion among responsible personnel took place at Priokskiy, a gold refining plant near the small town of Kasimov, not far from Moscow. The case illustrated just how vulnerable are sensitive industries in Russia to corruption and criminal infiltration, and it underscored how important it is to establish and nurture a culture of security among those entrusted with sensitive goods and technology – from the top down. During the years of steady economic decline, especially in the late 1980s, the Soviet Union had managed to deplete its strategic gold reserves to almost nothing. Given the weakness of the national economy, gold was seen as a way to generate much-needed hard cash and to provide a foundation for making the ruble a freely convertible currency. In 1989, the Soviet government decided to build a new goldrefining factory in the town of Kasimov, in Ryazan oblast. The new factory would produce gold bullion of higher quantity and purity than the three existing facilities: Its total annual output was 500-600 tons of 99.99 percent refined gold and 2,000 tons of silver. The factory was built from scratch in 18 months and received the most elaborate security system available at the time. The first warning signs came in 1992, when a string of strange and seemingly unrelated murders and disappearances, involving local businessmen, visitors, unemployed citizens, and some factory personnel took place. Investigators suspected that these events might be connected to illegal activity at the gold-refining factory and ordered a surprise inspection. They, however, discovered that not a single milligram of gold was missing. The next warning bell rang in 1994, when two individuals were detained in Nizhny Novgorod after asking a grocery shop attendant to weigh a kilogram of industrial gold bullion. During the ensuing investigation, the two admitted to acquiring the gold through a chain of accomplices from someone who was working at the Kasimov factory. Moreover, both admitted to having previously sold 22 kilograms of gold from the same source. The gold had apparently originated from the factory, despite the fact that the inspectors had been unable to find a single missing milligram. Due to the large volume of material stolen, a special, high-level investigating team was appointed, and a new, more thorough inspection and accounting was carried out at the factory. But again, not a single missing milligram of gold was uncovered. In the next few months the factory’s security system was re-evaluated and rechecked. The system consists of two security perimeters: An internal Perimeter B includes the main production line and is surrounded by two rows of barbed wire, a sand strip for intruder detection, and a system of security cameras and motion detectors. Perimeter A on the outside includes auxiliary services and access to the city. To get from Perimeter B to Perimeter A, an employee had to go through a “nude zone,” where all employees had to be strip-searched. None of the components of this security system seemed at the time to have been compromised. Realizing that the missing gold must have come from somewhere, the investigators kept searching for a drop spot, and after some days discovered a workman’s glove that
Appendix I. Case Studies
129
contained a large piece of gold bullion. After further investigation, a group of employees from the same shift admitted to taking 78kg of gold and hiding it in various locations within the facility. They all maintained, however, that they had not carried the gold out of the factory. Although they admitted to having been paid for the drops, none of the employees would reveal the source of the payments. In the course of the interrogations, investigators came up with the following findings: x x
x x
Large quantities of gold continued to be diverted from the factory despite the arrest of the group. Organized criminal groups must have played a large role in the scheme. This would explain the refusal of the arrested employees to reveal who had paid them to purloin the gold, not to mention the continued string of assassinations and murders. Some security personnel at the factory must have been involved, because it was not possible to bypass the security perimeter without their knowledge. Finally, there was no explanation for the fact that the factory continued to produce the highest-quality gold bullion. This implied that other employees and officials were involved.
In early 1995, intelligence was received indicating that large quantities of illegal gold bullion had appeared on the black markets in several former Soviet republics and Turkey. Investigators began a massive search for drop spots and hiding places throughout the facility, uncovering numerous locations and apprehending several employees, who revealed the means by which gold had been spirited out of the secure zone. Despite common knowledge among the workforce about these 24-hour spot searches and raids, a large volume of gold continued to be stolen, including even a standard gold bar used for weighing and measurement. One trick involved literally shooting gold outside the perimeter: During one of the raids, investigators discovered an axe used to hew gold bullion bars into smaller pieces and a slingshot used to shoot the fragments out. The pieces were retrieved later. Another trick involved welding open sewer pipes, allowing packets of gold to be transported outside. And walls were broken through to the outside, repaired, and then broken again to allow small packets to be thrown outside the compound. Investigators managed to uncover other pieces of the puzzle. First, they suspected and subsequently confirmed that a head of the security guard detachment at the perimeter access point was part of a group of security personnel who themselves had carried, or allowed others to carry, large quantities of gold. During security checks, these security officers would manually turn off the metal detectors used to scan each employee leaving the security perimeter, and pretend that they had performed the checks. Second, it finally became clear how the plant had managed to produce the same quantity and quality of gold despite massive theft. During the refining process and electrolysis, a local engineer, showing remarkable ingenuity, had found a way to add extra quantities of copper to the process which did not affect the final product. His nickname was Academician. The engineer was identified by the investigators, arrested, interrogated, and then released. Several days later he was found dead in his car, apparently murdered for disclosing information about the scheme. When finally the whole picture of the conspiracy was revealed, it turned out that virtually everybody at the plant was involved, ranging from operations personnel to
130
Appendix I. Case Studies
security guards to management, and that an outside network of distributors was involved as well. Among many of those caught were the coach of the factory soccer team, the deputy director and head of a specially appointed internal investigation team, and a head of the security guard, who held the rank of major and, on one occasion, had personally carried 30kg of gold two miles outside of the perimeter.1 Overall, a total of 400kg of gold was found to have been stolen, and another 210 kilograms were later recovered. Fifty-two people were murdered as part of internal fighting within the organized criminal groups. One hundred twenty-eight facility employees were convicted of various felonies; 30 security personnel, all officers of the Ministry of the Interior hired with best recommendations to guard the facility, were convicted and sentenced to time in prison for their participation in the scheme.2 Since 1997, when all of the cases were closed, no organized criminal activity has been reported in the area, and no gold has been found missing.
1 For more information, see “Gold-Diggers,” Sovershenno Sekretno 4 (2000), . 2 “Heavy Gold of Kasimov,” Market of Precious Metals and Precious Stones Newsletter, May 16, 2003, .
Nuclear Security Culture: From National Best Practices to International Standards I. Khripunov et al. (Eds.) IOS Press, 2007 © 2007 IOS Press. All rights reserved.
131
Appendix II Learning and Professional Improvement: A Methodology for Better Security Culture in Russia The main element of the security-culture mechanism designed to operate inside the nuclear facilities is the performance of leadership. Top managers (director and deputy directors of the site) are responsible for initiating, developing, and implementing a specific set of policies and procedures to shape the behavior of their subordinates. Continuous training is the primary tool to get the required results. While in Western societies leaders rely primarily on legal norms and time-tested management practices in the course of their daily work, in transitional countries like Russia leaders enjoy more legal leeway and can do much more at their own discretion. Thus, site leadership in Russia is far more important to the process of improving or degrading nuclear security culture. Training of top managers is intended to reinforce their assumption of vulnerability as a prerequisite for introducing a healthy security culture (see Figure 1), as well as to provide the state-of-the-art managerial tools necessary to implement this culture in practical terms. The training curriculum for top managers includes three modules and a workshop (see below). The applicability of each module depends on the mission of a specific facility, the prevailing risk assessment, and the time which can be allocated to training. It should be compatible with the level of educational background, experience, knowledge and skills, and goals of the trainees. Modules would include: a general security threat assessment/nonproliferation block; a block introducing the security system and explaining its main components and how it operates; and a personnel management block. Training of top managers must be followed by training of other site employees, tailored specifically to their needs. Other target groups include: • • • • • • •
Mid-level managers (heads of shops, offices, laboratories, etc.) Reserve top managers Specialists/experts (technical experts) Other personnel (those who have access to nuclear material) Guards (departmental, interior troops, military, escorts) Outside inspectors Experts from the psychological and medical service
The training modules for these groups will consist of the following:
132
Appendix II. Learning and Professional Improvement
•
•
•
•
•
Initial Training. New employees should receive baseline instruction on policies, issues, and incident response/reporting procedures. The training should be tailored to an individual’s job within the facility and short enough to be easily comprehensible. Accession training can range from classroom instruction to computer-driven self-study modules. New employees should be quizzed briefly to assure that they grasp the essential elements of the training, and they should be required to sign a statement certifying that they understand its content. Periodic Training. The essential elements from the initial training should be reviewed regularly. Special sessions should be held when policies and procedures are updated. Attendees should be quizzed again to assure comprehension, and required to sign a new statement verifying their attendance. Training can be performed annually, quarterly, or as needed. Ongoing Programs. Ongoing programs are one of the most effective tools available to the security-aware facility. They include traditional methods such as wall posters, handouts, and memos, as well as more interactive methods such as monthly email updates and special bulletins reviewing the lessonslearned from internal and external security incidents. Ongoing Assessment. This will vary considerably depending on the resources available to the facility and its actual security needs. Still, management should conduct appropriate and random assessments to ensure the training is effective. Top managers should drop in on training sessions unannounced. Quality Assurance on Training and Trainers. It is important to get feedback on the training programs and materials, as well as the trainers themselves. Those responsible for training should include quality assessment as part of the program. Feedback should be solicited from those who undergo the training, in the form of post-training evaluations. The insights gleaned from this process should be used to refine the training curriculum.
CURRICULUM OUTLINE FOR TOP MANAGERS I. Nuclear Security Threat Assessment (general-scope block) This block is of particular importance to those sites which currently are not involved in international nonproliferation training programs, and thus are less aware of nonproliferation threats and international practices. 1. Nuclear Security Threat Assessment This course will introduce nuclear managers to the basics of nonproliferation, improving their awareness and helping them understand why nuclear security awareness is important. It will include such lectures as: • Threat assessment. Types of threats, perception and response, introduction to design basis threat analysis.
Appendix II. Learning and Professional Improvement
133
• Terrorism involving weapons of mass destruction. Terrorism threat assessment. • Importance of nonproliferation and security awareness; case studies involving smuggling and diversions; best security awareness practices; • Model of security-culture mechanism and ways to develop a security culture.
2. Nuclear Materials Management in Russia and International Practices The course will cover general Russian and international practices and approaches to nuclear-materials storage, disposition, transactions, packaging, transportation, and consolidation; MPC&A, including reporting requirements and data submission, safeguards, information protection, and waste management. International approaches to and practices for developing and improving nuclear security awareness and nuclear security culture will also be covered. 3. Cooperation on Nuclear Security This block will provide an overview of U.S.-Russian bilateral programs and G-8 programs by U.S. and Russian experts, covering the origins of these programs, subsequent developments, changes in the programs’ scope, positive and negative case studies, as well future possibilities for development and ways to improve sustainability.
II. Materials Protection, Control, and Accounting The block introduces the security system, outlines its main components, and explains how it operates, its main functions, and its goals. It is most important for those managers who have no background in nuclear security, as it will help them recognize a problem and find ways to solve it. 1. Fundamentals of Materials Protection, Control, and Accounting (generalscope course) The main focus of the course will be to explain why security awareness and MPC&A are important. It will go into greater detail than the first section/block, and will provide basic knowledge of a security system and ways to improve it. The course will cover the following elements: • • • •
MPC&A as an integrated system, and the elements of MPC&A. Nuclear Materials Control: administrative controls, access controls, surveillance, containment, and detection/assessment mechanisms. Nuclear Materials Accountability: generally accepted accounting principles, accounting systems, physical inventories, inventory difference control limits, measurements and measurement control, and reporting. Nuclear Materials Physical Protection: threat definition, target identification, sensors and alarms, response forces, analysis and evaluation techniques, and transportation of nuclear materials.
134
Appendix II. Learning and Professional Improvement
• •
Site and Personnel Security. Operational security. Evaluating the effectiveness of MPC&A programs.
2. International Approach to MPC&A: Integrated Safeguards and Security Management This course will describe a systematic approach to integrating safeguards and security into different states’ practices using the IAEA approach. It will provide a detailed overview of U.S. and IAEA policies and practices relating to the establishment, development, and improvement of nuclear security awareness and nuclear security culture. 3. The Methodology of Risk Assessment The course will present the Russian, U.S., and IAEA approaches to this important topic, compare them, and build the best model for Russian sites to use. It will include: fundamental concepts of design basis threat (DBT); vulnerability analysis (VA) and threat assessment, risk management, and response design, and the evolution of these techniques in a changing environment; and basic VA terminology and concepts, along with the mechanics of conducting VAs. Threat and target characterization, differentiation between internal and external threats, facility and security and surveillance system characterization, scenario development, system-effectiveness evaluation, and upgrade identification and prioritization will all be covered. 4. Legislative and Regulatory Framework for Russian Nuclear Security Instructors will apprise nuclear facility managers about the basics and the continuously changing legal and regulatory environment associated with nuclear security. Both the Russian national regulatory framework (federal, industry, site) and Russia’s obligations under the multilateral nonproliferation mechanisms will be examined. The instructors will also discuss the Federal Information System, the impact of the general-scope legal basis and the regional legal basis for security, and ways to improve the legal basis. 5. Nuclear Materials Management Liability, Liability for Nuclear Security Violations, and Enforcement This course will be taught by both Russian and U.S. instructors. U.S. instructors will review the U.S. experience in enforcing nuclear security. Russian experts will outline the liabilities associated with nuclear-materials management and operations; the general-scope and security-specific legal bases; and criminal and administrative liability for mishandling nuclear materials or violating regulations. Case studies will be discussed.
Appendix II. Learning and Professional Improvement
135
6. Introduction to Information Security and Cyber Security Awareness The course will cover policies and procedures for control of classified information, regulating Internet access and electronic data transfers, access tracking systems, and communication controls, and will provide an introduction to briefing systems.
7. Emergency Operations and Accident Response Along with operations under emergency conditions and procedures for responding to accidents, the course will cover crisis prevention, management, and negotiation. Instructors will also go through case studies and discuss an industry-wide accident database and mechanisms for learning from experience.
III. Personnel Management 1. Introduction to Personnel Management at Nuclear Facilities in the United States, Russia, and the European Union (general-scope course) The course will include, among other things: • • • • • • • • • • • • •
Personnel management rules, regulations, manuals, and practices Strategic and tactical decisionmaking, policymaking, methods of balancing priorities, and proactive policies and procedures Best leadership practices and tools for establishing effective leadership Position and job classification, personal responsibilities, recruitment, and termination Performance assessment, testing and control, and work measurement Personnel reliability control, screening, and quality control Personnel motivation, including techniques for encouraging teamwork and collaboration Personnel training and retraining Change management Psychological management, including conflict resolution and techniques for establishing an organizational culture and motivating personnel Contingency plans and drills Operations under emergency conditions Information control
2. Introduction to Industrial Psychology and Testing for Nuclear Industry This course will offer nuclear facility managers the tools necessary to evaluate the psychological and emotional state of prospective employees during the recruitment process and periodically throughout their employment. It will also present a methodology and practices for conflict resolution and procedures for mental and psychological evaluation, personnel reliability control, screening, and medical and drugs tests.
136
Appendix II. Learning and Professional Improvement
3. Performance Assessment and Improvement The course will include, among other things, an introduction to work measurement; performance testing (e.g., equipment, procedures, and personnel); benchmarking; peer assessments and self-assessments; developing and compliance with a code of conduct; quality control; developing a teamwork approach; investigation of anomalous conditions; and processes for corrective action. 4. Organizational Culture This course will present both theoretical and practical approaches to forming an organizational culture conducive to a high sense of responsibility among the personnel at nuclear facilities; mechanisms and techniques for developing personal responsibility and accountability; personnel involvement and feedback; and improving lines of communication. Instructors will present best international and Russian practices and approaches, both in the nuclear sector and in other private and public industries, and discuss best leadership and management practices pertaining to organizational culture. 5. Incentives and Motivation for Nuclear Security Personnel The course will cover the use of positive and negative incentives, recruitment, performance evaluation, open communications, the use of authority, supervisory techniques, non-monetary incentives, and other forms of motivation. It will combine Western theories and practices of personnel management with the realities of the Russian corporate and industrial culture and work ethics. 6. Job Classification for Nuclear Personnel This course will offer nuclear facility directors the skills needed to tailor job descriptions for employees at critical facilities, ensuring that these personnel are fully familiar with their duties and responsibilities and that they are properly compensated. Instructors will outline skills and mechanisms for writing and managing efficient instructions and procedures. This course will also discuss recruitment and termination processes and requirements. 7. Personnel Training The course will target top and mid-level managers, helping them establish on-site training courses and programs in security awareness for all types of personnel, including inspector training and “train the trainer” programs, techniques for developing courses and manuals, instruction writing, and personnel supervision. Instructors will discuss procedures and practices for initial training, periodic training, and ongoing training; briefings, contingency plans, and drills; and training standards and expectations. They will share techniques and best practices for quality assurance and for assessing the performance of trainees and trainers.
Appendix II. Learning and Professional Improvement
137
8. Introduction to Marketing and PR One part of the course is intended to help managers market their facilities’ products more efficiently. Since each facility is responsible for paying for security upgrades, it has to be financially sustainable to support these upgrades, keep qualified employees at the facility, and motivate employees to work efficiently and comply with security regulations. Another part will introduce managers to the basics of public relations and public outreach, in order to improve public awareness and help site managers maintain good working relations on environmental issues. Western experience, policies, and practices for improving public awareness will be used widely.
IV. Workshop/Roundtable Discussion Experienced senior managers will discuss strategies and tactics for developing and implementing security culture. Typical seed questions will include, “What are the most critical and the most challenging areas of developing and implementing a security culture?” “To what extent does the security culture exist and to what extent it is being implemented at individual facilities?” and “What can be done to improve securityculture standards?”
This page intentionally left blank
Nuclear Security Culture: From National Best Practices to International Standards I. Khripunov et al. (Eds.) IOS Press, 2007 © 2007 IOS Press. All rights reserved.
139
Appendix III Nuclear Security Culture Evaluation Methodology This questionnaire represents the first iteration of a comprehensive evaluation methodology designed to help nuclear industry management gauge the existing security culture among the management and employees of nuclear facilities. The questions are designed to capture both the tangible aspects of security culture and the working environment, such as procedures, rules, and regulations, and intangibles such as behavior, attitudes, and the prevailing mentality among the workforce. The questionnaires will be administered anonymously to elicit the most candid feedback possible from respondents. The questionnaire includes questions that ask respondents to evaluate elements of the security culture on a scale from 1 (not applicable/nonexistent) to 5 (excellent/fully existent/fully complied with) (2–in bad shape, poor; 3–satisfactory; 4–good). This quantitative methodology will allow users not only to assess the condition of security culture in a given country, but to compare security cultures from country to country. An index of security-culture effectiveness, derived from a weighted average of the scores, will make a useful benchmark for comparison. The index evaluates the security culture in four categories: (1) leadership, (2) policies and procedures, (3) learning and professional development, and (4) personnel performance. Each category has a maximum score of 5. An ideal security culture, then, would earn a perfect score of 20, or 100 percent. Each category is broken down into elements (A, B, C, etc.). The elements are further broken down into individual questions (1, 2, 3, etc.). The score for each element comes from averaging the responses to individual questions, and the score for each category is totaled up by averaging the scores for the constituent elements. The elements will vary in relative importance from country to country. Each element, accordingly, will be weighted numerically according to its relative importance. In one country, the efforts of management to set standards might be more important than open communication within the workforce. The opposite could be true in another country. The relative weights assigned to different features in a particular nuclear security culture will be established by surveying a sizable group of experts in a given country. Respondents will be asked to weight each element based on its importance, using a 100 percent scale, and to define a minimally acceptable score for each element. This survey lays out the questions by thematic categories. The questionnaire is generic to all categories of operational personnel. Further refinement of the methodology will yield questionnaires tailored to different audiences, such as industry management, facility leadership/management, and operations personnel.
140
Appendix III. Nuclear Security Culture Evaluation Methodology
Appendix III breaks down the categories of respondents for whom the methodology will be tailored. Security culture can be evaluated at given facilities or groups of facilities in a particular country, allowing researchers to, say, detect cultural variations from region to region or facility to facility.
I. Leadership (Unless otherwise noted, please answer the following questions on a scale from 1 (not applicable/nonexistent) to 5 (excellent/fully existent/fully complied with).) A. Standards and expectations 1. To what extent does the facility management set clear standards and expectations for personnel in the security area? 2. How aggressive has the facility management been in promulgating a. Sets of rules and regulations? b. Guidelines, manuals, or instructions? c. Specific, security-related items in the organizational charter/mission? 3. To what extent does the facility management promote an organizational culture focused on continuous improvements to security? B. Decisionmaking 1. To what extent does the facility have strategic and operational plans in place to improve security? 2. To what extent does management work to improve security at the facility? 3. As far as you know, do top managers themselves always follow established security procedures and directives? 4. How frequently/regularly does the facility management conduct the following for individual personnel? (Rate each activity from 1 (not at all) to 5 (regularly in accordance with established policy).) a. Planning? b. Setting performance benchmarks? c. Assigning responsibilities? d. Monitoring? e. Rating performance? f. Rewarding good performance and punishing substandard performance? C. Use of authority 1. To what extent does the facility management use its authority effectively to achieve strategic and operational goals? 2. To what extent is the facility management aware of security-related problems and needs? 3. To what extent does the facility management use training to encourage security awareness among employees of the site? 4. To what extent does the facility management offer a. Monetary and non-monetary performance incentives? b. Other forms of employee motivation? 5. To what extent does the facility management offer conflict resolution?
Appendix III. Nuclear Security Culture Evaluation Methodology
141
D. Supervision 1. How effectively does the facility management supervise employees? 2. Does the facility have in place written policies, rules, or procedures for recruitment, appraisal, and termination of employees as they pertain to security? 3. To what extent does management encourage and/or enforce a. Teamwork? b. Personal responsibility/accountability for security improvements? E. Involvement of staff 1. Are employees sufficiently involved in the decisionmaking process? 2. To what extent are employees involved in developing instructions, rules, and regulations? 3. To what extent does the facility management a. Require/request feedback from employees? b. Seek recommendations and suggestions relating to security improvements? F. Open communication 1. Do managers make themselves readily available to employees to discuss questions, procedures, or concerns regarding security improvements? It there an open-door policy? 2. To what extent does the facility management encourage employees to report problems, security breaches, violations of instructions, failures by management, hazardous conditions, and other security-related problems? 3. Do rank-and-file employees at your facility consider themselves valuable members of the organization? Do they believe management values their contributions? G. Improving performance 1. To what extent is the facility management committed to improving employee performance? 2. How regularly does the facility management conduct performance evaluations? (From 1 (not applicable/nonexistent) to 5 (regularly in accordance with established policy)) 3. How regularly does the facility management discuss accidents and derive lessons-learned in order to prevent similar events from happening in the future? (From 1 (not applicable/nonexistent) to 5 (regularly in accordance with established policy))
II. Policies and Procedures (Unless otherwise noted, please answer the following questions on a scale from 1 (not applicable/nonexistent) to 5 (excellent/fully existent/fully complied with).)
142
Appendix III. Nuclear Security Culture Evaluation Methodology
A. Visibility of security policies 1. Are security procedures posted in the workplace? If not, has management made other efforts to apprise employees of their security-related responsibilities? 2. How effectively does management communicate information about security policies to the workforce? 3. To what extent is the facility’s accident database available to facility employees for their use and review? 4. To what extent is the industry-wide accident database available to facility employees for their use and review? B. Employee code of conduct 1. Has your facility instituted an employee code of conduct? 2. To what extent are security-related duties included in the code of conduct? 3. How familiar are employees with the code of conduct? 4. How regularly are employees briefed on, and required to know, the code of conduct? (From 1 (not applicable/nonexistent) to 5 (regularly in accordance with established policy)) C. Roles and responsibilities 1. To what extent does your facility have special procedures for developing employee job descriptions and position requirements? 2. To what extent does your facility have position requirements? 3. To what extent are job descriptions in line with position requirements? 4. To what extent are responsibilities assigned to employees by the managers in line with position requirements and job descriptions? D. Performance measurement 1. To what extent does your facility have special performance measurement procedures? 2. To what extent is security-related performance a part of overall performance assessment? 3. To what extent does performance assessment include a. Team/group performance assessment? b. Self-assessment? c. Individual peer assessment? 4. To what extent is satisfactory performance in security-related duties a prerequisite for continued employment? E. Work environment 1. To what extent does the facility management provide and encourage a positive work environment? 2. To what extent are employees satisfied with their work environment? 3. To what extent does the facility management provide the resources necessary to improve security? 4. Is equipment maintenance conducted on time?
Appendix III. Nuclear Security Culture Evaluation Methodology
143
(From 1 (not applicable/nonexistent) to 5 (regularly in accordance with established policy)) F. Work measurement 1. To what extent does the facility management follow and enforce strategic and operational plans? 2. To what extent does the facility management effectively control employees? 3. To what extent does your facility have adequate recruitment and training procedures? 4. Would a person be laid off/terminated in case of failure to follow security regulations? G. Information control 1. To what extent does the facility have specific rules on handling security information? 2. To what extent does the facility enforce information control policies? 3. To what extent are these rules followed by employees? 4. How regularly does the facility management offer briefs on handling classified information? (From 1 (not applicable/nonexistent) to 5 (regularly in accordance with established policy)) H. Material accounting system 1. To what extent does your facility have a modern material accounting system? 2. How adequate are special nuclear materials access/equipment operation procedures? 3. How effectively have these procedures been implemented? 4. As far as you know, how regularly are material accounting audits taken? (From 1, not applicable/nonexistent, to 5, regularly in accordance with established policy) 5. To what extent have materials control and accounting (MC&A) reporting procedures been instituted at your facility? 6. To what extent does the facility comply with MC&A reporting procedures? 7. To the best of your knowledge, is your facility’s procedure for reporting a loss of material adequate? I. Cyber protection 1. Is your facility adequately protected from cyber attack? 2. How effectively is Internet use controlled and restricted? 3. To the best of your knowledge, how effective are your facility’s precautions against transfers of sensitive information a. Outside the facility? b. Within the facility? J. Employee screening 1. Are employees adequately screened by the security service prior to starting work at your facility?
144
Appendix III. Nuclear Security Culture Evaluation Methodology
2. 3.
To the best of your knowledge, to what extent is the screening procedure compatible with the requirements for a particular position? To the best of your knowledge, are the following conducted at your facility? (From 1 (not applicable/nonexistent) to 5 (regularly in accordance with established policy)) a. Background checks? b. Medical screening? c. Psychological screening? d. Drug screening? e. Alcohol screening?
K. Quality control 1. To what extent does the facility have effective product/process quality-control measures? 2. Are these measures adequately enforced? 3. To what extent do quality-control measures include security improvements? 4. To what extent do quality-control measures include a. Process mapping and visualization? b. Process control and audit? c. Process improvement? d. Integration of people, process, and technology? L. Change management 1. To what extent does change at your facility influence security? 2. To the best of your knowledge, does management have the special capabilities/practices needed to manage change without negatively affecting security? 3. To what extent does management encourage initiative and innovation, particularly with respect to improvements in security? 4. To what extent is management resistant to change? M. Operating experience feedback 1. To what extent are management and operating personnel aware of externally imposed performance benchmarks and other facilities’ experiences with improving security? 2. How regularly are accidents at your or other facilities analyzed and discussed in order to prevent similar events from happening in the future? (From 1 (not applicable/nonexistent) to 5 (regularly in accordance with established policy))
III. Learning and Professional Improvement (Unless otherwise noted, please answer the following questions on a scale from 1 (not applicable/nonexistent) to 5 (excellent/fully existent/fully complied with).) A. Initial training 1. To what extent does the facility have a developed employee training plan? 2. Do employees undergo initial training at the start of their tenure at the facility?
Appendix III. Nuclear Security Culture Evaluation Methodology
3.
145
(From 1, not applicable/nonexistent, to 5, regularly in accordance with established policy) Is there an employee security briefing system at your facility? (From 1 (not applicable/nonexistent) to 5 (regularly in accordance with established policy)) Specifically, how regularly does the facility conduct a. Initial briefings? b. Comprehensive briefings? c. Refresher briefings? d. Termination briefings?
B. Periodic training 1. How regularly do employees undergo periodic training during their tenure? (From 1, not applicable/nonexistent, to 5, regularly in accordance with established policy) 2. How well developed is the on-site training system? 3. How regularly does the facility send employees to central locations/institutes for continued professional training? (From 1 (not applicable/nonexistent) to 5 (regularly in accordance with established policy)) 4. Does the facility have its own trainers? C. Ongoing training 1. To what extent does the training provided at/by the facility address employee/facility needs? 2. To what extent does the facility have training manuals, guidelines, or handbooks? 3. To what extent does the facility have “train the trainer” programs? 4. Are adequate training facilities and materials available? D. Ongoing assessment 1. Are employees assessed periodically on their knowledge and skills? (From 1 (not applicable/nonexistent) to 5 (regularly in accordance with established policy)) 2. To what extent are special training assessment procedures and techniques available? 3. To what extent does the facility management measure the effect of training on employee job behavior? 4. To what extent does training contribute to improvements in worker attitudes and security awareness? E. Quality assurance on training and trainers 1. To what extent does the facility exercise quality control over the training subject matter and the trainers themselves? 2. How regularly does management disseminate special surveys and questionnaires to assess the quality of training and trainers? (From 1 (not applicable/nonexistent) to 5 (regularly in accordance with established policy))
146
Appendix III. Nuclear Security Culture Evaluation Methodology
3.
To what extent is this feedback taken into account when future training sessions are planned?
F. Contingency plans and drills 1. To what extent does the facility have contingency plans and drills? 2. Are these contingency plans updated regularly? (From 1 (not applicable/nonexistent) to 5 (regularly in accordance with established policy)) 3. To what extent are these plans and drills adequate to the security threat? 4. How regularly does the facility conduct drills? (From 1 (not applicable/nonexistent) to 5 (regularly in accordance with established policy)) 5. To what extent does the facility cooperate with rescue teams, emergency management agencies, and other response personnel?
IV. Personnel Performance (Unless otherwise noted, please answer the following questions on a scale from 1 (not applicable/nonexistent) to 5 (excellent/fully existent/fully complied with).) A. Professional conduct 1. To what extent do employees, generally speaking, consider their work valuable and prestigious? 2. To what extent do you personally consider your work valuable and prestigious? 3. To what extent do employees consider themselves personally responsible for security at the facility? 4. To what extent do you consider yourself personally responsible for security at the facility? B. Personal responsibility/accountability 1. To what extent do employees know their job responsibilities and assignments? 2. To what extent do employees know the security norms, rules, and procedures relevant to them? 3. To what extent are the roles and responsibilities of employees clearly defined in their job descriptions? 4. How often are employees requested to perform work they are not qualified to do? (From 1 (not applicable/nonexistent) to 5 (regularly in accordance with established policy)) C. Following procedures 1. To what extent does the facility have developed instructions, procedures, policies, and normative documents related to security? 2. Are the facility’s instructions on security clear, relevant, up-to-date, userfriendly, and results-oriented? 3. Do employees usually follow procedures and instructions?
Appendix III. Nuclear Security Culture Evaluation Methodology
4.
147
(From 1 (not applicable/nonexistent) to 5 (regularly in accordance with established policy)) To what extent do visible enforcement measures exist at the facility to encourage employees to follow procedures?
D. Teamwork and collaboration 1. To what extent are employees encouraged to work as a team? 2. To what extent are the roles and responsibilities of team members clearly defined? 3. Are there restrictions in place to prevent employees from performing functions not officially assigned to them? 4. How regularly is cross-training conducted? (From 1 (not applicable/nonexistent) to 5 (regularly in accordance with established policy)) E. Whistle-blowing procedures 1. To what extent are employees encouraged to question suspicious activities and report on such to their supervisors about such activities? 2. To what extent are special reporting procedures in place? Does the facility have a hotline and/or a specific person in charge of these procedures? 3. To what extent are anonymity and job security guaranteed to a person who reports security problems? 4. To what extent do employees know the reporting procedures? Do they know whom to notify about security problems?
This page intentionally left blank
149
Nuclear Security Culture: From National Best Practices to International Standards I. Khripunov et al. (Eds.) IOS Press, 2007 © 2007 IOS Press. All rights reserved.
Appendix IV List of Workshop Participants Name 1. 2. 3. 4. 5. 6. 7. 8.
Alter, Joseph Bazarkina, Maria Bertsch, Gary Biro, Lucian Bonne, Arnold Braguts A.V. Bunn, Matthew Carr, Christopher
9.
Carroll, Peter
10. Danilov, Sergey 11. De Castro, Kara 12. Djaloeis, Azhar 13. Doyle, Griff 14. 15. 16. 17. 18.
Draxler, William Dushutin, Konstantin Dvorkin, Vladimir Dyakov, Anatoliy Ebel, Paul
19. Ellis, Dori 20. 21. 22. 23. 24. 25. 26. 27. 28. 29. 30. 31. 32. 33. 34. 35. 36. 37. 38.
Flory, Denis Gavrilyuk, Anna Geraskin, Nikolay Golovchenko, Sergey Gorinov, Ivan Gutschmidt, Wolf Dieter Habiger, Eugene Harutyunyan, Levon Holgate, Laura Holladay, Krister Holmes, James Ischenko, Nikolay Izmailov, Alexander Jones, David Khersonsky, Julia Khripunov, Igor Kondratov, Sergey Konevets, Boris Kornelyuk, Vladimir
Affiliation
Country
Israel Atomic Energy Commission Department of Energy, U.S. Embassy, Moscow Center for International Trade and Security Romanian Nuclear Regulatory Agency, CNCAN SCK-CEN 12 GUMO, Ministry of Defense Harvard University Office of Senator John Isakson, U.S. Senate Office of Nuclear Policy and Programmes, Department of Trade & Security IBR, Co. Brookhaven National Laboratory Atomic Energy Agency Office of Government Affairs, University of Georgia Center for International Trade and Security MIPK Atomenergo PIR Center Moscow Physics and Technology Institute BE Incorporated International Security Center, Sandia National Laboratory Embassy of France George Kuzmycz MPC&A Training Center Moscow Engineering and Physics Institute MSUTs Nuclear Regulatory Agency
Israel USA USA Romania Belgium Russia USA USA United Kingdom Russia USA Indonesia USA USA Russia Russia Russia USA USA France Ukraine Russia Russia Bulgaria
Physical Protection Department, GRS
Germany
CITS/UGA Armenian Nuclear Regulatory Authority Nuclear Threat Initiative Office of Senator Saxby Chambliss, U.S. Senate Center for International Trade and Security MIPK Atomenergo Eleron Washington Safety Management Solutions Center for International Trade and Security Center for International Trade and Security Institute of National Security Problems VNIITFA MIPK Atomenergo
USA Armenia USA USA USA Russia Russia USA USA USA Ukraine Russia Russia
150 39. 40. 41. 42. 43. 44.
Appendix IV. List of Workshop Participants Kornietsky L. I. Kovchegin, Dmitriy Krupchatnikov, Boris Kryuchkov, Eduard Kuzelev, Nikolay Lata, Vasiliy
45. Lauth, Thomas 46. 47. 48. 49. 50.
Limonayev, Vladimir Martellini, Maurizio Masuda, Manabu Matikas, Theodore Mladineo, Stephen
51. Nabakhtiani, Giorgi 52. 53. 54. 55.
Nikonov, Dmitriy Nilsson, Anita Paliukhovich, Vasili Petrenko, Vitaliy
56. Pikayev, Alexander 57. Price, Debra 58. Prostakov, Vadim 59. Pshakin, Gennadiy 60. Ramirez-Guerrero, Ruben 61. Renha, Jr., Geraldo (K) 62. Rumyantsev, Victor 63. Sabas, Renaldas 64. Shepherd, Christine 65. 66. 67. 68. 69. 70. 71. 72. 73. 74. 75.
Shirokova, Olga Shmelev, Vladimir Sinev, Andrey Smirnov, Pavel Starodubtsev M. V. Steinhaeusler, Friedrich Suhoruchkin, Vladimir Tardy, Jean-François Taylor, John Van Dassen, Lars Victorov, Vladimir
76. Viglasky, Tomas 77. 78. 79. 80. 81. 82.
Watson, Samuel Weil, Leopold Wieland, Beat Williams, Adam Willson, Jane Winter, Denis Jacques
83. Zibricka, Maria
12 GUMO, Ministry of Defense Booz, Allen & Hamilton Rostekhnadzor Moscow Engineering and Physics Institute VNIITFA PIR Center School of Public and International Affairs, University of Georgia Department of Personnel Management, Rosatom Landau Network - Centro Volta Japan Nuclear Security System Co Ltd Greek Atomic Energy Commission Pacific Northwest National Laboratory Nuclear and Radiation Safety Service, Ministry of Environmental Protection and Natural Resources Center for International Trade and Security Office of Nuclear Security, IAEA Chief State Nuclear & Radiation Safety Inspector Institute of Nuclear Physics Institute of World Economy and International Relations, Russian Academy of Sciences Embassy of Canada Department of Protection of Information, Materials and Facilities, Rosatom IPPE Comision Nacional de Seguridad Nuclear y Salvaguardias IRD/CNEN MEPhI State Nuclear Power Safety Inspectorate Intern, Center for International Trade and Security MIPK Atomenergo Kurchatov Institute NEC, Inc. VNIIEF, Sarov 12 GUMO, Ministry of Defense Division of Physics and Biophysics, University of Salzburg Kurchatov Institute
Russia Russia Russia Russia Russia Russia USA Russia Italy Japan Greece USA Georgia USA IAEA Belarus Uzbekistan Russia Canada Russia Russia Mexico Brazil Russia Lithuania USA Russia Russia Russia Ruissia Russia Austria Russia
Embassy of France BNFL Swedish Nuclear Power Inspectorate (SKI) VNIIEF, Sarov Nuclear Security Division, Canadian Nuclear Safety Commission CITS/UGA Federal Office for Radiation Protection Office federal de l'energie OFEN Center for International Trade and Security CITS/UGA
France United Kingdom Sweden Russia
Institut de Radioprotection et de Surete Nucleaire
France
Nuclear Regulatory Authority of the Slovak Republic
Slovak Republic
Canada USA Germany Switzerland USA USA
Nuclear Security Culture: From National Best Practices to International Standards I. Khripunov et al. (Eds.) IOS Press, 2007 © 2007 IOS Press. All rights reserved.
151
Appendix V International Conference on Nuclear Security: Global Directions for the Future Findings of the President of the Conference London, United Kingdom March 16-18, 2005 The Conference recognised that prevention of the malicious use of nuclear and other radioactive material and the sabotage of nuclear installations has been a feature of the programmes of the IAEA, States and international organizations for several years. These activities were expanded somewhat in the mid-1990s as a result of a number of illicit trafficking incidents, but the terrorist attacks in 2001 in the USA were a wake-up call that alerted the international community to the need to significantly enhance the protection of nuclear and other radioactive material from coming into the hands of criminals or terrorists and being used in malicious acts. Subsequent events in Spain, Indonesia and the Russian Federation have shown that the threat has not diminished since 2001. The international community has reacted strongly and taken several initiatives aimed at preventing nuclear or other radioactive material from falling into the hands of criminals and terrorists. These initiatives include: • • • • • • • •
The IAEA Nuclear Security Plan of Activities UN Resolution 1373 UN Resolution 1540 Strengthening the Convention on the Physical Protection of Nuclear Material (CPPNM) Code of Conduct for the Safety and Security of Radioactive Sources (Code of Conduct) G8 Global Partnership against the Spread of Weapons and Materials of Mass Destruction EU Strategy against the Proliferation of Weapons of Mass Destruction Global Threat Reduction Initiative
152
Appendix V. Global Directions for the Future
The International Conference on Nuclear Security:1 Global Directions for the Future was convened by the IAEA in cooperation with the European Commission, the European Police Office, the International Criminal Police Organization, the Organization for Security and Cooperation in Europe and the World Customs Organization and hosted by the Government of the United Kingdom. The Conference considered the threat of malicious acts involving nuclear and other radioactive material; the experiences, achievements and shortcomings of national and international efforts to strengthen the prevention of, detection of and response to malicious acts involving these materials; and the ways and means to achieve future improvements.
Facing the Challenges The Conference noted that nuclear terrorism is one of the greatest threats to society. The threats remain the same in nature as they were three years ago; however, the international community and individual States have made important progress in their level of preparedness in preventing, detecting and responding to these threats. The threats involve criminals or terrorists acquiring and using for malicious purposes (a) nuclear explosive devices, (b) nuclear material to build an improvised nuclear explosive device, (c) radioactive material to construct a radiological dispersal device (RDD), and/or (d) the dispersal of radioactivity through sabotage of installations in which nuclear and other radioactive material can be found or of such material in transport. The periodic reports of illicit trafficking in nuclear and other radioactive material, as well as reports that terrorist organizations have shown interest in obtaining this material, make clear that there is no room for complacency. The political and economic consequences, as well as the health impacts, of a successful malicious use of radioactive material could be devastating. There is a distinct belief that the response to date is not commensurate with the potential consequences from these threats. In facing these challenges, the Conference recognised that the international community must continue to work to identify specific threats; share and make the best use of the information available about illicit nuclear trafficking and other nuclear security related events; strengthen prevention against such acts; raise the level of awareness of the need for nuclear security among senior officials; and maintain the confidentiality of the sensitive information involved. The relationships and synergies between security, safety and safeguards should be recognized and taken into account in the development of nuclear security programmes.
Enhancing the Global Nuclear Security Framework The Conference noted that instruments that underpin the international nuclear security framework include the CPPNM, the Code of Conduct, other relevant conventions, and safeguards agreements and additional protocols that IAEA Member States conclude with the Agency. 1
Nuclear Security: The prevention and detection of and response to, theft, sabotage, unauthorized access, illegal transfer or other malicious acts involving nuclear material, other radioactive substances or their associated facilities.
Appendix V. Global Directions for the Future
153
High priority should be given to expeditiously strengthening the CPPNM, which will be discussed at a diplomatic conference to be convened in July 2005. The strengthening of the CPPNM represents a significant step forward for nuclear security. An amended CPPNM can guide the enhancement and updating of the IAEA’s existing programmes of assistance to States in the area of nuclear security and in the development of new initiatives. The Conference recognized that consideration should be given to revising INFCIRC/225/Rev. 4 following the conclusion of the CPPNM diplomatic conference. More than 70 States have declared their intention to implement the Code of Conduct. Further discussion of policy and technical issues of relevance for the Code will be held in Bordeaux in June 2005. Continued and enhanced efforts are needed to provide for the full and effective implementation of the CPPNM and Code of Conduct, facilitated by the establishment of IAEA nuclear security guidelines and recommendations.
Strengthening Nuclear Security in States The conference recognised that while the responsibility for nuclear security rests uniquely with each State, it is of global concern and that international support and cooperation can assist States in their efforts. Through programmes implemented by individual States and by the IAEA, awareness of the measures needed to address nuclear security for all activities involving nuclear or radioactive material has grown significantly over the past three years. In many States steps have been taken towards improving regulatory infrastructure. The physical protection and accountability within many States have been improved. Some States and regions have also begun to establish a second line of defence based on radiation detection at border crossings, as well as to prepare measures for responding to a criminal act or terrorism. These efforts must continue and be strengthened globally.
Priorities for Strengthening Nuclear Security Priorities for strengthening nuclear security include: continued efforts to enhance the prevention of terrorist acts; and, the physical protection and accountability of nuclear and other radioactive material, in nuclear and non-nuclear use, storage and transport, throughout the life cycle, in a comprehensive and coherent manner. A graded approach to security should continue to be used under which more stringent controls are applied for material or activities that pose the highest risk; for example, particular attention should be given to high enriched uranium or plutonium. The work towards developing effective approaches, methodologies and equipment for prevention, detection and response must continue. Each of these aspects has an important contribution to play in developing an effective national nuclear security programme.
Sustainability and Nuclear Security Culture The fundamental principles of nuclear security include embedding a nuclear security culture throughout the organizations involved. By the coherent implementation of a
154
Appendix V. Global Directions for the Future
nuclear security culture, staff remain vigilant of the need to maintain a high level of security. While the concept of a security culture is similar to safety culture, it is recognized that there are substantive differences in the assumptions and principles, which underpin security culture. An effort should be made to assure that the two cultures complement rather than conflict with one another The long-term sustainability of nuclear security efforts is a primary concern. The investments made in States, through their own efforts and through assistance programmes, must be sustained in order to continue to upgrade or maintain an adequate level of security. While the level of threat may change from time to time, an effective level of nuclear security must be appropriately maintained.
Improving Regional and International Coordination and Cooperation The Conference recognises that there must be coordination and cooperation at the global, regional and bilateral levels. There is a recognized need to strengthen the coordination of the nuclear security work performed by bilateral cooperation programmes, regional partnerships and the IAEA and other international organizations. Limited resources are available, and coordination is needed to optimize the use of resources. Nuclear security is a matter of global concern; the work should include all countries in all regions, as appropriate and promote sharing of experience and lessons learned. The broader challenges for the international community require new approaches and alliances between nuclear authorities, law enforcement and intelligence authorities and the scientific community.
Role of the IAEA in Underpinning the Global Efforts The Conference recognised that the IAEA has a leading role in the global efforts to improve the global nuclear security framework and for promoting its implementation. The IAEA should continue and strengthen its services in nuclear security, including flexible and modular international advisory service missions, expert advice, training and, on a prioritized basis, the provision of equipment. A focus should be to enhance the sustainability of nuclear security programmes in Member States. The conference recognized the value in developing a systematic and structured approach to establishing effective nuclear security in each country. It requested the IAEA to work towards the development of a series of documents outlining and supporting the elements of this system as a matter of importance. • The Conference urged the IAEA to continue its efforts to: • Support full implementation of the CPPNM and the Code of Conduct. • Establish a comprehensive set of nuclear security guidelines and recommendations. • Help States improve their regulatory and technical nuclear security systems. • Coordinate its efforts with those of other bilateral or multilateral assistance programmes. Integrated nuclear security support plans can be used to ensure this coordination.
Appendix V. Global Directions for the Future
155
• Advise Member States on the importance of becoming party to international instruments relevant to combating nuclear terrorism, and to help States as needed in their efforts in that direction. • Promote research and development on more effective nuclear security approaches and techniques. • Promote the enhanced exchange of nuclear security relevant information. • Take an active role to facilitate effective cooperation and coordination at the international and regional levels. The view of the Conference was that these expanded IAEA efforts will likely require financial resources above those predicted in 2002. Optimal coordination and cooperation with, inter alia, bilateral assistance programmes will significantly enhance the impact of available resources, avoid duplication and identify gaps for improved efforts.
Looking Forward; Sustaining the Progress The Conference expressed the view that a clear focus and concentrated efforts for the following actions are essential: 1. 2. 3. 4. 5.
Accelerate efforts to develop and implement a fully effective global nuclear security framework based on prevention, detection and response. The expeditious agreement among State Parties on amending the CPPNM. Full implementation of the Code of Conduct and an enhanced CPPNM. Enhanced cooperation and coordination at the global, regional and bilateral levels. The IAEA assuming – and being resourced to deliver - a leading role, specifically for supporting the Member States, and for furthering international cooperation.
A follow-up international conference should be convened within five years.
This page intentionally left blank
Nuclear Security Culture: From National Best Practices to International Standards I. Khripunov et al. (Eds.) IOS Press, 2007 © 2007 IOS Press. All rights reserved.
157
Appendix VI Joint Statement by President George W. Bush and President Vladimir V. Putin Nuclear Security Cooperation Bratislava, Slovak Republic February 24, 2005 The United States and Russia will enhance cooperation to counter one of the gravest threats our two countries face, nuclear terrorism. We bear a special responsibility for the security of nuclear weapons and fissile material, in order to ensure that there is no possibility such weapons or materials would fall into terrorist hands. While the security of nuclear facilities in the U.S. and Russia meet current requirements, we stress that these requirements must be constantly enhanced to counter the evolving terrorist threats. Building on our earlier work, we announce today our intention to expand and deepen cooperation on nuclear security with the goal of enhancing the security of nuclear facilities in our two countries and, together with our friends and allies, around the globe. To this end the United States and Russia will continue and expand their cooperation on emergency response capability to deal with the consequences of a nuclear/radiological incident, including the development of additional technical methods to detect nuclear and radioactive materials that are, or may be, involved in the incident. We will work together to help ensure full implementation of UN Security Council Resolution 1540 and early adoption of an International Convention on Nuclear Terrorism and the amended Convention on Physical Protection of Nuclear Material. [Note: Resolution 1540 requires all States "to refrain from providing any form of support to non-State actors that attempt to develop, acquire, manufacture, possess, transport, transfer or use nuclear, chemical or biological weapons and their means of delivery" and to "adopt and enforce appropriate effective laws which prohibit any nonState actor to manufacture, acquire, possess, develop, transport, transfer or use nuclear, chemical or biological weapons and their means of delivery, in particular for terrorist purposes, as well as attempts to engage in any of the foregoing activities, participate in them as an accomplice, assist or finance them."]
158
Appendix VI. Joint Statement by President G.W. Bush and President V.V. Putin
U.S. and Russian experts will share "best practices" for the sake of improving security at nuclear facilities, and will jointly initiate security "best practices" consultations with other countries that have advanced nuclear programs. Our experts will convene in 2005 a senior-level bilateral nuclear security workshop to focus increased attention on the "security culture" in our countries including fostering disciplined, well-trained, and responsible custodians and protective forces, and fully utilized and well-maintained security systems. The United States and Russia will continue to work jointly to develop low-enriched uranium fuel for use in any U.S.- and Russian-design research reactors in third countries now using high-enriched uranium fuel, and to return fresh and spent highenriched uranium from U.S.- and Russian-design research reactors in third countries. The United States and Russia will continue our cooperation on security upgrades of nuclear facilities and develop a plan of work through and beyond 2008 on joint projects. Recognizing that the terrorist threat is both long-term and constantly evolving, in 2008 our countries will assess the joint projects and identify avenues for future cooperation consistent with our increased attention to the security culture in both countries. We have established a bilateral Senior Interagency Group chaired by Secretary of Energy Bodman and Rosatom Director Rumyantsev for cooperation on nuclear security to oversee implementation of these cooperative efforts. A progress report will be due on July 1, 2005, and thereafter on a regular basis.
Nuclear Security Culture: From National Best Practices to International Standards I. Khripunov et al. (Eds.) IOS Press, 2007 © 2007 The authors. All rights reserved.
159
Author Index Carroll, P. Habiger, E. Holgate, L. Holmes, J. Ischenko, N. Khripunov, I.
23 9, 15 17 1 7 7
Masuda, M. Nikonov, D. Nilsson, A. Packer, C. Steinhäusler, F. Winter, D.
31 75 13, 15 43 55 63
This page intentionally left blank