Nuclear Security: Attitude Check

The IAEA record

The importance of such a culture is not lost on the United Nations. In the past several years, the International Atomic Energy Agency (IAEA) has aggressively promoted the concept of a nuclear security culture as a tool to improve the physical protection of nuclear material. A 2001 IAEA report titled “Fundamental Principles of Physical Protection of Nuclear Material and Nuclear Facilities” identified the security culture as one of 12 principles underlying fissile-material security:

“All organizations involved in implementing physical protection should give due priority to the security culture, to its development and maintenance necessary to ensure its effective implementation in the entire organization.” 2

The growing threat of catastrophic terrorism and other new security challenges have made it clear that the scope of nuclear security and the associated culture need to extend beyond the traditional task of protecting weapons-usable materials at their sites. Radioactive sources must be rigorously protected while undergoing transport, storage, or handling for a variety of other purposes. Accordingly, the IAEA Advisory Group on Nuclear Security recently embraced a new and wider understanding of nuclear security, defining it as “the prevention and detection of and response to theft, sabotage, unauthorized access, illegal transfer, and other malicious acts involving nuclear material, other radioactive substances, or their associated facilities.”

This broad interpretation is largely consistent with the guidelines set forth in U.N. Security Council Resolution 1540, which seeks to prevent the spread of weapons of mass destruction (WMD). The resolution is innovative in that, for the first time, a document of this type offers a comprehensive vision of what is needed to curb the supply side of the proliferation problem. The main body of the resolution requires all U.N. member states to:

All resolutions issued under Chapter VII of the U.N. Charter–as Resolution 1540 was–are binding on all members, which means that all U.N. member states are now accountable for implementing the terms of the resolution whether or not they are parties to the relevant treaties, agreements, and regimes.

Dedicated leadership within organizations entrusted with fissile materials is one of the chief determinants of security, but so is broad participation at all levels of government, business, and civil society. Security planning and management must be assigned a higher priority. Educating both the workforce and the public and eliciting their support is the best way to assure that security receives the attention and resources commensurate with its importance.

In an effort to reflect new realities and concerns, a recent IAEA document, the “Code of Conduct on the Safety and Security of Radioactive Sources,” urged every state to take appropriate measures to promote both safety culture and security culture with respect to radioactive sources, thereby protecting individuals, society, and the environment. That document defined nuclear security culture as “characteristics and attitudes in organizations and of individuals which establish that [nuclear] security issues receive the attention warranted by their significance.” 3 However, the IAEA has not yet issued detailed guidance or recommendations regarding the concept of nuclear security culture, its content, or ways to make it a reality.

Safety and security sometimes at odds

Events in the Soviet Union, and later Russia, prodded the world community to begin thinking more about nuclear safety and, subsequently, nuclear security. The 1986 Chernobyl accident, a result of human error and violations of safety regulations, prompted the IAEA to embark on an arduous and time-consuming search for universally acceptable standards for a “safety culture.” By the 1990s it was obvious that inadequate skills and low motivation in the workforces at Russian nuclear sites imperiled international security.

By now, the need to develop a security culture, distinct from a safety culture, is widely acknowledged. And although safety and security have much in common, at times their requirements are at odds. For example, as the security processes to enter the “operating island” of a nuclear plant become more extensive, the number of visits that office staff, such as engineers and managers, routinely pay to the field go down substantially. We know from experience that field presence is a vital part of a strong safety culture, both in terms of helping staff meet standards and in spotting equipment and other problems, so reduced accessibility under security pressures is undesirable. There can also be an occasional issue when access to a safety-critical area has to be kept locked for security reasons when it would be safer to keep it unlocked. This ambiguous relationship is captured in another IAEA document, “The Physical Protection of Nuclear Material and Nuclear Facilities,” which declares: “Safety specialists, in cooperation with physical protection specialists, should evaluate the consequences of malevolent acts, considered in the context of the State's design basis threat, to identify nuclear material, or the minimum complement of equipment, systems, or devices to be protected against sabotage. Potential conflicting requirements, resulting from safety and physical protection considerations, should be carefully analyzed to ensure that they do not jeopardize nuclear safety, including during emergency conditions.” 4

The tension between the two concepts arises because they embody two fundamentally different approaches to enhancing the operational reliability of vital systems, equipment, and components. Proponents of safety typically call for building increased redundancy into at-risk systems, while proponents of security point out that greater redundancy might render these systems, equipment, and components even more vulnerable. Increased redundancy might also create a situation in which there are more components and equipment than can affordably be secured against malicious acts–making security costlier and more elusive than it already is.

OPEN IN VIEWER

Measures in place: Employees at the Columbia Generating Station in Washington State reporting to work.

Even so, the two concepts can be mutually reinforcing. Despite occasional tension between the tenets of security culture and safety culture, the former is emerging as a distinct and important approach to enhancing physical protection. There are several reasons for emphasizing the development of a distinct security culture:

Notwithstanding the tension between the two concepts, the characteristics of a good security culture would likely result in improved safety, quality, and productivity within the organization, since closer attention to personnel performance tends to produce better results in every area.

Depending on history, tradition, and security-related developments in individual countries, the emphasis afforded to safety and security cultures varies considerably. Governments blessed with a relatively peaceful domestic environment unaffected by terrorist upheavals will often choose to downplay security culture as an unaffordable luxury. Some governments with poor safety records work to enhance safety, integrating security into the overall architecture of the nuclear complex. Still others inadvertently confuse the terms because in some languages “safety” and “security” are often translated into the same word (bezopasnost in Russian, for example).

Properties of a security culture

The exigencies of the post-9/11 security environment will shape nuclear security culture for the foreseeable future. A nuclear security culture can be judged by:

Security is not a matter for security specialists alone. It should be part of the overall organizational culture, and all employees who work at a facility should be included. The objectives and standards of a nuclear security culture should not vary based on the social culture.

Security is defined in similar terms around the world; however, different elements of nuclear security culture will be harder to implement in some organizational and social settings than in others. For example, inhabitants of different countries will tend to make different assumptions about the vulnerability of the nuclear complex to insider and outsider threats, ranking these threats differently against one another.

An important element of security culture is that it defines, among other things, the instinctive behavior of personnel. An efficacious security culture expects employees to take an active, security-based stance in any situation in which nuclear material and/or the facility itself are at risk. They are expected to innovate, since risks are too numerous to predict and no amount of planning or policy making can account for all contingencies. This element is particularly important in view of growing and unpredictable terrorist threats. At a facility that boasts a supportive security culture, employees will respond to security issues out of habit rather than conscious effort. In an unsupportive environment, employees and management will tend to ignore security–or even to circumvent security precautions when they become inconvenient.

Finally, cultures are not good or bad in themselves, but they are good or bad at producing certain results. There is always some kind of security culture in an organization. The important questions are whether it is what it should be and whether it is improving or decaying. The leaders of an organization have a particularly strong influence over the assumptions and ideas that need to be promoted to achieve and maintain a successful security culture.

Developing a security culture

Cultures are based on a set of shared, underlying assumptions about reality. Practically speaking, this means that an organization will instill tangible behaviors in the workforce that derive from what the organization's leaders assume should be most important. Even the most astute assumptions will atrophy, however, unless the leadership actively works to spread them throughout the organization. Staff will simply form other assumptions based on their own experiences, or even on their whims. Top managers need to lead the way in forging the appropriate pattern of ideas. Often underlying assumptions are unconsciously held and never discussed in the daily course of business. They simply become “the way we do things.” But a culture needs conscious attention if it is to thrive. 5

A good security culture is founded on a healthy respect for the threat. From the most senior leaders down to the lowliest technician, the staff needs to understand that security measures truly matter. This underlying conviction then permeates the way people work, and it drives their behavior under normal and abnormal conditions. In a facility that enjoys a good security culture, personnel typically display a deep-rooted belief that there are credible insider and outsider threats, including theft, sabotage, unauthorized access, illegal transfer, and other malicious acts, and that it is their duty to counteract those threats. A sense of mission goes a long way toward fissile material security.

The next level in deconstructing underlying assumptions is to conceptualize the basic principles and values conducive to the behaviors and physical arrangements that make up a vibrant security culture. The necessary principles and values include honesty, integrity, and a sense of responsibility; a commitment to keeping equipment in good working order; obedience to procedure; a commitment to learning and process improvement; and effective leadership throughout the organizational hierarchy. These traits contribute to the tangible core of security culture.

The core consists of four major elements: facility leadership, proactive policies and procedures, personnel performance, and learning and professional improvement. The main element within the facility is the performance of leaders. Top managers are responsible for developing and implementing a specific set of policies and procedures that shape the behavior of their subordinates. Of particular importance to the core is a manager's emphasis on clear roles and responsibilities, visible security policies, cyberprotection, contingency plans and drills, and personal accountability. Continuous training is the primary tool to get the required results.

These desired traits are not, of course, confined to security; they are mainstays of healthy management practices. Conversely, a poorly managed work environment in which these attributes are lacking will be indifferent to efforts to achieve a high standard of security culture. Accordingly, any campaign to promote nuclear security culture–whether nationally sponsored or funded primarily through international assistance–should seek to better the overall professional culture.

A set of eight factors external to an organization also shapes the behaviors and concrete attributes associated with the security culture. These variables will either hamper or facilitate the development of security culture within the organization. They include:

International commitments and assistance. Membership in relevant international agreements and forums is an important prerequisite for promoting nuclear security culture. IAEA programs relevant to security culture include the International Physical Protection Advisory Service (IPPAS), which helps member states evaluate their physical protection systems at the state and facility levels. The work of the IPPAS is based on the recommendations contained in IAEA document INFCIRC/225 and the obligations set forth in the Convention on Physical Protection of Nuclear Material. IPPAS-sponsored workshops introduce national representatives to both the tangible and intangible aspects of nuclear security. External material protection, control, and accounting (MPC&A) assistance from sources such as the Energy Department's program in Russia and other former Soviet republics contributes significantly to the familiarization process and helps upgrade the actual MPC&A infrastructure.

OPEN IN VIEWER

Diablo Canyon maintenance employees work near a potential terrorist target—a spent fuel pool.

National policies and leadership attitudes. The behavior of management and other personnel at a facility reflects the priority accorded nuclear security issues by the nation's leaders. When top political leaders demonstrate their interest in this vital area, they send a powerful signal to staff members at individual sites.

Corporate and industry guidelines. The industry, working with appropriate government agencies, is responsible for clarifying and updating the current threat assessment, in addition to providing training, inspections, and quality assurance. Funding issues ranging from budgetary allocations to recommendations for private operators also fall under the purview of industry.

The “design basis threat” (DBT). The IAEA recommends a DBT methodology, which takes into account the capabilities, intentions, attributes, and characteristics of potential adversaries, as the approach to designing security measures. Drawing on this methodology, individual countries can develop their own national DBTs consistent with best practices and their national traditions and history.

Security equipment. This equipment must be available through appropriate channels, meet national and international standards, and stay affordable by coming in a variety of price ranges to allow sites with smaller budgets to sustain their efforts. The ultimate goal is to make maximum use of automated processes and procedures, thereby limiting the prospect of human error.

Rules and regulations. The texts of written directives must be up-to-date, succinct, and user-friendly. This is especially important for dissemination to personnel who do not routinely deal with security matters. The texts need to send a clear and unambiguous message.

Deterrence through enforcement. National governments should criminalize activities like theft, sabotage, unauthorized access, illegal transfers, and other malicious acts involving nuclear material that might lead to breaches of nuclear security. The appropriate government agencies need to enforce these laws rigidly in order to deter potential perpetrators.

General public awareness. The escalation of terrorism in recent years has created a political climate in which the public is receptive to security concerns. Well-tailored outreach efforts can convince the public that breaches of security could jeopardize the safety of nuclear facilities, and even their own lives. A public that starts caring about nuclear security will be more likely to report attempts at diversion and terrorism, and report inadequate security perimeters or the presence of suspicious people near a facility, or other conditions that could contribute to a breach of security. The public will also be more likely to call media, government, and legislative attention to security problems at nuclear facilities and more likely to form advocacy groups to publicize the importance of nuclear security.

The ultimate goal of security culture is to contribute to the efficient protection of nuclear material by contributing to a security-conscious work environment. The performance of a nuclear security regime ultimately hinges on how people behave. A workforce made up of individuals who are vigilant, question irregularities, execute their work diligently, and exhibit high standards of personal and collective behavior will maintain tight security.

Putting it together

Security culture is not a panacea but must be increasingly looked upon in a time of terrorist threats as a necessary organizational tool. In addition to its other benefits, an efficacious security culture expects employees to take a proactive and innovative stance in a threat milieu where risks are too numerous to predict, even for the most farsighted leaders.

The concept of nuclear security culture is universally applicable. But the international community should not try to impose a one-size-fits-all approach to its development. Local conditions vary. Certain aspects of security culture will require different levels of attention in each country. There is a group of countries whose history, tradition, ongoing economic developments, and other traits complicate their ability to meet the standards of security culture. This group includes transitional societies, countries whose nuclear programs lacked or still lack transparency, countries instituting nuclear power and research programs from scratch, and countries in which the nuclear industry is undergoing ownership reform. Former Soviet and Eastern Bloc countries, to name a few, fall into these categories.

The IAEA, the Group of Eight (G-8), and individual governments should work to develop an internationally accepted concept of nuclear security culture and provide assistance programs to selected countries. This is a matter of pressing importance. The G-8, in particular, should discuss security culture at its annual summit meetings and allocate funding for its promotion. Britain and Russia, which are scheduled to host the summits in 2005 and 2006 respectively, should explicitly request the G-8 countries to address this concept and include this item on the agenda. U.N. Security Council Resolution 1540, which directs U.N. member states to rein in the spread of weapons of mass destruction, can be a useful tool in bolstering nuclear security culture.

If member states were required under U.N. reporting provisions to submit, among other things, information about their efforts to cultivate security culture among nuclear personnel, they would begin to accord nuclear security the high priority it deserves.