IAEA Releases Guidelines on Nuclear Material Control and Accounting

More than a decade after its nuclear security recommendations first recognized the threat insiders pose to nuclear facilities, the International Atomic Energy Agency (IAEA) has finally released its guide on nuclear material control and accounting for nuclear security.  (This has been in the works for years.) Many people wrongly think that any material under international safeguards has accounting and control good enough for security purposes as well, but there are important differences.

For example, for safeguards purposes it does not matter much if workers leave potential nuclear bomb material out on the table when they go home for the evening – but for security purposes, that could matter a lot.  Similarly, safeguards inspectors do not check how many people have authorized access to the vault, or whether all operations where people have access to weapons-usable nuclear material are under close surveillance – but those are essential elements of a good security program.

The new guide emphasizes that a nuclear material accounting and control (NMAC) system must be designed to be capable of “detecting in a timely manner any unauthorized removal of nuclear material.”  This, it turns out, is not so easy to do, especially in the case of small removals over a long period of time – what is known as “protracted theft.” A safety, rather than security, incident at the Thermal Oxide Reprocessing Plant (THORP) in the United Kingdom in 2005 highlights some of the difficulties that can arise.  The facility had a state-of-the-art accounting system, which showed that plutonium was missing.  The operators told the accounting staff everything was fine and their accounting system must be having a problem.  In the next accounting period, and the next, and so on, the accounting system showed more and more plutonium missing, and the operators continued to refuse to believe the results.  Finally, after many months, it was discovered the facility had been leaking plutonium-laden acid into a cell in the basement, which contained a swimming pool’s worth of the acid (and 160 kilograms of plutonium) by the time the leak was discovered.  (The facility was shut down for years as a result; Britain plans to close it in a couple of years, after it finally finishes working off its contracts.)

To avoid such problems, the new guide recommends steps such as processing material in modest batches where practical, and launching investigations immediately whenever a discrepancy occurs.  There are important recommendations in the guide that seem basic, but have sometimes been violated in the past in both the United States and Russia:

• “Any nuclear facility operator should conduct periodic physical inventory taking of all nuclear material in every [material balance area],” and ultimately all records of amounts of nuclear material “should be based on measurement.”  In Russia, there are facilities with thousands of canisters of material built up over decades of operations that have not had an actual measurement of the material they contain since the collapse of the Soviet Union.  There is a record for each canister of how much material is supposed to be inside – but who knows if it’s still there?

• Losses to waste “should not be assumed to equal the difference between book and physical inventory.”  What this is saying, in its bureaucratic way, is do not define away the very possibility that nuclear material has been stolen by simply saying any difference between what’s on hand and what should be on hand must be losses to waste – which is exactly what used to be done in Soviet times in Russia and what more than one U.S. facility has been caught doing over the years.

• “Devices that can be easily copied (e.g., lead and or wax seals) or defeated are not appropriate for use as tamper indicating devices in an NMAC system.”  In Russia, wax and lead seals that could be faked by any worker with an authorized stamp used to be the main ones used, though the latest accounting and control regulations bar them, requiring uniquely identifiable tamper-indicating devices (TIDs).  But I would guess that many of the thousands of not-yet-remeasured canisters mentioned above are still equipped with the old wax or lead seals.  Unfortunately, even once you get to the uniquely identifiable TIDs (ones with a bar code, for example) a lot of the TIDs available on the market fall in the “easily… defeated” category.  A decade ago, Roger Johnston and his team reviewed over 200 varieties of commercially available TIDs, from low-tech to high-tech, and found that all of them could be defeated in ways that would not be detected by the inspection protocols in use, using equipment from any hardware store – and the average defeat time was 2.7 minutes.  (Expensive high-tech seals were not generally harder to defeat than cheap low-tech ones.)  Roger tells me things have gotten a bit better since then, but overreliance on TIDs that can be defeated without detection is still a major problem.

• The guide recommends that interactions between people and nuclear material be kept under surveillance, and that surveillance “should ensure at least that… when the two person rule is the surveillance method, the two authorized persons are physically located where they have an unobstructed view of each other or the nuclear material, and each person is trained and capable of detecting unauthorized activities or incorrect procedures.”  Unfortunately, Russia’s regulations on the two-person rule say the two have to come into the material area together – but they don’t necessarily have to stay together.  Even in the United States, it would be hard to make the case that everybody who’s part of a two-person team is “trained and capable of detecting unauthorized activities”; as anyone who has been to a magic show knows, people who are good at sleight of hand can put something in their pocket or up their sleeve without observers noticing, even when the observers are looking right at them.  In general, the probability of detection from the two-person rule alone is not very high – but it likely has some effect in deterring people from attempting to steal material.

As with many IAEA documents, the guide does not venture any thoughts on how effective these various systems should be, leaving that determination to each state handling nuclear material.  It says accounting and control systems should provide “timely” detection of any removal – but how timely is timely?  Only the material control systems – cameras and alarms and the like – have much chance of providing immediate warnings while a theft is still in progress.   Accounting systems might confirm that material was missing days or weeks after a theft had taken place.   The guide says operators should not use TIDs that can be “easily” defeated – but how hard does it have to be to defeat a TID before it makes sense to use it? 

Still, the guide provides a great deal of useful advice.  If all states and operators implemented accounting and control systems that included all of the elements the guide describes in a sensible way, it would become much harder for insider thieves to steal nuclear material without detection.  States participating in the 2016 nuclear security summit should develop a “gift basket” with a joint commitment to implementing these accounting and control guidelines.