Current approaches to securing high consequence facilities (HCF) and critical assets are linear and static and therefore struggle to adapt to emerging threats (e.g., unmanned aerial systems) and changing environmental conditions (e.g., decreasing operational control). The pace of change in technological, organizational, societal, and political dynamics necessitates a move toward codifying underlying scientific principles to better characterize the rich interactions observed between HCF security technology, infrastructure, digital assets, and human or organizational components. The promising results of Laboratory Directed Research and Development (LDRD) 20-0373, “Developing a Resilient, Adaptive, and Systematic Paradigm for Security Analysis,” suggest that, compared to traditional security analysis, modeling HCF security system components as a multilayer network (MLN) captures unexpected failure cases and unanticipated interactions.
Recent events raise significant concern for the resilience of the U.S. electric grid and underscore the need for enhanced decision-making to address an increasingly wide range of complex system interactions and potential consequences. In response, this LDRD project produced a proof-of-concept evaluation called the Resilience and Hazard Assessment to Prioritize Security Operations for Decisions and Impacts (RHAPSODI) methodology, an agile and flexible analytic framework capable of addressing multiple, diverse threats to desired electric grid performance. After empirically grounding needs for the future of U.S. electric grid resilience, this project employed systems-theoretic process analysis (STPA) to develop a systems engineering risk model. The results of a completed feasibility study of a notional high voltage transmission system demonstrate an improved ability to incorporate both spatial (e.g., geographically distributed) and temporal (e.g., dynamic and time-dependent) elements of security risk to the grid. The success of this LDRD project provides the foundation for further evolution of the systems engineering risk model for the grid; derivation of quantitative approaches to evaluate risk and resilience performance; agile experimentation on grid sensitivity to a range of vulnerabilities; and development of tools to assist decision-makers in enhancing U.S. electric grid resilience.
Systems engineering today faces a wide array of challenges, ranging from new operational environments to disruptive technologies, necessitating approaches to improve research and development (R&D) efforts. Yet, emphasizing the Aristotelian argument that the “whole is greater than the sum of its parts” seems to offer a conceptual foundation for creating new R&D solutions. Invoking the systems-theoretic concepts of emergence and hierarchy and the analytic characteristics of traceability, rigor, and comprehensiveness is potentially beneficial for guiding R&D strategy and development to bridge the gap between theoretical problem spaces and engineering-based solutions. In response, this article describes systems-theoretic process analysis (STPA) as an example of one such approach to aid in early-systems R&D discussions. STPA, a ‘top-down’ process that abstracts real complex system operations into hierarchical control structures, functional control loops, and control actions, uses control loop logic to analyze how control actions (designed for desired system behaviors) may be violated and drive the complex system toward states of higher risk. By analyzing how needed controls are not provided (or are provided out of sequence or stopped too soon) and how unneeded controls are provided (or engaged too long), STPA can help early-system R&D discussions by exploring how requirements and desired actions interact to either mitigate or potentially increase states of risk that can lead to unacceptable losses. This article demonstrates STPA's benefit for early-system R&D strategy and development discussion by describing such diverse use cases as cyber security, nuclear fuel transportation, and US electric grid performance. Together, the traceability, rigor, and comprehensiveness of STPA serve as useful tools for improving R&D strategy and development discussions.
In conclusion, leveraging STPA as well as related systems engineering techniques can be helpful in early R&D planning and strategy development, both to triangulate deeper theoretical meaning and to evaluate empirical results, so that systems engineering solutions are better informed.
As the frequency and quantities of nuclear material shipments escalate internationally to meet the increased demand for small modular reactors (SMR) and advanced reactors (AR), the risks and costs associated with shipping activities are also likely to increase with them. The primary objective of this study is to evaluate possibilities for risk reduction via avoidability, that is, avoiding or reducing the need for nuclear shipments where possible by reducing either the frequency of shipments or the quantities of material they contain.
The PRO-X program is actively supporting the design of nuclear systems by developing a framework to both optimize the fuel cycle infrastructure for advanced reactors (ARs) and minimize the potential for production of weapons-usable nuclear material. Sandia National Laboratories (SNL), with support from Argonne National Laboratory (ANL), is currently investigating three study topics that may offer proliferation resistance opportunities or advantages in the nuclear fuel cycle: 1) Transportation Global Landscape, 2) Transportation Avoidability, and 3) Parallel Modular Systems vs. Single Large System (Crosscutting Activity).
Security engineering approaches can often focus on a particular domain—physical security, cyber security, or personnel security, for example. Yet, security systems engineering consistently faces challenges requiring socio-technical solutions to address evolving and dynamic complexity. While some drivers of this complexity stem from complex risk environments, innovative adversaries, and disruptive technologies, other drivers are endogenous and emerge from the interactions across security engineering approaches. In response, INCOSE's Systems Security Working Group identified the need to better coordinate “disparate security solutions [that] operate independently” as one of eleven key concepts in their IS21 FuSE Security Roadmap. From this perspective, the need for “security orchestration” aligns with the view that security is a property that emerges from interactions within complex systems. Current efforts at Sandia National Laboratories are developing a systems security engineering approach that describes high consequence facility (HCF) security as a multidomain set of interacting layers. The result is a multilayered network (MLN)-based approach that captures the interactions between infrastructure, physical components, digital components, and humans in nuclear security systems. This article summarizes the MLN-based approach to HCF security and describes two preliminary results demonstrating potential benefits from incorporating interactions across disparate security solutions. Here, by leveraging the logical structure of networks, this MLN model-based approach provides an example of how security orchestration yields enhanced systems security engineering solutions.
Advances in differentiating between malicious intent and natural “organizational evolution” to explain observed anomalies in operational workplace patterns suggest that evaluating the collective behaviors observed in a facility can improve insider threat detection and mitigation (ITDM). Advances in artificial neural networks (ANN) provide more robust pathways for capturing, analyzing, and collating disparate data signals into quantitative descriptions of operational workplace patterns. In response, a joint study by Sandia National Laboratories and the University of Texas at Austin explored the effectiveness of commercial ANN software to improve ITDM. This research demonstrates the benefit, for ITDM, of learning patterns of organizational behaviors, detecting off-normal (or anomalous) deviations from these patterns, and alerting when certain types, frequencies, or quantities of deviations emerge. Evaluating nearly 33,000 access control data points and over 1,600 intrusion sensor data points collected over a nearly twelve-month period, this study's results demonstrated that the ANN could recognize operational patterns at the Nuclear Engineering Teaching Laboratory (NETL) and detect off-normal behaviors, suggesting that ANNs can be used to support a data-analytic approach to ITDM. Several representative experiments were conducted to further evaluate these conclusions, with the resultant insights supporting collective behavior-based analytical approaches to quantitatively describe insider threat detection and mitigation.
Security assessments support decision-makers' ability to evaluate current capabilities of high consequence facilities (HCF) to respond to possible attacks. However, increasing complexity of today's operational environment requires a critical review of traditional approaches to ensure that implemented assessments are providing relevant and timely insights into security of HCFs. Using interviews and focus groups with diverse subject matter experts (SMEs), this study evaluated the current state of security assessments and identified opportunities to achieve a more "ideal" state. The SME-based data underscored the value of a systems approach for understanding the impacts of changing operational designs and contexts (as well as cultural influences) on security to address methodological shortcomings of traditional assessment processes. These findings can be used to inform the development of new approaches to HCF security assessments that are able to more accurately reflect changing operational environments and effectively mitigate concerns arising from new adversary capabilities.
Traditional systems engineering demonstrates the importance of customer needs in scoping and defining design requirements; yet, in practice, other human stakeholders are often absent from early lifecycle phases. Human factors are often omitted in practice when evaluating and down-selecting design options due to constraints such as time, money, access to user populations, or difficulty in proving system robustness through the inclusion of human behaviors. Advances in systems engineering increasingly include non-technical influences in the design, deployment, operations, and maintenance of interacting components to achieve common performance objectives. Furthermore, such advances highlight the need to better account for the various roles of human actors to achieve desired performance outcomes in complex systems. Many of these efforts seek to infuse lessons and concepts from human factors (enhanced decision-making through Crew Resource Management), systems safety (Rasmussen's “drift toward danger”) and organization science (Giddens' recurrent human acts leading to emergent behaviors) into systems engineering to better understand how socio-technical interactions impact emergent system performance. Safety and security are examples of complex system performance outcomes that are directly impacted by varying roles of human actors. Using security performance of high consequence facilities as a representative use case, this article outlines the System Context Lenses as a way to include the various roles of human actors in systems engineering design. Several exemplar applications of these organizing lenses are summarized and used to highlight more generalized insights for the broader systems engineering community.
Protecting high consequence facilities (HCF) from malicious attacks is challenged by today’s increasingly complex, multi-faceted, and interdependent operational environments and threat domains. Building on current approaches, insights from complex systems and network science can better incorporate multidomain interactions observed in HCF security operations. These observations and qualitative HCF security expert data support invoking a multilayer modeling approach for HCF security to shift from a “reactive” to a “proactive” paradigm that better explores HCF security dynamics and resilience not captured in traditional approaches. After exploring these multi-domain interactions, this paper introduces how systems theory and network science insights can be leveraged to describe HCF security as complex, interdependent multilayer directed networks. A hypothetical example then demonstrates the utility of such an approach, followed by a discussion on key insights and implications of incorporating multilayer network analytical performance measures into HCF security.
Resilience has been defined as a priority for the US critical infrastructure. This paper presents a process for incorporating resiliency-derived metrics into security system evaluations. To support this analysis, we used a multi-layer network model (MLN) reflecting the defined security system of a hypothetical nuclear power plant to define what metrics would be useful in understanding a system's ability to absorb perturbation (i.e., system resilience). We defined measures focusing on the system's criticality, rapidity, diversity, and confidence at each network layer, for each simulated adversary path, and for the system as a whole, as a basis for understanding the system's resilience. For this hypothetical system, our metrics indicated the importance of physical infrastructure to overall system criticality, the relative confidence of physical sensors, and the lack of diversity in assessment activities (i.e., dependence on human evaluations). Refined model design and data outputs will enable more nuanced evaluations of temporal, geospatial, and human behavior considerations. Future studies can also extend these methodologies to capture the respond and recover aspects of resilience, further supporting the protection of critical infrastructure.
Performance measures commonly used in systems security engineering tend to be static, linear, and have limited utility in addressing challenges to security performance from increasingly complex risk environments, adversary innovation, and disruptive technologies. Leveraging key concepts from resilience science offers an opportunity to advance next-generation systems security engineering to better describe the complexities, dynamism, and non-linearity observed in security performance—particularly in response to these challenges. This article introduces a multilayer network model and modified Continuous Time Markov Chain model that explicitly captures interdependencies in systems security engineering. The results and insights from a multilayer network model of security for a hypothetical nuclear power plant introduce how network-based metrics can incorporate resilience concepts into performance metrics for next generation systems security engineering.
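The three multilayer-network abstracts above describe measuring criticality, rapidity, diversity and detection confidence per layer, per simulated adversary path, and for the system as a whole, but do not reproduce their metric definitions. The following is an added example written for this page, not the Sandia model or the papers' own metric definitions: it builds a small, constructed multilayer network of a hypothetical facility (physical, digital and human layers), enumerates loop-free adversary paths, and computes illustrative versions of those measures (cumulative detection probability under independent sensors, accumulated delay as rapidity, number of distinct assessment layers as diversity, and share of adversary paths through a node or layer as criticality). The node names, detection probabilities, delays, edges and metric definitions are all assumptions made for the illustration.

```python
"""Adversary-path metrics on a small multilayer network (MLN) of a hypothetical facility.

Added example, not the model or metric definitions of the studies described above.
The network, detection probabilities, delays and metric definitions are constructed.
"""
from typing import Dict, List, Tuple

# Node -> (layer of the element, detection probability when the adversary passes it,
# delay it imposes in seconds, layer that performs the alarm assessment).
NODES: Dict[str, Tuple[str, float, int, str]] = {
    "offsite":      ("physical", 0.00,   0, "none"),
    "fence":        ("physical", 0.60,  30, "human"),    # CCTV watched by an operator
    "gate":         ("physical", 0.80,  20, "human"),    # staffed guard post
    "badge_reader": ("digital",  0.70,  10, "digital"),  # access control system logic
    "plc_network":  ("digital",  0.40,  15, "digital"),  # network intrusion detection
    "vital_door":   ("physical", 0.85, 120, "human"),    # door alarm assessed by operator
    "target":       ("physical", 0.00,   0, "none"),
}

# Directed edges: each is one step an adversary can take between elements.
EDGES: List[Tuple[str, str]] = [
    ("offsite", "fence"), ("offsite", "gate"),
    ("fence", "vital_door"), ("gate", "vital_door"), ("gate", "badge_reader"),
    ("badge_reader", "vital_door"), ("badge_reader", "plc_network"),
    ("plc_network", "target"), ("vital_door", "target"),
]


def simple_paths(src: str, dst: str) -> List[List[str]]:
    """All loop-free adversary paths from src to dst (depth-first search)."""
    adj: Dict[str, List[str]] = {n: [] for n in NODES}
    for a, b in EDGES:
        adj[a].append(b)
    paths: List[List[str]] = []

    def walk(node: str, path: List[str]) -> None:
        if node == dst:
            paths.append(path)
            return
        for nxt in adj[node]:
            if nxt not in path:
                walk(nxt, path + [nxt])

    walk(src, [src])
    return paths


def path_metrics(path: List[str]) -> Dict[str, float]:
    """Illustrative per-path measures: cumulative detection, delay, assessment diversity."""
    miss = 1.0
    delay = 0
    assessors = set()
    for n in path:
        _, p_d, d, assessor = NODES[n]
        miss *= 1.0 - p_d          # adversary evades each sensor independently
        delay += d
        if assessor != "none":
            assessors.add(assessor)
    return {
        "p_detect": 1.0 - miss,      # probability the path is detected at least once
        "rapidity_s": delay,         # time the path buys the response force
        "diversity": len(assessors),  # distinct assessment layers on the path
    }


def node_criticality(paths: List[List[str]]) -> Dict[str, float]:
    """Fraction of adversary paths that traverse each node (illustrative criticality)."""
    crit = {n: 0.0 for n in NODES}
    for p in paths:
        for n in p:
            crit[n] += 1.0 / len(paths)
    return crit


def layer_criticality(paths: List[List[str]]) -> Dict[str, float]:
    """Fraction of paths that rely on at least one element of each layer."""
    layers = {layer for layer, *_ in NODES.values()}
    return {layer: sum(1 for p in paths if any(NODES[n][0] == layer for n in p)) / len(paths)
            for layer in layers}


def weakest_path(paths: List[List[str]]) -> List[str]:
    """The path an adversary would prefer: lowest detection, then shortest delay."""
    return min(paths, key=lambda p: (path_metrics(p)["p_detect"], path_metrics(p)["rapidity_s"]))


if __name__ == "__main__":
    ps = simple_paths("offsite", "target")
    for p in ps:
        print(" -> ".join(p), path_metrics(p))
    print("node criticality:", node_criticality(ps))
    print("layer criticality:", layer_criticality(ps))
    print("weakest path:", " -> ".join(weakest_path(ps)))
```

On this constructed network the fence route is the least-detected path even though it imposes the longest delay, and every path passes through the physical layer while only half touch the digital layer; the human layer assesses three of the five sensing elements, which is the kind of assessment-diversity dependence the abstract above flags. Independence of sensors is an assumption of the illustration, not a property of real systems.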
Vital Area Identification (VAI) is an important element in securing nuclear facilities, including the range of recently proposed advanced reactors (AR). As ARs continue to develop and progress toward licensure, it will be necessary to ensure that safety analysis methods are compatible with the new reactor designs. These reactors tout inherently passive safety systems that drastically reduce the number of active components whose failures need to be considered as basic events in a Level 1 probabilistic risk assessment (PRA). Instead, ARs rely on natural processes for their safety, which may be difficult to capture with fault trees (FTs), making it correspondingly difficult to determine the effects of lost equipment when completing a traditional VAI analysis. Traditional VAI methodology incorporates FTs from the Level 1 PRA as a substantial portion of the effort to identify candidate vital area sets. The outcome of VAI is a selected set of areas deemed vital that must be protected in order to prevent radiological sabotage. An alternative methodology is proposed to inform the VAI process and selection of vital areas: Systems-Theoretic Process Analysis (STPA). STPA is a systems-based, top-down approach that analyzes a system as a hierarchical control structure composed of components (both those that are controlled and their controllers) and the control actions those components issue or receive. The control structure is then analyzed against several situational parameters, including a time component, to produce a list of scenarios that may lead to system losses. A case study is presented to demonstrate how STPA can be used to inform VAI for ARs.
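Both the R&D-strategy abstract and the VAI abstract above rely on the same STPA step: for each control action, ask whether it is hazardous when not provided, when provided, when provided at the wrong time or out of sequence, and when stopped too soon or applied too long, across the states of the controller's process model (including a time component). The following is an added example written for this page, not Sandia's STPA tooling or any result of these studies: it enumerates candidate unsafe control actions (UCAs) for one hypothetical control action, "unlock door" issued by an access control system to a vital-area door, over the Cartesian product of a few process-model variables, with the hazard judgement supplied as rules. The controller, the variables, hazards H-1 and H-2, and the 30-second dwell limit are assumptions made for the illustration.

```python
"""Enumerate STPA unsafe control actions (UCAs) for one hypothetical control action.

Added example; not the analysis tooling of the studies described above. The control
structure, process-model variables, hazards and rules are constructed for illustration.
"""
from dataclasses import dataclass
from itertools import product
from typing import Callable, Dict, List, Tuple

# The four STPA guide words: ways a control action can contribute to a hazard.
NOT_PROVIDED = "not provided when needed"
PROVIDED = "provided when hazardous"
WRONG_TIMING = "too early, too late, or out of sequence"
WRONG_DURATION = "stopped too soon or applied too long"
GUIDE_WORDS = (NOT_PROVIDED, PROVIDED, WRONG_TIMING, WRONG_DURATION)

# System-level hazards the UCAs trace back to (hypothetical).
H1 = "H-1: unauthorized person inside the vital area"
H2 = "H-2: authorized responder or occupant blocked at the barrier during an emergency"


@dataclass(frozen=True)
class ControlAction:
    controller: str
    action: str
    controlled_process: str


@dataclass(frozen=True)
class UCA:
    action: str
    guide_word: str
    context: Tuple[Tuple[str, object], ...]  # (process-model variable, value) pairs
    hazards: Tuple[str, ...]


# Process-model variables the access controller acts on; their Cartesian product is
# the context space STPA asks the analyst to cover. Time enters through the last two.
CONTEXT_DOMAINS: Dict[str, tuple] = {
    "credential_valid": (True, False),
    "alarm": ("none", "intrusion", "fire"),
    "verification_done": (True, False),
    "unlock_held_s": (5, 90),  # seconds the door has already been held unlocked
}
DWELL_LIMIT_S = 30  # assumed maximum unlock dwell time

Rule = Callable[[dict], List[str]]


def unlock_door_rules() -> Dict[str, Rule]:
    """Analyst judgement for 'unlock door', encoded as rules over the context."""
    return {
        # Unlocking for an invalid credential admits an intruder.
        PROVIDED: lambda c: [H1] if not c["credential_valid"] else [],
        # Refusing a valid credential during a fire blocks egress and response.
        NOT_PROVIDED: lambda c: [H2] if c["credential_valid"] and c["alarm"] == "fire" else [],
        # Unlocking before verification completes is out-of-sequence control.
        WRONG_TIMING: lambda c: [H1] if not c["verification_done"] else [],
        # Holding the door unlocked past the dwell limit invites tailgating.
        WRONG_DURATION: lambda c: [H1] if c["unlock_held_s"] > DWELL_LIMIT_S else [],
    }


def enumerate_ucas(action: ControlAction, rules: Dict[str, Rule],
                   domains: Dict[str, tuple] = CONTEXT_DOMAINS) -> List[UCA]:
    """Walk every context and guide word; keep the combinations that lead to a hazard."""
    names = list(domains)
    ucas: List[UCA] = []
    for values in product(*(domains[n] for n in names)):
        ctx = dict(zip(names, values))
        for gw in GUIDE_WORDS:
            hazards = rules[gw](ctx)
            if hazards:
                ucas.append(UCA(action.action, gw, tuple(ctx.items()), tuple(hazards)))
    return ucas


def count_by_guide_word(ucas: List[UCA]) -> Dict[str, int]:
    """Where the control structure is weakest, by guide word."""
    counts = {gw: 0 for gw in GUIDE_WORDS}
    for u in ucas:
        counts[u.guide_word] += 1
    return counts


def trace_to_hazard(ucas: List[UCA], hazard: str) -> List[UCA]:
    """STPA traceability: every UCA that can lead to a given system-level hazard."""
    return [u for u in ucas if hazard in u.hazards]


if __name__ == "__main__":
    unlock = ControlAction("access control system", "unlock door", "vital-area door")
    found = enumerate_ucas(unlock, unlock_door_rules())
    print(f"{len(found)} candidate UCAs")
    for gw, n in count_by_guide_word(found).items():
        print(f"  {gw}: {n}")
    for u in trace_to_hazard(found, H2):
        print(u)
```

The enumeration is only as good as the rules, which is the analyst's job in STPA; what the code adds is the guarantee that every context in the process model was considered against every guide word, and a traceable list from each UCA back to the hazard it serves. The H-2 rows are the ones a security-only review tends to miss: the same lock that keeps an intruder out can keep a responder out.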
Multilayered networks (MLN), when integrated with traditional task analyses, offer a model-based approach to describe human performance in nuclear power plant security. MLNs demonstrate the interconnected links between security-related roles, security operating procedures, and technical components within a security system. However, when used in isolation, MLNs and task analyses may not fully reveal the impacts humans have within a security system. Thus, the System Context Lenses were developed to enhance design for and analysis of desired complex system behaviors, like security at Nuclear Power Plants (NPPs). The System Context Lenses integrate systems engineering concepts and human factors considerations to describe how human actors interact within (and across) the system design, operational environment, and sociotechnical context. Through application of the System Context Lenses, critical Performance Shaping Factors (PSFs) influencing human performance can be identified and used to analytically connect human actions with technical and environmental resources in an MLN. This paper summarizes the benefit of a tiered-lens approach on a use case of a multilayered network model of NPP security, including demonstrating how NPP security performance can be improved by more robustly incorporating varying human, institutional, and broader socio-technical interactions.
The design and construction of a nuclear power plant must include robust structures and a security boundary that is difficult to penetrate. For security considerations, the reactors would ideally be sited underground, beneath a massive solid block that would be too thick to be penetrated by tools or explosives. Additionally, all communications and power transfer lines would also be located underground and would be fortified against any possible design basis threats. Limiting access with difficult-to-penetrate physical barriers is a key aspect for determining response and staffing requirements. Considerations for a graded approach to physical protection are described.
Nuclear power plants must be, by design and construction, robust structures that are difficult to penetrate. Limiting access with difficult-to-penetrate physical barriers is going to be key for staffing reduction. Ideally, for security, the reactors would be sited underground, beneath a massive solid block too thick to be penetrated by tools or explosives, with all communications and power transfer lines also underground and fortified. Having the minimal possible number of access points, and methods to completely block access from these points if a threat is detected, will greatly help justify staffing reduction.
Nuclear power plants must be, by design and construction, robust structures that are difficult to penetrate. Ideally, for security, the reactors would be sited underground, beneath a massive solid block too thick to be penetrated by tools or explosives, with all communications and power transfer lines also underground and fortified. Limiting access with difficult-to-penetrate physical barriers is going to be key for determining response and staffing requirements.
Researchers from Sandia National Laboratories (Sandia) and the University of Texas at Austin (UT) conducted this study to explore the effectiveness of commercial artificial neural network (ANN) software to improve insider threat detection and mitigation (ITDM). This study hypothesized that ANNs could be "trained" to learn patterns of organizational behaviors, detect off-normal (or anomalous) deviations from these patterns, and alert when certain types, frequencies, or quantities of deviations emerge. The ReconaSense ANN system was installed at UT's Nuclear Engineering Teaching Laboratory (NETL) and collected 13,653 access control data points and 694 intrusion sensor data points over a three-month period. Preliminary analysis of this baseline data demonstrated regularized patterns of life in the facility, and that off-normal behaviors are detectable under certain situations, even for a facility with anticipated highly non-routine operational behaviors. Completion of this pilot study demonstrated how the ReconaSense ANN could be used to identify expected operational patterns and detect unexpected anomalous behaviors in support of a data-analytic approach to ITDM. While additional studies are needed to fully understand and characterize this system, the results of this initial study are overall very promising for demonstrating a new framework for ITDM utilizing ANNs and data analysis techniques.
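The two ITDM abstracts above describe the same three-step loop, learn normal patterns of life from access control and sensor data, score deviations from them, and alert when a certain type, frequency or quantity of deviations accumulates, but the ANN that performs it is a commercial product whose internals the page does not describe. The following is an added example written for this page: it is not ReconaSense, not NETL data, and not the study's method; a smoothed frequency model over (door, weekday/weekend, hour) buckets stands in for the neural network so that the loop can be shown end to end on constructed badge events. The door names, badge identifiers, twenty-day synthetic baseline, smoothing constant, threshold rule and per-badge alert limit are all assumptions made for the illustration.

```python
"""Pattern-of-life baseline over badge events with frequency-based alerting.

Added example. Not the ReconaSense ANN or the NETL data described above; a smoothed
frequency model stands in for the neural network and every event is constructed here.
"""
import math
from collections import Counter
from datetime import datetime, timedelta
from typing import Iterable, List, Set, Tuple

Event = Tuple[datetime, str, str, str]  # (timestamp, badge_id, door, result)
DOORS = ("main_entrance", "lab_door", "source_vault")


def synth_baseline(days: int = 20, start: datetime = datetime(2024, 1, 1)) -> List[Event]:
    """Constructed 'normal' traffic: five badges, weekday hours, one daily vault entry by B1."""
    events: List[Event] = []
    day, made = start, 0
    while made < days:
        if day.weekday() < 5:  # weekdays only
            for i in range(1, 6):
                badge = f"B{i}"
                events.append((day.replace(hour=8, minute=10 + i), badge, "main_entrance", "granted"))
                events.append((day.replace(hour=10, minute=i), badge, "lab_door", "granted"))
                events.append((day.replace(hour=14, minute=i), badge, "lab_door", "granted"))
                events.append((day.replace(hour=17, minute=i), badge, "main_entrance", "granted"))
            events.append((day.replace(hour=11), "B1", "source_vault", "granted"))
            made += 1
        day += timedelta(days=1)
    return events


def bucket(ts: datetime, door: str) -> Tuple[str, str, int]:
    """Context a badge event is judged against: door, weekday/weekend, hour of day."""
    return (door, "weekend" if ts.weekday() >= 5 else "weekday", ts.hour)


class PatternOfLife:
    """Smoothed frequency model: how surprising is an event at this door, day type and hour?"""

    def __init__(self, baseline: Iterable[Event], alpha: float = 0.5):
        baseline = list(baseline)
        self.counts = Counter(bucket(ts, door) for ts, _, door, _ in baseline)
        self.total = len(baseline)
        self.alpha = alpha                  # Laplace smoothing so unseen buckets are finite
        self.vocab = len(DOORS) * 2 * 24    # every possible bucket
        # Anything rarer than the rarest event seen during baseline counts as a deviation.
        self.threshold = max(self.surprise(ts, door) for ts, _, door, _ in baseline)

    def surprise(self, ts: datetime, door: str) -> float:
        p = (self.counts[bucket(ts, door)] + self.alpha) / (self.total + self.alpha * self.vocab)
        return -math.log(p)

    def is_deviation(self, event: Event) -> bool:
        ts, _, door, result = event
        return result == "denied" or self.surprise(ts, door) > self.threshold


def alert_badges(model: PatternOfLife, events: Iterable[Event], per_badge_limit: int = 3) -> Set[str]:
    """Frequency rule: alert on badges whose number of deviations reaches the limit."""
    per_badge = Counter(e[1] for e in events if model.is_deviation(e))
    return {b for b, n in per_badge.items() if n >= per_badge_limit}


def demo_probe() -> List[Event]:
    """Constructed events to score: one routine entry, one odd weekend entry, one badge on a spree."""
    return [
        (datetime(2024, 2, 5, 8, 15), "B2", "main_entrance", "granted"),  # routine Monday morning
        (datetime(2024, 2, 3, 2, 30), "B3", "lab_door", "granted"),       # Saturday 02:30
        (datetime(2024, 2, 5, 23, 0), "B4", "source_vault", "denied"),    # late-night denial
        (datetime(2024, 2, 5, 23, 5), "B4", "lab_door", "granted"),
        (datetime(2024, 2, 5, 23, 10), "B4", "lab_door", "granted"),
    ]


if __name__ == "__main__":
    model = PatternOfLife(synth_baseline())
    print(f"deviation threshold: {model.threshold:.2f} nats")
    for e in demo_probe():
        flag = "DEVIATION" if model.is_deviation(e) else ""
        print(e[1], e[2], e[0].isoformat(), f"surprise={model.surprise(e[0], e[2]):.2f}", flag)
    print("alert:", alert_badges(model, demo_probe()))
```

A single odd event (B3 in the lab on a Saturday night) is flagged but does not alert on its own; B4 alerts because three deviations accumulate in one evening, which is the "frequency or quantity of deviations" criterion the abstracts describe. Setting the threshold to the rarest baseline event keeps the baseline itself alarm-free, but it also means a genuinely rare-but-legitimate activity that never appeared in the training window will always be flagged; a longer baseline or a per-badge model is the usual remedy.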
Part of the Presidential Policy Directive 21 (PPD-21) (PPD 2013) mandate includes evaluating safety, security, and safeguards (or nonproliferation) mechanisms traditionally implemented within the nuclear reactors, materials, and waste sector of critical infrastructure—including a complex, dynamic set of risks and threats within an all-hazards approach. In response, research out of Sandia National Laboratories (Sandia) explores the ability of systems theory principles (hierarchy and emergence) and complex systems engineering concepts (multidomain interdependence) to better understand and address these risks and threats. Herein, this Sandia research explores the safety, safeguards, and security risks of three different nuclear sector-related activities—spent nuclear fuel transportation, small modular reactors, and portable nuclear power reactors—to investigate the complex and dynamic risk related to the PPD-21-mandated all-hazards approach. This research showed that a systems-theoretic approach can better identify inter-dependencies, conflicts, gaps, and leverage points across traditional safety, security, and safeguards hazard mitigation strategies in the nuclear reactors, materials, and waste sector. As a result, mitigation strategies derived from applying systems-theoretic principles and complex systems engineering concepts can be (1) designed to better capture interdependencies, (2) implemented to better align with real-world operational uncertainties, and (3) evaluated as a systems-level whole to better identify, characterize, and manage PPD-21's all-hazards strategies.
Existing security models are highly linear and fail to capture the rich interactions that occur across security technology, infrastructure, cybersecurity, and human/organizational components. In this work, we will leverage insights from resilience science, complex system theory, and network theory to develop a next-generation security model based on these interactions to address challenges in complex, nonlinear risk environments and against innovative and disruptive technologies. Developing such a model is a key step forward toward a dynamic security paradigm (e.g., shifting from detection to anticipation) and establishing the foundation for designing next-generation physical security systems against evolving threats in uncontrolled or contested operational environments.
Growing interest in compact, easily transportable sources of baseload electricity has manifested in the proposal and early deployment of portable nuclear reactors (PNRs). PNRs are sought because they are scalable, efficient, and cost-effective for meeting energy demands in unique, remote, or contested areas. For example, Russia's KLT-40S Akademik Lomonosov is a floating nuclear power plant (FNPP) that successfully reached the Arctic coastal city of Pevek. It began providing power to the local grid in December 2019. While providing such key advantages as a highly flexible power generation mechanism, FNPPs appear to directly challenge international norms and conventions for nuclear safety, safeguards, and security. FNPPs are neither a purely fixed nuclear fuel cycle activity nor a purely transportation-based nuclear fuel cycle activity. In response, Sandia's Mitigating International Nuclear Energy Risks (MINER) research perspective frames this discussion in terms of risk complexity and the interdependencies between safety, safeguards, and security in FNPPs, and PNRs more generally. This systems study is a technically rigorous analysis of the safety, safeguards, and security risks of FNPP technologies. This research's aims are three-fold. The first aim is to provide analytical evidence to support safety, safeguards, and security claims related to PNRs and FNPPs (Study Report Volume I). Second, this study aims to introduce a systems-theoretic approach for exploring interdependencies between the technical evaluations (Study Report Volume II). The third aim is to show Sandia's ability for prompt, rigorous, and technical analysis to support emerging complex MINER mission objectives.
The Gulf Nuclear Energy Infrastructure Institute (GNEII) at Khalifa University of Science and Technology was created as a regional institute offering education, research and technical services to support nuclear energy safety, security and safeguards (3S) objectives. A mixed methods approach—using the (1) Course Evaluation, (2) GNEII Alumni Survey, (3) Capstone Project and (4) GNEII-Related Literature data sets—was used to evaluate the effect of implementing this multidisciplinary '3S' educational program and the broader impact of the associated '3S' multidisciplinary institute on nuclear energy human resource development. Data sets (1), (2) and (3) illustrate how well GNEII implemented this novel 3S curriculum and achieved successful knowledge transfer. Data sets (2), (3) and (4) illustrate how GNEII's impact has positively influenced professional workplace behaviors and the institute's broader reputation for supporting responsible nuclear energy program education. Furthermore, GNEII demonstrates one option for successfully providing a multidisciplinary 3S curriculum to support broader nuclear infrastructure and human resource development aims.
This chapter first describes the traditional view of “context” in systems engineering and identifies challenges to this view related to “the Fourth Industrial Revolution”. It then explores gaps in traditional views, introduces nontraditional approaches to context for systems, and provides more detail on the “context of use” concept for advanced systems engineering. In response to technological evolution(s), advanced systems engineering should seek to more clearly and comprehensively describe operating environments - to include accounting for contextual descriptions consisting of the interrelated human behavior, social, and organizational factors that impact system performance and success. Three academic literatures - systems theory, organization science, and engineering systems - offer insights to better understand and incorporate context into advanced systems engineering. To further make the case for including the context of use in advanced systems engineering, the chapter explores improving systems engineering approaches for security at high consequence facilities.
The Gulf Nuclear Energy Infrastructure Institute (GNEII—pronounced "genie") seeks to develop expertise among future leaders of Gulf-region nuclear power programs in global standards, norms and best practices in nuclear energy programs. More specifically, the institute aims to contribute to the enhancement of nuclear security, safety, and safeguards (the so-called nuclear "3S") by providing an avenue for regional nuclear interaction, technical collaboration, lessons-learned discussions, and best-practices sharing. It is a multidisciplinary human capacity development institute offering education, research and technical services to support responsible nuclear energy programs in the Gulf and Middle East regions. In this Joint Report, Chapter 2 discusses GNEII's origins (including drivers, milestones, and design principles), Chapter 3 discusses GNEII's objectives (including goals, mission, and vision), Chapter 4 discusses GNEII's operations (including education, research, and technical service pillars), Chapter 5 discusses major insights and next steps, and Chapter 6 provides a list of publications offering additional depictions and details of GNEII's evolution. Though only one piece of a multi-faceted, multi-national effort to develop human infrastructure needs for nascent nuclear energy programs, GNEII offers a model that addresses the socio-technical attributes of nuclear 3S that can be replicated globally.