Integrated Security System (ISS) Design and Evaluation for Commercial Nuclear Power Plant

Introduction
In the nuclear field, physical protection systems are an essential area of research for protecting facilities and activities. Sandia Laboratories were the leader in this field. In 1996, Sandia cooperated with some US institutes by forming work groups to develop research and education in the nuclear security field. As a result of Sandia Laboratories' efforts, Mary Lynn Garcia published her first textbook in the year 2000, followed by its 2nd edition in 2008, which is ref. [1] in this paper. The book was the essence of 25 years of Sandia experience and research in the security field. This book and other Sandia publications [2][3][4] focused on the definitions, detection theory, general concepts, and evaluation methodologies of physical security systems. SANS Institute, USA, also issued a report in the same arena in 2016 describing how to plan for a security program [5].
In 2017, the IAEA published the Handbook of Physical Protection Systems Design for Nuclear Materials and Nuclear Facilities [6], describing the general methodology of security system design. The book was part of a long series of IAEA security publications in this regard, such as references [7,8].
To measure the effectiveness of any security system quantitatively, Sandia developed analytical codes such as ASSESS and EASI, described in ([1], p. 272; [9]). Primarily, these codes have been used to evaluate security systems for nuclear research facilities, such as the examples described in references [10,11], by assuming a single attack scenario against the spent fuel pools or research center in research reactors.
A paper titled "Nuclear Security Assessment of Physical Protection System in Nuclear Power Plants" [12] studied attack scenarios against commercial nuclear power plants (NPPs) using a code called Vensim, considering the extension of the adversary delay time, which is one of the important parameters used in the present paper.
The US Nuclear Regulatory Commission (NRC) also published its NPP Security Assessment Guide [13], which recommended accepted ranges for P_E and P_D.
In 2018, a hypothetical nuclear power plant (HNPP) layout was published in the 27th International IAEA training course [14] to be used as a common base structure for security system designs; it is used in the present paper as the layout for the designed security system devoted to commercial NPPs. The abovementioned HNPP was modified to be analogous to a real layout of a common 3rd-generation commercial NPP with a natural cooling water source, as already published in a manufacturer manual ([15], p. 21). This paper designs a security system to protect the HNPP boundaries and vital area buildings. The NPP layout is studied here to identify the critical intrusion routes as a step toward calculating the security effectiveness through different attack scenarios. During the evaluation process, the relations between the security effectiveness factor and its components are analyzed and graphed to propose the improvements required for the security system to achieve the targeted effectiveness.

Nuclear Power Plants Threats
NPPs could be exposed to terror attacks that could lead to widespread radioactive contamination. The attack threats are of several general types, such as commando-like ground-based attacks on cooling pumps or other equipment, which could lead to a reactor core meltdown or widespread scattering of radioactivity. An attack on a reactor's spent fuel pool could also be serious. The release of radioactivity could lead to thousands of short-term deaths and a greater number of long-term fatalities. This paper is concerned with the man-made (human) threats to NPPs arising only from the first two categories of the following major threat sources: (1) civil disobedience (NPP opponents), (2) nuclear terrorism, (3) sabotage by insiders, (4) military attacks, and (5) cyberattacks.

Hypothetical Nuclear Power Plant
The IAEA HNPP mentioned in the last paragraph of the introduction is a site located on a coastal front with a natural cooling inlet. The site perspective is illustrated in Figure 1 and its map is shown in Figure 2, indicating the controlled area boundaries surrounded by a concrete wall fence guarded by guard towers. Both the protected and vital zone areas are surrounded by double wire mesh fences, which are monitored by CCTV and perimeter intrusion detection systems. The security buildings are located outside the vital zone, including the Security Command Center (SCC) (#18 in Figure 2) and the Security Response Force building (#20). The vital zone includes the most important buildings, such as the reactor containment (#1 in Figure 2), turbine-generator (#2), water treatment plant (#6), control building (#9), fuel building (#13), and emergency safety building (#14). The vital zone and its buildings are considered the highest-security area and are usually the target of any adversary aiming for nuclear sabotage or theft. The vital zone boundary is controlled by the inspection gate (#15).

Security Systems for Concrete Wall Fence.
The outside concrete fence is monitored by the guard towers described in [16], placed every 500 m. Direct viewing by the guards is essential and is considered the first detection barrier. Observation with the naked eye or with binoculars is better at distinguishing real attacks and avoiding false alarms. In most situations, the distances between the concrete fence and the wire mesh fences are short. This allows the guards to supervise the interior mesh fence as well, acting as a third verification source for alarms alongside the intrusion detection and CCTV systems. Guards carry communication devices to transfer the data to the Security Command Center (SCC).
Each guard tower serves as a base for PTZ CCTV cameras ([17], p. 22; [18]) specified as a 10-megapixel IP camera with a 30X optical zoom lens of focal length f = 12.5-375 mm plus 12X digital zoom, covering a range of 500 m according to the lens design tool software [19].

Security Systems for Double Wire Mesh Fences.
The second barrier for the protected area is the double wire mesh fence. The two parallel wire mesh fences are separated by a distance of 8 meters. These fences are physical barriers to deter and delay the adversaries. They are monitored by two synchronized electronic systems of automatic detection: the perimeter intrusion detection system [20,21] and the CCTV system. The fixed CCTV cameras ([17], p. 7) are installed every 200 meters and fitted with 4-125 mm focal length lenses as calculated by a lens design tool [19]. These outdoor cameras are of the fixed type; each one is powered by 200-watt solar cells. The cameras are connected to a video server and monitor screens in the SCC ([18], p. 57).
The CCTV system is interfaced to the fiber optic intrusion detection system via integrated security system software to follow up any intrusion incident or any activity at the site perimeter ([22], p. 5). All activities are stored in event logs and video records for a period of one year. The proposed F/O intrusion detection system [20,21] is composed of fiber cables buried between the two mesh fences and linked to a series of transponders connected to the SCC. Each transponder can cover a 20 km range and can be cascaded many times to achieve 80 km of detection range ([21], p. 8). This range is divided into zones of 200 m each to match the CCTV camera range. The F/O detection system supports a cut-immune feature, which enables the system to remain fully operational in the event of an F/O sensor cable cut. The sensor cable incorporates single-mode operation in both of its two fibers to provide redundancy. The cable is jacketed in an armored case to avoid physical damage. The sensor cable is immune to all forms of electromagnetic energy and intrinsically safe within explosive atmospheres.

Security System for Seaside.
The NPP coastal front boundary is protected by the double wire mesh as shown in Figures 1 and 2, in addition to an immersed marine wire mesh made of plastic polyethylene terephthalate (PET) [22] for protection against hidden underwater intrusions from the coast. This marine wire mesh works as a physical security barrier against diving adversaries.
Additionally, an electronic "underwater sonar detection system" ([23], p. 5) is installed in the seawater to achieve a detection radius of 5 km for each detector. Each zone has a sonar transceiver which transmits the alarm signals to the SCC. The SCC will automatically alert the cameras on the double wire mesh fence at the shorefront, direct the PTZ cameras on the guard towers at the seafront wing, and alert the ground patrol vehicles as well as the sea patrol vessels. This system supports long-range detection of different types of underwater threats, such as divers using rebreathing apparatus, scuba divers, and unmanned underwater vehicles (UUVs), as shown in Figure 3. The lower part of Figure 4 illustrates the underwater sonar detection system and its connectivity within the integrated security system for the NPP.

Integrated Security System (ISS) for NPP Boundaries.
Figure 4 illustrates the ISS and its following subsystems:
(1) The CCTV system consisting of outdoor fixed cameras and outdoor PTZ cameras.
The diagram also shows the component sequence, starting from the field sensors and passing to the signal coding transmitters via the fiber optic cables necessary for long-distance transmission across such a wide site. All cables are organized in mainframes for data switching via the (IP) data network up to the data center servers. Every server carries the management software for its subsystem and its data storage. Finally, all server outputs are monitored on PCs and a video wall in the SCC. The effectiveness of the above security system is to be tested and evaluated in Section 4.

Security System Evaluation
In any NPP, there are many attack targets. The most critical targets assumed in this study are as follows:
(1) The upper floor of the NPP control building, specifically the reactor control center (#9 in Figure 2), sabotage of which can put the reactor out of control.
(2) The fuel storage building (#13 in Figure 2), specifically the spent fuel pool and fresh fuel racks, which can create radiation accidents if exposed to sabotage, or nuclear safeguard problems if exposed to theft [8].
These two buildings are adjacent to each other. The routes of the attack scenarios, which could start from different exterior points, will most probably end at a common area between them and then branch to either one of the two buildings, as explained in Section 4.1.
It is important to test the effectiveness of the system described in Section 3 against any attack. The main functions of the security system are detection, delay, and response to the attack. Detection is the discovery of an adversary activity. Delay is the slowing down of adversary progress to allow the response to act before the end of the adversary mission. Response is the action taken by the response force to prevent the adversary's success [1].
All the above activities are translated into equations addressing the system effectiveness. The quantitative value of a PPS's ability to withstand a possible attack, P_E, is a component of the general risk (R) resulting from a successful attack ([24], p. 3):
where P_A is the probability of attack occurrence; (1 − P_E) is the probability of an attack being successful; P_E is the effectiveness probability of the PPS; and C is the extent of attack consequences. It is presumed that highly exposed facilities will be subject to at least a single attack. It is only a matter of time; that is, P_A = 1.
For a nuclear power station, the successful attack will result in large scale consequences, that is, C = 1, the relation will be
The higher the PPS ability to interrupt the attack, the lower the risk. The logic of this equation will be explained further in the forthcoming Section 5.4. P_E is the maximum likelihood estimator of the Bernoulli discrete probability distribution of a random variable which takes a value of 1 or 0.
In another form, P_E is the product of P_I, which is the probability of adversary interruption, and P_N, which is the probability of adversary neutralization ([25], p. 3): (3)
For a security system, P_I is a product of the probability of adversary detection P_D and the probability of alarm communication to the Security Command Center P_C, as follows:
Therefore, Equations (4) to (6) are the mathematical bases for the EASI code ([1], p. 272) developed to calculate P_I. In the EASI program, input parameters representing the security system functions of detection, delay, and response are required for every specific adversary path and must be fed to the EASI input tables, which are as follows:
should be within the accepted range for the nuclear industry importance, so it will be 0.95 minimum
The probability of neutralization P_N in equation (3) can be calculated by using the software called ASSESS Neutralization Code ([1], p. 271). This program deals with the adversary threat capabilities and sophistication as well as the response force capabilities. In practice, neutralization analysis requires threat data and response force data. Threat data include the types and number of adversaries and identification of the specific targets. The information should be collected during the threat definition process. The analysis also requires the response force data, containing weapon types, number of guards, transport time, response arrival time, and so forth, for each target.

Attack and Defense Scenarios.
The geographical site conditions of the NPP shown in Figures 1 and 2 were studied to identify the possible attack routes that adversaries could follow to execute intentionally planned attacks. The methodology used is the adversary sequence diagram (ASD) [25], a graphical representation of the path elements through the protection layers controlling movement between cascaded areas, which identifies the paths adversaries can follow to accomplish their mission. Applying this model to our NPP site, it is found that routes 1, 2, 3, and 4 from the landside and routes 5 and 6 from the seaside can be considered as possible attack routes, as shown in Figure 5. These routes are selected as the most likely routes to the critical targets described above. Route 1 from the landside and route 6 from the seaside have the shortest distances and the fewest obstacles, which qualifies them as the critical routes. This paper sets a value of 0.9 as the minimum for the acceptance of P_E based on some examples ([10], p. 835; [13], p. 50; [26], p. 5).
In this paper, attack scenarios are developed in coordination with the gradual installation of security surveillance and detection equipment, in order to confirm the necessity of each security device added to the system. P_E is calculated for each scenario. In this plan, if the evaluation test after any scenario fails to achieve the minimum P_E value, recommendations are proposed to enhance the security system and the test is repeated until the accepted P_E value is achieved.

Scenario 1.1: Attack via Route 1 with No Electronic Detection System on the Fence.
In this scenario, as a trial, the surveillance on the concrete wall fence, double mesh fence, and vital area fence depends only on human detection; no electronic detection is used on these fences. The attack through route 1 under these conditions is called attack scenario 1.1. It is the basic scenario and uses the response force delay time inputs indicated in Table 1 and the value P_N = 0.995 calculated by the ASSESS code, shown in Figure 6. Figure 7 shows the attack path action sequence in the description column. The input values for the EASI input sheet are derived from the properties of the security sensors, the delay performed by each barrier, and the RFT values from Table 1.
When the values of RFT, ADT, and P_C of the security detection devices, as well as P_D of each action along the path of this scenario, are introduced to the EASI program, the result is P_I = 0.00342 and P_E = 0.00339, as in Figure 7, which is extremely low and unacceptable.

Scenario 1.2: Attack via Route 1 with Electronic Detection System on Fences.
The P_E evaluation test failed in scenario 1.1, which shows that human detection of adversaries is not enough. That forces the designer to use electronic surveillance and fence intrusion detection devices on the boundary and vital area fences. The P_D values of the newly added devices are fed to the EASI program in this scenario 1.2 on route number 1. The EASI code for this scenario calculates P_I = 0.218 and P_E = 0.217, which are still low and unacceptable values.

Scenario 1.3: Attack via Route 1 with Increasing Adversary Delay Time.
In the previous scenario 1.2, P_D was increased to a maximum value by adding surveillance and detection security systems in all intrusion locations, but the resulting P_E value is still very small (0.217) compared to the targeted value of 0.9 or above. It is noticed that the total adversary delay time ADT is 298 sec while the total response force time (RFT) is 365 sec. That means that, although the value of P_D is at its maximum, which fulfills the early detection function, the adversaries' mission will be completed before the arrival of the response force. In such a situation there is no way to interrupt the mission.
According to the above finding, it is recommended to increase the ADT and repeat the test in a new scenario 1.3, where the attack will be on the same route number 1, with the following modifications:
New ADT values are shown in green in tasks 9 and 16 of the EASI code Excel input, as shown in Figure 9.
Applying the above recommendations produces a total ADT = 573 sec compared to 298 sec in scenario 1.2; the other inputs to the EASI program stay the same. These conditions define a new scenario called 1.3, illustrated in Figure 10.
The results of the EASI code calculations depend on the maximum P_D values, total ADT = 573 sec, and the same RFT value of 356 sec as described in Table 1. The calculation results in P_I = 0.862 and P_E = 0.858.
The P_E value has increased considerably but is still less than the targeted 0.9 value. That requires additional analysis to determine how to achieve the targeted value of P_E. These analyses are graphed in Figure 10, showing the relation between P_I, and consequently P_E (as P_E = P_I × P_N), on one side and each of its component parameters P_D, ADT, and RFT separately on the other side.
Overall, the P_D value rises in steps until it reaches its maximum contribution to the P_I value; the P_I value then stands at 0.865 as a fixed maximum in spite of any further increase in P_D, which means that no more upgrades to the security system could gain a higher P_I value. Adding security devices is not recommended, as it would add cost with no extra gain.
ADT makes a good contribution to P_I. P_I increases with ADT in a positive proportionality shape, approaching a saturation value of 0.94 at ADT = 500 sec and above, which means there is no further increase in P_I as the ADT value increases. The relation between P_I and RFT has a negative proportionality shape: P_I increases as RFT decreases. The 356 sec used for RFT in scenario 1.3 achieves P_I = 0.88 and P_E = 0.859. The curve shows that a better P_I value could be achieved if RFT is decreased, which will be seen in the next scenario 1.4.
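The behaviour analysed above (P_I capped however high P_D goes while ADT is below RFT, then rising with a longer delay or a shorter response time) can be reproduced with a small path-interruption model in the style of EASI. This is an added example, not the Sandia EASI code and not the authors' spreadsheet. The task breakdown, P_C = 0.95, the 30% standard deviations and detection at the start of each task are assumptions; only the totals 298 s and 573 s and the RFT values 365 s and 300 s come from the text, so the outputs do not reproduce the paper's figures.

```python
"""EASI-style path interruption estimate (added illustration, constructed inputs)."""
from dataclasses import dataclass, replace
from math import erf, sqrt

SD_RATIO = 0.3  # assumption: every time's standard deviation is 30% of its mean
P_COMM = 0.95   # assumption: probability the alarm reaches the SCC


@dataclass(frozen=True)
class Task:
    name: str
    p_detect: float  # P_D of whatever observes this task
    delay: float     # mean adversary delay for this task, seconds


def _norm_cdf(z: float) -> float:
    return 0.5 * (1.0 + erf(z / sqrt(2.0)))


def p_interruption(path, p_comm: float, rft: float) -> float:
    """Sum over tasks of P(first alarm here) * P(response arrives in time)."""
    p_i = 0.0
    p_silent = 1.0  # probability that no alarm has reached the SCC so far
    rft_var = (SD_RATIO * rft) ** 2
    for i, task in enumerate(path):
        remaining = path[i:]  # assumption: detection at the start of task i
        t_left = sum(t.delay for t in remaining)
        var_left = sum((SD_RATIO * t.delay) ** 2 for t in remaining)
        sigma = sqrt(var_left + rft_var)
        if sigma == 0.0:
            p_in_time = 1.0 if t_left > rft else 0.0
        else:
            # time left after detection minus RFT, treated as normally distributed
            p_in_time = _norm_cdf((t_left - rft) / sigma)
        p_alarm = task.p_detect * p_comm
        p_i += p_silent * p_alarm * p_in_time
        p_silent *= 1.0 - p_alarm
    return p_i


def with_pd(path, p_detect: float):
    """Same path with every task's P_D set to one value."""
    return [replace(t, p_detect=p_detect) for t in path]


# Constructed task breakdowns; only the totals (298 s, 573 s) are from the text.
SHORT_PATH = [
    Task("outer wall", 0.5, 60),
    Task("double mesh fence", 0.5, 40),
    Task("open ground", 0.5, 90),
    Task("vital-area fence", 0.5, 50),
    Task("building door", 0.5, 58),
]
HARDENED_PATH = [
    replace(SHORT_PATH[0]), replace(SHORT_PATH[1]), replace(SHORT_PATH[2]),
    replace(SHORT_PATH[3], delay=190),  # hardened barrier
    replace(SHORT_PATH[4], delay=193),  # hardened barrier
]


def sweep():
    """P_I for the three levers discussed: P_D, ADT and RFT."""
    return {
        "ADT 298, RFT 365, P_D 0.50": p_interruption(with_pd(SHORT_PATH, 0.50), P_COMM, 365),
        "ADT 298, RFT 365, P_D 0.99": p_interruption(with_pd(SHORT_PATH, 0.99), P_COMM, 365),
        "ADT 573, RFT 365, P_D 0.99": p_interruption(with_pd(HARDENED_PATH, 0.99), P_COMM, 365),
        "ADT 573, RFT 300, P_D 0.99": p_interruption(with_pd(HARDENED_PATH, 0.99), P_COMM, 300),
    }


if __name__ == "__main__":
    for label, value in sweep().items():
        print(f"{label}: P_I = {value:.3f}")
```

With the short path, P_I cannot exceed the in-time probability of the earliest detection point, which is why raising P_D alone stops helping.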

Scenario 1.4: Attack via Route 1 with Decreasing Response Force Time.
The results of the previous scenario and its analysis, shown in Figure 10, dictate increasing P_I by decreasing the RFT. Reviewing the geographical locations of the NPP in Figure 2, there is a possibility to relocate the Security Response Force Center from location #18 to location #26, which was assigned earlier to be the Auxiliary Security Center. This will reduce the response force travel time to 300 sec, as shown in Table 2, instead of the previous value of 365 sec in Table 1.
Assuming that P_N keeps the same value of 0.995, introducing the new RFT value of 300 sec to the EASI program produces new values of P_I = 0.927 and P_E = 0.922, as shown in Figure 11; that is, the result crosses the P_E threshold value and is acceptable in this scheme.

Scenario 6.4: An Attack from Seaside.
Referring to Figure 5, route 6 is the most critical route from the seaside. Scenario 6.4 is an attack through route 6, taking into account all the recommendations given in scenario 1.4. The coastal security includes the underwater sonar detection system and the underwater mesh fence, as described in Section 3.3. The attack path action sequence and the security parameters P_D, ADT, RFT, and P_N are introduced to the EASI program; the result is P_I = 0.937 and P_E = 0.932. This result indicates that the proposed security system will perform perfectly.

Effects of P_D on P_E.
The previous discussion has pointed out that increasing P_D to the maximum values available in technology will raise P_E up to a certain limit, but it cannot on its own raise P_E to the required value. The effect of increasing ADT is vital, because early detection is of no use without physical barriers to delay the adversaries until the arrival of the response force. The RFT value should be less than the ADT, which can be achieved by hardening the physical barriers, so that the response force arrives before the adversaries can finish their mission. Figure 12 illustrates P_I versus P_D for different scenarios, showing constant values of P_I with increasing P_D. The constant value of P_I for each scenario means that the detection function is completed once the detection is communicated to the command control center as early as possible, and fixed values of P_I and P_E are set. The next function of the security system is to delay the adversaries. Figure 13 shows P_I versus ADT for different scenarios, showing the proportionally increasing values of P_I with increasing ADT. This means that if the security system delay function is increased, the adversary mission will be more difficult to complete. Increasing the ADT can be done by hardening the physical barriers.

Effects of RFT on P_E.
For the security system to perform its function, RFT should be less than ADT to allow the response force to engage the intrusion event and neutralize the adversaries. Figure 14 illustrates P_I versus RFT for different scenarios, showing increasing values of P_I with decreasing RFT, which shows that RFT is the most influential factor of the security system.
RFT should be less than the ADT by enough time to allow the adversaries to be neutralized. It should be taken into consideration that RFT has a minimum value by nature.
(2) in Section 4, Figure 15 illustrates P_E versus risk (R) for two scenarios, 1.1 with the lowest P_E and 1.4 with the highest P_E, showing the reverse proportionality between risk and effectiveness P_E. The curves of P_E and risk on the y-axis are plotted against RFT on the x-axis. The red vertical arrow shows the critical RFT value of 325 sec, which is still less than the ADT (573 sec). This RFT_Crit is required to gain the minimum acceptable value of P_E = 0.9 required to neutralize the adversaries.

Conclusion
After designing a physical electronic integrated security system (ISS) applied to a commonly structured commercial NPP, this paper recommends that designers use the proposed evaluation methodology for the proposed system and set a threshold value of P_E = 0.9 to achieve the security license. To achieve this, it is recommended that security system design be embedded in the early NPP design and site planning stage, accompanying the "Defense-in-Depth" (DID) principle. It is important to use modern detection devices which have the best detection probability factor, from 0.98 up to 0.99. The evaluation process also recommends extending the adversary delay time and reducing the response force arrival time RFT to ensure successful neutralization of any adversary.

ADT: Adversary delay time
ASD: Adversary sequence diagram
ASSESS: Analytic system and software for evaluation of safeguards and security
CCTV: Closed circuit television
EASI: Estimate of adversary sequence interruption program
DID: Defense in depth
F/O: Fiber optic
HNP: Hypothetical nuclear power plant
IAEA: International atomic energy agency
IP: Internet protocol
ISS: Integrated security system
NPP: Nuclear power plant
P_D: Probability of detection
P_N: Probability of neutralization
P_E: Effectiveness probability
P_C: Probability of communication
PPS: Physical protection system
PSS: Physical security system
PTZ: Pan, tilt, and zoom
R: Risk
RFT: Response force travel time
SCC: Security Command Center
SD: Standard deviation
SLD: Single-line diagram
TCP/IP: Transmission control protocol/internet protocol
UWSS: Underwater sonar system

Data Availability
The data used to support the findings of this study are described in the article and will be available from the corresponding author upon request.

Conflicts of Interest
The authors declare that they have no conflicts of interest.

Figure 15: P_E versus risk for two scenarios 1.1 (the lowest P_E) and scenario 1.4 (the best P_E) shows the reverse relationship between risk and effectiveness probability P_E. The curves of P_E and risk are on the x-axis of the RFT.