The human threat to nuclear safety and security

Andrew Healey discusses the implications of internal and external threats to nuclear safety and security and how human factors can help to mitigate these threats.

Civil nuclear organisations must provide evidence for the resilience of their systems in mitigating a variety of human threats to their safety and security. For the UK nuclear sector, the Office for Nuclear Regulation (ONR) requires licensees to manage both security threats and safety hazards. In varying degrees of psychological depth and sociological breadth, human factors feature in the cause and in the mitigation of the different threats. While there is an established framework for the application of ergonomics and human factors (EHF) in the nuclear industry, especially for safety, it does not follow that there is a full and adequate application of EHF for the threats to both safety and security. One way to understand where EHF fits in the civil nuclear industry is to consider the relevant regulatory frameworks for both safety and security.

Safety and security differ in the following ways, as defined by the International Atomic Energy Agency: “Nuclear safety is the achievement of proper operating conditions, prevention of accidents, or mitigation of accident consequences, resulting in protection of workers, the public and the environment from undue radiation hazards.” Nuclear security on the other hand is “characterised as the prevention and detection of and response to theft, sabotage, unauthorised access, illegal transfer or other malicious acts involving nuclear materials, other radioactive substances, or their associated facilities”.

In respect of the full spectrum of human threats to nuclear safety and security, the framework for nuclear safety therefore deals predominantly with the internal threat from human failure in a bounded system, while the framework for nuclear security deals predominantly with external threats from human intent to do harm, including those from insiders, which are relatively unbounded. It is for the safety case to argue that systems are safe, and for the security plan to show how the whole organisation secures itself against external attacks and malicious acts from within. While safety and security functions diverge purposefully for risk management, there is however, some notable convergence of the variety of human threats to both safety and security. In other words, there is an internal threat to security from human failure, as there is to safety; conversely, there is an insider threat to safety, as there is to security. This convergence of threat types at some point requires holistic management of the collective risk.

To manage the risk associated with nuclear assets from a human factors perspective we need a model that delineates the landscape of threat according to the attributes of the variety of threats. A model, or taxonomy, of the threat landscape will help safety and security functions ensure that, together, they address the full threat landscape without gaps. On a single dimension of human threat there is a range of human error, misuse and abuse threatening any given system from within. These threats can apply to both safety and security. Internal threats include a range of human failures and a range of potential misuses of a system, which the safety case will typically address.

There is the further potential for human abuse of systems and the malicious intent to do harm from external forces and from the so-called insider threat, which the security function typically addresses. While the malicious intent to do harm is a security concern, it is a risk to safety. For existing safety and security risk management frameworks, the threat from insiders is problematic. Whether implanted or emergent, the insider amounts to a rogue element within a system, knowingly breaking security rules. They operate outside of the boundary of accepted behaviour, as defined by the security plan, and they possibly operate outside of the safe operating boundary of a safety system, as defined by a safety case. Indeed, the insider may intentionally exploit human failings in both safety and security management.

On the one hand, the insider is not so distinct from the internal threat; both can cause harm, and some define the insider to include sub-types of human failure. On the other hand, there are unique influences on the malicious insider threat versus those factors shaping the internal threat of human failure, particularly in respect of psychology, in motivation and in threat development. For safety, there is the implicit assumption that those with authorised access are of a sound mind and free from any malicious intent or motivation to do harm. For security, however, there is a clear requirement to reject all such assumptions. Understanding these influences and the factors shaping the internal and insider threat will help in their mitigation.

Mitigating the threat from those with intent to cause harm may be quite different to that of human failure because the factors shaping human failure and the influences on the human intent to abuse a system are quite different. Therefore, guards might prevent the theft of a valued asset, whereas adequate protective containment might reduce the damage to a valued asset if dropped when transported. On the other hand, there is also overlap in managing the risk from human error and intended harm, with the potential for synergy. For example, teamwork can reduce the effects of human error, but it can also help mitigate the insider threat, whereby team cohesion can help prevent, detect and recover from an insider attack.

It follows naturally therefore that there is considerable potential for the EHF discipline to contribute to the understanding and the mitigation of threats to security for security management, and to the understanding and the mitigation of threats to safety for safety management. This is helpful for the systems engineering and risk management endeavour. For the EHF analyst, and for the purpose of assessment, the functional distinction of controls as serving safety or security is unimportant to the task of assessing and substantiating those controls. What is important to the EHF analyst is that they assess a set of controls logically derived from the identification of requirements, and that those requirements, when de-conflicted and synergised, serve an integrated system.

Nuclear licensees therefore need to adopt a systems approach to the holistic risk management of civil nuclear safety and security to ensure they cover all possible human threats and their interactions. Evidently, for managing the risk of nuclear safety and security, there is a need for EHF to address a more complex landscape of threat than either safety or security address alone. An integrated approach will depend on a model of the human threat landscape, which disambiguates the variety of threats and their corresponding mitigation. Given the changing threat landscape, we need further research and development in this area to address the human, system and organisational factors that serve to mitigate the variety of threats and manage the collective risk.

By Andrew Healey of AWE

This article first appeared in issue 534 of The Ergonomist, December 2014