Alissa Tabirian
NS&D Monitor
1/29/2016
The private sector should do more to promote nuclear security by developing voluntary consensus standards to reduce the risk of terrorism and cyberattacks against nuclear power plant facilities, according to a report released Thursday by the Stimson Center.
The report said existing international oversight mechanisms cannot adequately protect nuclear facilities from today’s threats, while different levels of experience and cultural norms present problems for domestic nuclear regulators. Moreover, operators must implement “sometimes conflicting guidelines with limited industry input and a corresponding lack of commercial motivation,” the Stimson Center said. It argued that policymakers must therefore help develop a “business case for nuclear security” to reduce risks most concerning to stakeholders, essentially using economic benefits as incentive for compliance.
“We can’t continue to rely on governments and intergovernmental institutions to address this issue on their own as civilian nuclear power grows. Industry needs to be more proactive and take responsibility for security — before a disaster occurs,” Stimson Senior Adviser and report co-author Debra Decker said in a statement.
“Market incentives are a virtually untapped asset in building a nuclear security architecture capable of withstanding future threats,” according to report co-author Kathryn Rauhut. “Such an effort could materially change the cost-benefit calculations that cause the current underinvestment in security."
The goal, the report said, is to motivate voluntary compliance with standards developed through international consensus “so that security can become a valuable commodity instead of an add-on cost.” It said incentives might include “external benefits in insurance terms, financings, rating-agency assessments, liability limitations, regulatory recognition, and/or public acceptance” for operators with verified standards compliance. These voluntary standards would involve risks of particular concern for the nuclear industry, namely cybersecurity and human-reliability assurance.
The report suggested the World Institute for Nuclear Security (WINS) lead a working group of industry stakeholders in this process. Roger Howsley, WINS executive director, said at the report launch Thursday that insider and cyberattack threats are of greater concern than outside threats for many nuclear facilities. He said, “You have to ask the question – is the traditional approach of guns, guards, and gates going to work, or do you really need to get involved . . . in engineering, in IT?”
The WINS Academy focuses on the human reliability concern by offering professional development for nonsecurity specialists to support insider threat mitigation. Six hundred individuals across 70 countries have taken part in WINS courses, according to Howsley, who said the courses focus on “behaviors and management styles and how you promote security as something that’s good for the business.”
Howsley said that to advance the goal of consensus security standards, governments funding nuclear security enhancement programs around the world “could tie that funding directly to programs to improve the competence of people who manage nuclear security.” He said they could also work to persuade the nuclear industry that “if they really want regulators to move away from prescription-based regulation . . . to outcome or performance-based regulation, it requires their own people to become much more competent.”
According to the report, these changes could begin with the upcoming Nuclear Security Summit in Washington, D.C. The global community could support a framework for the development of voluntary performance standards through the Amendment to the Convention on the Physical Protection of Nuclear Material that is expected to enter into force at the 2016 summit.
