Human and Technology Failures in Nuclear Facilities

This is interesting:

We can learn a lot about the potential for safety failures at US nuclear plants from the July 29, 2012, incident in which three religious activists broke into the supposedly impregnable Y-12 facility at Oak Ridge, Tennessee, the Fort Knox of uranium. Once there, they spilled blood and spray painted "work for peace not war" on the walls of a building housing enough uranium to build thousands of nuclear weapons. They began hammering on the building with a sledgehammer, and waited half an hour to be arrested. If an 82-year-old nun with a heart condition and two confederates old enough to be AARP members could do this, imagine what a team of determined terrorists could do.

[...]

Where some other countries often rely more on guards with guns, the United States likes to protect its nuclear facilities with a high-tech web of cameras and sensors. Under the Nunn-Lugar program, Washington has insisted that Russia adopt a similar approach to security at its own nuclear sites­ -- claiming that an American cultural preference is objectively superior. The Y-12 incident shows the problem with the American approach of automating security. At the Y-12 facility, in addition to the three fences the protestors had to cut through with wire-cutters, there were cameras and motion detectors. But we too easily forget that technology has to be maintained and watched to be effective. According to Munger, 20 percent of the Y-12 cameras were not working on the night the activists broke in. Cameras and motion detectors that had been broken for months had gone unrepaired. A security guard was chatting rather than watching the feed from a camera that did work. And guards ignored the motion detectors, which were so often set off by local wildlife that they assumed all alarms were false positives....

Instead of having government forces guard the site, the Department of Energy had hired two contractors: Wackenhut and Babcock and Wilcox. Wackenhut is now owned by the British company G4S, which also botched security for the 2012 London Olympics, forcing the British government to send 3,500 troops to provide security that the company had promised but proved unable to deliver. Private companies are, of course, driven primarily by the need to make a profit, but there are surely some operations for which profit should not be the primary consideration.

Babcock and Wilcox was supposed to maintain the security equipment at the Y-12 site, while Wackenhut provided the guards. Poor communication between the two companies was one reason sensors and cameras were not repaired. Furthermore, Babcock and Wilcox had changed the design of the plant's Highly Enriched Uranium Materials Facility, making it a more vulnerable aboveground building, in order to cut costs. And Wackenhut was planning to lay off 70 guards at Y-12, also to cut costs.

There's an important lesson here. Security is a combination of people, process, and technology. All three have to be working in order for security to work.

Slashdot thread.

Posted on July 14, 2015 at 5:53 AM • 48 Comments

Comments

Bob S.July 14, 2015 6:54 AM

It's bad enough they are turning over the water supply to foreign incompetent predatory corporations, but the nukes, too?

JEEEZUZZZ!

(is it time to run yet?)

Kyle RoseJuly 14, 2015 6:58 AM

"Slashdot thread."?

You may as well have posted a link to a Youtube video of monkeys throwing feces at each other.

paulJuly 14, 2015 9:03 AM

Other lesson: align the interests of your contractors/employees with the security interests in question. When the worst that happens when you fail to do the job is that you get fired (and even that is only semi-likely), looting is by far the rational thing to do.

DanielJuly 14, 2015 9:23 AM

"Security is a combination of people, process, and technology."

Correct. Yet this is something that cannot seem to penetrate so many dull heads, especially the geek ones. I was trying to explain to a colleague the other day that the reason why I still use Windows was because of opsec. I don't understand Linux, I don't have any interest in learning Linux, and even if I did have the interest I don't have the time to devote to learning a new OS. So even if Linux is theoretically safer than Windows it's not safer for me--I'd rather dance with the devil I know. My colleague couldn't comprehend this. Linux was better security technology (mostly because if was open source) and that was the end of the security discussion.

Anonymous, Silk Road, Sony, Hacking Team...these guys didn't get taken out because they used the wrong technology. They got taken out because they forgot that security is also about processes and people and that no amount of technology can cover up bad opsec or poor hiring decisions.

bcsJuly 14, 2015 10:08 AM

Anything that's not tested, doesn't work.

Run a penetration test (call it a special forces training operation) every X weeks and any time they aren't caught, dock the contracts 3*X weeks of payments.

Clive RobinsonJuly 14, 2015 10:35 AM

Hmm,

From the article,

Where some other countries often rely more on guards with guns, the United States likes to protect its nuclear facilities with a high-tech web of cameras and sensors.

Arguably the US is correct...

With regards physical protection it's accepted in the industry, that if you are alowed in then anyone can get in with enough time and resources.

Thus the physical security overview is,

1, Deterrence,
2, Detection,
3, Response.

Deterrence, is more a "mind game" than an actuality, for some people any physical deterrence you can imagine is just an obstical to be circumvented, likewise legal punishment, upto and including cessation of existance, during or after their access attempt. As long as the desired target exists and those who own it require even occasional access then there is a demonstrated access path to be exploited. Even the ancient Egyptions were well aware of this with tomb robbers.

Given enough undesturbed time all deterrence will be overcome which brings us to the second point.

Detection, because deterrence is ineffective against determined or motivated individuals, who will overcome any deterance given time the sooner you detect such people the easier it is to prevent them getting to far into the defences.

In general humans are very bad at detecting attacks, our sense systems are easily some of the worst in the animal kingdom. Where we score is intelligence to interpret a myriad of signals and decide on if a threat is present or not.

So traditionaly we have recruited the assistance of those in the animal kingdom with better senses but not much inteligence. They act as an extension to our lack of physical senses. Thus guard dogs with better eyes, better hearing, better sense of smell, with sufficient intelligence to be trained to subsume their natural instincts in prefrence to the human wants and desires. Usually such creatutes are "hunting pack" animals.

Since WWII it's become clear that human technology can be as good if not better than those in animals that can be trained. And the mass production scalability brings the costs down and adds other advantages such as safe environment at a distance from hazzards.

Unfortunatly human intelligence counts against such systems in that lack of fear and comfort makes humans bored and inatentive. And just like attackers there are few deterants that will make them otherwise.

Unfortunatly man power is an "endless cost" that cuts profits, and thus "cost savings" are sort for "shareholder benifit" thus man power gets de-skilled and reduced where profit is a consideration and profit is the single most significant market driver...

Thus man power will decrease with time, and even where there are contractual obligations, lack of career, pay increases etc will cause a decrease in the quality of man power. No if's no but's no maybe's that is the way of the market, as King Kunut showed "There are somethings no man may have command of" and whilst the "dereliction for profit" motive is not quite one of them it's as near as makes no difference, unless you are prepared to make heads roll not just at the senior level but in the investors as well.

The other problem is one the defence industry knows by hart, which is "You only know you've not spent enough on deterance / defence, after you've been attacked and lost". Thus talking up risk of attack is a great way to open the purse strings, because if you get it wrong, there will be nobody there to make your head roll.

Thus the market is always open to knew technical gizmos. But they have a dark little secret, they are "static determanistic defence" systems with both technical and operator limitations. Thus they can always be "out evolved" by attackers. Especialy when the number and quality of the operators decreases with time...

And that's the problem, because acurate diagnosis of signals in a timely fashion is what determines the third stage,

Response, is actually what all reasonable physical defence is about. In essence it's getting overwhelming defense response at the point of attack to repel, capture or eliminate the attack.

To be able to do this effectivly you need to have effective warning in a timely fashion...

And that's the rub, if the operator is not attentive to the signals, in the right way with the intelligence to work out that a threat is present and what it is to give timely alarm to the response forces then the attack will either be successful or more damaging than it might otherwise have been.

The US system when it works is going to be more effective, but in practice it fails due to the operators failings.

The Russian system with men on the ground with dogs and guns works in practice, because the "operator" "has skin in the game", it's his life that will be lost when the attackers come, thus they tend to be more alert...

A big mistake the designers of the US system are making is trying to replace the operator with technology. It won't work no matter what they try because of the knock on effects of "determinism" that such systems have, plain and simple.

If you want an effective system, ensure that those most responsible for how it runs (directors and shareholders and "loved ones") have real life expectation terminating skin in the game. When they realy have something to lose they will ensure the system has a chance of working, otherwise the "profit motive" will take control of the system. It realy is that simple.

JaysonJuly 14, 2015 10:36 AM

"Anything that's not tested, doesn't work."

The good news is that nobody's nuclear missiles work.

keinerJuly 14, 2015 11:09 AM

Outsourcing and "buy the cheapest" f*ck up everything. In every part of life.

albertJuly 14, 2015 11:30 AM

@U235 (cute),
They don't need to remove material. A hundred pounds of C4 lowered through the roof would do the trick. Cleanup costs alone would be astronomical. Wankenhut would probably bid on that contract as well. :)
.
@Bruce,
"...There's an important lesson here. Security is a combination of people, process, and technology. All three have to be working in order for security to work...."
.
Yes, there is. It's a lesson about security, but it's part of a larger lesson: privatization and profiteering. It's a small part of a big, dysfunctional economic system, where money trumps everything else. Nuclear storage facilities should be considered part of our military, regardless of their product or function. They should be guarded by military personnel, who function under real accountability (yer ass on the line). This situation exists everywhere in our infrastructure security systems. Reactive systems are generally good at catching perps*, but not so good at preventing disasters.
.
Technology is like the little girl with the curl, right in the middle of her forehead. When she was good, she was very, very good, when she was bad, she was horrid.
.
...
*The Oak Ridge Three must have been laughing so hard they peed their pants, waiting to be captured. The prosecutorial overreaction further illustrates how dysfunctional the system is. It's a system that reacts like a spoiled child, when he gets caught being stupid. That's a metaphor.

MikeAJuly 14, 2015 12:05 PM

I doubt that "cost savings" are the true motivator of this sort of outsourcing. It is much more likely that Wackenhut et al are chosen for some mix of:

- Way to funnel taxpayer money into a reliable campaign fund contributor
- Way to achieve plausible deniability when the inevitable CF happens
- Way to perform "off the reservation" operations with less chance of blowback from military personnel who decide to take their oaths seriously at the "wrong" time

All of these boil down to "having a cut-out", a time-honored practice.

cost benefit analJuly 14, 2015 12:42 PM

Off the napkin reservation:

Securing uranium storage area? Simple, some fat guards and perhaps a few working cameras. Sounds actually perfect to me. Shocking? Let's discuss: It's heavy. It's deadly. You won't be moving it by hand, so guards need to watch for heavy equipment/trucks, not individuals. You can't make a nuke with it, not without trucking in several other large parts for moving, compressing, imploding, etc. You can't really make an improv dirty bomb, since the 'bricks' of uranium aren't just stacked willy-nilly in the middle of a giant atrium, but are instead in lead lined containers, usually submerged in water. More than a few hundred pounds of C4 would be required to disperse radiation, heck even a direct missle/bomb strike would preduce very limited results. Cleanup? Bulldozers and dirt, bury it all on site. Goes back to where the site was built to begin with.

tl;dr;bad formatting;

Guards needed to watch for heavy trucks/equipment, nothing else.

WinterJuly 14, 2015 12:44 PM

I think the classical way is still pretty good: geese.

Outsmarting guard geese is a real challenge. They have evolved to detect any attacker down to foxes (which tend to be smart). They also are smart enough to distinguish between wildlife. And they have feathers in the game. Combine them with guard dogs for a phased response.

But without people actually "manning" their posts, every fortress will fall.

On the outsourcing of public tasks. This never works. The obvious reason is that with the outsourcing, the "public" always loses the know-how to do the outsourcing properly. In this case, there likely was no one left who would know what good security looks like.

albertJuly 14, 2015 1:01 PM

@cost benefit anal,
I'm not gonna research it, for obvious reasons. A skilled team could have gained roof access, and probably inside access without much trouble. This ain't Fort Knox. There are man-doors, and probably doors for transport. You don't want to steal or disperse anything, you just want to make a big, hard, and dangerous to clean up mess.
.
Do you catch my drift?
.
My point, yet again, is: our infrastructure is not secure enough, and it's dangerously vulnerable.
.
...

en respons ehJuly 14, 2015 1:07 PM

@Winter • July 14, 2015 12:44 PM

I think the classical way is still pretty good: geese.


I prefer Peacocks, myself.


Chris • July 14, 2015 12:50 PM

Babcock and Wilcox? Didn't they design Three Mile Island?


Yes, and all the equipment they design worked perfectly. The humans manning the dials, too lazy to double check the multiple backup gauges, just kept lowering the water level, lower and lower, cause the one dial in front of their fatass chair was stuck.
The rods, now almost fully exposed to air, couldn't cool fast enough and melted. Just as it says it would in the Operator's Manual.


"When this gauge points here- Turn this dial to the left until it stops."

Versus

"Before raising or lowering of coolant level, verify that all indicators are working correctly, using visual/remote viewing if neccasary. If operation is not as expected, in duration or effect, notify supervisor or begin fission slowdown precedures/increase coolant levels until proper control opperation and problem cause and effect of problem can be ascertained."

Clive RobinsonJuly 14, 2015 1:10 PM

@ Winter,

I think the classical way is still pretty good: geese.

I guess you've never been poaching?

Geese generaly form a matriarchal groups, and the gander in charge is usually greedy and likes the smell and taste of dark rum soaked current and other dried fruit.

When I was a much younger man than I am today that knowledge used to put a nice fat goose on my Christmas table for years and at other times of the year as well. I even ended up on one occasion with a swan, but they realy are not that good to eat, and are the devils own job to get in a domestic oven.

All animals have their weaknesses it's just knowing how to exploit them... you can train a dog not to go for raw meat, but you try stopping it going for warmed up pemmican or similar.

Worse, some "guard dogs" are dual trained, that is their real purpose is to sniff out contraband, and the get dicked just like their handler to stand stagg or do a roving guard. If they sniff what they've been trained to do they are easy to out whit.

Cost BenefitJuly 14, 2015 1:19 PM

@albert • July 14, 2015 1:01 PM
You don't want to steal or disperse anything, you just want to make a big, hard, and dangerous to clean up mess.

Congrats, you blew up something heavy. With no people around it. Something so heavy, that it really doesn't go anywhere, but instead sinks into the ground. This is why 'dirty bombs' are not a viable threat. It's heavy because of its fissable properties, so it sinks like a lead balloon. We can't even do proper airosol of medium/neutral density particulates in open air without a pathogen. Concealed spaces, that's differnt.

But you said the hypothetical attacked doesn't want to disperse, just make a mess. I think my above points still stand: A small group of people without equipment can indeed gain surriptios access, but with the equipment needed would be detected almost immediattly. Even supposeing an overwelming strike force, their location would be known, and their time limited. As for making a mess, this isn't Cherynoble/Fukishima! A massive ball of self-sustaining fission, big problem. A few rods of matieral, heavy and laying on the ground. No biggie. Suits, water, dirt and a hole and your done.

Appoligiz for spelling errors. Also I enjoy debate, nothing above is meant to be personal.

PU240July 14, 2015 1:36 PM

"If an 82-year-old nun with a heart condition and two confederates old enough to be AARP members could do this, imagine what a team of determined terrorists could do."

I don't wish to get into a discussion about Isreal's place in the world but there's long been suspicion that the Isrealis pwned the US badly years ago.

http://www.wsj.com/articles/u-s-suspected-israeli-involvement-in-1960s-uranium-theft-1407352852

http://www.theguardian.com/world/2014/jan/15/truth-israels-secret-nuclear-arsenal

The nuclear world seems to be a very cynical place.

JustinJuly 14, 2015 1:51 PM

@cost benefit anal

Securing uranium storage area? Simple, some fat guards and perhaps a few working cameras. Sounds actually perfect to me. Shocking? Let's discuss: It's heavy. It's deadly. You won't be moving it by hand, so guards need to watch for heavy equipment/trucks, not individuals.

I'll grant you it's heavy, but it might be a bit of an exaggeration how deadly this stuff is. First of all, the depleted stuff, U-238, slightly radioactive, but probably not enough to kill you. I mean they even make bullets out of the stuff, not to mention pottery glazes and such commonly made of uranium compounds. The enriched U-235 is several times more radioactive, true. Even so, it still has a half-life of 700,000,000 years. In any case, it seems like it would take a certain critical mass to really be deadly.

It reminds me of the time in high school when we had a science experiment where we put a small piece of uranium ore in a cloud chamber with dry ice and alcohol vapor. The alpha particles caused small visible trails of condensation in the cloud chamber, and I almost imagined I heard them go "Pooff, pooff."

I wonder if they still do experiments like that in high school anywhere.

Anonymous CowJuly 14, 2015 2:12 PM

...the depleted stuff, U-238, slightly radioactive, but probably not enough to kill you...

Not right away. But how much time can you be exposed to it and not be affected, even if not fatally affected? If you've seen pictures from nuclear facilities you might notice everybody wearing dosimeters. Even the US Navy, which is maniacal about nuclear safety, has dosimeters. The Chernobyl area is allowing people into the hot area but limits how many and how much time they spend in the area.

The main concern would by why it took so long for any force to arrive at the breach. And yes it's not Fort Knox: you might get in, but will you be able to get out? (Also keep in mind that Fort Knox is a military establishment where deadly force is allowed!)

d33tJuly 14, 2015 2:47 PM

"Cold War 1.0" is over and we won remember? (joke)

Until "Cold War 2.0" (Working Title: "Rogue States Get Nukes" or "Terrorists Import Dirty Bombs") is completely ramped up, there are just not enough good propaganda possibilities detailing security failings at nuclear facilities to bother with (or well maintained, complete security systems). This is all on par with the TSA bomb screening fails though, which is also nearly played out for "PR" (TSA scandals etc). I always thought it was silly to worry about "bombs" when from 9/12/2001 forward, cell phone and laptop batteries were allowed within reach at all times on aircraft. I even explained to some congressional types the horror (and ease) of lithium-ion battery explosions on an aircraft under pressure. They weren't really interested in 2001. Cell phone makers / service providers probably would have been angry at them for dinging their burgeoning markets and yanked campaign contributions (and other corrupt income). Unless there is a big potential force in herding the cattle with a security situation (or propaganda piece), it goes on unnoticed and likely neglected. Particularly now.

The "Nuclear Nun" is even parodied in a sitcom.

Green SquirrelJuly 14, 2015 3:29 PM

As others have pointed out, this issue isn't as simple as:

Security is a combination of people, process, and technology.

Yes, I think we all wholeheartedly agree that this oft repeated triumvirate are the building blocks of security.

However, the problem is bigger, deeper and more systemic. No solution can really be implemented as long as organisations (public and private sector are equally to blame) believe security:


  • Can be outsourced to the cheapest bidder

  • Is a cost to the business which needs to be minimised

  • Can be fully risk managed via contracts

  • Can be properly delivered by suppliers who are, in turn, driving down their own costs and outsourcing as much as possible

The fundamental problem is that the goals, incentives and risks are all out of alignment. The service "providers" are basically given incentives to cut costs (deliver profits to their own shareholders) but the end client is still carrying the risk.

In this example, if the Evil TerroPhiles of the Apocalypse steal weapons grade nuclear material it is the citizens of the US / World who will suffer from the profits made by Babcock shareholders.

That is so unbalanced a risk equation, there can never be a real solution as long as the private company is in place.

Green SquirrelJuly 14, 2015 3:34 PM

from the quote from the original article:

Private companies are, of course, driven primarily by the need to make a profit, but there are surely some operations for which profit should not be the primary consideration.

I agree - and these operations must never be allowed into private hands. Why should any company in the world fail in its fundamental duty to its owners/shareholders?

If it is important that something is done correctly - "whatever the cost" - then it shouldn't be in private hands.

albertJuly 14, 2015 4:06 PM

OK, I'm not getting through to you guys, but I gotta drop it.
.
@PU240, (so many isotopes, so little time, eh?)
Israel has powerful friends in Congruous, the White House, and corporate Amerika. It's not about money. They have contingency plans for obtaining necessary products should they ever lose US aid. It's about ideology, which, as you know, trumps everything.
.
@Chris, @en respons eh,
Ah, TMI. Brings back memories. It was one of those 'cascading' failure scenarios, like so many aircraft disasters. They have a lot in common. It it started with the failure of a relief valve. Because of the valves totally sealed design, the valve position was essentially a indication of whether it was activated or not. A series of operator errors followed. Other contributors were improper maintenance procedures. This was a preventable accident. Operators did not understand the operation of the unit well enough to analyze the unfamiliar scenario. Any possible situation in the main coolant system needs to be documented. I wonder if this one was. I recall an excellent article in Scientific American about it. Wiki did OK, but I'd go for SA.
.
@Anonymous Cow,
DU kills by inhalation. It's an alpha emitter and a toxic metal.
In some nuclear subs, there are marked areas where you're not allow to stand during full power operation:)
Who said anything about getting out?
.
...

albertJuly 14, 2015 4:30 PM

@Winter,
A local college had a large population of Canada geese, which attacked students walking along the sidewalks. The more petite girls were terrified of them. _I_ wouldn't want to fall down in a group like that. They'd be all over you like a cheap suit. They peck hard and fast, and if they got your eyes.....
.
@Green Squirrel,
"...Is a cost to the business which needs to be minimised...". Boy, you hit it there. This is the thinking that pervades all of government and all corporations. I can't comment on the military. Security is a necessary evil. Unlike taxes (can be evaded), regulations (can be ignored), and benefits (can be privatized), you gotta have _some_ security, and even security theatre costs something. It must really gall CEOs having to spend more money on security, when they can't afford that fourth vacation home in Aruba, and have to settle for Costa Rica instead. Life's a bitch, when you're rich. (Just don't use the company email to talk to your GF)
.
...

tyrJuly 14, 2015 5:42 PM


There are few things on earth that can approach the
level of mis-understandings that radioactivity can
cause. The worst danger is hysterical nitwits and
their mis-guided solutions for security. I knew
Wackenhut guards whose job was to guard the Nevada
test sites, real estate that didn't need to be
guarded from anyone with a few working brain cells.

Radioactive materials cannot be made safe they can
only be handled with caution and leaving them in
a condition where an aged nun with a bolt cutter
can get access to them is the height of folly.
The US Navy is paranoid because their reactors
are not a long distance away they are on the same
ship with you. People who have been medically
decontaminated become even more fanatical about
it. If you think a Nuke inspector is a stickler
for regs you haven't seen how they are after a
lung scrubbing job because someone made a mistake.

A rational government would only hire nuclear
physics graduates as security guards on nuke
facilities but instead you get military retirees
or ancient policemen for a minimal salary. As
long as nothing happens it seems to work. If you
get an incident then the theatre of security and
political grandstanding are out in full force.

With the right dogs the boldest adventurer will
be turned into dog excrement but then the lawsuits
rain upon the owner.

@Clive
If you kill them first the swan is a lot more
cooperative about getting in the oven. I had four
friends who stole a live turkey and made their
getaway in a Fiat 850. The next day they looked
like they had engaged a heavyweight boxer due to
its disagreement with them during the ride.

An industrial society requires a lot of material
that isn't safe if you disturb it. Short of going
to Luddite solutions education might help deal
with it as a problem. The current idea of deliberately
creating more enemies and more failed states is
not going to make anyone any safer.

SkepticalJuly 14, 2015 7:03 PM


From the quoted portion:

Washington has insisted that Russia adopt a similar approach to security at its own nuclear sites­ -- claiming that an American cultural preference is objectively superior. The Y-12 incident shows the problem with the American approach of automating security.

This happened years ago, but reading this sparked my curiosity, so I looked up the DOE-IG's reports on the incident.

And actually this has little to do with "automation" versus people or cultural differences. Instead the Y-12 incident demonstrated a failure by the US Government to monitor the performance of the contractors and ensure that their performance met specified standards. And even when failures were observed, the federal officials tasked with such monitoring were not empowered to do much about it.

For example, if a camera failed, the contractor would be permitted to implement "compensatory measures" (e.g. more frequent visual patrols of the area that the camera was to monitor) until the camera was repaired. The officials had little power to force a repair to be made immediately, or even within a specified timeframe, so the "compensatory measure" would become a permanent replacement. One official described the approach to the IG as "eyes on, hands off." To me that sounds like, "I can file a report and make disapproving expressions." And that's just not good enough.

This is the same facility where there were multiple reported instances of test materials (simulations and written tests) being obtained by the personnel to be tested prior to the test, where canine units were working their dogs past the point of effectiveness, etc.

So let's toss this nonsense about the incident having anything to do with national "cultural preferences".

From a great distance and with a very casual acquaintance with the facts, what I see is a clear lack of singular accountability for security that is combined with the authority and power to effect that security. Two contractors, one who provides the personnel, one who provides and maintains the equipment, is a recipe for each attempting to shift costs and responsibility to the other. Add what is likely a laborious and lengthy contracting process that adds layers of bureaucracy, include what appears to be a misguided attempt to let "private sector efficiency" control "how things are done" while federal officials simply state the goals (misguided in that it seems to have deprived federal officials of the requisite authority to demand immediate remedies for operational deficiencies), and you have all the ingredients for mission failure.

Put differently, there seems to be insufficient unity of command, in which both authority and accountability are combined. That's not a cultural problem (unless you think Russia has some innate cultural edge in creating streamlined and effective organizations with proper incentives). Instead I suspect it's an unintended consequence of a system designed to minimize costs and embed the awarding of contracts within a thick set of rules to minimize corruption. These are important goals, but they seemed to have been pursued without giving due weight to the need for combined authority and accountability to ensure that the actual mission - i.e. the security of the facility - is continually accomplished.

milkshakenJuly 14, 2015 8:48 PM

contrary to what some commenters here are claiming, the U235 stored in Y12 facility can be very easily assembled into improvised nuclear weapon on site: it is not too radioactive - it can be handled with bare hands, no shielding necessary, you need to steal about 200-300 pounds of U235 metal, which is quite a small volume (5 to 7 gallons) assemble it in a near critical pile (preferably surrounded by metal), then drop another chunk on top by few meters per second. Elevator shaft or air handler pipe and a piece of rope would work perfectly well for the purpose. You don't need any neutron source, no explosive charges, nothing - just determination and a little expertise. The improv nuclear device will be ineffective for the amount of U235 used, and there would be a chance of a nonexplosive criticality excursion accident (flash of heat and radiation lethal to persons nearby) but you can get a 5 kiloton yield with better than 90% chance.

JustinJuly 14, 2015 9:54 PM

@milkshaken

Yeah they shoved a pillow in my face last time I talked about that kind of stuff.

shakemathJuly 14, 2015 10:22 PM

@milkshaken

My quick in the head math reads that 3 to 4 tonnes of U235 would be needed to go critical assuming no other items or materials present?

Even then, this 'bomb' is not mobile, takes relatively long time to arm and detonate, and is quite visisble/trackable an undertaking.

I'm sure someone else can do better math. All in all, it reminds me of the old smoke detector nuke misconception. You just can't physicaly put so much material in one spot before add-on effects derail your quest for critical mass. I do believe you'd have a flash-over, melt and seperation, etc well before going crit, but as I said, this is all real quick in my head...

milkshakenJuly 14, 2015 11:13 PM

@shakemath: You need about 20 kilos of 90% U235 for implosion type of device (which is non-trivial). For the gun type device you need a little more, 100 kilos or so (slightly less than what was used in the Hiroshima bomb) and if you omit the initiator source of neutrons it only decreases the yield and reliability, but you can still get low kiloton range yield, even by just assembling the core by dropping one U235 piece onto another, through a chimney. This is no secret, Luis Alvares pointed this out in open press in 1950s. (This primitive method would not work with Pu).

Coyne TibbetsJuly 15, 2015 12:09 AM

@cost benefit anal - You won't be moving it by hand, so guards need to watch for heavy equipment/trucks, not individuals. You can't make a nuke with it, not without trucking in several other large parts for moving, compressing, imploding, etc.

Yes, you will be moving it by hand. Critical mass of U-235 is 33 KG, about 73 pounds. You wouldn't want it in one backpack anyway, so two backpacks, 40 pounds each, easy. Even the more radioactive isotope would not give you a lethal dose for days.

Moreover, you shouldn't be thinking nuke. Just ten pounds of uranium, vaporized in downtown New York, would (at a guess) be hundreds of millions of dollars in cleanup. Not to mention the terror.

Finally, uranium is extremely flammable (you would have to get the solid metal pretty hot, but powdered uranium burns on contact with air). I shudder to think about a uranium fire in one of these places.


@Skeptical - ...demonstrated a failure by the US Government to monitor the performance of the contractors and ensure that their performance met specified standards.

@Skeptical - So let's toss this nonsense about the incident having anything to do with national "cultural preferences".

The trouble is, you're looking at the wrong cultural preference; it's not a preference for technological solutions that is the problem. The problem is the cultural preference for profit, profit and profit; to the exclusion of all else.

Profit is fine in principle, but when it is combined with a "Wink, wink, nudge, nudge," attitude toward enforcement of minimum standards and a cozy you-scratch-my-back-I'll-scratch-yours sweetheart deals, it leads to massive failures. When you further combine that with the need to protect something that could kill thousands or millions...

And, yes, we are exporting this cultural preference, demanding other countries do the same.

mooJuly 15, 2015 12:55 AM

This story reminds me of the book "Engineering a Safer World" by Nancy Leveson. Its available as a free download from MIT Press, and I believe her ideas about how to engineer safer systems, and study safety failures, might also have some application to engineering secure systems and studying security failures.

Here's a small excerpt:

"In major accidents, precursors and warnings are almost always present but ignored or mishandled. While what appear to be warnings are sometimes simply a matter of hindsight, sometimes clear evidence does exist. In 1982, two years before the Bhopal accident, for example, an audit was performed that identified many of the deficiencies involved in the loss. The audit report noted factors related to the later tragedy such as filter-cleaning operations without using slip blinds, leaking valves, and bad pressure gauges. The report recommended raising the cability of the water curtain and pointed out that the alarm at the flare tower was nonoperational and thus any leakage could go unnoticed for a long time. The report also noted that a number of hazardous conditions were known and allowed to persist for considerable amounts of time or inadequate precautions were taken against them. In addition, there was no follow-up to ensure that deficiencies were corrected. According to the Bhopal manager, all improvements called for in the report had been implemented, but obviously that was either untrue or the fixes were ineffective."

graniteJuly 15, 2015 2:46 AM

@D33t

"I always thought it was silly to worry about "bombs" when from 9/12/2001 forward, cell phone and laptop batteries were allowed within reach at all times on aircraft. I even explained to some congressional types the horror (and ease) of lithium-ion battery explosions on an aircraft under pressure."

No one listened to me when I tried to explain that mh370 was laden with hundreds of pounds of lithium batteries. This was subsequently scrubbed from everywhere including the manifest. All that remains is the weight of "unknown" cargo which is identical to the weight of lithium batteries in crates. Shortly thereafter the FAA -or whoever makes worldwide airline rules - made policy changes limiting the amount of lithium batteries allowed to be carried while passengers are onboard.

d33tJuly 15, 2015 4:49 AM

@granite

"All that remains is the weight of "unknown" cargo which is identical to the weight of lithium batteries in crates."

Sadly, it is this type of cover up that undermines the common trust in leadership everywhere. Corrupt leaders benefit greatly from the public's disheartened attitudes toward participating in society and elections. I think people tend to know when something is not truthfully represented, and yet it is difficult to constantly wade through lies in order to maintain a clear line of thinking.

I'm sorry to hear that your explanation of MH370's fate allowed for the erasure of evidence. The truth is difficult to suppress forever. Hopefully further evidence will surface someday and the official record will be set straight. I hold this same hope for Flight 800 as well.

John Galt IIIJuly 15, 2015 9:35 AM


Some more good reading material on nuclear security is McPhee's biography of Ted Taylor. It's a bit dated, but modern PCs and femtosecond lasers have made it a lot easier to engineer a good device.

The Curve of Binding Energy: A Journey into the Awesome and Alarming World of Theodore B. Taylor
http://www.amazon.com/The-Curve-Binding-Energy-Alarming/dp/0374515980

all the more fascinating, because a Quaker peace advocate revamped the US nuclear weapons program. He wasn't the only Quaker involved with DoD over the years. Hubert Yockey and Smedley Butler went before.

It appears that the Japanese nuclear program may have been further along than most people realize. If this is a hoax, it is a brilliant piece of work:

Hiroshima and Nagasaki atomic bomb documentary
https://www.youtube.com/watch?v=Z6_eXfssseo

My use of the Amazon link should not be confused with an endorsement of Amazon. I don't like doing business with them, except for the part where they are fast and cheap. I invariably used bestbookdeal.com to reference books until they went belly up and ruined my collection of links.

tyco bassJuly 15, 2015 2:43 PM

@MikeA

"having a cut-out"--

Absolutely right. Not that cost saving should be the overriding concern anyway, but these are often no-bid contracts and designed to keep the revolving door spinning.

tyco bassJuly 15, 2015 2:47 PM

@John Galt III et al.

re Amazon: try http://www.addall.com/
They're an aggregator, and many book quotes run through Amazon, but at least there are other options, and you'd be surprised what turns up cheap through the "used" link here.

ZJuly 17, 2015 3:34 AM


I'd certainly endorse the recommendation for 'The Curve of Binding Energy'. A fascinating historical read and some interesting physics for non-experts. Those wanting more unclassified physics could do worse than the 'The Los Alamos Primer'.

Z

RogerJuly 26, 2015 9:10 AM

For those who are interested in a more detailed security analysis of this incident, rather than the New Yorker's frankly very long-winded biography of one of the peaceniks, you can read an online copy of the report from the Office of the Inspector-General here:
http://energy.gov/sites/prod/files/IG-0868_0.pdf
(An 18 page PDF, less than 1 MB.)

A few observations, mostly based on the OIG's report; those based on my own opinions or experience are prefixed "ME":


  • This happened quite a while ago -- even the OIG's report has been available online for several years. Remedial actions were completed years ago, and in fact some were completed within a few hours of the intrusion.

    • ME: Heads have already rolled over this. The site manager for the security contractor was sacked almost immediately.

  • The OIG's report indicates that a major reason for the slow initial response was that when first observed[a], the intruders were mistaken for maintenance workers carrying out minor building repairs. Government funding cuts had caused all maintenance works to fall far behind, and so it had gradually become common practice for maintenance workers to enter restricted areas unannounced, even in the small hours of the morning. This execrable practice and some other poor maintenance practices are the primary cause of every other failure. I won't say "root cause", because the root causes here concern why these poor practices were allowed to arise. I'll discuss some personal observations on that below, because I suspect that on this point the OIG's report may miss the main point. However, unlike several commenters, the OIG's report clearly does not simply place the blame on the contractor's shoulders.

  • While this was certainly a serious incident and shouldn't be understated, many commenters are badly over-stating it. There is no question of the intruders building a bomb, as when they were arrested they hadn't even got inside a building, much less the security containers used to store HEU.You might argue that a better prepared terrorist force could have penetrated further before the armed response arrived. That risk is precisely why the matter was regarded very seriously rather than as a mere stunt. However there are at least two doubtful hypothetical leaps of the imagination required for that scenario:

    1. The intruders only penetrated the detection-and-investigation security zones. The serious security starts on the other side of that wall. As outside observers we simply have no idea what sort of security mechanisms come into play once actually inside the buildings, but we do know that there has been extensive testing of very formidable measures, and they do include lethal force. During the Cold War the containers were meant to inflict maximum delay on a Soviet Parachute Regiment, never mind a terrorist gang. Are they still that formidable, or have these been dumbed down too? I certainly hope not but we simply don't know. At any rate, it is clearly foolish to assume that reaching the outside of the wall means the job is pratically done.

    2. As mentioned above, the intruders actually were observed on the way in, but because they were mistaken for maintenance workers they were initially ignored, and then after excessive delay (half an hour) a solo armed officer responded rather casually. Shortly after that his supervisor raised a general alarm. The illusion would have been unmasked rather more quickly if they started using explosives or toting long arms; further, after the horse had bolted, Wackenhut demonstrated that they were capable of a much more "kinetic" response once fully alerted. Among other things, the OIG's report notes that one of the points from which the intruders could have been monitored as they approached the building -- but weren't, apparently due to a guard's apathy -- was a gun port. The report doesn't state how many gun ports overlooked this area. However, in the Annex on previous investigations there is a remark on an investigation into supply of improperly sized gun ports for concrete walls, a problem since rectified. This paragraph tends to suggest that Y-12 has a lot of gun ports.


  • Commenters both on this site and elsewhere have suggested that the security contractor is responsible for an approach which relied almost exclusively on electronic security instead of men with guns. The OIGs report makes it clear that this is quite false. In fact as well as electronic security Wackenhut had employed a system of roving armed patrols, including night patrols between the perimeter fences. These patrols were stopped by the federal government agency as a cost savings measure.

  • A number of commenters have suggested that B&W (the security contractor responsible for physical infrastructure) is responsible for making lower security decisions in the design of the physical defences. However the OIG's report makes it clear that in fact B&W had wanted additional physical measures but they were deleted from the contract by the federal agency. The investigators received two explanations as to why this had occurred. It was variously stated to be for cost savings, or because the formidable security of the building itself made it unnecessary.

  • A number of commenters elsewhere seem to suggest that electronic systems failed to raise an alarm. This is false. In fact the OIG's report shows that whilst some electronic systems were faulty, the intruders actually tripped multiple alarms, and also were actually recorded on a CCTV that was being monitored at the time by guard. The response was lethargic for reasons apparently unrelated to the alarm system itself.


Hmm, I had about six more dot points to cover, but I see this is already too long; good night.
______
a. To be precise, when they were first observed by a camera, they were cutting a hole in the third fence. The camera was under observation by a guard at the time, who must have been awake and actually looking at it because he operated the PTZ controls. The report doesn't explicitly say why this officer didn't respond. However a little further along it does say that when the intruders reached the building they were initially ignored because they were mistaken for maintenance staff. Unless the officer who saw them cutting the fence had a drug induced brain-failuree, it seems reasonably likely that he made the same error.

SkepticalJuly 26, 2015 4:55 PM


@Coyne: The trouble is, you're looking at the wrong cultural preference; it's not a preference for technological solutions that is the problem. The problem is the cultural preference for profit, profit and profit; to the exclusion of all else.

Profit motive isn't unique to the US, and if you look at corruption levels in the nation of comparison here (Russia) it's very hard to argue with a straight face that the US is trying to export a profit motive to Russia. "Profit motive" was probably one of the biggest sources of concern, in fact, for those examining the possibility of nuclear weapons proliferation from former Soviet sites.

I have a distant and casual acquaintance with the facts of this incident based upon a reading of the DOE-IG reports, but it seems to me that this is just shoddy organizational design in conjunction with personnel who were either not empowered or lacked incentive to prevent this type of failure.

@Roger: I've read the DOE-IG reports as well, and either missed some of what you write or you found information from additional sources. My impression from the IG report, for example, was that the contract company had made a decision to reduce personnel and certain activities at the site, and that a separate contract company did not make timely repairs to equipment considered critical. The IG described the federal agency as being empowered to take a "eyes on, hands off" approach to compliance with specifications. So while your comments somewhat ameliorated my displeasure at the contract companies involved, and increased that with the federal agency responsible, there still seems to be failures by all parties involved and a curious lack of unified accountability and authority for security.

What disturbed me most was the evidence of blatant and corrupt attempts to evade and dilute testing designed to measure the quality of the services being rendered, e.g. advance distribution of tests and test-scenarios. If a contractor's performance cannot be reliably and independently verified, then the value of any metrics one receives is greatly diminished.

Your point about the extent to which the individuals had penetrated, and that greater challenges may have awaited them had they gone farther, is a good one, but the observed performance does not fill me with confidence.

Leave a comment

Allowed HTML: <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre>

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of IBM Resilient.