Background
Nuclear operators seek to employ personnel who can be trusted with sensitive information, critical technology, and hazardous nuclear and radioactive materials. This requires employees who are honest, dependable and mentally and physically stable. Certain social backgrounds and external influences, as well as a host of other influential factors, can create undue levels of vulnerability, altering a person’s dependability, moral character, motivations and allegiances. History has repeatedly shown how such changes have resulted in insider threats and weaknesses in nuclear safety and security, sometimes leading to serious consequences.
Past incidents have clearly demonstrated that insiders can take advantage of their access rights and knowledge of a certain facility, as well as their authority over staff, to bypass dedicated security measures. They can also threaten cyber security, safety measures, and material control and accountancy (MC&A). Insiders are likely to have the time to plan their actions; in addition, they may work with others who share their objectives. Employees may also sometimes cause harm unintentionally, particularly in the cyber realm.
States around the world have faced a number of terrorist attacks perpetrated by individuals claiming to having been inspired by, amongst others, religiously oriented groups like the Islamic State (IS) and Al Qaeda, and by right-wing anti-government militias and white supremacist groups. These attacks have led to the death of innocent civilians and shocked society by their indiscriminate violence. Often referred to as violent extremists (VEs), such individuals are often lone actors who might have been radicalised by passively consuming violent extremist material online. They tend to have few, or no, connections to radical groups or individuals in other countries before they engage in solo acts of violence. From the perspective of the nuclear sector, one of the most serious security concerns is that employees could become radicalised—or that inidividuals who have already been radicalised are hired—and subsequently use their positions of trust and authority to carry out a malicious act.
With the support of other stakeholders such as specialised law enforcement agencies, nuclear operators can take concrete actions to protect their materials and facilities from insiders, including violent extremists. For example, they can develop a comprehensive insider threat mitigation strategy that provides the foundation for the effective implementation of plans and procedures. This includes implementing specific measures for pre-employment vetting, as well as during-employment behaviour observation and aftercare. Effective insider mitigation programmes should also include measures to reduce the risk of an unwitting insider who unknowingly assists an adversary in performing a malicious act.
Countering the insider threat requires that all individuals within the nuclear organisation play their part, not simply the Security Department. This begins with the commitment of leadership. Both executive and line management must demonstrate their belief that a credible threat exists and that nuclear security is important. They must lead by example. The human resources department also plays a crucial role by creating employment policies, procedures and programmes that support a security-aware culture amongst staff.
Objectives
The workshop reviewed credible insider threats in the nuclear sector and highlighted the importance of comprehensive insider mitigation programmes. Specifically, the event identified the motivation, intentions and capabilities of potential internal adversaries and emphasised the use of vetting programmes and other selected preventive and protective measures as best practices to reduce the risk. It also explored the role of different stakeholders involved in identifying internal threats and how to assess their current contribution to mitigate them.
The key objectives of the workshop were:
- To review how the insider threat landscape has evolved in the last few years;
- To review the process for identifying the motivation, intention and capabilities of insiders and to discuss real life examples and applicable case studies;
- To identify and explore the role of different stakeholders involved in the identification and mitigation of insider threats with specific reference to the nuclear sector;
- To review the key components of insider mitigation programmes, with a focus on human reliability and employee satisfaction programmes, and to highlight the importance of a robust security culture;
- To identify methodologies and metrics for measuring the performance of the insider mitigation programme and to share practices for reporting it to senior management.
Expert speakers from the nuclear industry were invited to share their experiences and lessons learned from implementing security arrangements against insiders. Participants were encouraged to identify immediate steps that can be taken to strengthen nuclear security programmes and mitigate insider threats in their organisations and countries.
Audience
The workshop was opened to a group of 60 participants.
WINS is promoting gender parity and diversity in all of its events. This event had both female and male subject matter experts. Female participants and people from all backgrounds were strongly encouraged to apply for this event.
The workshop targeted security managers and other security professionals from nuclear operators and regulatory bodies as well as human resources managers, psychologists and other experts in human factors. It will also target senior officers from law enforcement agencies and representatives of international organisations.
This event was conducted in collaboration with CRDF Global. CRDF Global was responsible for the registration and selection of participants.
Process
The workshop was conducted online on 17, 22 and 23 of February 2022. All live sessions were organised from 11:00am to 02:15pm CET.
The workshop was conducted in English only. It was professionally facilitated and delivered online using Zoom or a similar platform. Pre-recorded materials were made available to support the preparation of the workshop.
The live sessions were not recorded. The workshop materials have been made available to the participants.
The workshop included expert presentations, plenary and group discussions, and a TTX.
It provided participants the opportunity to interact amongst themselves and with the subject matter experts to exchange their thoughts and professional experiences on the topic. The discussions were unclassified but subject to Chatham House rules (what was said can be reported, but not attributed).
The workshop was designed having regard to gender parity and diversity in relation to the choice of imagery to promote the workshop, the selection of subject matter experts and their distribution among the range of topics covered in the workshop.
