
PSAM 16 Conference Session W01 Overview

Session Chair: Gregory Wyss (gdwyss@sandia.gov)

Paper 1 SH288
Lead Author: Shawn St. Germain     Co-author(s): Robby Christian (robby.christian@inl.gov), Vaibhav Yadav (vaibhav.yadav@inl.gov), Steven Prescott (steven.prescott@inl.gov)
A Risk-Informed Approach to Linked Safety-Security Modeling
The requirements for U.S. nuclear power plants to maintain a large onsite physical security force contribute to their operational costs. The cost of maintaining the current physical security posture is approximately 10% of the overall operation and maintenance budget for commercial nuclear power plants. The goal of the Light Water Reactor Sustainability (LWRS) Program Physical Security Pathway is to develop tools, methods, and technologies and provide the technical basis for an optimized physical security posture. The conservatisms built into current security postures may be analyzed and minimized in order to reduce security costs while still ensuring adequate security and operational safety. The research performed at Idaho National Laboratory within the LWRS Program Physical Security Pathway has successfully developed a dynamic force-on-force (FOF) modeling framework using various computer simulation tools and integrates them with the dynamic assessment Event Modeling Risk Assessment using Linked Diagrams (EMRALD) tool.
Name: Shawn St. Germain (shawn.stgermain@inl.gov)

Bio: Shawn St. Germain is the manager of the Reliability, Risk, and Resilience Sciences Department at Idaho National Laboratory. Additionally, he is the principal investigator for the Physical Security Pathway work at INL, an LWRS program that seeks to improve the efficiency of physical security at commercial nuclear power plants through the application of new technologies and risk methods. St. Germain has been with INL more than 15 years and has reactor operations, process engineering and Probabilistic Risk Assessment (PRA) experience. He holds a master’s degree in nuclear engineering, an MBA and a bachelor’s degree in mechanical engineering. He was previously an SRO certified Shift Technical Advisor and Shift Support Supervisor at Columbia Generating Station, a commercial BWR, and a Nuclear Trained Surface Warfare Officer in the US Navy.

Country: USA
Company: Idaho National Laboratory
Job Title: Manager: Reliability, Risk, and Resilience Sciences


Paper 2 BC226
Lead Author: Brian Cohn     Co-author(s): Emily Sandt (esandt@sandia.gov), Douglas Osborn (dosborn@sandia.gov), Tunc Aldemir (aldemir.1@osu.edu)
A Dynamic, Integrated Approach to Vital Area Identification
The Vital Area Identification (VAI) process is a widely used method to determine which locations at a nuclear power plant (NPP) site need to be protected from sabotage. The intent of VAI is to identify a combination of systems that, if successfully protected, ensure that adversary sabotage cannot cause significant core damage. However, the VAI process does not consider what happens if a vital area is sabotaged by adversaries. Security analysis assumes that the sabotage of any vital area results in an imminent onset of core damage, even if there is other, non-vital, equipment that could be used to perform the same function as the sabotaged equipment. Integrated safety-security (2S) assessment using dynamic probabilistic risk assessment (DPRA) has been explored as a method to determine the consequences of sabotage of a vital area, and previous efforts have successfully demonstrated that the 2S methodologies are able to incorporate the loss of reactor safety systems and mitigation efforts on the reactor response for a previously identified attack scenario. However, current methods are unable to systematically identify combinations of adversary targets that would result in a realistic likelihood of core damage. A method is under development to identify and evaluate dynamic vital areas at an NPP site that an adversary would need to sabotage to cause core damage. The process integrates multiple dynamic risk assessment technologies. System theoretic process analysis (STPA) is used to identify components within an NPP where an adversary can perform an insecure control action, i.e., an adversary action that places elements of an NPP at risk. A dynamic pathway analysis uses these components and identifies all of their permutations that an adversary could sabotage (target sets). The dynamic pathway analysis then determines which permutations could lead to the onset of core damage; the analysis takes into consideration dynamic changes in the reactor state and the full suite of systems that can mitigate damage to the NPP. Finally, these permutations of target sets are used in adversary attack scenarios for 2S assessment to determine which scenarios need to be protected against by the NPP’s physical protection system.
Sandia National Laboratories is a multi-mission laboratory managed and operated by National Technology & Engineering Solutions of Sandia, LLC, a wholly owned subsidiary of Honeywell International Inc., for the U.S. Department of Energy’s National Nuclear Security Administration under contract DE-NA0003525. SAND2022-0824 A
Name: Brian Cohn (bcohn@sandia.gov)

Bio: Brian Cohn received his doctorate in Nuclear Engineering from The Ohio State University, where he studied dynamic probabilistic risk assessment. After performing research in seismic effects on nonstructural components, Brian began working at Sandia National Laboratories as an intern, where he performed research into integrated safety-security analysis. Following his dissertation developing a new method to integrate safety and security simulations, Brian has continued to work in integrated safety-security analysis as a postdoctoral appointee.

Country: USA
Company: Sandia National Laboratories
Job Title: Postdoctoral appointee


Paper 3 AN305
Lead Author: Andrew Thompson     Co-author(s): Dusty Brooks (dbrooks@sandia.gov), Douglas Osborn (dosborn@sandia.gov)
Risk-Informing Access Delay Timelines
The Light Water Reactor Sustainability (LWRS) program has developed a new method to modernize how access delay timelines are developed and utilized in physical security system evaluation. This new method utilizes Bayesian methods to combine subject matter expert (SME) judgement and small performance test datasets in a consistent and defensible way. It will enable a more holistic view of delay performance that provides distributions of task times and task success probabilities to account for tasks that, if failed, would result in failure of the attack. Using the current methods, access delay timelines rely on reported data from tests where possible, and on SME judgement to help fill in any blanks that exist in the testing. This data is generally reported using a single time rather than distributions, or as a triangular distribution centered around the minimum time from the test, with minimum and maximum assumed to be +/- 50% of this mean. However, these assumptions are not always realistic and can result in overly conservative timeline risk. The key driver for considering a change in methods is to provide a more accurate assessment of the true delay times as well as to consider the probability of successfully completing a task. Bayesian analysis was used to present timeline estimates in a way that is meaningful for timeline analysis and will allow security professionals to focus on areas that will benefit most from additional attention.
Sandia National Laboratories is a multi-mission laboratory managed and operated by National Technology and Engineering Solutions of Sandia, LLC, a wholly owned subsidiary of Honeywell International, Inc., for the U.S. Department of Energy’s National Nuclear Security Administration under contract DE-NA-0003525.
Name: Andrew Thompson (andthom@sandia.gov)

Bio:

Country: ---
Company: Sandia National Labs
Job Title:


Paper 4 RI210
Lead Author: Richard John
Framework for Estimating the Value of Deterrence
This paper presents a framework for calculating the value of deterrence related to countermeasures implemented to mitigate an attack by an adaptive adversary. We present a methodology for adapting Defender-Attacker Decision Trees to partition the utility of countermeasures into three components: (1) threat reduction (deterrence), (2) vulnerability reduction, and (3) consequence mitigation. The Expected Utility of Imperfect Control (EUIC) attributable to a specific implementation of the countermeasure is based on calculations from decision analysis and is defined as the difference in the expected utilities of the no-countermeasure branch and the branch representing the countermeasure variant (Johnson & Tani, 2013; McNamee & Celona, 2009). The EUIC represents the net benefit of implementing the countermeasure, including all costs associated with development, implementation, and operation. Benefits largely derive from three sources: (1) changes in attack probability (threat reduction), (2) changes in detection probability (vulnerability reduction), and (3) changes in the distribution of attack outcomes (consequence mitigation). We partition the EUIC and estimate the unique portion attributable to threat reduction, vulnerability reduction, and consequence mitigation. Calculations follow a subtraction logic, similar to those used to calculate the value of information (VOI). We provide example applications of the value of deterrence in an airport security domain and a cybersecurity domain. The proposed framework provides a methodology for explicitly accounting for deterrence in benefit-cost analyses (BCA).
Name: Richard John (richardj@usc.edu)

Bio: Richard John is a Professor of Psychology, area head for quantitative methods and computational psychology, and Associate Director at the Center for Risk and Economic Analysis of Threats and Emergencies (CREATE) at the University of Southern California. His research focuses on normative and descriptive models of human judgment and decision making and methodological issues in the application of decision analysis and probabilistic risk analysis (PRA). Richard has consulted on a number of large projects involving expert elicitation, including analysis of nuclear power plant risks (NUREG-1150) and analysis of cost and schedule risk for tritium supply alternatives. Richard received his Ph.D. in quantitative psychology and M.S. in applied mathematics from the University of Southern California, and B.S. in applied mathematics (summa cum laude) from the Georgia Institute of Technology.

Country: USA
Company: University of Southern California
Job Title: Professor of Psychology