Understanding the Threat

This unit provides an overview of the wide range of threats facing nuclear and other
radioactive material and their associated facilities. It defines what is meant by nuclear and
other radioactive material and presents a variety of statistics and real life examples to
demonstrate the issues. It also takes a closer look at unwitting threat, threats from
criminals, threats from terrorists, and cyber threats. The unit is divided into four sections.

Section 1 provides some basic definitions and an overview of the threats to nuclear and
other radioactive material.
Section 2 discusses some of the external threats to nuclear and other radioactive material
from unwitting thieves, criminals and non-state actors.
Section 3 defines what is meant by insider threat and demonstrates why insiders’ access
and ability to bypass dedicated security measures is of such concern. 
Section 4 discusses the cyber threats that organizations around the world face, as well as
specific threats to nuclear facilities.
You learned about the evolving threat environment in the Foundation Module.
This unit will further expand on threats to nuclear material and how they relate to
your job as an STE. To help you fully understand the concepts, it is useful to define
some of the terms used in this course and in industry. Organisations typically
divide the material with which they work into two major categories: nuclear
material and other radioactive material.

The IAEA defines the term nuclear material to be any material that is either
special fissionable material or source material as defined in Article XX of the IAEA
Statute. This includes uranium in various forms (powders, pellets, fuel rods, solid
metal, alloys) at different levels of enrichment, as well as plutonium and thorium.
Special fissionable material (U-233, U-235 and Pu-239) are isotopes that can be
used to create nuclear weapons.

The IAEA defines other radioactive material as any radioactive material that is not
classified as nuclear material. Other radioactive material is often broken down
into two categories: radioactive sealed sources and radioactive material.

Radioactive sealed sources include material that is mainly used for calibration or
measuring equipment, medical purposes, and irradiation of food and other
products to make them sterile. Such materials are usually found in a solid,
encapsulated form that keeps the radioactive material from escaping.

Radioactive material comprises a huge range of materials and forms—from high

purity radioactive liquids used for medical testing or treatment of patients in
hospitals to large containers of highly radioactive waste containing fission
products (like caesium and strontium) from nuclear fuel reprocessing operations.
Such wastes will remain radioactive for hundreds of years and must be stored
safely and securely.
IAEA Classification of Material

The IAEA has created a system for categorising nuclear and other radioactive
material according to their ability to harm human health. Although the system
was originally created to meet the needs of safety risk determination, the security
community has also adopted it, and the vast majority of international
recommendations and national regulatory requirements for the security of
nuclear and other radioactive material are developed from it.

Classifications for nuclear material: As outlined in the Foundation Module and in

IAEA Nuclear Security Series No. 13 (also titled INFCIRC/225/Revision 5), the IAEA
assigns nuclear material content to three basic categories ranging from the most
hazardous material (Category I) to the least hazardous (Category III). There is also
an uncategorised category for material that is less likely to cause harm than those
in Category III. The category to which material is assigned depends upon its
element, isotope, quantity and irradiation.

Classifications for radioactive sealed sources: In Safety Guide No. RS-G-1.9, the
IAEA assigns radioactive sealed sources to five levels ranging from Category 1
(Extremely Dangerous) to Category 5 (Unlikely to be Dangerous). Protecting this
material is discussed extensively in the WINS Academy Elective for Radioactive
Source Security Management.

Multiple Threats, Multiple Responsibilities

Hello! My name is Robin Sage, and I am a 25-year-old cyber threat analyst at the Naval

Network Warfare Command in Norfolk, Virginia. As a graduate of MIT with 10 years of work

experience in the security field, I am looking for a challenging position as a consultant with a

growing organisation that is on the cutting edge of technology.

Image Source: https://en.wikipedia.org/wiki/File:Robin_Sage.png

Would you offer a consulting position to Robin? Apparently, Google and Lockheed Martin did.
Unfortunately—in spite of the bios on her Facebook, LinkedIn and Twitter accounts—Robin
does not exist. She is the brainchild of Thomas Ryan, a security specialist and white hat hacker
from New York. Ryan (2010) explains that:

Given the vast number of security breaches via the internet, The Robin Sage Experiment seeks to
exploit the fundamental levels of information leakage—the outflow of information as a result of
people’s haphazard and unquestioned trust. The experiment was conducted by creating a
blatantly false identity and enrolling on various social networking websites. By joining networks,
registering on mailing lists, and listing false credentials, the conditions were then set to research
people’s decisions to trust and share information with the false identity. The main factors
observed were: the ability to exploit other individuals’ level of trust based on gender,
occupation, education/credentials, and friends (connections).

From December 2009 to January 2010, “Robin” directly contacted and befriended nearly 300
people, including executives at government agencies like the U.S. National Security Agency
(NSA), the U.S. Department of Defense (DOD), and military intelligence groups. (Among the
few organisations that did not befriend her were the CIA and FBI.) Other contacts came from
Global 500 corporations. 

During the month-long experiment, Robin received numerous offers for government and
corporate jobs. She also received offers of free tickets to—and invitations to present at—various
security conferences. Furthermore, she received numerous offers of gifts, compliments on her
appearance and dinner invitations. One professional with over 10 years of experience asked her
to review a paper he was writing, potentially exposing himself to the theft of his research. 

Ryan was able to use information from Robin’s contacts to access email addresses and bank
accounts and to learn the location of secret military units based on soldiers’ Facebook photos and
the connections among different people and organisations. By the second day of her postings,
some people started realising that something was amiss after they tried to verify her phone
number, check for other email addresses, and use the MIT alumni network to check her story.
Yet no central warning was issued about the profile. 

Ryan concludes that:

The false identity combined with carefully chosen false credentials led to a false trust that could
have resulted in the breach of multiple security protocols.

In the Foreword to this course Sagarin discussed evolutionary biology and adaptability. The
Robin Sage case might be compared to an evolutionary concept called mimicry, whereby an
organism evolves because their resemblance to another organism is selectively favoured. This
can confer an advantage in that a predatory species will shy away from the mimic, or (as with
Robin Sage) a predator can use mimicry to avoid detection and even lure their prey.  

We can therefore expect that adversaries may try to adopt similar methods. As noted by Sagarin,
it’s not surprising in this biologically focused view that humans—not organisations or
infrastructure or protocols or regulations—should be the most important part of the security
system. 
Changing Perceptions of the Threat
In the early days of the nuclear industry, nuclear security was mainly concerned with
national security and the development of nuclear weapons systems. Its responsibilities
were similar to security responsibilities in other industries: checking identification badges
and providing access protection. Over the past five decades, however, security threats
have not only risen steadily, but they have also changed dramatically. 

The perception of the threat to nuclear organisations changed dramatically as a result of

the airplane attacks on 11 September 2001. Prior to this event, nuclear power plants and
other nuclear facilities depended mainly on security guards. Some countries required their
guards to have paramilitary training and undergo background checks and screening; other
countries did not. Furthermore, reactors were designed to withstand safety events such as
earthquakes and the impact of small military jets, not commercial airliners containing 200
tonnes of aviation fuel.

After 9/11, the nuclear community was forced to reconsider the complexity and scale of a
potential terrorist attack, where sabotage and mass casualty is the goal rather than theft.
Nuclear facilities began to re-examine whether they could withstand airline impacts while
protecting reactor cores, spent fuel pools, and other sensitive areas. The community also
began to consider the real possibility that a security incident could turn into a safety
disaster. In Nuclear Security Series No. 4: Engineering Safety Aspects of the Protection
of Nuclear Power Plants against Sabotage, the IAEA states that:
The perception of the potential terrorist threat to nuclear installations has changed
significantly...additional analyses could and should be performed to determine whether
the structures, systems and components important to safety at nuclear power plants
provide optimum physical protection against potential terrorist attacks.
For all of these reasons, the belief that managing a complex nuclear security programme
simply involves the management of guns, guards and gates is both simplistic and
outdated. Nuclear security management is every bit as sophisticated, challenging and
important as nuclear safety management, and it consequently needs similar amounts of
consideration and attention. 
Documented Incidents
Threats to nuclear and other radioactive material can come from a variety of individuals and
groups ranging from thieves and criminals to terrorists. As outlined in the Foundation Module,
the IAEA established in 1995 the Incident and Trafficking Database (ITDB) to monitor incidents
of illicit trafficking and other unauthorised activities and events involving nuclear and other
radioactive material outside of regulatory control. (Detailed information in the database is not
publicly available, however.)

At the end of 2015, after 20 years of aggregated data, the ITDB contained:

—2,889 confirmed incidents of illicit trafficking in nuclear and other radioactive material.

—762 incidents involving theft or loss of material.

—454 incidents involved unauthorised possession and related criminal activities.

—1,622 incidents involved other unauthorised activities and events.

There are a number of problems with the data. First, incidents are only reported at the discretion
of Member States so the information is incomplete. Second, the severity of incidents is very
different, yet they are grouped together in single categories. Furthermore, the classification of
incidents by type may be inaccurate. Nevertheless, important information can be gleaned from
the public report. According to the ITDB, where information on motives is available, financial
gain is the principal incentive behind the majority of events. One of the database’s conclusions is
that the actual number of successful transactions involving the illegal sale of nuclear and other
radioactive material is unknown.

Another database—the Global Incidents and Trafficking Database—is maintained by the James
Martin Center for Nonproliferation Studies (CNS) in California with funding from the Nuclear
Threat Initiative (NTI). The database collects information on nuclear and other radioactive
material that has been lost, stolen or otherwise gone out of regulatory control. CNS publishes an
annual report, which can be publicly downloaded from NTI’s website, on the incidents that took
place during the prior year. The 2015 report (published in March 2016) states that:

Nuclear terrorism continues to be the single largest threat to peace and security in the United
States and the world. The nuclear-weapons states are aware of that risk and have put
considerable effort into securing nuclear facilities and fissile material. Unfortunately, fissile
materials are not the only radioactive material in circulation. Radioactive isotopes are widely
used in industry and in medicine. Some radioactive isotopes would be suitable for radiological
terrorism, and the risk of them falling into terrorist hands remains high.

In 2015, 26 countries publicly reported a total of 188 incidents in which nuclear or other
radioactive material went outside of regulatory control. Only eight of these involved nuclear
material (uranium, thorium and plutonium-beryllium), and in all eight cases the material was
recovered. However, the majority of incidents involved contaminated scrap metal and other
material that could pose serious health hazards. Two cases involved Category I radioactive
material and seven involved Category 2 radioactive material. 

Following are the some of the report’s key findings and implications.

Theft, trafficking, and physical security  

More than 20% of the 2015 incidents involved theft, although it remains unclear whether
the thieves were targeting radioactive material or more likely, the sophisticated and
expensive-looking equipment that uses the material. The intent of the smugglers in the
three recorded trafficking cases was clearer: All three targeted radioactive material with
the intent of earning a large profit. In one case in Moldova, the suspect openly expressed
his hope that ISIS would use the material to attack US citizens.

Human negligence

Over half of the incidents in the 2015 database were the result of negligence. This was
especially the case with lost material, but it was also a contributing factor in many of the
reported thefts. In most instances, the problem does not seem to have been a lack of
published standards but rather an inability to enforce the standards.

Conclusion

For the third year in a row, lax physical security and human negligence are major themes
of the report. Governments concerned about the threat of radiological or nuclear terrorism
could potentially receive a large benefit at reasonable cost by focusing more on end-user
training and other capacity building efforts to address these key areas.

The report also concluded that radioactive material is much more likely to go out of regulatory
control than nuclear material, particularly when it is used in industrial and medical applications.
One reason for the comparatively high number of incidents is the fact that such material is used
in vast numbers around the world. According to the IAEA:

Millions of radioactive sources have been distributed worldwide over the past 50 years, with
hundreds of thousands currently being used, stored, and produced.

A second reason is that the majority of other radioactive material is in civil use, often in low-
security settings such as construction job sites and hospital operating rooms. A third is that
national legislation governing the control of non-nuclear radioactive material is generally weaker
than that covering nuclear material. A fourth is that (until recently) improving the security of
these materials has not been a high priority at the international level.
Theft Concerns
The CNS database now contains hundreds of documented cases in which individuals attempted
to steal a vehicle or obtain scrap metal and were completely unaware of what the cargo or metal
device actually contained. In some cases, the thieves have opened the source out of ignorance or
curiosity and exposed themselves to dangerous levels of radiation. 

For example, on 2 December 2013, thieves stole a truck parked at a gas station about 22 miles
from Mexico City. Inside the truck was a used cobalt-60 teletherapy unit with an activity of
3,000 Ci (e.g. Category 1 material). The truck was found abandoned two days later close to
where it had been stolen. The teletherapy unit was found in a field about a mile away from the
truck. The thieves had removed the radioactive source from its container, exposing themselves to
radiation, but had then abandoned the source as well. Authorities believe they simply intended to
steal the truck, not its cargo.

In other cases, thieves have exposed other unsuspecting members of the public to dangerous
levels of radiation as well. The most famous incident happened in Goiânia, Brazil, in September
1987. Two scrap metal dealers stole a cancer therapy unit from an abandoned hospital facility
and dismantled the core containing 1,200 Ci of caesium-137. They sold pieces of the unit to
another scrap metal dealer, who in turned sold the pieces to others in the community. In the
coming days, alert hospital staff recognised symptoms of acute radiation syndrome (ARS) in a
number of victims. The ensuing panic eventually caused more than 112,000 people—10% of the
population—to request radiation surveys to determine whether they had been exposed. At a
makeshift facility in the city’s Olympic Stadium, 250 people were found to be contaminated.
Twenty-eight had sustained radiation-induced skin injuries (burns), and 50 had ingested caesium.
Tragically, two men, one woman, and one child eventually died from ARS. One of the two scrap
metal dealers who originally dismantled the unit had to have several fingers amputated, and the
other one had to have an arm amputated.

On the other hand, cases of stolen Category 1 nuclear material are relatively infrequent. Tobey
and Zolotarev (2014) note that approximately 20 cases of theft and smuggling of plutonium or
highly enriched uranium (HEU) have been documented since the early 1990s, some of which
were in kilogram quantities. Even small thefts, they say, suggest vulnerabilities that could be
exploited for larger thefts, and small seizures may be samples of larger stocks. Tobey and
Zolotarev also note that weaknesses remain in many countries, that the protective measures in
place are only adequate to protect against modest threats, and that a lack of onsite armed guards
persists in many places. 

This is concerning because criminals have specifically targeted sites with nuclear and other
radioactive material. For example, in 2007 two armed, well-trained teams of men launched an
attack on the Pelindababa site in South Africa. The site contains hundreds of kilograms of HEU.
One team penetrated a 10,000-volt security fence. They disabled intrusion detectors and went to
the emergency control centre, where they shot a staffer who raised the first alarm. They spent 45
minutes inside the guarded perimeter, but were never engaged by the site’s security forces. They
left through the same opening in the fence and were never caught or identified, and the motive
remains unknown. 
Other criminals have targeted nuclear and other radioactive material with the intent to profit from
their theft financially. For example, in 2011 Moldovan officials arrested six people for nuclear
smuggling and seized 4.4 grams of weapon-grade HEU. The smugglers, who claimed to have
access to plutonium, as well as nine kilograms of HEU, were offering to sell the material for $31
million to a real buyer. The identities of the Russian leader of the group and the African buyer
are unknown, and they are still at large.

Threats from Extremists

In recent years, one of the most serious threats has come from extremists and violent groups,
which include terrorists, rebel groups, militias and warlords. 

Case Study: Terrorist Surveillance

Following the November 2015 terrorist attacks in Paris, Belgian investigators uncovered
a 10-hour video during the search of a home belonging to Mohamed Bakkali, believed to
be one of the persons in charge of logistics for a terrorist cell located in Molenbeek, a
district in Brussels. The video contained a static shot of an entrance to a home that
investigators identified as belonging to a top official at the nuclear research centre located
in Mol, Belgium. The research centre hosts two research reactors (BR1 and BR2), a
private company that produces medical isotopes, and facilities in which scientists conduct
research and experiments on radioactive waste. 

The purpose of the video footage on the official’s home is not clear, but experts speculate
that it could have been part of a plot to abduct the man and force him to turn over
radioactive material, possibly for use in a dirty bomb. Furthermore, in the aftermath of
the terrorist bombings, Belgian officials disclosed information suggesting that the Islamic
State of Iraq and Syria (ISIS) was interested in Belgium's nuclear facilities.

This leads to a major security concern about nuclear material: that a malicious individual or
group will obtain enough material to be able to make a nuclear weapon, or a less powerful but
still dangerous improvised nuclear device. This is one of the reasons why the IAEA focuses
strongly on safeguards and nuclear non-proliferation. The security concerns for other radioactive
material are generally associated with the sabotage and intentional release of radioactive material
into the air or water and with the theft of material for later use in a radioactive exposure device
(RED) or radioactive dispersal device (RDD). 

An RED is created by concealing a strong gamma-emitting source in a public place or in the

vicinity of a specifically targeted individual in order to cause harm through radiation. For
example, a concealed radioactive source could be placed on a subway or in a sports arena where
large numbers of people would unknowingly receive radiation exposure. The effects of radiation
from such devices could range from minimal to life threatening depending on source properties
(isotope, activity, amount), proximity to the source, and exposure time.
RDDs, or dirty bombs, are created when conventional explosives like dynamite are used to
spread radioactive material. Any nuclear or other radiological material could be used to create
such a device. RDDs are not considered to be a weapon of mass destruction because they would
not have the same magnitude as a nuclear device. Immediate casualties from an RDD would be
the result of the bomb itself, not of radiation, and there would be no nuclear detonation.
However, people in the area could be exposed to radiation either externally or internally (by
inhaling or ingesting radioactive particles). The surrounding buildings and environment could
also be radioactively contaminated, potentially denying their use for a long period of time.

The first known homicide from radioactive material took place in Moscow in 1993 when
someone placed a caesium source in the chair of Vladimir Kaplun, Director of the Kartontara
Packing Company. After sitting in the chair for several weeks, Kaplun became ill and
subsequently died from radiation exposure. A similar incident occurred in 2003 when a
disgruntled colleague at a medical treatment facility in China placed Ir-192 sources in the ceiling
of a co-worker in an effort to murder him. The intended victim and a number of other persons in
the building exhibited signs of acute radiation sickness, including fatigue, loss of appetite,
headache and vomiting, before the sources were discovered.

To date, authorities only know about one dirty bomb incident that was put into action. It took
place in 1995 in Moscow, Russia, when Chechen rebels planted radioactive caesium packed with
dynamite in Izmaylovsky Park. Fortunately reporters received a tip about the bomb, and it was
defused before it could be exploded. Although no dirty bombs have yet been detonated,
authorities around the world continue to hear that terrorist groups like Al Qaeda and ISIS are
interested in making them, so it is important to remain vigilant. 

Questions for Reflection

Which types and categories of nuclear and other radioactive material do you work
with?

What do you know about the security threats your organisation faces?

To your knowledge, have any incidents involving nuclear or other radioactive

material taken place in your country? At your facility?

Who do you think is responsible for protecting people in your country—and

facility—from the theft, sabotage and misuse of such material?

Do you believe that non-state actors pose a threat to the nuclear/other

radioactive material used in your facility? Why or why not?
Do you believe there is any possibility that the nuclear material and equipment
with which you work could be stolen and sold for financial gain?

What would happen if nuclear or radioactive material were to be stolen from your
facility and used as a weapon (IND, RDD, or RED)? What would the impact be on
your organisation and your job?

If some of the nuclear or other radioactive material you work with were to go out
of control or be intentionally acquired by someone with malicious intent, what
might some of the consequences be?