IAEA-CN-184/187
Verification of Components and Sub-Assemblies for Containment and Surveillance in
International Safeguards
M. Koskeloa, S. Kadnera, M. Ondrika, D. Johnsona, C. Martinezb, B. Wishardb
a
Aquila Technologies, Albuquerque NM
International Atomic Energy Agency, Vienna, Austria
b
Abstract. The International Atomic Energy Agency (IAEA) makes extensive use of containment
and surveillance techniques to indicate that material was neither introduced into nor removed
from a container or a location under safeguards. This provides the Agency continuity of
knowledge on nuclear material it has verified and confirms that the facility under safeguards is
operating as declared in its design information provided by the State. The traditional regime for
verifying that an NDA instrument, a camera or a seal has not been tampered with requires that an
inspector be able to visually inspect the instrument or camera housing, or the entire length of the
seal cable. However, the various systems are used more and more in areas that are difficult to
access or where it is not practical to inspect the entire length of the seal cable. We propose that an
initiative be launched to evaluate methods to confirm the integrity of the components and/or subassemblies of an NDA instrument, a camera or a seal in an automated fashion using the
technology that is rapidly becoming available. Use of such techniques would permit deployment
of technology for safeguards even in scenarios where eventual access to the location will be
impractical or next to impossible.
1. Introduction
Safeguards and nuclear security share many common goals, such as the deterrence and timely
detection of unauthorized removal or diversion of nuclear material, and assurance of
accountability for all nuclear material [1]. Budgetary limitations imposed upon the International
Atomic Energy Agency (IAEA) and other multinational and national organizations who share
similar safeguards and nuclear security responsibilities; make it clear that improving the costeffectiveness and efficiency of safeguards solutions must be a high priority consideration.
The International Atomic Energy Agency (IAEA) makes extensive use of containment and
surveillance techniques to indicate that material was neither introduced into nor removed from a
container under safeguards. This provides continuity of knowledge on nuclear material it has
verified and confirms that the facility under safeguards is operating as declared in its design
information provided by the State. However, a critical prerequisite to any such conclusion is
assurance that the instrumentation upon which the conclusion is based can be trusted, i.e. it has
not been tampered. The traditional regime for verifying that an NDA instrument, a camera or a
seal has not been tampered requires an inspector to visually inspect the instrument or camera
housing, or the entire length of the seal cable. However, these devices are used more and more in
areas that are difficult to access or where it is not safe to inspect the entire length of the seal
cable. Consequently, the traditional regime is inherently flawed with respect to the emerging
requirements for assurances and for efficiency of operation. That is, at present only a manual
inspection of the equipment, including seal wires, can provide assurance that the equipment is
untampered; and such manual inspections are increasingly infeasible if not impossible.
1
Judicious use of methods to intrinsically verify integrity of NDA instruments, cameras and seals
component by component offers the safeguards oversight authorities the possibility to accomplish
a long-standing desire and policy to perform more and more of the monitoring in an unattended
mode [2,3,4,5]. In particular, verification of components and subassemblies would permit
deployment of technology for safeguards even in scenarios where eventual access to the location
of the measurement will be impractical or next to impossible.
In the following, we will provide a summary of the some of the technologies that seem to be
appropriate for further investigation and a short discussion of the potential advantages of such an
approach
2. Present Technology
The general safeguards philosophy today involves first using various off the shelf containers and
instruments to provide the requisite measurements and detections, and then building the
containment or security enclosure around it using seals and cameras. However, the secure use of
seals in this manner is far from simple [6,7] and has resulted in the development of a number of
both active and passive seals. An active fiber optic loop to secure a perimeter of a structure for
nuclear security is an already established concept [8]. In such systems, a light pulse is transmitted
down the fiber optic cable at periodic intervals. If the reflection does not match the reference
image, the system signals a breach. This concept is incorporated into the ReflectoActiveTM Seals
system [9]. Optical Time Domain Reflectometry (OTDR) can quickly determine if a seal has
been opened or tampered by detecting discontinuities in the fiber [10]. Reflective particles have
been added to the seal body to enhance the tamper resistance [11], although such a feature cannot
be read remotely. Fiber optic cables that are commonly used in safeguards seals such as the
COBRA and VACOSS seals can also be inspected with ODTR [12].An example of some of the
typical seals presently in use by the IAEA is shown in Figure 1.
Figure 1. Some of the present IAEA seals. Passive metal and COBRA seals in the top
row, active VACOSS and EOSS seals in the bottom row.
2
There is existing research into using eddy current measurements [13] and non-optical time
domain reflectometry (TDR) [14] to detect tamper in seals that use metal wires. With eddy
current measurements, the coil and the seal are a coupled system and the electrical impedance
sensed by the reader is a characteristic of the seal wire. If the wire is tampered, the eddy current
pattern induced by the reader is altered, allowing the reader to detect the attempted tamper. With
the TDR method a short electrical pulse is applied to the wire under test. A portion of the signal is
reflected back to the reader whenever it encounters a change in electrical impedance due to
tampering or other damage. By examining the pattern of the reflected signal, it is possible to
determine whether the wire has been tampered with. Metal wire technology originally developed
for active RF seals can be designed in such a way that while it can be cut, it cannot be soldered
together again, thus also providing direct tamper evidence [15].
Another approach that is still under development is to employ a counterfeit-resistant surface
coating for enclosures [16] using Optically Stimulated Luminescence (OSL) or Infra Red (IR)
techniques. In this case, the coating itself becomes the tamper indicator. The benefit of this
approach is that the coating relies on passive methods of detection and does not require power to
operate. Different variations of OSL or IR materials combined with optimized light sources and
optical filters can be used for best performance under different conditions. The coating itself
could be transparent, which would allow the appearance of the enclosure to remain unchanged
[17].
The next generation IAEA surveillance system, XCAM [18,19,20] includes an advanced camera
design and construction with improved built-in cryptographic key protection, and an improved
tamper detection and indication. The image sensor (the camera) is directly integrated into tamper
detection architecture, where if the core camera module is tampered with the encryption and
authentication keys are destroyed thereby leaving proof of the attempt. At the same time, the
encryption and authentication use modern standards, such as AES/RSA image encryption, DSA
authentication, and HTTPS/TLS secure communication. An illustration of the X-CAM is shown
in Figure 2. All signals from the camera module are secure, while simple maintenance, such as
replacing the backup battery can be performed without jeopardizing the integrity of the system.
3
Figure 2. The X-CAM safeguards surveillance system.
In a similar manner, the next generation unattended NDA platform (UNAP) has the encryption
and authentication at the board level in such a way that all signals out of the enclosure are already
secure [21,22]. An artist’s illustration of the UNAP is shown in Figure 3. While this is a
significant improvement over the present generation of multichannel analyzers and shift registers,
it still leaves the connection between the detector and the UNAP potentially vulnerable.
Figure 3. An artist's concept of the UNAP.
3. Future Directions
The miniaturization of the instruments and systems used for safeguards has been underway for
decades. The minicomputer gave way to the PC and then to laptops and notebooks. The
4
multichannel analyzers changed from laboratory instruments with weights up to 30 kg to handheld identifiers that include the processor with more processing capability than the old
minicomputers, include the detector(s), have GPS and wireless communication capabilities and
weigh less than 0.4 kg (< 1lbs.). An example of a miniaturized detector and electronics
combination unit is shown in Figure 4.
Figure 4. Example hand-held gamma spectrum analyzer.
As illustrated above with the example of a hand-held identifier with the built-in detector,
measurements like the verification of uranium enrichment that is typically performed by
safeguards inspectors using equipment that is quite heavy and bulky can be envisioned to be
performed with a smart phone size device.
The location of the safeguards measurements and observations is often also of great interest. With
the advent of GPS devices and algorithms to estimate the GPS location from the last satellite
signal for large structures where the satellite signals are not detectable, one can pinpoint the
location of many measurement locations rather accurately today. For safeguards purposes, it is
desirable to combine the GPS data, image data and other measurements all into a single packet
that can then be used for safeguards conclusions. Since the newer smart phones have built-in
GPS, if all the data integration is performed with a dedicated smart phone software application, it
becomes entirely feasible to combine all this information seamlessly on the spot.
This miniaturization allows the possibility to include technology such as TDR and OTDR directly
into the safeguards devices, making them inherently secure at the component level and therefore
suitable for unattended or remote monitoring. There does not appear to be any technical
impediment to create a wire tester of a smart phone form factor that uses eddy current or TDR
methodology, or an optical cable tester using OTDR methods to test seal cables. A smart phone
like device with the ability to take pictures and compare them to reference images could be
envisioned to check for tamper indications in cameras and instruments that have been coated with
tamper indicating coatings. An enhanced wireless system can also be envisioned to check the
tamper indicators that have been built into board level components of the next generation cameras
and NDA instruments, if such tamper indications were designed to permit such interrogation.
5
This generic confluence of technology still has one weakness. Electronics for safeguards need to
have low power consumption so that they can be used for long periods of time without relying on
external power sources. At the same time, the data that is being collected needs to be
preprocessed or analyzed right on the spot with rather sophisticated algorithms and for safeguards
security reasons, it needs to be encrypted and authenticated whether it is required to be only
stored locally, or transmitted immediately to Vienna. In many cases the essential cryptography
consumes more energy than the safeguards measurements themselves. In all cases, this requires
very significant processing power and it has been difficult to achieve both in the same package.
There seems to be a development underway that may solve this problem. While the market for
mobile-device chips is “extremely fragmented” with many producers, this may be changing with
the purchase of McAfee by Intel. This has the potential of bringing sophisticated computer
security into the future of Internet-connected smart phones [23,24]. Furthermore, Intel’s prior
purchase of Wind River last year means it can customize specific security functions, plausibly
things like authentication and encryption functions, so they run faster and more efficiently on
specific cores. Wind River systems are basically operations that are programmed for high
performance and unique code using less power without interfering with the rest of the processor
[25]. These are exactly the kinds of characteristics that are desirable for safeguards applications.
4. Conclusion
Historically, the IAEA and other safeguards oversight agencies have integrated standard off-theshelf instruments into whatever combination was appropriate and then created the security
envelope around them after the fact. The technology is now rapidly moving towards having the
low power consumption and the computing capability in the same package, with the necessary
security features like encryption and authentication built right into the processors. This
miniaturization makes it possible to consider integrating smart tamper indication algorithms and
security technologies at component levels of the safeguards instrument designs as an integral part
of the safeguards inspection regime. This allows the possibility of a comprehensive “rearchitecting” of the entire safeguards regime, including not only the safeguards instruments, but
the policies and processes as well, to improve not only the security of the process, but its
economics as well. It should be noted that this does require careful thinking and proper
implementation and we therefore propose that an initiative be launched to evaluate methods to
confirm the integrity of the components and/or sub-assemblies of an NDA instrument, a camera
or a seal in an automated fashion using the technology that is rapidly becoming available.
5. References
[1] J. M. Crete, “Synergy between Safeguards and Nuclear Security”, Presented at the IAEA
International Symposium on Nuclear Security, Vienna, Austria, March 30 – April 3, 2009.
[2] W. Koehne, E. Adrian, L. Persson, P. Schwalbach, and A. Terrasi, “European Commission
Safeguards in modern MOX Fuel Fabrication Plants”, Presented at the JAEA-IAEA
Workshop on Advanced Safeguards Technology for the Future Nuclear Fuel Cycle, Tokai,
Japan, 13-16 November 2007.
[3] N. Khlebnikov, M. Aparo, R. Abedin-Zadeh, and G. Bosler, “In Search of New Technologies
that will Enable the International Atomic Energy Agency to Fulfill its Mission”, Presented at
the 46th Annual INMM Meeting, Phoenix, Arizona, July 10-14, 2005.
6
[4] “IAEA Safeguards: Staying Ahead of the Game”, International Atomic Energy Agency,
Vienna, Austria, 2007.
[5] M. Farnitano, N. Khlebnikov, A. Hamilton and E. Pujol, “Progress and Plans for the IAEA
Department of Safeguards Research and Development Programme”, Presented at the 49th
Annual INMM Meeting, Nashville, Tennessee, 13-17 July 2008.
[6] P. R.V. Horton and I. G. Waddoups, “Tamper-Indicating Devices and Safeguards Seals
Evaluation Test Report”, Report SAND93-1726, December 1993.
[7] R.G. Johnston, “Tamper-Indicating Seals: Practices, Problems, and Standards”, Presented at
the World Customs Organization Security Meeting, Brussels, Belgium, February 11-14,
2003.
[8] W. Gebbia et al., “Optical fiber cable based intrusion detection system”, U.S. Patent
6,980,108, 2005.
[9] G.D. Richardson et al., “ ReflectoActive TM Seals for Material Control and Accountability”,
Presented at the 43rd Annual INMM Meeting, Orlando, Florida, June 23-27, 2002.
[10] D.B. Smith et al., “Method and apparatus for active tamper indicating device using optical
time-domain reflectometry”, U.S. Patent 6,002,501, 1999.
[11] K. Ystesund et al., “Python Fiber Optic Seal”, Presented at the 34th Annual INMM Meeting,
Scottsdale, Arizona, July 18-21, 1993.
[12] M. Koskelo et al., “Using Radiofrequency Identifiers and Optical Time Domain
Reflectometers to Verify Fiber Optic Seals”, Presented at the 51st Annual INMM Meeting,
Baltimore, Maryland, July 11-16, 2010.
[13] M.S. Good et al., “Seal Wire Integrity Verification Instrument: Evaluation of Laboratory
Prototypes”, Presented at the 50th Annual INMM Meeting, Tucson, Arizona, July 12-16,
2009.
[14] P. Ramuhalli, et al., “Time Domain Reflectometry for Seal-Wire Tamper Detection”,
Presented at the Pacific Northwest International Conference on Global Nuclear Security,
Portland, Oregon, April 11-16, 2010.
[15] S. Kadner, et al., “Authenticated RF Seals”, Presented at the 39th Annual INMM Meeting,
Naples, Florida, July 26-30, 1998.
[16] S. Miller et al., “Containment Verification Using Optical Methods”, Presented at the INMM
International Workshop on C/S Safeguards Concepts for the 21st Century, Oak Ridge,
Tennessee, June 7 – 11, 2010.
[17] J.E. Tanner et al., “Container Verification Using Optically Stimulated Luminescence”,
Presented at the 49th Annual INMM Meeting, Nashville, Tennessee, 13-17 July 2008.
[18] W.C. O’Connor, et al., “U.S. Safeguards Technology Support for the IAEA”, Presented at
the 48th Annual Meeting of the INMM, Tucson, AZ, July 8-12, 2007.
[19] M. Stein, et al., “The IAEA’s Next Generation Surveillance System”, Presented at the 48th
Annual INMM Meeting, Tucson, Arizona, July 8-12, 2007.
[20] M. Stein, “C/S Concepts for the 21st Century”, Presented at the INMM International
Workshop on C/S Safeguards Concepts for the 21st Century, Oak Ridge, Tennessee, June 7
– 11, 2010.
[21] M.M. Pickrell et al. “Specifications for the IAEA Universal Nondestructive Assay Data
Acquisition Platform (UNAP)” IAEA, April 1, 2009.
[22] M. R. Sweet, “The IAEA Universal Nondestructive Assay Data Acquisition Platform
(UNAP)”, Presented at the ANIMMA Conference, Marseille, France, June 7-10, 2009.
[23] S. Lohr, “A Different Take on the Intel-McAfee Deal”, Bits, The New York Times
Technology Blog, August 23, 2010.
[24] “McAfee inside: How Intel bid could shake up IT security”, Bloomberg Businessweek,
August 20, 2010.
[25] E. Sperling, “Intel-McAfee, Take Two”, Digital Frontlines, Forbes.com, August 30, 2010.
7