Security technology has seen remarkable advancements in recent years, particularly in industries tasked with safeguarding critical assets, such as the civil nuclear sector. Facial and fingerprint recognition, Automatic Number Plate Recognition (ANPR), and even technologies that identify individuals by their MAC addresses or unique gait now play a vital role in security strategy. However, as with any workplace initiative, be it a simple recycling policy or a corporate password protection directive, technology is only as good as those who implement or operate it. Whilst technology can be fallible and gremlins do arise, it’s never as flawed as mere humans.
We carry the ability to reason and to override procedures, or ignore policy, should we wish. Or, as it happens, just make mistakes. In fact, according to a recent Verizon report, two out of three insider attacks happen as a result of negligence, and 74% of organisations are saying that insider threats are becoming more of a concern for them.
Security breaches aren’t limited to insider facilitated external threats though. Whether intentionally or not, they can come from within. Humans can, and do, ‘go rogue’, whether that’s pre-meditated criminal or malicious intent, or just by taking shortcuts.
In fact, for the nuclear sector, while threats from terrorism, military action, sabotage, cyberspace, and unauthorised exposure pose the biggest security headaches, as with any industry, human error or human malpractice is always present.
Nuclear security is defined by the International Atomic Energy Agency (IAEA) as the prevention and detection of, and response to, theft, sabotage, unauthorised access, illegal transfer or other malicious acts involving nuclear material, other radioactive substances or their associated facilities.
Employee negligence and insider threats
Insider negligence remains one of the leading causes of security breaches. Employees who share passwords or access cards may do so out of convenience, ignorance, or a misplaced sense of trust. Unfortunately, this creates vulnerabilities that are left open to exploitation. When multiple employees share credentials, it becomes difficult to trace actions to a single individual. This lack of accountability can complicate incident investigations and allows malicious activities to go undetected.
The sharing of passwords or access cards also means inaccurate accounting of personnel, and in the event of an evacuation or major incident, central IT systems will hold misleading information on employee locations which could have a huge impact upon safety and potentially emergency services resources.
Employees with malicious intent can exploit shared credentials to carry out unauthorised activities while shifting blame to others, increasing the risk of deliberate sabotage or theft of sensitive data. Even when there is no malicious intent, employees who share access credentials risk unintentionally exposing them to unauthorised individuals, such as contractors, visitors, or external attackers.
Access cards, for example, are designed to limit entry to restricted physical locations. When shared, this creates opportunities for sabotage, theft, or even corporate espionage.
Likewise, shared passwords can lead to unauthorised entry into IT systems, allowing hackers to install malware, ransomware, or spyware. For example, a cybercriminal gaining access to an energy grid system could shut down power to entire regions, causing chaos to millions of people, and disrupting essential services.
And not all data breaches are caused by online hackers gaining entry through unsecure firewalls. Sensitive information held within critical sites, such as blueprints, system controls, and customer records, becomes vulnerable when access credentials are shared too, and the disclosure of such information can have a serious impact upon bottom line, operations, reputation and for the civil nuclear sector, the safety of personnel and civilians.
One well known reported example of human error occurred in 1979, when David Learned Dale, a contracted laboratory technician at a General Electric fuel-fabrication facility in Wilmington, North Carolina in the United States, decided to demonstrate how an insider can test security systems by stealing low-enriched uranium (LEU).
Security guards failed to notice that the identification card presented was not an authorised access card, but in fact his drivers’ licence, and Dale was able to access restricted areas, bypass a faulty locking mechanism and leave the facility in a one-hour window, before embarking upon a failed extortion attempt.
Efforts to improve the human element
A Taylor & Francis report of 2022, ‘Exploring the human dimension of nuclear security: the history, theory, and practice of security culture’, examines security culture across several nuclear sites within the United Kingdom, over a number of decades.
In line with IAEA guidelines, it concludes that while nuclear security has progressed less quickly than it has in nuclear safety – driven partly by the aftermath of disasters such as Chornobyl – “International efforts to promote the importance of nuclear-security culture at the operational level are now gaining momentum, with an upsurge over the past decade in initiatives aimed at understanding and strengthening the human factor and placing greater emphasis on the active involvement of all personnel in security”.
While data breaches court most news headlines in this digital era, some of the most significant security risks are those posed when employees neglect fundamental security practices such as sharing passwords or access cards. It is therefore important to mitigate human risk at an operational level.
One way to prevent human error, or to thwart malpractice is to reduce the burden upon employees to be compliant, and eliminate human flaws, is by using technology that requires no intervention, decision-making or reason.
Facial recognition is widely used in the civil world now, despite the concerns of various lobbyists. Used correctly it is not a ‘catch all’, but allows instant recognition of persons of interest cross-referenced against a database of known suspects.
Car parks are typically governed by ANPR to gain access in and out, while border controls are using advanced biometrics for everything from facial and fingerprint recognition, through to recognition of human characteristics and gait, for both entry and to apprehend individuals if required. Smart, cloud-based technology being used by governments and law enforcement authorities have cascaded down through the civil and corporate worlds.
For critical national infrastructure (CNI) sites, like nuclear power plants, the key question is the potential cost of a security breach. Security conscious organisations are now diligently removing human error, by eliminating the human burden. With cloud managed software not only are access points managed through biometric integration, but it also overcomes the issues around accountability – the cloud will always register who has passed through an access point, or out of it.
This is critical for both immediate safety and security but also for matters arising from a crisis, or emergency situation. It’s also less admin heavy, more cost effective and can manage and store employee records, including background checks. Employee or contractor data is encrypted, their information is safe, their interactions are secure, and businesses are protected.
Simple acts of negligence, such as sharing passwords or access cards, can open the door to catastrophic consequences, operational disruption, financial loss, and even, in the case of nuclear, national security risks. To mitigate this, organisations can do worse than to implement robust access management systems, and in doing so, release employees from having to be accountable for ensuring the security of the sites in which they work.
As artificial intelligence evolves even more robust biometrics will come to the fore, and we work and live in environments that are controlled without us even knowing security checkpoints are all around us, and access management happening at every step. It will become as ‘every day’ as an automatic door allowing entry into our local supermarket – but we’re not quite there yet.
