The Radiation and Nuclear Safety Authority (STUK) supervises nuclear and radiation safety in Finland. As part of this activity, STUK also supervises the security arrangements that the operator has in place to protect the use of nuclear energy and radiation, as well as the operator’s emergency plans, for example by conducting inspections.
STUK is responsible for enforcing the supervision of national non-proliferation measures targeting nuclear weapons, nuclear-weapon materials and nuclear-weapon technology, including related sensitive information and technology.
STUK maintains a register of radiation sources and a national central accountancy system for nuclear materials.
Information security constitutes part of the operators’ security arrangements, and developing the regulatory control for information security is a topical issue. Information security has become, and will continue to become, increasingly important because information technology (IT) networks and programmable automated systems (industrial control systems, instrumentation and control systems, ICS/I&C) are being adopted ever more widely. Furthermore, information security management and related procedures are becoming increasingly complex due, for example, to the use of supplier and subcontractor networks.
Requirements for security arrangements are laid down in legislation and in regulatory guides published by STUK
The general obligations pertaining to the use of nuclear energy are laid down in the Nuclear Energy Act (990/1987) and in the Radiation and Nuclear Safety Authority’s Regulation on Security in the Use of Nuclear Energy (Y/3/2016). Other obligations are included in the international agreements entered into by Finland, in the agreements concluded between various governments, and in the commitments made by Finland.
Under the Nuclear Energy Act (990/1987, Section 7 l), arrangements for security during the use of nuclear energy shall be based on the threat scenarios involved and on analyses of the need for protection. According to the Radiation and Nuclear Safety Authority’s Regulation on Security in the Use of Nuclear Energy (Y/3/2016), the design of security shall be based on design basis threats, risk analyses of the activity to be secured, and protection requirements assessed on the basis thereof. This Decree also puts forth the general principles for the design of security arrangements for the safe use of nuclear energy.
STUK lays down detailed requirements for the security arrangements covering nuclear facilities and nuclear materials in a design basis threat document, as well as in the YVL Guides for nuclear facilities and nuclear safeguards.
Security arrangements related to the use of radiation are regulated by the Radiation Act (592/1991). For example, under Section 31 c of the Radiation Act, the operator is obligated to protect high-activity sealed sources against unlawful action, loss and damage when using such sources. High-activity sealed sources are sealed sources for which, due to their high activity (that is, their dangerous nature), the Act contains detailed provisions regarding the security arrangements. The operator is obligated to use every means at its disposal to ensure the restoration of a safe state after a source has been damaged, lost or subjected to unlawful action.
The requirements concerning the security arrangements for radiation sources have been set forth in the STUK Guide ST 1.11, ‘Security arrangements for radiation sources’. In this guide, the various radiation sources have been divided into three categories on the basis of the potential consequences of unlawful action. The graver the potential consequences are, the stricter the requirements are. STUK supervises the implementation of such requirements at the places of use of radiation through inspections, also inspecting the plans regarding security arrangements that the operators have in place.
Design Basis Threat (DBT)
A design basis threat (DBT) specifies the threat that is used as a basis for design and assessment of the security arrangements that are the responsibility of the operator.