The Principles of Conduct

Physical and Cyber Security

In designing nuclear power plants, Vendors will:

2.1 Incorporate comprehensive design provisions made for security, including cyber security;

2.2 Ensure security design provisions are compatible with safety and emergency response requirements;

2.3 Cooperate with the Customer to incorporate the Customer State’s Design Basis Threat;

2.4 Incorporate within design provisions the potential for damage from security threats in accordance with the Customer State’s Design Basis Threat.

Before entering into a contract to supply a nuclear power plant to a Customer, Vendors will have made a reasonable judgment that the Customer State has or in a timely fashion and in good faith will have:

2.5 Provided information to the Vendor on the results of the Customer State’s Design Basis Threat analysis sufficient to allow the Vendor to complete the design. The threat and risk analysis should take into account plant location and conditions in the region, consideration of the threat posed by potential cyber-attacks as well as internationally accepted standards;

2.6 Become an active party to the IAEA’s Convention on the Physical Protection of Nuclear Materials and its 2005 Amendment;

2.7 Participated in the United Nations International Convention for the Suppression of Acts of Nuclear Terrorism; and

2.8 Developed a national legislative and regulatory infrastructure for nuclear security, including adequate policies and procedures governing:

2.8.1 Allocation of responsibility for security among government and plant management;

2.8.2 Implementation of a security response capability appropriate to the Design Basis Threat; and

2.8.3 The interests of the population at large with respect to physical security provisions.

Recognizing their unique expertise in support of effective security provisions, Vendors may provide, if requested by the Customer and separately agreed, relevant information and guidance to the Customer State and the Customer to help establish in a timely fashion that:

2.9 Plant physical security provisions have been undertaken based on a well-established standard, such as the IAEA’s Convention on the Physical Protection of Nuclear Materials, which typically:

2.9.1 Use the Design Basis Threat to determine how to appropriately equip security staff and to limit the potential use of force to only that necessary;

2.9.2 Establish appropriate standards for the selection, training, and testing of security staff and provisions to enforce them;

2.9.3 Incorporate and address plant design sensitivities, including provisions for the protection of sensitive information and sensitive information assets;

2.9.4 Incorporate provisions for efficient plant operation, safety, and emergency response into security planning; and

2.9.5 Ensure physical plant security and acknowledge respect for human rights.

2.10 Routine evaluations of the sufficiency of security response capabilities are undertaken.

2.11 An integrated safety and security oversight organization is established with responsibility for establishing, monitoring, and continuously adjusting the balance among security, safety, emergency response, and efficient plant operation; and

2.12 Continuous improvement and coordination between law enforcement, other Customer State agencies, and plant security are undertaken through follow-up, support, and joint training.