LETTERPRESS: Post-Simulation Report
Transcript of LETTERPRESS: Post-Simulation Report
LETTERPRESS: Post-Simulation Report v2.0
1
LETTERPRESS: Post-Simulation Report
LETTERPRESS Simulation
0
LETTERPRESS: Post-Simulation Report v2.0
2
Executive Summary
This report provides an overview of the planning and execution of LETTERPRESS.
LETTERPRESS was a nuclear weapons disarmament verification simulation carried out by
the Quadrilateral Nuclear Verification Partnership, known as the ‘Quad’, comprising the United
Kingdom, the United States, Norway and Sweden. The objective was to carry out a nuclear
weapons verification simulation in a representative nuclear weapons facility, using non-
proliferative, but representative, treaty items. The first instance of its kind, it was designed to
enable Nuclear Weapon State (NWS) and Non-Nuclear Weapon State (NNWS) actors to
participate in an arms control scenario. It was intended to assist the development of
techniques, procedures and methods that could be used to inform nuclear weapons
verification requirements.
The simulation focused on two site inspections as part of a wider scenario in which two NWS
have agreed to a significant reduction in their respective nuclear weapon stockpiles and have
invited two neighbouring NNWS to be part of the Inspectorate tasked with technical verification
of the state declarations.
The simulation took place at RAF Honington, UK, between the 16th and 19th of October 2017.
It used genuine former nuclear weapon storage bunkers and ballistic casings of retired nuclear
weapon systems to enhance the realism of the exercise.
LETTERPRESS was considered a success. It provided players with experience of verification
activities associated with managed access to nuclear weapon facilities, deployment and use
of verification equipment, and host-inspector interactions. It enabled the Quad partners to
identify opportunities where concepts, technologies, and measures might be applied to inform
future verification requirements, and it provided the partners with the experience of developing
a protocol and associated verification procedures.
The priorities identified for future work within the Quad are:
• To take a systems-level approach to derive verification concepts, parameters, and
objectives applicable to nuclear weapons arms control;
• To investigate the management, encryption, and authentication of data collected
during an inspection.
Based upon the experiences of the players and planners in the LETTERPRESS simulation,
the continued engagement between NNWS and NWS is necessary to foster trust and
ownership of technical and procedural solutions. Engaging in these simulation activities helps
to develop understanding of the demands and limitations in ensuring protection of sensitive
information whilst allowing verification of declarations in a nuclear weapons context.
LETTERPRESS: Post-Simulation Report v2.0
3
Table of Contents Executive Summary ............................................................................................................... 2
1.0 Introduction ................................................................................................................. 5
Background ............................................................................................................................... 5
Simulation Objectives ............................................................................................................... 5
Simulation Scenario .................................................................................................................. 5
2.0 Simulation Design ....................................................................................................... 8
Simulation Planning & Organisation ......................................................................................... 8
3.0 Protocol Development ................................................................................................. 9
Protocol Background ................................................................................................................ 9
Inspection Mandate.................................................................................................................. 9
3.2.1 Site Visits .......................................................................................................................... 9
3.2.2 Ambiguity Resolution ..................................................................................................... 10
Establishing a Chain of Custody over Retired Weapons ......................................................... 10
3.3.1 Maintaining the Chain of Custody over Weapons in Storage ........................................ 10
4.0 Creating a Realistic Nuclear Enterprise ......................................................................11
5.0 Technology ................................................................................................................12
Functional Requirements ....................................................................................................... 12
5.1.1 Confirmation of TAIs ...................................................................................................... 12
5.1.2 Verification of Absence of a Treaty Accountable Item .................................................. 12
5.1.3 Chain of Custody Over Locations and Equipment.......................................................... 13
5.1.4 Unique Identification of Treaty Accountable Items ....................................................... 13
5.1.5 Chain of Custody of Treaty Accountable Items During Transportation ......................... 14
Certification ............................................................................................................................ 14
5.2.1 Safety ............................................................................................................................. 14
Authentication ........................................................................................................................ 15
Managed Access and Chain of Custody of Verification Equipment and Data ........................ 15
6.0 Training ......................................................................................................................17
7.0 Future Research ........................................................................................................18
Verification Concepts ............................................................................................................. 18
Verification Technologies ....................................................................................................... 19
8.0 Achievements of the Simulation .................................................................................21
9.0 Acknowledgement ......................................................................................................22
Annex 1: Glossary ................................................................................................................23
LETTERPRESS: Post-Simulation Report v2.0
4
Figures
Figure 1 - The B5 weapon, which was represented by using a decommissioned ballistic casing
of the UK's WE177 weapon………………………………………………………………………...6
Figure 2 - The container used to house the WE177, and thus used in LETTERPRESS as the
B5 transport containers …..………………………………………………………………………...13
LETTERPRESS: Post-Simulation Report v2.0
5
1.0 Introduction
Background
In 2015, Norway (NO), Sweden (SE), United Kingdom (UK) and the United States (US)
initiated a multi-year arms control initiative, referred to as the ‘Quad’. The Quad builds on
previous experience from the UK-Norway and UK-US bilateral work to study the challenges
associated with monitoring aspects of future nuclear arms control treaties and agreements.
The initial aim of the Quad was to develop a repeatable, highly realistic arms control simulation
within which monitoring capabilities and approaches could be developed, exercised, and
evaluated. The simulation was to take place in representative facilities using non-proliferative,
but representative, treaty items. This would enable Non-Nuclear Weapon State (NNWS) and
Nuclear Weapon State (NWS) actors to participate in arms control scenarios and develop
methodologies, techniques, and procedures such that future treaty verification regimes may
address both NNWS and NWS concerns, thereby increasing the confidence and success
probability for those regimes.
The first simulation undertaken by the Quad, called LETTERPRESS, took place between the
16th and 19th of October 2017.
Simulation Objectives
The following goals for planning and executing LETTERPRESS were set in response to the
aims of the Quad:
• Goal A - Provide players with the experience of verification activities associated with
managed access to nuclear weapon (NW) facilities, deployment and use of verification
equipment, and general host-inspector interactions.
• Goal B - Enable Quad partners to identify opportunities where future concepts,
verification technologies and measures may be applied, or where changes to
procedures may be required to support future verification requirements.
• Goal C - Provide Quad partners with the experience of developing a protocol and
associated verification procedures.
Simulation Scenario
Two nuclear weapon states (NWS), states A and B, agreed to a significant reduction in their
respective nuclear weapon stockpiles. The two NWS further agreed to include two
neighbouring non-nuclear weapons states (NNWS) as part of the Inspectorate tasked with
confirming the technical aspects of the monitoring regime.
LETTERPRESS simulated single inspections at two nuclear sites within State A. The sites
were called “Notinghon” and the “Dismantlement Site”.
LETTERPRESS: Post-Simulation Report v2.0
6
Notinghon was described as an Interim Storage Site where nuclear weapons that have been
removed from active service were stored awaiting either retirement and dismantlement, or
refurbishment. The Supplementary Storage Area, or SSA, at RAF Honington in the east of
England, served as “Notinghon” for the simulation.
The Dismantlement Site was described as a site where retired nuclear weapons were sent to
be dismantled. Separate buildings within the SSA at RAF Honington were used to simulate
the relevant buildings within the Dismantlement Site.
The weapons in the scenario were designated as “B5” free fall weapons (see Figure 1).
The simulation was predicated upon critical verification activities having taken place at a point
in time prior to the inspection simulated during LETTERPRESS itself. Specifically, the
Inspectorate was assumed to have sufficiently verified facility design information related to
certain buildings that were featured during LETTERPRESS. The Inspectorate had then
installed a monitoring system to maintain a continuity of knowledge over the status of the
buildings themselves and the contents of the buildings. The buildings for which this was
assumed to have taken place were:
• A bunker used to store the retired weapon once initiated into the verification regime
(termed the Treaty Monitored Storage Bunker, or TMSB, in the simulation).
• A bunker used to store the inspectors’ equipment and to subject B5 bombs to
verification measurements (termed the Measurement and Equipment Storage Bunker,
or MESB).
• The equivalent storage building at the Dismantlement Facility (termed the
Dismantlement Site Measurement and Equipment Storage Location, or DSMESL).
The relevant locations were therefore pre-set with pre-installed monitoring equipment, and
data was produced to demonstrate the prior fulfilment of these inspection activities before the
simulation began.
Figure 1: The B5 weapon, which was represented by using a decommissioned ballistic casing of the UK's WE177 weapon
LETTERPRESS: Post-Simulation Report v2.0
7
Thus, LETTERPRESS began with a request made by the Inspectorate for an inspection visit
to the site, triggered by a notification of state A’s intent to send some B5s for dismantlement.
At the time of the inspection, B5s earmarked for the enduring stockpile were also present at
the site for refurbishment.
The inspection proceeded as follows:
• Inspectors arrived on site and collected data to verify whether the chain of custody
over the TMSB and the MESB had been maintained.
• To fulfil the correctness element of the verification protocol, the inspectors confirmed
the presence of one of the B5s declared as being on site for refurbishment, rather than
dismantlement. The weapon’s serial number and location were confirmed against the
declared inventory, and attribute and template measurements were made (the
template serving as the “trusted template” for comparison against all subsequent B5s
encountered during the lifetime of the verification regime).
• Inspectors then initiated into the verification regime a B5, declared as being scheduled
for dismantlement, by checking and recording its identity and location, then by
performing attribute measurements and confirming the radiation signature matched
the “trusted template”.
• A chain of custody was then established over the B5 scheduled for dismantlement and
a treaty-accountable unique identifier assigned to it before transportation to and
storage in the TMSB.
• To address the completeness element of the protocol, the inspectors undertook
absence measurements in a randomly chosen bunker declared to contain no B5s. The
absence measurement confirmed the lack of a neutron signature in the bunker.
• Inspectors then left the Notinghon site.
• The B5 scheduled for dismantlement was transported to the Dismantlement Site and
the Inspectorate notified of the movement, thus triggering an inspection visit to the
dismantlement site.
• Inspectors arrived at the Dismantlement Site and confirmed the authenticity and
integrity of the chain of custody measures on both the B5 and the Dismantlement Site
Measurement and Equipment Storage Location (DSMESL).
• Attribute and template re-confirmation measurements were made on the B5, as well
as confirming the treaty-accountable unique identifier, before the B5 was released by
the inspectors to be processed through dismantlement.
At this point, the scenario ended.
LETTERPRESS: Post-Simulation Report v2.0
8
2.0 Simulation Design
Simulation Planning & Organisation
To facilitate the planning of LETTERPRESS, working groups were created to focus on different
elements. Each working group had a Chair, as well as core working group members from each
of the Quad partner countries.
The Quad Governance Panel was formed to provide oversight of the direction of
LETTERPRESS and to ensure the Quad’s aims and objectives were being met.
The Management Working Group (M-WG) had overall responsibility for the successful
implementation of LETTERPRESS and included the chairs of the working groups below:
• The Protocol Development Working Group (P-WG) was responsible for developing a
protocol and associated backstory for the simulation.
• The Simulation Design Working Group (S-WG) focused on developing the functions of
the nuclear weapon site onto which the in-play implementation of the treaty protocol
could be overlaid.
• The Technology Working Group (T-WG) was responsible for identifying and fulfilling
the technology requirements of the simulation.
• The Training Working Group (Tr-WG) was responsible for developing a training
package to enable all those involved in the implementation of LETTERPRESS to carry
out their roles and tasks as necessary.
Whilst initially the Protocol Development and Simulation Design Working Groups worked
separately on their given responsibilities, they were later merged in order to pool together
resources to facilitate the creation and development of the inspection procedures and
supporting documentation.
For the running of the exercise, a simulation control team hosted two teams of players, a host
team and an inspection team.
LETTERPRESS: Post-Simulation Report v2.0
9
3.0 Protocol Development
Protocol Background
The New START protocol and the IAEA Comprehensive Safeguards Agreement served as
guides for the development of a protocol for the treaty in LETTERPRESS. The following
hierarchy emerged to translate high-level treaty aims into verification objectives and
procedures:
• Treaty: Described what the signatories agree to do, defined rights and obligations.
• Protocol: The high-level description of the verification approach and system – for
instance, defining the information to be shared and actions to be taken by the state to
fulfil obligations, and the verification provisions for verifying the information and
actions.
• Site specific procedures: The detailed description of how to execute the verification
tasks identified in the protocol on a specific site.
• Technical operating manuals: Describe how to use designated technical equipment in
line with verification procedures.
The LETTERPRESS simulation itself therefore only covered one aspect of the wider treaty,
i.e. the on-site verification of weapons before dismantlement. The elements of the protocol
exercised in LETTERPRESS are outlined in Section 1.3.
Inspection Mandate
3.2.1 Site Visits
In LETTERPRESS, each state shared with the Inspectorate the location, serial number, and
status of declared weapons, and that no other weapons existed. The inspection team was
mandated to verify this declared information, following agreed procedures.
Declaration correctness was verified by checking serial numbers and locations of weapons,
and by verifying that the declared weapons contained plutonium and produced the same
radiation signature as the trusted template.
The completeness of the declaration was tested by allowing measurements to verify the
absence of neutron emitting objects from a randomly chosen location on-site that had been
declared to not contain any treaty accountable items.
A chain of custody was then established over weapons that had been scheduled for
dismantlement.
It was the responsibility of the host team to work with the inspection team to understand the
objectives of the verification tasks, and to develop a plan to manage inspector access onto
the site. This enabled the collection of mandated data whilst protecting other sensitive
information.
As the inspection process was choreographed by the procedures, the inspection report
focused on whether the inspection team could collect all mandated data as per the procedures
and provided an official record of the data. The inspection team included records of
LETTERPRESS: Post-Simulation Report v2.0
10
complications and comments on whether the monitoring procedures were successfully
applied. This included any concerns of hindrance, in addition to the collected data and any
ambiguities found. The purpose of the report was not to record any judgement on treaty
compliance.
3.2.2 Ambiguity Resolution
In the event of minor ambiguities, the simulation control team encouraged the inspection and
host team leaders to agree on a resolution that could be recorded in the inspection report.
Such minor events might include a delay to a scheduled inspection activity, or a minor incident
whilst on site.
Major problems on the other hand, such as an inability to carry out mandated procedures,
were to be recorded in the inspection report for consideration at a higher level, analogous to
the Bilateral Consultative Commission as part of the implementation of the New START treaty
between the United States and Russia. This higher consideration would not form an explicit
part of the LETTERPRESS simulation.
Establishing a Chain of Custody over Retired Weapons
The purpose of including the chain of custody requirement in the LETTERPRESS scenario
was to investigate the potential challenge of maintaining a chain of custody through inter-site
transportation of Treaty Accountable Items (TAIs).
For LETTERPRESS, the chain of custody requirement applied to all B5 weapons declared to
be retired. This was to ensure that once items had been declared as such, they could be
effectively tracked from storage at Notinghon through to the dismantlement facility.
3.3.1 Maintaining the Chain of Custody over Weapons in Storage
As described in section 1.3, the chain of custody over the relevant facilities and their contents
was established prior to the start of the simulation. In the scenario, this was said to have been
achieved through the verification of facility design information and the establishment of a
monitoring system during previous site visits by a different team from the Inspectorate. The
system consisted of four layers:
• Unique identifiers for the weapons;
• Seals on the weapon container;
• CCTV to monitor the bunker environment; and
• Active seal on the bunker entrance to allow for, and recording when, the host had
accessed the bunker.
LETTERPRESS: Post-Simulation Report v2.0
11
4.0 Creating a Realistic Nuclear Enterprise
The activities described below were the defined host country ‘nuclear enterprise activities’
(NEAs) that would take place during the chosen B5 lifecycle covered by LETTERPRESS,
following standardised pre-established procedures. State A was considered to perform these
activities whether or not there is a treaty regime in place:
i. The B5s were transported by convoy from their deployment location to the interim
storage site where they arrived at the gate and are processed.
ii. The B5s were transported intra-site to a maintenance facility where they were prepared
for interim storage. This may have included the removal of any limited-life or safety
components.
iii. Post-maintenance, the B5s were transported intra-site to a storage bunker. The
segregation of B5s awaiting refurbishment from retired B5s awaiting dismantlement
was at the discretion of the site operator according to host country policies and
procedures.
Dismantlement/refurbishment processes
iv. When a B5 approached its scheduled processing date, it would progress to the next
stage of the respective dismantlement or refurbishment process. To initiate the
process, the B5 would be loaded onto transportation and would depart as part of a
convoy for the dismantlement or refurbishment facility, after ‘processing out’ actions
and records had been completed.
v. After transportation to the corresponding facility, the B5s were ‘processed in’.
vi. The B5s were then transported intra-site to a temporary staging bunker.
vii. The B5s would subsequently be dismantled, or refurbished, using established
procedures.
LETTERPRESS: Post-Simulation Report v2.0
12
5.0 Technology
Functional Requirements
Based on the simulation scenario, five areas that required verification technologies were
identified:
i. Confirmation of TAIs
ii. Verification of absence of a TAI or other nuclear or radioactive material
iii. Chain of Custody over locations and equipment
iv. Unique Identification of TAIs
v. Chain of Custody of TAI during transportation
5.1.1 Confirmation of TAIs
In support of verifying the accuracy of declarations, the B5s underwent radiation
measurements to confirm that they were B5s. The UK-Norway Initiative (UKNI) Information
Barrier (IB) and the Trusted Radiation Identification System (TRIS) were identified as
technologies to use in measuring gamma attributes and confirming radiation signature
templates, respectively. These technologies had been identified at the outset; therefore, the
T-WG did not need to consider alternative technologies or confirmation measures, such as
neutron signature or the presence of high explosives.
The important distinction between the IB and TRIS systems is how they confirm the presence
of a TAI. The UKNI IB evaluates whether the gamma spectrum of an object indicates the
presence of a declared attribute of the TAI, in this case the presence of weapons grade
plutonium. TRIS determines that the gamma signature of a declared item is similar to a
previously measured TAI, within the resolution of the 15 spectral energy windows measured
by TRIS’s gamma detector.
5.1.2 Verification of Absence of a Treaty Accountable Item
The site declaration detailed the locations on site which contained TAIs. The inspectors were
thus able to randomly choose a location that should not contain TAIs in which to perform a
measurement to confirm the absence of TAIs. In order to prevent unauthorised movement of
items in or out of the location before the inspectors arrived, an active seal called a CoCIM
(Chain of Custody Item Monitor) was placed on the locked entrance of the chosen location,
another bunker, within 45 minutes of the bunker being chosen. The data from the CoCIM
allowed the inspectors to confirm on arrival at the chosen location that the entrance had been
sealed within the correct timeframe and not opened until the inspectors arrived.
The absence of TAIs in the randomly chosen location was verified by confirming that no
eligible object in the location produced a neutron signal significantly above the background
rate. The RDE (Radiation Detection Equipment) used in New START was chosen for
performing this measurement due to its availability and the fact that it was a proven technology
from an existing verification regime.
The RDE could only be used to interrogate an item in qualifying circumstances. The object
had to be larger than a minimum dimension and the owner must have declined to open it and
reveal its contents. A tape measure was used to establish whether containers/items exhibited
LETTERPRESS: Post-Simulation Report v2.0
13
a dimension larger than the threshold dimension (as agreed in the protocol) and would thus
be eligible for interrogation. (Figure 2 shows a B5 container, which was eligible for
interrogation).
Figure 2: The container used to house the WE177, and thus used in LETTERPRESS as the B5 transport containers
The RDE was used to monitor two eligible objects and was able to determine the absence of
a B5 by confirming the lack of a neutron signature from either object.
5.1.3 Chain of Custody Over Locations and Equipment
Chain of custody measures were employed on the measurement and storage locations to
indicate any unauthorised attempts to gain access to the location and the equipment within.
Chain of custody measures were also emplaced on the inspectors’ equipment whilst left
unattended during the inspection and overnight, to maintain confidence in their authenticity.
5.1.4 Unique Identification of Treaty Accountable Items
Both applied and intrinsic unique identifiers (UID) were considered for the TAIs. It was decided
to use at least one of each during the simulation, providing redundancy through differing
approaches. In the end, availability of technologies was the deciding factor in choosing what
to use for LETTERPRESS.
Adhesive seals, Reflective Particle Tags (RPT), and a CoCIM were used to provide applied
UID signatures to verify the container identity during inspection: the RPT and adhesive seals,
being analogue signatures, and the CoCIM, a digital signature. Both the adhesive seals and
CoCIM are also designed to indicate unauthorised access to the container. Application of a
physical UID to the weapon was not allowed.
Eddy Current Tagging (ECT) was used to provide intrinsic UID of the B5 itself, to simulate
scenarios where an applied UID could not be used.
The Technology Working Group discussed whether the need for physical contact between the
ECT scanner and the weapon would present an issue for the weapon owner, and therefore
whether its deployment could be considered realistic. Though this might be a realistic
constraint, the risk posed could be assessed for individual weapon types. The decision was
LETTERPRESS: Post-Simulation Report v2.0
14
therefore taken to continue with the deployment of the ECT as the intrinsic UID technology.
Other technologies were considered (a non-contact laser interferometer for example), but the
ECT was the only deployable technology, which could signify a capability gap amongst Quad
participants.
The ECT, due to its low technology readiness level (TRL), was unable to verify the intrinsic
UID of the B5. Nevertheless, the impact of the failure of the ECT “in-play” was minimised due
to a layered approach in the chain of custody system; inspectors instead relied upon the
integrity and UID of the B5’s container.
5.1.5 Chain of Custody of Treaty Accountable Items During Transportation
CoC measures, specifically CoCIM and adhesive seals, were emplaced on the B5 containers
to provide evidence of whether they had been opened since inspection, and whether the B5s
had been tampered with during their transportation between sites.
Certification
Certification is the process by which the host party gains confidence that technologies conform
to necessary safety and security requirements for deployment at a specific location. Different
locations will have differing safety and security requirements based on the equipment and
materials present and the operations that take place. The host is likely to inspect thoroughly
all equipment used in the regime, potentially disassembling equipment and conducting tests
that must be passed prior to being certified for use.
In New START, for example, inspector-provided equipment goes through a 30-day inspection
by the host for certification before its entry into the state’s territory. This equipment is used
only to measure the absence of nuclear weapons; any equipment to be used in the vicinity of
nuclear weapons would likely face a significantly longer certification process. Following
certification, the equipment, in both New START and in LETTERPRESS, is then protected by
seals between uses and kept in inspector (or jointly controlled) storage. The host, at the
direction of the inspector, then operates it.
5.2.1 Safety
Certification for the safe operation of equipment on a host site would be driven by concerns
over explosives, electrical, and radiation safety. It is possible that the safety requirements will
be quite diverse between different nuclear weapon states.
For the simulation, the real-world safety assessments of the deployed technologies,
undertaken by the logistics team to ensure the simulation took place safely were also used as
a proxy for facility certification within the simulation itself.
Certification of equipment to ensure that it does not reveal sensitive information is of great
importance to the host party. This includes hardware, data, processes, and procedures. In
LETTERPRESS, all verification equipment was presumed to be host-supplied and host-
operated as part of the security certification. A combination of technology and procedures
ensured that no “sensitive” information was revealed to the inspectors during the exercise. For
example, gamma and neutron counters were only directly used for measuring absence of
material, while confirmation measurements on simulated classified materials were made
utilising information barriers or encrypted templates.
LETTERPRESS: Post-Simulation Report v2.0
15
Authentication
Authentication is the process by which the inspecting party gains confidence that the
information reported by a monitoring system accurately reflects the true state of the object
targeted by the system. A major concern which authentication measures are proposed to
address is the possibility of equipment having been purposefully modified to alter the data
received by the inspecting party. Authentication may be a crucial component of technical
verification measures in the future since good decisions need reliable data. Nevertheless,
authentication of equipment was not a primary focus of LETTERPRESS since the time
available for the simulation and the goals set for it meant it was not well suited to testing
authentication options.
The technology working group was asked to consider how they might authenticate equipment
given the set of conditions described in the scenario. Two important conditions were that the
host state would provide all inspection equipment and would operate it in-field. A linked
approach consisting of four complementary testing levels was suggested:
i. Initial tests could be done in the inspecting party’s country on a randomly selected set
of equipment. This testing could be destructive, since the equipment will not be
returned to the host and would not be used in the monitoring regime. Equipment
presented by the host but not selected for initial tests could be placed under a joint
chain of custody ready for use in the field and could be subject to the next level of
testing, “acceptance tests”.
ii. Acceptance tests could be conducted when the host supplies equipment to be used in
the monitoring regime. These tests could be done in the presence of the host, likely
taking place in the host country.
iii. Inspection tests could be conducted at the beginning of each inspection and could be
more limited in scope than acceptance tests, designed to provide confidence that the
equipment is the same equipment that was accepted and that the accepted equipment
has not been tampered with since last inspection. These tests could also be performed
in the presence of the host.
iv. Daily tests could be conducted each subsequent day after the inspection tests and
would be most limited in scope. These tests would be designed to provide confidence
that the equipment functions as expected before being used.
It was noted that the host requirement to maintain the safety and security certification of
equipment would limit the scope of possible authentication measures on field-deployable
equipment. Because of the need to balance both inspecting party and host party concerns,
the group recommended that authentication requirements form a core part of the
considerations during the development of a verification regime for scenarios similar to
LETTERPRESS. This would enable both equipment design and procedural development to
be influenced by the requirements of authentication.
Managed Access and Chain of Custody of Verification Equipment and Data
Generally, managed access issues affected the procedures more than the selection of
technologies. In order to maintain confidence in the certification of all hardware, the inspecting
party would not be allowed to touch or operate any of the equipment; all equipment was to be
LETTERPRESS: Post-Simulation Report v2.0
16
operated by the hosts. Therefore, the procedures were written from the perspective of host
operation and inspector observation.
It was therefore important that the inspectors were able to maintain custody over equipment
(and the data that it collects) whilst in storage, during transport, and in use.
A notional CCTV system was supposed to form the backbone of the containment and
surveillance system designed to maintain custody over the facilities and their contents.
Unfortunately, the pre-simulation training and communication to the inspectors regarding this
system was not sufficient, which led to the inspectors not feeling confident about its integrity.
The inspectors instead relied on a combination of Tamper Indicating Enclosures (TIEs) and
observation to manage the risk of the host team accessing equipment and data. Secure vials
that could only be opened by irreparably damaging them were used to transport data.
There was one notable exception to the inspector hands-off rule: because TRIS’s procedures
are hardcoded into its firmware, several pieces of data and hardware were brought into and
out of the site by the inspectors. A seed (number) had to be brought in by the inspectors to be
used for public/private key generation in the form of an iButton (a memory storage device) and
had to remain in their possession even upon exit of the facility. If the host party had knowledge
of the seeds that were used, the host could regenerate the private key enabling the creation
of a fake template. In addition, the inspectors needed to bring a copy of the public key, also in
the form of an iButton, in and out with them to confirm the template signature during
confirmation measurements. A theoretical discussion was held in the technology working
group during development of the simulation to consider how to handle the inspector-provided
iButtons. The standard recommended authentication steps for host supplied equipment
followed a process initiated with the inspectors randomly selecting equipment for
authentication. For the iButtons, the group considered whether the roles could be reversed,
i.e. whether the host could suitably certify inspector-provided iButtons following a process
whereby the host randomly selected iButtons for security certification. The low cost of
individual buttons and the simplicity of their design led to a view that this approach could work.
In addition to the iButtons, the inspectors were allowed to bring a sheet of paper that contained
the hash codes that the TRIS should produce in response to a challenge number. This
procedure is part of the TRIS firmware authentication.
LETTERPRESS: Post-Simulation Report v2.0
17
6.0 Training
The participants, coming from four different nations, had a considerable variety of experience
with nuclear dismantlement verification. As such, the training had to ensure that a base-level
of knowledge was obtained by all to cover the scenario, on-site inspections, technologies, and
procedures. All participants also required site-specific knowledge of the Secure Storage Area
at RAF Honington.
Training was divided into two parts: read-ahead material, and on-site training at Honington,
consisting of both generic and role-specific training. Distributing read-ahead material offered
the benefit of reducing the time required for on-site training and allowed experienced
personnel to skip sections of the training with which they were already familiar.
All LETTERPRESS participants received Training Package A one month ahead of the
exercise. This consisted of:
• Introduction to the exercise, general announcements, and important dates
• Introduction to Radiation Safety
• Introduction to Radiation Detection
• Introduction to Arms Control Principles
Training Package B was given to players on the first day of training at Honington, one version
for the inspectors and another for the host team.
The controllers and evaluators also received a Controller and Evaluator Handbook.
LETTERPRESS: Post-Simulation Report v2.0
18
7.0 Future Research
This section outlines the overall recommendations from LETTERPRESS. The simulation
provided a range of insights for all participants in the application of verification concepts and
monitoring technologies with multilateral partners in a simulated set of nuclear weapons
facilities. Lessons were identified that are relevant to the development of field-ready
measurement instrumentation, procedures for their use when verifying declarations during on-
site inspections, and the functionality of multilateral inspection teams.
LETTERPRESS emphasised that the continued engagement of NNWS and NWS is necessary
to foster trust and ownership of technical solutions and to understand the demands and
limitations in ensuring the protection of sensitive information in a nuclear weapons verification
context.
The recommendations cover areas for future work in general verification concepts and
technologies.
Verification Concepts
A systems-level approach should be taken to derive verification concepts, parameters, and
objectives. Drawing from the experiences in existing verification regimes (such as IAEA
Safeguards, CWC, and New START), this approach should:
i. Provide partner-agreed definitions of treaty elements, facilities, and monitoring regime
concepts.
ii. Drive the definition of requirements and gaps for possible verification options.
iii. Explore declaration and information exchange options.
iv. Allow evaluation of options for data and information handling, mapped to on-site
inspection and the possibility of remote monitoring.
Further developing a model state as a case study, building on that created for
LETTERPRESS, should be created that can be used as a building block for future exercises
that investigate different parts of a verification regime.
A study should be initiated which focuses on an overarching verification system to verify
declarations made about an inventory of items, rather than focusing on verifying the
characteristics of individual items.
An inspection team’s ability to keep a chain of custody over an enduring weapon stockpile
should be investigated, from an initial inspection visit to a visit that occurs much later in time.
Absence verification, to address the issue of declaration completeness, should be the subject
of further investigation. This should include the development of explicit procedures for
“locking-down” locations chosen for absence measurements, and an investigation of the
statistical significance of the number of locations chosen for absence measurements in
relation to the overall site.
A verification approach that addresses the potential conflict between transparency and
secrecy in acceptance of a treaty accountable item into a verification regime should be
LETTERPRESS: Post-Simulation Report v2.0
19
explored. Investigations should cover in greater detail what constitutes a treaty accountable
item, and what information is required to identify them uniquely.
Verification Technologies
The management, encryption, and authentication of data collected during an inspection should
be an area of further research.
Variations to the LETTERPRESS monitoring regime that deploy different technologies, or a
combination of technologies, should be exercised and assessed.
Future technical work should explore authentication and certification methodologies for
verification technologies, as this was not exercised in LETTERPRESS. Deep dive
investigations of authentication on selected equipment are recommended for a future exercise
and should:
i. Prioritise custom-designed equipment (verification technologies deployed in
LETTERPRESS are considered a priority - UKNI IB, TRIS, RDE), and then exercise
developed methodologies on commercial off-the-shelf technologies.
ii. Develop and exercise authentication procedures for the four possible stages in the
monitoring regime, as outlined in Section 5.3 (Initial tests, Acceptance tests, Inspection
tests, Daily tests).
iii. Exercise and evaluate authentication on both host-supplied and inspector-supplied
equipment.
The experiences of using technology in developed arms control regimes (such as New
START) should be reviewed, as appropriate. The objective would be to explore issues of trust
and authentication, safety and certification, and the establishment and maintenance of chains
of custody on selected, representative equipment, such as the UKNI IB and TRIS.
LETTERPRESS partners should continue developing and exercising verification technologies,
and associated procedures, to address arms control and on-site inspection challenges.
Recommendations for future work include:
i. Review verification equipment designs and deployment experiences in order to refine
requirements for future development. Include information barrier system designs and
approaches in the review.
ii. Review and extract best practices for procedures from mature, deployed, and trusted
technologies such as TRIS or RDE. Procedures should specifically address how to
handle equipment failures or ambiguities in analytical results.
iii. Continue development of prototype technologies and associated procedures.
iv. Use verification equipment in exercises like LETTERPRESS to allow the technology
experts to discern gaps that will influence next steps in equipment design and
performance.
LETTERPRESS: Post-Simulation Report v2.0
20
Future designs of host-operated equipment should consider the need to make operations
observable by the inspectors. The operator’s hands, for example, easily obscure small
screens and buttons which can diminish the inspecting party’s confidence in the procedure.
The integration of results from multiple verification techniques, as part of a wider systems
approach, should be tested in future exercises.
LETTERPRESS: Post-Simulation Report v2.0
21
8.0 Achievements of the Simulation
This report details the first instance of a quadrilateral initiative involving both NWS and NNWS
to address challenges and to identify potential solutions associated with the verification of
future arms control treaties and agreements. Through joint discussion and specific planning
activities, the Quad was able to implement the LETTERPRESS simulation successfully,
including the following highlights:
• Provided players, both hosts and inspectors, with an insight into the types of
interactions and managed access activities one might experience during a verification
event.
• Provided an element of realism by using a military base previously used to store
nuclear weapons and a ballistic casing and container from a former nuclear weapon
system (shown in Figure 1).
• Deployed technologies to demonstrate concepts of absence and confirmation
measurements.
• Used containment and surveillance equipment to establish and maintain a chain of
custody over bunkers, containers, and the treaty accountable items.
LETTERPRESS: Post-Simulation Report v2.0
22
9.0 Acknowledgement
The Chair of the Management Working Group would like to thank all those who have
contributed to the successful delivery of LETTERPRESS, from the working group members
and supporting staff who helped facilitate LETTERPRESS, to the players, subject matter
experts, controllers, and evaluators who participated in the final event. Specific appreciation
also goes to all those who have contributed to the creation, review, and editing of this
document.
LETTERPRESS: Post-Simulation Report v2.0
23
Annex 1: Glossary
Term Meaning
CCTV Closed Circuit Television
CoC Chain of Custody
CoCIM Chain of Custody Item Monitor
CWC Chemical Weapons Convention
DSMESL Dismantlement Site Measurement and Equipment Storage Location
ECT Eddy Current Tagging
HPGe High Purity Germanium
IAEA International Atomic Energy Agency
IB Information Barrier
MESB Measurement and Equipment Storage Bunker
M-WG Management Working Group
NEA Nuclear Enterprise Activities
NNWS Non-Nuclear Weapon State
NO Norway
NW Nuclear Weapon
NWS Nuclear Weapon State
NNWS Non-Nuclear Weapon State
P-WG Protocol Development Working Group
RAF Royal Air Force
RDE Radiation Detection Equipment
RPT Reflective Particle Tags
SE Sweden
SSA Supplementary Storage Area
START Strategic Arms Reduction Treaty
S-WG Simulation Design Working Group
TAI Treaty Accountable Item
TIE Tamper Indicating Enclosure
TMSB Treaty Monitored Storage Bunker
TRIS Trusted Radiation Identification System
TRL Technology Readiness Level
Tr-WG Training Working Group
T-WG Technology Working Group
UID Unique Identifier
UK United Kingdom
UKNI UK Norway Initiative
US United States
WE177 UK legacy nuclear weapon
WG Working Group