LETTERPRESS: Post-Simulation Report

LETTERPRESS: Post-Simulation Report v2.0

1

LETTERPRESS: Post-Simulation Report

LETTERPRESS Simulation

0


2

Executive Summary

This report provides an overview of the planning and execution of LETTERPRESS.

LETTERPRESS was a nuclear weapons disarmament verification simulation carried out by

the Quadrilateral Nuclear Verification Partnership, known as the ‘Quad’, comprising the United

Kingdom, the United States, Norway and Sweden. The objective was to carry out a nuclear

weapons verification simulation in a representative nuclear weapons facility, using non-

proliferative, but representative, treaty items. The first instance of its kind, it was designed to

enable Nuclear Weapon State (NWS) and Non-Nuclear Weapon State (NNWS) actors to

participate in an arms control scenario. It was intended to assist the development of

techniques, procedures and methods that could be used to inform nuclear weapons

verification requirements.

The simulation focused on two site inspections as part of a wider scenario in which two NWS

have agreed to a significant reduction in their respective nuclear weapon stockpiles and have

invited two neighbouring NNWS to be part of the Inspectorate tasked with technical verification

of the state declarations.

The simulation took place at RAF Honington, UK, between the 16th and 19th of October 2017.

It used genuine former nuclear weapon storage bunkers and ballistic casings of retired nuclear

weapon systems to enhance the realism of the exercise.

LETTERPRESS was considered a success. It provided players with experience of verification

activities associated with managed access to nuclear weapon facilities, deployment and use

of verification equipment, and host-inspector interactions. It enabled the Quad partners to

identify opportunities where concepts, technologies, and measures might be applied to inform

future verification requirements, and it provided the partners with the experience of developing

a protocol and associated verification procedures.

The priorities identified for future work within the Quad are:

• To take a systems-level approach to derive verification concepts, parameters, and

objectives applicable to nuclear weapons arms control;

• To investigate the management, encryption, and authentication of data collected

during an inspection.

Based upon the experiences of the players and planners in the LETTERPRESS simulation,

the continued engagement between NNWS and NWS is necessary to foster trust and

ownership of technical and procedural solutions. Engaging in these simulation activities helps

to develop understanding of the demands and limitations in ensuring protection of sensitive

information whilst allowing verification of declarations in a nuclear weapons context.


3

Table of Contents Executive Summary ............................................................................................................... 2

1.0 Introduction ................................................................................................................. 5

Background ............................................................................................................................... 5

Simulation Objectives ............................................................................................................... 5

Simulation Scenario .................................................................................................................. 5

2.0 Simulation Design ....................................................................................................... 8

Simulation Planning & Organisation ......................................................................................... 8

3.0 Protocol Development ................................................................................................. 9

Protocol Background ................................................................................................................ 9

Inspection Mandate.................................................................................................................. 9

3.2.1 Site Visits .......................................................................................................................... 9

3.2.2 Ambiguity Resolution ..................................................................................................... 10

Establishing a Chain of Custody over Retired Weapons ......................................................... 10

3.3.1 Maintaining the Chain of Custody over Weapons in Storage ........................................ 10

4.0 Creating a Realistic Nuclear Enterprise ......................................................................11

5.0 Technology ................................................................................................................12

Functional Requirements ....................................................................................................... 12

5.1.1 Confirmation of TAIs ...................................................................................................... 12

5.1.2 Verification of Absence of a Treaty Accountable Item .................................................. 12

5.1.3 Chain of Custody Over Locations and Equipment.......................................................... 13

5.1.4 Unique Identification of Treaty Accountable Items ....................................................... 13

5.1.5 Chain of Custody of Treaty Accountable Items During Transportation ......................... 14

Certification ............................................................................................................................ 14

5.2.1 Safety ............................................................................................................................. 14

Authentication ........................................................................................................................ 15

Managed Access and Chain of Custody of Verification Equipment and Data ........................ 15

6.0 Training ......................................................................................................................17

7.0 Future Research ........................................................................................................18

Verification Concepts ............................................................................................................. 18

Verification Technologies ....................................................................................................... 19

8.0 Achievements of the Simulation .................................................................................21

9.0 Acknowledgement ......................................................................................................22

Annex 1: Glossary ................................................................................................................23


4

Figures

Figure 1 - The B5 weapon, which was represented by using a decommissioned ballistic casing

of the UK's WE177 weapon………………………………………………………………………...6

Figure 2 - The container used to house the WE177, and thus used in LETTERPRESS as the

B5 transport containers …..………………………………………………………………………...13


5

1.0 Introduction

Background

In 2015, Norway (NO), Sweden (SE), United Kingdom (UK) and the United States (US)

initiated a multi-year arms control initiative, referred to as the ‘Quad’. The Quad builds on

previous experience from the UK-Norway and UK-US bilateral work to study the challenges

associated with monitoring aspects of future nuclear arms control treaties and agreements.

The initial aim of the Quad was to develop a repeatable, highly realistic arms control simulation

within which monitoring capabilities and approaches could be developed, exercised, and

evaluated. The simulation was to take place in representative facilities using non-proliferative,

but representative, treaty items. This would enable Non-Nuclear Weapon State (NNWS) and

Nuclear Weapon State (NWS) actors to participate in arms control scenarios and develop

methodologies, techniques, and procedures such that future treaty verification regimes may

address both NNWS and NWS concerns, thereby increasing the confidence and success

probability for those regimes.

The first simulation undertaken by the Quad, called LETTERPRESS, took place between the

16th and 19th of October 2017.

Simulation Objectives

The following goals for planning and executing LETTERPRESS were set in response to the

aims of the Quad:

• Goal A - Provide players with the experience of verification activities associated with

managed access to nuclear weapon (NW) facilities, deployment and use of verification

equipment, and general host-inspector interactions.

• Goal B - Enable Quad partners to identify opportunities where future concepts,

verification technologies and measures may be applied, or where changes to

procedures may be required to support future verification requirements.

• Goal C - Provide Quad partners with the experience of developing a protocol and

associated verification procedures.

Simulation Scenario

Two nuclear weapon states (NWS), states A and B, agreed to a significant reduction in their

respective nuclear weapon stockpiles. The two NWS further agreed to include two

neighbouring non-nuclear weapons states (NNWS) as part of the Inspectorate tasked with

confirming the technical aspects of the monitoring regime.

LETTERPRESS simulated single inspections at two nuclear sites within State A. The sites

were called “Notinghon” and the “Dismantlement Site”.


6

Notinghon was described as an Interim Storage Site where nuclear weapons that have been

removed from active service were stored awaiting either retirement and dismantlement, or

refurbishment. The Supplementary Storage Area, or SSA, at RAF Honington in the east of

England, served as “Notinghon” for the simulation.

The Dismantlement Site was described as a site where retired nuclear weapons were sent to

be dismantled. Separate buildings within the SSA at RAF Honington were used to simulate

the relevant buildings within the Dismantlement Site.

The weapons in the scenario were designated as “B5” free fall weapons (see Figure 1).

The simulation was predicated upon critical verification activities having taken place at a point

in time prior to the inspection simulated during LETTERPRESS itself. Specifically, the

Inspectorate was assumed to have sufficiently verified facility design information related to

certain buildings that were featured during LETTERPRESS. The Inspectorate had then

installed a monitoring system to maintain a continuity of knowledge over the status of the

buildings themselves and the contents of the buildings. The buildings for which this was

assumed to have taken place were:

• A bunker used to store the retired weapon once initiated into the verification regime

(termed the Treaty Monitored Storage Bunker, or TMSB, in the simulation).

• A bunker used to store the inspectors’ equipment and to subject B5 bombs to

verification measurements (termed the Measurement and Equipment Storage Bunker,

or MESB).

• The equivalent storage building at the Dismantlement Facility (termed the

Dismantlement Site Measurement and Equipment Storage Location, or DSMESL).

The relevant locations were therefore pre-set with pre-installed monitoring equipment, and

data was produced to demonstrate the prior fulfilment of these inspection activities before the

simulation began.

Figure 1: The B5 weapon, which was represented by using a decommissioned ballistic casing of the UK's WE177 weapon


7

Thus, LETTERPRESS began with a request made by the Inspectorate for an inspection visit

to the site, triggered by a notification of state A’s intent to send some B5s for dismantlement.

At the time of the inspection, B5s earmarked for the enduring stockpile were also present at

the site for refurbishment.

The inspection proceeded as follows:

• Inspectors arrived on site and collected data to verify whether the chain of custody

over the TMSB and the MESB had been maintained.

• To fulfil the correctness element of the verification protocol, the inspectors confirmed

the presence of one of the B5s declared as being on site for refurbishment, rather than

dismantlement. The weapon’s serial number and location were confirmed against the

declared inventory, and attribute and template measurements were made (the

template serving as the “trusted template” for comparison against all subsequent B5s

encountered during the lifetime of the verification regime).

• Inspectors then initiated into the verification regime a B5, declared as being scheduled

for dismantlement, by checking and recording its identity and location, then by

performing attribute measurements and confirming the radiation signature matched

the “trusted template”.

• A chain of custody was then established over the B5 scheduled for dismantlement and

a treaty-accountable unique identifier assigned to it before transportation to and

storage in the TMSB.

• To address the completeness element of the protocol, the inspectors undertook

absence measurements in a randomly chosen bunker declared to contain no B5s. The

absence measurement confirmed the lack of a neutron signature in the bunker.

• Inspectors then left the Notinghon site.

• The B5 scheduled for dismantlement was transported to the Dismantlement Site and

the Inspectorate notified of the movement, thus triggering an inspection visit to the

dismantlement site.

• Inspectors arrived at the Dismantlement Site and confirmed the authenticity and

integrity of the chain of custody measures on both the B5 and the Dismantlement Site

Measurement and Equipment Storage Location (DSMESL).

• Attribute and template re-confirmation measurements were made on the B5, as well

as confirming the treaty-accountable unique identifier, before the B5 was released by

the inspectors to be processed through dismantlement.

At this point, the scenario ended.


8

2.0 Simulation Design

Simulation Planning & Organisation

To facilitate the planning of LETTERPRESS, working groups were created to focus on different

elements. Each working group had a Chair, as well as core working group members from each

of the Quad partner countries.

The Quad Governance Panel was formed to provide oversight of the direction of

LETTERPRESS and to ensure the Quad’s aims and objectives were being met.

The Management Working Group (M-WG) had overall responsibility for the successful

implementation of LETTERPRESS and included the chairs of the working groups below:

• The Protocol Development Working Group (P-WG) was responsible for developing a

protocol and associated backstory for the simulation.

• The Simulation Design Working Group (S-WG) focused on developing the functions of

the nuclear weapon site onto which the in-play implementation of the treaty protocol

could be overlaid.

• The Technology Working Group (T-WG) was responsible for identifying and fulfilling

the technology requirements of the simulation.

• The Training Working Group (Tr-WG) was responsible for developing a training

package to enable all those involved in the implementation of LETTERPRESS to carry

out their roles and tasks as necessary.

Whilst initially the Protocol Development and Simulation Design Working Groups worked

separately on their given responsibilities, they were later merged in order to pool together

resources to facilitate the creation and development of the inspection procedures and

supporting documentation.

For the running of the exercise, a simulation control team hosted two teams of players, a host

team and an inspection team.


9

3.0 Protocol Development

Protocol Background

The New START protocol and the IAEA Comprehensive Safeguards Agreement served as

guides for the development of a protocol for the treaty in LETTERPRESS. The following

hierarchy emerged to translate high-level treaty aims into verification objectives and

procedures:

• Treaty: Described what the signatories agree to do, defined rights and obligations.

• Protocol: The high-level description of the verification approach and system – for

instance, defining the information to be shared and actions to be taken by the state to

fulfil obligations, and the verification provisions for verifying the information and

actions.

• Site specific procedures: The detailed description of how to execute the verification

tasks identified in the protocol on a specific site.

• Technical operating manuals: Describe how to use designated technical equipment in

line with verification procedures.

The LETTERPRESS simulation itself therefore only covered one aspect of the wider treaty,

i.e. the on-site verification of weapons before dismantlement. The elements of the protocol

exercised in LETTERPRESS are outlined in Section 1.3.

Inspection Mandate

3.2.1 Site Visits

In LETTERPRESS, each state shared with the Inspectorate the location, serial number, and

status of declared weapons, and that no other weapons existed. The inspection team was

mandated to verify this declared information, following agreed procedures.

Declaration correctness was verified by checking serial numbers and locations of weapons,

and by verifying that the declared weapons contained plutonium and produced the same

radiation signature as the trusted template.

The completeness of the declaration was tested by allowing measurements to verify the

absence of neutron emitting objects from a randomly chosen location on-site that had been

declared to not contain any treaty accountable items.

A chain of custody was then established over weapons that had been scheduled for

dismantlement.

It was the responsibility of the host team to work with the inspection team to understand the

objectives of the verification tasks, and to develop a plan to manage inspector access onto

the site. This enabled the collection of mandated data whilst protecting other sensitive

information.

As the inspection process was choreographed by the procedures, the inspection report

focused on whether the inspection team could collect all mandated data as per the procedures

and provided an official record of the data. The inspection team included records of


10

complications and comments on whether the monitoring procedures were successfully

applied. This included any concerns of hindrance, in addition to the collected data and any

ambiguities found. The purpose of the report was not to record any judgement on treaty

compliance.

3.2.2 Ambiguity Resolution

In the event of minor ambiguities, the simulation control team encouraged the inspection and

host team leaders to agree on a resolution that could be recorded in the inspection report.

Such minor events might include a delay to a scheduled inspection activity, or a minor incident

whilst on site.

Major problems on the other hand, such as an inability to carry out mandated procedures,

were to be recorded in the inspection report for consideration at a higher level, analogous to

the Bilateral Consultative Commission as part of the implementation of the New START treaty

between the United States and Russia. This higher consideration would not form an explicit

part of the LETTERPRESS simulation.

Establishing a Chain of Custody over Retired Weapons

The purpose of including the chain of custody requirement in the LETTERPRESS scenario

was to investigate the potential challenge of maintaining a chain of custody through inter-site

transportation of Treaty Accountable Items (TAIs).

For LETTERPRESS, the chain of custody requirement applied to all B5 weapons declared to

be retired. This was to ensure that once items had been declared as such, they could be

effectively tracked from storage at Notinghon through to the dismantlement facility.

3.3.1 Maintaining the Chain of Custody over Weapons in Storage

As described in section 1.3, the chain of custody over the relevant facilities and their contents

was established prior to the start of the simulation. In the scenario, this was said to have been

achieved through the verification of facility design information and the establishment of a

monitoring system during previous site visits by a different team from the Inspectorate. The

system consisted of four layers:

• Unique identifiers for the weapons;

• Seals on the weapon container;

• CCTV to monitor the bunker environment; and

• Active seal on the bunker entrance to allow for, and recording when, the host had

accessed the bunker.


11

4.0 Creating a Realistic Nuclear Enterprise

The activities described below were the defined host country ‘nuclear enterprise activities’

(NEAs) that would take place during the chosen B5 lifecycle covered by LETTERPRESS,

following standardised pre-established procedures. State A was considered to perform these

activities whether or not there is a treaty regime in place:

i. The B5s were transported by convoy from their deployment location to the interim

storage site where they arrived at the gate and are processed.

ii. The B5s were transported intra-site to a maintenance facility where they were prepared

for interim storage. This may have included the removal of any limited-life or safety

components.

iii. Post-maintenance, the B5s were transported intra-site to a storage bunker. The

segregation of B5s awaiting refurbishment from retired B5s awaiting dismantlement

was at the discretion of the site operator according to host country policies and

procedures.

Dismantlement/refurbishment processes

iv. When a B5 approached its scheduled processing date, it would progress to the next

stage of the respective dismantlement or refurbishment process. To initiate the

process, the B5 would be loaded onto transportation and would depart as part of a

convoy for the dismantlement or refurbishment facility, after ‘processing out’ actions

and records had been completed.

v. After transportation to the corresponding facility, the B5s were ‘processed in’.

vi. The B5s were then transported intra-site to a temporary staging bunker.

vii. The B5s would subsequently be dismantled, or refurbished, using established

procedures.


12

5.0 Technology

Functional Requirements

Based on the simulation scenario, five areas that required verification technologies were

identified:

i. Confirmation of TAIs

ii. Verification of absence of a TAI or other nuclear or radioactive material

iii. Chain of Custody over locations and equipment

iv. Unique Identification of TAIs

v. Chain of Custody of TAI during transportation

5.1.1 Confirmation of TAIs

In support of verifying the accuracy of declarations, the B5s underwent radiation

measurements to confirm that they were B5s. The UK-Norway Initiative (UKNI) Information

Barrier (IB) and the Trusted Radiation Identification System (TRIS) were identified as

technologies to use in measuring gamma attributes and confirming radiation signature

templates, respectively. These technologies had been identified at the outset; therefore, the

T-WG did not need to consider alternative technologies or confirmation measures, such as

neutron signature or the presence of high explosives.

The important distinction between the IB and TRIS systems is how they confirm the presence

of a TAI. The UKNI IB evaluates whether the gamma spectrum of an object indicates the

presence of a declared attribute of the TAI, in this case the presence of weapons grade

plutonium. TRIS determines that the gamma signature of a declared item is similar to a

previously measured TAI, within the resolution of the 15 spectral energy windows measured

by TRIS’s gamma detector.

5.1.2 Verification of Absence of a Treaty Accountable Item

The site declaration detailed the locations on site which contained TAIs. The inspectors were

thus able to randomly choose a location that should not contain TAIs in which to perform a

measurement to confirm the absence of TAIs. In order to prevent unauthorised movement of

items in or out of the location before the inspectors arrived, an active seal called a CoCIM

(Chain of Custody Item Monitor) was placed on the locked entrance of the chosen location,

another bunker, within 45 minutes of the bunker being chosen. The data from the CoCIM

allowed the inspectors to confirm on arrival at the chosen location that the entrance had been

sealed within the correct timeframe and not opened until the inspectors arrived.

The absence of TAIs in the randomly chosen location was verified by confirming that no

eligible object in the location produced a neutron signal significantly above the background

rate. The RDE (Radiation Detection Equipment) used in New START was chosen for

performing this measurement due to its availability and the fact that it was a proven technology

from an existing verification regime.

The RDE could only be used to interrogate an item in qualifying circumstances. The object

had to be larger than a minimum dimension and the owner must have declined to open it and

reveal its contents. A tape measure was used to establish whether containers/items exhibited


13

a dimension larger than the threshold dimension (as agreed in the protocol) and would thus

be eligible for interrogation. (Figure 2 shows a B5 container, which was eligible for

interrogation).

Figure 2: The container used to house the WE177, and thus used in LETTERPRESS as the B5 transport containers

The RDE was used to monitor two eligible objects and was able to determine the absence of

a B5 by confirming the lack of a neutron signature from either object.

5.1.3 Chain of Custody Over Locations and Equipment

Chain of custody measures were employed on the measurement and storage locations to

indicate any unauthorised attempts to gain access to the location and the equipment within.

Chain of custody measures were also emplaced on the inspectors’ equipment whilst left

unattended during the inspection and overnight, to maintain confidence in their authenticity.

5.1.4 Unique Identification of Treaty Accountable Items

Both applied and intrinsic unique identifiers (UID) were considered for the TAIs. It was decided

to use at least one of each during the simulation, providing redundancy through differing

approaches. In the end, availability of technologies was the deciding factor in choosing what

to use for LETTERPRESS.

Adhesive seals, Reflective Particle Tags (RPT), and a CoCIM were used to provide applied

UID signatures to verify the container identity during inspection: the RPT and adhesive seals,

being analogue signatures, and the CoCIM, a digital signature. Both the adhesive seals and

CoCIM are also designed to indicate unauthorised access to the container. Application of a

physical UID to the weapon was not allowed.

Eddy Current Tagging (ECT) was used to provide intrinsic UID of the B5 itself, to simulate

scenarios where an applied UID could not be used.

The Technology Working Group discussed whether the need for physical contact between the

ECT scanner and the weapon would present an issue for the weapon owner, and therefore

whether its deployment could be considered realistic. Though this might be a realistic

constraint, the risk posed could be assessed for individual weapon types. The decision was


14

therefore taken to continue with the deployment of the ECT as the intrinsic UID technology.

Other technologies were considered (a non-contact laser interferometer for example), but the

ECT was the only deployable technology, which could signify a capability gap amongst Quad

participants.

The ECT, due to its low technology readiness level (TRL), was unable to verify the intrinsic

UID of the B5. Nevertheless, the impact of the failure of the ECT “in-play” was minimised due

to a layered approach in the chain of custody system; inspectors instead relied upon the

integrity and UID of the B5’s container.

5.1.5 Chain of Custody of Treaty Accountable Items During Transportation

CoC measures, specifically CoCIM and adhesive seals, were emplaced on the B5 containers

to provide evidence of whether they had been opened since inspection, and whether the B5s

had been tampered with during their transportation between sites.

Certification

Certification is the process by which the host party gains confidence that technologies conform

to necessary safety and security requirements for deployment at a specific location. Different

locations will have differing safety and security requirements based on the equipment and

materials present and the operations that take place. The host is likely to inspect thoroughly

all equipment used in the regime, potentially disassembling equipment and conducting tests

that must be passed prior to being certified for use.

In New START, for example, inspector-provided equipment goes through a 30-day inspection

by the host for certification before its entry into the state’s territory. This equipment is used

only to measure the absence of nuclear weapons; any equipment to be used in the vicinity of

nuclear weapons would likely face a significantly longer certification process. Following

certification, the equipment, in both New START and in LETTERPRESS, is then protected by

seals between uses and kept in inspector (or jointly controlled) storage. The host, at the

direction of the inspector, then operates it.

5.2.1 Safety

Certification for the safe operation of equipment on a host site would be driven by concerns

over explosives, electrical, and radiation safety. It is possible that the safety requirements will

be quite diverse between different nuclear weapon states.

For the simulation, the real-world safety assessments of the deployed technologies,

undertaken by the logistics team to ensure the simulation took place safely were also used as

a proxy for facility certification within the simulation itself.

Certification of equipment to ensure that it does not reveal sensitive information is of great

importance to the host party. This includes hardware, data, processes, and procedures. In

LETTERPRESS, all verification equipment was presumed to be host-supplied and host-

operated as part of the security certification. A combination of technology and procedures

ensured that no “sensitive” information was revealed to the inspectors during the exercise. For

example, gamma and neutron counters were only directly used for measuring absence of

material, while confirmation measurements on simulated classified materials were made

utilising information barriers or encrypted templates.


15

Authentication

Authentication is the process by which the inspecting party gains confidence that the

information reported by a monitoring system accurately reflects the true state of the object

targeted by the system. A major concern which authentication measures are proposed to

address is the possibility of equipment having been purposefully modified to alter the data

received by the inspecting party. Authentication may be a crucial component of technical

verification measures in the future since good decisions need reliable data. Nevertheless,

authentication of equipment was not a primary focus of LETTERPRESS since the time

available for the simulation and the goals set for it meant it was not well suited to testing

authentication options.

The technology working group was asked to consider how they might authenticate equipment

given the set of conditions described in the scenario. Two important conditions were that the

host state would provide all inspection equipment and would operate it in-field. A linked

approach consisting of four complementary testing levels was suggested:

i. Initial tests could be done in the inspecting party’s country on a randomly selected set

of equipment. This testing could be destructive, since the equipment will not be

returned to the host and would not be used in the monitoring regime. Equipment

presented by the host but not selected for initial tests could be placed under a joint

chain of custody ready for use in the field and could be subject to the next level of

testing, “acceptance tests”.

ii. Acceptance tests could be conducted when the host supplies equipment to be used in

the monitoring regime. These tests could be done in the presence of the host, likely

taking place in the host country.

iii. Inspection tests could be conducted at the beginning of each inspection and could be

more limited in scope than acceptance tests, designed to provide confidence that the

equipment is the same equipment that was accepted and that the accepted equipment

has not been tampered with since last inspection. These tests could also be performed

in the presence of the host.

iv. Daily tests could be conducted each subsequent day after the inspection tests and

would be most limited in scope. These tests would be designed to provide confidence

that the equipment functions as expected before being used.

It was noted that the host requirement to maintain the safety and security certification of

equipment would limit the scope of possible authentication measures on field-deployable

equipment. Because of the need to balance both inspecting party and host party concerns,

the group recommended that authentication requirements form a core part of the

considerations during the development of a verification regime for scenarios similar to

LETTERPRESS. This would enable both equipment design and procedural development to

be influenced by the requirements of authentication.

Managed Access and Chain of Custody of Verification Equipment and Data

Generally, managed access issues affected the procedures more than the selection of

technologies. In order to maintain confidence in the certification of all hardware, the inspecting

party would not be allowed to touch or operate any of the equipment; all equipment was to be


16

operated by the hosts. Therefore, the procedures were written from the perspective of host

operation and inspector observation.

It was therefore important that the inspectors were able to maintain custody over equipment

(and the data that it collects) whilst in storage, during transport, and in use.

A notional CCTV system was supposed to form the backbone of the containment and

surveillance system designed to maintain custody over the facilities and their contents.

Unfortunately, the pre-simulation training and communication to the inspectors regarding this

system was not sufficient, which led to the inspectors not feeling confident about its integrity.

The inspectors instead relied on a combination of Tamper Indicating Enclosures (TIEs) and

observation to manage the risk of the host team accessing equipment and data. Secure vials

that could only be opened by irreparably damaging them were used to transport data.

There was one notable exception to the inspector hands-off rule: because TRIS’s procedures

are hardcoded into its firmware, several pieces of data and hardware were brought into and

out of the site by the inspectors. A seed (number) had to be brought in by the inspectors to be

used for public/private key generation in the form of an iButton (a memory storage device) and

had to remain in their possession even upon exit of the facility. If the host party had knowledge

of the seeds that were used, the host could regenerate the private key enabling the creation

of a fake template. In addition, the inspectors needed to bring a copy of the public key, also in

the form of an iButton, in and out with them to confirm the template signature during

confirmation measurements. A theoretical discussion was held in the technology working

group during development of the simulation to consider how to handle the inspector-provided

iButtons. The standard recommended authentication steps for host supplied equipment

followed a process initiated with the inspectors randomly selecting equipment for

authentication. For the iButtons, the group considered whether the roles could be reversed,

i.e. whether the host could suitably certify inspector-provided iButtons following a process

whereby the host randomly selected iButtons for security certification. The low cost of

individual buttons and the simplicity of their design led to a view that this approach could work.

In addition to the iButtons, the inspectors were allowed to bring a sheet of paper that contained

the hash codes that the TRIS should produce in response to a challenge number. This

procedure is part of the TRIS firmware authentication.


17

6.0 Training

The participants, coming from four different nations, had a considerable variety of experience

with nuclear dismantlement verification. As such, the training had to ensure that a base-level

of knowledge was obtained by all to cover the scenario, on-site inspections, technologies, and

procedures. All participants also required site-specific knowledge of the Secure Storage Area

at RAF Honington.

Training was divided into two parts: read-ahead material, and on-site training at Honington,

consisting of both generic and role-specific training. Distributing read-ahead material offered

the benefit of reducing the time required for on-site training and allowed experienced

personnel to skip sections of the training with which they were already familiar.

All LETTERPRESS participants received Training Package A one month ahead of the

exercise. This consisted of:

• Introduction to the exercise, general announcements, and important dates

• Introduction to Radiation Safety

• Introduction to Radiation Detection

• Introduction to Arms Control Principles

Training Package B was given to players on the first day of training at Honington, one version

for the inspectors and another for the host team.

The controllers and evaluators also received a Controller and Evaluator Handbook.


18

7.0 Future Research

This section outlines the overall recommendations from LETTERPRESS. The simulation

provided a range of insights for all participants in the application of verification concepts and

monitoring technologies with multilateral partners in a simulated set of nuclear weapons

facilities. Lessons were identified that are relevant to the development of field-ready

measurement instrumentation, procedures for their use when verifying declarations during on-

site inspections, and the functionality of multilateral inspection teams.

LETTERPRESS emphasised that the continued engagement of NNWS and NWS is necessary

to foster trust and ownership of technical solutions and to understand the demands and

limitations in ensuring the protection of sensitive information in a nuclear weapons verification

context.

The recommendations cover areas for future work in general verification concepts and

technologies.

Verification Concepts

A systems-level approach should be taken to derive verification concepts, parameters, and

objectives. Drawing from the experiences in existing verification regimes (such as IAEA

Safeguards, CWC, and New START), this approach should:

i. Provide partner-agreed definitions of treaty elements, facilities, and monitoring regime

concepts.

ii. Drive the definition of requirements and gaps for possible verification options.

iii. Explore declaration and information exchange options.

iv. Allow evaluation of options for data and information handling, mapped to on-site

inspection and the possibility of remote monitoring.

Further developing a model state as a case study, building on that created for

LETTERPRESS, should be created that can be used as a building block for future exercises

that investigate different parts of a verification regime.

A study should be initiated which focuses on an overarching verification system to verify

declarations made about an inventory of items, rather than focusing on verifying the

characteristics of individual items.

An inspection team’s ability to keep a chain of custody over an enduring weapon stockpile

should be investigated, from an initial inspection visit to a visit that occurs much later in time.

Absence verification, to address the issue of declaration completeness, should be the subject

of further investigation. This should include the development of explicit procedures for

“locking-down” locations chosen for absence measurements, and an investigation of the

statistical significance of the number of locations chosen for absence measurements in

relation to the overall site.

A verification approach that addresses the potential conflict between transparency and

secrecy in acceptance of a treaty accountable item into a verification regime should be


19

explored. Investigations should cover in greater detail what constitutes a treaty accountable

item, and what information is required to identify them uniquely.

Verification Technologies

The management, encryption, and authentication of data collected during an inspection should

be an area of further research.

Variations to the LETTERPRESS monitoring regime that deploy different technologies, or a

combination of technologies, should be exercised and assessed.

Future technical work should explore authentication and certification methodologies for

verification technologies, as this was not exercised in LETTERPRESS. Deep dive

investigations of authentication on selected equipment are recommended for a future exercise

and should:

i. Prioritise custom-designed equipment (verification technologies deployed in

LETTERPRESS are considered a priority - UKNI IB, TRIS, RDE), and then exercise

developed methodologies on commercial off-the-shelf technologies.

ii. Develop and exercise authentication procedures for the four possible stages in the

monitoring regime, as outlined in Section 5.3 (Initial tests, Acceptance tests, Inspection

tests, Daily tests).

iii. Exercise and evaluate authentication on both host-supplied and inspector-supplied

equipment.

The experiences of using technology in developed arms control regimes (such as New

START) should be reviewed, as appropriate. The objective would be to explore issues of trust

and authentication, safety and certification, and the establishment and maintenance of chains

of custody on selected, representative equipment, such as the UKNI IB and TRIS.

LETTERPRESS partners should continue developing and exercising verification technologies,

and associated procedures, to address arms control and on-site inspection challenges.

Recommendations for future work include:

i. Review verification equipment designs and deployment experiences in order to refine

requirements for future development. Include information barrier system designs and

approaches in the review.

ii. Review and extract best practices for procedures from mature, deployed, and trusted

technologies such as TRIS or RDE. Procedures should specifically address how to

handle equipment failures or ambiguities in analytical results.

iii. Continue development of prototype technologies and associated procedures.

iv. Use verification equipment in exercises like LETTERPRESS to allow the technology

experts to discern gaps that will influence next steps in equipment design and

performance.


20

Future designs of host-operated equipment should consider the need to make operations

observable by the inspectors. The operator’s hands, for example, easily obscure small

screens and buttons which can diminish the inspecting party’s confidence in the procedure.

The integration of results from multiple verification techniques, as part of a wider systems

approach, should be tested in future exercises.


21

8.0 Achievements of the Simulation

This report details the first instance of a quadrilateral initiative involving both NWS and NNWS

to address challenges and to identify potential solutions associated with the verification of

future arms control treaties and agreements. Through joint discussion and specific planning

activities, the Quad was able to implement the LETTERPRESS simulation successfully,

including the following highlights:

• Provided players, both hosts and inspectors, with an insight into the types of

interactions and managed access activities one might experience during a verification

event.

• Provided an element of realism by using a military base previously used to store

nuclear weapons and a ballistic casing and container from a former nuclear weapon

system (shown in Figure 1).

• Deployed technologies to demonstrate concepts of absence and confirmation

measurements.

• Used containment and surveillance equipment to establish and maintain a chain of

custody over bunkers, containers, and the treaty accountable items.


22

9.0 Acknowledgement

The Chair of the Management Working Group would like to thank all those who have

contributed to the successful delivery of LETTERPRESS, from the working group members

and supporting staff who helped facilitate LETTERPRESS, to the players, subject matter

experts, controllers, and evaluators who participated in the final event. Specific appreciation

also goes to all those who have contributed to the creation, review, and editing of this

document.


23

Annex 1: Glossary

Term Meaning

CCTV Closed Circuit Television

CoC Chain of Custody

CoCIM Chain of Custody Item Monitor

CWC Chemical Weapons Convention

DSMESL Dismantlement Site Measurement and Equipment Storage Location

ECT Eddy Current Tagging

HPGe High Purity Germanium

IAEA International Atomic Energy Agency

IB Information Barrier

MESB Measurement and Equipment Storage Bunker

M-WG Management Working Group

NEA Nuclear Enterprise Activities

NNWS Non-Nuclear Weapon State

NO Norway

NW Nuclear Weapon

NWS Nuclear Weapon State

NNWS Non-Nuclear Weapon State

P-WG Protocol Development Working Group

RAF Royal Air Force

RDE Radiation Detection Equipment

RPT Reflective Particle Tags

SE Sweden

SSA Supplementary Storage Area

START Strategic Arms Reduction Treaty

S-WG Simulation Design Working Group

TAI Treaty Accountable Item

TIE Tamper Indicating Enclosure

TMSB Treaty Monitored Storage Bunker

TRIS Trusted Radiation Identification System

TRL Technology Readiness Level

Tr-WG Training Working Group

T-WG Technology Working Group

UID Unique Identifier

UK United Kingdom

UKNI UK Norway Initiative

US United States

WE177 UK legacy nuclear weapon

WG Working Group

Documents

LETTERPRESS: Post-Simulation Report