Publication Date: 11/1/73
Pages: 5 Date Entered: 2/22/84 Title: GENERAL USE OF LOCKS IN THE PROTECTION AND CONTROL OF FACILITIES AND SPECIAL NUCLEAR MATERIALS November 1973 U.S. ATOMIC ENERGY COMMISSION REGULATORY GUIDE DIRECTORATE OF REGULATORY STANDARDS REGULATORY GUIDE 5.12 GENERAL USE OF LOCKS IN THE PROTECTION AND CONTROL OF FACILITIES AND SPECIAL NUCLEAR MATERIALS A. INTRODUCTION Paragraph 50.34(c) of 10 CFR Part 50, "Licensing of Production and Utilization Facilities," requires each application for a license to operate a production or utilization facility and paragraph 70.22(b) of 10 CFR Part 70, "Special Nuclear Material," requires certain applications for a license to possess or use special nuclear material (SNM) to include a physical security plan to demonstrate how the applicant plans to meet the physical protection requirements of 10 CFR Part 73, "Physical Protection of Plants and Materials." Paragraphs 50.54(p) and 70.32(e) require existing licensees licensed under Part 50 and certain licensees licensed under Part 70 who have not submitted a physical security plan to submit such a plan to the Commission for approval. Section 73.40 of 10 CFR Part 73 requires that certain licensees provide physical protection against industrial sabotage and afainst theft of SNM at the fixed sites where licensed activities are conducted. Locks are acceptable devices to be used in adhering to the physical protection requirements identified above to assist in controlling access to areas, facilities, and materials through doors, gates, container lids, and similar material or personnel access points, and are considered essential components of a physical barrier. This guide provides criteria acceptable to the Regulatory Staff for the selection and use of commercially available locks in the protection of facilities and SNM. B. DISCUSSION Locks are very important components of a physical barrier. Their effectiveness, however, lies in their use in conjunction with other security measures such as intrusion alarm systems and seals. Although some locks are difficult to pick or manipulate, no lock can claim to be "manipulation proof." Because of the large variety of locks available, it is necessary to subdivide the discussion on locks into the following types: (1) combination, (2) key, (3) electrical, and (4) pushbutton mechanical locks. The discussion of each type includes a general section on advantages and disadvantages, a section on control over the locks, and a section on the applicable standards and specifications. 1. Combination Locks a. General. It is desirable that a combination lock be designed to afford a choice of a large number of combinations. The number of combinations is determined by the number of tumbler wheels in the lock mechanism and the number of graduations on the dial. High-quality locks usually have 100 divisions on the dial and three tumbler wheels; such a lock is capable of providing a theoretical 10(6) combinations which in practice reduces to tens of thousands. Some combination locks are made with four tumbler wheels, but it is considered that the added number of combinations possible does not proportionally improve the security of the lock and does increase the inconvenience of dialing the combination. It is desirable for a combination lock to be designed so its combination can be easily changed but at the same time be tamper resistant. The combination of some locks can be changed by disassembly of the tumbler wheel pack and relocation of screws or pins. In this method the effective number of combinations possible is restricted. Another method involves taking apart the wheel pack and resetting an insert in each wheel. This method requires substantial skill on the part of the operator. The most desirable method of changing a combination is by a special key which requires minimal training of the operator and provides a maximum number of combinations. The special key is inserted in the back of the lock case to release the wheels from their present combination while a new combination is imposed by dialing. The combination of some locks can be covertly determined by using a radiographic technique. Resistance to this form of attack is designed into certain locks by utilizing materials in the mechanism that are not easily radiographed, e.g., plastics. Combination locks are vulnerable to compromise if the back of the lock is readily available, e.g., when the lockable access is open. Removing the back cover from the lock usually allows the combination to be determined. The combinations of some key-change locks can be changed directly when the lock is in the open position, while other must have the existing combination redialed to a different index when the access is in the open position to permit the combination change. The former type permits an intruder to make a quick change of the combination to one of his own choosing; this would permit him to enter following the closing of the lock and would deny entry to the user. For these reasons it is desirable to protect the back of the lock by back plates or other devices. High-quality combination locks are designed for use in two basic forms: (1) in a lock case to be mounted on or into a door as a mortise or rim lock and (2) as a padlock. Protection against forcible attack of a mortise or rim-mounted lock can be increased if the lock is provided with hardened steel plates and if the lock is designed with relocking triggers or devices that deadlock the bolt or bolt-actuating mechanism. Combination padlocks are not vulnerable to the usual rapping techniques and are usually resistant to manipulation. However, common combination padlocks made of a cast aluminum alloy are without great strength, have little resistance to forcible attack, and are not weather resistant. There are others that are weather resistant but offer little protection against attack. b. Combination Lock Control. The most important aspect of lock control for combination locks is the protection of the combination. It is desirable to change the combination of a lock every time that a person who knows the combination no longer requires it as a result of termination or reassignment of duties. This would assure that only those individuals actually required to gain access would know the combination. Losing the combination of a manipulation-proof, well-designed lock in a high-rated door is an expensive situation. This can be prevented by keeping a record of the combination in another location which is as secure as the place protected by the lock. Combination locks can be set to a single number to simplify the daily chore of opening, but this is a very poor practice since it reduces the security of the lock. Frequently four-wheel locks are set to only three different numbers for ease of opening. This defeats the purpose of the fourth wheel but it is not considered serious since the number of remaining combination choices is considered adequate. It is not recommended that one select combinations in common sequences and multiples of ten. It is also not generally recommended that the last number of a combination be set close to zero because in some cases the lock can jam. c. Standards and Specifications. A standard for three- or four-tumbler combination locks issued by Underwriters' Laboratories, UL-768, "Combination Locks,"(1) covers "combination locks designed for attachment on doors of safes, chests, vaults, and the like to provide a means of locking the boltwork against unauthorized opening." Quality assurance provisions covering the description, examination, and testing of the product are included through the UL Label Service. A Federal Specification issued for combination padlocks, FF-P-110F, "Padlock, Changeable Combination (Resistant to Opening by Manipulation and Surreptitious Attack),"(2) includes quality assurance provisions for design, materials, and performance testing. 2. Key Locks a. General. As in the case of combination locks, it is desirable for a key lock to be capable of being set for a large number of different keys. A high-quality six-pin lock with 10 key cutting levels per pin potentially permits 10(6) different keys to be used. However, this large number of key cuts is not as useful as a large number of combinations because less time-consuming techniques for defeating key locks are available. Nevertheless, there is value in specifying at least 10(6) key cuts because it requires careful construction of the lock. It is important that the key cut required to open a lock (bitting of a lock) be changeable to permit changes whenever keys are lost or an employee having access to a key is reassigned to other duties or terminated. Changing the bitting of a lock can be accomplished usually by changing pins, wafers, or levers. To ease the task of a bitting change, some locks have cores that are removable for replacement by means of a special key called a "control key." If all the locks in a given facility are keyed to the same control key, the locks are virtually master keyed because, with the core removed, the problem of opening the lock is elementary. ---------- (1) Copies may be obtained from the offices and testing stations of Underwriters' Laboratories, Inc. located at the following addresses: 207 East Ohio Street, Chicago, Ill. 60611; 333 Pfingsten Road, Northbrook, Ill. 60062; 1285 Walt Whitman Road, Melville, L.I., N.Y. 11746; 1655 Scott Boulevard, Santa Clara, Calif. 95050. (2) Copies may be obtained from business service centers of the General Services Administration Regional Offices located in the following cities: Boston, Mass.; New York, N.Y.; Washington, D.C.; Ft. Worth, Texas; Denver, Colo.; San Francisco, Calif.; Atlanta, Ga.; Chicago, Ill.; Kansas City, Mo.; Los Angeles, Calif.; Seattle, Wash. ---------- Master keying is undesirable from a security point of view because disassembly and inspection of any lock in the system by a competent person provides access to all the other locks in the master-keyed system, and because termination of an employee who had access to a master key would require changing the bitting of all locks set for his master key. The changing of the bitting of a large number of locks can be costly, but the convenience of master systems is such that there is strong pressure for using them. A compromise in this conflict between convenience and security may be to use a nonmastered set of locks for protected areas, material access areas, vital areas, and access to vital equipment and to permit master key sets for other less sensitive areas. It is necessary for a lock to have some resistance to picking and impressioning (a method used to prepare a key by the impressions of the bitting of a lock on a blank key). In general, this resistance can be provided by precision machining of the mechanisms or by special design features such as side bars, odd-shaped pins or a large number of levers. Protection of key locks against forcible attack can be enhanced by the use of hardened steel plates in front of the pins or side bars. It is essential for a bolt of a lock to be retained in the locked position by positive means (dead bolt). In some locks, the bolt is held in a locked position by a spring only. This permits, in the case of padlocks, the use of appropriate rapping or shimming techniques and, in the case of door locks, the opportunity to surreptitiously retract the bolt without the use of force. b. Lock Control. The security of an access control system based on key locks depends on complete denial of keys to unauthorized persons. It is essential to have a record of each key and the names of individuals to whom keys have been issued and to check all keys at periodic intervals. A common weakness in mastered key systems is the lack of accountability of lock cylinders. To correct this situation, it would be necessary to require a control system involving the accountability of every mastered lock cylinder having the bitting in present use either for the master or, in the case of removable cores, the control key. c. Standards and Specifications. A standard for key locks has been issued by Underwriters' Laboratories, UL-437, "Key Locks,"(1) and includes quality assurance provisions through the UL Label Service. Interim Federal Specification FF-P001480 (GSA-FSS), "Padlock, Key Operated (Resistant to Opening by Force, Pick, and Bypass Techniques),"(2) covers two types of key-operated dead-bolt padlocks: the exposed shackle and the shrouded shackle. Quality assurance provisions concerning the design, materials, and qualification testing are included. 3. Electric Locks a. General. In the most popular electric locks, a signal generated by magnetized elements in a plastic card or by sequential activation of buttons is compared with a stored code to activate an electrically operated door strike. In some cases the magnetic card and pushbutton systems are used in coincidence. Combined card and pushbotton systems provide, in general, higher security than card-only systems. The advantages of the electric lock are isolation of the part containing the code from the exposed part of the lock, versatility of programming, and ease of integration into alarm systems. Magnetic card systems have some of the problems of common key locks because a lost or stolen card can be used by an unauthorized person. However, reproduction of a card is more complicated than reproduction of a metal key. Pushbutton systems require memorization of a few digits, usually four, and require more time to operate than the magnetic card system. Although the number of possible combinations usually is smaller than in the combination lock system, quality electric pushbutton systems compensate for this by incorporating devices which prevent trial and error methods of surreptitious attack by activating an alarm after a number of unsuccessful attempts or by introducing a delay after each unsuccessful attempt which prevents operation of the lock for a short period of time. It is desirable for an electric lock to have the capability for an easy change of combinations. The part of the lock where the combination is set and the housing of the card reader (if the contents of the housing can reveal the combination) should be protected against tampering by tamper switches connected to the alarm system. Generally, where electric locks are installed, a mechanical lock is also installed as a bypass. This lock should be of a quality as discussed in the part on key locks in this guide. b. Lock Control. The security of an electric lock system depends on strict control of combinations and cards. The magnetic codes in the cards and the combinations need to be changed whenever an employee having had access to them terminates or is reassigned. Strict accountability of cards is strongly recommended. c. Standards and Specifications. There are currently no comprehensive standards or specifications covering electric locks. The reputation of the manufacturer, the specification for his product, and the experience of users must be carefully considered in their selection and use. 4. Pushbutton Mechanical Locks a. General. This is a type of combination lock utilizing mechanical-pushbutton-activated linkages that connect a gate with an external knob to permit opening of the lock. In this lock it is difficult to design in penalties for punching a wrong combination as is done in electric locks. Therefore, it is important to have a large number of possible combinations. Provisions for easy change of combinations are desirable. Some locks permit a new combination to be dialed in utilizing an Allen wrench when the lock is open, a procedure similar to that for some combination locks. Others require the replacement of internal parts to change the combination. The mechanical locks appear to be fairly resistant to concealed attack; however, more information is needed on their resistance to forcible attack. b. Lock Control. Similar to other combination locks, the combinations need to be changed when employees having access to the combination terminate or are reassigned. c. Quality Assurance. There are currently no comprehensive standards or specifications for mechanical pushbutton locks. C. REGULATORY POSITION The following guidelines are acceptable to the Regulatory staff for the selection and use of locks in the protection of facilities and SNM: 1. Combination locks installed in solid doors such as those in vaults or vault-type rooms in protected areas should be three- or four-position dial-type changeable-combination locks meeting the Underwriters' Laboratories Standard UL-768, "Combination Locks," for Group I locks.(1)2. Combination padlocks should be used when practicable on doors or gates to material access areas, in protected and vital area perimeters, and for access to vital equipment in preference to key padlocks. Combination padlocks should be used on closed vehicles or containers holding SNM that are required to be locked. Combination padlocks should be three-position-dial type changeable-combination padlocks meeting Federal Specification FF-P-110F, "Padlock, Changeable Combination (Resistant to Opening by Manipulation and Surreptitious Attack)."(2)3. Key locks used in lieu of combination padlocks on doors or gates to material access areas, in protected and vital area perimeters, and for access to vital equipment should provide a high degree of resistance to opening by force and tamper techniques and should meet Underwriters' Laboratories UL-437, "Key Locks."(1)4. Key padlocks used in lieu of combination padlocks on doors or gates to material access areas, in protected and vital area perimeters, and for access to vital equipment should be of rugged and sturdy construction and designed for outdoor use if necessary, and should meet Interim Federal Specification FF-P-001480 (GSA FSS), "Padlock, Key Operated (Resistant to Opening by Force, Pick, and Bypass Techniques)."(2)5. Electric locks should be used inside the protected area as a means of access control only if a magnetic card key system is coupled with a pushbutton system and integrated into the alarm system. This lock combination should have features that resist tampering with the combination-changing mechanism and that alarm after a set number of errors in punching the combinations is made. 6. Pushbutton mechanical locks are not recommended for use at this time because of the lack of comprehensive standards and specifications against which the locks can be evaluated. 7. Mechanical locks used as panic locks on emergency exit doors within protected area perimeters should be operable only from the inside. 8. Combinations, keys and locks should be controlled, protected and changed in accordance with the following requirements: a. Combinations of locks or padlocks on repositories containing SNM or used to secure gates or doors to material access areas, in protected and vital area perimeters, and for access to vital equipment should be known only to those authorized access to the material or to the area. They should be changed when repositories or areas are first placed in use, whenever a person knowing the combination no longer requires it as a result of reassignment of duties or termination, whenever the combination may have been compromised, or at least twice every year. A record of the combinations of locks should be kept in a location that is secured by a combination lock. b. Keys and cards to locks or padlocks on containers holding SNM or used to secure gates or doors to material access areas and in protected and vital area perimeters should be issued only to persons authorized access to the material or to the area. Keys or cards in use should be checked in at the end of each shift or workday, and a log should be maintained showing keys and cards, users, in and out times, and other pertinent information. Keys and cards should be recovered from reassigned or terminating personnel. Locks should be immediately changed or cores replaced and an inventory conducted whenever a core, key, or card is lost or missing; the lock, core, key, or card has been compromised; or unrecorded keys or cards are found. In a mastered system, a complete remastering of the system should be conducted whenever a core, card, master or control key, or a lock is lost or compromised. c. A record of all locks, cores, keys, and cards should be maintained and kept in a location secured by a combination lock. A physical inventory of locks, cores, keys, and cards should be conducted semiannually when the locks are used for protection of facilities and bimonthly when the locks are used for the protection of SNM. Unused locks, cores, keys, and cards should be stored in a location secured by a combination lock. A specific individual at each site should be named and placed in charge of all locks, cores, keys, and cards. 58 |