Publication Date: 11/1/73
    Pages: 5
    Date Entered: 2/22/84
    Title: GENERAL USE OF LOCKS IN THE PROTECTION AND CONTROL OF FACILITIES AND SPECIAL NUCLEAR MATERIALS
    November 1973
    U.S. ATOMIC ENERGY COMMISSION
    REGULATORY GUIDE
    DIRECTORATE OF REGULATORY STANDARDS
    REGULATORY GUIDE 5.12
    GENERAL USE OF LOCKS IN THE PROTECTION AND CONTROL OF
    FACILITIES AND SPECIAL NUCLEAR MATERIALS
A. INTRODUCTION
    Paragraph 50.34(c) of 10 CFR Part 50, "Licensing of Production and
    Utilization Facilities," requires each application for a license to
    operate a production or utilization facility and paragraph 70.22(b) of
    10 CFR Part 70, "Special Nuclear Material," requires certain
    applications for a license to possess or use special nuclear material
    (SNM) to include a physical security plan to demonstrate how the
    applicant plans to meet the physical protection requirements of 10 CFR
    Part 73, "Physical Protection of Plants and Materials." Paragraphs
    50.54(p) and 70.32(e) require existing licensees licensed under Part 50
    and certain licensees licensed under Part 70 who have not submitted a
    physical security plan to submit such a plan to the Commission for
    approval. Section 73.40 of 10 CFR Part 73 requires that certain
    licensees provide physical protection against industrial sabotage and
    afainst theft of SNM at the fixed sites where licensed activities are
    conducted.
    Locks are acceptable devices to be used in adhering to the
    physical protection requirements identified above to assist in
    controlling access to areas, facilities, and materials through doors,
    gates, container lids, and similar material or personnel access points,
    and are considered essential components of a physical barrier. This
    guide provides criteria acceptable to the Regulatory Staff for the
    selection and use of commercially available locks in the protection of
    facilities and SNM.
B. DISCUSSION
    Locks are very important components of a physical barrier. Their
    effectiveness, however, lies in their use in conjunction with other
    security measures such as intrusion alarm systems and seals. Although
    some locks are difficult to pick or manipulate, no lock can claim to be
    "manipulation proof." Because of the large variety of locks available,
    it is necessary to subdivide the discussion on locks into the following
    types: (1) combination, (2) key, (3) electrical, and (4) pushbutton
    mechanical locks. The discussion of each type includes a general section
    on advantages and disadvantages, a section on control over the locks,
    and a section on the applicable standards and specifications.
1. Combination Locks
    a. General. It is desirable that a combination lock be
    designed to afford a choice of a large number of combinations. The
    number of combinations is determined by the number of tumbler wheels in
    the lock mechanism and the number of graduations on the dial.
    High-quality locks usually have 100 divisions on the dial and three
    tumbler wheels; such a lock is capable of providing a theoretical 10(6)
    combinations which in practice reduces to tens of thousands. Some
    combination locks are made with four tumbler wheels, but it is
    considered that the added number of combinations possible does not
    proportionally improve the security of the lock and does increase the
    inconvenience of dialing the combination.
    It is desirable for a combination lock to be designed so its
    combination can be easily changed but at the same time be tamper
    resistant. The combination of some locks can be changed by disassembly
    of the tumbler wheel pack and relocation of screws or pins. In this
    method the effective number of combinations possible is restricted.
    Another method involves taking apart the wheel pack and resetting an
    insert in each wheel. This method requires substantial skill on the
    part of the operator. The most desirable method of changing a
    combination is by a special key which requires minimal training of the
    operator and provides a maximum number of combinations. The special key
    is inserted in the back of the lock case to release the wheels from
    their present combination while a new combination is imposed by dialing.
    The combination of some locks can be covertly determined by
    using a radiographic technique. Resistance to this form of attack is
    designed into certain locks by utilizing materials in the mechanism that
    are not easily radiographed, e.g., plastics.
    Combination locks are vulnerable to compromise if the back
    of the lock is readily available, e.g., when the lockable access is
    open. Removing the back cover from the lock usually allows the
    combination to be determined. The combinations of some key-change locks
    can be changed directly when the lock is in the open position, while
    other must have the existing combination redialed to a different index
    when the access is in the open position to permit the combination
    change. The former type permits an intruder to make a quick change of
    the combination to one of his own choosing; this would permit him to
    enter following the closing of the lock and would deny entry to the
    user. For these reasons it is desirable to protect the back of the lock
    by back plates or other devices.
    High-quality combination locks are designed for use in two
    basic forms: (1) in a lock case to be mounted on or into a door as a
    mortise or rim lock and (2) as a padlock.
    Protection against forcible attack of a mortise or
    rim-mounted lock can be increased if the lock is provided with hardened
    steel plates and if the lock is designed with relocking triggers or
    devices that deadlock the bolt or bolt-actuating mechanism.
    Combination padlocks are not vulnerable to the usual rapping
    techniques and are usually resistant to manipulation. However, common
    combination padlocks made of a cast aluminum alloy are without great
    strength, have little resistance to forcible attack, and are not weather
    resistant. There are others that are weather resistant but offer little
    protection against attack.
    b. Combination Lock Control. The most important aspect of lock
    control for combination locks is the protection of the combination. It
    is desirable to change the combination of a lock every time that a
    person who knows the combination no longer requires it as a result of
    termination or reassignment of duties. This would assure that only
    those individuals actually required to gain access would know the
    combination.
    Losing the combination of a manipulation-proof,
    well-designed lock in a high-rated door is an expensive situation. This
    can be prevented by keeping a record of the combination in another
    location which is as secure as the place protected by the lock.
    Combination locks can be set to a single number to simplify
    the daily chore of opening, but this is a very poor practice since it
    reduces the security of the lock. Frequently four-wheel locks are set
    to only three different numbers for ease of opening. This defeats the
    purpose of the fourth wheel but it is not considered serious since the
    number of remaining combination choices is considered adequate. It is
    not recommended that one select combinations in common sequences and
    multiples of ten. It is also not generally recommended that the last
    number of a combination be set close to zero because in some cases the
    lock can jam.
    c. Standards and Specifications. A standard for three- or
    four-tumbler combination locks issued by Underwriters' Laboratories,
    UL-768, "Combination Locks,"(1) covers "combination locks designed for
    attachment on doors of safes, chests, vaults, and the like to provide a
    means of locking the boltwork against unauthorized opening." Quality
    assurance provisions covering the description, examination, and testing
    of the product are included through the UL Label Service. A Federal
    Specification issued for combination padlocks, FF-P-110F, "Padlock,
    Changeable Combination (Resistant to Opening by Manipulation and
    Surreptitious Attack),"(2) includes quality assurance provisions for
    design, materials, and performance testing.
2. Key Locks
    a. General. As in the case of combination locks, it is
    desirable for a key lock to be capable of being set for a large number
    of different keys. A high-quality six-pin lock with 10 key cutting
    levels per pin potentially permits 10(6) different keys to be used.
    However, this large number of key cuts is not as useful as a large
    number of combinations because less time-consuming techniques for
    defeating key locks are available. Nevertheless, there is value in
    specifying at least 10(6) key cuts because it requires careful
    construction of the lock.
    It is important that the key cut required to open a lock
    (bitting of a lock) be changeable to permit changes whenever keys are
    lost or an employee having access to a key is reassigned to other duties
    or terminated. Changing the bitting of a lock can be accomplished
    usually by changing pins, wafers, or levers. To ease the task of a
    bitting change, some locks have cores that are removable for replacement
    by means of a special key called a "control key." If all the locks in a
    given facility are keyed to the same control key, the locks are
    virtually master keyed because, with the core removed, the problem of
    opening the lock is elementary.
    ----------
    (1) Copies may be obtained from the offices and testing stations
    of Underwriters' Laboratories, Inc. located at the following addresses:
    207 East Ohio Street, Chicago, Ill. 60611; 333 Pfingsten Road,
    Northbrook, Ill. 60062; 1285 Walt Whitman Road, Melville, L.I., N.Y.
    11746; 1655 Scott Boulevard, Santa Clara, Calif. 95050.
    (2) Copies may be obtained from business service centers of the
    General Services Administration Regional Offices located in the
    following cities: Boston, Mass.; New York, N.Y.; Washington, D.C.; Ft.
    Worth, Texas; Denver, Colo.; San Francisco, Calif.; Atlanta, Ga.;
    Chicago, Ill.; Kansas City, Mo.; Los Angeles, Calif.; Seattle, Wash.
    ----------
    Master keying is undesirable from a security point of view
    because disassembly and inspection of any lock in the system by a
    competent person provides access to all the other locks in the
    master-keyed system, and because termination of an employee who had
    access to a master key would require changing the bitting of all locks
    set for his master key. The changing of the bitting of a large number
    of locks can be costly, but the convenience of master systems is such
    that there is strong pressure for using them. A compromise in this
    conflict between convenience and security may be to use a nonmastered
    set of locks for protected areas, material access areas, vital areas,
    and access to vital equipment and to permit master key sets for other
    less sensitive areas.
    It is necessary for a lock to have some resistance to
    picking and impressioning (a method used to prepare a key by the
    impressions of the bitting of a lock on a blank key). In general, this
    resistance can be provided by precision machining of the mechanisms or
    by special design features such as side bars, odd-shaped pins or a large
    number of levers.
    Protection of key locks against forcible attack can be
    enhanced by the use of hardened steel plates in front of the pins or
    side bars.
    It is essential for a bolt of a lock to be retained in the
    locked position by positive means (dead bolt). In some locks, the bolt
    is held in a locked position by a spring only. This permits, in the
    case of padlocks, the use of appropriate rapping or shimming techniques
    and, in the case of door locks, the opportunity to surreptitiously
    retract the bolt without the use of force.
    b. Lock Control. The security of an access control system
    based on key locks depends on complete denial of keys to unauthorized
    persons. It is essential to have a record of each key and the names of
    individuals to whom keys have been issued and to check all keys at
    periodic intervals.
    A common weakness in mastered key systems is the lack of
    accountability of lock cylinders. To correct this situation, it would
    be necessary to require a control system involving the accountability of
    every mastered lock cylinder having the bitting in present use either
    for the master or, in the case of removable cores, the control key.
    c. Standards and Specifications. A standard for key locks has
    been issued by Underwriters' Laboratories, UL-437, "Key Locks,"(1) and
    includes quality assurance provisions through the UL Label Service.
    Interim Federal Specification FF-P001480 (GSA-FSS), "Padlock, Key
    Operated (Resistant to Opening by Force, Pick, and Bypass
    Techniques),"(2) covers two types of key-operated dead-bolt padlocks:
    the exposed shackle and the shrouded shackle. Quality assurance
    provisions concerning the design, materials, and qualification testing
    are included.
3. Electric Locks
    a. General. In the most popular electric locks, a signal
    generated by magnetized elements in a plastic card or by sequential
    activation of buttons is compared with a stored code to activate an
    electrically operated door strike. In some cases the magnetic card and
    pushbutton systems are used in coincidence. Combined card and
    pushbotton systems provide, in general, higher security than card-only
    systems.
    The advantages of the electric lock are isolation of the
    part containing the code from the exposed part of the lock, versatility
    of programming, and ease of integration into alarm systems.
    Magnetic card systems have some of the problems of common
    key locks because a lost or stolen card can be used by an unauthorized
    person. However, reproduction of a card is more complicated than
    reproduction of a metal key.
    Pushbutton systems require memorization of a few digits,
    usually four, and require more time to operate than the magnetic card
    system. Although the number of possible combinations usually is smaller
    than in the combination lock system, quality electric pushbutton systems
    compensate for this by incorporating devices which prevent trial and
    error methods of surreptitious attack by activating an alarm after a
    number of unsuccessful attempts or by introducing a delay after each
    unsuccessful attempt which prevents operation of the lock for a short
    period of time.
    It is desirable for an electric lock to have the capability
    for an easy change of combinations. The part of the lock where the
    combination is set and the housing of the card reader (if the contents
    of the housing can reveal the combination) should be protected against
    tampering by tamper switches connected to the alarm system.
    Generally, where electric locks are installed, a mechanical
    lock is also installed as a bypass. This lock should be of a quality as
    discussed in the part on key locks in this guide.
    b. Lock Control. The security of an electric lock system
    depends on strict control of combinations and cards. The magnetic codes
    in the cards and the combinations need to be changed whenever an
    employee having had access to them terminates or is reassigned. Strict
    accountability of cards is strongly recommended.
    c. Standards and Specifications. There are currently no
    comprehensive standards or specifications covering electric locks. The
    reputation of the manufacturer, the specification for his product, and
    the experience of users must be carefully considered in their selection
    and use.
4. Pushbutton Mechanical Locks
    a. General. This is a type of combination lock utilizing
    mechanical-pushbutton-activated linkages that connect a gate with an
    external knob to permit opening of the lock. In this lock it is
    difficult to design in penalties for punching a wrong combination as is
    done in electric locks. Therefore, it is important to have a large
    number of possible combinations.
    Provisions for easy change of combinations are desirable.
    Some locks permit a new combination to be dialed in utilizing an Allen
    wrench when the lock is open, a procedure similar to that for some
    combination locks. Others require the replacement of internal parts to
    change the combination.
    The mechanical locks appear to be fairly resistant to
    concealed attack; however, more information is needed on their
    resistance to forcible attack.
    b. Lock Control. Similar to other combination locks, the
    combinations need to be changed when employees having access to the
    combination terminate or are reassigned.
    c. Quality Assurance. There are currently no comprehensive
    standards or specifications for mechanical pushbutton locks.
C. REGULATORY POSITION
    The following guidelines are acceptable to the Regulatory staff for the
    selection and use of locks in the protection of facilities and SNM:
1. Combination locks installed in solid doors such as those in vaults
    or vault-type rooms in protected areas should be three- or four-position
    dial-type changeable-combination locks meeting the Underwriters'
    Laboratories Standard UL-768, "Combination Locks," for Group I locks.(1)2. Combination padlocks should be used when practicable on doors or
    gates to material access areas, in protected and vital area perimeters,
    and for access to vital equipment in preference to key padlocks.
    Combination padlocks should be used on closed vehicles or containers
    holding SNM that are required to be locked. Combination padlocks should
    be three-position-dial type changeable-combination padlocks meeting
    Federal Specification FF-P-110F, "Padlock, Changeable Combination
    (Resistant to Opening by Manipulation and Surreptitious Attack)."(2)3. Key locks used in lieu of combination padlocks on doors or gates
    to material access areas, in protected and vital area perimeters, and
    for access to vital equipment should provide a high degree of resistance
    to opening by force and tamper techniques and should meet Underwriters'
    Laboratories UL-437, "Key Locks."(1)4. Key padlocks used in lieu of combination padlocks on doors or
    gates to material access areas, in protected and vital area perimeters,
    and for access to vital equipment should be of rugged and sturdy
    construction and designed for outdoor use if necessary, and should meet
    Interim Federal Specification FF-P-001480 (GSA FSS), "Padlock, Key
    Operated (Resistant to Opening by Force, Pick, and Bypass
    Techniques)."(2)5. Electric locks should be used inside the protected area as a means
    of access control only if a magnetic card key system is coupled with a
    pushbutton system and integrated into the alarm system. This lock
    combination should have features that resist tampering with the
    combination-changing mechanism and that alarm after a set number of
    errors in punching the combinations is made.
6. Pushbutton mechanical locks are not recommended for use at this
    time because of the lack of comprehensive standards and specifications
    against which the locks can be evaluated.
7. Mechanical locks used as panic locks on emergency exit doors
    within protected area perimeters should be operable only from the
    inside.
8. Combinations, keys and locks should be controlled, protected and
    changed in accordance with the following requirements:
    a. Combinations of locks or padlocks on repositories containing
    SNM or used to secure gates or doors to material access areas, in
    protected and vital area perimeters, and for access to vital equipment
    should be known only to those authorized access to the material or to
    the area. They should be changed when repositories or areas are first
    placed in use, whenever a person knowing the combination no longer
    requires it as a result of reassignment of duties or termination,
    whenever the combination may have been compromised, or at least twice
    every year. A record of the combinations of locks should be kept in a
    location that is secured by a combination lock.
    b. Keys and cards to locks or padlocks on containers holding
    SNM or used to secure gates or doors to material access areas and in
    protected and vital area perimeters should be issued only to persons
    authorized access to the material or to the area. Keys or cards in use
    should be checked in at the end of each shift or workday, and a log
    should be maintained showing keys and cards, users, in and out times,
    and other pertinent information. Keys and cards should be recovered
    from reassigned or terminating personnel. Locks should be immediately
    changed or cores replaced and an inventory conducted whenever a core,
    key, or card is lost or missing; the lock, core, key, or card has been
    compromised; or unrecorded keys or cards are found. In a mastered
    system, a complete remastering of the system should be conducted
    whenever a core, card, master or control key, or a lock is lost or
    compromised.
    c. A record of all locks, cores, keys, and cards should be
    maintained and kept in a location secured by a combination lock. A
    physical inventory of locks, cores, keys, and cards should be conducted
    semiannually when the locks are used for protection of facilities and
    bimonthly when the locks are used for the protection of SNM. Unused
    locks, cores, keys, and cards should be stored in a location secured by
    a combination lock. A specific individual at each site should be named
    and placed in charge of all locks, cores, keys, and cards.
    58