PARIS/FRANKFURT (Reuters) - Metre-thick concrete walls and 1950s-style analog control rooms help protect nuclear plants from bomb attacks and computer hackers, but Islamist militants are turning their attention to the atomic industry's weak spots, security experts say.
Concerns about nuclear terrorism rose after Belgian media reported that suicide bombers who killed 32 people in Brussels on March 22 originally looked into attacking a nuclear installation before police raids that netted a number of suspected associates forced them to switch targets.
Security experts say that blowing up a nuclear reactor is beyond the skills of militant groups, but that the nuclear industry has some vulnerabilities that could be exploited.
"The insider threat is one of the most difficult to deal with, as this hinges on the ability to screen employees and figure out the nature of their intentions," said Page Stoutland at the U.S.-based Nuclear Threat Initiative (NTI), citing recent reported incidents in Belgium.
His assessment reflects growing anxiety among Western governments and regulators, including the U.N. nuclear watchdog (IAEA), about the risk of radicalized individuals gaining access to sensitive energy infrastructure, including nuclear sites.
In 2014, an investigation into a deliberate act of sabotage at Belgium's Doel 4 nuclear reactor found that a former employee of the plant had died earlier in the year while fighting with Islamist militants in Syria.
In December, Belgian police found a video tracking the movements of a senior nuclear industry official during a search of a flat as part of investigations into the Islamic State attacks in Paris on Nov. 13 that killed 130 people. Security around Belgian nuclear power stations was ramped up as a result.
Industry experts say that deliberately triggering a disastrous meltdown of a nuclear reactor would be difficult as nobody is ever alone in its control room, which typically has four to six operators there at all times.
This, according to Bertrand Barre, a former executive at Areva, the state-owned nuclear reactor manufacturer, would reduce the risk of a suicide mission like the Germanwings disaster last year in which a pilot locked himself in the cockpit and crashed his plane into a mountain.
Deliberate acts of sabotage cannot be ruled out, though. In 2014, the Doel 4 reactor was halted four months after someone purposely damaged its turbine by draining 65,000 litres of oil. The perpetrator was never found.
The risk of cyber attacks is also increasing. Most nuclear plants were built before the Internet or even the computer age, and their control rooms run on 20th-century analog technology. But the NTI says that nuclear plants are now digitalizing quickly, increasing the risk that hackers could commandeer them.
The biggest risk arises from the nuclear fuel cycle, which involves the enrichment of uranium, fuel production and recycling, transport and storage of radioactive material.
Specialists say the pools in which spent nuclear fuel is left to cool are more vulnerable than the reactors themselves.
"A scenario which leads to water loss by damage to the pools could lead to a release of radioactivity of the same or higher order than a core meltdown," said Yves Marignac, director of energy consultant WISE-Paris.
Installations like La Hague in France or Sellafield in Britain - where spent fuel from dozens of reactors is stored in pools before it is reprocessed or put in casks for dry storage - pose a particular worry.
Following the Sept. 11, 2001 attacks on the United States, French authorities deployed ground-to-air missiles in La Hague, though these were removed a few months later after the threat level was deemed to have receded.
Every week, plutonium - one of the two key ingredients in nuclear bombs, along with highly enriched uranium - is transported overland from La Hague to Marcoule in southern France for recycling into mixed-oxide fuel.
"We cannot have a number of identified high-level terrorists on the loose and put emergency legislation in place while at the same time shipping plutonium over public roads on a regular basis," World Nuclear Industry Status Report lead author Mycle Schneider told Reuters.
France has been under a state of emergency since the Islamic State bombing and shooting rampage in Paris, with increased powers of search and arrest for police.
Areva defends the plutonium shipments, saying they are coordinated with state authorities, have armed escorts and are housed in containers that are "real fortresses" secured by 100 kg (220 pounds) of steel for every kg of plutonium.
Experts also worry about militants pilfering radioactive material from medical or industrial installations.
Radioactive isotopes are used in dozens of applications, from cancer treatment to pipeline-welding inspections, and thousands of packages with small amounts of radioactive material are shipped across Europe every year.
Stolen radioactive material from these shipments could be combined with traditional explosives to create a "dirty bomb".
While the radioactivity spread by such a device is unlikely to be lethal, it would create huge panic and pollute a vast area that would be very expensive to decontaminate.
In 1995, Chechen rebels placed a cylinder of radioactive caesium in a Moscow park, but did not detonate it and alerted Russian authorities, who deactivated the device.
Since the mid-1990s, member states of the watchdog International Atomic Energy Agency have reported about 2,800 instances of radioactive material going missing.
IAEA Director General Yukiya Amano said last month only a handful of these incidents involved material that could be used to make a nuclear explosive device, but some of the missing material could go toward devising a dirty bomb.
"The fact there has never been a major terrorist attack involving radioactive material does not mean it could not happen," Amano said.
Editing by Mark Heinrich