
New-build case studies
Hinkley Point C
The UK is a ‘developed’ nuclear country with defence and civil nuclear programmes. As recently as the 1990s, the UK had been at the forefront of nuclear research and development and encouraged the growth of a significant nuclear industry across the nuclear fuel cycle, including enrichment, fuel manufacture, electricity generation and reprocessing. Levels of nuclear capability in the UK were high in terms of trained staff, research establishments and a competent, respected and well-resourced regulator, and the industry made a major contribution to the UK’s economy. However, since the early 1990s, the profile of the nuclear industry in the UK has been in decline and the capability of the industry has waned to such an extent that when a decision was made to maintain the capability to generate a proportion of the UK’s electricity from nuclear power plants, the domestic nuclear sector had lost the ability to design and construct a British nuclear power plant.
The Office for Nuclear Regulation (ONR) is the UK regulator for safety and security in the civil nuclear industry and is responsible for ensuring that operators comply with current UK regulatory requirements. In 2007, the ONR announced a Generic Design Assessment (GDA) process to scrutinize candidate designs for new build nuclear power plants in the UK, with the express purpose of verifying that such designs could be safely and securely constructed and operated within the UK. The process involved the development of sophisticated procedures to enable the exchange of sensitive nuclear information between national jurisdictions, particularly between the UK and France.
The GDA conducted an intense and comprehensive examination of the candidate designs submitted for approval, and the first to complete the process successfully was the predominantly French European Pressurized Reactor (EPR) for construction at Hinkley Point C in Somerset.
The Areva-designed twin EPR that will be built at Hinkley Point C will generate 3,200 megawatts of electricity (MWe), enough to meet the electricity needs of nearly 6 million homes.34 When construction started in 2016, the total anticipated cost of Hinkley Point C was estimated at £18 billion. However, this estimation rose by roughly 10 per cent in July 2017, to £20.3 billion, as a result of delays in complying with UK regulations.35 It is expected that the plant will begin generating electricity for the UK market in 2025, eight years behind schedule.36 To pay for it, the British government has entered into a complex financial agreement with the energy giant Electricité de France (EDF), of which 83.5 per cent is owned by the French government, with the remaining 16.5 per cent being distributed principally between institutional and individual shareholders. EDF energy projects cover thermal, nuclear and renewable electricity generation at sites in Africa, Asia, Europe and North America.37 Of the 584 terawatts an hour produced by EDF, 78 per cent is supplied from nuclear facilities.38 The company also controls a large electricity distribution network, Enedis,39 which covers 95 per cent of the French metropolitan area.
As well as EDF’s investment in the Hinkley Point C power station, China General Nuclear Power Group (CGN), a state-run Chinese energy company,40 agreed in 2015 to acquire a 33.5 per cent stake in the construction project.41 As part of the Hinkley Point C deal, CGN also took a 20 per cent stake in the development phase of a new project at the Sizewell nuclear power generating site, Suffolk,42 and discussions began on proposals for the construction of a new Chinese-designed nuclear power station at an existing site at Bradwell-on-Sea in Essex.43 CGN is the largest nuclear power operator in China and the largest nuclear power constructor worldwide.44 CGN’s domestic stature has encouraged international expansionism, and the company plans to be among the top three global producers of nuclear energy by the year 2020.45 CGN is also vertically integrated in the nuclear industry, owning stakes in various stages of the nuclear fuel cycle, often through complex ownership arrangements. Supplementing CGN’s nuclear electricity production and uranium mining, the company also has clean-energy projects in Singapore,46 gas- and oil-powered facilities in South Korea,47 and the Edra project, an extensive multilateral energy operation, which provides power from 13 oil and gas facilities to five states participating in the Belt and Road Initiative (Malaysia, Egypt, Bangladesh, the UAE and Pakistan).48
CGN’s investment in Hinkley Point C, and its aspiration in the long term to construct a Hualong One reactor at Bradwell, raised security concerns among the UK’s defence and security community. In October 2015, senior military and intelligence figures warned UK ministers that the scheme posed a threat to UK national security, as corrupted components might have hidden functions or access (backdoor) capabilities that could be inserted into IT systems,49 thereby allowing Chinese intelligence agencies to bypass British cybersecurity measures.50 The EECSP noted in a 2017 recommendation report that, given the opacity of backdoors, ‘a state actor might use these functions in the near or far future to control critical components of power systems’.51 As a consequence of these concerns, in July 2016, British Prime Minister Theresa May announced a surprise review of the Hinkley Point C plan, which temporarily delayed its approval.52 The prime minister’s caution with regard to foreign investment in the UK’s national infrastructure is consistent with her earlier security concerns when home secretary during the 2010–15 coalition government.53 Theresa May’s political adviser at the time, Nick Timothy, also reportedly cautioned her that Chinese investment in critical infrastructure might be troublesome, given that CGN states that part of its mission was the responsibility for ‘the building of national defence’.54
It is important to acknowledge risks that foreign equipment and systems may pose to the UK’s nuclear power plants, and to ensure that necessary resilience measures are sufficient to offset such risk. Foreign suppliers should meet all cybersecurity requirements and provide evidence that they would protect their equipment and systems throughout the latter’s life cycle.
The UK is one of the leading countries in the world in implementing cybersecurity measures across the CNI sectors, and it is to be expected that the relevant UK authorities are alert to the potential threat posed by such a significant foreign interest in UK CNI. It is to be expected that the UK has the capability and financial resources to take appropriate measures against threats should the need arise. However, not all states with a new build nuclear programme have the same level of expertise and resources, and projects similar to Hinkley Point C should not necessarily view the UK experience as a blueprint to follow.
Barakah nuclear power plant, UAE
In marked contrast to the UK, the UAE is developing its nuclear capability with very little domestic nuclear experience but with the clear imperative to identify and deploy an affordable alternative to oil and gas to meet its domestic electricity demands, particularly for desalinization plants. Countries with similar nuclear ambitions to the UAE have in many cases chosen to develop their nuclear capability incrementally over a period of many years, ‘growing’ domestic expertise through education and training, gradually introducing legal and regulatory frameworks, and adequately preparing their citizens through training and experience to step up to important positions of responsibility within the national nuclear framework.
With the Barakah nuclear power plant, the UAE’s goal is to deliver nuclear energy to the country and to diversify energy sources; to increase economic growth and, through this new industry, to increase the employment opportunities in the country.55 In embarking on their nuclear programme, the Emiratis had neither the luxury of sufficient time for an incremental approach – due to the economic requirement to reduce their dependency on oil – nor the human resources to sustain the size of programme their economic position required. Instead, they chose to rely on engaging foreign expertise across the board to enable the construction of four nuclear reactors at Barakah and to ensure that, in every respect, the UAE could comply with the nuclear safety and security expectations of the international community as articulated through guidance issued by the IAEA. In 2009, the Korea Electric Power Corporation (KEPCO) was awarded the contract to design, build and operate the UAE’s first nuclear power station.56
This bold approach has delivered the first of four units57 at Barakah, constructed by a South Korean consortium led by KEPCO, while the regulatory framework has been created through the recruitment of experienced expatriates, with a clear commitment to transition to Emirati citizenship over time in order to provide sustainable expertise. It remains to be seen whether those countries whose expatriates have provided these skills will be able to transfer that expertise to Emiratis in the long term. In the case of the Barakah nuclear project, employing expatriates of proven ability and broad experience has created an Emirati ‘competent authority’, whose standards of regulation comply with internationally recognized norms.
Currently, there are delays in beginning operations at the Barakah reactors, due to the long approval process for an operating licence; the lack of availability of operating staff; and the conclusion of repairs in the second and third reactors.58 In 2018, the Emirati Nawah Energy Company signed an agreement with EDF whereby the latter would provide operational and maintenance services.59
Despite delays, the Barakah project has been a notable success for the Emiratis, albeit with a heavy reliance on foreign expertise and design, and with an almost total dependence on a globalized supply chain. In seeking to judge how cybersecurity by design might have been integral to this project, it is reasonable to assume that the Barakah units incorporate any improvements to the design identified at existing similar power plants in South Korea. Potential concerns about the integrity of the supply chain are likely to be limited as South Korea was the major source of components and assemblies for Barakah. The onus for maintaining the security of the facility will remain with KEPCO, which has an overwhelming financial and reputational interest in its continuing success. Furthermore, since the UAE’s Federal Authority for Nuclear Regulation comprises experienced, expatriate regulators (many previously employed at the US Nuclear Regulatory Commission), it could be expected that tough, impartial questions would be asked of designers and constructors to ensure that the need for effective security was considered from the start of the project.
It is worth noting that the state-owned South Korean nuclear plant operator Korea Hydro and Nuclear Power was subject in December 2014 to a cyberattack, which was attributed to North Korea. Although the nuclear control systems were not compromised, the attack served to illustrate that the South Korean nuclear facility design was no more immune to cyberattack than its competitors. Hence, it will be important for the UAE to maintain a dialogue promoting the exchange of matters of mutual nuclear security interest with South Korea to protect its nuclear power plants against cyberattack: indeed, the UAE should benefit from the lessons learned from such attacks.
The Barakah nuclear power plant could be a test case for establishing the desired procurement model for cybersecurity when there is total reliance on foreign companies through the supply chain. If the UAE, through its contract with KEPCO, could ensure the integrity of the supply chain for the main components and assemblies, then there would be less reason for the Emiratis to be concerned about long-term vulnerabilities within the project.