Is China's Role in a UK Nuclear Plant Really a Cybersecurity Risk?
The Hinkley Point delay has fuelled speculation that the British government is sceptical of China's involvement. Should we be concerned?
Last week, the UK delayed plans to build the proposed Hinkley Point C nuclear power plant, which would have been the first nuclear plant to be built in the UK in 20 years.
While the government did not give a specific reason for the hold-up, one reason suggested is that it has reservations over China's role in the construction. The state-owned China General Nuclear Power Corporation has agreed to a 33 percent stake in the project, and some suggest that the new British government may be concerned about the cybersecurity of the plant. Nick Timothy, Prime Minister Theresa May's chief of staff, has previously said that experts think the Chinese government could use its involvement to introduce vulnerabilities into systems, which would allow it to tamper with Britain's energy production in the future.
But is this something we really need to worry about? In conversations with Motherboard, researchers and those who work on critical infrastructure were divided over whether Chinese financing of Hinkley Point is a legitimate concern or not.
"I think it presents an opportunity to either collect intelligence or worse still to have some form of virtual control," Alan Woodward, visiting professor at the University of Surrey's Department of Computer Science, told Motherboard in a Twitter message.
This worry is echoed by Robert Lee, a former US Air Force cyber warfare operations officer and CEO of Dragos Security. He suggested that a Chinese, state-run company's involvement in the project offers the country's intelligence services too good an opportunity to turn down.
"When we look at nuclear environments around the world, anything dealing with the field of nuclear energy tends to be a top priority in intelligence services," Lee told Motherboard in a phone call. "If you are giving access to state-owned companies to those operations, it would almost be a disservice of Chinese intelligence operations not to take advantage of that."
George Osborne, the former chancellor of the exchequer, is reported to have rejected safeguards concerning Chinese investment and Hinkley Point, while the new Prime Minister Theresa May seems to push a more sceptical approach. This week, Chinese state media questioned the latest delay and warned the UK not to drive away any more investments.
Even if Chinese agents didn't surreptitiously plant backdoors into Hinkley Point, just having details about the facility and how the UK handles nuclear operations could be an intelligence resource. And cyberattacks don't necessarily rely on leveraging or introducing vulnerabilities into systems. Lee pointed out that the hackers who hit a Ukrainian power grid in December 2015 were aided mostly by their knowledge of how the stations worked and how to cause a blackout.
But not all security experts agree that having a Chinese company involved in Hinkley Point would give the country extra intel useful for an attack.
"The fact that Chinese are putting in money isn't going to affect the safety of the plant," said Joe Weiss, managing partner of Applied Control Solutions, who has worked on the security of industrial control systems for over ten years.
That's because, he said, the same control systems that are going to be used in Hinkley Point are already used in any number of refineries, pipelines, mass transit, and other pieces of UK infrastructure. And they all have vulnerabilities—vulnerabilities that Chinese intelligence may already be aware of.
He said that if normal regulatory procedures are followed to ensure plant safety, there shouldn't be an issue. "There may be a lot of reasons to either build or not build Hinkley Point, but the Chinese and cybersecurity should not be one of them," Weiss said.
Woodward also pointed out that the technicalities of the project are coming from the French, and the Chinese company involved is only really providing money.
If cybersecurity concerns over China are the reason for the UK's hesitation, it certainly wouldn't be the only country to have serious reservations about the supply chain of critical infrastructure. Perhaps unsurprisingly, Lee said he couldn't see something like the Hinkley Point deal happening in the US. On the other side of the world, the Australian government stopped equipment from Chinese corporate giant Huawei being used in a broadband network in 2012, citing national security concerns.
But the UK already has experience in working with Chinese companies on infrastructure. As Woodward pointed out, around 50 percent of BT's 21st Century Network runs on equipment built by Huawei. "The UK government set up a special unit staffed by ex-GCHQ folk to trawl through every inch of the software (and hardware) to make sure there was nothing untoward in there," Woodward said.
GCHQ declined a request to comment, instead directing Motherboard to the Department for Business, Energy and Industrial Strategy (BEIS), which did not respond.
"Trust but verify should be our motto," Woodward said.
But Lee remained unconvinced. "No matter how great it is to try to build bridges, the time and location is generally not national critical infrastructure," he said.