Cyber-security experts say that worries about Chinese involvement in the Hinkley Point nuclear power programme are misdirected, and that there are far greater issues to be concerned about.
In particular they expressed concerns about internal versus external threats, security updates and the security of the plant's industrial control systems and SCADA.
Today China's ambassador to the UK warned the British government that delays in the Hinkley Point nuclear power plant deal jeopardise relations between the two countries as well as billions of pounds worth of investment.
This follows the surprise announcement at the end of July that the government would postpone signing the final contracts for the project until the autumn to allow time for a full review. The timing of the decision was awkward given that the board of the French energy company EDF had voted on 28 July to give final approval for raising the money needed for the project.
As unexpected as the move was, there are grave concerns within the intelligence agencies and the prime minister's own staff about the wisdom of allowing the Chinese to supply IT hardware and software for a key piece of the UK's critical national infrastructure (CNI).
Last year, concerns within the intelligence agencies came to a head when senior Whitehall intelligence sources briefed newspapers that GCHQ should be allowed to have “unfettered” access to the contractors working at the new Hinkley Point plant, to allay concerns about the Chinese involvement.
These concerns were picked up by Nick Timothy, who is now joint chief of staff to prime minister Theresa May. Timothy, writing in a blog for Conservativehome.com, voiced security, human rights and trade concerns about China, and said state-owned companies involved at Hinkley and other planned nuclear plants could “build weaknesses into computer systems which will allow them to shut down Britain's energy production at will”.
Nick Timothy quoted US national security adviser Susan Rice. As he paraphrased her: “Chinese cyber-enabled espionage ‘isn't a mild irritation, it's an economic and national security concern to the United States.' Not mincing her words any further, Rice said Chinese hacking ‘that targets personal and corporate information for the economic gain of businesses undermines our long-term economic cooperation and it needs to stop'.”
Timothy's words put into perspective the apparent volte face of May's administration, putting on hold (with an implicit threat of reversing) a deal that had been years in the making in the Cameron-Osborne government.
However, worries specifically about the Chinese building “loopholes” and backdoors into the IT systems at such a complex project are not focused on the real problem, according to the cyber-security experts SC spoke to.
“Yes, backdoors are a real problem. But even with no backdoors, an installation of this size and importance will be a magnet for external hacking,” said Norman Shaw, CEO at ExactTrak.
He questioned why the government was postponing the project at this time, given that coincidentally there is a UK trade delegation in China. “If we don't want their money, why go out there?” he asked.
Joe Sturonas, CTO of encryption company PKWARE, pointed out that it's not just nuclear facilities that hold sensitive data. “If the data is not protected properly from not only outside attack vectors, but also from insider threats, that infrastructure is at risk,” he said.
And he pointed out that the IT supply chain is truly global. “Assuming that hardware and software is secure, because it was produced in-country, is a fallacy. The way to mitigate bad actors, whether they be foreign, domestic, or even internal is through defence in depth and separation of duties.”
Steve Armstrong, managing director at Logically Secure, pointed out that on a project of this size it would be virtually impossible to avoid sourcing components from China.
His concern is ensuring that GCHQ gets unfettered access to Hinkley for the 35-year lifetime of the project – and that the agency be given additional funding for that. “Given the complexity and size of this undertaking, part of the contract should have included funding for GCHQ to be able to support this project and that should be regardless of the provider; this will take thousands of man-days to test, secure and monitor the systems correctly,” he said.
“One of the biggest challenges for this type of always-on, mission-critical system is that of ‘Security vs Stability' which will result in older and potentially vulnerable software being deployed,” he said. “We have all seen what happens when updates go wrong on our home or work systems – imagine if a nuclear power station had a Windows Blue Screen of Death?”
Keeping software and firmware secure and up to date will be difficult, especially as the update mechanism itself can be a source of vulnerability. He said the project will have to ensure that “any reach back to overseas support companies is secure and not hijacked by others for malicious purposes”.
This system will not be generating power for another nine to 11 years so there could be several versions of hardware and software installed, updated and deprecated in that timeframe, he said, a problem particularly relevant because SCADA/ICS systems have a poor history of software vulnerabilities and hardcoded weaknesses.
“Regardless of the prime contractor and their backers, building a modern nuclear power station in this day and age is a massive cyber-security undertaking and I hope it is given the attention, support and funding necessary to do it properly,” he said.
“Am I concerned that China is investing in the running of a UK nuclear power plant? In the grand scheme of things, no. Am I worried that the government will struggle to give GCHQ the funding to support the project and thus fail to be able to provide UK citizens with enough assurances as to its overall security? In the wake of recent events and the other demands on their time, sadly yes.”