This country update provides insights into how the United Kingdom protects its civil nuclear materials, facilities, and other assets, drawing on interviews with government officials and industry practitioners. As a mature nuclear country, the UK has decades of experience implementing nuclear security at a wide range of facilities. Rather than attempt to summarize this in its entirety, this update focuses on three important and recent developments – the adoption of a goal-setting approach to nuclear security regulation; increased efforts to develop nuclear security culture programmes within industry; and the UK’s response to the COVID-19 pandemic. Exploring these topics in detail can provide useful lessons that may be relevant to other countries. After providing a brief overview of the UK’s nuclear sector, this memo then considers the UK’s nuclear security regulatory transition, before exploring how industry has sought to strengthen security culture, and then finally examining how security has been affected by COVID-19.
Nuclear Sector – An Overview
The United Kingdom has a longstanding civil nuclear programme that dates back over sixty years and includes the development of the world’s first commercial nuclear power reactor, Calder Hall, which came online in 1956.1“Sellafield completes defueling of Calder Hall,” World Nuclear News, last modified 3rd September 2019, https://world-nuclear-news.org/Articles/Sellafield-completes-defueling-of-Calder-Hall. Over time, the UK has developed the full nuclear fuel cycle, including enrichment and reprocessing. The latter has been utilized to separate significant amounts of plutonium from spent nuclear fuel, creating the world’s largest civil stockpile, currently estimated at 139 metric tons.2Christopher Fichtlscherer, Friederike Frieß, and Moritz Kütt, “Britain has 139 tons of plutonium. That’s a real problem,” Bulletin of the Atomic Scientists, last modified 17 April 2020, https://thebulletin.org/2020/04/britain-has-139-tons-of-plutonium-thats-a-real-problem/. The plutonium was originally intended for reuse in commercial UK power plants, but this has yet to be realized. Consequently, its long-term management has come under increasing scrutiny, given the potential safety and security risks the stockpile poses.
In terms of nuclear power generation, the UK is currently in a state of transition. Half of the UK’s 15 operating nuclear power reactors, which supply approximately twenty percent of Britain’s electricity, are set to be retired in the next four years.3“Nuclear Power Generation in the United Kingdom,” World Nuclear Association, last modified August 2021, https://world-nuclear.org/information-library/country-profiles/countries-t-z/united-kingdom.aspx. A nuclear new build programme was initiated in the late 2000s, with the first reactor under construction at Hinkley Point C forecast to begin electricity generation in 2026.4“Hinkley Point C delayed until at least 2026,” World Nuclear News, last modified 27 January 2021, https://world-nuclear-news.org/Articles/Hinkley-Point-C-delayed-until-at-least-2026. In total, the UK nuclear industry currently employs approximately 60,000 people, who work in a diverse range of environments, from low-level waste facilities, to operational nuclear power plants, to large legacy sites undergoing decommissioning.5“Sites/Facilities that we regulate”, Office for Nuclear Regulation, https://www.onr.org.uk/regulated-sites.htm (Accessed 5 October 2021).
The UK’s most important national nuclear security legislation is the 2014 Energy Act, which established the Office of Nuclear Regulation (ONR) as a public corporation responsible for regulating nuclear safety and security.6“Energy Act”, UK Parliament, https://bills.parliament.uk/bills/1110 (19th December 2013). The Act also includes as a relevant statutory provision the 2003 Nuclear Industries Security Regulations (NISR), which categorizes different types of nuclear material from a security perspective, requires nuclear sites to have a security plan in place, and specifies how they should be reviewed and maintained.7“Nuclear Industries Security Regulations 2004”, Cabinet Office, April 2014, https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/365957/Nuclear_Industries_Security_Regulations.pdf. The NISR also outlines security requirements for the transportation of nuclear material and the protection of sensitive nuclear information. The approach taken in these and associated regulatory documents is consistent with international nuclear security treaties, such as the Amended Convention on the Physical Protection of Nuclear Material, to which the UK is a long-term signatory. The UK’s approach to nuclear security is also underpinned by principles and concepts outlined in key international guidance.8For example, guidance found within the International Atomic Energy Agency’s (IAEA) Nuclear Security Series https://www.iaea.org/resources/nuclear-security-series (Accessed 5 October 2021).
Examples include the development of a Design Basis Threat, referred to in the UK as the Nuclear Industries Malicious Capabilities (Planning) Assumptions (NIMCA), which outlines adversary capabilities; the establishment of a nuclear regulatory body independent of government and industry; a graded approach to the implementation of nuclear security, where measures are proportionate to the potential consequence of a successful attack; and the promotion of defense-in-depth, where layers of security are constructed around potential targets.
A Regulatory Transition – From Prescriptive to Goal-setting
The UK’s approach to nuclear security regulation has transitioned over the past decade from a largely prescriptive rules-based system to one that operates a goal-setting approach. The differences between these two general approaches to regulation, a rules-based regulatory (RBR) regime and a goals-based regulatory (GBR) regime, including their strengths and weaknesses, are summarized in Figure 1. For RBR regimes, regulations are precise, telling operators what they can and cannot do, with limited exceptions or flexibility. This can lead to largely mechanical decision-making on the part of the operator and regulator. In contrast, GBR regulations tend to specify higher-level objectives rather than particular actions. This provides more flexibility with implementation and encourages operators to take greater responsibility when thinking through what measures to apply, while also allowing the regulator to tailor its approach to enforcement. As outlined in Figure 1, both regimes have their advantages and disadvantages. Their use will depend on the industry in question, what is to be regulated, and other factors.
The UK’s change in regulatory approach was driven by growing interest in a nuclear newbuild programme and a push by the UK government for more efficient regulation with better integration of nuclear security and safety—nuclear safety has long been regulated through a goals-based system. More broadly, this move also reflected the UK’s “longstanding policy interest in alternatives to traditional regulation across a range of areas of activities”, with the goal of providing “better” regulation and “reducing the regulatory burden on business”.10Christopher Decker, ”Goal-Based and Rules-Based Approaches to Regulation”, BEIS Research Paper Number 8, last modified May 2018, pp. 9, https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/714185/regulation-goals-rules-based-approaches.pdf. In the nuclear security context, an effectively implemented goal-based regulatory framework has the potential to empower industry to develop more innovative and efficient security solutions. This can be particularly beneficial when it comes to responding to rapidly changing threats, such as the deployment of cyber security measures, and the regulation of new technologies, for example, next-generation Advanced Modular Reactors and Small Modular Reactors.
The UK’s first major step towards a goals-based system came with the publication of National Objectives, Requirements and Model Standards (NORMS) for nuclear security in 2012.11“ONR rolls out new security guidance to industry”, Office for Nuclear Regulation, 29 October 2012, https://news.onr.org.uk/2012/10/onr-rolls-out-new-security-guidance-to-industry/. This replaced the existing Technical Requirements Document as the basis for nuclear security assessment and was intended to encourage industry to adopt an approach where solutions were developed to meet higher-level objectives. In practice, however, implementation suffered from several challenges. First, while operators were consulted prior to its publication, their ability to input into its formulation was relatively limited, reducing initial levels of buy-in and understanding.12Findings from author interviews with various UK nuclear industry stakeholders (January-August 2021). Second, the language within NORMS was largely directive in tone, making it unclear where flexibility existed for coming up with new approaches.13Findings from author interviews with various UK nuclear industry stakeholders (January-August 2021). Third, the inclusion of Model Standards within NORMS meant that these could be closely followed by operators without the need to develop independent capability and understanding in this area.14Findings from author interviews with various UK nuclear industry stakeholders (January-August 2021). Finally, and arguably most importantly, there still existed a culture of prescription within the industry, embedded within both the regulator and operators, which proved difficult to shake and served to stifle potential innovation.
Ultimately, this led to the redevelopment of regulatory guidance from NORMS to Security Assessment Principles (SyAPs), published in 2017.15“Security Assessment Principles (SyAPs),” Office for Nuclear Regulation, https://www.onr.org.uk/syaps/ (Accessed 5 October 2021). These SyAPs were distinct from their predecessors in that they were a series of high-level principles, formulated as objectives, which functioned as the foundation upon which security practices could be designed. Given the high level at which these were written, it also meant that they could be published openly along with associated Technical Assessment Guides, helping improve transparency and broader confidence in the regulatory regime.
SyAPs were also formulated to be consistent in terms of language and approach with the pre-existing nuclear Safety Assessment Principles, which made them digestible to key people outside of the direct security function. This new regulatory formulation was perceived to have a number of advantages over NORMS. First, given the absence of universal standards, operators were forced to internally evaluate risk and design appropriate security systems. Second, the higher-level language and emphasis on strategic issues such as leadership and organizational culture proved useful in further engaging the management of nuclear facilities on security issues.16For a detailed treatment of the UK’s nuclear security regulatory transition please see M. Sims, ”ONR’s Experiences from Adopting an Outcome Focused Approach to Civil Nuclear Security Regulation,” International Conference on Nuclear Security (ICONS), Paper #303, March 2020.
While the relative performance of goal setting compared with prescriptive nuclear security regulation in the UK has not yet been evaluated, there are still a number of useful lessons that can be extracted from this transition. The most important of these is that a move away from prescriptive regulation is likely to take considerable time and effort. Here, detailed consultation with industry can serve as a key enabler and one which can be considered of equal if not greater importance than the development of new regulatory documents.
In the case of the UK, recognizing some of the limitations of NORMS resulted in a prolonged period of consultation with industry over SyAPs. This lasted several years, with industry inputs into the early formulation of this document. This back and forth was deemed by some in industry as equally important as the final document itself, as it enabled trust to build up between the regulator and operators, who were able to better understand what the new regulatory approach aimed to achieve.17Findings from author interviews with various UK nuclear industry stakeholders (January-August 2021).
This prolonged transition is also reflective of the time it takes operators to establish and utilize greater in-house security-assurance capabilities, something that may present an intrinsic challenge for smaller license holders where security personnel numbers are necessarily limited. This has been recognized by ONR, who have sought to provide additional support in this area, through the publication of a guide for smaller duty holders on the application of SyAPs.18“Guide for Smaller Dutyholders to the Application of the Security Assessment Principles”, Office for Nuclear Regulation, Last modified July 2019, https://www.onr.org.uk/documents/2019/saps-small-dutyholders.pdf.
Efforts to Strengthen Nuclear Security Culture
The importance of security culture in mitigating a wide range of threats, in particular those posed by cyber-attacks and insiders, has been increasingly recognized in the nuclear sector. This is part of a more holistic approach to security that emphasizes the shared nature of responsibility and the roles that all staff in an organization can play in identifying and combating potential risks.
In the UK context, the importance of security culture has been promoted as part of critical national infrastructure for more than a decade. At the national level, the Centre for the Protection of National Infrastructure (CPNI), established in 2007, and the National Cyber Security Centre (NCSC), set up in 2016, provide important guidance and support for industry in this area. This includes materials for use in awareness-raising campaigns, empirical studies into evolving threats, and tools to support the benchmarking of security culture. For example, CPNI has developed a suite of survey-based Security Culture Assessment Tools (SeCuRE), which are widely utilized within the nuclear industry.19“SeCuRE 4: Assessing Security Culture”, Centre for the Protection of National Infrastructure, Last modified 25 March 2021, https://www.cpni.gov.uk/secure-4-assessing-security-culture.
At the operational level, different nuclear companies have launched a range of different campaigns aimed at growing a culture of security within their workforces. While tailoring the campaigns to the needs of their different organizations is essential, there are nevertheless several commonalities and lessons that can be extracted from these efforts.20Karl Dewey, George Foster, Christopher Hobbs and Daniel Salisbury, Nuclear Security Culture in Practice: A Handbook of UK Case Studies, 2021, https://www.kcl.ac.uk/csss/assets/nuclear-security-culture-in-practice-2021.pdf. First, leadership buy-in and active engagement are critical to the effectiveness and sustainability of the programme. Here, successful engagement and messaging strategies included framing security initiatives around business requirements and the use of broader risk management terminology to help establish security as a “business enabler,” as opposed to an unnecessary and expensive cost.21Karl Dewey, Christopher Hobbs, George Foster, and Sarah Tzinieris, ”Reconceptualising Nuclear Security as a Business Enabler: Opportunities and Challenges”, IAEA International Conference on Nuclear Security, March 2020, https://kclpure.kcl.ac.uk/portal/files/127190987/IAEA_CN_278_FINAL.pdf.
This practice was further cemented in several organizations through the establishment of a security-focused executive position and through the incorporation of security targets into corporate milestones. These might include, for example, the alignment of security programmes with broader industry standards or the utilization of national tools and guidance, such as those produced by CPNI and the NCSC. An addition specific to the UK context is certain organizations seeking to utilize the changing regulatory landscape when engaging their leadership on security: emphasizing the potential reputational benefits and reduced regulatory costs that early alignment with SyAPs could bring.22Dewey, Foster, Hobbs and Salisbury, Nuclear Security Culture in Practice: A Handbook of UK Case Studies, pp. 16.
A second lesson is to increase awareness and understanding of security issues within a diverse workforce. It is essential that security culture campaigns are made relatable to different occupational groups. This is arguably best achieved through targeted training and engagement activities: utilizing a mix of strategies with emphasis placed on variety, the encouragement of lateral thinking, and two-way discussion.23Dewey, Foster, Hobbs and Salisbury, Nuclear Security Culture in Practice: A Handbook of UK Case Studies, pp. 18, pp. 27. For example, UK nuclear organizations made use of both large workshops and smaller working groups, the latter of which allow for a detailed discussion on how security is most effectively integrated into different working processes. As for training materials, these were stripped of jargon, regularly refreshed, and used a mix of real-life case studies, short quizzes, scenario-based discussions, table-top exercises, and red-teaming.24Dewey, Foster, Hobbs and Salisbury, Nuclear Security Culture in Practice: A Handbook of UK Case Studies, pp. 28-29.
Third, it is crucial that nuclear security culture is regularly assessed so that any potential deficiencies can be identified and addressed. Such assessments help demonstrate that systems are robust against the full range of threats and inform the development of new nuclear security culture-related initiatives. Here, UK organizations have implemented a number of different approaches, including regular security challenges, such as ID badge checking, and cyber penetration testing exercises. These have been complemented by more involved nuclear security culture self-assessments, utilizing methodologies and tools advanced by the IAEA and key stakeholders, such as CPNI’s SeCuRE toolkit.
Finally, it is worth emphasizing that security culture does not exist in a vacuum but shares a common basis with safety and broader organizational culture. Consequently, there may be scope for pre-existing approaches and promotional methods to be adapted or combined. This has been the case for several UK nuclear organizations, where joint safety-security-related awareness-raising and training activities were developed, and existing safety systems were adapted to include security.
Responding to COVID-19
Like many countries, the UK has been seriously impacted by the COVID-19 pandemic, which has damaged the economy, put significant strain on the national health service, and disrupted individuals’ daily lives. The nuclear sector has also faced a number of challenges due to COVID-19, which in early 2020 did not feature prominently in many organizations’ risk registers (these aim to capture the likelihood and consequence of key risks and identify mitigation measures). This is despite pandemics being identified in the UK’s national risk register (which provides resilience guidance for industry and the public) as a high-likelihood, high-consequence event.25‘National Risk Register of Civil Emergencies: 2017 Edition’, Cabinet Office, https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/644968/UK_National_Risk_Register_2017.pdf (September 2017). Practically, this meant that while some organizations had pandemic plans, these were not regularly exercised or particularly detailed. Consequently, some plans had to be developed and rolled out rapidly, working with key stakeholders in government, ONR, and the Civil Nuclear Constabulary (CNC), which provides an armed response at UK nuclear sites. Despite these limitations, several organizations noted that plans did provide useful starting points, although they required considerable fleshing out.26Findings from author interviews with various UK nuclear industry stakeholders (January-August 2021).
There was a considerable focus in the initial response on absenteeism due to COVID-19, both in terms of infections and enforced isolation, and how this could potentially degrade security and safety. Within the CNC in particular, the nature of their work necessarily involves physical patrolling and coming into close contact with colleagues. Absenteeism was combatted, in part, by designating staff as ‘key/critical workers’ and putting them on the priority list for vaccinations, enabling them to take daily tests rather than isolating, and in some cases placing them in ‘bubbles’ to limit interaction outside of their shifts.27Findings from author interviews with various UK nuclear industry stakeholders (January-August 2021). Despite these measures, ONR reported that the UK nuclear sector saw a peak pandemic-related absence of just under 20%, although there was sufficient redundancy in the system to seemingly avoid any major disruptions or degradation of security.28Elodie Broussard, ‘How Safety and Security Regulators Addressed Challenges During the COVID-19 Pandemic’, IAEA, last modified 24 September 2020, https://www.iaea.org/newscenter/news/how-safety-and-security-regulators-addressed-challengesduring-the-Covid-19-pandemic; “Covid-19: ONR Position”, Office for Nuclear Regulation, 12 April 2021, http://news.onr.org.uk/2020/11/Covid-19-onr-position-180920/.
In this area, one thing that is deemed to have helped, and is likely to be continued even when the effects of COVID-19 subside, was the initiation of expanded reporting. Here a RAG (Red, Amber, Green) model was developed for UK nuclear sites, with information collected daily on key indicators such as absenteeism rates, COVID-19 cases, numbers of people working remotely, and cyber security controls in place.29Findings from author interviews with various UK nuclear industry stakeholders (January-August 2021). This was used by the UK government and the regulator to ascertain levels of operational sustainability, supporting the identification of any concerning trends, and aiding the subsequent response.
As outlined earlier, the UK has transitioned to a relatively unique goal-setting approach to nuclear security regulation that impacted the response to COVID-19. This meant that emphasis was placed on operators modifying and justifying any changes to security, rather than prescriptive directions coming top-down from the regulator. Here, operators perceived flexibility and autonomy as important enablers in the development of bespoke COVID-19 solutions for their individual sites, helping to maintain both security and protect the health of personnel. Furthermore, regulators leaned on the security assurance mechanisms established as part of this new regulatory system, with onsite regulatory inspections reduced to limit the risk of infection. Instead, greater emphasis was placed on desk-based assessments and internal assurance processes. This is also something that is likely to be continued long-term due to the already observable efficiencies that this new approach offers.30Findings from author interviews with various UK nuclear industry stakeholders (January-August 2021).
In terms of physical security, only minor modifications were made, with reductions in on-site staff even serving to simplify certain measures; for example, entry and access points were consolidated at certain sites.31Findings from author interviews with various UK nuclear industry stakeholders (January-August 2021). Arguably, the biggest challenge experienced was with regard to physical security maintenance and testing, with some third-party security suppliers unable to come onsite due to the infection risk. This led to delays in security maintenance and testing, as well as broader supply chain issues. To combat the latter of these, some nuclear organizations have continued to pay their security suppliers, despite them being unable to conduct their work, in order to avoid them going into financial difficulties and potential bankruptcy. As for information and cyber security, the rapid move to working from home in early 2020 posed a significant challenge, given the large numbers of staff that had to be transitioned from on-site working. Unsurprisingly, this resulted in a limited number of cases where staff did not fully comply with new computer security protocols.32Findings from author interviews with various UK nuclear industry stakeholders (January-August 2021). However, these were largely flagged automatically via network monitoring tools, with the identified individuals subsequently being provided with additional security training.
This paper has explored a number of key interrelated nuclear security developments that have occurred in the United Kingdom in recent years. Here, focus has been placed on understanding how higher-level issues translate to the operational level, the challenges encountered by industry, and how these have been overcome. While nuclear security remains a national responsibility and the approaches of countries vary, it is hoped that useful lessons can be taken from the UK’s experience in the aforementioned areas. In particular, this paper provides insights that may inform those considering a move away from prescriptive nuclear security regulation and others who seek to promote nuclear security culture and combat the challenges posed by COVID-19.
Christopher Hobbs is Professor of Science and International Security at King’s College London and Director of the King’s Institute for Applied Security Studies. He also serves as Programme Director for the UK’s Nuclear Security Culture Programme (NSCP) and is a member of the Advisory Board for the International Nuclear Security Forum (INSF). A physicist by training, he has published widely on nuclear security and non-proliferation issues.