Case Studies

Proposed security and resilience for data centres

by Mark Rowe

UK Government is proposing security and resilience for data centres operating in the UK as protection against potential disruption – such as cyber-attacks and extreme weather.

The Department for Science, Innovation and Technology (DSIT) has published a consultation asking for views before February 22. It's proposed that data centres would have to take 'appropriate and proportionate technical and organisational measures to protect and enhance the security and resilience' of their facilities, to a defined baseline. That baseline would take in the IT networks, BMS (building management systems) and the like; the physical and cyber security of facilities; personnel and incident reporting; and the supply chain (whether the electricity grid or equipment).

As for how to make such proposals happen, the consultation document says Government is 'taking a policy-first and statutory vehicle-agnostic approach'. In plainer English, the proposals might come in via specific legislation, or not; Government may align data centres with other regulations, or bring data centres within the NIS (Network and Information Systems) Regulations. In the consultation document the Government says it does not (for now) propose a new regulatory body.

In a foreword, Minister for Data and Digital Infrastructure at DSIT, Sir John Whittingdale, said that the abundance, importance and value of data accumulating in or passing through such infrastructure makes it an attractive target to those who may have the intention or capability to threaten the UK’s national security, economy, or ways of life, or seek access to data for other malign or criminal purposes.

Sir John Whittingdale wrote: “Like any infrastructure, data centres can also be vulnerable to natural phenomena, especially extreme weather, which have the potential to disrupt continuity of data access. Ensuring the security and resilience of data storage and processing infrastructure is of national interest. The UK government’s unique position as steward of the economy and society, with sight across the entire system, means we have a responsibility to identify aggregate, emergent and national security risks that may not be a priority for any single organisation or sector.”

As for how to test against any standard and gain assurance, the consultation document says that UK Government intends to work with the National Cyber Security Centre (NCSC), the National Protective Security Authority (NPSA), the British Standards Institution (BSI), and 'industry, experts, and regulators', on how 'standards can inform sector-appropriate security and resilience measures'.

The proposals arise from the risks of what the consultation calls 'national harm resulting from significant security or resilience shocks', which 'could be far greater than commercial harm to any one operator, and thus commercial drivers are not sufficient to drive the level of security/resilience standards required in the national interest'. The document says some risks are 'unmitigated, under-mitigated, or inconsistently mitigated'. It's probable, the document states, that the risk and frequency of many of these threats, hazards and vulnerabilities manifesting will increase over time, 'as the attack surface across sites and interconnected infrastructure grows, means of penetration evolve and become more sophisticated, and natural hazards intensify with climate change'.

© 2024 Professional Security Magazine. All rights reserved.