UK government eyes data centre security overhaul; may consider it CNI, create a new regulator
"Risks have also been identified in relation to data centre customer access to sites and facilities, and access by contractors or those providing supply chain services..."
The UK government plans to designate data centres as critical national infrastructure (CNI) and has launched a consultation on proposed new security and resilience rules for the sector, closing on February 22, 2024.
The UK data centre security consultation propses “deliberately outcome-based” rules around penetration testing and “mandatory incident reporting to a regulator, calibrated to an appropriate and proportionate level."
Data centre security and resilience is a “largely unregulated” sector in the UK as one law firm, Morgan Lewis put it this summer; data centres do not, for example, fall under the scope of 2018’s NIS regulations.
The 87-page UK data centre security consultation can be read here [pdf].
Announcing the consultation on December 14, the government (HMG) said: “A new regulatory function is also being considered, to make sure operators of data centre services report incidents and work with the sector to assure and test risk mitigation against threats and hazards.
It added: “The move is intended to encourage better transparency of information and cooperation across industry and the government so risks to the UK can be appropriately identified and addressed…”
The government is also looking to tighten up rules on personnel.
UK data centre security: Did someone say “regulator”?
The consultation proposes that HMG “establish powers for a regulator to mandate assurance, conformity assessment processes, and testing.”
Physical and personnel-related security come in for particular attention.
The consultation specifies that: “Insider threats can be exacerbated by outsourcing security and maintenance staff which interrupts continuous management and background checks of personnel, but can also result from inadequate management and controls related to direct employees, or corporate or operational processes… the government intends for baseline measures for access controls to systems to be set…”
It adds: “Risks have also been identified in relation to data centre customer access to sites and facilities, and access by contractors or those providing supply chain services or products. These risks may be mitigated by relevant operational security processes and protocols, but may justify the introduction of specific requirements” – it is asking for views on “government support that could help you conduct background checks.”
The data centre security consultation comes a year after NCSC’s annual review disclosed that efforts by the government over the past five years to map and strengthen CNI “including their interdependencies and supply chains” this year had “allowed the government to identify previously unknown CNI systems” – widely thought to refer to DCs.