We’re now six months on from the UK Government’s announcement that data centres would be reclassified as critical national infrastructure (CNI). This second instalment of our deep dive was intended to dig further into the implications for the wider security industry that supports data centres, and to examine the benefits of the change for the UK public. However, in the course of researching the issue, it has emerged that there remains a lack of clarity over what designation as CNI means in practice, so this piece will attempt to shed some light on the issue.
Firstly, it’s fair to say that we are currently only beginning to assail the foothills of what is likely to be a long and difficult climb. According to the Government Department for Science, Innovation and Technology (DSIT), “the CNI framework in the UK has no legislative basis and, therefore, has no regulatory impact for organisations deemed ‘critical’.”
And, if the CNI framework has no legislative basis, what does CNI designation really mean?
Security on Screen put several questions to the government department, but the responses back were somewhat vague.
A spokesperson said: “Data centres were designated as CNI because they are critical to the functioning of our economy and society. It signals the government’s intention to better partner with the sector to promote development and mitigate risks. We work directly with data centre operators to support their security and resilience and are committed to ensuring a consistent standard across and protecting UK CNI. Any future policies would be shared if and when confirmed.”
Lack of clarity
To highlight some of the confusion around the issue, one security professional we spoke to posited that data centres, on becoming a part of CNI, may now need to be compliant with the Telecoms Security Bill (2020), and that, as such, “High Risk Vendors” (some Chinese manufacturers) will need to be excluded from the “system”.
He said that “the system” is not just the site installation but if it is remotely monitored, then any ARC that is currently monitoring a data centre would potentially need to demonstrate they are NOT monitoring ANY other site that has “High Risk Vendor” equipment installed.
“It also means that any on-site equipment such as NVRs, VMS, servers and of course cameras are also not considered high risk vendors.
“You can see the implications are quite far reaching here and could spread throughout the industry,” he said.
We put this query to DSIT, who told us that the Telecoms Bill wouldn’t apply to data centres.

So, we cast the net wider, and the response from Glenn Stephenson, Datalec’s Operations Director – Electronic Security, has been helpful.
He commented: “It is not up to the Government to ensure that a data centre meets any criteria for CNI. Rather the other way round. It is down to the architects and consultants involved in the construction/fit out to ensure the data centre complies. However, it’s worth noting that since the announcement, there will not have been many CNI data centres go live in the UK.”
He added that there is clear guidance from the Government on what should be done to meet the criteria, and shared with us a government guidance document, which you can find here.
It does seem odd, though, that this information wasn’t shared by DSIT directly when we put our questions to them, but maybe that is because it doesn’t relate directly to data centres but to CNI generally.
On the implications for the wider industry – those directly supplying data centres, and peripheral security services – Stephenson continued: “It will be prudent for anyone supplying security services to the data centre industry to ensure they are aware of the CNI guidance and requirements and to ensure that any recommended products are compliant.”
High-risk vendors
We also put our Vendor Member’s query regarding the Telecoms Bill to Stephenson, who told us: “The UK Government banned all Chinese manufactured security products from being used in any buildings (including those covered by CNI status) in November 2022. Demonstrated by the decision to remove Huawei from the UK 5G infrastructure. This is not new. The US Federal Government also implemented a similar ban. Most Data Centres and especially the ones headquartered in the US would follow this.”
He added that the reason that the Telecoms Bill does not apply is that data centres are not public networks.

Finally, we spoke to Andrea Monteleone, Segment Development Manager, EMEA, Critical Infrastructure, and Keiran Byrne, Architect & Engineering Manager at Axis Communications. Both agreed that no fixed guidelines are yet in place, and that any legislation to come would likely have to incorporate various global and EU standards and directives, such as NIS2 (the Network and Information Security (NIS) Directive, which is the first piece of EU-wide legislation on cybersecurity), the CRA (the Cyber Resilience Act), and the CER European directive (the Critical Entities Resilience Directive).
Compliance with EU and global directives
Essentially, all data centres that are designated as CNI will eventually have to comply with higher cybersecurity standards, and be able to demonstrate strong resilience in the face of any threat.
Monteleone said: “These European directives will impact and are already impacting a lot of critical infrastructure. It is so complex, so wide in terms of scope, and so impactful in terms of consequences on the market, that every government will try to move forward, step by step, leading the many Companies involved in the right direction, incrementally raising the general level of cyber security of all the entities falling under the critical infrastructure definition.
“Roughly 70 to 75% of the market we know right now will be directly or indirectly hit by the change.
“Back to the data centres. They will be the first sub-segment or the first industry forced to completely follow those rules – The EU already issued the first implementing regulation for this specific sub-segment – but the whole framework to follow is not clearly defined yet. Every company is responsible for its own activities and implementation right now, but still without some clearly defined guidance.”
He added that another complexity is that guidelines and certifications will have to be aligned across the globe, not only nationally or across Europe, approaching the problem in a very consistent way, both for the vendors and the end users.
“This is one of the many reasons Vendors and End Users are engaged in many discussions to find the best way to manage this transition.”
So, what do we know now?
- The CNI designation of data centres won’t be affected by the Telecoms Bill.
- The ban on “high risk vendors” may apply, but this is nothing new.
- Any coming legislation will have to incorporate various directives, including NIS2, CRA and CER, and standards, existing or new, will have to apply globally.
- No official ‘best practice’ is in place specific to data centres, but many companies are meeting most of the necessary criteria.
- Any regulatory changes will come into force incrementally.
Looking ahead
Looking forward, it is agreed that clarity and regulation are needed, and that the designation of data centres is a good thing.

As Domenico Scordo, NEMEA Surveillance Channel Manager at Seagate Technology, puts it: “Securing the storage and processing of sensitive data is critical for data centres, as the powerhouses of today’s digital economy. Therefore, there needs to be regulation in place to increase security across the industry. This proactive approach can lead to improved protections against cyber threats, ensuring that sensitive and personal information remains secure. It should also foster greater trust and confidence among stakeholders, including businesses and consumers.
“There may be challenges to consider. The costs associated with compliance may increase operational expenditures for data centre providers. Investing in new security infrastructure and processes to meet regulatory requirements could strain budgets, especially for smaller operators.
“On the plus side, an environment of enhanced security may also stimulate innovation within the industry. As data centres and vendors strive to meet higher security standards, we anticipate the development of new security solutions that improve data protection for everyone, benefiting the entire market.”
*top image caption – Artistic rendering of a typical data centre design for conceptual purposes, courtesy of Northumberland County Council (Read the first instalment, here)