Data Centres – Critical National Infrastructure?

There has been a flurry of activity today on social media regarding the announcement by the UK Government about adding data centres to the list of 'Critical National Infrastructure (CNI)'. You can see the BBC's take on this here, and DCD's here.

However, some data centres were already classified as CNI if they hosted government communications or blue light services; the previous list can be found on this link under the 'telecommunications' section.

So, in essence, nothing to see here, or is there?

Let's look into a bit of detail. The actual announcement on the Department of Science, Innovation and Technology can be found here, and I quote:

Today (Thursday 12 September), the Technology Secretary Peter Kyle, has announced the government has now classed UK data centres – the buildings which store much of the data generated in the UK – as ‘Critical National Infrastructure’. It is the first Critical National Infrastructure (CNI) designation in almost a decade, since the Space and Defence sectors gained the same status in 2015.

It means the data housed and processed in UK data centres - from photos taken on smartphones to patients’ NHS records and sensitive financial investment information - is less likely to be compromised during outages, cyber attacks, and adverse weather events. Putting data centres on an equal footing as water, energy and emergency services systems will mean the data centres sector can now expect greater government support in recovering from and anticipating critical incidents, giving the industry greater reassurance when setting up business in UK and helping generate economic growth for all.

So, in effect, data centres have become a Utility, something we have long argued for. But as a Utility, such as electricity, water, emergency services and gas etc., we would expect to see some regulation, such as that contained within the Utilities Act 2000.

Let's look at the specific provisions...

Outages

I'm assuming that they mean electrical outages, but most data centres have backup generation systems (UPS, batteries and generators) anyway, with at least 3 days' supply of fuel on site and specific contracts to obtain more should the grid outage be prolonged (and this is extremely rare in the UK), so I'm not sure why this was mentioned.

Cyber Attacks

Colocation Data Centres provide hosting services to their clients, known as 'power, space and cooling', which is self-explanatory. Some provide an 'in-house' network infrastructure to link 'Meet Me Rooms' or 'MMRs' with the client's actual 'cages' or cabinets, in which case it would be the DC operator that is in charge of, and responsible for, the network and thus cyber security, and I know that they take this very seriously. Other operators allow clients to use their own equipment, and in this situation the client is responsible for their own network security. This area could be interesting, as it could mean that operators begin to install their own in-house networks in order to comply with the requirements of the CNI.

Adverse weather conditions

This is an interesting one as well, as in my experience most data centres have a disaster recovery plan and will invoke it as required. The real issue here, I think, is that the climate outlook indicates that more instances of extreme weather are likely, and that government, data centre operators and, for that matter, the rest of us should start to think about 'climate preparedness': what are we doing to mitigate or adapt to extreme weather conditions? Luckily there is guidance on this, the 'ISO 14090:2019 - Adaptation to climate change — Principles, requirements and guidelines', which will shortly be available on the carbon3it standards page. I fully expect to see that an assessment to this standard (which is not certifiable!) will be required.

Admin

We know that some sites have already been designated 'CNI', but what about the rest of them? Well, I think that the government are going to introduce some data centre energy efficiency and sustainability legislation, and it is likely that you will have to report your energy consumption, as well as other elements, to a central register. Currently there is a UK Climate Change Agreement (CCA) for Data Centres, with approximately 105 sites operated by 65 companies providing energy data. The CCA is currently only open to commercial-facing organisations, but it could be extended to cover enterprises in the future; this, in my opinion, is where mandatory reporting of your CNI will occur.

So, is this good news? On the face of it, it is, but as always it is a 'double-edged sword': with CNI comes regulation, and what this looks like is, at the moment, shrouded in mystery.

The good news is that Carbon3IT Ltd is well placed to find out and report. We're also geared up to assist all operators with any potential requirements; just drop an email to info@carbon3it.com or use the contact page on the website.

 



