Thales Blog

Preparing for Hong Kong’s Protection of Critical Infrastructures (Computer Systems) Bill

March 6, 2025

Richard Chiu | Sales Engineering Manager for Hong Kong

Critical infrastructure includes all the assets, systems, facilities, and networks that are essential to the proper functioning of a society’s economy, national public health, safety, or security. It has never been more crucial to protect this critical physical and cyber infrastructure to assure the health and security of every citizen. Implementing critical infrastructure security requires a comprehensive and proactive approach that addresses various security aspects. Like many other places, Hong Kong is also about to have the Protection of Critical Infrastructures (Computer Systems) Bill ready.

Even though the Bill is not going to be effective until 2026, critical infrastructure organizations in Hong Kong should begin preparations as early as possible. With this in mind, here’s an overview of the Protection of Critical Infrastructures (Computer Systems) Bill, its requirements, and how Thales’ solutions can help organizations prepare for this coming journey.

What is the Hong Kong Protection of Critical Infrastructures Bill?

The Hong Kong SAR government has developed the Protection of Critical Infrastructures (Computer Systems) Bill to enhance cybersecurity standards in the region for essential services (including the energy, information technology, and healthcare sectors) and for critical societal or economic activities (such as performance venues and research and development parks).

Specifically, the Bill aims to protect the security of:

  • Critical Computer Systems (CCS): Computer systems essential for core functions and the provision of essential services and systems that, if interrupted or damaged, will seriously impact the normal functioning of critical infrastructure.
  • Critical Infrastructure Operators (CIO): Designated operators who operate a Specified CI.

Failure to comply with these Codes of Practice (CoPs) once the regulation takes effect may result in fines, the maximum amount of which ranges from HK$500,000 to HK$5 million, plus additional daily fines for persistent non-compliance with certain continuing offenses, the maximum of which ranges from HK$50,000 to HK$100,000.

It’s worth noting that the obligations and requirements under the Bill, and the offenses and penalties that follow from non-compliance, are imposed on CIOs at the organizational level only and are not designed to target their staff at the individual level.

Requirements of the Protection of Critical Infrastructures Bill

The Hong Kong Protection of Critical Infrastructures Bill lays out its requirements in the form of a Code of Practice (CoP). While we don’t have time to cover each CoP in detail, the table below provides a broad overview of the key elements of a computer-system security management plan.

Code of Practice: Description

  • Establish a Monitoring and Detection Mechanism: Implement anomaly detection and review the monitoring system bi-annually.
  • Adopt a Security by Design Approach: Integrate security throughout the CCS lifecycle.
  • Asset Management: Maintain an inventory and limit access on a “need-to-know” basis.
  • Access Control and Account Management: Authorize users, enforce the principle of least privilege, and conduct periodic access reviews.
  • Privileged Access Management: Control admin access and designate privileged users.
  • Cryptographic Key Management: Secure key generation, storage, and usage.
  • Physical Security: Secure data centers and computer rooms.
  • Network Security Control: Allow authorized traffic only, implement firewalls, etc.
  • Implement Cloud Computing Security: Define responsibilities and implement protections.

How Thales Can Help You Meet Compliance Requirements

Thales offers a comprehensive suite of cybersecurity solutions spanning three key areas – Application Security, Data Security, and Identity and Access Management – that can help organizations meet the Codes of Practice laid out in the Hong Kong Protection of Critical Infrastructures (Computer Systems) Bill.

Application Security

Our Application Security offering, provided by Imperva, a Thales company, protects applications and APIs at scale in the cloud, on-premises, or in hybrid models. It includes various market-leading solutions, including Web Application Firewall (WAF) protection against Distributed Denial of Service (DDoS) and malicious bot attacks, security for APIs, a secure Content Delivery Network (CDN), and Runtime Application Self-Protection (RASP), to help you meet the requirements laid out in the Protection of Critical Infrastructures Bill.

Data Security

The Thales Data Security product suite helps discover and classify sensitive data across hybrid IT and automatically protects it anywhere, whether at rest, in motion, or in use, using advanced encryption, tokenization, and key management. Thales’ solutions identify, evaluate, and prioritize potential risks for accurate risk assessment. They also identify anomalous behavior and monitor activity to detect potential threats and verify compliance, allowing organizations to prioritize where to allocate their efforts.

Identity and Access Management

Thales Identity and Access Management ensures seamless, secure, and trusted access to applications and digital services for your customers, employees, and partners. Our solutions limit the access of internal and external users based on their roles and context with granular access policies and multi-factor authentication, helping ensure that the right user is granted access to the right resource at the right time.

Read the Full eBook

To find out more about Hong Kong’s Protection of Critical Infrastructures (Computer Systems) Bill and how Thales’ comprehensive portfolio of cybersecurity solutions can help your organization meet compliance requirements, download our eBook, Complying with The Protection of Critical Infrastructures Bill in Hong Kong.