Indonesia's Critical Infrastructure Framework
Indonesia's critical infrastructure protection framework is established by Presidential Regulation 82/2022 (Perpres 82/2022), which designates 11 sectors as critical infrastructure: energy, water resources, transportation, finance, health, food security, defense, information technology, government, industry, and media. The regulation assigns responsibility for critical infrastructure protection to the National Cybersecurity Agency (BSSN) as coordinator, with individual sector regulators responsible for their respective domains.
Critical infrastructure protection in the Indonesian context encompasses both cybersecurity and physical resilience. BSSN has progressively integrated business continuity management into its critical infrastructure framework, recognizing that cybersecurity incidents often trigger business continuity requirements and that organizational resilience requires coordinated approaches to security and continuity.
BCM Requirements for Critical Infrastructure Operators
Perpres 82/2022 does not prescribe a specific BCM standard, but it establishes the expectation that critical infrastructure operators have a documented, tested, and continuously improved business continuity capability. The regulation emphasizes that critical infrastructure operators bear responsibility to the national economy and public welfare, placing BCM in the context of national security and resilience.
BSSN has increasingly referenced ISO 22301 as the BCM framework that aligns with its critical infrastructure protection expectations. Organizations in designated critical infrastructure sectors that pursue ISO 22301 certification signal to BSSN and their sector regulator that they are implementing BCM in accordance with an internationally recognized standard. This differentiation has become increasingly important as BSSN supervisory scrutiny of critical infrastructure has intensified.
Sector-Specific Requirements
Each critical infrastructure sector has sector-specific BCM requirements. The following table shows how BCM requirements vary across key sectors and how ISO 22301 alignment differs:

| Critical Infrastructure Sector | Regulator | Key BCM Requirement | ISO 22301 Relevance |
|---|---|---|---|
| Financial Services | OJK | POJK 11/2022: Operational risk management includes BCM | High—direct alignment with POJK requirements |
| Payment Systems | Bank Indonesia | PBI 23/2021: 99.5% availability and 2-hour RTO | High—direct alignment with BI technical requirements |
| Telecommunications | Kominfo/Komdigi | Network availability and service continuity | High—critical for business continuity of other sectors |
| Energy | BPH Migas, PLN | Supply continuity and infrastructure resilience | Medium—operational continuity is primary focus |
| Healthcare | Kemenkes | Clinical service continuity and patient safety | Medium—adapted for clinical continuity context |
| Government ICT | BSSN | ICT resilience and national service continuity | High—BSSN framework increasingly aligns with ISO 22301 |

The National Cybersecurity Framework and BCMS
BSSN has published its National Cybersecurity Framework (Framework Keamanan Siber Nasional), which incorporates business continuity as a component of organizational resilience. The framework recognizes that cybersecurity incidents often activate business continuity responses and that BCM capability strengthens overall national resilience. Organizations subject to BSSN oversight (including critical infrastructure operators and government agencies) are increasingly expected to demonstrate both cybersecurity capability (ISO 27001) and business continuity capability (ISO 22301).
Risk Scenarios for Indonesian Critical Infrastructure
Critical infrastructure operators must assess risk scenarios specific to Indonesia's geographic and operational environment. The following table shows key threat scenarios that affect critical infrastructure sectors and the BCM considerations they raise:

| Threat Scenario | Affected Critical Infrastructure Sectors | BCM Consideration | Indonesian Geographic/Operational Context |
|---|---|---|---|
| Earthquake | All, especially finance/telecommunications/government | Alternate site outside fault zones; structural resilience assessment | 2009 Padang earthquake (M 7.6), 2018 Palu earthquake (M 7.5); Ring of Fire exposure |
| Flooding | Finance, transportation, government, energy | Jakarta flooding risk; alternate site elevation planning | Annual Jakarta flooding; monsoon impact on transport; drainage system capacity |
| Cyber Attack | Finance, government, telecommunications, energy | Ransomware response; BCP activation criteria; data breach handling | BSI 2021 incident; PDNS June 2024 ransomware; increasing threat sophistication |
| Extended Power Failure | All sectors | Generator capacity, fuel supply chain, load shedding impact | Frequent Sumatra/Kalimantan power disruptions; PLN capacity constraints |
| Pandemic/Health Emergency | All sectors | Remote work capability; split-team operations; supply chain continuity | COVID-19 experience; pandemic preparedness expectations post-2024 |

Building a Compliant BCMS for Critical Infrastructure
Organizations in BSSN-designated critical infrastructure sectors building an ISO 22301 BCMS should ensure that scope definition captures all critical functions and dependencies that BSSN recognizes. This means including not only the organization's internal critical functions but also dependencies on other critical infrastructure sectors (power, telecommunications, transportation) and the cascading effects of the organization's disruption on other sectors.
Stakeholder requirements should explicitly include Perpres 82/2022 obligations, sector regulator expectations, and BSSN guidance. Risk scenarios should be informed by Indonesian geographic and infrastructure realities, not generic international templates. For example, a financial services organization in Jakarta must include flooding and earthquake scenarios with realistic impact assumptions based on local infrastructure and history.
Coordination with National Authorities
During a major incident affecting critical infrastructure, BSSN may coordinate national response efforts, potentially bringing together sector regulators and multiple infrastructure operators. Organizations should prepare their BCM coordination procedures to interface with BSSN and sector regulators. This means pre-identifying who in the organization is authorized to communicate with BSSN during a major incident, pre-drafting notification templates, and participating in national-level exercises when BSSN or sector regulators organize them.
KEY IDEA: Perpres 82/2022 designates critical infrastructure protection as a national security priority. Organizations in designated critical infrastructure sectors that do not have a functioning BCMS face both regulatory risk and potential national security-level scrutiny in the event of a major disruption.
IMPORTANT: The PDNS ransomware incident in June 2024 demonstrated that government ICT operators are critical infrastructure targets. The post-incident regulatory environment has significantly increased BSSN expectations for BCM capability among government ICT service providers.
BITLION INSIGHT: Critical infrastructure operators that have achieved ISO 22301 certification find it provides a credible basis for engagement with BSSN on BCM capability. The certification demonstrates a structured, internationally recognized approach that aligns with BSSN's own framework references.