Perpres 82/2022

Critical infrastructure security assessment under Perpres 82/2022

In short

OT/ICS and IT security assessments for critical information infrastructure operators mandated under Indonesia's Perpres 82/2022, coordinated by BSSN.

OT/ICS security assessment

Indonesia operates a network of physical and digital infrastructure that is deeply interdependent: power grids managed through SCADA systems, gas pipelines monitored from centralized control rooms, ports running terminal management systems, and water treatment plants governed by automated control systems. When any of these is disrupted, the impact extends well beyond a single organization and into the public services that depend on it.

Presidential Regulation No. 82 of 2022 (Perpres 82/2022) responds to this reality by establishing a framework for the protection of National Critical Information Infrastructure (Infrastruktur Informasi Kritis Nasional, or IIKN). The regulation designates BSSN as the coordinating agency, covers 11 sectors, and requires operators to conduct security assessments of their information systems.

This page is written for IT managers, operations directors, and compliance officers at organizations that fall within the IIKN designation, or are likely to, and need to understand what is required and how to get started.

Perpres 82/2022

Presidential Regulation No. 82 of 2022 on Critical Information Infrastructure Protection establishes the framework for identification, protection, and response across 11 designated IIKN sectors in Indonesia. BSSN coordinates with each sector's supervisory ministry to ensure operators meet their obligations for assessing and protecting critical information systems.

Coordinator: BSSN

Status: In effect since 2022

Eleven sectors in scope

Perpres 82/2022 designates 11 sectors as National Critical Information Infrastructure. Each sector has a supervisory ministry that coordinates with BSSN on implementation.

The sectors covered are: government, energy (including oil, gas, and electricity), transportation (ports, airports, and rail), finance, health, information and communications technology, food, water, defense, national industry, and emergency services.

For operators in these sectors, designation as IIKN carries concrete obligations: conducting security assessments of information systems, reporting cyber incidents, and implementing protective measures appropriate to the level of risk.

OT and IT as two distinct layers

Most critical infrastructure operators run two layers of technology with fundamentally different characteristics. The IT layer handles business systems, communications, and data, and follows security patterns that are more widely understood. The OT layer, which includes SCADA, DCS, PLC, and RTU systems, directly controls physical processes.

PLN operates SCADA systems for electricity distribution management. Pertamina and PGN manage pipeline networks through centralized control systems. Pelindo uses terminal management systems across major ports. PDAM and PAM Jaya control water treatment and distribution through automation systems. In all of these environments, a disruption to the control system can mean a disruption to a real physical service.

BSSN has published the Cybersecurity Guide for Industrial Control Systems to assist operators in securing their ICS/SCADA environments. This serves as one of the key local references for OT security assessments in the Indonesian context.

OT and IT asset inventory; OT/ICS risk assessment; IT penetration testing; Industrial network segmentation review; IEC 62443 control assessment; ISO 27001 control assessment; Incident response capability review; Vulnerability scanning

What an IIKN security assessment covers

A security assessment in the context of Perpres 82/2022 spans several interconnected areas.

The first is asset identification and inventory: mapping which systems fall within the IIKN scope and understanding how components connect to each other. This step frequently surfaces undocumented assets or unplanned connections between IT and OT networks.

Next is threat and risk analysis for the OT environment, which accounts for the characteristics of industrial protocols, patch availability for legacy devices, and attack scenarios relevant to the specific sector. Unlike a general IT risk assessment, OT risk analysis must weigh the impact on physical processes, not just data.

Security control assessment is conducted against applicable frameworks: IEC 62443 for OT components and ISO 27001 for the IT layer. This covers policy review, configuration, network segmentation, access management, and logging. Finally, incident response capability review assesses the operator's readiness to detect, contain, and report incidents affecting their critical systems.

Public service disruption

OT systems that are compromised or taken offline can cause outages, supply interruptions, or the failure of downstream services that depend on them.

Escalation to physical infrastructure

Unlike typical IT incidents, attacks on industrial control systems can directly affect physical processes and safety.

BSSN reporting obligations

IIKN operators must report cyber incidents to BSSN. Without visibility into your own systems, meeting this obligation becomes impossible.

Cross-sector dependencies

A disruption in one sector, such as energy, can cascade into others that depend on it: water, transportation, and manufacturing.

How Alpha Code helps

Alpha Code provides security assessment services for OT/ICS and IT environments operating under the Perpres 82/2022 framework. We begin by understanding the client's operational architecture, including network topology, control systems in use, and which parts of the operation fall within the IIKN scope.

From there we run an assessment tailored to the environment, using a methodology that accounts for the availability sensitivity of OT systems. Any active testing on OT environments is fully coordinated with operations teams to avoid disrupting running processes.

Assessment results are presented in a report that separates OT and IT findings, maps risks according to operational impact, and provides recommendations that can be acted on by both technical teams and management.

Scoping and architecture review; OT asset and risk assessment; Control assessment and testing; Reporting and recommendations

Next steps

Security assessment obligations for IIKN operators are ongoing, not a one-time exercise at the point of designation. Building a routine internal assessment capability, supported by periodic external assessments, is more sustainable than responding only when regulators ask.

If your organization operates in one of the 11 sectors designated under Perpres 82/2022 and does not yet have a clear picture of your OT and IT security posture, our team is ready to help you structure a first step that is concrete and proportionate to your operations.

This page is provided for general information purposes and does not constitute legal or regulatory compliance advice. For interpretation of obligations that apply to your specific organization, consult legal counsel or engage directly with BSSN and the supervisory ministry for your sector.

References

  1. Presidential Regulation No. 82 of 2022 on Critical Information Infrastructure Protection
  2. BSSN, Cybersecurity Guide for Industrial Control Systems (Panduan Keamanan Siber untuk Sistem Kontrol Industri)
  3. IEC 62443: Industrial Automation and Control Systems Security

Frequently asked questions

Operators designated as managers of National Critical Information Infrastructure (IIKN) across 11 sectors: government, energy, transportation, finance, health, ICT, food, water, defense, national industry, and emergency services.
