Published on 

Minister announces public consultation on new draft cyber security measures for Critical National Infrastructure

Minister for Community Development, Natural Resources and Digital Development, Sean Kyne T.D., has announced a new set of draft security measures for operators of key critical national infrastructure within the State.

The set of security measures relates to the EU’s Network and Information Security Directive which will be implemented on the 10th May 2018. In order to achieve the Directives’ objectives, each Member State has to establish a set of security requirements that ‘Operators of Essential Services’ will be required to implement within their organisation. These operators will be selected and defined in law early in 2018, however those entities likely to be selected have already been informed as such. The set of security principles describe the mandatory principles that all operators will be required to achieve within their organisation.

The model set of security principles consist of five themes which provide a high level view of an organisation’s management of cybersecurity risk. These five themes are Identify, Protect, Detect, Respond and Recover. The method and timing of implementation of the actions and controls under each theme will vary between OES, depending on their own risk assessments and the specifics of the sector in which they operate. Each operator should evaluate, and implement as appropriate, measures to address the five key areas taking into account the individual environment and sector within which they operate and the identified risks of their own organisation.

It will be the responsibility of the OES to be able to demonstrate to the National Competent Authority (the National Cyber Security Centre) that they are applying these mandatory security principles, and measures associated with those principles that allow for the protection of network and information security within their organisation. OES will be responsible for identifying the network and information systems that will need to comply with the Directive’s security requirements around the security of the essential service they provide.

Minister Kyne said: “The model set of security principles mark a substantial step forward that all operators of essential services in the critical national infrastructure sectors will have to implement in order to help secure their organisations from a cyber security perspective. There are continuous challenges that operators of essential services emerging every day and it is critical that we rise to meet them.

The scale and impact of cyber attacks continue to grow, largely because IT and digital technology underpins almost all services on which households, businesses and communities rely. Infrastructure such as energy, telecommunications and transport networks and services such as healthcare and education, have been optimised through internet technology. This connectedness, however, can also make an organisation or a system vulnerable.

"In government we are working to ensure our country is safe and has the capability to tackle any and every cyber security incident. The National Cyber Security Centre has seen a substantial increase in resourcing and has relocated to a new premises, all since I became Minister of State for Digital Development.

"Identifying the 'Operators of Essential Services' in Ireland will help prioritise cyber security within those organisations while also ensuring that the NCSC will be able to continue to provide guidance and support for combatting attacks as and when they arise."

These draft measures will be open for consultation until the 20th of December.