The Minister for Communications, Climate Action and the Environment, Mr. Richard Bruton T.D. today (Friday the 27th of September 2019) published new cybersecurity guidelines for operators of essential State services to safeguard against cyber-attacks and other cyber risks.
There are around 70 organisations designated as 'Operators of Essential Services' in the State. These are bodies which manage critical infrastructure and are spread across the health, energy, transport, financial services, drinking water and digital sectors.
Minister Bruton said,
"We must ensure that those who operate essential services in the State are protected from hacking and other cyber risks. These new guidelines will ensure that the relevant organisations have the necessary safeguards in place to protect themselves and the people they serve."
In accordance with the guidelines, operators are required to follow best practice, identifying risks to their systems and putting in place robust protection and detection mechanisms. The guidelines also set out a protocol in relation to responding to a cyber-security incident.
The guidelines set out a number of principles, which operators are expected to apply when putting in place safeguards. Security measures must be:
- Effective now and into the future
- Tailored to the individual organisation's needs
- Compatible with the organisation's needs and the services it provides
- Proportionate to the risks
- Concrete and easy to understand, with clear lines of responsibility
- Verifiable to ensure the service can provide evidence that the relevant policies have been followed
These guidelines will complement a broader suite of measures for protecting State infrastructure, to be contained in the new National Cyber Security Strategy, which is currently being finalised.
Minister Bruton said,
"Internet based technologies are now fully embedded in everything we do. This has huge benefits but brings with it new risks which we must safeguard against. These new guidelines will ensure our essential services operate in accordance with best practice."
The full guidelines are attached.
Notes to Editor
The guidelines relate to the EU's Network and Information Systems Security Directive, transposed into Irish Legislation under S.I. 368 of 2018 on 18th September 2018. The Guidelines are designed to assist Operators of Essential Services (OES) in meeting their network and information system security and incident reporting obligations under Regulations 17 and 18 of S.I. 360 of 2018: European Union (Measures For A High Common Level Of Security Of Network And Information Systems).
The guidelines were initially published in draft form, for the purposes of affording persons an opportunity to make written representations. The deadline for submissions was 27 February 2019. The representations have been considered prior to publication of the final version of the guidelines.
National Cyber Security Strategy
The National Cyber Security Strategy is being finalised, led by a High Level Steering Group consisting of representatives from across Government. A detailed public consultation was launched in March, and five thematic consultation groups were also used to engage in a more detailed way with the key challenges. The Strategy will also benefit from the operational experience of the National Cyber Security Centre, both in terms of incident response and the implementation of the mechanisms under the NIS Directive. The Strategy is in its final stages of drafting, and will be published in due course, following Government Approval.