19th September 2018
Speaking at the Data Summit today Denis Naughten, TD, Minister for Communications, Climate Action & Environment announced important new security requirements that will apply to the network and information systems of critical national infrastructure providers in Ireland in areas such as energy, digital communications, transport, drinking water supply and healthcare. The requirements are mandatory principles that all Operators of Essential Services (OES) will have to meet within their organisations.
The security requirements, which have already been the subject of a public consultation will ensure that Ireland's critical national infrastructure is afforded the maximum protection against cyber-attacks and on-line threats.
Minister Naughten said: "Information technology and digital technology is an integral part of almost all services on which individuals, businesses, families and communities in this State rely. Critical National Infrastructure such as energy, telecommunications and transport networks and services such as healthcare, financial services, education and drinking water supply and distribution have been optimised through internet technology, which also increases their vulnerability to cyber-attacks."
The security requirements are built around five central themes; Identify, Protect, Detect, Respond and Recover, which provide an overall view of an organisation's management of cybersecurity risk. Each operator is required to assess and implement appropriate security measures to address the five key areas, taking into account sector specific factors and the identified risks of their own organisation and its environment.
The process of identifying OES has been underway for some time, and notification process will commence immediately, as those entities likely to be selected have already been informally notified that they have been designated as such. However, the method and timing of implementation of the measures under each theme will vary between OES, depending on their own risk assessments and the specifics of the sector in which they operate.
Minister Naughten continued: "Identifying these Operators of Essential Services (OES) in Ireland will help prioritise cyber security within those organisations and will also ensure that operations in the relevant critical national infrastructure sectors will have to maximise the preparedness of their computer networks information technology from a cyber-security perspective."
However, Minister Naughten stressed that OES will be responsible for identifying the network and information systems that will need to comply with the Directive's security requirements around the security of the essential service they provide; and also to be able to demonstrate that they are applying security principles and appropriate technical measures that will ensure the protection of network and information systems within their organisations.
In conclusion, Minister Naughten said: "These security principles mark a substantial step forward in that all operators of essential services in the critical national infrastructure sectors will be obliged to secure their network and information systems from a cyber-security perspective. There are continuous challenges that operators of essential services are experiencing in this area every day and it is critical that Ireland is in a position to guarantee the continuity of those services."
The Directive also requires Ireland to apply and police a new regulatory regime on Digital Service Providers (DSPs). These will include cloud computing providers, search engines providers and providers of online market places. In this regard, there has been ongoing consultation with stakeholders in the Information and Communication Technology sectors to inform and coordinate the process of identification of Digital Service Providers.