17th January 2018
Good morning everyone, and welcome.
Firstly, I’d like to thank you all for coming today. This marks an important step in the measures being undertaken by the State to adapt to the challenges posed by cyber security. It is also the first time that the State has brought together in one room actors from across a range of sectors to discuss issues in this area.
Government is very much aware of the opportunities offered by digital technologies, but also, inversely, of the new threats to these technologies which leave the State vulnerable.
Just as the State has the ability to facilitate security in the physical environment, now, in the digital age, there is also the need to have resilient, safe and secure digital technologies for citizens, business and the State itself. There is a crucial need to ensure that citizens have access to resilient services, especially where these services are deemed critical.
The aim of this overall process is to determine how we’re going to ensure the security of those services we consider as critical national infrastructure. The services provided by the organisations in this room are critical to the functioning of the country and it is for this reason that today’s meeting and the process in general are so important.
The aim of today is to provide a forum to discuss both the identification process for Operators of Essential Services and the consultation paper published in November on the proposed security measures and incident reporting guidelines. It is important to note at this point that we are very aware that these additional security measures will bring new challenges to your organisations. We also understand that there are costs involved with this process and the implications that these will have on you.
Rest assured that we are very much focused on ensuring that the system works for everyone and in that light are happy and willing to discuss any questions or concerns you may have, either bilaterally or at this meeting.
The issue of cybersecurity has never been too far from the headlines in the past year, with documented examples of critical infrastructure being taken offline. These range from successive ransomware attacks such as WannaCry to what was, possibly, state-sponsored interference with the democratic process in the United States and France. We are highly aware that there are no simple solutions to these very real and generally new types of threats.
The actions that the State is taking are a part of an EU agreed approach. We, as part of the EU, are putting in place a set of measures to ensure that all EU citizens have access to robust, secure and high quality infrastructure and services. We are still very much in the early stages of this process, with more measures still to come at an EU level.
As you will be aware, this process is being driven by an EU Directive on the security of Network and Information Systems. However, the State has already been doing work in this area for a number of years.
Ireland, having identified Cyber Security as an issue of national importance, has been steadily building its Cyber Security capacity to ensure that the State is protected against threats to the security, confidentiality, integrity, and availability of the Network and Information Systems of critical national infrastructure operators and providers. This new Directive, which was launched as part of the first EU Cyber Security Package, gives a formal shape to Ireland’s process.
There is no doubt that this is a new cultural shift for Ireland and this Directive represents a steep change in the manner in which the State engages in Cyber Security. It marks a shift to a legally binding, quasi-regulatory style system for certain critical infrastructure operators and so-called Digital Service Providers.
In light of this new direction for Ireland, my Department is heavily engaged with other EU member states and with the EU itself. We are placing high importance on ensuring the measures we adopt are proportionate, robust and heavily aligned with those taken up by other Member States.
In terms of next steps, this Directive will officially come into effect in May of this year but it will be November before it is fully implemented. It is important to note that this is an ongoing process and the list of entities that are identified as Operators of Essential Services this year will not be set in stone. This list will be re-evaluated as becomes necessary, but at least every 2 years, with the possibility of some entities being undesignated and others being newly designated.
We sincerely hope that this is the beginning of an ongoing process of cooperation in order to share best practices across organisations. In that regard, a key outcome that we hope to achieve from this meeting is the formation of a standing OES working group, which will assist and inform the Department in its work in transposing and operating the Directive. This group will be chaired by an industry representative and steered by industry itself.
I sincerely hope that you find the presentations and discussions that are to come today useful and that you leave here with a clear understanding of what is expected of you during this process, as well as what we as a Department can do to support you throughout.
The identification of 'Operators of Essential Services' and the establishment of a set of security measures to be met by those organisations are requirements under the EU's Network and Information Security Directive. The 'Operators of Essential Services' are from sectors which are deemed to include 'Critical National Infrastructure' such as energy supply, water supply, the transport network, among others.