Government announces new mandatory cybersecurity requirements

20 Sep 2018

Energy providers will be under the remit of the new cybersecurity rules. Image: Lumppini/Shutterstock

Minister Denis Naughten, TD, has announced important new security requirements for critical national infrastructure in Ireland.

Speaking at the Data Summit yesterday (19 September), Minister for Communications, Climate Action and Environment Denis Naughten, TD, announced important new national cybersecurity requirements.

These will apply to the network and information systems of critical national infrastructure providers in Ireland. These include providers in areas such as energy, digital communications, transport, drinking-water supply and healthcare. The requirements are mandatory principles that all operators of essential services (OES) will have to meet within their organisations.

Cybersecurity protections for vital industries

The requirements have already been the subject of a public consultation, and aim to help protect infrastructure against cyberattacks and online threats. Naughten said: “Information technology and digital technology is an integral part of almost all services on which individuals, businesses, families and communities in this State rely.

“Critical national infrastructure such as energy, telecommunications and transport networks, and services such as healthcare, financial services, education, and drinking-water supply and distribution, have been optimised through internet technology, which also increases their vulnerability to cyberattacks.”

The security requirements centre around five themes: identify, protect, detect, respond and recover. Each operator must assess and implement appropriate security measures to address these areas. They need to be aware of sector-specific factors and the identified risks of their own organisation and its environment.

The process of identifying OES has been underway for some time and the notification process will commence immediately. The Government has informally notified affected entities of their designation as OES.

Individual risk assessments needed

Methods and timing of implementation of the measures under each theme will vary between OES. This depends on their own risk assessments and the specifics of their sectoral needs.

Naughten continued: “Identifying these operators of essential services in Ireland will help prioritise cybersecurity within those organisations and will also ensure that operations in the relevant critical national infrastructure sectors will have to maximise the preparedness of their computer networks information technology from a cybersecurity perspective.”

He emphasised that OES will be responsible for identifying the systems that will need to comply with the rules. Organisations must also be able to demonstrate that they are applying security principles and appropriate technical measures. “These security principles mark a substantial step forward in that all operators of essential services in the critical national infrastructure sectors will be obliged to secure their network and information systems from a cybersecurity perspective,” Naughten said.

He added: “In the European Union, we have taken a very rigorous and comprehensive approach to cybersecurity, and to the protection of critical infrastructure in particular.”

The Government directive also requires Ireland to apply and police a new regulatory regime on digital service providers. These include providers of cloud computing, search engines and online marketplaces.

Ellen Tannam was a journalist with Silicon Republic, covering all manner of business and tech subjects