Minister publishes new cybersecurity guidelines for State service operators

27 Sep 2019


The Government has published new guidelines requiring operators of essential State services to follow certain cybersecurity protocols.

Minister for Communications, Climate Action and the Environment Richard Bruton, TD, has today (27 September) published new cybersecurity guidelines for operators of essential State services, in the hopes of preventing cyberattacks and warding off other cybercrime-associated risks. These new guidelines relate to the EU’s Network and Information Systems Security Directive.

“We must ensure that those who operate essential services in the State are protected from hacking and other cyber risks. These new guidelines will ensure that the relevant organisations have the necessary safeguards in place to protect themselves and the people they serve,” Bruton said.

There are more than 70 organisations designated as operators of essential services in the Irish State. These are bodies that manage various critical infrastructure in Ireland and are spread across the health, energy, transport, financial services, water and digital sectors.

The guidelines identify cybersecurity best practice, and compel operators to identify risks in their systems and put robust protection and detection measures in place. The guidelines also outline protocol in the event of a cybersecurity incident.

The measures also mandate operators of essential State services to report “any incident affecting the security of their network and information systems that results in a significant impact on the continuity of the service for which they are designated”. This includes disclosing incidents affecting third-party suppliers on which the service relies.

The regulation distinguishes between an ‘event’ and an ‘attack’, meaning that a third-party threat actor does not necessarily need to be involved in order to necessitate a report.

Security measures must be, as per the guidelines, effective now and into the future; tailored to the organisation’s individual needs; proportionate to the risks; verifiable and easy to understand with clearly delineated lines of responsibility, among other recommendations.

Bruton added: “Internet-based technologies are now fully embedded in everything we do. This has huge benefits but brings with it new risks which we must safeguard against. These new guidelines will ensure our essential services operate in accordance with best practice.”

A full copy of the guidelines is available here.

Eva Short was a journalist at Silicon Republic
