9 minute read
Minister of State Ossian Smyth TD overviews the National Cyber Security Strategy
Minister of State Ossian Smyth TD: Implementing the National Cyber Security Strategy
The Government recognises the resilience of public sector IT systems and the protection of critical infrastructure as vitally important, including to safeguard the delivery of services through digital means, writes Minister of State with responsibility for Procurement and eGovernment and Communications and Circular Economy, Ossian Smyth TD.
Our vision for the future is to expand further the range of online services and to maximise the opportunities offered by the development of cloud services. The ongoing crisis in Ukraine has once again highlighted the threat of cyberattacks, including second-order impacts. In our connected society it is vital that governments take all necessary steps to enhance the cyber resilience of essential services.
The National Cyber Security Strategy is a whole-of-government approach to address the growing threat of cyber security incidents and to ensure that Ireland can benefit fully from the digital transformation. The strategy includes 20 separate measures to safeguard public sector networks and essential services, to facilitate the development of the cybersecurity industry and to promote awareness raising and international cooperation.
A number of measures are being led by the Department of the Environment, Climate and Communications, where, as Minister of State, I am responsible for Communications and Circular Economy. I am pleased to report that good progress is being made on their delivery. For example, the Department has published the Public Sector Cyber Security Baseline Standards to be applied by all government departments and agencies. The NCSC has worked with colleagues across government to develop the standards which will support public bodies to identify cyber risks, deploy appropriate mitigation measures, and protect personal and other important data. At its publication in 2019, we committed to reviewing the strategy at its mid-point. My officials have recently begun this mid-term review and will be engaging with relevant stakeholders in the coming months.
The National Cyber Security Centre (NCSC) is the lead government cybersecurity agency. Its functions are to lead in the management of major cybersecurity incidents, provide guidance and advice to citizens and businesses, and manage cyber security related risks to key services. The NCSC provides works with over 200 constituents from business, educational
institutions, and the charitable and voluntary sector. The NCSC works closely with partner agencies in the UK, US, in other EU member states, and with the EU cybersecurity agency ENISA.
Strengthening our National Cyber Security Centre is a key component of the National Cyber Security Strategy and. In July 2021, the Government agreed to a significant expansion in the NCSC’s staffing and resources, which has progressed significantly. A dedicated HQ facility is being developed for the NCSC as part of my department’s new HQ facility in Dublin.
In January 2022, Richard Browne was appointed as director of the NCSC, and there have been a number of additional staff appointed in recent months. My officials are also engaging with relevant departments to progress the drafting of legislation to provide a mandate for the NCSC, as well as appropriate powers to carry out its vital functions.
Like its counterparts across Europe, the NCSC is presently operating at a state of enhanced readiness in response to the war in Ukraine. I have been heartened by the high degree of coordination and information exchange in the EU and with likeminded partners. From my engagement with my colleagues in other member states, it is clear that we are united in our support for Ukraine, and in our desire to enhance the cybersecurity and resilience of critical infrastructure across the EU.
The recent agreement on a successor to the Network and Information Security Directive represents a step change for the EU cybersecurity regulatory framework. The expansion of scope including, for the first time, public administration bodies, will ensure all critical services are captured. The Directive also provides for a more robust system of sanctions and fines to ensure compliance by regulated bodies. I welcome the EU’s commitment to defining global standards for cybersecurity and look forward to working further with Commissioner for the Internal Market, Thierry Breton, and my ministerial colleagues to implement the Directive and to advance further regulatory measures, such as the proposed Cyber Resilience Act.
My department is committed to ensuring that all citizens can benefit from the myriad benefits of the digital transition. There is a massive development of national infrastructure under the National Broadband Plan State-led Intervention, which will be delivered by National Broadband Ireland (NBI) under a contract to roll out a high-speed and future-proofed broadband network within the Intervention Area. This area covers 1.1 million people living and working in almost 560,000 premises, including almost 100,000 businesses and farms along with some 679 schools.
The National Broadband Plan network will offer those premises in the intervention area a high-speed fibre broadband service with a minimum download speed of 500Mbps from the
Minister of State Ossian Smyth TD
outset. In the first two years of the contract, construction commenced in all 26 counties and construction is ongoing.
This plan is the largest infrastructural project in rural Ireland since rural electrification, spanning 96 per cent of Ireland’s land mass. It will bring highspeed broadband to 23 per cent of Ireland’s population (69 per cent of the national total of farms). It will deliver fast, reliable broadband through laying 140,000km of fibre cable, utilising over 1.5 million poles and over 15,000km of underground duct networks. This marks a huge development in national critical infrastructure and is important in the rapid digitalisation of the many aspects of people’s lives.
The cyber risks of Europe’s quest for green energy and energy independence
Soaring energy prices and increased geopolitical tensions confronted us with many open questions regarding European energy security. The current world is deeply interconnected, especially when it comes to energy supplies and the global energy trade.
Maintaining complex, but reliable business and nation-state relationships is critical to ensuring an uninterrupted functioning of the energy supply chain. Yet the crisis in Ukraine and the consequences of various economic sanctions in European and global energy markets show that these oftendurable relations can be broken, and that countries need to rethink how much energy they generate themselves, where they buy energy and how do they protect production, transmission, and distribution from the ever-increasing risk of cyberattacks.
Even before this, governments faced many cyberthreats from organised criminal groups, which have been increasingly willing to work together towards a common goal. Just witness the close cooperation in the recent years between sophisticated ransomware groups that used botnet access to target victim industries and
organisations. Unfortunately, governments and industry are not always so willing to work together defensively.
In this digital age, where a nearunlimited supply of energy, especially electricity, is fundamental to the normal functioning of society, it is crucial to ensure we can not only meet our energy needs, but also guarantee that it is transported and distributed safely. So, talking about energy and energy security is increasingly a matter of cybersecurity.
However, the current climate should also highlight the need for governments, institutions, and businesses to examine the state of cyber and digital security across the energy supply chain. We must collectively recognise that computing at a global scale is massively energy-intensive, and that many popular digital technologies sit at the top end of energy-intense operations. While the EU has been focusing on renewable energies for its green transition, another potentially large source, nuclear energy, has been unpopular for the past few decades, but that too might be changing.
In February 2022, French President, Emmanuel Macron announced that France will build at least six new nuclear reactors by 2050. Most of Ireland’s electricity comes from oil and a gas pipeline that originates in Russia, Ireland’s wind, solar, hydro, biofuel, etc are still in their early stages, while none of its power comes from nuclear energy. Although some see it as a “zeroemission clean energy source”, the technology’s use for electricity generation is banned in Ireland.
Ensuring the safety of our electrical grid is just as important as making sure we can deliver the energy we need, mainly when we consider that development is now increasingly dependent on automation, largely driven by IT. “In little over a decade, cybersecurity has been transformed from a primarily technical domain centred on securing networks and technology to a major strategic topic of global importance,” notes the World Economic Forum. Today, the world is concerned about attacks against nations’ critical infrastructure systems, with recent history offering several examples of such damaging attacks. Generation, and transmission and distribution (T&D) are reliant on industrial control software like supervisory control and data acquisition (SCADA) and increasingly the internet, which in the digital age is now a part of critical infrastructure itself. We have a few examples already of what can go wrong when systems offer vulnerabilities.
In 2010, a malicious computer worm called Stuxnet was deployed against Iran’s nuclear energy program, targeting SCADA systems to damage their uranium enrichment process. The deployment of this cyberweapon set the stage for the direct disruption of industrial processes. In November 2015, ESET investigated a set of unique cyberattacks targeting Ukrainian news media companies with destructive KillDisk malware that made systems unbootable. This campaign was followed in December of that year with another KillDisk variant delivered to electricity distribution companies that contained functionality to sabotage specific industrial control systems. The cyberattack operators caused a 4-6hour power outage for around 230,000 people in Ukraine on 23 December 2015. This was the first time in history that a cyberattack was known to disrupt an electrical distribution system. A year on, ESET telemetry picked up new malware named Industroyer. ESET researchers discovered that Industroyer could affect several industrial communication protocols that are used worldwide in critical infrastructure systems for power supply, transportation control, water, and gas.
Before the Ukraine crisis, we had already seen increased activity and capability by ransomware groups and state actors targeting critical national infrastructure and its supply chain for extortion, disruption, and cyberespionage. Despite all difficulties, we can see some efforts being made, as policymakers are now more engaged on working with the scientific community on climate change and with cybersecurity specialists to ensure that progress continues for the generations to come.
Technology has allowed us to automate processes that contributed to the development and progress of humankind. The goal is to change behaviours through improved education about where the key cyber-risks lie and what simple best practices can be learned to mitigate them. Events like last summer’s Colonial Pipeline ransomware attack in the US keep reminding us of the urgency to improve our response capability. It is important to keep in mind that ransomware and other cyberthreats to energy grids and other critical infrastructure are a danger that can be avoided with proper measures and willingness to implement them.
T: 053 914 6600 E: info@eset.ie W: www.eset.ie
