Ireland’s National Cyber Emergency Plan (NCEP) has been published today, following “extensive engagement” with the public and private sectors, according to the Department of Communications.
In a statement, the Department said that the plan incorporates insights gained from a number of “sector-specific emergency exercises” conducted in 2022 and 2023, along with lessons learned from the notorious 2021 HSE ransomware attack.
The plan details the procedures to be followed when declaring a “National Cyber Emergency”, and when managing and coordinating the country through one. In particular, it seeks to clarify the roles and responsibilities of all parties involved during a cyber emergency, and lays out the Government’s strategy for handling “serious cyber incidents” in a way that can be explained clearly to the public.
A cyber emergency is defined as any cyber incident which causes, or threatens to cause:
– death or serious injury or damage to property, the environment or the economy, or significant incidents impacting two or more critical sectors;
– and which requires the activation of the National Emergency Coordination Group (NECG Cyber) to ensure an effective coordinated response for containment, mitigation and/or recovery.
“Cyber security incidents are diverse by their nature and, as such, there are a vast range of potential scenarios where the plan may be initiated,” the Department’s statement reads.
“This, in turn, has ensured that a very flexible response process has been in-built during its development.”
Speaking on the publication of the plan, the National Cyber Security Centre (NCSC) Director Richard Browne said that it was a “complex” task to put the procedure together.
“Responding to cyber security emergencies effectively at a national level is a complex undertaking due to the very wide range of potential incidents, and the diverse nature, extent and consequences associated with these,” he said.
“This plan establishes an architecture for coordinating the Government response in accordance with Irish and European legislation and policy.”
The plan is primarily designed for the benefit of officials from Government Departments and State Agencies involved in responding to national cyber emergencies, as well as potential victim organisations (providers of essential public and private services), including senior officials, communications staff, and incident response personnel.
According to the statement, it is also designed to deal with “a broad spectrum” of cyber emergencies, “whether of internal or external origin”.
“As the plan has been developed in alignment with the Strategic Emergency Management National Structure and Framework, it establishes the structures for co-ordinating a ‘whole of Society’ approach to preparing for and responding to a cyber emergency,” the Department added.
The activities described in the NCEP rely upon three co-operation modes:
– Permanent Mode: Relates to the normal course of business, during which situational awareness is maintained and incident preparedness activities are carried out.
– Warning Mode: This is activated when evidence indicates that there is a heightened risk of a ‘cyber emergency’ type incident emerging in a specific sector or sectors. It involves communications with stakeholders across government and in the private sector as appropriate.
– Full Activation Mode: This is activated if an incident occurs that meets the threshold of a national cyber emergency which requires the activation of the National Emergency Co-ordination Group chaired by the NCSC to ensure an effective, co-ordinated multi-agency and cross-government response for containment, mitigation and/or recovery.
Proposed measures in the plan include using various national authorities to provide intelligence support on what’s happening:
“Intelligence support during a national cyber emergency is provided by national authorities with the capability to do so, including the Defence Forces, NCSC, AGS [An Garda Síochána], and the National Security Analysis Centre,” the document reads.
It also entails a post-incident review, to figure out what exactly transpired during the emergency:
“When the cyber emergency is stood down the experiences and lessons learned will be captured in an After Action Report (AAR), and also used to update the National Cyber Emergency Plan and other incident response playbooks as appropriate,” the plan adds.