
Plan of action against potential cyber emergencies

The National Cyber Security Centre (NCSC) has unveiled a whole-of-government emergency plan in the event of future cyber attacks.

The National Cyber Emergency Plan (NCEP) is described as a guidance document, meaning it has no binding obligations, and is a direct response to recent high-profile cyber attacks in Ireland.

The plan defines a cyber emergency as any cyber incident which causes or threatens to cause:

• death or serious injury or damage to property, the environment or the economy, or significant incidents impacting two or more critical sectors; and

• which requires the activation of the National Emergency Coordination Group (NECG Cyber) to ensure an effective coordinated response for containment, mitigation, or recovery.

While most cybersecurity incidents are an ongoing challenge that can be managed without a significant societal or economic consequence, certain incidents can pose a risk to economic and social activity.

The activities described in the plan rely upon three co-operation modes:

Permanent mode: The normal course of business, during which situational awareness is maintained and incident preparedness activities are conducted.

Warning mode: Activated when evidence indicates that there is a heightened risk of a ‘cyber-emergency’ incident emerging in a specific sector or sectors. This involves communications with stakeholders across government and in the private sector, as appropriate.

Full activation mode: Activated if an incident occurs that meets the threshold of a national cyber-emergency that requires the activation of the NECG.

The NCEP is designed to ensure stakeholders understand their roles and responsibilities during a cyber emergency and the means by which the Government’s approach to incidents is explained and communicated to the public.

Cybersecurity incidents are diverse by their nature; e.g., a national cyber emergency could occur because of an incident affecting IT systems owned directly by government, those owned by private sector operators of critical infrastructure, or in systems owned by organisations which provide services to both the Government and private sector contractors.

As a result, there is a vast range of potential scenarios where the NCEP process may be initiated.

It is the NECG which coordinates support and advice from identified support departments in an ongoing emergency while also maintaining situational awareness of the incident.

The NCSC will be designated as the competent authority responsible for the management of large-scale cybersecurity incidents and crises.

During an emergency, the Department of the Environment, Climate and Communications through the NCSC has overall responsibility for managing the government response with political oversight provided by the Minister for Environment, Climate and Communications.

Lead government departments (LGDs) and relevant agencies are responsible for managing the impacts of the cyber emergency for their assigned emergency types.

For example, a substantial incident cyber attack which has a “serious impact” on a medium-sized organisation or poses a considerable risk to a large organisation is dealt with by the NCSC or law enforcement via remote support or on-site support by exception.

However, a national cyber emergency – the severest cyber attack, which causes sustained disruption of essential services or affects national security – is responded to immediately with a coordinated government response and is escalated to the NECG.

During a national cyber emergency, the NCSC and those supporting them will:

• identify the scope, impacts and implications of the cybersecurity incident on Ireland, and work to contain incidents as they occur;

• analyse and share indicators of compromise and other technical details with the appropriate stakeholders and peer organisations, nationally and internationally, e.g., relevant competent authorities;

• guide and support victim organisations and their response team during a cyber incident to enable them to remediate and resolve the incident;

• capture the technical and non-technical details of the incident and use that information to manage and communicate ongoing cybersecurity risks in the State;

• the NCSC Operations Team may request government departments, public sector bodies or operators of critical national infrastructure to take certain actions, e.g., isolate their network, preserve logs, in response to the incident; and

• for actual or suspected incidents with all-island implications, there will be bilateral coordination and communication between the NCSC-IE and NCSC-UK in the first instance. After the initial stages of an incident, there will be three-way communications between the NCSCs and the Northern Ireland Executive.

A cybersecurity incident is often a criminal act. Affected organisations should report incidents to An Garda Síochána (AGS) or other regulatory agencies or competent authorities as required under general or specific sector legislation.

The priority during any cyber emergency is the restoration of services critical to the State and ending the emergency.

AGS and the NCSC often share relevant information relating to incident response processes and it is likely that this will occur during any national cyber emergency.

An Garda Síochána has the primary responsibility for the investigation and subsequent prosecution of any criminal acts relating to the cyber emergency and is responsible for liaison with international policing organisations such as EUROPOL or INTERPOL.

In 2015, a White Paper on defence outlined the role of the Defence Forces in cybersecurity, stating that “the primary focus of the Department of Defence and the Defence Forces will remain the protection of Defence networks… as in any emergency/crisis situation, once Defence systems are supported, the Department of Defence and Defence Forces will provide support to the NCSC team in so far as resources allow”.
