11/23/2021 | Press release | Distributed by Public on 11/23/2021 06:40
Ireland published the National Cyber Security Strategy in December 2019. Measure 7 of the Strategy sets out how government will introduce a new and specific set of security requirements for the telecommunications sector, with detailed risk mitigation measures to be developed by the National Cyber Security Centre (NCSC) to assist the Commission for Communications Regulation (ComReg) in fulfilling its statutory functions under existing European Communities (Electronic Communications Networks and Services) (Framework) Regulations 2011, S.I. No. 333 of 2011 ("Framework Regulations"), and the European Electronic Communications Code (Directive 2018/1972).
In parallel to this process, EU Member States published the EU 5G Security Toolbox in January 2020 which represents our coordinated approach to securing 5G networks. One of the major recommendations of the toolbox was that Member States implement technical security measures which "strengthen the security of 5G networks and equipment by reinforcing the security of technologies, processes, people and physical factors".
The Electronic Communications Security Measures (ECSM) working group was established in March 2020 to design a set of security requirements for the electronic communications sector. The working group was co-chaired by the National Cyber Security Centre (NCSC) and the Network Operations Unit (NOU) of ComReg. The group also had membership from selected providers of electronic communications networks and services.
The group held a series of thematic workshops focussing on the areas identified as presenting the highest risk in the National and EU risk assessments. The workshops included presentations by guest speakers from industry, academia and relevant public bodies, as well as detailed technical discussions and submissions, which provided insights on the key risks, challenges, and best practices in the relevant security topics. The workshops resulted in the development by the NCSC of the series of documents known as the Electronic Communications Security Measures or ECSMs. In total, ten ECSMs have been drafted:
|ECSM 002||Risk Management|
|ECSM 003||Physical and Environmental Security|
|ECSM 004||Training, Awareness and Personnel Security|
|ECSM 005||Network Management & Access Control|
|ECSM 006||Signalling Plane Security|
|ECSM 007||Virtualisation Security|
|ECSM 008||Network, Monitoring and Incident Response|
|ECSM 009||Supply Chain Security|
|ECSM 010||Diversity, Resilience & Continuity|
The security measures contained in the ECSMs will be provided with a legislative basis through the transposition of the European Electronic Communications Code. Further detail on the purpose, scope and applicability of the ECSMs can be found in ECSM 001 - General.
The purpose of this technical stakeholder consultation is to gather the views of interested parties, in particular third parties who are directly affected, such as providers of public electronic communications networks and publicly available electronic services, equipment manufacturers and suppliers, and cybersecurity professionals.
In gathering submissions, we want to evaluate the technical merit of the proposed security measures and the impact their implementation will have on the security and networks and services.
In making submissions, you should consider the following questions:
Respondents may submit general observations and/or detailed drafting suggestions. In cases where responses exceed five pages, we would ask that you include a concise executive summary.
Where respondents are making detailed commentary or suggesting drafting changes, they should refer to the document title and the line number of the relevant text.
Submissions should include ECSM Consultation in the subject field and be sent by email to [email protected]
The closing date for submissions is 5.30pm Friday 14 January 2022
We may hold a stakeholder information session in December to answer initial queries in relation to this consultation. Please contact the email above to register interest.
We are committed to engaging with stakeholders in a clear, open and transparent manner. Any person or organisation can make a submission in relation to this consultation. All submissions and feedback will be taken into consideration in informing positions to be adopted in negotiations.
Please note that responses to this consultation are subject to the provisions of the Freedom of Information Act 2014 (FOI), Access to Information on the Environment Regulations 2007-2014 (AIE) and the Data Protection Act 2018.
Please also note that we intend to publish the contents of all submissions received to this consultation on our website. We will redact personal data prior to publication. In responding to this consultation, parties should clearly indicate where their responses contain personal information, commercially sensitive information or confidential information which they would not wish to be released under FOI, AIE or otherwise published.
We would like to draw your attention to our Data Privacy Notice which is available on our website and explains how and when we collect personal data, why we do so and how we treat this information. It also explains your rights in relation to the collection of personal information and how you can exercise those rights.