I propose to take Questions Nos. 177 and 178 together. Gas Networks Ireland (GNI) is the designated National Gas Emergency Manager (NGEM) appointed by the Commission for Regulation of Utilities (CRU). GNI prepare a “Natural Gas Emergency Plan” which is subject to approval by the CRU in pursuance of its statutory functions in respect of security of gas supply.
GNI’s Natural Gas Emergency Plan, which is publicly available, sets out in detail the procedure for managing a Network Gas Emergency and provides details on the role of GNI as the National Gas Emergency Manager (NGEM). In addition, the Gas and Electricity Emergency Planning Group (GEEP) is chaired by CRU and comprises representation from my Department, EirGrid (electricity Transmission System Operator), ESB Networks and GNI (Gas Transmission System Operator). The GEEP assesses the robustness of existing emergency procedures, including interdependencies between gas flows and electricity generation, on an ongoing basis.
Furthermore, the loss of gas supply to Ireland is considered by CRU by way of Risk Assessment and the preparation of Preventive Action Plans and Emergency Plans to ensure that all necessary measures are taken to safeguard an uninterrupted supply of gas. The risk assessment and plans are required by EU Regulation 2017/1938 concerning measures to safeguard the security of gas supply and CRU is Ireland’s designated Competent Authority for this EU regulation. The Risk Assessment takes into account various scenarios, both short- and long-term gas supply disruptions, and assesses the likely consequences. The Preventive Action Plan and the Emergency Plans contain measures to remove or mitigate identified risks to gas supply disruption.
The European Union Network and Information Services Directive requires that an operator of essential services in the energy and other sectors shall:
(a) take appropriate and proportionate technical and organisational measures to manage the risks posed to the security of the network and information systems which it uses in its operations, and
(b) take appropriate measures to prevent and minimise the impact of incidents affecting the security of the network and information systems used by it for the provision of the essential services in respect of which it is designated as an operator of essential services with a view to ensuring the continuity of the provision by it of those services.
The measures to be taken by an operator of essential services shall ensure, having regard to the state of the art, a level of security of network and information systems appropriate to the risks posed.
While, like any other company, GNI could be susceptible to a cyber attack, GNI is committed to the highest level of compliance possible within the EU framework of Directives, standards and requirements. I am informed that the company takes a proactive approach to ensure that sufficient controls are in place and tested, and has invested extensively in its security infrastructure and internal controls in recent years.
A dedicated team in the National Cyber Security Centre (NCSC) provides guidance to its constituents, including Government Departments and agencies, together with operators of essential services, on appropriate measures they can take to reduce the risk of ransomware incidents on their networks. Immediately following the recent attack on the HSE, staff at the NCSC were in direct contact with the operators of essential services and this was followed up with a number of detailed confidential briefings for key sectors. The NCSC has also issued a number of confidential advisories to these constituent organisations.