Overview

What

This guide seeks to:

• Establish a common cross-sector approach to Cyber Resilience and Critical Infrastructure. The guide includes information on the key risks for Scotland and the impact that these may have on infrastructure, and provides information on the resources and support available to organisations.

Who

This guide applies to:

• Government - CI Resilience Policy leads in Scottish Government
• Critical Infrastructure (CI) Operators at a tactical and strategic level
• Responder Communities – Resilience Partnerships (RPs)

Why

Cyber represents a principle and growing disruptive threat to Critical Infrastructure and other essential services. It is necessary that the operators of Scotland’s national and local infrastructure understand and protect their critical assets, understand the cyber threat to their organisation, the risk to their infrastructure, manage the risk from their supply chain and recognise staff as a potential access route.

In addition, they should have adequately planned and prepared for the disruptions a cyber-attack on their organisation could have and should test these plans so that if the threat cannot be prevented, then the organisation responds and recovers as effectively as possible.

A risk based approach to such planning, preparation, response and recovery will help organisations understand their vulnerabilities to cyber and take appropriate measures. Key to taking a risk-based approach is in actually understanding the nature of the cyber threat to the organisation.

How

Building organisational resilience to cyber threats an organisations cyber resilience measures should:

• Be based on current good practice guidelines, standards and principals
• Be based on a sound understanding of the cyber threat
• Be owned as a board level risk
• Be integrated into existing risk management and planning processes and decisions
• Be informed by understanding the nature and likelihood of the threat and a cycle of review and action, monitoring the effectiveness of decisions and ensuring continuous improvement
• Understand and take steps to manage the risk to the infrastructure, supply chain and staff
• Take account of any expert advice from recognised organisations both in planning for and dealing with the impacts resulting from the cyber threat
• Be developed in partnership with stakeholders/interested parties
• Be integrated at an appropriate scale – some infrastructure may require national scale planning and collaboration; others may be specific to a particular area or site
• Contribute to enabling other organisations to mitigate the cyber threat by sharing appropriately sanitised threat intelligence within the Cyber Security Information Sharing Partnership (CiSP) and other trusted networks

Case Study

2017 Wannacry Ransomware Attack

In May 2017 a global cyber-attack using hacking tools to deploy the Wannacry Ransomware spread at unprecedented speed across 150 countries and within the UK impacted significantly on the NHS within the UK.

WannaCry exploited a Microsoft vulnerability which was known and a patch to fix it was released in March.

Hospitals and GP surgeries in England and Scotland were among at least 16 health service organisations hit. Staff were forced to revert to pen and paper and use their own mobiles after the attack affected key systems, including telephones. Hospitals and doctors' surgeries in parts of England were forced to turn away patients and cancel appointments after they were infected with the ransomware, which scrambled data on computers and demanded payments of $300 to $600 to restore access. People in affected areas were being advised to seek medical care only in emergencies.

The incident was declared to be a national cyber incident and the National Cyber Security Centre undertook a central co-ordination role. At a Ministerial level both the Cabinet Office Briefing Room and the and Scottish Government Resilience Room were stepped up to manage the escalating incident. The incident received significant media attention and was a wake-up-call questioning the resilience of critical infrastructure such as the NHS ability to respond appropriately. The National Cyber Crime Unit of the National Crime Agency and Police Scotland Cyber Teams played a vital role in supporting the NCSC.

In Scotland the CEO’s of all public sector organisations were contacted over the weekend to alert them to the risk and ensure that assurance could be given to Ministers that steps had been taken to mitigate against the threat.

Key insights:

• The speed at which this virus spread through the NHS nationally highlights the interconnectedness of organisations
• Incident Response plans need to recognise this interconnectedness and reach beyond the individual organisation
• Service delivery was impacted
• Effective media handling is essential
• National Co-ordination of significant emergencies ( SGOR and COBR) were tested in the first managed major cyber incident
• There needs to be a clearer understanding of engagement with and roles of Central co-ordination organisations particularly the NCSC, Police Scotland and the Scottish Government
• The value of membership of the NCSC Cybersecurity Information Sharing Partnership (Cip) to gain essential threat intelligence was tested and proven
• The attack identified the need for organisations to take proper cognisance of having the basic cyber hygiene in place to combat the most common internet borne threats
• Cyber as a risk was elevated to Board/ Executive level as a result of Wannacry incident
• As a result of the incident the Scottish Government accelerated plans to introduce a Public Sector Action Plan on Cyber Resilience²⁰ to provide assurances that this sector was resilient to the growing cyber threat

²⁰ https://beta.gov.scot/policies/cyber-resilience/

Background

Cyber has been identified as one of the top risks to UK security. A serious attack on a critical infrastructure or essential service organisation may result in the disruption or denial of service output, with the compromise and harm to a critical network asset causing significant financial and reputational damage. This is exacerbated if organisations are not prepared to respond and recover from cyber-attacks.

Critical Infrastructure sectors are at constant risk from state actors, cyber criminals, hacktivists and staff (deliberate or accidental), while terrorist groups aspire to acquire cyber capability.

The Scottish Government’s policy in respect of Critical Infrastructure stakeholders is as follows:

Primary Driver:

Enhancing cyber resilience arrangements to mitigate and respond to cyber threats

Outcomes:

• Active management of cyber threats and vulnerabilities is embedded in corporate risk management processes and policies, with oversight at Board level
• Effective processes exist to:
  • Identify and assign ownership of critical assets that may be vulnerable to cyber threats
  • Assess and understand cyber threats and vulnerabilities in respect of corporate assets, and refresh this understanding on a continuous basis
  • Manage and respond to cyber threats and vulnerabilities on a continuous basis
• Staff at all levels are supported and incentivised to adopt appropriate behaviours to mitigate cyber risks/threats, including through staff education/training
• Appropriate technical controls and policies are in place (including in respect of secure configuration, network security, user privileges, malware protection and monitoring), with specialist advice and support made available where required via internal or external sources
• Robust Incident Response, Business Continuity Management (BCM) and contingency arrangements in place to manage and minimise disruption from a cyber-attack, including a test/exercise programme
• Enhancing cyber security arrangements to mitigate cyber threat

Scottish Cyber Resilience Strategy

Safe, secure and prosperous: a cyber-resilience strategy for Scotland²¹, was published in 2015. It set out the Scottish Government’s vision for Cyber Resilience in Scotland and sets out the aspirations and outcomes required for Scotland to become a world leader in cyber resilience.

“Safe, secure and prosperous” is closely aligned with the UK National Cyber Security Strategy²², which sets out the UK Government’s strategic approach to making the UK secure and resilient in cyberspace. Cyber security is a reserved matter, but it has strong implications for the delivery and resilience of devolved services – as such, the Scottish Government works closely with key partners such as the UK National Cyber Security Centre to ensure alignment between work on cyber resilience at the UK and Scottish levels.

The National Cyber Resilience Leaders Board (NCRLB) is an advisory board to Scottish Ministers and comprises of leaders from the Public, Private and Third Sector and Academia and was formed to help drive forward the Scottish Government’s Cyber Resilience Strategy.

Following the Wannacry attack in May 2017, which had a high profile impact on the NHS in England and Scotland, the Programme for Government committed the SG to working with the NCRLB to develop and implement a suite of 5 action plans, which will drive Scotland towards our strategic ambitions.

As of 2018, the action plans²³ have been published. The action plans are as follows:

• The Learning and Skills action plan, which sets out the actions we and our partners will take from 2018 to 2020 to support the development of cyber resilient behaviours amongst our population (helping them to avoid become victims of cybercrime), and to build a skilled and growing cyber security profession for Scotland. (Published March 2018)
• The Public Sector Action Plan, which aims to ensure that Scotland's public bodies have in place a common baseline of good cyber resilience practice, and are working towards becoming exemplars of cyber resilience. This is vital to ensuring our digital public services are safe and secure and protected from cybercrime. If successful, Scotland will be the first nation in the UK to have achieved this common baseline across its public sector. (Published November 2017)
• The Private and Third Sector Action Plans, which set out a detailed programme of work in partnership with Scotland's private and third sectors to help raise fundamental levels of cyber resilience. They have a particular focus on supporting our small and medium sized businesses and charities to understand the cyber threat and how to address it. (Published June 2018)
• The Economic Opportunity Action Plan, which will set out actions to help create the conditions for a world class cyber security goods and services cluster to flourish in Scotland.

²¹ http://www.gov.scot/Publications/2015/11/2023

²² https://www.gov.uk/government/publications/national-cyber-security-strategy-2016-to-2021

²³ https://beta.gov.scot/policies/cyber-resilience/

Guidance

Good cyber security and resilience practices are wide ranging, from policy level to implementation, and have to be applied at every level of the business, from boardroom to control systems. Important guidance is available from the National Cyber Security Centre website (https://www.ncsc.gov.uk/guidance) where additional information on Threat Intelligence, Incident Management, Insight, Skills and Certified Security Services are listed.

It is also important to remember that cyber resilience is not something that can be considered in isolation. It goes hand in hand with physical and personnel security (e.g. building management systems and insider threat) to create a holistic approach to protective security. In a digital age good cyber resilience should be regarded as an essential digital enabler. The cyber threat is a business risk and requires managed at board level.

A number of critical infrastructure organisations will be impacted by the EU Directive on Security of Network Information Systems (NIS Directive) which was introduced in May 2018. As a result of this directive the UK Government will be producing clarity on the regulation of those that are directly impacted by the Directive. A set of security principals will be developed and will form a high level standard to which those impacted by the directive will be required to comply. These principals will follow recognise international good practice in security as such form good practice which organisations should strive to achieve taking into regard their size, sector and appetite for managing risk.

The following are common key areas for consideration in achieving good cyber resilience. They are presented to follow the 4 key domains and 14 sub categories that are likely to make up the NIS Framework.

Identify: Appropriate organisational structures, policies, and processes should be in place to understand, assess and systematically manage security risks to organisations

Governance:

• There are appropriate management policies and processes in place to govern the organisations approach to the security of network and information systems.

Risk Management:

• The organisation takes appropriate steps to identify, assess and understand security risks to network and information systems supporting the delivery of essential services. This includes an overall organisational approach to risk management.

Asset Management:

• All systems and/or services that are required to maintain or support essential services are determined and understood. This includes data, people and systems as well as any supporting infrastructure

Supply Chain Risk Management:

• The organisation understands and manages security risks to the network and information systems supporting the delivery of essential services that arise as a result of dependencies on external suppliers. This includes ensuring that appropriate measures are employed where third party services are used.

Protect: Proportionate security measures should be in place to protect essential services and systems from cyber-attack, system failures, or unauthorised access. Specific requirements will be set out in respect of:

Service Protection Policies and Processes:

• The organisation defines and communicates appropriate policies and processes that direct the overall organisational approach to securing systems and data that support delivery of essential services.

Identity & Access Control:

• The organisation understands, documents and controls access to systems and functions supporting the delivery of essential services. Rights or access granted to specific users or functions should be understood and well managed.
• Users (or automated functions) that can access data or services are appropriately verified, authenticated and authorised.

Data Security:

• The organisation prevents unauthorised access to data whether through unauthorised access to user devices, interception of data in transit or accessing data that remaining in memory when technology is sent for repair or disposal.

System Security:

• Critical Systems are protected from cyber-attack. This includes minimising the opportunity for attack by configuring technology well, actively managing software vulnerabilities, minimising services available, and controlling connectivity and physical access.

Resilient Networks & Systems:

• The organisation builds resilience against cyber-attack, implementation, operation and management of systems.

Staff Awareness & Training:

• Staff are given appropriate support to ensure they can support the security of network and information systems of essential services.

Detect: Appropriate capabilities should be in place to ensure network and information system security defences remain effective and to detect cyber security events affecting, or with the potential to affect, essential services/public services. Specific requirements will be set out in respect of:

Security Monitoring:

• The organisation monitors the security status of the networks and systems supporting the delivery of essential services in order to detect potential security problems and to track the on-going effectiveness of protective security measures.

Anomaly Detection:

• The organisation detects anomalous events in the network and information systems affecting, or with the potential to affect, the delivery of services.

Respond and Recover: Capabilities to minimise the impacts of a cyber security incident on the delivery of essential services/public services, including the restoration of those services where necessary.

Response and Recovery Planning:

• There are well-defined and tested incident management processes in place, that aim to ensure continuity of essential services in the event of system or service failure
• Mitigation activities are in place that are designed to contain or limit the impact of compromise

Improvements:

• When an incident occurs, steps must be taken to understand the root cause of that incident and take appropriate remediating action.

Additional clarity on the impact and extent to which the NIS Directive will apply will be forthcoming from the UK Government in 2018. In developing cyber resilience action plans for the public, private and third sectors the Scottish Government will, where possible, be seeking to achieve a commonality of approach with regards to the application of cyber resilience standards.

Delivery

Operators are again referred to the many resources offered by the National Cyber Security Centre (NCSC) as well as being encouraged to join the Cyber Security Information Sharing Partnership (CiSP) where additional real time threat intelligence is offered, including:

NCSC website

www.ncsc.gov.uk

There is a significant body of advice and guidance contained within the NCSC website. NCSC is developing the Network Information Systems (NIS) Cyber Assessment Framework (CAF). The NIS CAF is the tool that NCSC will be recommending for assessing cyber security for CNI.

Cyber Security Information Sharing Partnership:

https://www.ncsc.gov.uk/cisp

The Cyber Security Information Sharing Partnership (CiSP) is a confidential forum for sharing intelligence about cyber threats and vulnerabilities, in real time. Run by the NCSC, CiSP is a joint industry and government initiative that helps to increase overall situational awareness and reduce impact on UK business. Scotland has established its own non sector based community within the Cisp known as the Scottish Cyber Information Network (SCiNET)

NCSC Cyber Incident Management

https://www.ncsc.gov.uk/section/about-ncsc/incident-management

The National Cyber Security Centre has a role in managing significant cyber incidents and indeed is the competent authority to declare significant Cyber Incidents that have an impact on the UK. The NCSC can provide critical support to organisations and as such operators should make themselves aware of the NCSC Incident reporting process

NCSC Ten Steps to Cyber Security

https://www.ncsc.gov.uk/guidance/10-steps-cyber-security

Guidance on how organisations can protect themselves in cyberspace, including:

• An introduction to cyber security for executive/board-level staff.
• A white paper that explains what a common cyber-attack looks like, and how attackers execute them.
• The 10 technical advice sheets an organisation should consider putting in place.

Cyber Essentials

https://www.cyberaware.gov.uk/cyberessentials/

Cyber Essentials is a government-backed cyber security certification scheme that sets out a good baseline of cyber security suitable for all organisations in all sectors. The scheme addresses five key controls that, when implemented correctly, can prevent around 80% of cyber-attacks.

Water UK Cyber Security Principles for the Water Industry

https://www.water.org.uk/news-water-uk/latest-news/cyber-security-principles-water- industry

The Water UK Cyber Security Good Practice Group has produced a set of principles and recommendations to help its members address the risks posed to water and waste water services by cyber related threats. In drawing this work together, the industry engaged with stakeholders, government and regulators.