This guide seeks to:
- Demonstrate a common cross-sector approach to continuous Critical Infrastructure Resilience (CIR) improvement in Scotland. It explains the process by which continuous improvement will be assessed and monitored by the Scottish Government.
This guide is aimed at:
- Government – Critical Infrastructure (CI) Resilience Policy leads in Scottish Government
- Critical Infrastructure (CI) Operators - Strategic Management, Security and Resilience leads
- Responder Communities – Resilience Partnerships (RPs), Security and Resilience leads
The benefits of engagement in the continuous CIR improvement process include:
- A consistent and standard approach across all sectors in Scotland
- Enhanced organisational resilience
- Economic and reputational advantage
- Reassurance that the wider Scottish Government vision of a ‘resilient critical infrastructure in Scotland’ is being realised
This will involve engagement in and completion of four key CIR performance documents - Stakeholder Impact Assessments (SIA), Sector Security and Resilience Assessments (SSRA), Sector Improvement Reports (SIR) and a biennial Ministerial Summary.
To support sectors in developing a culture of continuous improvement and to facilitate the capturing of relevant performance data, the Scottish Government has worked in collaboration with CIR stakeholders to develop the following model of CIR continuous improvement.
- As can be seen in the diagram below, the process begins with a robust assessment by each stakeholder of its infrastructure at company/organisation or asset level (Stakeholder Impact Assessment)
- These separate SIA responses are then collated into an overarching sector security and resilience overview (Sector Security & Resilience Assessment)
- This information is then summarised for reporting purposes (Sector Improvement Report), which will be submitted by each of the Sector Resilience Groups or policy leads for the attention of the Critical Infrastructure Resilience Partnership meetings, which will be held on a six-monthly basis
- The SIR and the SSRA will also be used to prepare a biennial report for Ministers on critical infrastructure resilience in Scotland (Ministerial CIR Summary)
- The model also allows the Scottish CIR perspective to influence the on-going development of the National Risk Assessment (NRA) at UK Government level and the Scottish Risk Assessment as it develops
- Collating and identifying investment gaps to improve infrastructure resilience is a new element being developed and will feature more prominently in future iterations of this guide
Stakeholder Impact Assessment (SIA)
The Stakeholder Impact Assessment (SIA) provides answers to the 4 key questions used to assist in the risk assessment process on which the Sector Security & Resilience Assessment (SSRA) and the Sector Improvement Report (SIR) are based. The SIA provides an overview of individual key companies and organisations that make up each sector, their rationale for criticality, their identified vulnerabilities and describes mitigation, protection and contingencies in place to tackle vulnerabilities.
The SIA will be completed with each sector's key stakeholders using a standardised template and guidance. The template includes information on the following:
- Sub-Sector (if relevant)
- Scottish Government Policy Lead
- Rationale for Criticality including the identification of critical sites and systems
- Planning Assumptions and Mitigation/Contingencies
- Reasonable Worst Case Scenario(s)
- Testing and Exercising
- Significant Disruptive Events experienced by stakeholder in recent years
- Impacts on other Sectors
- Climate Change
- Expectations of SG and Resilience Partnerships
- Contributions to the Resilience landscape in Scotland
Given the sensitivities associated with a detailed analysis of the criticality and vulnerabilities associated with assets/systems, the SIA will be jointly owned by the operator/owner and Scottish Government and protectively marked as Official – Sensitive - Commercial. The SIA will be shared (subject to appropriate information security arrangements) with relevant Scottish Government and UK Government departments and the Centre for the Protection of National Infrastructure (CPNI). In addition, the SIAs will be made available to the relevant Scottish Government Minister if requested.
Sector Security & Resilience Assessment (SSRA)
While the Stakeholder Impact Assessment (SIA) provides an overview of individual asset owners and operators, the Sector Security & Resilience Assessment (SSRA) provides an overview of the relevant sector/sub-sector as a whole. For example, in the Communications Sector in Scotland, the individual operators within each of the four sub-sectors – Telecoms, Postal, Broadcasting and Internet – will each complete a SIA. In turn, these responses will be collated into Telecoms, Postal, Broadcasting and Internet Sector Security & Resilience Assessments (SSRAs) for Scotland.
SSRAs will be developed through a collaborative approach between lead officials in Scottish Government, Sector Sponsor Departments in UK Government, sector regulators and asset operators.
UK Government Departments with policy responsibility for the security and resilience of sectors each produce Sector Security and Resilience Plans on an annual basis. These documents are shared with the Scottish Government and increasingly SG is being invited to submit information as to what is happening in Scotland.
The SSRAs will be completed using a standardised dashboard style template and guidance. The template includes:
- An Executive Summary of the Sector
- An overview of criticality
- An overview of the identified vulnerabilities (using information provided in the SIAs)
- An overview of Sector resilience (against each of the identified vulnerabilities included in the sub sector SIAs)
- An overview of Sector resilience to the current National Risks
- A programme of measures/steps for achieving the appropriate level of ambition for resilience (mitigating the risks and vulnerabilities identified)
Given the sensitivities associated with a detailed analysis of the vulnerabilities of each sector’s critical assets, the SSRA will be owned by the Scottish Government’s Resilient Essential Services Team and protectively marked Official – Sensitive and stored securely. The SSRA will be shared (subject to appropriate information security arrangements) with relevant Scottish Government and UK Government departments and the Centre for the Protection of National Infrastructure (CPNI). In addition, the SSRAs will be made available to the relevant Scottish Government Minister if requested.
Sector Improvement Report (SIR)
The Sector Improvement Report (SIR) is a common reporting and performance management framework in a dashboard format. This enables each of the Critical Infrastructure Sector Resilience Groups in Scotland or policy leads to report on progress to the Critical Infrastructure Resilience Partnership (CIRP) group against an agreed set of improvement criteria. An annual timeline for the reporting process ensures that the SIR complements the UK process co-ordinated by the Cabinet Office – see the diagram in the ‘Delivery’ section below.
The SIR will be completed by each of the Critical Infrastructure Sector Resilience Groups or policy leads in order to provide the Critical Infrastructure Resilience Partnership with assurance on continuous CIR improvement. The SIR template includes:
- Progress against agreed work plans
- Future Milestones/Next Steps
The SIR has been designed to ‘ensure that delivery and progress of the CIR Strategy is monitored and reviewed on an ongoing basis and to determine that effective outcomes are achieved’.
Continuous CIR Improvement Model Timeline
The governance arrangements for CIR in Scotland, and also at UK Government level, are supported by the following timeline. In particular, the annual review of SSRAs and the submission of a biennial CIR Summary for Ministers require a degree of synergy between Sector Resilience Groups, policy leads and Critical Infrastructure Resilience Partnership meeting dates. In view of this, the timeline has been established in order to provide a common standard reporting cycle for stakeholders.