In recent years we have been reminded of the potential for disruption to our essential services through a whole range of events both malicious and natural.
Building resilience across all aspects of our essential services and enhancing the security and resilience of the critical infrastructure that supports and under-pins these services is vital. This can only be achieved through the implementation of appropriate enhanced protective security measures and mitigating the risks from natural hazards through improving our resilience and contingency planning arrangements. Increasing our understanding of the threats and hazards, and developing our awareness of the interdependency issues across all 13 sectors of critical infrastructure will also assist in terms of moving the resilience agenda forward in Scotland.
‘Keeping Scotland Running’ has been designed to support critical infrastructure owners and operators, emergency responders, resilience partnerships (RPs), industry groups and relevant government departments in working together to improve the resilience of critical infrastructure and essential services provision in Scotland. It seeks to support the delivery of national strategies in Scotland, including the National Security Strategy and Strategic Defence and Security Review 2015 (SDSR 2015)1 and the UK Counter Terrorism Strategy – CONTEST.2 ‘Keeping Scotland Running’ is not intended to duplicate or conflict with existing UK Government critical infrastructure resilience work streams or other regulatory requirements in this area.
In March 2011, the Scottish Government published its first ever strategy for Critical Infrastructure Resilience (CIR) in Scotland – ‘Secure and Resilient – A Strategic Framework for Critical National Infrastructure in Scotland.’3 The strategy was based on a clearly defined purpose, a common vision and a set of established principles that provided an excellent foundation on which to build our Critical Infrastructure Resilience (CIR) programme in Scotland. Indeed, the strategy and the wider delivery programme has also helped to establish Scotland as a world leader in the field of CIR.
‘Keeping Scotland Running’ seeks to build on the success of ‘Secure and Resilient’ by refreshing our strategic aims in the light of some significant developments that have taken place over the last few years. Much of the policy articulated in ‘Secure and Resilient’ however, remains valid and as such, CIR stakeholders should continue to refer to the document for guidance.
Significant Developments in Critical Infrastructure Resilience (CIR)
In September 2014, the UK National Security Council (NSC) instigated a comprehensive review of Critical Infrastructure Resilience (CIR) strategy and policy. The review resulted in a new definition of Critical National Infrastructure (CNI) and an increase in the designated CNI Sectors from 9 to 13. A comprehensive governance and delivery programme has also been established under the UK NSC, coordinated by the Cabinet Office at a UK level and delivered in Scotland through the Critical Infrastructure Resilience Partnership (CIRP).
New Definition of Critical National Infrastructure (CNI)
- ‘Those critical elements of infrastructure (namely assets, facilities, systems, networks or processes and the essential workers that operate and facilitate them), the loss or compromise of which could result in:
- major detrimental impact on the availability, integrity or delivery of essential services – including those services, whose integrity, if compromised, could result in significant loss of life or casualties – taking into account significant economic or social impacts; and/or
- significant impact on national security, national defence, or the functioning of the state.’
Designated Critical National Infrastructure (CNI) Sectors
The following table provides a list of the 13 designated CNI sectors following the 2014 review and highlights the agreed split between Reserved and Devolved responsibilities.
Energy – Electricity, Gas, Fuel/Oil
Communications – Telecommunications, Public Broadcast, Postal Services, Internet Government – UK
Transport – Aviation, Rail and Ports
Emergency Services – HM Coastguard
Government – Scottish Government,
Scottish Parliament, NDPBs and other agencies, Local Authorities
Water – Drinking Water, Waste Water Transport – Roads and Bridges Emergency Services – Police, Fire and Ambulance
Critical Infrastructure Resilience (CIR) Coordination and Delivery
At a UK level, the Cabinet Office coordinates delivery of Critical Infrastructure Resilience (CIR) through the Infrastructure Resilience and Security Working Group – IRSWG, which in turn reports to the Threats, Hazards, Risk and Contingencies Group – THRC (O) and the National Security Committee (NSC).
In Scotland, the Scottish Government coordinates delivery at a national and regional level through the Critical Infrastructure Resilience Partnership (CIRP) and reports directly into the UKG arrangements. Delivery of the CIR work programme is driven through sector specific resilience groups and three regional critical infrastructure resilience groups covering the North, East and West Resilience Partnership areas (See Annex A).
Progress in delivering CIR in Scotland since 2011
Since 2011, the Scottish CIR programme has matured and evolved using recognised continual improvement methodologies. The following highlights four significant areas where progress has taken place resulting in an overall improvement in Critical Infrastructure Resilience (CIR) in Scotland (see Annex B for an overview of how this process works in practice).
A Scottish Approach to CIR
- A move from a protective security approach to an all risks approach, which has subsequently been endorsed as good practice at a UK level
- A move from a UK CNI approach to a Scottish Essential Services and Sector Resilience approach
- Evolution from a centralised focus in Scotland to a regional and local approach in relation to CIR
- Enhanced engagement and influence on UK Government, the Centre for the Protection of National Infrastructure (CPNI), the National Cyber Security Centre (NCSC) and CIR operators and owners
A Collaborative Approach to CIR
- A move from silo working to a holistic approach to critical infrastructure resilience
- A move from a culture of secrecy to a culture of sharing information appropriately between partners
- Improved relationships with critical infrastructure owners and operators
- Enhanced engagement with essential services owners and operators during disruptive events, resulting in improved response arrangements
- Enhanced engagement and influence with international critical infrastructure stakeholders, including Governments, Responders and Owner/Operators
- Enhanced engagement and influence with academia
An Empowered Approach to CIR
- Geographic Information System (GIS) Mapping Project for critical infrastructure resilience in Scotland
- Flood risk assessments for Critical Infrastructure sites in partnership with SEPA and Local Authorities
- Three Critical Infrastructure Resilience groups established as part of Resilience Partnership (RP) engagement
- The establishment of a critical infrastructure resilience governance structure in Scotland that uses existing resources, assets and arrangements (CIRP)
- Improvements to the resilience of critical infrastructure by owners and operators
An Improvement Approach to CIR
- The establishment of a Continuous Improvement approach to drive delivery of CIR across the CNI Sectors
- Stakeholder Impact Assessment (SIA) methodology established to assist sectors, owners and operators to consider their response to the 4 Big Questions – Criticality, Vulnerability, Preparedness and Mitigation
- Synergy with the future Infrastructure Investment planning arrangements
- Providing Ministers and the Scottish Resilience Partnership (SRP) with a Biennial report on Critical Infrastructure Resilience in Scotland