Ever since the cyberattack on the Scottish Environmental Protection Agency (Sepa) four years ago, public sector leaders have been looking at ways and means to improve the digital security of critical national infrastructure. 

The ransomware attack on Sepa in December 2020 was a landmark moment but other incidents impacting the likes of Western Isles Council and NHS Dumfries and Galloway have highlighted ongoing gaps in public cyber defences.

In September, ministers approved the release of a Scottish Government update on its “strategic activities” to improve resilience, which reviewed some of the measures put in place since the first iteration of the national cybersecurity framework in 2021.

For the public sector – one of three focus areas, the other two being the private and third sectors – the document highlighted several achievements during the past year, including a survey which showed that 93 per cent of public sector organisations in Scotland have cyber-awareness staff training in place, 91 per cent have robust governance in place and 86 per cent have well-developed cyber incident response plans.

But that wasn’t all. During 2023/24, the Scottish Government provided 25 facilitated public sector board training sessions to 263 board members from 93 organisations aimed at raising awareness and supporting board members to provide “constructive challenge” to their organisations on cyber issues. 

Such steps will not eliminate cyberattacks, but they raise awareness at board level of how much digital vulnerabilities matter.

Another step has been the development of the Scottish Cyber Co-ordination Centre (SC3), which provides a central management, threat intelligence and incident response facility to face the “escalating threat” from cybercriminals.

“The teams are pushing really hard to make improvements across not just the public sector, but Scotland as a nation,” says Alan Gray, deputy director of national cyber security and resilience for the Scottish Government.

“We’ve got the strategic framework, which has a number of action plans that cover various sectors, as well as just the learning and skills in general, but we have to be clear about the accelerating threat and the ever-increasing complexity of that, because we are still seeing major incidents,” he adds.

Gray sees both the SC3 and the Cyber Scotland Partnership – a collective of public bodies that have joined together to combat cyber threats – as an “evolution” of the work that has gone on since the Sepa attack, which caused millions of pounds’ worth of damage to the agency’s network and forced a rebuild of its systems so that it could continue to do business online.

Other incidents have not been as cataclysmic, but the focus for SC3 has been on improving how national bodies respond to cyberattacks – with better mitigations in place.

Gray says: “It’s really about the need to address the fact that where there are major, national level cyber incidents we have a really strong core function to do all the multi-agency engagement, the approach in terms of how we deal with it within Scottish Government, how we deal with ministers, as well as ensuring that we provide the right guidance at the right time to the victim organisations.”

He adds: “One of the things I have learned over the years is that when you are dealing with a serious incident, every minute counts and the way in which you respond in those initial stages dictates how successful or otherwise you will be as it progresses.”

Another focus has been on reducing duplication in the public sector. Understandably, individual organisations want to be responsible for their own security, but SC3 can pool knowledge and resources, saving time and effort.

And it also gives SC3, which has been set up as an almost entirely virtual operation, scale. Gray says: “There are organisations who outsource their security or have larger internal security teams who should be able to deal with a lot of this, but we know that the risk and the threat is not evenly distributed, and actually there’s a lot of smaller organisations that don’t have the resources to be able to match some of the threats that we see. 

“That’s why being able to produce services and offer support and operational functions that we can scale up right across the public sector is so important.”

So, what are some of those functions? Gray says threat intelligence – where the Scottish Government is helped by cybersecurity giant CrowdStrike – is one of the key focus areas for SC3. 

Before even embarking on that journey, organisations already need good security monitoring and “hardened” systems in place. And even then, it is hard to separate the signal from the noise.

“We are seeing all the time clear, actionable information which we push out to the community,” says Gray. “If there’s a vulnerability that we think is being exploited and we think it’s serious, we know that you have got that. So we’re telling you that these are the steps you need to take.”

Another focus is cyber exercising, which takes organisations through realistic scenarios of how they would deal with a cyberattack. Gray insists it is an “underrated activity” that can materially improve an organisation’s defences and helps it learn lessons from known cyberattacks.

The Scottish Government is to partner with the National Cyber Security Centre on its exercising certifications, but it’s also been developing its own approaches.

In April, members of the Scottish Public Sector Cyber Incident Exercise Cadre developed and delivered Exercise Celtic Broch – an exercise to test the operational and strategic response to a significant cyberattack affecting service delivery at the three councils in the Forth Valley area: Falkirk, Stirling and Clackmannanshire.

It allowed the local authorities to test their own processes, identify improvements, and highlight common issues across the authorities and explore mutual aid options.

As well as helping organisations like those build their own cyber frameworks and controls, SC3 encourages them to get the basics right; Gray insists it’s often the small things that deliver the bigger wins.

He’s keen that organisations are not overwhelmed by the threats that are out there, and focus on some of the fundamentals of good cybersecurity. 

“When we talk about the accelerating cyber threat and the complexity of the risks and incidents out there, it lends itself to the assumption that you need big, expensive, difficult, complicated solutions,” he says. 

“And that’s not the case: once you’ve got some of the secure fundamentals in place, you’re effectively guarded against a substantial portion of the incidents that we see, which have been down to routine, preventable failures and controls, or the absence of controls that should have been in place.”

Some of the incidents SC3 has dealt with have been caused, or facilitated, by multi-factor authentication that had failed or was inadequate, he adds; MFA that is implemented effectively and properly managed would make a “massive difference”. Understanding supply chain risk is another area where more focus is required, he says.

When it comes to what more we could be doing to close the gaps, to prevent such attacks as those on NHS Dumfries and Galloway, and Western Isles Council, Gray says: “One of the serious issues which we have in a lot of public sector organisations is around legacy technology, whether that’s systems that are completely out of support and are really old and, kind of, ignored, despite being critical to their functioning. It is a really intractable problem but one that appears absolutely everywhere.”

Eradicating legacy technology is going to be “very difficult, if not impossible”, adds Gray, so the best thing public sector bodies can do – especially those with vast and complex IT estates, such as the NHS and the education system – is to try to understand the supply chain risks that come with it and mitigate them where possible.

But there could be help at hand. The Scottish Government is sponsoring a CivTech challenge around cybersecurity supply chain risk, and another one focused on ransomware, too. 

“These are the two big concerns,” Gray adds. “It’s ransomware, but as a result of either supply chain vulnerabilities or legacy technology.

“We will be speaking more about that as soon as we can, but it’s one of the areas where we can hopefully exercise a little bit of creativity in terms of solving that problem, as well as all of the traditional security measures you would expect to be in place to prevent it from happening in the first place.”