Scottish Cyber Coordination Centre: SC3 strategic plan 2024 to 2027

An overview of operating principles, functional structure, and service development plans to support the mission and objectives of the Scottish Cyber Coordination Centre.


4. Service development

In addition to the operating principles specified in this Strategic Plan, the continued evolution and improvement of service lines within the individual functions must also consider the following key elements:

Partnership: In line with the operating model, many services will require involvement of SC3 Core Partners. These Partners must actively contribute to, advise and support service development as well as engaging with operational processes as necessary.

Processes and standards: Where formal processes or directives are required, SC3 must define and manage these as well as build capability for enforcement of remedial action across the sector, in addition to supporting services and roles.

Technology: Where technical requirements are identified they must be built, sourced or procured to support individual workstream objectives, using expertise within the Scottish Government’s Digital Directorate to identify the most appropriate method.

4.1 Standards and insights

As described in the Operating Principles section, the effectiveness of SC3 and the value of the services provided is dependent on the ability to measure and understand the sector’s cyber resilience posture. This knowledge is also vital in the development and application of appropriate and proportionate security frameworks and standards.

Situational awareness

The Major Incident Coordination service will strengthen the robustness and capability of this offering through:

[1] The creation of a ‘Cyber Observatory’, an internal platform that can ingest, store and process relevant cyber security indicators from all ‘in-scope’ organisations in a structured and dynamic manner.

[2] The development of real-time analysis and reporting capabilities to allow summary reports and specific briefs to be produced in accordance with operational requirements.

Standards and frameworks

Cyber Security standards and frameworks are an important tool for organisations to gauge and manage their security controls and risks, but there are many recognised frameworks with varying purposes and focuses. The Standards and Insights function will work towards:

[3] Regular identification, review, and promotion of appropriate standards and frameworks for the sector (including guidance material and mappings where appropriate).

[4] An easy-to-use and intuitive online tool for organisations to record their status and compliance, enabling SC3 to better assess control gaps and offer support.

Risk and assurance

Maintaining and applying an understanding of the risk landscape and significant threats to the public sector will help organisations to improve their own level of protection. This will be supported via:

[5] A supply chain project to explore means of reducing the impact of supply-chain breaches from suppliers that serve multiple public sector organisations.

[6] The rollout of a public sector supplier assurance tool, which will enable organisations to conduct due diligence against technology vendors and third parties, while also providing valuable data to SC3 for future improvements.

[7] Collaboration with partners and with CRU to undertake rolling awareness campaigns targeting key risks facing the public sector.

UK Government Engagement

In addition to a focus on improving the public sector in Scotland, SC3 will apply the Operating Principles to maximise the value of collaboration and knowledge/capability sharing between the Scottish Government and the UK Government on Cyber Security. The Standards and Insights function will lead on this by:

[8] Acting as the point of contact for all ‘Defend as One’ liaison and knowledge sharing with NCSC and the Government Cyber Coordination Centre (GC3).

[9] Working with DSIT, the Home Office and other relevant departments on relevant legislative and policy matters governing technology restrictions and usage.

4.2 Incident coordination

The Incident Coordination function is a critical component of the SC3 and one of the drivers for the existence of the Centre. The ability to co-ordinate multi-agency incident response with speed and consistency is key to the successful handling of serious, national-level and multi-impact cyber incidents. The Incident Coordination function provides not only the ability to orchestrate and enhance such response efforts, but also provides additional support, advice, briefing and reporting where required, enabling local response efforts to focus on the eradication and remediation of incidents.

Major incident coordination

The Major Incident Coordination service will strengthen the robustness and capability of the function by delivering the following:

[10] Annually review, package, and roll out the Scottish Cyber Incident Management Policy and associated playbooks.

[11] Formally embed the Public Sector Cyber Incident Notification Procedure, requiring public sector organisations to report within a specified timeframe to enable appropriate response activities.

[12] Formalise a process and facility for cyber incident escalation and oversight to SGORR, via engagement with the Civil Contingencies Division.

Analysis and reporting

Analysis and Reporting is a key component of the Incident Coordination function, not only for awareness raising regarding trends and themes, but also because of the benefit that robust analysis brings to strategic decision making. The service offering is to:

[13] Develop and deliver robust, standardised, and reusable Lessons Learned processes across the public sector, in collaboration with partners and embedded within the Scottish Cyber Incident Management Policy (SCIMP).

[14] Implement a digital Incident Management platform to record, monitor, archive and analyse major incidents within the public sector.

[15] Establish bespoke and standardised reporting procedures, at regular intervals and on demand, including an annual Scottish Cyber Attack Report (SCAR).

Cyber Resilience Early Warning (CREW)

Cyber Resilience Early Warning is a mechanism to rapidly disseminate relevant operational information to specific public sector organisations to enable swift proactive protective measures. The focus here will be to deliver:

[16] An improved CREW process with the capability to rapidly disseminate targeted CREW alerts to organisations based on the applicability and expected relevance of the alert in question.

[17] A Self-Service feature that will enable organisations to opt-in/out of CREW alerts and notices by category or theme.

Incident support

The SC3 supports organisations not just via the Incident Coordination process, but also by providing guidance and specialist support where required. The focus here will be to:

[18] Develop and disseminate an improved Cyber Capability Toolkit, transforming the current package of guidance materials into a flagship Public Sector product.

[19] Provide an enhanced Certified Incident Response partnership for rapid expert deployment to augment victim organisations’ own response activities under exceptional circumstances.

4.3 Cyber exercising

The negative, and sometimes catastrophic, consequences of major incidents underline the importance of well-rehearsed exercising for preparedness and resilience in the face of cyber threats, at both an organisational and national level. It is one of the most important tools available and therefore a priority focus for SC3.

Exercising standard and practices

Defining what best practice and effective exercising means in practice is of significant value to organisations. SC3’s Cyber Exercising function will strengthen the robustness and capability of this service offering by delivering:

[20] A robust, standardised, and reusable process and playbook for best exercising practices and regimes in the public sector.

[21] An outreach programme to the public sector to achieve a 100% rate of cyber exercising, at a frequency determined by the standard (e.g. at least annually).

Exercising delivery

Implementing exercise standards and practices requires knowledge and expertise across the public sector. In line with the operating principles, SC3 will support the uplift and frequency of exercising by delivering:

[22] The creation of a formal community (exercising cadre) with training, registration, and recognition of public sector cyber specialists.

[23] The implementation of a community Hub and learning repository to assist members.

[24] The formal certification of SC3 as an NCSC Assured Exercising provider.

National Cyber Exercise

In addition to exercising across the public sector, it is the responsibility of SC3 to ensure that the SCIMP is tested robustly at a national level, and on an annual basis. Each year, the SC3 will therefore:

[25] Work with multiple partners at a national level to identify, design and plan an annual National Cyber Exercise (NCE) with senior official oversight.

[26] Act as the facilitation body to run the agreed exercise, coordinating logistics and participation.

[27] Prepare and issue a formal report and lessons identified for key senior officials, ministers, and stakeholders, accompanied by an NCE action tracker. This will include recommendations on steps for improvements on national preparedness and response.

4.4 Vulnerability management

Ensuring that services, networks, and environments are well managed and up to date is a continuous challenge for the public sector. In recognition of the exploitation of known vulnerabilities as a common attack vector for hostile actors, assisting organisations with their own vulnerability management activities is another core function of SC3.

Major vulnerability coordination

The Major Vulnerability Coordination service is complementary to Major Incident Coordination and enables national-level response to, and reporting of, critical and widespread vulnerability disclosures. The SC3 will strengthen the robustness and capability of this offering by:

[28] Formalising, publishing, and promoting a Critical Vulnerability Coordination Policy and procedure (including the ability to issue commissions for investigations and updates across public sector, with 100% of organisations signed up).

[29] Establishing formal links with the GC3 Vulnerability Management team, to share and collaborate on action plans and outputs.

AAA reporting

Effective vulnerability reporting is characterised by the SC3 as that which meets the criteria of being ‘Available, Applicable and Actionable’. The Vulnerability Management function will strengthen the robustness and capability of the service offering by delivering:

[30] Automated reporting, on demand or at regular intervals, at both operational and strategic levels.

[31] An internal capability to review vulnerability disclosure information (including technical CVE data) to identify and analyse trends of relevance or applicability to the Scottish public sector.

National protective measures

In addition to reporting and awareness raising to assist organisations to manage their own vulnerabilities, the SC3 should take proactive measures to identify issues and exposure across the visible public sector ‘internet footprint’ that is accessible and discoverable by hostile actors. The Vulnerability Management function will deliver:

[32] Active Cyber Scanning capabilities, at organisation, domain, or IP level, for public sector organisations and beyond.

[33] Technical integrations with existing Government and commercial active protection measures, for rollout to applicable high-risk organisations.

4.5 Threat intelligence

Cyber threat intelligence is the foundation of successful proactive cyber security. Having relevant and actionable information on threats, trends, malicious actors, and organisational exposure informs and contributes to pragmatic risk assessments for organisations, as well as the ability to respond effectively to, and mitigate, changing environments and circumstances.

Threat reporting

The Threat Intelligence function will assist the Scottish public sector by providing:

[34] Automated and curated reporting, on demand or at regular intervals, at both operational and strategic levels, covering not just standardised threat activity but also threat actor assessments, ransomware incidents over time, and trends across sectors.

[35] Augmented reporting drawing from a range of commercial, open-source and government intelligence feeds and sources.

[36] A self-service feature that will enable organisations to opt-in/out of Threat Intelligence reporting by category or theme.

Advanced intelligence capability

Malicious actors use the dark web to share information, host and sell stolen data, and circumvent security measures present on the open internet; this puts organisations that lack the skills or resources to access or monitor the dark web at a disadvantage. The Threat Intelligence function will assist the Scottish Public Sector by providing:

[37] A service for scraping/monitoring the dark web for news or information relating to Scottish Public Sector organisations, including mechanisms for extracting data for analysis where required.

[38] A service for evaluating and deploying deception technologies to monitor attacker interest or activity in the Scottish Public Sector.

Community engagement

Active community engagement and buy-in is fundamental to the successful integration of threat intelligence into organisational defences. The SC3 must cultivate a strong and engaged community by:

[39] Promoting, maintaining, and growing public sector participation in the Cyber Information Sharing Partnership (CiSP) platform for discussion and knowledge sharing, leveraging strategic alliances with industry and other partners to contribute directly to community requirements.

[40] Actively developing and evolving the Malware Information Sharing Platform (MISP) offering under Cyber Scotland Shield for exchange and dissemination of technical data and encouraging data sharing into the platform for the benefit of all users.

Contact

Email: SC3@gov.scot
