Protecting the public sector will be the top priority for the new Scottish Cyber Coordination Centre (SC3), according to a newly published document on its priorities.
It will include measures specifically directed at strengthening the sector’s cyber defences, including a supplier assurance tool and an incident notification procedure.
Plans for SC3 were first announced in 2022 and the Scottish Government has now outlined details of how it will operate with the publication of a strategic plan for 2024-27.
It outlines an operating model in which SC3 will sit alongside the Scottish Government’s Cyber Resilience Unit (CRU), with core functions that prioritise services for the country’s public sector. These will take in threat intelligence, vulnerability management, standards and insights, cyber exercising and incident coordination, supported by partners including the CRU, Police Scotland, the Digital Office for Local Government and NHS National Services Scotland.
The list of core partners is expected to change as SC3 evolves.
Supply chain services
Key services will include a project to explore how to reduce the impact of any cyber breaches on the public sector supply chain, the development of a public sector supplier assurance tool, and awareness campaigns focused on key risks to the sector.
There are also plans to formally embed the public sector notification procedure for cyber incidents, requiring organisations to report within a specified timeframe to enable an appropriate response, and to implement an incident management platform to record and analyse major incidents in the sector.
In addition, there is an intent to improve the cyber resilience early warning (CREW) process, to encourage public organisations to take part in the Cyber Information Sharing Partnership (CiSP) and create a formal community of cyber specialists.
SC3’s specific services for the public sector will include: automated and curated reporting on threat activity, ransomware incidents and trends; augmented reporting from a range of feeds and sources; a self-service feature for opting in and out of threat intelligence reporting by category or theme; scraping the dark web for relevant information; and evaluating and deploying cyber deception technologies.
Other more general services to be developed include one for coordinating the response to major incidents, partly through the creation of the cyber observatory platform for taking and processing relevant data from in-scope organisations in “a structured and dynamic manner”.
Analysis and reporting
This will be accompanied by the development of real-time analysis and reporting capabilities for the production of summary reports and briefs in accordance with operational requirements.
SC3 will also work on identifying and promoting appropriate standards and frameworks, and develop an online tool for organisations to record their compliance and enable it to assess where there are gaps in capabilities.
Its operating principles will involve data-driven approaches in targeting its capabilities, the development of baseline services that can be scaled up, the identification of reusable components or services, and engagement with the cyber security community.
In emphasising the overall vision for 2027, the document states: “SC3 will be a focal point for Scotland’s cyber security and resilience, providing services to help protect against and respond to the accelerating and evolving threat of cyber attack while promoting adherence to appropriate standards and best practices across critical functions and infrastructure.”
Publication of the strategy marks the second development in recent days relevant to the cyber security capability of Scotland’s public sector. It has come after the Digital Office and national procurement organisation Scotland Excel announced they are working on a single supplier framework for security operations centre services.