National Cyber Resilience Advisory Board (NCRAB) minutes: December 2023

Minutes from the meeting of the group on 5 December 2023


Attendees and apologies

Board members: 

Maggie Titmuss (Chair)

Deryck Mitchelson (Vice Chair - DM)

Christian Toon (CT)

Jordan Schroeder (JS)

Carla Baker (CB)

Natalie Coull (NC)

Freha Arshad (FA)

Rory Alsop (RA)

Deputy Director, Defence Security and Cyber Resilience – Ex Officio

NCSC Scotland Officer (ON) – Ex Officio

Also in attendance:

Head of the Cyber Resilience Unit (CRU)

CRU Public Sector Lead

Cyber Incident and Vulnerability Co-ordination Lead (SC3)

CRU Head of Policy and Programme

CRU Business Support Officer

CRU Senior Policy Officer

Assistant Chief Constable, Police Scotland (ACC AF)

Apologies: 

DCC Jane Connors (JC) - Ex-Officio

David Hartley (DH)

George Fraser (GF)

Items and actions

Welcome, minutes and actions 

The Chair welcomed Members to the meeting. 

The minutes of the September meeting were approved.

Conflict of interest

No conflicts of interest noted.

New Vice Chair announcement 

The Chair shared information on the process that was undertaken to appoint a new Vice Chair. The Chair explained that there were some truly exceptional candidates and thanked the other Board members for their interest in the position. She announced to the Board that the successful candidate for Vice Chair was DM. 

The Vice Chair thanked the Chair and the Cyber Resilience Unit for the opportunity and then shared some information with the Board on his career to date. The Vice Chair expressed his commitment to working together with the rest of the Board to achieve a cyber resilient Scotland. 

The Chair articulated the importance of using the skills within the Board to help push forward the work being done by the CRU to continue to develop and build on Scotland’s cyber resilience. 

Cyber threat landscape

ON provided the Board with an update on the wider current threat landscape. 

ON commended the recent work of the Scottish Cyber Coordination Centre (SC3) - the daily and weekly threat reports were particularly noteworthy. 

CB shared that the Department of Science, Innovation and Technology (DSIT) had recently set up a working group looking into operational technology (OT). 

DEC23/01: The Chair requested that CB feed back into the NCRAB with further developments of the working group. 

The Head of the CRU thought that OT skills within the workplace may be the responsibility of Skills Development Scotland (SDS) as they held the remit for sector skills and developing National Occupational Standards (NOS). She further stated that the CRU continue to work closely with SDS to embed cyber resilience skills within occupational standards. 

DEC23/02: The Head of the CRU to liaise with SDS and explore which cyber-specific skills are required within OT in Scotland and to get further understanding of where the existing gaps are. 

JS suggested that OT cyber security is still nascent and having more people trained in OT cyber security within Scotland would be helpful for Critical National Infrastructure (CNI) and rapidly change the landscape. He shared that the SANS Institute (officially the Escal Institute of Advanced Technologies) has courses in Threat-informed Operational Technology (OT) Defence which required fairly specialised knowledge, but the content could be reproducible in other ways – he gave examples which included the cyber security issues of programmable logic controllers (PLC) and how the threat could be reduced, among others. 

ACC AF provided the Board with a Scotland-specific threat update. He explained that online fraud continues to be a fairly constant significant harm but urged caution with the reported figures as underreporting continued to undermine the true scale of the threat. ACC AF shared that Police Scotland had seen increased sophistication of cyber attacks which now meant that partnership between organisations and businesses was more valuable than ever. 

The Scottish Cyber Coordination Centre (SC3) Cyber Incident and Vulnerability Coordination Lead provided the Board with an update on the current cyber threat landscape. He explained that, with reference to recent cyber attacks, it had become clear that there were some significant lessons to be learned, and that work will be undertaken in due course to understand and disseminate those lessons to the wider public sector in Scotland. 

The Chair posited that, ideally, there should be some form of mandating cyber security requirements within Scotland’s public sector organisations. The Vice Chair suggested that there was a distinct lack of awareness amongst CEOs within Scotland about the true cyber resilience maturity of their organisations and by extension, the vulnerabilities the organisation could face. The Head of the CRU and the CRU Public Sector Lead shared with the Board that Scotland’s public sector was becoming more mature in addressing and responding to cyber risks and that changes were to be made to the Public Sector Cyber Resilience Survey (PSCRS) which is due to be issued in early 2024 in order to identify any gaps in analysis. The Head of the CRU also shared that there was work underway to recruit a seconded cyber assurance expert, with the aim for a start in January 2024 to work within the Scottish Cyber Coordination Centre (SC3), leading on the cyber assurance workstream.

The Chair stressed the importance of increased visibility of the scale and threat of cyber attacks and advised she would query what approach was being taken in England and Wales with the Chair of NCAB.

The Head of the CRU advised that there may be an opportunity for the Chair to attend a meeting of the Joint Chairs of the SG/COSLA Board before Christmas; the CRU would certainly be attending this meeting.

DEC23/03: The Chair and the Head of the CRU to discuss how to take forward engagement with the Cabinet Secretary for Justice and Home Affairs and the Minister for Small Business, Tourism and Trade to discuss the scale of the cyber threat and to demonstrate the impact of incidents.

The Vice Chair suggested that the Board lacked information on the risk posed to local authorities (LAs) with regards to cyber attacks. He suggested an anonymised, broad form of RAG status for LAs could be suitable to help drive support from the Board to where it was most needed. 

The SC3 Incident and Vulnerability Coordination Lead shared that the SC3 is exploring the concept of a shared chief information security officer (CISO) for the public sector.

Board priorities and focus 

The Chair focused on three key areas for improvement within Scotland:
•    Skills and vacancy gaps 
•    Innovation in the public sector
•    Scottish Cyber Coordination Centre (SC3) resource. 

For skills and vacancy gaps, the Chair said that understanding the scale and size of industry engagement into schools was important but at present we did not have a good enough idea. How can this information be reported accurately and how can it become more agile with increased capability? 

DEC23/04: The Chair asked Board members to suggest any people or organisations who would be able to support in collating this information. 

The Head of the CRU set out some of the priorities that the Board could support with moving forward. These included:
- Awareness raising of the cyber security industry in classrooms.
- Available global funding to provide Virtual Learning Machines in Scottish high schools to improve take up of cyber security learning and qualifications.
- Support with keeping Ministers aware of the importance of cyber resilience and the role of the SC3.
- Representation at or other involvement with future events, particularly Board involvement in CyberScotland Week (26 Feb – 3 Mar 2024).

The Head of the CRU shared that College Development Network (CDN) has been taking forward some work looking at embedding cyber security skills into existing vocational courses, e.g. hairdressing. NC and the Head of the CRU shared they both had upcoming meetings with a representative from SICSA and could look into this further.

NC shared information on courses which were to be funded by the charitable arm of a private organisation and there was a possibility of these courses being rolled out wider. 

The Head of the CRU asked the Board if they were aware of any funding resource for schools to obtain Virtual Learning Machines (VLM) after a successful pilot phase. RA shared that the Chartered Institute of Information Security had VLMs in England and there would be a chance that, with adjustments, this could potentially be rolled out within Scotland. RA was not sure of the cost but imagined it would be inexpensive to do. The SC3 Vulnerability and Coordination Lead thought this would be a good idea but noted it would require teachers to be trained and knowledgeable on VLMs. The Chair felt it would be useful to understand the blockers and if this extended both to teachers and infrastructure. 

FA and CB expressed concerns about difficulties they had experienced when getting uptake and input from teachers, one of these concerns being lack of uptake due to already heavy workloads. The Chair posited that this was a key opportunity to grow the cyber resilient workforce in Scotland. The Head of the CRU suggested that incorporating a representative from Skills Development Scotland (SDS) and Education Scotland into the Board may fill the gap. The Vice Chair supported this idea and said that it was important to have consistent input from Education Scotland on ongoing work within the cyber education space. 

DEC23/05: The Head of the CRU to explore representation on the Board from SDS and Education Scotland to further skills and learning.  

JS suggested that cyber security skills development of teachers is essential. The rest of the Board agreed with this. 

NC shared that there is work ongoing in the veterans’ space and that Abertay University had secured funding to deliver cyber-related training for veterans. She would welcome any support from the Board if they can offer positive job destinations.

DEC23/06: Board members to contact NC directly, if they can offer support with this activity. 

The Chair emphasised the importance of a fully operational SC3 to drive forward change and support for the cyber resilience of Scotland’s public sector in particular. The Head of the CRU gave a general staffing update and shared that a new Deputy Director/Head of Centre for the SC3 is due to take up post in January 2024. The Chair said that the introduction of a Head of Centre was an important step and could provide an impetus for change and direction.  

The Head of the CRU asked the Board if they could highlight and promote CyberScotland Week (CSW) 2024 within their own organisations and wider contacts and, if possible, carry out and speak at events. 

DEC23/07: Board members to be given CSW marketing packs to promote and be involved in events taking place during CSW 24. 

Update on CivTech challenge

The Cyber Resilience Unit (CRU) Public Sector Lead and the Cyber Incident and Vulnerability Co-ordination Lead (SC3) provided the Board with an update on the CivTech 9.5 and 9.6 challenges in which they were recently involved. 

Scottish Cyber Coordination Centre (SC3) update

The Scottish Cyber Coordination Centre Cyber Incident and Vulnerability Coordination Lead provided an update on progress. He advised that:
- the Head of Centre (DD) was anticipated to start 4 January 
- a Cyber Coordination Analyst position was in the final stages of recruitment with an anticipated start date of January 2024
- NCSC Secondment Option was progressing to lead on the Cyber Assurance workstream with a January/February 2024 start
- daily and weekly vulnerability and threat reports are being produced and disseminated to the wider public sector. They are available through a subscription service via the CyberScotland portal.

The SC3 Cyber Incident and Vulnerability Coordination Lead also updated the Board on current national cyber incident support work. 

Any other business (AOB)

The Chair announced that RA, DH and CT had reached completion of two terms of appointment as Board members and as a result, this would be their last Board meeting. The Chair thanked them for their work to date and also informed the rest of the Board that they were keen to continue to support the work of the Board moving forward. 

Close

The next Board meeting will be on 25 March 2024, 10:00 – 14:00, St Andrews House, Edinburgh.
 

 
