The Resilience and Emergencies Division (RED) of the Ministry for Housing, Communities and Local Government has launched an 18-month programme to work with local resilience forums (LRFs) on building up their cyber security capabilities.
Two of its lead officials told UKAuthority’s Public Sector Cyber Security Forum that the RED team has extended its brief from incidents such as flooding and fires.
“We want to move cyber away from sitting in a security box to thinking about it more in an emergency planning and preparedness space,” said Alice Reeves, head of resilience for RED.
She made the point that access to data and being able to communicate with other agencies is an essential element of any emergency planning, and that organisations need to map out these needs as part of their cyber planning.
Programme manager James Young said: “What we can offer to do is help build a collaborative culture. It’s by bringing together some technical and non-technical people and different communities that we can understand the business risk for public services in responding to these events.”
Scoping plans
An early stage of the programme has involved scoping the cyber element of LRFs’ resilience plans. It found that a few have developed cyber specific response plans and conducted an exercise with a cyber component, but more are relying on generic plans.
Young said efforts are beginning to help LRFs build cyber resilience capabilities and incident response plans, and identify good practice, partly through a cyber hub on the Resilience Direct online network for civil protection specialists.
There are also plans to link their response arrangements to those at national level, such as National Cyber Security Centre plans.
“It’s a key role that RED and Communities and Local Government plays, in linking the national level with the local response, thinking about consequences at a local level,” he said.
It will also support access to the products within the National Cyber Security Programme.
A small team will work with the LRFs to build the capabilities and work on individual issues, and help to develop some common language and understandings.
“My reflection is that there is a lot of cyber policy out there and it is quite difficult to navigate,” Young said. “So part of it is helping the local owners think about ‘What’s my plan? Who do I have to contact? Who do I need to notify.’ Where’s the threshold where we say ‘I’m managing it for our organisation, but you might want to be aware as it could impact your organisation’.”
In addition, a training offer will go out to LRF and local government representatives, built around three themes: understanding cyber and resilience; building a cyber capability; and integrating cyber into the more general instant response and business continuity arrangements.
RED will also run a number of exercises based on the possibility of a cyber attack happening at the same time as an event such as a terrorist incident.
LRFs bring together emergency services with essential service providers to plan for responses to civil emergencies.
Image by Matt Davis, CC BY 2.0 through flickr