13.1 The Information Security and Governance Manager gave a presentation
on the Council’s cyber security arrangements, including
measures to counter ransomware attacks. He outlined that the
National Cyber Security Centre (NCSC) had identified ransomware as
the number one threat to local government organisations. He gave
the example of Redcar and Cleveland Borough Council where a
ransomware attack got through to their core IT infrastructure via
an older, legacy system which had less protection. This resulted in
Redcar and Cleveland Council being unable to access databases and
machines, forcing them to close services and initiate business
continuity arrangements. The estimated cost of the attack was
£10.4 million including damage to IT systems, loss of income,
decreases in productivity and the impact on staff.
13.2 The Council constantly monitors cyber security threats and uses a
wide range of cyber security measures to protect its systems and
information from ransomware. Some of the measures used
include:
- Protective Domain Name Service (PDNS), which is a
tool provided by the NCSC to check that domains are not linked to
malware or other threats when a user clicks on a link or searches
for something using a URL (Uniform Resource Locator) or web
address.
- Trusted Platform Module (TPM) microchips are used in
new laptops to give added encryption protection and make them less
vulnerable to attack and more resilient.
- Moving to ‘Always On’ VPN (Virtual
Private Network) to enhance security.
- Increasing the resilience of services by using
things such as ‘hot, hot’ data servers for business
critical systems to ensure there is no downtime if a back-up server
has to take over.
- Increasing the use of virtualised servers and blade
servers to make it easier to take servers off-line and quicker to
bring them back online if there is a problem.
- Continuing to develop shared intelligence through
the NCSC Cyber Security Information Sharing Partnership and work
with other local authorities. This helps to identify emerging
threats and the NCSC can also identify any weaknesses or issues
with systems, including third party systems.
- Collaborative working with our Orbis partners Surrey
County Council and Brighton and Hove City Council, sharing lessons
learnt and security configurations.
- Continued development of in-house cyber security
staff, including five staff who hold NCSC accreditation which is
equivalent to a Master's level degree.
- Holding three back-ups in two locations with one
off-line (3-2-1 rule) to protect against ransomware, which is
something NCSC is promoting as best practice.
13.3 The Council is constantly working to improve and maintain its
resilience in the event of an attack. It is likely that the Council
will be targeted, and this may result in some system downtime. The
Team is working with departments and partners to see what the
impact of various scenarios would be, and how they would cope with
system downtime (e.g. 24 hours downtime, 48 hours downtime, etc.)
to help inform their resilience and business continuity
plans.
13.4 The increase in remote working during the pandemic has presented
some challenges and the Council has adapted its security posture to
take this into account. This has included looking at new tools and
systems requested by users centrally to risk assess them and
strengthen security.
13.5 The Committee thanked officers for the informative presentation and
were reassured and impressed by the measures being taken to protect
the Council’s systems and information from cyber security
threats. The Committee discussed the presentation and a summary of
the points raised is given below.
- The Committee asked whether all services were now on
virtual infrastructure and whether exercises are conducted that
rehearse the realistic effect of what would happen in the event of
a ransomware attack. The Information Security and Governance
Manager responded that the exercises are carried out with
departments which rehearse the impact on core IT services such as
email and individual departmental systems. This can be from a very
minor outage to a major outage with widespread system failure. The
majority of infrastructure is now virtualised due to the ease of
restoring systems, but some is still provided on non-virtual
infrastructure to add resilience.
- In addition to the 3-2-1 back-ups referred to
earlier, there are incremental back-ups and cloud back-ups that
capture smaller changes in files that allow reversion to earlier
versions of files. The back-up system includes a centralised
back-up group which has incremental back-ups, and the two data
centres have their own separate storage for resilience as well as
an off-line back-up so it is possible to restore systems in the
event of the other two back-ups becoming corrupted. The data
centres used are Tier 3 which is the highest level of data centre
in terms of resilience and security.
- The Committee enquired whether there were sufficient
trained and accredited staff for the Council’s needs and
whether staff and councillors’ working practices posed a risk. The
department is seeking to train as many certified staff as needed
and checks the NCSC credentials list regularly to ensure all staff
have up-to-date training when new items are added. Digital
footprint training is provided to all staff where staff are shown
how their footprint affects them, and how to keep themselves and
systems secure. This training is run almost every week and is
targeted at individuals and their job role in order to cascade the
learning through their work life and their use of IT outside work.
It is likely that councillors may be targeted by malware because of
their role. The Information Security and Governance Manager offered
to set up some training sessions for councillors and the Committee
agreed that they would be interested in attending this type of
training.
- It was clarified that ESCC does use one of the
systems that Cleveland and Redcar Council had when it was attacked,
but our system has been maintained up to date and is not legacy,
and therefore does not pose a risk. All ESCC systems are regularly
updated and patched to fix any known security weaknesses, which
alongside regular training, provides some of the most effective
measures against cyber attacks.
- The Committee asked if the Council has warning
systems in place that can warn or advise users in the event of an
attack. The Information Security and Governance Manager confirmed
that the Council has multiple systems for notifying users when
there are issues with the systems that they are using.
13.6 The Committee RESOLVED to:
1) thank officers for the very detailed presentation;
2) note the presentation and that the Committee is
satisfied with the cyber security measures that are in place; and
3) confirm that no further scrutiny of this topic is
necessary at this point in time.