Information collected under Network and Information Systems (NIS) Regulations 2018: FOI release

Information requested

1. The number of reports made to the authority for each subsector they were a Designated Competent Authority during 2024.

2. The number of reports made to the authority for each subsector they were a Designated Competent Authority during 2024 which concern cybersecurity incidents.

3. Of the reports made during 2024 which were cybersecurity incidents, provide:

• The type of attack (e.g. ransomware, malware, denial of service, etc).
• The Initial Access Vector of the attack (e.g. credential abuse, exploitation of vulnerabilities, phishing, etc).

Response

The Network and Information Systems Regulations 2018 (NISR) are enforced through sector-specific Competent Authorities across the UK. These authorities are responsible for ensuring compliance and managing incident reporting for Operators of Essential Services (OES) and Relevant Digital Service Providers (RDSP).

In Scotland, there are two designated Competent Authorities:

• The Drinking Water Quality Regulator for Scotland oversees compliance within the water sector.
• Scottish Ministers act as the Competent Authority for all Health Boards in Scotland, who are considered to be OES. Operational responsibilities are carried out by a specialist team within the Digital Health and Care Division of the Scottish Government.

Across the UK, the Information Commissioner’s Office (ICO) regulates Relevant Digital Service Providers (RDSPs) under the NIS Regulations.

Under Regulation 11 of the NIS Regulations, all Health Boards in Scotland are required to notify the Scottish Health Competent Authority (SHCA) of any incident that significantly impacts the continuity of essential services. To support this, the SHCA has published specific incident reporting thresholds, which help Health Boards determine whether an incident meets the criteria for notification.

Reported Incidents (throughout 2024)

• Total Incidents Reported: 34
• Cybersecurity-Related Incidents: 7

Breakdown of Cybersecurity Incidents:

Third-Party Supplier Issue (SMS-Teknik):

• 5 incidents involved, the same third party issue, where data was accidentally exposed during routine exercises.
• Further details can be found on the supplier website: SMS-Teknik Executive Summary – Data Breach - https://www.smsteknik.com/executive-summary-data-breach/.

Malicious Plugin Infection:

• 1 incident involved an infected WordPress plugin on a corporate site, resulting in unauthorised links to adult content and a cryptocurrency miner. Further information on WordPress Plugin can be found here: https://learn.wordpress.org/lesson/troubleshooting-your-site-plugin-and-theme-conflicts/.

Cyber:

• 1 incident involved suspicious activity, including Kerberoasting, a technique that targets the Kerberos authentication protocol led to the immediate shutdown of servers.

About FOI

The Scottish Government is committed to publishing all information released in response to Freedom of Information requests. View all FOI responses at https://www.gov.scot/foi-responses.