NCSC: New Cyber Attack categorisation system to improve UK response to incidents

The NCSC and law enforcement are implementing a new cyber incident prioritisation framework.

  • NCSC and law enforcement to implement new cyber incident prioritisation framework
  • Existing system of three categories of incident broadened to six detailed classifications
  • Categorisation spans full range of incidents from national campaigns to personal attacks

The NCSC defines a cyber security incident as:

  • A breach of a system’s security policy in order to affect its integrity or availability
  • The unauthorised access or attempted access to a system

Activities commonly recognised as cyber incidents are:

  • attempts to gain unauthorised access to a system and/or to data
  • the unauthorised use of systems and/or data
  • modification of a system’s firmware, software or hardware without the system-owner’s consent
  • malicious disruption and/or denial of service

NCSC cyber security incident prioritisation framework

Category 1: National cyber emergency

  • Category definition: A cyber attack which causes sustained disruption of UK essential services or affects UK national security, leading to severe economic or social consequences or to loss of life.
  • Who responds? Immediate, rapid and coordinated cross-government response. Strategic leadership from Ministers / Cabinet Office (COBR), tactical cross-government coordination by NCSC, working closely with Law Enforcement.
  • What do they do? Coordinated on-site presence for evidence gathering, forensic acquisition and support. Collocation of NCSC, Law Enforcement, Lead Government Departments and others where possible for enhanced response.

Category 2: Highly significant incident

  • Category definition: A cyber attack which has a serious impact on central government, UK essential services, a large proportion of the UK population, or the UK economy.
  • Who responds? Response typically led by NCSC (escalated to COBR if necessary), working closely with Law Enforcement (typically NCA) as required. Cross-government response coordinated by NCSC.
  • What do they do? NCSC will often provide on-site response, investigation and analysis, aligned with Law Enforcement criminal investigation activities.

Category 3: Significant incident

  • Category definition: A cyber attack which has a serious impact on a large organisation or on wider / local government, or which poses a considerable risk to central government or UK essential services.
  • Who responds? Response typically led by NCSC, working with Law Enforcement (typically NCA) as required.
  • What do they do? NCSC will provide remote support and analysis, standard guidance; on-site NCSC or NCA support may be provided.

Category 4: Substantial incident

  • Category definition: A cyber attack which has a serious impact on a medium-sized organisation, or which poses a considerable risk to a large organisation or wider / local government.
  • Who responds? Response led either by NCSC or by Law Enforcement (NCA or ROCU), dependent on the incident.
  • What do they do? NCSC or Law Enforcement will provide remote support and standard guidance, or on-site support by exception.

Category 5: Moderate incident

  • Category definition: A cyber attack on a small organisation, or which poses a considerable risk to a medium-sized organisation, or preliminary indications of cyber activity against a large organisation or the government.
  • Who responds? Response led by Law Enforcement (likely ROCU or local Police Force), with NCA input as required.
  • What do they do? Law Enforcement will provide remote support and standard guidance, with on-site response by exception.

Category 6: Localised incident

  • Category definition: A cyber attack on an individual, or preliminary indications of cyber activity against a small or medium-sized organisation.
  • Who responds? Automated Protect advice or local response led by Law Enforcement (likely local Police Force).
  • What do they do? Remote support and provision of standard advice. On-site response by exception.
