SEPA accepts cyber security recommendations after ‘hideous attack’

The Scottish Environment Protection Agency (SEPA) has accepted dozens of recommendations on improving its cyber security following a devastating attack last year, which “displayed significant stealth and malicious sophistication”, according to a series of reviews.

The regulator this week published three independent audits into the attack, in the hope that other public bodies can learn from SEPA’s experience “to better protect themselves from cybercrime”.

On Christmas Eve last year, about 4,000 files were stolen by the Conti ransomware group, who then published them online after SEPA refused to pay a ransom.

SEPA lost access to almost all of its data and systems – everything from historical water quality statistics to emails. 

SEPA said earlier this year that it would take "a year or two to build back fully everything we need for the future".

According to an audit from independent consultants Azets, SEPA staff showed “commitment, eagerness, camaraderie and positive dedication across the response and recovery stages of the attack”.

However, Azets also noted that the regulator’s cyber incident response plan was inaccessible during the incident because it was stored on the servers affected by the attack and there was no offline version available.

In addition, Azets found that only very senior managers within the Information Systems Department were aware of the plan's existence and that “there was no evidence that this plan was ever exercised”.

Despite this, a previous Police Scotland review found that SEPA "was not and is not a poorly protected organisation".

Elsewhere, the audits class SEPA’s cyber maturity assessment as “high”, stating that sophisticated defence and detection mechanisms were implemented and operated correctly prior to the incident.

In one audit, from the Scottish Business Resilience Centre (SBRC), it was noted that SEPA had made data backups in line with best practice and there were three copies of the data, located at two separate locations, with one copy stored offline. 

However, the design of the network and a second attack from the hackers meant that both sites were affected, it said.

“This attack displayed significant stealth and malicious sophistication with a secondary and deliberate attempt to compromise SEPA systems as the team endeavoured to recover and restore back-ups,” SBRC said.

The audits suggest 44 “learnings” for SEPA, all of which the regulator says it accepts. These include investigating options for a 24-hour Security Operations Centre and the hiring of a Cyber Incident Response specialist company.

Terry A'Hearn, SEPA’s chief executive, said the regulator had been the victim of a “hideous, internationally orchestrated crime”. 

“No-one asked us to commission multiple reviews. No-one required us to do so. We simply took the view that this was our responsibility as a public agency. 

“The audits make it clear we were well protected but that no cyber security regime can be 100% secure. A number of learnings have been identified that will help SEPA further improve its cyber security.  All have been accepted,” he said.
