The regulator this week published three independent audits into the attack, in the hope that other public bodies can learn from SEPA’s experience “to better protect themselves from cybercrime”.
On Christmas Eve last year, about 4,000 files were stolen by the Conti ransomware group, who then published them online after SEPA refused to pay a ransom.
SEPA lost access to almost all of its data and systems – everything from historical water quality statistics to emails.
SEPA said earlier this year that it would take "a year or two to build back fully everything we need for the future".
According to an audit from independent consultants Azets, SEPA staff showed “commitment, eagerness, camaraderie and positive dedication across the response and recovery stages of the attack”.
However, Azets also noted that the regulator’s cyber incident response plan was inaccessible during the incident because it was stored on the servers affected by the attack and there was no offline version available.
In addition, Azets found that only very senior managers within the Information Systems Department were aware of the plan's existence and that “there was no evidence that this plan was ever exercised”.
Despite this, a previous Police Scotland review found that SEPA "was not and is not a poorly protected organisation".
Elsewhere the audits class SEPA’s cyber maturity assessment as “high”, stating that sophisticated defence and detection mechanisms were implemented and operated correctly prior to the incident.
In one audit, from the Scottish Business Resilience Centre (SBRC), it was noted that SEPA had made data backups in line with best practice and there were three copies of the data, located at two separate locations, with one copy stored offline.
However, the design åof the network and a second attack from the hackers meant that both sites were affected, it said.
“This attack displayed significant stealth and malicious sophistication with a secondary and deliberate attempt to compromise SEPA systems as the team endeavoured to recover and restore back-ups,” SRBC said.
The audits suggest 44 “learnings” for SEPA, all of which the regulator says it accepts. These include investigating options for a 24-hour Security Operations Centre and the hiring of a Cyber Incident Response specialist company.
Terry A'Hearn, SEPA’s chief executive, said the regulator had been the victim of a “hideous, internationally orchestrated crime”.
“No-one asked us to commission multiple reviews. No-one required us to do so. We simply took the view that this was our responsibility as a public agency.
“The audits make it clear we were well protected but that no cyber security regime can be 100% secure. A number of learnings have been identified that will help SEPA further improve its cyber security. All have been accepted,” he said.