Six months after 'serious & significant' cyber-attack, Scotland's Environment Protection Agency is building back better

  25 June 2021
Six months after a ‘serious and significant’ cyber-attack left Scotland’s environmental regulator locked out of its systems, the agency and its staff are building back better, having made substantial progress so the organisation can continue to protect Scotland’s environment and ensure businesses and communities are impacted as little as possible.
  • Working with Scottish Government, Police Scotland, the National Cyber Security Centre and the Scottish Business Resilience Centre, SEPA is working to a clear recovery strategy in response to a complex and sophisticated cyber-attack.  
  • SEPA was clear that it would not use public finance to pay serious and organised criminals intent on disrupting public services and extorting public funds and Police Scotland has been clear that “SEPA was not and is not a poorly protected organisation”.  
  • Six months on, many services are back and running and officers have deployed around 850 times.  SEPA has issued 91 Flood Alerts, 192 Flood Warnings, issued almost 2,500 authorisations and completed or are progressing around 400 planning cases to support Scotland’s recovery.  
  • Sadly, as we’ve seen from daily attacks including the Irish health service, cyber-crime is an increasing challenge for businesses and public sector partners and service recovery takes time.
  • SEPA has commissioned an independent audit and through its experience is shining a light and speaking openly about internationally orchestrated cyber-crime.
  • Once complete, SEPA will share the learnings widely so that the organisation and all others with an interest can benefit from the agency’s experience in preparedness, response and recovery.

Teams across the Scottish Environment Protection Agency (SEPA) have been working flat-out since Christmas Eve to support colleagues, partners and customers and to restore systems and services as quickly as possible.

SEPA’s business continuity arrangements were immediately enacted due to the attack at 00:01 on 24th December 2021, and the organisation worked closely with Scottish Government, Police Scotland, the National Cyber Security Centre, Scottish Business Resilience Centre and cyber-crime experts to respond to the complex and sophisticated criminality. 

In a milestone update, Terry A’Hearn, Chief Executive of the Scottish Environment Protection Agency (SEPA) said:  

“Working with Scottish Government, Police Scotland, the National Cyber Security Centre and the Scottish Business Resilience Centre, SEPA is working to a clear recovery strategy in response to a complex and sophisticated cyber-attack.  

“We were clear that we would not use public finance to pay serious and organised criminals intent on disrupting public services and extorting public funds and Police Scotland has been clear that ‘SEPA was not and is not a poorly protected organisation’.

“Whilst within the confines of a live criminal investigation, we’ve been vocal and transparent on the criminal attack, the theft and illegal publication of data, the impact on our services and progress towards our recovery.  

“Since Christmas Eve, teams across the agency have been working flat-out to support our people, partners and customers and to restore our systems and services as quickly as possible.  

“We know that communities and citizens depend on us to do our job which is why, even on Christmas Eve, we prioritised critical frontline services including vital flood warnings to safeguard families, communities and public services. Six months on, many services are back and running and officers have deployed around 850 times. SEPA has issued 91 Flood Alerts, 192 Flood Warnings, issued almost 2,500 authorisations and completed or are progressing around 400 planning cases to support Scotland’s recovery.

“We’re issuing weekly updates on our recovery and service status to be clear on what those we work with can expect and how we’ll continue to prioritise progress whilst we continue to listen to our staff, customers, communities and stakeholders.  

“Sadly, as we’ve seen from daily attacks including the Irish health service, cyber-crime is an increasing challenge for businesses and public sector partners and service recovery takes time. We have commissioned an independent audit and through our experience we’re shining a light and speaking openly about internationally orchestrated cyber-crime. Once complete, we’ll share the learnings widely so that we and all others with an interest can benefit from our experience in preparedness, response and recovery.”  

NOTES TO EDITORS:

RECENT STAKEHOLDER COMMENTARY

  • DCC Malcolm Graham – Deputy Chief Constable, Police Scotland “Thanks to Terry for his real open and honest assessment and appraisal of what the last number of months must have been like in dealing with such a significant, intrusive and impactful attack. “I think it’s also worth emphasising (whilst Terry is on the line) that SEPA is not, was not a poorly protected organisation. Again our assessment of that is that there were a lot of measures in place that you would expect to see from an organisation of that type and actually again it’s just a reminder to us that demonstrates the ability of organisations that have the backing of the nature of some of the groups that we know are behind some of the software and the networking that we see in the likes of this attack are going to be able to overcome some fairly sophisticated and secure protection barriers that people have in place round about their organisations as well.” Source: Cyber Scotland Week Conference https://youtu.be/yvS0PgNVFbE
  • Prof Ciaran Martin CB (Former Chief Exec officer, National Cyber Security Centre) “It’s a real privilege to listen to Terry and having been through it I think the candour which he brought to the discussion is really powerful and I think people learn from that but also frankly the moral courage of the organisation refusing to pay the ransom is a huge deal and is to be commended. “There is no specific answer to all cyber-crime and some of it is state backed, some of it’s not, some of it is for money, some of it is for political advantage so you know, it’s as variable as crime and malign activity in the non-digital world, but one of the reasons why ransomware has reached epidemic proportions is that it is being incentivised and the more Terrys and SEPAs we have then the less advantageous it will be.” Source: Cyber Scotland Week Conference https://youtu.be/yvS0PgNVFbE
  • Jude McCorry, Chief Executive Officer, Scottish Business Resilience Centre. The reaction from SEPA has been exemplary given the circumstances, McCorry believes, and the stiff upper lip attitude taken by the public authority has been admirable. Repeatedly, SEPA has made it clear it will not pay a ransom or engage with cybercriminals – a tactic which she says is critical in the fight against ransomware. “Certainly in terms of crisis communications they’ve been great. The way they’ve handled things with the press, with staff and partners has been very pro-active and they appear to have just gotten on with the day job as much as they can,” she says. “When the time is right to come out and speak to organisations, I think it will be very helpful to a lot of people out there to listen to a case study on how SEPA handled things, what they’ve learned and how they dealt with it.” Source: Leader Insights | Jude McCorry, CEO, Scottish Business Resilience Centre (digit.fyi)
  • Sarah Cowie, Environmental Resources Policy Manager at NFU Scotland. “The scale of the cyber-attack SEPA faced was unprecedented and it was clear that there were going to be implications and they have been very good at communicating with us and working on effective and pragmatic ways to resolve these issues.”
    Source: BBC Radio Scotland | 24 June 2021
  • Kevin O’Sullivan, Editor, FutureScot “Some victims have been very open and kudos to @ScottishEPA whose Chief Executive @TerryAHearn was happy to go on the record and share lessons learned.”
  • Zia Hussain, Secretary of SEPA Unison “Unison members of the Scottish Environment Protection Agency play a vital role in safeguarding Scotland’s environment, regulating industrial sites and protecting communities from flooding. Many SEPA Unison members cancelled festive leave with families and loved ones to respond to the cyber-attack and members remain working around the clock to restore essential public services. “We appreciate and welcome the active engagement from SEPA management during this period and will continue to work with SEPA management to ensure our members remain supported and services are delivered to the Scottish public over this period.”     

CYBER ATTACK

  • On Christmas Eve, the Scottish Environment Protection Agency confirmed that it was responding to a significant cyber-attack affecting its contact centre, internal systems, processes and communications. SEPA will not engage with likely international serious and organised criminals intent on disrupting public services and extorting public funds. The matter is subject to a live criminal investigation. 
  • Following the attack, business continuity arrangements were immediately enacted and SEPA’s Emergency Management Team continued to work with Scottish Government, Police Scotland and the National Cyber Security Centre to respond to what is complex and sophisticated criminality.  
  • Since Christmas Eve, SEPA has provided regular weekly updates, briefings and detailed question and answer sessions for groups of staff, hosted by Chief Executive Terry A’Hearn, his executive team and Unison.  
  • SEPA provided national media updates on 24th December, 7th January, 14th January, 21st January, 28th January, 12th February, 8th March, 3rd April, 2nd June and 24th June.  
  • SEPA published its 'Approach to the delivery of services' for the first half of 2021, outlining how the organisation will prioritise the protection of Scotland’s environment and the provision of priority services across the period in response to COVID-19, the post EU system, the climate and nature emergencies and the ongoing cyber-attack.   
  • SEPA Chief Executive Terry A’Hearn was the keynote speaker during Scotland’s Cyber Security Week in February where he shared a platform with: David Ferbrache OBE - Chair - National Cyber Resilience Advisory Board, The Scottish Government; Malcolm Graham - Deputy Chief Constable, Crime & Operational Support - Police Scotland; Prof Ciaran Martin CB - Former Chief Executive Officer - National Cyber Security Centre (NCSC); Jude McCorry - CEO - Scottish Business Resilience Centre. Summary comments are here.
  • Priority regulatory, monitoring, flood forecasting and warning services are continuing to adapt and operate.  

SEPA

  • SEPA is Scotland’s principal environmental regulator. Every day SEPA works to protect and enhance Scotland's environment, helping communities, and businesses thrive within the resources of one planet. We call this One-Planet Prosperity.

We also help Scotland to prepare more powerfully for future increased flooding, as the national flood forecasting, flood warning and strategic flood risk management authority. www.sepa.org.uk