The December 2020 cyber attack against the Scottish Environment Protection Agency (SEPA) “displayed significant stealth and malicious sophistication”, according to a series of independent audits published by Scotland’s environmental watchdog.
The attack was likely carried out by international serious organised criminals, the report stated, but SEPA did not respond to the ransom request and was clear that it would not use public finance to pay.
The Scottish Business Resilience Centre (SBRC) assessed SEPA’s cyber maturity as high and found that sophisticated defence and detection mechanisms were implemented and operating correctly prior to the incident, although it noted that no implementation regime can be 100% secure.
Police Scotland found that SEPA has a culture of governance, incident and emergency management, regularly testing its emergency response capability with trial cyber exercises.
This ensured structures were in place that allowed SEPA’s key critical services – flood forecasting and pollution hotline – to continue, despite the core network being offline.
SBRC noted that backups were taken in line with National Cyber Security Centre best practice, in that there were three copies of the data, located at two separate locations, with one copy stored offline.
However, the design of the network meant that both sites were affected.
SBRC identified that SEPA implemented best practice in backup policy, but could have achieved greater maturity with increased offline storage capacity and speed.
Recent London Business School research concluded that cyber-risk has more than quadrupled since 2002 – and tripled since 2013 – while the SBRC found that during the fourth quarter last year, attacks targeting public sector entities increased by 93%.
Victims have ranged from the NHS, Hackney Council, Tesco and TalkTalk, to the Irish Health Service, Dundee and Angus College, Aspire Housing Association and, most recently, Weir Group.
Independent audits were commissioned from Police Scotland, SBRC and Azets to ensure that SEPA further enhances its cyber security as the organisation builds new systems and practices.
SBRC and Azets recommended that SEPA investigate options for the engagement of a 24-hour security operations centre.
Police Scotland also recommended that SEPA and the wider public sector organisations within Scotland should consider the value of retaining a cyber incident response specialist company to ensure availability of the necessary expertise at the earliest opportunity.
Terry A’Hearn, chief executive at SEPA, said: “10 months ago, on Christmas Eve, SEPA was the victim of a hideous, internationally orchestrated crime which impacted our organisation, our staff, our public and private partners and the communities who rely on our services.
“In the face of this awful crime, I am immensely proud of the way our team has coped and responded.
“We are publishing as much as we can of the reviews, so that as many organisations as possible can use our experience to better protect themselves from this growing scourge of cybercrime and have committed to supporting Police Scotland and SBRC in their work on highlighting the support available to organisations to be cyber ready, resilient, and responsive.”
Detective Inspector Michael McCullagh, responsible for cybercrime investigations at Police Scotland, said: “Police Scotland has been consistently clear that SEPA was not and is not a poorly protected organisation.
“Recent attacks against SEPA, the Irish Health Service and wider public, private and third sector organisations are a reminder of the growing threat of international cyber-crime and that no system can be 100% secure.”
SBRC chief executive Jude McCorry added: “The fact that SEPA’s cyber maturity assessment was high and sophisticated defence and detection mechanisms were implemented and operating correctly prior to the incident is a reminder to us all how real the risk is.
“As an organisation, SEPA has consistently acted with great courage – not engaging with the criminals, refusing to use public funds to pay a ransom, speaking out and sharing the learnings widely.”