The December 2020 cyber-attack against the Scottish Environment Protection Agency (SEPA) ‘displayed significant stealth and malicious sophistication’ according to a series of independent audits published on 27 October by Scotland’s environmental watchdog.
A Police Scotland investigation concluded it likely that an international serious organised crime group was responsible for the extortion attempt detected at one minute past midnight on Christmas Eve. The Scottish Business Resilience Centre noted a ‘secondary and deliberate attempt to compromise SEPA systems as the team endeavoured to recover and restore back-ups’.
SEPA did not respond to a ransom request left on its systems and was clear that it would not use public finance to pay serious and organised criminals.
Recent London Business School research concluded that cyber-risk more than quadrupled since 2002 – and tripled since 2013 whilst Scottish Business Resilience Centre states that in the fourth quarter of 2020, attacks utilising PowerShell grew by 208% while malware leveraging Microsoft Office increased by 199%. The same study also identified that attacks targeting public sector entities increased by 93%.
The pattern of activity has become more global and has affected a broader range of industries. Victims have ranged from Apple and LinkedIn, to Sony Pictures, Marriot Hotels, Colonial Pipeline, Citi Bank and JP Morgan Chase. Closer to home, victims have ranged from the NHS, Hackney Council, Tesco and Talk Talk, to the Irish Health Service, Dundee and Angus College, Aspire Housing Association and, most recently, the Weir Group.
Independent audits were commissioned from Police Scotland (Cyber-Attack Response Debrief); Scottish Business Resilience Centre (Cyber-Attack Preparedness Review) and Azets (Cyber-Attack: Response; Cyber-Attack: Lessons Learned) to (a) ensure that SEPA further enhances its cyber security as the organisation builds new systems and practices; and (b) to allow others to learn from SEPA’s experience to help better protect themselves from cyber-crime. SEPA has also published its organisational response.
SEPA’s high cyber maturity assessment
- Police Scotland had previously confirmed that “SEPA was not and is not a poorly protected organisation”.
- The audits determined SEPA’s cyber maturity assessment as high, stating that sophisticated defence and detection mechanisms were implemented and operating correctly prior to the incident. SBRC noted ‘no implementation regime can be 100% secure’.
- Police Scotland found that SEPA has a strong culture of resilience, governance, incident, and emergency management. It regularly tested its emergency response capability and had undertaken a cyber exercise.
- Resilience planning ensured structures were in place that allowed SEPA’s key critical services (flood forecasting and pollution hotline) to continue, despite the core network being offline.
- Azets found SEPA’s response following the triggering of the ransomware on 24 December 2020 to be effective. Police Scotland noted a high quality of response provided by SEPA and found the stand-up of national cyber incident coordination arrangements worked well.
Backups and best practice
- SBRC noted that backups were taken in line with NCSC best practice in that there were three copies of the data, located at two separate locations, with one copy stored offline. However, the design of the network meant that both sites were affected. This attack displayed significant stealth and malicious sophistication with a secondary and deliberate attempt to compromise SEPA systems as the team endeavoured to recover and restore back-ups.
- SBRC identified SEPA implemented best practice in backup policy following the 321 principles, however, could have achieved greater maturity with increased offline storage capacity and speed. Similarly, best practice was identified in Network Segmentation where stricter management and filtering controls across the network would advance SEPA’s cyber maturity.
Data theft and illegal publication
- Police Scotland found that the data publication on the threat actors’ site was picked up quickly and that SEPA developed a data recovery plan in anticipation of the data being published and enacted this.
“A broad plan and great people”
- Police Scotland noted that ‘taking the time at an early stage in the incident to step back and produce a broad plan with long term targets, rather than reacting to events as they unfolded was extremely valuable.’
- Communications with stakeholders were transparent and concise. Stakeholders were regularly updated. Communications were specific to the needs of each type of stakeholder
- Police Scotland recognised the role of staff in ensuring a number of SEPA’s key business critical services (i.e. flood forecasting and warning and SEPA pollution hotline) were maintained and Azets noted that the commitment and dedication shown by SEPA staff during the response has been significant. ‘Staff have worked well beyond their normal hours and have demonstrated considerable flexibility, have worked through or given up annual leave, and public holidays.’
- Azets noted that senior leaders of SEPA placed emphasis on staff wellbeing and emotional resilience. This was through having a proactive approach in place to manage employee wellbeing and communications.
Learnings for Scotland’s public sector
Police Scotland, SBRC and Azets recommend actions across the Scottish public sector, including:
- SRBC and Azets recommended that SEPA investigate options for the engagement of a 24-hour Security Operations Centre (SOC).
- Police Scotland recommended that SEPA and the wider public sector organisations within Scotland should consider the value of retaining a Cyber Incident Response (CIR) specialist company to ensure availability of the necessary expertise at the earliest opportunity.
- Police Scotland recommended that SEPA and the wider public sector organisations within Scotland should review Cyber Incident Response Plans, Ransomware and Data Loss play books and as an exercise priority test them against an enterprise level ransomware and data exfiltration attack.
- Police Scotland recommended that Scottish Government Cyber Resilience Unit in collaboration with key stakeholders should consider the development of an Organisational Learning and Development process in support of Cyber incidents and exercising across the Public Sector to ensure that there is a consistent and proactive approach to the identification of learning and an appropriate ‘end to end’ process that ensures learning identified become lessons learned and that they are captured within a single repository and communicated accordingly.
A series of learnings were identified for Scotland’s public sector. 44 learnings were identified for SEPA. All have been accepted. The learnings are the focus of a joint SEPA, SBRC & FutureScot ‘Cybercrime: Ready, Resilient & Responsive’ online event, held today (27 October) for public, private and third sector stakeholders.
Terry A’Hearn, Chief Executive at SEPA, said:
“Ten months ago, on Christmas Eve, SEPA was the victim of a hideous, internationally orchestrated crime which impacted our organisation, our staff, our public and private partners and the communities who rely on our services.
“Unfortunately, our story is not unique. Cybercrime has rapidly expanded around the world. Major organisations such as Apple, the Irish Health Service, LinkedIn, Colonial Pipeline, CitiBank, Sony and many more have been hit by cyber-attacks.
“In the face of this awful crime, I am immensely proud of the way our team has coped and responded. We have delivered high-priority services to protect Scotland’s environment and started building all our services up in new and better ways. In the end, we will have fast-tracked major reforms we had set out to do anyway. In all this work, as CEO of SEPA, I want to acknowledge and thank the outstanding efforts of our workforce and the assistance we have received from partners and all those we regularly work with.
“A key element of our recovery has been to set a high level of transparency in our work. We’ve spoken openly about the impact of the attack, our response and recovery, including weekly service updates as one example of the many ways we’ve kept people informed about our recovery and how to work with us.
“In line with this approach, I commissioned independent expert reviews of the cyber-attack. No-one asked us to commission multiple reviews. No-one required us to do so. We simply took the view that this was our responsibility as a public agency.
“The audits make it clear we were well protected but that no cyber security regime can be 100% secure. A number of learnings have been identified that will help SEPA further improve its cyber security. All have been accepted.
“The majority of organisations hit by cyberattacks around the world do not publicise much about the attack and that is their right. We know we have taken an unusual approach, but we are convinced it is the right thing for us to do. We are publishing as much as we can of the reviews so that as many organisations as possible can use our experience to better protect themselves from this growing scourge of cybercrime and have committed to supporting Police Scotland and Scottish Business Resilience Centre in their work on highlighting the support available to organisations to be cyber ready, resilient, and responsive.
Detective Inspector Michael McCullagh, Cybercrime Investigations, Police Scotland, said:
“Police Scotland has been consistently clear that SEPA was not and is not a poorly protected organisation. The organisation had a strong culture of resilience, governance, incident and emergency management and worked effectively with Police Scotland and others.
“Recent attacks against SEPA, the Irish Health Service and wider public, private and third sector organisations are a reminder of growing threat of international cyber-crime and that no system can be 100% secure. They’re also a reminder of the growing importance of organisations being ready, resilient, and responsive.
“SEPA’s work in standing up to, and speaking openly about international serious and organised cyber-crime shows real leadership. By its actions, including sharing its learnings, organisations across Scotland have the opportunity to be safer and stronger.”
Jude McCorry, Chief Executive Officer, Scottish Business Resilience Centre, said:
“Against a growing global and local threat environment, Scottish businesses and organisations need to get increasingly serious about cyber. For organisations in Scotland today, the question is when, not if you’re organisation will be subject to attack and how well it will respond and recover.
“The fact that SEPA’s cyber maturity assessment was high and sophisticated defence and detection mechanisms were implemented and operating correctly prior to the incident is a reminder to us all how real the risk is.
“As an organisation, SEPA has consistently acted with great courage – not engaging with the criminals, refusing to use public funds to pay a ransom, speaking out and sharing the learnings widely. We’re delighted to stand with SEPA as together we use this as an outstanding case study of a cyber-attack response, including on the practical support available to Scottish businesses and organisations on readiness, response and recovery.”