SEPA Cyber Attack - a commentary

Posted on 19 January

Update 19th January 2021

I noticed in a ZDNet article that they are alleging that SEPA's data has been leaked by the cybercriminal group behind Conti ransomware. They say that data stolen from the Scottish government agency has been published online. I note that to date SEPA has not commented on this article.

The article can be read here 

Update 14th January 2021

The following are screenshots of the information which was posted on the SEPA website a day after The Times article was published. A coincidence, I ask myself?

I have written under each section of the text some comments on their communications and text:

On the whole, I think the organisation has been fairly open and honest about the effect of the incident on its ability to deliver its services, and has given us some details of what happened. Their communications have been not too bad. For me, the major issue is that the text keeps contradicting itself on the possible length of the incident. Is it going to be short term or much longer? Both are in the text. Giving contradictory information in the same article is poor crisis communications. Most likely they don't know how long systems will be down; if this is the case, be honest and say you don't know, and then keep regularly communicating an update.

Comments on the above text:

  1. When SEPA say "For the time being, we need to protect the criminal investigation and its systems." are they being strictly honest? Are they locked out of their systems, so that it is taking them a while to recover and rebuild them from backup, or are they, as they claim, not bringing them back in order to preserve the forensic evidence? For me, I would rather have my systems back at the expense of the forensics. I think we should watch this one and see which way it goes, but it seems to me, looking at their response to date, that they only give a public explanation when forced to. One of the lessons from the response by Norsk Hydro to their cyberattack was that they were very open and honest in their communications right from the beginning of the incident.
  2. I do think it is good that they have been clear about which systems are not affected.
  3. I also think they have been open in giving us their incident priorities, although, while I think they are on the right lines, they could be written slightly better.

Comments on the above text:

  1. I think this line rather contradicts my earlier point 1, as they say "It is now clear is that with infected systems isolated, recovery may take a significant period", which contradicts the "short time" mentioned in the previous paragraph. I suspect the significant period is realistic.
  2. I think for the public it is important to know that some data submitted after the incident has been lost. Perhaps more information earlier could have reduced this.
  3. We now have another contradiction: "Some of our internal systems and external data products will therefore remain offline in the short term". Then we have a further contradiction in the next line, "access to be unavailable for a protracted period". In managing crises you want to avoid putting out conflicting information, especially in the same statement; it smacks of incompetence. If you don't know how long it will take to recover, say you don't know and be honest.

Comments on the above text:

  1. I think it is always a good idea to state the standard your organisation has in place to try and prevent a cyber attack. The statement says "despite systems being certified to UK Government security standards". If possible, and as a lesson for other organisations, I think it would be better to state what those standards are, as "government standards" for me is a bit non-descript.
  2. I think it is very interesting and telling to look at the description of the information which the statement says has been taken. Cybercriminals are professionals and they have people whose job it is to search breached companies for sensitive data. It seems from the description of the data that they have taken the most sensitive data, which could best be held to ransom.
  3. I think, reading between the lines, that there may be more information to come out on who has been affected, and there might be more data loss to be discovered. I think for me the lesson here is that these investigations take time and you don't have all the answers within hours. Senior managers in incident management teams need to be aware of this fact and they need to give their technical staff and investigators time to find out what has been lost.