The SEPA Cyber Attack: a Case Study

Posted on 19 January

Update 29th January 2021

The Yin and Yang of SEPA's Cyber Incident Response

On Christmas Eve, the Scottish Environment Protection Agency (SEPA) was hacked and many of their systems were taken offline, including their email, and they have yet to recover them. They have also said that they lost 1.2 GB of data, “equivalent to a small fraction of the contents of an average laptop hard drive”, parts of which have been made publicly available by the cyber-criminal group behind Conti ransomware. Over the last four weeks, I have been publishing a running commentary on their response on this page. I thought this week I would share a bulletin on what they did well (Yang) and what they didn’t do so well (Yin).

The Yang

  1. While SEPA’s response was not exactly a John Smeaton “This is Glasgow. We'll just set aboot ye.” moment, SEPA has done the whole of the Scottish Government sector a favour by not paying the ransom. Ransomware gangs have had quite a lot of success with attacks on local government in the USA, where a number of ransoms have been paid for the quick restoration of systems. In attacks on English local authorities, such as Hackney, I believe the ransom has not been paid, but the consequence is that three months later they still do not have all their systems back online. My view was that SEPA was never going to pay a ransom, regardless of the impact of the cyber incident. It would be the Scottish Government who would ultimately decide whether a ransom was paid, and it would be better for them to be seen as the victim of a cyber-attack with a hobbled environment agency than to be severely criticised in the press for giving in to a ransom demand. I suspect they are keeping their fingers crossed that there is no pollution incident or event which could be tied back to parts of SEPA not operating. So hopefully SEPA has sent a message to those who carry out ransomware attacks that Scotland will not pay, and as ransomware extortion is a business, those carrying it out should move on to other sectors or geographies which give a better return.
  2. It has taken four to five weeks for SEPA to get their communications and messages sorted out. If you look on their website, there are now two sections on the attack which are very clearly signposted from the front page. There are details of the attack and what happened, and a useful section on the status of the different parts of their business which have been affected by the hack. They have even said when they will provide the next update. The text is well written and does not contradict itself, as it did in earlier versions.
  3. An interview with the Chief Executive, Terry A'Hearn, has been posted at the top of the SEPA Twitter feed. His main message is that public money won’t be used to pay criminals. I think this is an excellent line and will resonate with the public.
  4. The response has now gone multimedia, with a video on the site which has also been posted on Twitter. Social media has been used to promote the good work SEPA does and to try to portray that it is business as usual.
  5. A list of priorities has now been written; it is guiding their response and has replaced the nonsensical ones in their earlier communications. SEPA’s priorities are protecting Scotland's environment and providing priority services to individuals and businesses across Scotland.

The Yin

  1. Why has it taken five weeks for SEPA to come out with a set of reasonably well-written communications, which they should have put out within 24 hours of the incident happening? Communication throughout the whole incident has been poor, which has left the organisation looking incompetent, unprepared and uncoordinated. Even with the improvements in communication, there are still a number of issues.
  2. Why are there two overlapping sets of communications prominent on the website? There is the banner “Cyber Attack - what is affected and how to contact us”, which gives information on what has happened and contact details. There is then the new “Cyber-Attack: Service Status” section, which repeats much of the same information. At the end of the two pages there are two different sections on how to contact the organisation. Why? Providing contradictory information in an incident is poor incident management, and doing so within the same website plays into a narrative of poor communications. The service update is probably what people want to know, and they could have posted an accessible link to further information for those who want more detail on what happened.
  3. There is also the stand-alone document signposted from the website, “Approach to the delivery of services”, which elaborates on some of the information on the other two pages. Having so many different narratives at the same time increases the chance of contradictory and out-of-date information.
  4. The Service Status page has a table of what has been affected, what the organisation can do now, what you should do and when there will be an update. Very good, but why post it as a graphic rather than as text or an HTML table within the website? Poor graphics or cut-and-paste images on a website just look bad.
  5. The line from the Chief Executive that “public money will not be used to pay criminals” is a powerful one. Why then is it not mentioned in the organisation's own communications? This points to a lack of coordination in their response. Coordinating a single message going out from an organisation is a key concept of crisis communications.
  6. Throughout all SEPA’s communications, they have been very reluctant to share information and to be open and honest about their plight and the effect of the attack. Information has been given, but only when prompted by external events, such as The Times article and other articles on the data release. A key piece of information is that they have lost data and part of it has been released for public view. This has been well reported in the press. Their acknowledgement of it is buried in the middle of a whole load of other text. SEPA have said that they don’t know exactly what data has gone, but they have provided no advice on what to do if an individual or organisation thinks their data might have been compromised. On the whole, all communications have been reactive rather than proactive.
  7. There has been no apology or contriteness from the organisation. Yes, they are a victim, but they have still lost data in their possession, which could have a large effect on those whose data it is or who are named within it. They have also lost their ability to provide the service they normally do. Tone in crisis communications is very important, and I believe they have not got this quite right.

As I have said in previous bulletins, it is very easy for bloggers to carp and criticise from the side-lines an organisation that is in the middle of dealing with a major incident. Some of my criticisms are a matter of judgement and only time will tell whether they are valid or not. On the other hand, many of the issues I have highlighted are simply matters of good practice, so I would have expected an organisation like SEPA to be prepared for them. Many of the issues I have with their response are crisis communications and crisis management basics and should be known by organisations like SEPA, which have a prominent role in managing incidents. If you have yet to prepare your organisation for managing an incident and put the basics in place, now is the time to do so.

If your organisation is not yet ready to respond effectively to a cyber incident, we can help by carrying out a Cyber Incident Gap Analysis, and you could attend our two-day NCSC Certified Managing & Preparing for Cyber Incidents course.


Update 19th January 2021

I noticed a ZDNet article alleging that SEPA's data has been leaked by the cybercriminal group behind Conti ransomware. It says that data stolen from the Scottish government agency has been published online. I note that to date SEPA has not commented on this article.


Update 14th January 2021

The following are screenshots of the information which was posted on the SEPA website the day after The Times article was published. A coincidence, I ask myself?

Under each section of the text I have written some comments on their communications and wording:

On the whole, I think the organisation has been fairly open and honest about the effect of the incident on its ability to deliver its services and has given us some details of what happened. Their communications have not been too bad. For me, the major issue is that the text keeps contradicting itself on the possible length of the incident. Is it going to be short term or much longer? Both are in the text. Giving contradictory information in the same article is poor crisis communications. Most likely they don't know how long systems will be down; if that is the case, be honest, say you don't know, and then keep communicating regular updates.

Comments on the above text:

  1. When SEPA say "For the time being, we need to protect the criminal investigation and its systems", are they being strictly honest? Are they locked out of their systems, so that it is taking them a while to recover and rebuild them from backup, or are they, as they claim, not bringing them back in order to preserve the forensic evidence? For me, I would rather have my systems back at the expense of the forensics. I think we should watch this one and see which way it goes, but it seems to me, looking at their response to date, that they only give a public explanation when forced to. One of the lessons from Norsk Hydro's response to their cyberattack was that they were very open and honest in their communications right from the beginning of the incident.
  2. I do think it is good that they have been clear about which systems are not affected.
  3. I also think they have been open in giving us their incident priorities; although I think they are on the right lines, they could be written slightly better.

Comments on the above text:

  1. I think this line rather contradicts my earlier point 1, as they say "It is now clear is that with infected systems isolated, recovery may take a significant period", which contradicts the "short time" mentioned in the previous paragraph. I suspect the significant period is the realistic one.
  2. I think it is important for the public to know that some data submitted after the incident has been lost. Perhaps more information earlier could have reduced this.
  3. We now have another contradiction: "Some of our internal systems and external data products will therefore remain offline in the short term", followed on the next line by "access to be unavailable for a protracted period". In managing crises you want to avoid putting out conflicting information, especially in the same statement; it smacks of incompetence. If you don't know how long it will take to recover, say you don't know and be honest.

Comments on the above text:

  1. I think it is always a good idea to state the standards your organisation has in place to try to prevent a cyber attack. The statement says "despite systems being certified to UK Government security standards". If possible, and as a lesson for other organisations, I think it would be better to state what those standards are, as "government standards" is a bit nondescript.
  2. I think it is very interesting and telling to look at the description of the information which the statement says has been taken. Cybercriminals are professionals and they have people whose job it is to search breached companies for sensitive data. It seems from the description of the data that they have taken the most sensitive data, which could best be held to ransom.
  3. Reading between the lines, I think there may be more information to come out on who has been affected, and there might be more data loss to be discovered. For me the lesson here is that these investigations take time and you don't have all the answers within hours. Senior managers in incident management teams need to be aware of this fact, and they need to give their technical staff and investigators time to find out what has been lost.