‘No one is safe” is unnerving to hear, of course. But for Terry A’Hearn, the chief executive of the Scottish Environment Protection Agency (SEPA), he is describing a plain, albeit disturbing, truth. 

The rise of cybercrime through the pandemic has taken a huge toll on organisations around the world, A’Hearn’s included, and emphasises the pressing need of business leaders to treat the threat of online harms with urgency.

On Christmas Eve last year, the public body’s systems and data were crippled by a ransomware attack which is likely to have been perpetrated by serious and organised criminals outside the UK. The damage done was both instantaneous and devastating.

As the virus propagated laterally across the network, the hackers worked mercilessly to close off and steal some of that data, and used it as leverage to force SEPA to pay. Taking a firm moral stand, A’Hearn refused to countenance parting with public funds to fuel a growing trend of ‘big game hunting’ orchestrated from the dark corners of the web. 

The brave decision SEPA took during a fast-moving crisis – supported by Police Scotland, the Scottish Business Resilience Centre (SBRC) and the National Cyber Security Centre (NCSC) – inevitably had repercussions. Even now, there are parts of the network that continue to be inaccessible, but the organisation is confident the vast majority of the data, developed assiduously over the years by a dedicated workforce of 1,200, is being recovered.

As A’Hearn is keen to point out, with the challenge of responding to the incident – which placed enormous strain on the collective wellbeing of the organisation – there have also come opportunities. As trite as it sounds, SEPA really does have a chance to ‘build back better’ as it designs new digital systems that are not only superior in security terms but provide a better service for its consumers. 

Today, A’Hearn will address business leaders from across Scotland’s private, public and third sectors. The Cybercrime: Ready, Resilient & Responsive webinar – organised by Futurescot – coincides with the release of a detailed audit report commissioned by A’Hearn to comprehend the full extent of the attack, his organisation’s response to it, and the lessons that can be learned in its aftermath. Those lessons, he hopes, will not only be valuable for SEPA, but many others who will join the online event.

“This is a global scourge and has had huge impacts on people and organisations all around the world, so anything we can do to help others protect themselves from this, both individually and collectively, I think we need to do that,” A’Hearn says. “Yes, we know that’s difficult for us, and it brings challenges – because people will ask questions – but you don’t make the world a better place by doing the wrong thing, by burying your head in the sand.”

The audit process was overseen by Azets – an international business advisory service – and involved contributions from Police Scotland and the Scottish Business Resilience Centre. As well as describing the attack on SEPA, some of which has been redacted to protect the identity of key staff and the integrity of its systems, the report offers learnings for the public sector as well as 44 recommendations for SEPA, which the organisation has accepted in full.

The organisation – with the online security measures it had at its disposal – was considered by police to be one that was “well protected”. SBRC determined SEPA’s cyber maturity assessment as high and that sophisticated defence and detection mechanisms were implemented and operating correctly prior to the incident.

Police Scotland found that SEPA had a strong culture of resilience, governance, incident, and emergency management. It regularly tested its emergency response capability and had undertaken a trial cyber exercise. Communications with stakeholders were transparent and concise, the report found, with Police Scotland noting that the communications cell between SEPA and Police Scotland was one of the most successful aspects of the response. Stakeholders were regularly updated. Communications were specific to the needs of each type of stakeholder.

At a technical level, the 44 recommendations include a new network configuration, password management protocols, improved multi-factor authentication, firewalls, threat detection, enhanced emergency management and incident management procedures, and staff training. The report noted that IT backups were taken in line with NCSC best practice in that there were three copies of the data, located at two separate locations, with one copy stored offline, but pointed out that the organisation could have a greater level of “maturity” for its backup procedures.

A’Hearn hopes some of the recommendations – which are on course to be delivered by the end of 2022 – will help benefit other cybercrime victims.

“The reassuring thing for me as chief executive is I’ve commissioned multiple reviews, and nobody found any fundamental weakness in what SEPA was doing,” says A’Hearn. “If an organisation like ours, which had lots of good things in place can be hit, it shows everybody is vulnerable. And, of course, experience around the world shows that, even with huge organisations with way more capacity and resource than SEPA, nobody’s safe and everybody needs to be vigilant.”

But he adds: “This doesn’t mean you should be afraid, either. So don’t back off from the benefits of being digital and using IT, because it will deliver great services for your organisation as it will continue to do for us as we recover.”

Globally, organisations impacted by cybercrime include the likes of Apple, the Irish Health Service, LinkedIn, Colonial Pipeline, CitiBank and Sony, as the review notes. These household names make the headlines, but most victims tend to be small or medium-sized corporates, whose data continues to be released daily via ‘leak sites’ on the dark web. 

Insofar as ransomware is concerned, hackers behind the malicious code work in vastly complex, sometimes co-ordinated ways, maintaining a cloak of anonymity afforded by underground networks. In SEPA’s case, the report points to the attack as displaying “significant stealth and malicious sophistication with a secondary and deliberate attempt to compromise systems”.

The report pinpoints the group suspected for the SEPA attack, although its name is redacted, as are some other sections, owing to the ongoing multi-agency investigation. As for who actively harbours – or simply fails to police – these kinds of groups, there is no direct attribution, but in providing some international context, the review goes as far as it can. Referencing the meeting of US president Joe Biden and Russian president Vladimir Putin in Geneva in June, it says: “Officials reported that top of the agenda was international cyber-crime, with President Biden being clear that attacks on critical infrastructure should be ‘off-limits’.”

Whatever happens geopolitically, it is reassuring to know that SEPA’s experience, the concrete action plan now in place following it, and the collaborative response, provide a working template for other Scottish organisations to follow should the dark web come calling.

 ‘We had lost connection, we hadn’t lost our drive to issue flood alerts’

VINCENT FITZSIMONS, Head of Hydrology at SEPA:

‘We knew from the Met Office there were parts of North-West Scotland that faced being battered by a month’s rainfall in just a few hours over Boxing Day. Communities, public services and businesses in Scotland are on the front line of climate change and we know they rely on the alerts and warnings that SEPA provides. 

So, the morning of Christmas Eve, when we learned of the attack, our purpose was no different. Not responding was not an option.

Whilst in those first hours we had lost all digital connection with our national hydrometric network – and advanced predictive modelling – what we hadn’t lost was the expert knowledge of our people. 

Nor had we lost their teamwork or their drive to work round-the-clock and outside in all weathers to do as much as they could to keep Scotland safe from flooding. Not once did the staff fail in their task of issuing warnings and alerts.

But, there is more to fighting the scourge of flooding than a warning service. 

SEPA helps communities and businesses avoid the risk of flooding, we help protect those already at risk, and we provide warnings if flooding is imminent so that action can be taken to minimise the damage and save lives. 

In those first hours of that first day, and ever since, brilliant people went above and beyond across ‘avoid’, ‘protect’ and ‘warn’ and in every area we’ve made systematic improvements so that as we move into 2022, we do so stronger, more resilient and more focused as a team on the important role we all play in delivering this vital public service for Scotland.’

 ‘A guide to a safer digital future for all’

JUDE MCCORRY, chief executive, Scottish Business Resilience Centre:

The ransomware attack on SEPA is a stark reminder for all organisations in Scotland of just how widespread and damaging cybercrime has become. All criminals are by nature opportunistic, and a global pandemic has provided a rich hunting ground for hackers looking to exploit vulnerable victims for cash. 

However, through the experience of SEPA, and the rigorous audit process that has now been completed, I believe we have the foundations for a better, more collaborative way of working to protect our national digital infrastructure. At the Scottish Business Resilience Centre, we are proud to have played a part in helping SEPA not only respond to a critical IT incident, alongside Police Scotland, but also offering clear technical guidance to help it build back better. Whilst organisations will sadly continue to fall prey to online crime, the actions stemming from this review will act as a guide for a safer digital future for us all.


Published in association with The Scottish Environment Protection Agency