Charlie lists the key points that you can learn from the SEPA cyber-attack that occurred last year. He discusses what is important and the questions to ask yourself to make sure you and your organisation are always prepared.
Keen readers of the bulletin will remember when I wrote a number of bulletins commenting on the SEPA response and communications following their hack on Christmas Eve last year. In the last couple of weeks, a number of reports on the learning points have been written and published on their website. I thought that I would also share a few of the learning points from the main report, “SEPA’s Response and Recovery From a Major Cyber-Attack”.
1. The organisation has been very transparent about the lessons they have learnt. In 2019, Norsk Hydro, in response to their hack, was very open and transparent with the media and stakeholders, and they are often used as an example of how to respond to a cyber incident.
2. “SEPA clarified that they would not use public finances to pay serious and organised criminals intent on disrupting public services and extorting public funds”. I think this is an excellent line to take in explaining why you won’t pay the ransom and in justifying why customers would not be getting the same level of service.
3. UNISON, SEPA’s recognised trade union, had a place on the Emergency Management Team, which is quite unusual, but could prove invaluable in making sure that the Team’s response to the incident took into account the staff and their needs.
4. “SBRC noted that senior managers had attended external cyber resilience training. Throughout the autumn of 2020, mandatory cyber training was also provided and completed by 1,252 staff with 70 remaining outstanding”. It is important to have this information available and to have carried out training for all staff members as well as senior managers.
5. SEPA’s business continuity plans were all unavailable because they were stored on IT systems that were affected by the hack. I think we need to go back to old-school printing of plans, with a copy at home, at work and even in the car.
6. It is recommended that organisations identify where external organisations have linked into their systems, and then make sure that there are plans for cutting or unlinking these connections at the earliest opportunity after a cyber incident. This is good practice.
7. SEPA identified its flood warning service and pollution hotline as the core services that had to be restored first, and prioritised their recovery accordingly. Information from the business impact analysis (BIA) can play a key part in deciding this order.
8. Review your backup strategies in light of the report’s finding: “SBRC noted that backups were taken in line with NCSC best practice in that there were three copies of the data, located at two separate locations, with one copy stored offline.” However, the design of the network meant that both sites were affected. This attack displayed significant stealth and malicious sophistication, with a second and deliberate attempt to compromise SEPA systems as the team endeavoured to recover and restore backups.
9. “Azets further noted that communications with stakeholders were transparent and concise. Stakeholders were regularly updated. Communications were specific to the needs of each type of stakeholder”. Have you identified your stakeholders for a cyber incident, and are you confident in your communications response?
10. It is important to look after your staff during all incidents, including a cyber one: “SBRC (after the incident) engaged with staff directly involved in the response. Those interviewed represented less than one percent of the organisation. Whilst 100% of interviewees responded that they felt respected in their workplace, and 80% of respondents felt that the organisation cared about them. The review identified a moderate to low morale position prior to the incident which increased during the incident, as everyone had a single focus and drive. However, this was decreased in the aftermath of the incident”.
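Point 8 is the one I would turn into a check rather than a sentiment. The report’s finding is that a backup set can satisfy the 3-2-1 rule on paper and still be lost, because the “offline” copy sits on a system that the same network and the same domain credentials can reach. The Python below is an added example of mine, not code from SEPA, SBRC or the report: it evaluates a backup inventory against the 3-2-1 rule and, separately, against the question the rule does not ask, namely whether at least one copy would survive an attacker who owns the production network. The site and system names, and the `reachable_from_production` attribute, are constructed for the illustration.

```python
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class BackupCopy:
    """One copy of the backup data set (constructed model, not a real inventory)."""
    name: str
    site: str                  # physical location of the copy
    offline: bool              # media disconnected / powered off between backup jobs
    # Hypothetical attribute: can the system holding this copy be reached, and its
    # contents erased or encrypted, by someone holding production domain credentials?
    reachable_from_production: bool


def evaluate_backup_strategy(copies: List[BackupCopy]) -> Dict[str, object]:
    """Check the 3-2-1 rule (3 copies, 2 sites, 1 offline) and, separately, whether
    any copy is both offline and unreachable from the production network."""
    sites = {c.site for c in copies}
    offline = [c for c in copies if c.offline]
    isolated = [c for c in offline if not c.reachable_from_production]
    findings: List[str] = []

    if len(copies) < 3:
        findings.append(f"only {len(copies)} copies; 3-2-1 needs at least 3")
    if len(sites) < 2:
        findings.append("all copies at one site; 3-2-1 needs at least 2 sites")
    if not offline:
        findings.append("no offline copy; 3-2-1 needs at least 1")
    # The SEPA-style failure: the rule is met, but the offline copy shares the
    # production trust boundary, so a domain-wide compromise takes it too.
    for c in offline:
        if c.reachable_from_production:
            findings.append(
                f"'{c.name}' is labelled offline but is reachable from the production "
                "network; an attacker with domain admin can destroy it")

    return {
        "meets_3_2_1": len(copies) >= 3 and len(sites) >= 2 and bool(offline),
        "survives_network_compromise": bool(isolated),
        "isolated_copies": [c.name for c in isolated],
        "findings": findings,
    }


# Constructed layout resembling the weakness the report describes: the third copy
# lives in a tape library whose management server is joined to the production domain.
SHARED_DOMAIN_LAYOUT = [
    BackupCopy("primary-san", "site-a", offline=False, reachable_from_production=True),
    BackupCopy("replica-san", "site-b", offline=False, reachable_from_production=True),
    BackupCopy("tape-library", "site-b", offline=True, reachable_from_production=True),
]

# Corrected layout: tapes are rotated out of the library into a third-party vault
# with no network path or shared credentials from the production environment.
ISOLATED_LAYOUT = [
    BackupCopy("primary-san", "site-a", offline=False, reachable_from_production=True),
    BackupCopy("replica-san", "site-b", offline=False, reachable_from_production=True),
    BackupCopy("vaulted-tapes", "offsite-vault", offline=True, reachable_from_production=False),
]


if __name__ == "__main__":
    for label, layout in (("shared domain", SHARED_DOMAIN_LAYOUT), ("isolated", ISOLATED_LAYOUT)):
        result = evaluate_backup_strategy(layout)
        print(f"{label}: 3-2-1={result['meets_3_2_1']}, "
              f"survives compromise={result['survives_network_compromise']}")
        for finding in result["findings"]:
            print("  -", finding)
```

The first layout passes 3-2-1 and fails the isolation check, which is the shape of the finding in the report; the second passes both. The useful exercise is to fill the inventory in honestly for your own estate, in particular the `reachable_from_production` column, and then to test it as the report recommends, by attempting a restore from the isolated copy alone.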
I will leave you with a quote from the report to inspire you to make sure you are prepared.
“Police Scotland recommended that SEPA and the wider public sector organisations within Scotland should review Cyber Incident Response Plans, ransomware and data loss playbooks and, as an exercise priority, test them against an enterprise-level ransomware and data theft attack”.