The Yin and Yang of a Cyber Incident Response – The SEPA Cyber Incident: A Case Study

Jan 29, 2021

This week Charlie looks at SEPA’s response to their recent cyber attack.

On Christmas Eve, the Scottish Environment Protection Agency was hacked and many of their systems were taken offline, including their emails, and they are yet to recover them. They have also said that they lost 1.2 GB of data “this is equivalent to a small fraction of the contents of an average laptop hard drive”, parts of which have been made publicly available by the cyber-criminal group behind Conti ransomware. Over the last four weeks, I have been publishing a running commentary on their response here. I thought this week I would share a bulletin on what they did well (Yang) and what they didn’t do so well (Yin).

The Yang

  1. While SEPA’s response was not exactly a John Smeaton “This is Glasgow. We’ll just set aboot ye.” moment, SEPA have done the whole of the Scottish Government sector a favour by not paying the ransom. Ransomware gangs have had quite a lot of success with attacks on local government in the USA, where a number of ransoms have been paid for quick restoration of their systems. Attacks on English local authorities, such as Hackney, I believe have not been paid, but the consequence of this is that three months later they still do not have all their systems back online. My view was that SEPA were never going to pay a ransom, regardless of the impact of the cyber incident. It would be the Scottish Government who would ultimately decide on whether a ransom would be paid, and it would be better for them to be seen as the victim of a cyber-attack and have their environment agency hobbling, than for the Scottish Government to be severely criticised in the press for giving in to ransom demands. I suspect they are keeping their fingers crossed that there is no pollution incident or event which could be tied back to parts of SEPA not operating. So hopefully SEPA has sent a message to those who carry out ransomware attacks that Scotland will not pay, and as ransomware extortion is a business, those carrying it out should move on to other sectors or geographies which are more likely to pay.
  2. It has taken four to five weeks for SEPA to get their communications and messages sorted out. If you look on their website, there are now two sections on the attack which are very clearly signposted from the front of the website. There are details of the attack and what happened, and a nice section on the status of the different parts of their business which have been affected by the hack. They have even said when they will provide the next update. The text is well written and does not contradict itself, as it did in earlier versions.
  3. An interview with the Chief Executive, Terry A’Hearn, has been posted at the top of the SEPA Twitter feed. His main message is that public money won’t be used to pay criminals. I think this is an excellent line and will resonate with the public.
  4. The response has now gone multimedia with a video on the site, and this has also been posted on Twitter. Social media has been used to promote the good work SEPA does and to try and portray that it is business as usual.
  5. The list of priorities has now been written, which is guiding their response and has replaced the nonsensical ones from their earlier communications. SEPA’s priorities are:
    a. Protecting Scotland’s environment.
    b. Providing priority services to individuals and businesses across Scotland.

The Yin

Why has it taken five weeks for SEPA to come out with a set of reasonably well written communications, which they should have put out within 24 hours of the incident happening? The communication throughout the whole incident has been poor, which has left the organisation looking incompetent, unprepared and uncoordinated. Even with the improvements in communication, there are still a number of issues.

  1. Why have two sets of communications prominent on the website with overlaps? There is the banner “Cyber Attack – what is affected and how to contact us” which gives information on what has happened and contact details. There is then the new “Cyber-Attack: Service Status” section, which repeats much of the same information. At the end of the two pages, there are two different sections on how to contact the organisation. Why? Providing contradictory information in an incident is poor incident management, and within the same website, plays into a narrative of poor communications. The service update is probably what people want to know and they could have posted an accessible link to further information if people want to know more details on what happened.
  2. There is also the stand-alone document signposted from the website, “Approach to the delivery of services”, which elaborates on some of the information on the other two pages. Having so many different narratives at the same time increases the chance of contradictory and out-of-date information.
  3. The Service Status page has a table of what has been affected, what the organisation can do now, what you should do and when there will be an update. Very good, but why post it as a graphic? Why not write it as text or a table within the website? Poor graphics or cutting and pasting onto websites just looks bad.
  4. The line by the Chief Executive that “public money will not be used to pay criminals” is a powerful one. Why then is this not mentioned in the organisation’s communications? This points to a lack of coordination in their response. Coordination of a single message going out from an organisation is a key concept of crisis communications.
  5. Throughout all SEPA’s communication they have been very reluctant to share information and be open and honest about their plight and the effect of the attack. Information has been given, but only when prompted by external events, such as The Times article and other articles on the data release. A key bit of information is that they have lost data and part of it has been released for public view. This has been well reported in the press. Their response and admission of it are buried in the middle of a whole load of other text. SEPA have said that they don’t know exactly what data has gone, but they have provided no advice on what to do if an individual or organisation thinks their data might have been compromised. On the whole, all communications have been reactive rather than proactive.
  6. There has been no apology or contriteness from the organisation. Yes, they are a victim, but they have still lost data in their possession, which could have a large effect on those whose data it is or who are named within it. They have also lost their ability to provide the service they normally do. Tone, in crisis communications, is very important and I believe they have not got this quite right.

As I have said in previous bulletins, it is very easy for bloggers to carp at and criticise from the sidelines an organisation which is in the middle of dealing with a major incident. Some of my criticisms are a matter of judgement and only time will tell whether they are valid or not. On the other hand, many of the issues I have highlighted are only problems with good practice, and so I would have expected organisations like SEPA to be prepared for them. Many of the issues I have with their response are crisis communications and crisis management basics and should be known by organisations like SEPA who have a prominent role in managing incidents. Those of you who have yet to prepare your organisation for managing an incident and put in place the basics, now is the time to do so.

If your organisation is not yet ready to respond effectively to a cyber incident, we can help by carrying out a Cyber Incident Gap Analysis and you could attend our 2 day NCSC Certified Managing & Preparing for Cyber Incidents Course. Get in touch with the BC Training Team for more information.
