Update 29th January 2021

The Yin and Yang of a SEPA’s Cyber Incident Response 

On Christmas Eve, the Scottish Environment Protection Agency was hacked and many of their systems were taken offline, including their emails, and they are yet to recover them. They have also said that they lost 1.2 GB of data “this is equivalent to a small fraction of the contents of an average laptop hard drive”, parts of which have been made publicly available by the cyber-criminal group behind Conti ransomware. Over the last four weeks, I have been publishing a running commentary on their response here. I thought this week I would share a bulletin on what they did well (Yang) and what they didn’t do so well (Yin).

The Yang

1. While SEPA’s response was not exactly a John Smeaton “This is Glasgow. We’ll just set aboot ye.” moment, SEPA has done the whole of the Scottish Government sector a favour by not paying the ransom. Ransomware gangs have had quite a lot of success with attacks on local government in the USA, where a number of ransoms have been paid for the quick restoration of their systems. Attacks on English local authorities, such as Hackney, I believe have not been paid, but the consequence of this is that three months later they still do not have all their systems back online. My view was that SEPA was never going to pay a ransom, regardless of the impact of the cyber incident. It would be the Scottish Government who would ultimately decide on whether a ransom would be paid, and it would be better for them to been seen as the victim of a cyber-attack and have their environment agency hobbled than  to be severely criticised in the press for giving in to a ransom demand. I suspect they are keeping their fingers crossed that there is no pollution incident or event which could be tied back to parts of SEPA not operating. So hopefully SEPA has sent a message to those who carry out ransomware attacks, that Scotland will not pay, and as ransomware extortion is a business, those carrying it out should move on to other sectors or geographies which give a better return.
2. It has taken four to five weeks for SEPA to get their communications and messages sorted out. If you look on their website, there are now two sections on the attack which are very clearly signposted from the front of the website. There are details of the attack and what happened and a nice section on the status of the different parts of their business which have been affected by the hack. They have even said when they will provide the next update. The text is well written and does not contradict itself, as it did in earlier versions.
3. An interview with the Chief Executive Terry A’Hearn, has been posted at the top of the SEPA Twitter feed. His main message is that public money won’t be used to pay criminals. I think this is an excellent line and will resonate with the public.
4. The response has now gone multimedia with a video on the site and this has also been posted on Twitter. Social media has been used to promote the good work SEPA does and to try a portray it is business as usual.
5. The list of priorities has now been written, which is guiding their response and has replaced the nonsensical ones from their earlier communications. SEPA’s priorities are, Protecting Scotland’s environment and providing priority services to individuals and businesses across Scotland.

The Yin

1. Why has it taken five weeks for SEPA to come out with a set of reasonably well-written communications, which they should have put out within 24 hours of the incident happening? The communication throughout the whole incident has been poor, which has left the organisation looking incompetent, unprepared and uncoordinated. Even with the improvements in communication, there are still a number of issues.
2. Why have two sets of communications prominent on the website with overlaps? There is the banner “Cyber Attack – what is affected and how to contact us” which gives information on what has happened and contact details. There is then the new “Cyber-Attack: Service Status” section, which repeats much of the same information. At the end of the two pages, there are two different sections on how to contact the organisation. Why? Providing contradictory information in an incident is poor incident management, and within the same website, plays into a narrative of poor communications. The service update is probably what people want to know and they could have posted an accessible link to further information if people want to know more details on what happened.
3. There is also the stand-alone document signposted from the website “Approach to the delivery of services”, which elaborates on some of the information on the other two pages. Having so many different narratives at the same time increases the chance of contradictorily and out-of-date information.
4. The Service Status page has a table of what has been affected, what the organisation can do now, what you should do and when there will be an update. Very good, but why post it as a graphic, why not write it as text or a table within the website? Poor graphics or cut and pasting onto websites just looks bad.
5. The line by the Chief Executive that “public money will not be used to pay criminals” is a powerful one. Why then, is this not mentioned in the organisation communications, this is pointing to a lack of coordination in their response. Coordination of a single message going out from an organisation is a key concept of crisis communications.
6. Throughout all SEPA’s communications, they have been very reluctant to share information and be open and honest about their plight and the effect of the attack. Information has been given, but only when prompted by external events, such as The Times article and other articles on the data release. A key bit of information is that they have lost data and part of it has been released for public view. This has been well reported in the press. Their response and admitting to it is buried in the middle of a whole load of other text. SEPA have said that they don’t know exactly what data has gone but they have provided no advice on what to do if an individual or organisation thinks their data might have been compromised. On the whole, all communications have been reactive rather than proactive.
7. There has been no apology or contriteness from the organisation. Yes, they are a victim, but they have still lost data in their possession, which could have a large effect on those whose data it is or who are named within it. They have also lost their ability to provide the service they normally do. Tone, in crisis communications, is very important and I believe they have not got this quite right.

As I have said in previous bulletins, it is very easy for bloggers to carp and criticise from the side-lines, an organisation who is in the middle of dealing with a major incident. Some of my criticisms are a matter of judgement and only time will tell whether they are valid or not. On the other hand, many of the issues I have highlighted are only problems with good practice and so I would have expected organisations like to SEPA to be prepared for them. Many of the issues I have with their response are crisis communications and crisis management basics and should be known by organisations like SEPA who have a prominent role in managing incidents. Those of you who have yet to prepare your organisation for managing an incident and put in place the basics now is the time to do so.

If your organisation is not yet ready to respond effectively to a cyber incident, we can help by carrying out a Cyber Incident Gap Analysis and you could attend our 2 day NCSC Certified Managing & Preparing for Cyber Incidents Course.

For more information click here

Update 19th January 2021

I noticed in a ZDNet article that they are alleging that SEPA’s data has been leaked by the cybercriminal group behind Conti ransomware.  They say that data stolen from the Scottish government agency has been published online. I note to date SEPA has not commented on this article.

The article can be read here 

Update 14th January 2021

The following are screenshots of the information which was posted on the SEPA website a day after The Times Articles was published. A coincidence I ask myself?

I have written under each section of the text some comments on their communications and text:

On the whole, I think the organisation has been fairly open and honest on the effect of the incident on its ability to deliver its services and given us some details of what happened. There communications have been not too bad. For me, the major issue is that the text keeps contradicting itself on the possible length of the incident. Is it going to be short term or much longer, both are in the text? Give contradictory information in the same article is poor crisis communications. Most likely they don’t know how long systems will be down if this is the case be honest and say you don’t know and then keep regularly communicating an update.

Comments on the above text:

1. When SEPA say “For the time being, we need to protect the criminal investigation and its systems.” are they being strictly honest? Are they locked out of their systems and so it is taking them a while to recover and rebuild them from backup or are they as they claim not bringing them back due to preserving the forensic evidence. For me, I would rather have my systems back at the expense of the forensics. I think we should watch this one see which way this goes, but it seems to me, looking at their response to date, they only give a public explanation when forced to. One of the lessons for the response by Norsk Hydro in their cyberattack was that they were very open and honest in their communications right from the beginning of the incident.
2. I do think it is good that they have been clear what systems are not effected.
3. I also think they have been open in giving us their incident priorities although I think they on the right lines they could be written slightly better. 

Comments on the above text:

1. I think this line rather contradicts my earlier point 1. as they say “It is now clear is that with infected systems isolated, recovery may take a significant period” which contradicts the “short time” mentioned in the previous paragraph. I suspect the significant period is realistic.
2. I think for the public it is important to know that some data submitted after the incident has been lost. Perhaps, more information earlier could have reduced this.
3. We have now another contradiction that “Some of our internal systems and external data products will therefore remain offline in the short term”. Then we have another contradiction ion the next line “access to be unavailable for a protracted period”. In managing crisis’s you want to avoid putting out conflicting information, especially in the same statement, it smacks of incompetence, if you don’t know how long it will take to recover, say you don’t know and be honest.

Comments on the above text:

1. I think it is always a good idea to state the standard your organisation has in place to try and prevent a cyber statement. The statement says “despite systems being certified to UK Government security standards” if possible and a lesson for other organisations I think it would be better to state what those standards are as “government standards” for me is a bit non-descript.
2. I think it is very interesting and telling looking at the description of the information which the statement says has been taken. Cybercriminals are professionals and they have people whose job it to search breached companies for sensitive data, It seems from the description of the data that they have taken the most sensitive data and which could be best held to ransom.
3. I think that reading between the lines that there may be more information to come out on who has been effected and there might be more data look to be discovered. I think for me the lesson here is that these investigations take time and you don’t have all the answers within hours. Senior managers in incident management teams need to be aware of this fact and they need to give their technical staff and investigators time to find out what has been lost.

Comments on the above text:

1. For me, this is the best part of the statement in that the organisation is committed to its ongoing operations and is risk assessment what it needs to priorities under the circumstances.
2. It would be good practice to say when the site might be updated even if it is to say that there is no update.

Comments on the above text:

1. Lots of good information here plus I notice they have put on links to cyber advice as well.

Update 13th January 2021

Charlie was quoted in an article in The Times which can be found here

Update 10th January 2020

Some updated thoughts:

1. The situation is obviously serious as they still have not got back full access to their data and systems
2. I have written a blog on the Hackney Council ransomware attack which happened in October and they are still back to full functionality so I suspect SEPA will be down for a while yet.
3. I have tweeted to SEPA several times to see if my data has been compromised but have had no answers, just reply saying they will look into it. 
4. They have now got a form on their website for externals to send them messages which looks better than using direct messages on Twitter.
5. On Tuesday, 5th January 2021, Terry A’Hearn, Chief Executive put his name to a statement which didnt tell us much more than was on the website before. There is no applogy but perhaps they feel that there is nothing to appologies for. There is also no mention of whether any data has been compromised which, to me ,if they havent stated implicity that there is no data loss, they either dont know or those whoes data has been lost have been approached descretely and asked not to publicise the facts.
6. There has been very little new coverage of the event, with the escolation of COVID throughout the UK and the events in the USA, they are good events “to bury bad news”. Doing an internet search, I did notice one article echoing similar sentiments to myself at https://theferret.scot/green-watchdog-communications-cyber-attack/

It is easy from the outside to review and dissect other organisations responding to a cyber incident. We at PlanB Consulting carried out an internal exercise on a data breach last week and with the tables turned, I learned some of the difficulties of dealing with this type of incident. For me, SEPA has done most things right so far, but I think things will get more difficult as they try and continue to provide service without their systems. 

Update 27th Secember 2020

This blog post below was written on the 27 December 2020 – Four days after the incident.

What happened

At 0001 on Christmas Eve, SEPA suffered a cyber-attack which impacted their contact centre, internal systems, processes and internal communications. The incident didn’t affect their website which is still up and operating and their ability to put out flood warnings.

No	Item	Marks available	SEPA response	Marks out of 10
Business impact
	Impact on business / operational model and long term ability to retain and grow customers, to retain its reputation or to continue to provide its services	15	SEPA is a regulator and being a government organisation there is no alternative to using its services. As this incident has happened over the holiday period its interactions with its customers will be limited and so the impact on the organisations will be minor. If the incident goes on longer the impact may be larger as they may have lost access to their systems and data which will limit their ability to continue to provide services. I suspect they are hoping that there is not a pollution incident, major flooding, or another incident they have to respond to when they are trying to recover from this incident.	12
	Standing of the organisation before the cyber incident and loyalty of customers	5	SEPA has a reasonable reputation prior to this incident and it is not known for being an accident-prone organisation.	4
Response
	Public and media sentiment on how well the incident has been managed	10	As the incident takes place during a holiday to date there has been no adverse comment on the incident.	10
	The time between discovering the hack and informing those effected	10	The hack was discovered at 0001 on the 24th December Christmas Eve. The first Tweet saying they were experiencing technical issues went out at 0313 which showed a very quick reaction (figure 3).At 1232 there was a tweet confirming that the incident was a cyber incident which again I think is a reasonable time to take to declare that an incident has taken place.It was not clear from the SEPA website what time the conformation post was put on the website, but it was posted on the same day 24th of December and probably a similar time to twitter.For me, it must have been a very obvious cyber-attack and that their systems were down, to allow the organisation to respond so quickly and admit to the incident. As the organisation has a monitoring, flood forecasting and warning services and emergency response role to a pollution incident they perhaps had no choice to report it. As they would have been heavily criticised if an event occurred and the public were unable to report it before they had admitted to the cyber incident.	8
Communications
	Appropriate media strategy and tone used to frame communications	10	There is an initial media statement on the organisation’s website (figure 1). The tone was very factual and to the point. It gave clear information on what from the organisation has been effected and how the organisation can be contacted. It was very reassuring and said that the work of the organisation was not effected by the hack.There was a banner on the front of the website and a side panel (figure 4) so they followed good practice in making it entirely obvious that they had had a cyber incidentThe only bit of poor communications practice is that the press releases on their website have no date and time of when they were posted (unless I missed it) and there was no time for when the next update would take place.In their statement on the incident, SEPA has followed the tried and tested communications playbook of portraying themselves as a victim of “complex and sophisticated criminality” so portraying itself as a victim and that they are working with “Scottish Government, Police Scotland and the National Cyber Security Centre”. This was very similar to the tone and language used by Hackney Council in responding to their cyber incident in November which that are still not yet recovered from.	7
	Appropriate information on the incident being provided to those who need it.	10	There is information on how to contact the organisation by saying you can contact them through a direct message on Twitter and Facebook. It has also given a number to call to report pollution incidents. This appears to be a new number just for this incident and is different from the 0800 normal pollution reporting hotline. They have continued to provide a normal service on their Twitter and Facebook pages warning on the possible flooding due to Storm Bella (see figure 2).	8
	Use of the website to provide information to those effected	10	If the incident is a ransomware attack, which the Scottish Daily Mail seems to think so, according to their ‘sources’ and if it is targeted ransomware, then usually the last act of the hackers is to encrypt the organisation’s data. Before they carry out the encryption, they would have harvested from the organisation’s system all the data they will have wanted so they can use this as another means to blackmail the organisation. As part of this ‘double extortion’[1], the hackers will threaten to release sensitive data unless an additional ransom is paid. The timing of the cyber incident on Christmas Eve when most staff would have left to go on holiday may be coincidental but to me has echoes of the Travelex hack which took place during the New Year last year.There is no mention in media statements if or if not the organisation’s data has been compromised. At this stage, they may not know if their data has been compromised. Not mentioning any data loss in their statement to me seems that they are unsure of whether this has happened or not. I don’t blame them for not mentioning this, but I wonder if there will be further revelations over the next days and weeks where they have to admit that personal and sensitive data may have been compromised.	7
	Providing support to victims and where they can go for help. Timeliness of this help is provided.	10	There are no victims to date and the public are still able to report incidents to the organisation.	10
	Visibility of senior managers / CEO	10	David Pirie, Executive Director rather than the Chief Executive signed of the press statement on the website. David Pirie could have been the duty Director or be responsible for emergency planning and so this may be in line with their emergency plans. Should the incident escalate then good communications practice says that over the next few days there should be some visibility in terms of incident management from Terry A’Hearn the Chief Executive.	9
	Using social media channels to signpost to fuller information on the hack	10	There has been good information on Facebook and Twitter to inform the public about the cyber incident and have signposted them to the website and to the pollution reporting number.	10
ConclusionAt present, there has been very little information given on this cyber incident and it appears from the public-facing part of the organisation business as normal. As the organisation was very quickly able to admit to a cyber incident I suspect that most of their internal systems are locked out by a ransomware attack and the attack impact is very obvious. If this is a targeted attack then they will either have to pay the ransom, which I suspect will be politically unacceptable, or they will be effected for days and weeks as they restore and rebuild their systems. I hope I am wrong, but for the organisation, this holiday period is the calm before the storm and once people come back to work and need their services then the incident will have a larger impact on their ability to operate, provide their services and impact their reputation.
Total	85

---

[1] https://planbconsulting.co.uk/blog/ransomware-attack-who-ya-gonna-call-mike

Past organisations scores

No	Date	Organisation	Score
	Sept 2020	New Zealand Stock exchange	65
	May 2020	EasyJet	58

Figure 1 Initial statement on 24th December 2020 taken from the SEPA website

Figure 2 Public information continues

Figure 3 First Tweet showing that they had technical issues

Figure 4 Banner and side panel on the SEPA website