SCOTLAND'S environmental regulator has suffered increased financial pressures 12 months on from a cyberattack which crippled its network, the public funds scrutineer has warned.
The Scottish Environment Protection Agency (Sepa) fell victim to a sophisticated ransomware attack on Christmas Eve 2020, with criminals demanding payment and the majority of the organisation’s data encrypted, stolen or deleted overnight.
Now Stephen Boyle, the Auditor General for Scotland, has said in an analysis of the attack that SEPA is still working to rebuild its computer systems. Bosses were still trying to calculate the cost of the cyberattack and accounting records have had to be recreated from bank statements, leaving auditors unable to fully examine its finances, including £42 million of contract income.
The public funds scrutineer said the full financial impact on SEPA was still unknown but that other public sector bodies should "learn lessons" from what happened to SEPA.
The auditor said that SEPA were unable to obtain sufficient audit evidence to substantiate £42m of income from contracts.
The auditor general said there are indications that SEPA was hit through a phishing attack which means "there may have been a degree of human error involved, which is very difficult to mitigate against".
"The sophisticated nature of the attack meant that online backups were targeted and corrupted at an early stage, meaning there was no way of accessing historical records quickly."
The Section 22 report, prepared when any specific concerns or issues have been raised in an audit, said that SEPA recognised that the cyber-attack had increased the medium to longer term financial pressures on the organisation.
Its financial strategy 2020-24 had already identified a potential black hole in future income and expenditure streams of up to £17.9 million as a worst-case scenario.
"Fully restoring its financial analysis capabilities is essential to SEPA being able to manage this variability and associated risks," said Mr Boyle.
Independent reviews identified opportunities for "enhancing staff awareness and training" over cyber risk.
The auditor general said the financial impact of the incident is not yet known and that SEPA will continue to experience the consequences of this attack for a while to come.
"Key systems have been rebuilt, such as SEPA's financial accounting system, with others being built from new and data recovered or recreated securely, and this will take time," he said.
"The independent reviews identified a number of recommendations which SEPA’s management has accepted. Public-sector bodies should review these recommendations and learn lessons from what has happened to SEPA. This incident highlights that no organisation can fully mitigate the risk of the ever-increasing threat and sophistication of a cyber-attack but it’s crucial that organisations are prepared."
Sepa is responsible for regulating over 5,000 industrial sites across the country to prevent them from polluting land, water and air. It maintains huge databases to monitor the state of Scotland’s environment, and keeps records of pollution breaches by companies.
The cyberattack led to more than 1GB of data being stolen, including personal information about staff and some related to businesses that they regulate and work with.
The agency said that international groups were likely to be behind the ransomware attack that locked its emails and contacts centre and led to more than 4000 digital files being stolen.
Information stolen included project information relating to their commercial work with international partners. Some information related to SEPA corporate plans, priorities and change programmes.
Police Scotland’s review concluded that SEPA "was not and is not a poorly protected organisation".
But another review said the Christmas Eve attack displayed "significant stealth and malicious sophistication".
It revealed Sepa's cyber incident response plan was inaccessible during the incident.
This was because the report - along with the watchdog's disaster recovery plan - was stored on the servers affected by the attack and there was no offline version or hard copy available, according to independent consultants Azets.
Azets also found staff initially responded to the attack at about one minute after midnight on 24 December but attempts to escalate the problem to other SEPA officials were not successful until about 8am.
Sepa rejected a ransom demand for the attack, which was claimed by the Conti ransomware group, and the stolen files were then released on the internet.
A Scottish Business Resilience Centre (SBRC) review found that throughout the autumn of 2020, before the attack, mandatory cyber training was provided and completed by around 95 per cent of staff.
SEPA plans to further roll out training and awareness across the organisation.
"This incident highlights how no organisation can fully defend itself against the threat of today's sophisticated cyber-attacks. But it’s crucial that organisations are as well-prepared as possible," said Mr Boyle.
"SEPA was in a solid starting position but it will continue to feel the consequences of this attack for a while to come. Everyone in the public sector can, and should, learn from their experience."
Jo Green, SEPA acting chief executive, said: “Whilst challenging and complex, SEPA’s recovery continues apace.
“Grant Thornton, in their external audit report to the Auditor General noted that SEPA undertook ‘a significant exercise’ to recreate accounting records in order to prepare financial statements for the financial year ended March 31, 2021 and given the catastrophic impact of the attack, they have commended management on their ability to reproduce accounting records and prepare draft financial statements by September 2021.”