NEARLY five months after a crippling cyber attack, the Scottish Government’s environment watchdog is still struggling to process thousands of pollution permits, planning applications and waste licences.
The Scottish Environment Protection Agency (Sepa) has not been able to receive air and water pollution returns from companies, handle reservoir and other registrations or provide information on the past state of Scotland’s rivers.
The agency has admitted its systems have been “badly affected” and there “may be a risk” to the environment if it fails to quickly restore services.
Sepa’s former boss labelled the attack “disastrous” and warned that Sepa’s reputation had been “dealt a serious blow”.
The extensive damage done to Sepa’s digital infrastructure is now under investigation by four different agencies, which are expected to produce initial reports in the next few weeks. It is also coming under scrutiny by the Scottish Government’s spending watchdog, Audit Scotland.
Sepa stressed that it had a “clear recovery strategy” and had been “vocal and transparent”. Staff had been “working flat-out” to restore systems and services “as quickly as possible”.
The attack against Sepa was launched at one minute past midnight on Christmas Eve 2020, reportedly by an international criminal gang known as Conti. It demanded a large ransom, amount unknown, to restore access to Sepa’s data.
Sepa refused to pay, its communications were wrecked and more than 4000 files stolen from its computers were published on the dark web. Coping with the attack up to April cost the agency £800,000 – and it could take until 2023 to recover.
Sepa described the attack as “complex and sophisticated” and warned that it had “significantly impacted our organisation and infrastructure”. The incident is under live criminal investigation by the police.
“For the time being we’ve lost access to most of our systems,” said Sepa’s online service status, updated weekly. “Some systems and services may be badly affected for some time.”
Sepa is still unable to “receive, verify and determine applications” for many industry pollution permits and waste management activities.
The agency is responsible for regulating more than 5000 industrial sites across the country to prevent them from polluting land, water and air.
Its ability to respond to numerous applications for developments across the country has been “severely compromised” leaving a “large backlog”, said Sepa’s guidance to planning authorities. Staff have lost their “planning casework system”.
“We are acutely aware that our inability to engage with planning authorities post cyber attack has stalled the progression of many planning applications,” the guidance stated. Since March 31, staff have been “triaging and prioritising work on the accumulated backlog of casework”.
READ MORE: Iran accused of plot to meddle in the Scottish Parliament election
Waste operators told The Ferret they have had to postpone site improvement plans, with some planning applications effectively “put on hold” by councils awaiting input from Sepa. The agency’s communication “breakdown” had been a “source of frustration”, but people were “muddling through”, according to industry sources.
Until May 14 Sepa’s service status report advised companies not to submit pollution data required by their environmental licences. It has had to set up new systems enabling data to be submitted by email.
This includes submissions to the Scottish Pollution Release Inventory, which has disappeared from Sepa’s website. The inventory is meant to provide detailed information on emissions to air and water of some 80 pollutants from more than a thousand sites, including big climate polluters.
Different waste management licences have been extended for six or nine months, while there have been delays in processing applications for waste imports and exports.
“We cannot currently provide historical river, groundwater or rainfall data,” said Sepa. “We are not currently able to receive, verify or process reservoir registrations.”
In a report to board members in February Sepa’s chief executive, Terry A’Hearn, highlighted the dangers of failing to rebuild services quickly and well. “There may be a risk of not protecting the Scottish environment, especially from key threats,” he said.
In an update in April A’Hearn disclosed that Sepa had to distribute 640 new laptops to staff and to rebuild its payroll system. It took five weeks to rebuild the agency’s flood warning decision-making system and there was an invoicing backlog.
CONCERNS that the environment could suffer as a result of the cyber attack have also been raised by a former Sepa chief executive, professor Campbell Gemmell.
“This criminal attack on Sepa and the serious disruption to Sepa’s operational capability is little short of disastrous,” he told The Ferret.
“It’s hard not to worry that, despite years of improving Scotland’s environment, environmental damage will have gone unmonitored and some will have taken advantage of the loss of capability, focus and energy.”
He said: “The hard-won and deserved reputation as a leading world-class environmental regulator and a transparently high-quality environment has been dealt a serious blow by the attack and its damaging consequences. The criminals involved have a lot to answer for.”
Gemmel was chief executive of Sepa from 2003 to 2012, and has since been a consultant advising governments on coal gasification, air pollution and radioactive waste management. He is a visiting professor at the University of Strathclyde and an honorary professor at the University of Glasgow.
He warned of the “debilitating” impact on staff morale, and effects on the perceptions of the companies being regulated. “Sepa has put a lot of effort into profile of late,” he said.
“I hope that even more effort will go into restoring the basics of effective environmental permitting, quality and performance assessment and monitoring as well as speedy prevention of harm and policing and remedying failures. They matter now more than ever.”
The impacts and implications of the cyber attack are currently under investigation by Police Scotland, the National Cyber Security Centre, the Scottish Business Resilience Centre and business consultants Azets.
The cyber attack will also be examined by the public spending regulator, Audit Scotland, as part of its annual audit. If that flags up issues, a formal investigation would be launched.
“We are continuing to closely monitor the impact of the recent cyber security attack on Sepa as they continue with recovery,” said an Audit Scotland spokesperson. “This will be considered as part of our 2020-21 annual audit of Sepa.”
ANONYMOUS sources claiming to work for Sepa have told The Ferret that a “plethora” of data, computer code and software may never be recovered. This includes information on pollution in rivers going back more than 50 years, they say.
Sources also claimed that emergency backup systems had been damaged by the attack, and that the consequences were “grave”. The Ferret has not been able to independently verify these claims.
Ian Watt, a digital data specialist with the company Data Enabled, in Aberdeen, warned of “reputational damage” to Sepa.
“For too long data management, and data security in particular, have been seen as a cost to organisations,” he said. “What we see from the Sepa case is that an organisation not having appropriate security measures in place, including staff training on how to manage devices, has a long-term detrimental effect on their ability to deliver services and to operate at a basic level.”
Watt urged senior managers to ensure that organisations were “protected as much as they can be” against cyber attacks. “Any organisation suffering such an attack can no longer operate, deliver basic services to customers or even pay its staff,” he said.
Dr Richard Dixon, director of Friends of the Earth Scotland and a Sepa board from 2011 to 2019, thought it was a “terrible situation” for staff. “Sepa continues to suffer from massive problems with computer systems and lost data,” he said.
“The various inquiries may turn up lessons that public bodies need to learn but for now I can only feel sympathy for teams and individuals doing their best to make sure the environment is protected.”
Sepa highlighted Police Scotland’s view that it had not been “poorly protected” against cyber attacks. “Our assessment of that is that there were a lot of measures in place that you would expect to see from an organisation of that type,” deputy chief constable Malcolm Graham told an online cyber security event in February.
SEPA’S chief officer Jo Green said: “Working with the Scottish Government, Police Scotland, the National Cyber Security Centre and the Scottish Business Resilience Centre, Sepa is working to a clear recovery strategy in response to a complex and sophisticated cyber attack.
“Within the confines of a live criminal investigation, we’ve been vocal and transparent on the criminal attack, the theft and illegal publication of data, the impact on our services and progress towards our recovery.”
She confirmed that Sepa had refused to use taxpayers’ money to pay “organised criminals intent on disrupting public services and extorting public funds”. Since Christmas Eve staff had been “working flat-out” to restore systems and services “as quickly as possible,” she said.
According to Green, more than 1100 staff were now back online and “good progress” had been made in recovering environmental data. Information recovery specialists had been hired and Sepa was confident it would recover “the most important, broader data”.
She said that since the attack regulatory teams had been deployed 170 times, 1650 pollution authorisations had been issued and 304 planning cases had been completed or progressed.
Green stressed that it was the criminal cyber attack against a public agency that was under investigation, not Sepa.
“Sadly cyber-crime is an increasing challenge for Scotland’s businesses and public sector partners and service recovery takes time,” she added.
Sepa shared compliments paid to its handling of the cyber attack by the Scottish Business Resilience Centre and professor Ciaran Martin, former chief executive of the National Cyber Security Centre. The Sepa staff trade union, Unison, said its members were “working round the clock” to restore essential public services.
Why are you making commenting on The National only available to subscribers?
We know there are thousands of National readers who want to debate, argue and go back and forth in the comments section of our stories. We’ve got the most informed readers in Scotland, asking each other the big questions about the future of our country.
Unfortunately, though, these important debates are being spoiled by a vocal minority of trolls who aren’t really interested in the issues, try to derail the conversations, register under fake names, and post vile abuse.
So that’s why we’ve decided to make the ability to comment only available to our paying subscribers. That way, all the trolls who post abuse on our website will have to pay if they want to join the debate – and risk a permanent ban from the account that they subscribe with.
The conversation will go back to what it should be about – people who care passionately about the issues, but disagree constructively on what we should do about them. Let’s get that debate started!
Callum Baird, Editor of The National
Comments: Our rules
We want our comments to be a lively and valuable part of our community - a place where readers can debate and engage with the most important local issues. The ability to comment on our stories is a privilege, not a right, however, and that privilege may be withdrawn if it is abused or misused.
Please report any comments that break our rules.
Read the rules here