Nearly five months after a crippling cyber attack, the Scottish Government’s environment watchdog is still struggling to process thousands of pollution permits, planning applications and waste licences.
The Scottish Environment Protection Agency (Sepa) has not been able to receive air and water pollution returns from companies, handle reservoir and other registrations, or provide information on the past state of Scotland’s rivers.
The agency has admitted its systems have been “badly affected” and there “may be a risk” to the environment if it fails to quickly restore services. Sepa’s former boss labelled the attack “disastrous” and warned that Sepa’s reputation had been “dealt a serious blow”.
The extensive damage done to Sepa’s digital infrastructure is now under investigation by four different agencies, which are expected to produce initial reports in the next few weeks. It is also coming under scrutiny by the Scottish Government’s spending watchdog, Audit Scotland.
Sepa stressed that it had a “clear recovery strategy” and had been “vocal and transparent”. Staff had been “working flat-out” to restore systems and services “as quickly as possible”.
The attack against Sepa was launched at one minute past midnight on Christmas Eve 2020, reportedly by an international criminal gang known as Conti. It demanded a large ransom, amount unknown, to restore access to Sepa’s data.
Sepa refused to pay, its communications were wrecked and over 4,000 files stolen from its computers were published on the dark web. Coping with the attack up to April cost the agency £800,000, and it could take until 2023 to recover.
Sepa described the attack as “complex and sophisticated” and warned that it had “significantly impacted our organisation and infrastructure”. It is under live criminal investigation by the police.
“For the time being we’ve lost access to most of our systems,” said Sepa’s online service status, updated weekly. “Some systems and services may be badly affected for some time.”
Sepa is still unable to “receive, verify and determine applications” for many industry pollution permits and waste management activities. The agency is responsible for regulating over 5,000 industrial sites across the country to prevent them from polluting land, water and air.
Its ability to respond to numerous applications for developments across the country has been “severely compromised” leaving a “large backlog”, said Sepa’s guidance to planning authorities. Staff have lost their “planning casework system”.
“We are acutely aware that our inability to engage with planning authorities post cyber attack has stalled the progression of many planning applications,” the guidance stated. Since 31 March staff have been “triaging and prioritising work on the accumulated backlog of casework.”
Waste operators told The Ferret they have had to postpone site improvement plans, with some planning applications effectively “put on hold” by councils awaiting input from Sepa. The agency’s communication “breakdown” had been a “source of frustration”, but people were “muddling through”, according to industry sources.
Until 14 May Sepa’s service status report advised companies not to submit pollution data required by their environmental licences. It has had to set up new systems enabling data to be submitted by email.
This includes submissions to the Scottish Pollution Release Inventory, which has disappeared from Sepa’s website. The inventory is meant to provide detailed information on emissions to air and water of some 80 pollutants from more than a thousand sites, including big climate polluters.
Different waste management licences have been extended for six or nine months, while there have been delays in processing applications for waste imports and exports.
“We cannot currently provide historical river, groundwater or rainfall data,” said Sepa. “We are not currently able to receive, verify or process reservoir registrations.”
In a report to board members in February Sepa’s chief executive, Terry A’Hearn, highlighted the dangers of failing to rebuild services quickly and well. “There may be a risk of not protecting the Scottish environment, especially from key threats,” he said.
In an update in April A’Hearn disclosed that Sepa had to distribute 640 new laptops to staff and to rebuild its payroll system. It took five weeks to rebuild the agency’s flood warning decision-making system and there was an invoicing backlog.
|Problems caused by the cyber attack on Sepa|
|---|
|Unable to “receive, verify and determine applications” for industry pollution permits and waste management activities.|
|Ability to respond to planning applications “severely compromised” by a “large backlog”.|
|Been unable to receive regular returns from companies on the air and water pollution they cause.|
|Waste management exemptions extended for up to six months, and waste carrier licences for up to nine months.|
|Delays in processing applications for importing or exporting waste.|
|“We cannot currently provide historical river, groundwater or rainfall data.”|
|“We are not currently able to receive, verify or process reservoir registrations.”|
|“Unable to process applications for temporary cessation of charges for activities (e.g. agricultural irrigation or fish farms).”|
|“We are not currently able to receive or process any Scottish Landfill Communities Fund notifications from approved bodies or landfill operators.”|
|“We are limited in our ability to respond to access to information inquiries” because “our information and email systems remain impacted and offline”.|
|“Backlog of emails” on the container deposit return scheme.|
|“We are currently unable to access any documentation on our public register and unfortunately cannot provide any documentation regarding authorised sites or ongoing applications.”|
|“Other than pollution incidents, we have very limited capability to assess and respond to non-urgent enquiries.”|
|“Our ability to communicate with our supply chain partners is currently limited” and “payments may be delayed”.|
|“Don’t assume that any emails that you have sent to us since Christmas Eve (and in the period leading up to this) are currently being actioned.”|
Concerns that the environment could suffer as a result of the cyber attack have also been raised by a former Sepa chief executive, professor Campbell Gemmell. “This criminal attack on Sepa and the serious disruption to Sepa’s operational capability is little short of disastrous,” he told The Ferret.
“It’s hard not to worry that, despite years of improving Scotland’s environment, environmental damage will have gone unmonitored and some will have taken advantage of the loss of capability, focus and energy.”
He added: “The hard won and deserved reputation as a leading world-class environmental regulator and a transparently high quality environment has been dealt a serious blow by the attack and its damaging consequences. The criminals involved have a lot to answer for.”
Gemmell was chief executive of Sepa from 2003 to 2012, and has since been a consultant advising governments on coal gasification, air pollution and radioactive waste management. He is a visiting professor at the University of Strathclyde and an honorary professor at the University of Glasgow.
He warned of the “debilitating” impact on staff morale, and effects on the perceptions of the companies being regulated. “Sepa has put a lot of effort into profile of late,” he said.
“I hope that even more effort will go into restoring the basics of effective environmental permitting, quality and performance assessment and monitoring as well as speedy prevention of harm and policing and remedying failures. They matter now more than ever.”
The impacts and implications of the cyber attack are currently under investigation by Police Scotland, the National Cyber Security Centre, the Scottish Business Resilience Centre and business consultants, Azets.
The cyber attack will also be examined by the public spending regulator, Audit Scotland, as part of its annual audit. If that flags up issues, a formal investigation would be launched.
“We are continuing to closely monitor the impact of the recent cyber security attack on Sepa as they continue with recovery,” said an Audit Scotland spokesperson. “This will be considered as part of our 2020-21 annual audit of Sepa.”
Anonymous sources claiming to work for Sepa have told The Ferret that a “plethora” of data, computer code and software may never be recovered. This includes information on pollution in rivers going back more than 50 years, they say.
Sources also claimed that emergency backup systems had been damaged by the attack, and that the consequences were “grave”. The Ferret has not been able to independently verify these claims.
Ian Watt, a digital data specialist with the company, Data Enabled, in Aberdeen, warned of “reputational damage” to Sepa. “For too long data management, and data security in particular, have been seen as a cost to organisations,” he said.
“What we see from the Sepa case is that an organisation not having appropriate security measures in place, including staff training on how to manage devices, has a long-term detrimental effect on their ability to deliver services, and to operate at a basic level.”
Watt urged senior managers to ensure that organisations were “protected as much as they can be” against cyber attacks. “Any organisation suffering such an attack can no longer operate, deliver basic services to customers or even pay its staff,” he said.
Dr Richard Dixon, director of Friends of the Earth Scotland and a Sepa board member from 2011 to 2019, thought it was a “terrible situation” for staff. “Sepa continues to suffer from massive problems with computer systems and lost data,” he said.
“The various inquiries may turn up lessons that public bodies need to learn but for now I can only feel sympathy for teams and individuals doing their best to make sure the environment is protected.”
The Scottish Environment Protection Agency highlighted Police Scotland’s view that it had not been “poorly protected” against cyber attack. “Our assessment of that is that there were a lot of measures in place that you would expect to see from an organisation of that type,” deputy chief constable Malcolm Graham told an online cyber security event in February.
Sepa’s chief officer, Jo Green, said: “Working with Scottish Government, Police Scotland, the National Cyber Security Centre and the Scottish Business Resilience Centre, Sepa is working to a clear recovery strategy in response to a complex and sophisticated cyber-attack.
“Within the confines of a live criminal investigation, we’ve been vocal and transparent on the criminal attack, the theft and illegal publication of data, the impact on our services and progress towards our recovery.”
She confirmed that Sepa had refused to use taxpayers’ money to pay “organised criminals intent on disrupting public services and extorting public funds”. Since Christmas Eve staff had been “working flat-out” to restore systems and services “as quickly as possible,” she said.
According to Green, over 1,100 staff were now back online and “good progress” had been made in recovering environmental data. Information recovery specialists had been hired and Sepa was confident it would recover “the most important, broader data”.
She said that since the attack regulatory teams had been deployed 170 times, 1,650 pollution authorisations had been issued and 304 planning cases completed or progressed.
Green stressed that it was the criminal cyber attack against a public agency that was under investigation, not Sepa. “Sadly cyber-crime is an increasing challenge for Scotland’s businesses and public sector partners and service recovery takes time,” she added.
Sepa shared compliments paid to its handling of the cyber attack by the Scottish Business Resilience Centre, and professor Ciaran Martin, former chief executive of the National Cyber Security Centre. The Sepa staff trade union, Unison, said its members were “working round the clock” to restore essential public services.