Computer systems at the Scottish Government’s green watchdog have been crippled for two weeks by a “complex and sophisticated” cyber attack.
The Scottish Environment Protection Agency (Sepa) says that internal and external communications have been “significantly impacted”. Its email system has been down, and “internal systems” and “processes” have been affected.
Sepa is responsible for regulating over 5,000 industrial sites across the country to prevent them from polluting land, water and air. It maintains huge databases to monitor the state of Scotland’s environment, and keeps records of pollution breaches by companies.
Sepa says that its “core” services are “adapting and continuing to operate”. Campaigners are urging the agency to ensure that polluters stay regulated, and communities protected.
The cyber attack was launched at one minute past midnight on Christmas Eve, and has persisted since then. It involved “complex and sophisticated criminality”, according to Sepa’s chief executive, Terry A’Hearn.
In a statement on 5 January 2021, he said: “We moved quickly to enact our business continuity arrangements and our core regulatory, monitoring, flood forecasting and warning services are adapting and continuing to operate.”
Sepa is working with the Scottish Government, Police Scotland and the National Cyber Security Centre to address the attack, he said. “The attack remains ongoing and communication into and across the organisation remains significantly impacted,” A’Hearn added.
“For the time being, we need to protect a criminal investigation and our systems. Some of our internal systems and external data products will therefore remain offline in the short term.”
Sepa was “working hard on analysing the impact before moving to eradicate, remediate and recover,” he said. “Our priorities are focused on incident response, supporting our staff, our priority services and the important work we continue to do.”
Police Scotland confirmed that an investigation was under way. “We are working closely with Sepa and our partners at Scottish Government and the wider UK law enforcement community to investigate and provide support in response to this incident,” said Detective Inspector Michael McCullagh, from Police Scotland’s cybercrime investigations unit.
“Enquiries remain at an early stage and continue to progress including deployment of specialist cybercrime resources to support this response. It would be inappropriate to provide more specific detail of investigations at this time.”
The Scottish Government has been helping Sepa deal with the attack. “We are liaising closely with Sepa and consider that all those who value its important work should condemn this criminal action,” a spokesperson told The Ferret.
The Scottish Greens urged ministers to ensure that Sepa had all the resources it needed. “This continuing cyber attack presents a number of serious questions for Sepa both in terms of its cyber security capabilities and its ability to regulate polluters,” said the party’s environment spokesperson, Mark Ruskell MSP.
Friends of the Earth Scotland warned that cyber attacks were likely to increase. “A top priority must be to ensure polluters stay properly regulated and communities fully protected despite the difficulties in communicating and accessing systems,” said the environmental group’s director, Dr Richard Dixon.
“When the dust settles there will need to be a thorough investigation to see what lessons Sepa and other public agencies can learn from this incident.”
Local groups concerned about fish farming and industrial pollution also stressed the importance of Sepa continuing to monitor and act on pollution.
One Sepa insider suggested that staff were worried about the security of personal data and environmental records. “The national environmental regulator has been and continues to be totally hamstrung,” claimed an anonymous email to The Ferret.
“Someone has Sepa by the balls. Very little regulation of the environment and industry, if any, until this gets sorted out.”
Cover image thanks to iStock.