Seòmar agus comataidhean

Determination of Committee priorities for Session 6: submission from SEPA

Submission from SEPA for the evidence session on 28 September 2021

Dear Convener

The Cyber Attack

The criminal cyber-attack SEPA experienced on Christmas Eve 2020 was serious and complex.  It significantly impacted our contact centre, internal systems, staff, processes and communications. Following the attack, SEPA immediately enacted its business continuity arrangements and took immediate action to limit the impact of the cyber-attack, notifying relevant authorities, including the Scottish Government, Police Scotland, the National Cyber Security Centre and the Information Commissioner's Office with whom we continue to work.

Since then, SEPA has voluntarily commissioned a series of independent audits into the attack so that we and others can learn the lessons. We have taken the view that, as a public agency, we should be open and share lessons. Accordingly, on 27th October SEPA, alongside partners Scottish Business Resilience Centre, Police Scotland and the Scottish Government, will deliver a webinar hosted by FutureScot to share as much of the audits as possible and our organisational response. The information will be made widely available. This will provide the wider information about the attack and its impacts that the committee is seeking.

Despite the impacts of the cyber attack, SEPA has remained very clearly focused on ensuring that we continue to deliver our core regulation and flooding services for the people of Scotland while at the same time determinedly staying on track with the transformational changes to the organisation we are making to deliver our One Planet Prosperity strategy. For example, we are currently fast track building a completely new IT system (within two years rather than the planned four) that will enable us to implement new ways of working and transform how we deliver many of our services.

Pollution events

The ability to report pollution incidents to SEPA was restored very quickly following the cyber-attack and has remained in place 24/7 since. SEPA continues to receive, assess and respond appropriately to all reports of pollution, prioritising those incidents with the greatest potential for harm.

In the immediate period after the cyber-attack, pollution reports were handled manually (eg relaying reports by phone) as internal systems were unavailable.

Due to the manual nature of the systems put in place to maintain SEPA's ability to assess and respond to incidents, we are currently unable to provide an accurate figure for the number of incidents reported to us since the cyber-attack. In addition, as a result of the cyber-attack, SEPA has also lost access to historic data on events which means that it is currently not possible to compare pre and post cyber-attack data. We are, however, able to confirm that from 1st January to 31st June, SEPA regulatory teams were deployed around 900 times to investigate pollution events across Scotland. This figure does not include routine field deployments for other purposes, such as site-based compliance work. It is also important to note that in addition to incident response, SEPA also places a strong focus on preventative work. This includes, for example, a focus on the regulation of high hazard activities and on those sites which could adversely impact communities through nuisance. This preventative focus has been maintained both during Covid and following the cyber-attack through a combination of remote checks as well as field and site-based activity.

As SEPA continues to recover from the cyber-attack we will continue to ensure that arrangements are in place to receive, assess and respond to pollution reports and take strong regulatory action where necessary.

I hope that this, alongside the further information that SEPA will be publishing on 27th October, provides the committee with further evidence of SEPA’s ongoing response to the cyber-attack. Best wishes

Jo Green (Acting CEO)