Norsk Hydro switches plants to manual after cyber-attack

3 min read

Norsk Hydro has switched plants to manual operations and procedures following a cyber-attack on its worldwide network.


Norsk Hydro
IT systems down at Norsk Hydro

First detected on servers in the aluminium and energy producer’s global IT system late Monday evening, the ransomware attack has been described as ‘quite severe’ but hasn’t led to any safety-related incidents.

"I'm pleased to see that we are making progress, and I'm impressed to see how colleagues worldwide are working around the clock with dedication to resolve this demanding situation and ensure safe and sound operations," said Hydro's CFO Eivind Kallevik.

The company announced today, March 20, 2019, that is has detected the root cause of the problem and is currently working to validate the plan and process to restart the company's IT systems, although it can’t put a timescale on resuming normal operations or estimate the exact operational and financial impact of the attack.

Reporting on its global operations, Norsk Hydro said that its power plants were running normally, along with bauxite and alumina facilities in Brazil. Primary metal and remelter operations are reported as running normally with a higher degree of manual operations, but disruption has been experienced with extruded solutions and rolled products.

“Progress has been made, with the expectation to restart certain systems during Wednesday, which would allow for continued deliveries to customers,” the company said on Facebook.

Adam Vincent, CEO of US cyber-security company ThreatConnect, said events at Norsk should serve as a warning to UK manufacturers, nearly half of which were hit by a cybersecurity incident in 2018.

“Digital transformation is increasingly visible on the factory floor, and IP-connected robots are increasingly replacing manned and manual workflows,” he said. “That means that the average facility now has countless more potential access points for cyber attacks – and a successful breach can halt production in its tracks for many hours, causing serious financial and reputational damage.

“Nevertheless, across the manufacturing sector, awareness of the cybersecurity challenge and the implementation of appropriate preventive measures are highly varied. Manufacturers need to ensure that their cybersecurity capabilities are not just an afterthought.”

Commenting on preventative measures to mitigate cyber-attacks, Vincent said that there should be an increase in intelligence-sharing between businesses to collectively combat the common cyber-enemy.

“It’s essential that potential targets understand as much as they can about the threats they face. The more you know, the better you’ll be able to respond to a new threat,” he said. “With comprehensive information-sharing and process automation in place, manufacturers can rest assured that their valuable IP and production lines are still well defended.”

What is ransomware and how does it happen?

Ransomware is malware that, upon infection, prevents access to certain elements of your systems until a ransom is paid to the attackers. There are many different strains of ransomware, which variously encrypt data and system files, through a range of possible attack vectors.

What actually happens?

Regardless of what the ransomware attacks, the methods are broadly the same: attackers exploit a security vulnerability or backdoor in order to infiltrate the victim’s systems silently and encrypt critical systems and data. Attackers then demand payment (often in an untraceable cryptocurrency, such as Bitcoins) within a specified time frame. If the victim fails to pay in time, or attempts to remove the malware manually, attackers destroy the unique decryption key, and any compromised data and systems will be permanently irretrievable.

Who is being targeted, and why?

The short answer is everyone – individuals and organisations alike.

Cybercrime is big business, and ransomware is popular for a reason: it’s a low-investment, high-yield form of attack, with little technical barrier to entry. Malicious groups and individuals can now purchase ransomware capabilities as discrete tools with full GUIs on places like the Dark Web, or even as a managed service from criminal providers. This increased accessibility has significantly broadened the variety of potential attackers in recent years, and as such it’s hard to generalise around the motivations of individuals. Whether it’s lone actors operating from a bedroom, a politically-motivated hacktivist, or an international criminal organisation with salaried employees, everyone is a target to someone.

Larger organisations with valuable datasets and a public reputation to protect obviously represent high-value targets, and often attract the most sophisticated attacks as a result.

Why are these attacks so successful?

Whoever the target is, the rise of cryptocurrencies has increased the degree of anonymity afforded to criminals taking ransom payments. Cyber criminals balance risk and reward.  Taking payments as cryptocurrency means the reward has stayed constant, whilst the risk of being caught has dropped significantly.

How to recover

If you are hit with a ransomware attack you essentially have two options. You can either recover the information from a previous backup or pay the ransom. However, even if you pay the ransom, there is no guarantee that you will actually get your data back, so the only way to stay fully protected is to have historic copies of your data.

When recovering from ransomware, your two aims are to minimise the amount of data loss and to minimise the amount of IT downtime. Although outright prevention of ransomware is impossible, there are simple yet essential steps organisations can take to reduce the risk and impact of attacks.

Recommendations for recovery

It is vital that the Incident Response Team or Crisis Management Team has the authority to be able to make large scale, operational decisions to take systems offline to limit the spread of infection. You must then find when the ransomware installation occurred in order to be able to restore clean data from before the infection. Once the most recent clean data is identified you can begin a typical recovery, restoring data and testing before bringing systems back online again.

SOURCE: Databarracks