Norsk Hydro, a global aluminium and renewable energy company based in Norway, has been hit by an extensive cyberattack.
IT systems in most business areas have been impacted and the company has switched to manual operations and procedures as far as possible.
In a statement, the company said its technical team, with external support, has succeeded in detecting the root cause of the problems and is working to validate the plan and process to restart the company’s IT systems in a safe and sound manner.
However, it is still not clear how long it might take to restore stable IT operations.
Industry experts have commented on the attack:
Chris Morales, Head of Security Analytics at Vectra
While the situation for Norsk Hydro is severe as the entire worldwide network is down, which means the attack was able to propagate internally very quickly, I do at least commend Norsk Hydro’s incident response process.
The important thing here is that breaches happen and for manufacturing and energy who are large adopters of industrial Internet of Things, ransomware has become an unfortunate problem that can easily knock a manufacturing or energy plant offline.
Norsk Hydro is not the first to suffer from a ransomware attack in the energy sector. Ideally it would be good to be able to detect and respond to attacks before they cause damage but many companies simply are not in that state of capability yet.
From a response process, it is good that Norsk Hydro executive management immediately, within 24 hours, reached out to the public and have been open about their current state. Norsk Hydro had a backup plan to keep operating using manual processes. It is also fortunate that Norsk Hydro has backups of all their data to recover to their original state once they can recover from this attack.
Granted, when they recover is the biggest factor here. With an attack this widespread impacting the entire global network, they could be down for days.
Tim Mackey, Senior Technical Evangelist at Synopsys
I sincerely hope that Norsk Hydro details the attack methods and nature of the cyberattack they are experiencing. That they are shutting down operations at some of their plants implies those plants had control system access from the Internet or from computers connected to the Internet.
Minimally, this attack provides a lesson in the value of both network segmentation and ensuring that threat models are created, assuming the threat comes from an internal source. With increasingly sophisticated attacks, organisations must assume attackers could compromise internal systems as easily as they might attempt to breach a firewall into a production system.
Piers Wilson, Head of Product Management at Huntsman Security
The attack on Norsk Hydro highlights the risks faced by all parts of national critical infrastructure and major industry – from energy to manufacturing. The attack could potentially affect resource production in Norway, Qatar and Brazil – meaning the attackers have been able to cause maximum disruption on a global scale for potentially relatively little effort. This is a stark reminder that it doesn’t matter what your line of business is, you are still reliant on IT systems and could still be on a hackers’ ‘hit list’.
We now live in an era where traditional defences – firewalls, anti-virus etc. – can’t provide full coverage when faced with determined or targeted attack: there is often no easy way to block every potential threat at the perimeter or in key IT server systems and trying to do so will just result in teams becoming overwhelmed by the sheer volume of potential attacks.
Businesses need to go beyond blocking attackers and augment this with intelligent and rapid detection, containment and mitigation. This means having first class, automated threat and security intelligence capabilities that can manage the deluge of potential problems with intelligent analytics – sorting real threats from the background noise of systems and network operation, and freeing up security analysts to deal with the issues as effectively and efficiently as possible.
Sam Curry, Chief Security Officer at Cybereason
NotPetya/WannaCry ransomware attacks drove an immediate awareness of a new class of attack and for a time reminded everyone that existing prevention tools don’t stop the riskiest of attacks. Unfortunately, it came at the expense of peace of mind and drove FUD (fear, uncertainty and doubt) in managers. With these latest developments, it is too early to surmise if the Hydro breach will result in material losses for the company and their customers.
Years ago, ransomware came on the scene in a world with no protection like a disease in an exposed population. Now we understand it, and the adversaries no longer use it for smash and grab campaigns but rather surgically and to cover their traces. They drop it in specific places to trigger processes, to re-image and clean an area that has vital forensic evidence about their activities. Stimulus and response of the IT department to do the hacker’s dirty work for them.
Most companies have contingencies and tools now that help with ransomware, and that makes it feel like an understood and contained risk. However, that’s for the most part a false sense of security because most of the lack of recent ransomware outbreaks is due to the attackers using it differently, not because defenders are stopping it better. In reality, ransomware attacks worldwide have been dramatically dropping for years. Attackers today are using ransomware more surgically. In the cybersecurity industry, companies built an immunisation plan ensuring that products had strong anti-ransomware options available. Some even discovered vaccines (Amit Serper, Head of Research, Cybereason, discovered a vaccine for NotPetya).
Tim Erlin, VP at Tripwire
Right now, there’s a lot of missing information on this attack. The things we don’t know outweigh the things we do know, and that generally means there will be a lot of speculation.
After the last couple of years, no one should doubt that a cyberattack can directly impact your business. This is another reminder to spend the time and money on preparation and prevention. If you are an executive at any business, ask yourself what your organisation would be doing right now if you were Hydro.
Ilan Barda, CEO, Radiflow
This incident is similar to the infamous NotPetya and WannaCry incidents, showing that cyberattacks in general, and ransomware in particular, can cause major business interruptions to manufacturing facilities. In this particular case, it appears it was an IT attack that expanded to the OT side; however, we expect that ransomware will be used to directly target OT assets.
This attack emphasises again that in order to protect your organisation against such attacks, it is vital to employ cybersecurity to the production floor, enabling operators to maintain visibility and control of their OT network.
Such a dedicated OT security solution that intelligently combines cyber-risk and business impact to optimise risk scoring can assist operators in quickly handling emerging threats before they impact the operations, as was done in the case of the cryptojacking malware that the Radiflow system detected at a waste-water facility last year.