Company forced to resort to Facebook for updates
A ransomware attack has crippled IT systems at Norsk Hydro, the world’s third-largest aluminium supplier. The incident has forced the Norwegian company, which employs some 35,000 staff globally, to halt production at several plants and resort to Facebook to keep customers updated.
There is “no indication” of impact on primary plants outside Norway, Norsk Hydro said, and the company has managed to keep the majority of production going by switching to manual processes. Norwegian security officials say the attack involved the LockerGoga ransomware.
In a stock market statement the company said: “Hydro became victim of an extensive cyber-attack in the early hours of Tuesday (CET), impacting operations in several of the company’s business areas.”
“IT-systems in most business areas are impacted and Hydro is switching to manual operations as far as possible. Hydro is working to contain and neutralize the attack, but does not yet know the full extent of the situation.”
Hydro is currently under cyber-attack. Updates regarding the situation will be posted on Facebook: https://t.co/2S94rp3qll
— Norsk Hydro (@NorskHydroASA) March 19, 2019
In manufacturing, 86 percent of cyber attacks are targeted rather than opportunistic, according to a report by F-Secure earlier this year, which suggests Norsk Hydro was singled out rather than caught by a random infection.
Security experts with an Operational Technology (OT) focus have long warned that industrial enterprises are typically dangerously insecure: legacy devices and protocols proliferate, “undiscovered” devices sit on networks (sometimes brought in by contractors), and stretched security teams struggle to coordinate security patches from a multitude of different OEMs.
Norsk Hydro said meanwhile that energy production (the company is also a major power producer) is running as normal, as is bauxite and alumina production.
Primary metal production is running as normal with a “higher degree of manual operations”, as are remelters, it said.
Extruded Solutions and Rolled Products are unable to connect to production systems “causing production challenges and temporary stoppage at several plants.”
“Hydro is working to contain and neutralize the attack but does not yet know the full extent of the situation,” it said, adding: “It is too early to indicate the operational and financial impact, as well as timing to resolve the situation.”
Critically, it may never know how the breach first occurred.
As a report [pdf] by industrial cybersecurity specialist Dragos noted early this year: “In 2017, Dragos reported the original infection vector to ICS [Industrial Control System] attacks remained unknown; in 2018, this is still the case.”
“One primary challenge for IR [incident response] on industrial networks is performing root cause analysis (RCA), partially because a common vector into the ICS network is through the associated business or IT networks.”
“An external adversary may not have knowledge about the network topology and must discover or create an access method to the ICS segments. Finding this pivot point can take time, so the adversary may exist in the IT network for several weeks or months prior to pivoting into the OT network.”
The company added: “RCA in these instances requires larger data retention and resources for investigation. RCA faces several additional challenges, as network traffic logging in ICS networks is generally not verbose, and visibility to lateral movement can be insufficient. Unfortunately, internal politics and team organization can also delay investigative efforts.”
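The pivot Dragos describes, from a foothold in the business network into the ICS segments after weeks of quiet dwell, is exactly what flow records at the IT/OT boundary can surface, provided they are retained long enough to show when the source host first appeared. The following is an added example, not code from the article, from Hydro or from Dragos. It scans constructed netflow-style records (not real Hydro data), treats the IT and OT subnets as fixed (10.10.0.0/16 and 192.168.50.0/24, both assumed), skips an assumed allow-list of expected cross-boundary flows such as a historian polling a PLC, and reports each new IT-to-OT connection together with how long the source host had been visible in the logs beforehand.

```python
"""Flag first-seen IT-to-OT connections in flow logs (added example, hypothetical data)."""
import ipaddress
from datetime import datetime, timezone

# Hypothetical segment definitions; a real deployment would load these from the asset inventory.
IT_NETS = [ipaddress.ip_network("10.10.0.0/16")]
OT_NETS = [ipaddress.ip_network("192.168.50.0/24")]

# Hypothetical allow-list of the few IT->OT flows that are expected to exist,
# e.g. a historian polling a PLC over S7comm (TCP/102). Anything else crossing
# the boundary is a candidate pivot and worth a closer look.
BASELINE = {("10.10.1.5", "192.168.50.10", 102)}

# Constructed flow records (not real data): "<timestamp> <src> <dst> <dst_port> <proto>"
SAMPLE_LOG = """\
2019-03-18T02:14:11Z 10.10.1.5 192.168.50.10 102 tcp
2019-03-18T02:15:02Z 10.10.1.5 192.168.50.10 102 tcp
2019-03-18T03:40:17Z 10.10.7.23 10.10.7.24 445 tcp
2019-03-18T23:58:40Z 10.10.7.23 192.168.50.10 445 tcp
2019-03-19T00:03:09Z 10.10.7.23 192.168.50.11 3389 tcp
2019-03-19T00:05:50Z 10.10.1.5 192.168.50.10 102 tcp
"""


def in_nets(ip, nets):
    """True if ip falls inside any of the given networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in nets)


def parse_flow(line):
    """Parse one flow record; return None for lines that do not match the assumed format."""
    parts = line.split()
    if len(parts) != 5:
        return None
    ts, src, dst, port, proto = parts
    try:
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        return {"ts": when, "src": src, "dst": dst, "port": int(port), "proto": proto}
    except ValueError:
        return None


def find_pivots(log_text, baseline=BASELINE):
    """Return one alert per new (src, dst, port) crossing from IT into OT.

    dwell_seconds is the gap between the first time the source host appears
    anywhere in the log and its first contact with the OT segment: a rough
    measure of how far back retention must reach to reconstruct the intrusion.
    """
    first_seen = {}   # host -> first timestamp at which it appears in the log
    alerts = {}       # (src, dst, port) -> alert; keyed so repeated flows do not re-alert
    for line in log_text.splitlines():
        flow = parse_flow(line)
        if flow is None:
            continue
        for host in (flow["src"], flow["dst"]):
            first_seen.setdefault(host, flow["ts"])
        key = (flow["src"], flow["dst"], flow["port"])
        if key in alerts or key in baseline:
            continue
        if in_nets(flow["src"], IT_NETS) and in_nets(flow["dst"], OT_NETS):
            dwell = (flow["ts"] - first_seen[flow["src"]]).total_seconds()
            alerts[key] = {
                "src": flow["src"],
                "dst": flow["dst"],
                "port": flow["port"],
                "proto": flow["proto"],
                "pivot_at": flow["ts"].isoformat(),
                "dwell_seconds": int(dwell),
            }
    return list(alerts.values())


if __name__ == "__main__":
    for alert in find_pivots(SAMPLE_LOG):
        print(alert)
```

On the constructed records the historian's polling is ignored, the SMB connection between two IT hosts is ignored, and the two flows from 10.10.7.23 into the OT segment (SMB, then RDP) are reported with a dwell of roughly twenty hours. That dwell figure is the practical link to the Dragos point about retention: if the boundary logs are rotated faster than the longest dwell you expect, root cause analysis loses the first hop before anyone looks for it.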
Pete Banham, cyber resilience expert at Mimecast said in an emailed statement: “Attackers are increasingly more sophisticated, so defence-only strategies are often doomed to fail. Organisations and governments must look to proactively analyse their business critical infrastructure for weaknesses and identify gaps for improvement.”
“It is about adopting a cyber resiliency mindset that looks at new methods of prevention and a recovery plan that will help restore the business back to operation in the event of a successful attack.”