Norwegian hydro-power and aluminum giant Norsk Hydro is winning plaudits for the way it responded to a massive ransomware attack that shut down the company’s IT network Tuesday and forced it to resort to manual operations at many of its plants.
Observers noted the speed and transparency of the company’s response — even when, early in the day, they had very little hard information about the scope or nature of the cyberattack.
But others cautioned that potential downside risks of the company’s openness had yet to fully play out and it was too soon to call it successful.
Within a few hours of the first infection, and before markets opened in Europe, the company posted an initial report online. The terse three sentence statement called the cyberattack “extensive,” said that IT networks in “most” of its business areas had been hit and that company was “switching to manual operations as far as possible.
“Hydro is working to contain and neutralize the attack, but does not yet know the full extent of the situation,” the statement concluded.
They updated a couple of hours later, with a Facebook posting — the company website, like the rest of its business IT systems, was down. The posting said the cyberattack had not impacted safety and that its smelting plants across the world were “running normally,” albeit in some cases without the aid of computer controlled systems.
Hydro also spun up a temporary website and — since the company used cloud based email services — were able to communicate both internally and externally using tablets, smart phones and other mobile devices that could be connected through cell service rather than through the company’s compromised network.
Finally, by 3pm local time, the company staged a press conference, live streamed on the web, during which Chief Financial Officer Eivind Kallevik and other executives took questions from reporters.
Kallevik didn’t try to sugar coat it. “Let me be clear: The situation for Hydro through this is quite severe,” he said. “The entire worldwide network is down, affecting our production as well as our office operations.”
Transparency draws plaudits
“[I] Gotta say Hydro’s public facing response has been incredibly good — open, quick, transparent with customers (and public & employees), senior [execs] on camera talking about issues. Wishing them a speedy recovery,” tweeted Kevin Beaumont, a cyber-expert with an extensive social media following.
Andrea Carcano, co-founder and chief product officer with Nozomi Networks, a firm that monitors computerized industrial control systems, or ICS, likewise called the company’s incident response “laudable,” according to energy trade publication POWER Magazine. “They made a live stream with a brief on the attack and they’re keeping all informed using their Facebook channel,” he said.
Beaumont pointed out Wednesday that, despite having slipped somewhat Tuesday, the company’s share price bounced back and ended the day down less than half of one precent. On Wednesday it continued to hold up pretty well — which he attributed to the company’s transparency.
“Note that despite being extremely open about the scale of the issues with public and media and putting execs in front of [live] streams talking about an ‘extreme’ situation, Norsk Hydro’s share price is fine,” he tweeted Wednesday. “Compare that to where companies have hidden and minimized things,” he continued.
Downside risks yet to play out?
But some other cyber experts were more cautious. Sergio Caltagirone, from ICS cybersecurity specialist company Dragos, Inc told HS Today that he applauded the company’s response. “Any industrial cybersecurity incident requires a company to prioritize three things: safety, operations, shareholders in that order. They seem to have prioritized correctly.”
But he added that company out so publicly so early — and before the details of the attack were known — the company exposed itself to “immense pressure as they’ll … be inundated with reporters, investors, regulators, partners, etc.”
“Further,” he added, “they’ll open themselves up to all of the ‘ambulance chasers’ of the cybersecurity industry who will be filling up their phones and emails with offers to help.”
He called the company’s approach “mature and measured,” adding it was “well worth modeling by others.”
But he cautioned there is “not yet a universal ‘playbook’” for cyber incident response, especially in the industrial sector and “we must be careful not to pass judgment too quickly as these things take time” to play out.
In a statement, the company said Wednesday it was working towards restarting its IT systems “in a safe and secure manner,” but still didn’t know how long it might take to recover or what the eventual price tag for the attack would be.