Norsk Hydro, a multinational manufacturer headquartered in Norway and one of the world’s largest aluminum producers, reported last week that it was hit by ransomware that affected its production and IT systems.
The LockerGoga ransomware infected multiple systems across the organization and impacted operations across multiple areas. As this is a relatively new incident, there are still many unknowns regarding the actual impact on the aluminum producer, the adversaries’ motivations, and what exactly occurred in the company’s networks.
Based on the information published so far, including by Norsk Hydro itself, it’s clear that the company’s production environments were affected by the attack – causing several of its factories to halt production or switch to manual operations.
This is yet another proof point that manufacturers can no longer isolate their operational technology (OT) networks from cyber-attacks. In 2017, during the WannaCry and NotPetya ransomware campaigns, many manufacturers worldwide reported that their production networks were hit, leading to hundreds of millions of dollars in damage. Victims included pharmaceutical manufacturer Merck, automotive manufacturers Nissan and Renault, food manufacturer Mondelez, and many others.
During 2018, we witnessed more infections when iPhone chip manufacturer TSMC reported that a WannaCry variant caused operational downtime at multiple sites, leading to an estimated $250 million in damage. Even though these industrial companies were not the main targets of this malware, they became victims because of their dependency on IT systems and on unpatched Windows machines. This type of collateral damage can affect any connected device, regardless of whether it is an IT, OT or other type of device.
Adversaries leverage IT/OT connectivity to affect industrial control systems (ICS). If an adversary can identify an attack vector into a connected device, that device can easily become the target of generic tools such as ransomware.
Industrial organizations cannot base their OT security strategies on a “hopefully no attack will occur” attitude or think their organization is not attractive enough to be the target of such attacks.
Based on the information known so far, it may seem that the Norsk Hydro case is another example of a generic attack like WannaCry and NotPetya, which caused collateral damage to industrial organizations. However, the technical details of the methods used by the attackers in this case, especially the propagation methods, may indicate otherwise. The attackers used existing methods and tools, like the newly discovered industrial ransomware LockerGoga, but modified and tailored them for the specific target, Norsk Hydro. It is still too early for a final conclusion, which will become clearer as more information emerges.
With the growing threat landscape affecting these highly sensitive OT systems, what can manufacturers do to protect themselves from future cases?
Reduce the Attack Surface
As the Norsk Hydro incident shows, industrial organizations can no longer rely on segmentation or isolation between IT and OT as a security strategy. Even though Norsk Hydro claims some of its production systems were isolated from IT and therefore safe, this approach has not proven effective at protecting the entire OT infrastructure.
Manufacturers must gain visibility into their internal OT networks and maintain an up-to-date, automatically generated asset inventory and architecture maps. The inventory needs to record each device, its operating system, patch level, known vulnerabilities, and more. In addition, mapping the devices and their communications will reveal traffic flows, architectural flaws, rogue connections to the internet, and connections between IT and OT networks.
By maintaining a continuous, real-time asset inventory with extensive visibility into the network connections, manufacturers can identify security gaps and prioritize the actions they take to reduce their overall exposure and, therefore, the likelihood of an attack occurring. Visibility is a key enabler of security policy enforcement and measurement of the effectiveness of current security capabilities in place.
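One way to act on the inventory and traffic mapping described above, as an added example that is not from the article or from SCADAfence: a small Python check that joins a constructed asset inventory (zone, OS, patch status) with constructed flow records and flags IT/OT cross-zone traffic and OT hosts talking to the internet. All addresses, zone labels and patch states are assumptions made for the example.

```python
# Added example: flag risky IT/OT connections from an asset inventory
# and network flow records. Inventory and flows are constructed data.
from ipaddress import ip_address, ip_network

# Constructed inventory: host -> zone, OS, whether critical patches are missing
INVENTORY = {
    "10.1.0.5":  {"zone": "IT", "os": "Windows 10",   "unpatched": False},
    "10.1.0.9":  {"zone": "IT", "os": "Windows 7",    "unpatched": True},
    "10.2.0.11": {"zone": "OT", "os": "Windows XP",   "unpatched": True},  # HMI
    "10.2.0.20": {"zone": "OT", "os": "PLC firmware", "unpatched": False},
}
# RFC 1918 ranges: anything outside them is treated as the internet
PRIVATE = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed flow records: (source, destination, destination port)
FLOWS = [
    ("10.1.0.9",  "10.2.0.11",    445),   # IT -> OT over SMB: cross-zone
    ("10.2.0.11", "203.0.113.10", 443),   # OT -> internet: rogue connection
    ("10.2.0.20", "10.2.0.11",    502),   # OT -> OT Modbus: expected
    ("10.1.0.5",  "10.1.0.9",     3389),  # IT -> IT RDP: not an OT concern here
]


def zone_of(ip, inventory=INVENTORY):
    """Zone from the inventory; unknown private hosts are INTERNAL, others INTERNET."""
    if ip in inventory:
        return inventory[ip]["zone"]
    return "INTERNAL" if any(ip_address(ip) in n for n in PRIVATE) else "INTERNET"


def assess_flows(flows=FLOWS, inventory=INVENTORY):
    """Return (src, dst, port, reason) for each flow that crosses the IT/OT
    boundary or connects an OT host to the internet."""
    findings = []
    for src, dst, port in flows:
        sz, dz = zone_of(src, inventory), zone_of(dst, inventory)
        if "OT" in (sz, dz) and "INTERNET" in (sz, dz):
            findings.append((src, dst, port, "OT host talks to the internet"))
        elif {sz, dz} == {"IT", "OT"}:
            reason = "IT/OT cross-zone traffic"
            ot_host = dst if dz == "OT" else src
            if inventory[ot_host]["unpatched"]:
                reason += " to unpatched OT host (%s)" % inventory[ot_host]["os"]
            findings.append((src, dst, port, reason))
    return findings


if __name__ == "__main__":
    for src, dst, port, reason in assess_flows():
        print("%s -> %s:%d  %s" % (src, dst, port, reason))
```

Feeding the same logic real inventory and flow exports turns the visibility the text calls for into a prioritized list of segmentation gaps to close first.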
Prepare for the Worst
When it comes to security strategy or individual tools, there is no silver bullet for protecting the OT environment, and companies need to prepare to respond to worst-case scenarios. As Norsk Hydro showed, proper backup capabilities allow companies to respond effectively to such incidents and restore normal operations. By backing up critical files and configurations, the aluminum producer was able to minimize the damage and restore operations, even if this was done manually at first. Backup and restore capabilities and procedures cannot prevent an attack from happening, but they can accelerate the recovery of infected systems.
Analyze the Threat and Contain It
Once an initial indication of a breach or an indicator of compromise is detected, companies must have capabilities in place to analyze their risk and contain the threat. Investigative capabilities must be implemented in advance, allowing real-time incident response and root-cause analysis. This information is critical to pinpoint the source of the incident and to analyze potential propagation paths. Once the defenders understand what is attacking them and what the attackers can do in their environment, they can implement the proper measures to contain the threat as fully and as quickly as possible and limit the impact of the attack, keeping their operations running and their employees safe.
In summary, cyber-attacks that hit OT networks can cause significant damage to manufacturers’ revenue and public reputation, and can even endanger their employees. Industrial companies must build the proper OT security strategy and procedures, train their personnel, and put in place the proper tools that will allow them to reduce the probability of infection and minimize the effect of such attacks.
Yoni Shohet is Co-Founder and VP Business Development at SCADAfence, which helps industrial organizations to secure their digital transformation journey.