Cyber Safety: How to Prepare for Ransomware Attacks

March 29, 2019
Norsk Hydro recently became a victim of a ransomware attack that affected its production and IT systems.

Norsk Hydro, a multinational manufacturer headquartered in Norway and one of the world’s largest aluminum producers, reported last week that it was hit by ransomware that affected its production and IT systems.

The LockerGoga ransomware infected multiple systems across the organization and impacted operations across multiple areas. As this is a relatively new incident, there are still many unknowns regarding the actual impact on the aluminum producer, the adversaries’ motivations, and what exactly occurred in the company’s networks.

Based on the information published so far, including by Norsk Hydro itself, it’s clear that the company’s production environments were affected by the attack – causing several of its factories to halt production or switch to manual operations.

This is yet another proof point that manufacturers can no longer isolate their operational technology (OT) networks from cyber-attacks. In 2017, during the WannaCry and NotPetya ransomware campaigns, many manufacturers worldwide reported that their production networks were hit, leading to hundreds of millions of dollars in damage. Victims included pharmaceutical manufacturer Merck, automotive manufacturers Nissan and Renault, food manufacturer Mondelez, and many others.

During 2018, we witnessed more infections when iPhone chip manufacturer TSMC reported that a WannaCry variant caused operational downtime in multiple sites, leading to an estimated damage of $250 million. Even though these industrial companies were not the main targets of this malware, they became victims because of their dependency on IT systems and on unpatched Windows systems. This type of collateral damage can affect any connected device, regardless of whether it is an IT, OT or other type of device.

Adversaries leverage IT/OT connectivity to affect industrial control systems (ICS). If an adversary can identify an attack vector into a connected device, that device can easily become the target of generic tools such as ransomware.

Industrial organizations cannot base their OT security strategies on a “hopefully no attack will occur” attitude or think their organization is not attractive enough to be the target of such attacks.

Based on the information known so far, it may seem that the Norsk Hydro case is another example of a generic attack like WannaCry and NotPetya, which caused collateral damage to industrial organizations. However, the technical details of the methods used by the attackers in this case, especially the propagation methods, may indicate otherwise. The attackers used existing methods and tools, such as the newly discovered industrial ransomware LockerGoga, but modified and tailored them for the specific target, Norsk Hydro. It is still too early for a final conclusion; the picture will become clearer as more information emerges.

With the growing threat landscape affecting these highly sensitive OT systems, what can manufacturers do to protect themselves from future cases?

Reduce the Attack Surface

As the Norsk Hydro incident shows, industrial organizations can no longer rely on segmentation or isolation between IT and OT as a security strategy. Even though Norsk Hydro claims some of its production systems were isolated from IT and therefore safe, this approach has not proven effective at protecting the entire OT infrastructure.

Manufacturers must gain visibility into their internal OT networks and maintain an up-to-date, automatically generated asset inventory and architecture maps. The inventory needs to record each device, its operating system, patch level, known vulnerabilities, and more. In addition, mapping the devices and their communications will identify traffic flows, architectural flaws, rogue connections to the internet, and connections between IT and OT networks.

By maintaining a continuous, real-time asset inventory with extensive visibility into the network connections, manufacturers can identify security gaps and prioritize the actions they take to reduce their overall exposure and, therefore, the likelihood of an attack occurring. Visibility is a key enabler of security policy enforcement and measurement of the effectiveness of current security capabilities in place.
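The mapping step described above, as an added example that is not part of the original article or of SCADAfence's product: a small audit that checks recorded traffic flows against an asset inventory and flags the conditions the text names (rogue OT-to-internet connections, IT-to-OT crossings, devices that are not in the inventory, and SMB traffic reaching an OT host recorded as unpatched). The zone address ranges, the inventory entries and the flow records are all constructed sample data, and the field names are assumptions chosen for illustration; a real deployment would feed the same logic from its own inventory and flow collector.

```python
"""Audit traffic flows against an OT asset inventory (added example).

All data below is constructed for illustration; zone ranges, inventory
fields and flow records are assumptions, not taken from any real network.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, Iterable, List

# Constructed zone map: which address ranges belong to which network zone.
ZONES = {
    "IT": [ip_network("10.10.0.0/16")],
    "DMZ": [ip_network("10.20.0.0/24")],
    "OT": [ip_network("192.168.100.0/24"), ip_network("192.168.101.0/24")],
}

# Constructed asset inventory: zone, operating system and patch status per host.
INVENTORY = {
    "10.10.5.21": {"zone": "IT", "os": "Windows 10", "patched": True},
    "10.20.0.5": {"zone": "DMZ", "os": "Windows Server 2016", "patched": True},
    "192.168.100.10": {"zone": "OT", "os": "Windows 7", "patched": False},
    "192.168.100.20": {"zone": "OT", "os": "Windows XP", "patched": False},
    "192.168.101.3": {"zone": "OT", "os": "PLC firmware", "patched": True},
}


@dataclass(frozen=True)
class Flow:
    """One observed connection: source, destination, destination port, protocol."""
    src: str
    dst: str
    dport: int
    proto: str


def zone_of(addr: str) -> str:
    """Return the zone that owns addr; 'INTERNET' for public space, else 'UNKNOWN'."""
    ip = ip_address(addr)
    for zone, nets in ZONES.items():
        if any(ip in net for net in nets):
            return zone
    return "INTERNET" if ip.is_global else "UNKNOWN"


def classify(flow: Flow) -> List[str]:
    """Return the list of findings for a single flow (empty when nothing is wrong)."""
    findings: List[str] = []
    sz, dz = zone_of(flow.src), zone_of(flow.dst)

    # Any direct path between an OT address and the public internet.
    if (sz == "OT" and dz == "INTERNET") or (sz == "INTERNET" and dz == "OT"):
        findings.append("rogue-internet")

    # Direct IT-to-OT traffic that bypasses the DMZ.
    if {sz, dz} == {"IT", "OT"}:
        findings.append("it-ot-crossing")

    # Internal addresses that the inventory does not know about.
    for addr in (flow.src, flow.dst):
        if zone_of(addr) in ZONES and addr not in INVENTORY:
            findings.append(f"unknown-asset:{addr}")

    # SMB (445/tcp) reaching a host recorded as unpatched: a prime worm path.
    dst_info = INVENTORY.get(flow.dst, {})
    if flow.dport == 445 and flow.proto == "tcp" and dst_info.get("patched") is False:
        findings.append("smb-to-unpatched-host")

    return findings


def audit(flows: Iterable[Flow]) -> Dict[Flow, List[str]]:
    """Run classify over every flow and keep only the ones with findings."""
    return {f: classify(f) for f in flows if classify(f)}


def exposed_ot_hosts() -> List[str]:
    """OT hosts whose inventory entry says they are unpatched (prioritisation list)."""
    return sorted(a for a, i in INVENTORY.items()
                  if i["zone"] == "OT" and not i["patched"])


# Constructed flow records standing in for a flow-collector export.
SAMPLE_FLOWS = [
    Flow("10.10.5.21", "192.168.100.10", 445, "tcp"),   # IT workstation -> OT host over SMB
    Flow("192.168.100.20", "8.8.8.8", 443, "tcp"),      # OT host talking to the internet
    Flow("192.168.101.3", "192.168.101.50", 502, "tcp"),  # PLC -> address missing from inventory
    Flow("10.20.0.5", "192.168.100.10", 102, "tcp"),    # DMZ -> OT, the intended path
]

if __name__ == "__main__":
    for flow, found in audit(SAMPLE_FLOWS).items():
        print(f"{flow.src} -> {flow.dst}:{flow.dport}/{flow.proto}: {', '.join(found)}")
    print("unpatched OT hosts to prioritise:", exposed_ot_hosts())
```

Each finding maps to one of the gaps the text asks visibility to expose, and the unpatched-host list is the kind of prioritisation the inventory enables: the DMZ-to-OT flow produces no finding because that is the path the architecture intends, while the other three flows each surface a concrete action (close the crossing, remove the internet path, enrol the unknown device).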

Prepare for the Worst

No single security strategy or tool is a silver bullet for protecting the OT environment, so companies need to prepare to respond to the worst-case scenarios. As Norsk Hydro demonstrated, proper backup capabilities allow companies to respond effectively to such incidents and restore normal operations. By backing up critical files and configurations, the aluminum producer was able to minimize the damage caused and to restore operations, even if this was done manually at first. Backup and restore capabilities and procedures cannot prevent an attack from happening, but they can accelerate the recovery of infected systems.

Analyze the Threat and Contain It

Once there is an initial indication of a breach or an indicator of compromise has been detected, companies must have capabilities in place to analyze their risk and contain the threat. Investigative capabilities must be implemented in advance, allowing real-time incident response and root-cause analysis. This information is critical to pinpoint the source of the incident and to analyze potential propagation paths. Once the defenders understand what is attacking them and what the attackers can do in their environment, they can implement the proper measures to contain the threat as fully and as quickly as possible and limit the impact of the attack, keeping their operations running and their employees safe.

In summary, cyber-attacks that hit OT networks can cause significant damage to manufacturers’ revenue and public reputation, and even endanger their employees. Industrial companies must build the proper OT security strategy and procedures, train their personnel, and put in place the proper tools that will allow them to reduce the probability of infection and minimize the effect of such attacks.

Yoni Shohet is Co-Founder and VP Business Development at SCADAfence, which helps industrial organizations to secure their digital transformation journey.

