Experts praise Norsk Hydro cyberattack response

Aluminum manufacturer Norsk Hydro was hit with ransomware that forced a switch to manual operations. The company's incident response has experts impressed.

Aluminum manufacturer Norsk Hydro was hit by ransomware that affected operations, but some experts have been impressed with the company's incident response.

The Norsk Hydro cyberattack began at midnight Central European Time on Monday, March 18, forcing the company to isolate all plants across the U.S. and Europe to stop the spread of the ransomware and switch to manual operations where possible.

Eivind Kallevik, CFO of Norsk Hydro, based in Oslo, Norway, said in a press conference on Tuesday that the attack was "quite severe," but added that the company had no plans to pay any ransom. In a follow-up press conference on Wednesday, Kallevik noted that, although this was a ransomware attack, the company had not been given a specific amount of money to pay.

"The plan and the strategy is to get back to operations by cleaning the systems we have and restoring the data we have from our backup systems," Kallevik said.

Kallevik also confirmed the company has cyberinsurance, though the details of the policy were not disclosed. Kallevik would not say how long the attackers were in Norsk Hydro's network, because that is currently under police investigation.

Bob Rudis, chief data scientist at Rapid7, based in Boston, noted that being able to move to manual operations "shows they had plans in place in the event of technology failures." He added that having backups in place indicated Norsk Hydro was already in the process of restoring encrypted systems to a working state.

"This is yet another indication that the internal planning and obvious partnership between business process owners and those in charge of information technology [and] information security is at a very high maturity level," Rudis said. "What's especially great about this is that we can externally measure how they are doing -- since they make real, physical things -- and all current indicators show they are meeting the needs of their customers."

In a blog post on Wednesday, Norsk Hydro also confirmed that its technical team "has succeeded in detecting the root cause of the problems and is currently working to validate the plan and process to restart the company's IT systems in a safe and sound manner."

However, at the time of this post, it is still unclear when the company will be able to fully restart IT systems.

Experts react

The transparency, continuous updates and -- so far -- daily press conferences that include question-and-answer sessions impressed experts.

Rudis said Norsk Hydro should be commended for how quickly status update pages were set up "and for their willingness to provide incremental information on the nature and scope of the attack."

"Their main external IIS [Internet Information Services] server(s) that run their normal website were active, operational and were also serving the static notice page, indicating that Norsk Hydro may have implemented solid network segmentation between their internet-facing systems and internal network(s)," Rudis wrote via email.

"I was frankly amazed Norsk Hydro managed to set up an internet-wide, press-at-the-ready, live-streamed update so quickly after the incident took place," he continued. "The leaders present were knowledgeable, they handed off answers to appropriate responsible parties and they were as open as legally possible about attack details, along with the state of business operations. That is highly unusual and exceptionally refreshing."

Kevin Beaumont, a security architect based in the U.K., said on Twitter that Norsk Hydro's public response "has been incredibly good -- open, quick, transparent with customers (and public [and] employees), [with] seniors on camera talking about issues."

"Note that despite being extremely open about the scale of the issues with public and media and putting execs in front of streams talking about an 'extreme' situation, Norsk Hydro's share price is fine," Beaumont tweeted. "Compare that to where companies have hidden and minimized things."

Justin Warner, director of applied threat research at network monitoring vendor Gigamon, based in Santa Clara, Calif., said the incident response to the Norsk Hydro cyberattack showed "strong coordination between communications, PR teams and the general public."

"The decision to disclose this level of detail and engage the public is the choice of the impacted organization and should be strategically planned to support their larger response plan," Warner said. "Transparency and engagement are always appreciated because, fundamentally, we see a lot of the same threats and activity. Sharing and engaging the public can help prevent activity like this from having a similar large-scale impact in the future. We ultimately will face these threats together or alone."
