Dive Brief:
- Four of Norsk Hydro's five business areas were running production at normal capacity as of Wednesday, a week after the ransomware attack, according to a company announcement.
- Manual workarounds are still required. The most affected business area is the aluminum manufacturing unit Extruded Solutions, which was at 70-80% of normal production as of Tuesday. Its Building Systems unit, however, is "almost at a standstill," operating at about 20% "with local variations from plant to plant," according to the announcements.
- The industrial company estimates the attack will cost about $40 million, mainly in lost margins and volumes at Extruded Solutions.
Dive Insight:
Hydro is in the recovery phase following what is believed to be a LockerGoga ransomware attack. LockerGoga is reported to have no self-propagation mechanism, so it is deployed against chosen targets rather than spreading indiscriminately the way NotPetya or WannaCry did.
It's also possible the attackers "were just wildly successful with this attack, probably far beyond what they expected," said Hani Mustafa, CEO of Jazz Networks, in an email to CIO Dive. The connection between Hydro's industrial controls and office computers across the globe, which require "local attendance" to restore, "all exacerbated" the company's woes, he said.
Extruded Solutions had difficulty connecting to production systems, which resulted in temporary "stoppages," according to the company. It's unclear how long it will take production to return to normal, but deliveries to Building Systems will increase "over the coming days," according to the announcement.
Hydro ran multiple Active Directory subdomains, and the attackers most likely used the company's main Active Directory domain to distribute the ransomware across them.
Network segmentation "to prevent unwanted talk between locations and unrelated servers," could have helped Hydro curtail the spread of the ransomware, according to Mustafa.
Office computers and industrial control systems should be separated, because office computers are exposed to the internet and are where a compromise typically begins.
"It's not unusual for industrial control systems to be 'air-gapped' or not connected to anything but themselves," said Mustafa. However, in Hydro's case, the Active Directory server essentially bridged the air gap.
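The segmentation Mustafa describes comes down to a zone policy: office networks at different sites should not talk to each other, and nothing outside an ICS network should reach into it, including the domain controllers that office machines depend on. The following Python script is an added example, not code from the article, from Hydro, or from Jazz Networks. The zone names, address ranges, port allowlist and flow records are all constructed for illustration and do not describe Hydro's actual network. It audits a batch of flow records against such a policy and reports every inter-zone flow the policy does not explicitly permit, so a domain controller reaching an ICS host over SMB shows up as the air-gap bridge it is.

```python
"""Audit network flow records against a zone-based segmentation policy.

Added example for illustration only. Zones, ranges, ports and flows are
constructed and hypothetical; they are not Norsk Hydro's network.
"""
import ipaddress

# Hypothetical zones: each site has an office LAN and an ICS (OT) network;
# the Active Directory domain controllers live in a separate identity zone.
ZONES = {
    "office-site-a": ipaddress.ip_network("10.1.0.0/16"),
    "ics-site-a": ipaddress.ip_network("10.2.0.0/16"),
    "office-site-b": ipaddress.ip_network("10.11.0.0/16"),
    "ics-site-b": ipaddress.ip_network("10.12.0.0/16"),
    "identity": ipaddress.ip_network("10.100.0.0/24"),
}


def zone_of(ip: str) -> str:
    """Map an address to its zone; anything outside the defined ranges is 'external'."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "external"


# Inter-zone allowlist of (src_zone, dst_zone, dst_port). Intra-zone traffic is
# allowed implicitly. Office hosts may authenticate to the domain controllers
# and browse the web; the ICS zones appear in no rule at all, in either
# direction, which is what "air-gapped" means in policy terms.
OFFICE_ZONES = ("office-site-a", "office-site-b")
AD_PORTS = (53, 88, 135, 389, 445, 636)  # DNS, Kerberos, RPC mapper, LDAP, SMB, LDAPS
ALLOWED = set()
for _office in OFFICE_ZONES:
    for _port in AD_PORTS:
        ALLOWED.add((_office, "identity", _port))
    ALLOWED.add((_office, "external", 443))  # web egress through the perimeter


def evaluate(flow: dict) -> tuple:
    """Return ('allow' | 'deny', reason) for one flow record {src, dst, dport}."""
    src_zone, dst_zone = zone_of(flow["src"]), zone_of(flow["dst"])
    path = f"{src_zone} -> {dst_zone}:{flow['dport']}"
    if src_zone == dst_zone:
        return ("allow", f"intra-zone traffic within {src_zone}")
    if (src_zone, dst_zone, flow["dport"]) in ALLOWED:
        return ("allow", f"{path} is on the allowlist")
    if src_zone.startswith("ics-") or dst_zone.startswith("ics-"):
        return ("deny", f"ICS boundary crossed: {path}")
    return ("deny", f"unwanted inter-zone traffic: {path}")


def violations(flows: list) -> list:
    """Return (flow, reason) for every flow the segmentation policy does not permit."""
    return [(f, reason) for f in flows for verdict, reason in [evaluate(f)] if verdict == "deny"]


# Constructed flow records, as a flow collector or firewall log might export them.
SAMPLE_FLOWS = [
    {"src": "10.1.5.20", "dst": "10.100.0.10", "dport": 88},    # office A -> DC, Kerberos: allowed
    {"src": "10.2.7.3", "dst": "10.2.7.4", "dport": 502},       # PLC traffic inside ICS A: allowed
    {"src": "10.1.5.20", "dst": "203.0.113.7", "dport": 443},   # office A -> internet HTTPS: allowed
    {"src": "10.1.5.20", "dst": "10.11.8.9", "dport": 445},     # office A -> office B SMB: cross-site
    {"src": "10.100.0.10", "dst": "10.2.7.3", "dport": 445},    # DC -> ICS host SMB: AD bridges the gap
    {"src": "10.1.5.20", "dst": "10.2.7.3", "dport": 3389},     # office A -> ICS host RDP
    {"src": "10.2.7.3", "dst": "203.0.113.7", "dport": 443},    # ICS host -> internet: should never happen
]

if __name__ == "__main__":
    for flow, reason in violations(SAMPLE_FLOWS):
        print(f"DENY {flow['src']} -> {flow['dst']}:{flow['dport']}  ({reason})")
```

The allowlist is deliberately minimal so the violations are easy to read; a real domain needs more (dynamic RPC ports, time sync, and DC-to-DC replication, for example), and the policy would be enforced on the firewalls between zones rather than checked after the fact. The audit is still useful on its own: run over exported flow logs it shows which "unwanted talk between locations and unrelated servers" actually occurs today, and the fourth and fifth sample records are exactly the two paths the article describes, office machines at one site reaching another and the identity tier reaching into production.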
The connection of office computers across Hydro's international locations also highlights how different versions of software persist in different facilities. Tracking software updates across a global company's offices is challenging, but inventory and patch management tools exist for exactly that purpose.
Mustafa suggests companies subscribe to private intelligence feeds for early warnings. "Have anomaly detection in layers of protection on both the level of the network and the endpoint," he said.