Lessons Learned from Cyber Attacks in the Industrial Sector
From chemical and power plants to energy and mining and metal production, industrial companies are increasingly at risk of cyber attacks that threaten workers and the environment. Here’s how to respond.
In March 2019, Norsk Hydro, a leading global aluminum producer headquartered in Oslo, Norway, with operations around the world, found itself the victim of a stealth cyber attack.
Its “attacker” came in the form of a compromised email sent via an existing customer’s email address to an unsuspecting employee. The employee opened the attachment and unwittingly unleashed LockerGoga, a type of ransomware that gave an enterprising group of cyber criminals access to — and eventually control of — the entire Norsk Hydro network.
The attack was a sobering moment for all industrial companies, as it demonstrated that infrastructure systems across the globe are at significant risk of sinister cyber attacks.
According to FTI Consulting’s 2020 Resilience Barometer, 20 percent of surveyed companies reported being victims of a ransom or data hostage situation in 2019. The Barometer incorporates the views of more than 2,000 C-suite and senior manager executives from large companies across all G20 countries.
The Norsk Hydro incident was not a run-of-the-mill cyber attack. It was a calculated mission that took months to plan. The cyber criminals were able to replicate an email and corresponding attachment that a Norsk Hydro employee would expect to see, only with one major difference: The attachment contained malicious software.
This type of attack vector, social engineering, is the most common method for attempting to penetrate a company’s cyber defenses according to the Resilience Barometer. Nearly 30 percent of large companies researched reported being negatively impacted in this way in the past 12 months.
As with other cybersecurity breaches, the compromise of information systems and loss of controls in the Norsk Hydro attack exacted a high financial toll. The loss was estimated to be USD$75 million due to increased costs and reduced volumes from business disruption.1 (Norsk Hydro chose not to pay the ransom and instead attempted to continue business operations using alternative measures, like reverting to old paper systems.)
90 percent of G20 leaders surveyed believe they have cybersecurity gaps.
But financial damage is just one aspect of the fallout from a cyber attack to an industrial company. The potential for major safety issues, particularly in areas like chemicals and power plants, also poses significant dangers to workers while simultaneously creating environmental hazards.
Cyber Headaches On the Rise
Cyber incidents are not new; they have in fact affected industrial environments for years now. In 2014, for instance, the German Federal Office for Information Security indicated that a cyber attack had caused massive damages at steel plants in Germany.2 The incident resulted in systems failure at one of the plants, which prevented normal shutdown capabilities from occurring following standard procedures. The culprit? Sophisticated hackers who used a spear-phishing campaign to harvest credentials of specific users, granting them access to control systems.
What’s new in industrial environments is the audacity and variety of attacks. Spurred on by the sectors’ continued migration toward sophisticated digital technology, automation, and intelligent processes that increasingly connect erstwhile closed and stand-alone production systems, today’s cyber attackers see vulnerabilities at almost every turn. The Resilience Barometer showed that 27 percent of surveyed respondents experienced some form of cyber attack in 2019 where assets were stolen or compromised. One in four companies surveyed in the Barometer reported having experienced a cyber attack where assets where stolen or compromised in the past 12 months.
Consider last year’s attack on Nyrstar N.V., a global mining and metal processing business headquartered in Zurich, Switzerland. Although production operations continued, hackers blocked access to IT systems, databases, and email functionality, severely affecting the organization.3 In 2019, cyber criminals attacked ThyssenKrupp, one of the world’s largest steel producers, by using “organized, highly professional hacker activities,” resulting in the theft of technical trade secrets from the company’s steel production and manufacturing plant design divisions.4
Anticipating and Defending Against the Cyber Menace
What can industrial companies do to prevent ransomware attacks? Several best practices that focus on basics of cybersecurity go a long way toward implementing proper preparedness planning. These best practices include:
- Regular employee training and communication
- Internal systems that identify and filter out suspicious emails
- System design review and testing, including how to segment and segregate devices and data
- Secure backup system and methodology
- Regular and timely maintenance of systems, such as operating system and software being patched and kept up to date.
Additionally, having an incident response plan implemented and tested prior to a ransomware attack is essential. This process involves four steps:
- Preparation: Establish and train an incident response team. Develop appropriate tools and resources. Select and implement controls based on the results of our risk assessments.
- Detection and Analysis: Combine resources and tools necessary to determine the scope, impact and appropriate response.
- Containment, Eradication and Recovery: Prevent data from leaving the networks, and prevent further damage. Remove malicious code, actor accounts or unnecessary access. Repair vulnerabilities that may be the root cause of the incident.
- Post-Incident Activity: Reflect on lessons learned, identify new threats and upgrade systems with better technology. Detail the cost, cause and response for the incident, along with steps that should be taken to prevent future incidents.
Integrating Cyber into Risk Management Programs
Critical infrastructure entities that proactively take measures against ransomware attacks will not only be able to better serve their customers and protect their brands and reputations, but they will also reduce legal risks, ensure business continuity and preserve their intellectual property.
In industrial environments, protection against cyber attacks should be fully integrated into a corporation’s risk assessment and mitigation program. Compromised systems and the loss of controls may otherwise result in the destruction of critical assets and have catastrophic safety and environmental consequences.
© Copyright 2020. The views expressed herein are those of the author and do not necessarily represent the views of FTI Consulting, Inc. or its other professionals.
Senior Managing Director