How Norsk Hydro gave a masterclass in crisis communications
Norsk Hydro is a global supplier of aluminium and aluminium products. It's an enterprise that employs 35,000 people across 40 countries.
It’s too early to put an exact figure on it, but Norsk Hydro is estimated to have lost at least $40 million, from “lost margins and volumes in the Extruded Solutions business area”. Longer term costs are hard to measure - whether Norsk Hydro loses future earnings and suffers from reputational damage is yet to be seen.
But in the days that followed the attack, Norsk Hydro gave a masterclass in Cyber Incident Response and crisis communications.
The attack came in the form of LockerGoga; ransomware that has been infecting industrial engineering and manufacturing businesses. French engineering company Altran suffered a similar attack in January 2019.
There are four key stages of Cyber Incident Response:
• Isolate & Contain
Ransomware incidents demand swift action to Isolate & Contain to limit spread and speed up recovery.
Crypto vs Locker Ransomware
There are two strands of ransomware – crypto-ransomware and locker-ransomware. The former encrypts user data. The latter lock users out of systems (some types will do both).
Targeted vs Mass Ransomware attacks
There are also two broad types of attack – those that target specific organisations and mass-scale attacks. These work in the same way that businesses either target a mass market with a low cost product vs a more valuable niche (think Vauxhall vs Rolls Royce).
Mass-scale attacks usually use a phishing email sent to a large number of email addresses – that haven’t necessarily been specifically selected. The ransom cost is typically low (hundreds or thousands of pounds) because so many organisations will pay.
Targeted attacks demand much higher ransoms (perhaps hundreds of thousands of pounds). This higher pay-out means it is worth investing more time and effort into infecting the target organisation. LockerGoga doesn’t have the ability to self-propagate like WannaCry or NotPetya, which were able to spread without privileged access. For LockerGoga to spread, the original infection must have had Domain Administrator access.
In Business Continuity Planning, the best solution to keep the organisation going is not always expensive and complex. Sometimes a simple, manual workaround will do.
At airports, when digital display boards go down, staff break-out the white boards – for example.
But as we automate and optimise our business processes, there are fewer opportunities to use manual workarounds. Modern, automated manufacturing is far more productive and efficient, but the reliance on technology means when systems do go down, it can be difficult to keep moving.
Norsk Hydro took systems offline and reverted to manual processes wherever possible.
Systems were then brought back online after being recovered from backups.
Two weeks after the initial infection, its Extruded Solutions business area is still operating at reduced capacity.
Crisis Communications was the area where Norsk Hydro really excelled.
They were honest and transparent with frequent updates.
It is not necessary to give the complete story all at once (you likely won't have all the facts early on) but share what you do know.
Its first notification on its website was simply to say:
“Hydro became the victim of an extensive cyber-attack in the early hours of Tuesday (CET), impacting operations in several of the company's business areas.
IT-systems in most business areas are impacted and Hydro is switching to manual operations as far as possible. Hydro is working to contain and neutralize the attack, but does not yet know the full extent of the situation.”
Simply acknowledging the problem here is vital to get on the front-foot for Crisis Communications. This wins goodwill from customers and the public and takes pressure off the team to focus on handling the issue itself rather than fielding questions from all angles.
Over time, Norsk Hydro provided more information.
It provided specifics about which business units were affected and gave a time for its upcoming press conference.
It stated operations were “safe and stable”. The root cause had been identified and the company was working through its remediation plans to restart IT systems.
Further progress made and restoration of IT systems in progress. The update also featured comment from Hydro’s Head of Information Systems naming “Microsoft and other IT security partners” who are providing support for the recovery. It highlighted another positive – there were no reported safety incidents. Finally, the incident had been reported to the police.
At this point, Hydro clarified some systems were shut down to contain the spread of the malware, rather than because they were themselves infected. They highlighted the difficulties faced in the Extruded Solutions business area due to the reliance of “work-around solutions”.
Hydro continued to provide reports every working day, primarily updating the status of production capacity as it returns to normal levels.
The overall impression from the press conference was that of a company dealing with a difficult situation but in complete control.
Hydro’s CFO, Ivan Eivind Kallevik projected a quiet confidence as he answered questions from the press. He was fully informed on the situation; which business areas were affected, which were running as normal, when production systems were expected to be restored. He declined to comment on some questions, where appropriate (but without seeming evasive).
As an aside - during the press conference, Kallevik stated Norsk Hydro had a cyber insurance policy in place with “business interruption” included – with a “reputable international insurance company”.
This is worth noting, considering the ongoing dispute over a cyber insurance claim by Mondelez following its NotPetya infection. (https://www.insurancejournal.com/news/international/2019/01/11/514553.htm)
After the dust settles
We can compare Norsk Hydro to other large organisations that suffered significant ransomware infections. WannaCry and NotPetya have affected giants like the NHS, DLA Piper, WPP and Maersk. Norsk Hydro clearly learned lessons from those incidents.
It was an organisation with a Cyber Incident Response Plan in place ahead of the infection. That enabled it to deal with a difficult situation confidently.
We predict Norsk Hydro’s response will:
• Reduce production capacity losses
• Reduce (or potentially even eliminate) future losses stemming from damaged reputation
• Reduce the likelihood of fines from regulators
• Increase its likelihood of a pay out from its cyber insurer