Update: The Washington Post pointed out that malware probably did not spread from Norsk’s IT network to its plant floor or OT network since they were able to run some plants manually. This is where network segmentation is really important, even within the IT network. They also pointed out that Norsk was very public about what was going on, even though it had a (likely) short-term impact on their stock price. They definitely should get gold stars for that. Source: The Washington Post.
Aluminum giant Norsk Hydro was hit with a ransomware attack this week.
The attack has forced the company to shut down several plants and take other plants offline to stop the spread of the attack.
Other plants were operating in “manual” mode.
The Norwegian company employs 35,000 people in 40 countries. They report that their entire worldwide network is down, affecting production and office operations.
While some smelting operations can run manually, the company has had to shut down some of its extrusion plants.
The company says that it doesn’t plan to pay the ransom and plans to restore its systems from backups.
One expert suggested that the attacker(s) might have gained domain admin access and then installed a malicious executable on the domain controllers. From there it gets downloaded to any machine that logs on to the network – workstation or server. That is why they had to completely shut down the network.
The interesting thing is that they said that this attack is so big that it is affecting the spot price of aluminum on the world market.
So what does this have to do with you?
Let’s assume that you got hit with a ransomware attack. Not a great thought but not impossible either.
Now assume that you had to shut down the entire company network. Maybe computers can be powered up, but maybe not. Since the network is down, the cloud-based phone system doesn’t work. No email, and your cell is only useful as a phone, as long as it doesn’t need WiFi access to work.
How will your company operate?
Are you prepared for an event like this?
Do you have a plan? Have you tested it? When?
This is not an isolated event. We hear about it all the time. Most of the time it doesn’t affect the spot price of materials on the world market. That doesn’t mean that it won’t hurt you.
Your cyber incident response plan, program and training are critical. Are the external third-party resources that you may need identified? Have you reviewed the contracts that will need to be signed?
Do you have backup plans for how your business will operate when you no longer have a network or an Internet connection?
What happens when your web site goes down? Will visitors just get a message that your site can’t be found? What will they think if that happens?
In the case of Norsk it was a ransomware attack, but it could be a failure of your Internet provider, a fire in your building, a burst water pipe in your data center or any number of other possible situations.
In their case, they can afford the millions of dollars they are spending to deal with the situation. Can you afford that?
Will your cyber risk insurance cover all of this? Many times companies come to us after discovering that their insurance won’t cover the loss and we look at the policy. The insurance company is right. It doesn’t cover it. That is because cyber insurance is like the Wild West and if your agent does not write a lot of coverage, you may or may not get what you need. This is very different from almost EVERY other form of insurance. In Colorado and many (most) other states, cyber risk insurance is not regulated by the Department of Insurance.
If you are not prepared then now is the time to get prepared, because it is not a matter of if, but rather how, how bad and when.
Plan now or deal with it later, and dealing with it later will not be pretty. Take it from someone who knows.
Information for this post came from Threatpost.