At a Norsk Hydro extrusion plant in Norway, sales project manager Rune Johansen and extrusion anodizing fabrication manager Sten Stolpe dig through paper documentation to manually complete customer orders during the cyberattack.<\/figcaption><\/figure>\n<\/p>\nIn Hungary and Norway last March, DART members helped Norsk Hydro develop safe processes to restore their servers with an improved security posture. They also educated the company about the current threat landscape and known attacker behaviors to help reduce the risk of future attacks, Moeller says.<\/p>\n
Inside Norsk Hydro, the internal response focused on multiple fronts. They launched old-school methods to resume full production and repair business operations. And they worked to protect the safety of employees and the environment.<\/p>\n
\u201cWe operate heavy machinery. If the power is lost in an uncontrolled manner, it could risk severe safety incidents for people,\u201d says Molland, the media relations SVP.<\/p>\n
\u201cSafety is always first priority with us. Secondly, it\u2019s the concern for the environment and ensuring we don\u2019t have any uncontrolled emissions (due to sudden machine stoppages) out to the air, land or water.\u201d<\/p>\n
Executives handwrote signs warning of the cyberattack, photographed them with their smart phones and texted the images to managers at Norsk Hydro plants and offices around the world. At those facilities, the staff used local printing shops to create paper signs, posting them on entryways, stairwells and elevators for employees to read as they arrived for the workday.<\/p>\n
\u201cPlease do not connect any devices to the Hydro network. Do not turn on any devices connected to the Hydro network. Please disconnect devices from the Hydro network,\u201d read some written alerts that also carried a simple signature: \u201cSecurity.\u201d<\/p>\n
Two workers at a Norsk Hydro plant in Portland, Oregon manually operate machines to produce specific customer orders during the initial phase of the cyberattack.<\/figcaption><\/figure>\n<\/p>\nThe entire workforce did their jobs with pen and paper during the attack\u2019s first days. Some plants switched to manual procedures to meet manufacturing orders. Retired employees \u2013 familiar with the old paper system \u2013 volunteered to return to their plants to keep production rolling.<\/p>\n
\u201cThe way we pulled together to make the company come through the situation in one piece and get back into production has been an extreme team-building session,\u201d Molland says.<\/p>\n
\u201cWe have an organized emergency preparedness methodology within the company \u2013 in the corporate level, in the business area and at the plant level,\u201d he adds. \u201cThat worked to our benefit. When this hit us, we were able to handle the situation in a constructive, organized manner.\u201d<\/p>\n
In other words, prevention is important but locking out all cyberattackers should not be a company\u2019s sole security focus, says Jo De Vliegher, Norsk Hydro\u2019s chief information officer.<\/p>\n
\u201cIf hackers want to get in, they will get in,\u201d De Vliegher says. \u201cWe now have an improved incident response to make sure that \u2013 should something similar happen \u2013 we are much better equipped to limit the damage in time and geography.\u201d<\/p>\n
Norsk Hydro reported the incident to Norway\u2019s National Criminal Investigation Service (Kripos). The case remains under investigation, Molland says.<\/p>\n
Video and photos courtesy of Norsk Hydro. <\/em><\/p>\n","protected":false},"excerpt":{"rendered":"\u201cWhat would you get from paying a ransom in such an attack?\u201d Gimnes Are asks. \u201cYou will potentially get back your encrypted data \u2013 if the attacker gives you the key. Paying the ransom would not help you to rebuild the company infrastructure, all the servers, all the PCs, all the networks. \u201cPaying the ransom […]<\/p>\n","protected":false},"author":2,"featured_media":105655,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[49],"tags":[52,298],"class_list":["post-105654","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-microsoft-news","tag-security","tag-transform"],"_links":{"self":[{"href":"https:\/\/sickgaming.net\/blog\/wp-json\/wp\/v2\/posts\/105654","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/sickgaming.net\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/sickgaming.net\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/sickgaming.net\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/sickgaming.net\/blog\/wp-json\/wp\/v2\/comments?post=105654"}],"version-history":[{"count":0,"href":"https:\/\/sickgaming.net\/blog\/wp-json\/wp\/v2\/posts\/105654\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/sickgaming.net\/blog\/wp-json\/wp\/v2\/media\/105655"}],"wp:attachment":[{"href":"https:\/\/sickgaming.net\/blog\/wp-json\/wp\/v2\/media?parent=105654"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/sickgaming.net\/blog\/wp-json\/wp\/v2\/categories?post=105654"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/sickgaming.net\/blog\/wp-json\/wp\/v2\/tags?post=105654"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
![\"Two](\"https:\/\/www.sickgaming.net\/blog\/wp-content\/uploads\/2019\/12\/facing-ransomware-demands-one-company-had-an-unusual-response.jpg\")
![\"Two](\"https:\/\/www.sickgaming.net\/blog\/wp-content\/uploads\/2019\/12\/facing-ransomware-demands-one-company-had-an-unusual-response-1.jpg\")