- Four out of five of Norsk Hydro's business areas are running production at normal capacity as of Wednesday after last week's ransomware attack, according to a company announcement.
- Manual workloads are still required. The most impacted business area is its aluminum manufacturing unit, Extruded Solutions, which was at 70-80% production as of Tuesday. Building Systems, however, is "almost at a standstill" and operating at 20% "with local variations from plant to plant," according to the announcements.
- The industrial company estimates the ransomware attack will cost about $40 million accrued from lost margins and volumes from Extruded Solutions.
Hydro is in the recovery phase following what is believed to be a LockerGoga ransomware attack. LockerGoga is said to limit its attack surface, making victims more targeted than infamous ransomware attacks like NotPetya or WannaCry.
It's also possible the attackers "were just wildly successful with this attack, probably far beyond what they expected," said Hani Mustafa, CEO of Jazz Networks, in an email to CIO Dive. The connection between Hydro's industrial controls and office computers across the globe that require "local attendance, all exacerbated" the company's woes.
Extruded Solutions was having difficulty connecting to production systems, which resulted in temporary "stoppages," according to the company. It's unclear how long it will take production to return to normal but deliveries to Building Systems will increase "over the coming days," according to the announcement.
Hydro used multiple active directory subdomains through Microsoft and LockerGoga's hackers most likely used the company's main Active Directory to distribute the ransomware.
Network segmentation "to prevent unwanted talk between locations and unrelated servers," could have helped Hydro curtail the spread of the ransomware, according to Mustafa.
Office computers and industrial control systems should be separated as computers are exposed to the internet.
"It's not unusual for industrial control systems to be 'air-gapped' or not connected to anything but themselves," said Mustafa. However, in Hydro's case, the Active Directory server essentially bridged the air gap.
The connection of office computers in Hydro's international locations highlights the persistence of different versions of software running in different facilities. Keeping track of a global company's software updates in different offices is challenging, but inventory and patching management software is available.
Mustafa suggests companies subscribing to private intelligence feeds for warnings. "Have anomaly detection in layers of protection on both the level of the network and the endpoint," he said.