FTI Journal
FTI Journal | Critical Thinking at the Critical Time
 

Lessons Learned from Cyber Attacks in the Industrial Sector

Lessons Learned from Cyber Attacks in the Industrial Sector

From chemical and power plants to energy and mining and metal production, industrial companies are increasingly at risk of cyber attacks that threaten workers and the environment. Here’s how to respond.

I

n March 2019, Norsk Hydro, a leading global aluminum producer headquartered in Oslo, Norway, with operations around the world, found itself the victim of a stealth cyber attack.

Its “attacker” came in the form of a compromised email sent via an existing customer’s email address to an unsuspecting employee. The employee opened the attachment and unwittingly unleashed LockerGoga, a type of ransomware that gave an enterprising group of cyber criminals access to — and eventually control of — the entire Norsk Hydro network.

The attack was a sobering moment for all industrial companies, as it demonstrated that infrastructure systems across the globe are at significant risk of sinister cyber attacks.

According to FTI Consulting’s 2020 Resilience Barometer, 20 percent of surveyed companies reported being victims of a ransom or data hostage situation in 2019. The Barometer incorporates the views of more than 2,000 C-suite and senior manager executives from large companies across all G20 countries.

Financial Fallout

The Norsk Hydro incident was not a run-of-the-mill cyber attack. It was a calculated mission that took months to plan. The cyber criminals were able to replicate an email and corresponding attachment that a Norsk Hydro employee would expect to see, only with one major difference: The attachment contained malicious software.

This type of attack vector, social engineering, is the most common method for attempting to penetrate a company’s cyber defenses according to the Resilience Barometer. Nearly 30 percent of large companies researched reported being negatively impacted in this way in the past 12 months.

90 percent of G20 leaders surveyed believe they have cybersecurity gaps.
 

As with other cybersecurity breaches, the compromise of information systems and loss of controls in the Norsk Hydro attack exacted a high financial toll. The loss was estimated to be USD$75 million due to increased costs and reduced volumes from business disruption.1 (Norsk Hydro chose not to pay the ransom and instead attempted to continue business operations using alternative measures, like reverting to old paper systems.)

But financial damage is just one aspect of the fallout from a cyber attack to an industrial company. The potential for major safety issues, particularly in areas like chemicals and power plants, also poses significant dangers to workers while simultaneously creating environmental hazards.

Cyber Headaches On the Rise

Cyber incidents are not new; they have in fact affected industrial environments for years now. In 2014, for instance, the German Federal Office for Information Security indicated that a cyber attack had caused massive damages at steel plants in Germany.The incident resulted in systems failure at one of the plants, which prevented normal shutdown capabilities from occurring following standard procedures. The culprit? Sophisticated hackers who used a spear-phishing campaign to harvest credentials of specific users, granting them access to control systems.

What’s new in industrial environments is the audacity and variety of attacks. Spurred on by the sectors’ continued migration toward sophisticated digital technology, automation, and intelligent processes that increasingly connect erstwhile closed and stand-alone production systems, today’s cyber attackers see vulnerabilities at almost every turn. The Resilience Barometer showed that 27 percent of surveyed respondents experienced some form of cyber attack in 2019 where assets were stolen or compromised. One in four companies surveyed in the Barometer reported having experienced a cyber attack where assets where stolen or compromised in the past 12 months.

Consider last year’s attack on Nyrstar N.V., a global mining and metal processing business headquartered in Zurich, Switzerland. Although production operations continued, hackers blocked access to IT systems, databases, and email functionality, severely affecting the organization.3 In 2019, cyber criminals attacked ThyssenKrupp, one of the world’s largest steel producers, by using “organized, highly professional hacker activities,” resulting in the theft of technical trade secrets from the company’s steel production and manufacturing plant design divisions.4

Anticipating and Defending Against the Cyber Menace

What can industrial companies do to prevent ransomware attacks? Several best practices that focus on basics of cybersecurity go a long way toward implementing proper preparedness planning. These best practices include:

• Regular employee training and communication
• Internal systems that identify and filter out suspicious emails
• System design review and testing, including how to segment and segregate devices and data
• Secure backup system and methodology
• Regular and timely maintenance of systems, such as operating system and software being patched and kept up to date.

Additionally, having an incident response plan implemented and tested prior to a ransomware attack is essential. This process involves four steps:

1. Preparation: Establish and train an incident response team. Develop appropriate tools and resources. Select and implement controls based on the results of our
risk assessments.
2. Detection and Analysis: Combine resources and tools necessary to determine the
scope, impact and appropriate response.
3. Containment, Eradication and Recovery: Prevent data from leaving the networks, and prevent further damage. Remove malicious code, actor accounts or unnecessary access. Repair vulnerabilities that may be the root cause of the incident.
4. Post-Incident Activity: Reflect on lessons learned, identify new threats and upgrade systems with better technology. Detail the cost, cause and response for the incident, along with steps that should be taken to prevent future incidents.

Integrating Cyber into Risk Management Programs

Critical infrastructure entities that proactively take measures against ransomware attacks will not only be able to better serve their customers and protect their brands and reputations, but they will also reduce legal risks, ensure business continuity and preserve their intellectual property.

In industrial environments, protection against cyber attacks should be fully integrated into a corporation’s risk assessment and mitigation program. Compromised systems and the loss of controls may otherwise result in the destruction of critical assets and have catastrophic safety and environmental consequences.


NOTES:
1: https://www.computerweekly.com/news/252467199/Norsk-Hydro-cyber-attack-could-cost-up-to-75m
2: https://www.bbc.com/news/technology-30575104
3: https://im-mining.com/2019/01/23/mining-metals-processor-nyrstar-hit-cyber-attack/
4: https://www.reuters.com/article/us-thyssenkrupp-cyber/thyssenkrupp-secrets-stolen-in-massive-cyber-attack-idUSKBN13X0VW

Published April 2020

© Copyright 2020. The views expressed herein are those of the authors and do not necessarily represent the views of FTI Consulting, Inc. or its other professionals.

About The Authors


Jordan Rae Kelly
jordan.kelly@fticonsulting.com
Senior Managing Director & Head of Cybersecurity, Americas
Forensic & Litigation Consulting
FTI Consulting

Bertrand Troiano
bertrand.troiano@fticonsulting.com
Managing Director
Global Mining & Metals, Corporate Finance & Restructuring
FTI Consulting

Share This

Related Articles

  • Lessons Learned from Cyber Attacks in the Industrial Sector

    All Hands on Deck: Malware Is Infecting Cargo Vessels Arriving in the United States
    It’s time for the U.S. maritime industry to wake up to the dangers posed by ships docking in our ports that have inadequate (or nonexistent) cybersecurity measures. Here, in the first of four articles for National Critical Infrastructure Security and Resilience Month (November), FTI Cybersecurity looks at this unrecognized crisis.

  • Lessons Learned from Cyber Attacks in the Industrial Sector

    Cybersecurity Expertise: From the White House to the C-Suite
    Anthony J. Ferrante, FTI Consulting’s new Head of Cybersecurity in the Global Risk & Investigation Practice, addresses the growing cybersecurity threats affecting U.S. businesses today.

  • Lessons Learned from Cyber Attacks in the Industrial Sector

    Quiz: How Vulnerable is the Power Grid to Cyber Attack?
    It’s only a matter of time before the U.S. power grid comes under cyber attack by hostile nation-states or rogue hackers. Yet the electric utility industry is remarkably unprepared. What’s holding the industry back? Find out by taking our revealing true or false quiz.

Latest Articles

Related Articles

  • Lessons Learned from Cyber Attacks in the Industrial Sector
    All Hands on Deck: Malware Is Infecting Cargo Vessels Arriving in the United States
    It’s time for the U.S. maritime industry to wake up to the dangers posed by ships docking in our ports that have inadequate (or nonexistent) cybersecurity measures. Here, in the first of four articles for National Critical Infrastructure Security and Resilience Month (November), FTI Cybersecurity looks at this unrecognized crisis.
  • Lessons Learned from Cyber Attacks in the Industrial Sector
    Cybersecurity Expertise: From the White House to the C-Suite
    Anthony J. Ferrante, FTI Consulting’s new Head of Cybersecurity in the Global Risk & Investigation Practice, addresses the growing cybersecurity threats affecting U.S. businesses today.
  • Lessons Learned from Cyber Attacks in the Industrial Sector
    Quiz: How Vulnerable is the Power Grid to Cyber Attack?
    It’s only a matter of time before the U.S. power grid comes under cyber attack by hostile nation-states or rogue hackers. Yet the electric utility industry is remarkably unprepared. What’s holding the industry back? Find out by taking our revealing true or false quiz.

Latest Articles

It looks like you're enjoying this article. If you'd like to receive email updates from the FTI Journal, please consider subscribing.
The views expressed in this article(s) are those of the author and not necessarily those of FTI Consulting, Inc., or its professionals.
©Copyright, FTI Consulting, Inc., 2012. All rights reserved.

https://www.ftijournal.com/article/lessons-cyber-attacks-industrial-sector