Podcast: The High-Risk Threats Behind the Norsk Hydro Cyberattack

ransomware Norsk Hydro

Threatpost talks to Phil Neray with CyberX about Tuesday’s ransomware attack on aluminum producer Norsk Hydro, and how it compares to past manufacturing attacks like Triton, WannaCry and more.

Norway-based Norsk Hydro announced on Tuesday morning it was victim to a ransomware attack, which forced the global aluminum producer to shut down or isolate several plants and send several more into manual mode, the company said on Tuesday morning.

The cyberattack, first detected by the company’s IT experts around midnight Norwegian time, has left the aluminum producer struggling to maintain operations despite shutting down some plants and going into manual mode for others.

While ransomware attacks are nothing new, the stakes are much higher when these types of attacks target manufacturing firms, said Phil Neray, the VP of Industrial Cybersecurity at CyberX.

“We’re seeing a classic ransomware attack that we’ve seen on corporate IT networks targeting this manufacturing facility… In addition to having to pay the ransom, which a CEO will be more likely to pay in the case of an attack on a production facility, there are also other issues, losses due to materials that they had in process,” he said.

Threatpost talked to Neray about what kinds threats and fallout Norsk Hydro is facing – and how manufacturing firms can be proactive in avoiding a similar cyberattack.

Below is a machine transcription of the podcast, which can also be downloaded here.

Lindsey O’Donnell: Welcome to the Threatpost podcast. I’m Lindsey O’Donnell with Threatpost. And I’m here today with Phil Neray, the VP of industrial cybersecurity at CyberX. Phil, how’s it going?

Phil Neray: It’s going great, Lindsey, Thanks.

LO: Good. Good. Can you just to start, tell us a little bit about yourself and CyberX? I know you guys are an industrial control system security firm, can you give us some details?

PN: Yeah, sure. So I’ve been in the security industry for a while now. And I joined CyberX a couple of years ago, we were founded to specifically address security for industrial control system networks, some people also call them OT networks to differentiate from IT networks. Some people refer to them as SCADA networks. And now more recently, the term IIoT – industrial Internet of Things – has crept into the conversation. But overall, the area that we’re addressing is security for the networks that run our plants, that run our power generation facilities. The networks that are separate from the corporate IT networks but that are used by manufacturing companies, or energy companies or oil and gas companies or pharmaceutical companies, to run their production operations.

LO: Well that’s very relevant today because we have some big news that the security industry has really been looking at: this morning aluminum producer Norsk Hydro announced that it had fallen victim to a serious ransomware attack, which essentially forced it to shut down several plants and then send send several other operations into manual mode. And for our listeners who who don’t know, Norsk Hydro is based in Norway, and it’s one of the world’s biggest makers of aluminum. So it employs over 35,000 people I think I saw and it’s running in 40 different countries.

So Phil, I’m really curious to hear your thoughts on this particular cyber attack especially given that it is a manufacturing company. Just off the bat was there anything that really stuck out to you when it was first announced this morning?

PN: Well what’s interesting is we’ve seen prior attacks on manufacturing companies specifically with WannaCry and NotPetya, these were initially thought to be ransomware attacks, and WannaCry was a ransomware attack but NotPetya was really more of a destructive cyber attack. But what those attacks did is they woke up the C-level and the boards of directors of industrial and critical infrastructure companies to the fact that cyber attacks aren’t just about stealing sensitive information or PII. But they can actually bring down production operations and cause serious losses and we saw with NotPetya hundreds of millions of dollars in losses reported by public companies which you know again woke people up to the fact that they needed to do more to ensure that the security of these networks was stronger than than it is today. What’s interesting about this one is it’s one of the first known ransomware attacks on production facilities that are actually intended to to shut down operations and then money from the victim organization.

And really it was only a matter of time before we would see that it makes sense if you’re cyber criminal that you would target a manufacturing company that might lose millions of dollars a day in downtime rather than, certainly, a consumer PC and even, you know, corporate PCs on the IP network, which of course, when those machines get compromised, it does impact the organization, but not in the way that an attack on a production facility will impact the organization.

We have also seen Triton, which was the cyber attack on a petrochemical facility in Saudi Arabia, which was intended to shut down the safety controllers in the plant. By mistake the attackers shut down the plant prematurely which also caused downtime and losses, but not as bad as if they’d actually achieved what we think is their intended objective was, to turn off the safety systems and then launch a second attack that would cause destruction of the plant and possible loss of human life and environmental damage. So we’ve seen those attacks in the past.

But now we’re seeing a classic ransomware attack that we’ve seen on corporate IT networks targeting this manufacturing facility. In addition to having to pay the ransom, which a CEO will be more likely to pay in the case of an attack on a production facility, there are also other issues, losses due to materials that they had in process – so that would apply to metals or chemicals or pharmaceuticals where you’ve got batches of materials that are going through a process. If the system, if this plant gets shut down in the middle of those you’ve got additional cleanup costs to to deal with the materials that were in process, maybe you have to discard them. And then there’s also the risk of environmental or safety issues. If you’re dealing with chemicals or, you know, metals that have been heated to a high temperature, that’s an additional risk that you have to worry about.

LO: Yeah, that’s a really, really good point because I feel like manufacturing firms all already kind of have this high risk of having that downtime that they might have to deal with under this type of cyberattack or also any type of attack I guess. But on top of that there’s the element of even just human safety, which luckily I think the company said that there hasn’t been any safety incidents related to this yet, but, that’s definitely kind of at the top of everyone’s mind. Now I’m curious to I mean, you mentioned WannaCry and NotPetya – what’s the difference there in what an attacker would want to achieve if they were going all out and using a wiper, trying to take down operations as opposed to a ransomware attack? Do you see attackers kind of leaning in one direction versus the other when it comes to kind of what kind of attack they would launch on a manufacturing company?

PN: Yeah, that’s a great question. I mean, it depends on the adversary in the case of NotPetya. We now know, it was Russian threat actors that initially targeted the Ukraine but because the way these networks are interconnected inside a given organization, once they had compromised machines in the Ukraine, the malware quickly spread to all other systems in the corporation around the world. That’s what we saw with NotPetya. But again it was destructive ransomware, there was no real intent to get money and decrypt the files. As compared to this situation here where it’s clear that they’re using a common form of malware, we’ve seen it in other organizations and they’re looking for Bitcoin as a ransomware payments.

I think the thing that makes manufacturing organizations particularly susceptible to this, there’s really two aspects. One is a technological one and the other is organizational. From a technological point of view, these manufacturing networks are running devices that were designed in some cases 15 or 20 years ago when security was not a high priority. They have many connections to the IT network – ones often that organizations aren’t even aware of. So once the malware has reached the IT network and very quickly spreads to the OT network, often using SMB file shares, which was the case with NotPetya. And I’m pretty sure if it’s the form of malware that folks have been talking about for this situation, it was a similar kind of situation where the malware looks for network shares, and then spreads that way.

So number one, there’s not been a lot of attention paid to security and manufacturing networks. Often the minimum they have is a firewall. But as I said, often there are also other connections between IT and OT that people don’t know about that can bypass the firewall. And there are also lots of ways to go through the firewall, especially if you have file sharing enabled which you often have to have to run the operation, so the malware can very quickly spread that way. The other thing that’s particularly important for manufacturers and industrial organizations is that we’re now adding more and more devices to these networks – that’s where the industrial Internet of Things comes into play with more sensors, and more controllers, so that organizations have better information about what’s going on in their operations. They have better real time information. And they can use analytics to optimize their operations and to do predictive maintenance, for example, to predict when equipments going to be failing. So that increases the attack surface even further and increases the connectivity between IT and OT networks and therefore makes it much easier for attackers’ malware to go from one network to the other, right?

LO: Can you walk us through what a typical attack vector would be for this type of scenario when it’s used through it going into operational technology, just starting with with the biggest initial threat? Is it phishing emails or malicious emails or insider threats?

PN: The most common attack vector is phishing emails. It just takes one employee who’s maybe not paying attention to click on a link or open a document and be infected with malware. And then again, given the hyper connectivity we have across all organizations, and especially between IT and OT, the malware quickly spreads from that one employees desktop to all the other machines and to all the other plants around the world. That’s why it’s spread so quickly within an organization and not just that it’s not simply isolated to one location.

LO: I know that in their press conference this morning, Norsk Hydro had mentioned that one of the first things that they were working to do is really isolating all their plants globally to make sure that the virus doesn’t spread from one plant to the other. So I think that’s a big concern when when something like this occurs is that fast rapid spreading.

PN: It’s kind of a paradox of the way we run our networks nowadays that more connectivity is required to optimize up the operations. But the downside of that connectivity is it increases the attack surface and the risk.

LO: And then can you talk a little bit about kind of how an infection would get from the IT side to the OT side?

PN: Yeah, sure. I mean, there’s a couple ways that an attack can spread from IT to OT in the case of a targeted attack. If we take the case of the Triton attack on the petrochemical facility in Saudi Arabia, what we believe that what happened was, there was a phishing attack or some type of attack on the IT side that allowed the attackers to steal the privileged credentials for an employee. It could also be many of these organizations have third party companies that perform maintenance on the OT equipment and they also have privileged credentials to get remote access to these networks if they need to change software or updated configuration, they can do it remotely.

So a phishing attack on a third party or a phishing attack on an employee will result in the attacker having credentials so they can remotely access the LTE network. And that could be either going from the IP network through the firewall to the OT network using these stolen credentials, or it could be a third party that typically comes in through a VPN connection. But again, using stolen credentials, the attacker can then come in and connect directly to the OT network and do the bad things that they want to do. Right, in the case of Triton, the attackers were quite sophisticated, they developed specific malware that targeted the devices in that environment. So they must have been in the environment for months at a time before they actually deployed their malware. That’s why it’s really important to have continuous monitoring in place so that you can quickly spot any suspicious or unauthorized activity that will indicate an attacker is in your environment. The trick is how do you quickly spot the intrusion and quickly isolate it and and stop the attack before it causes any destruction. So that was in the case of the Triton attack. It was stolen credentials used through in the case of Triton RDP – Remote Desktop protocol – connection to connect from IT to OT. a

And in that case, the other aspect that comes into play is an organizational aspect. The IT and the OT security teams typically have been separate, have been in silos. And in the case of the Triton attack, it’s clear that there was an issue – it wasn’t clear who was responsible or accountable for security in the OT network. Typically, it has not been IT security in the past, although increasingly it now is the OT folks typically who are more concerned with running their equipment than with making sure that security is okay. And sometimes it’s the automation vendor or the systems integrator who may not have the best skills when it comes to cyber security. So that apart from the technological issues that make these companies vulnerable, there’s also organizational issues that need to be addressed.

LO: Yeah, I think that that’s a really good point about the cultural aspect there between IT and the OT teams because it definitely is kind of a big difference within these workplaces. Going off what you were saying about having those monitoring types of solutions, how can manufacturers be proactive in adopting certain types of solutions or, deploying network segregation or, looking to better integrate these two types of IT and OT teams – what’s what’s your top suggestions there?

PN: Well, from an organizational point of view, what we’re seeing now is that the CISO is increasingly being held accountable for security of both the IT and OT side and it really makes sense, right? Digital risk is digital risk. It doesn’t really matter if it’s on the IT side or the OT side. The board wants to know that there’s a single person typically so that could be the CIO and a single organization that’s accountable for digital risk across the organization. With respect to implementing these new types of systems they didn’t exist until a few years ago. And so the idea that you can continuously monitor all activity on your own IT network and spot unauthorized or suspicious activity is a key factor and it means that organizations can now implement these solutions without any impact on the network. In the past solutions like this that were proposed might have affected the performance or the reliability of the network but these new types of solutions have a purpose built for OT, and have absolutely no impact on the network and are a great way to continuously monitor. You can think of them as a CCTV cameras … continuously monitoring all activity and looking for something that needs to be investigated.

With respect to segregation that’s another important aspect for increasing the security of OT networks. In many cases, we found that an attacker gets into the OT network, it’s very easy for them to move around and compromise additional devices. We’ve also found that the majority of these networks are still using plain text passwords. So any attacker that gets into the environment can sniff the traffic and use those passwords to compromise other devices.

LO: Wow, that’s pretty crazy.

PN: And we’ve also found that many of them are still running older versions of Windows, about half of all the sites that we’ve assessed – industrial organizational sites, production environments – half of them are still running older versions of Windows like Windows XP that don’t even receive patches anymore from Microsoft.

LO: Wow.

PN: So that’s another important challenge. Now, these organizations realize they can’t fix all the vulnerabilities at the same time. There’s just too many. Certainly the embedded devices like the controllers are often not patched. But the trick is to prioritize mitigating the vulnerabilities that would affect your most important processes in the plant.

Some people call these your “crown jewels.” So the trick is to identify your crown jewels, which might be the production line that generates the most revenue for your organization. It might be the production line whose compromise would result in a serious safety or environmental incident – so identify those crown jewels and then to look for the most likely paths than an attacker would take to compromise those crown jewel assets. And then look for various ways of mitigating the risk that could include better segregation and separation between networks as well as continuous monitoring so that even if the attackers do get in you can spot them in the various phases before they do any damage.

LO: Do you think that a lot of manufacturing firms at this point are aware of those types of steps that they need to take? What’s kind of the awareness level here about these security issues that a lot of firms are facing?

PN: So the the awareness level has dramatically increased, I would say, in the last 12 months. We’re increasingly involved in many, many initiatives across all of the industrial verticals where typically it’s a top down initiative driven by the board and the C-levels to increase security. I’ve certainly this incident with Norsk Hydro will help raise visibility, although it’s unfortunate for Norsk Hydro, but it will help raise visibility that that these attacks can actually cause a huge impact on the production on the bottom line.

There’s still some organizations that are in the mode of thinking, “it won’t happen to me.” And we saw the same thing 10 or 15 years ago with data breaches where for many, for a long time, a lot of organizations were thinking the same: “I don’t have to worry I’m not going to focus budget and people resources on addressing this issue.”

Increasingly, organizations, all modern organizations put a big focus on security for the corporate networks. We’re seeing the same thing happening here with OT networks, but it’s not true for all organizations. I think it’ll take a few more years before all of them realize this is a key aspect of managing business risk, right?

LO: Well, I hope that the awareness increases and it doesn’t have to take something like this to happen for for that to happen.

PN: Yes, I’m with you on that.

LO: Well, Phil, thanks so much for joining us today. Great discussion. You made a lot of really good points about the state of security and manufacturing and how manufacturing firms can be proactive and trying to resolve some of these issues.

PN: My pleasure Lindsay was it was great talking to you.

LO: Great and again this is Lindsey O’Donnell with Threatpost here with CyberX’s Phil Neray, and listen in for the Threatpost podcast, every week on iTunes.

Suggested articles