Norsk Hydro Cyberattacks Reinforce the Need for Device-Level Security

March 27, 2019

Last week, as reported by the Wall Street Journal, Norsk Hydro AS experienced firsthand the catastrophic consequences of modern cyberattacks. Finance chief Eivind Kallevik summed up the impact saying, “Let me be clear, the situation is quite severe. The entire computer network is down.” The level of network security in place at the time of the attack is a matter of debate. However, it is well documented across industries that security which stops at the network perimeter is insufficient against today’s attackers; indeed, the attack at Norsk Hydro appears to have been designed specifically to hit specialized computer systems, such as HMIs, jump boxes and application servers, that run on production networks “air-gapped” from the broader Internet (*). We must set a new standard of application-layer security that protects down to individual apps and devices, and that continues to protect even if the industrial network itself is compromised. Such industrial control networks are common across many industries, including those that support national critical infrastructure such as energy and utilities.

Firewall technology and methods like air-gapping became the cybersecurity norm well before the IoT was introduced. Now, however, if an attacker breaches the firewall or air gap, it is all too easy to infect entire operations (as at Norsk Hydro), because passwords on production machines are very often shared widely, left at default values, or absent altogether, leaving the machine unprotected. Without comprehensive security, as soon as malware has jumped the network-level protection, for instance by passing through or around a firewall or air gap, it can spread very rapidly and create a vicious cycle of cross-infection. Norsk Hydro’s security teams have resorted to leaving paper messages around the site reading, “please do not connect any devices to the Hydro network.” This is to diminish the threat of transient devices, like Norsk Hydro employees’ cell phones or laptops, becoming infected or reinfecting recently purged systems.

There is also a chance that air-gap approaches could actually increase the consequences of ransomware attacks by blocking the HMIs and other Windows machines in the production network from accessing up-to-date security information such as code-signature revocations. Either way, truly comprehensive operational security can only be achieved by protecting every single device, transient or otherwise, and every interaction within a company’s operational scope. The Xage Enforcement Point (XEP) delivers such universal protection across industrial operations, whether modern or legacy. XEP protects every device and every interaction, providing modern access control and in-field identity management while eliminating the prospect of disrupting (or worse yet, ripping out) vulnerable existing infrastructure.

(*) Unusually, the Norsk Hydro malware generated its encryption keys locally on the compromised host rather than pulling them from a remote server controlled by the attacker on the Internet, and it did not link back to an Internet-based command-and-control (C&C) server to take ransom payment, relying instead on the victim sending an email by hand to arrange payment. The malware was designed to work even absent an Internet connection.
Also, the malware was code-signed. These signatures were revoked soon after the attack started; however, the machines behind the air gap may not have been able to reach the Internet to discover that the signatures were no longer valid. In this case, the air gap may actually have made the whole operation more vulnerable by blocking access to up-to-date revocation information.
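The footnote's point about revocation deserves a concrete look at how a verifier actually decides. A code-signature check has two parts: is the signature cryptographically valid, and is the signer still trusted (not revoked)? An air-gapped host can do the first entirely offline, but the second needs revocation data that must come from outside. The following is an added illustration, not code from Xage, Norsk Hydro or any real verifier: it models a host holding a cached certificate revocation list (CRL) and shows three situations a defender should distinguish, namely a cached CRL that is still within its validity window but predates the revocation (both "soft-fail" and "hard-fail" policies allow the binary), a cached CRL that has gone stale (soft-fail still allows, hard-fail blocks), and an online host with a fresh CRL (blocked). HMAC stands in for the real asymmetric code-signing primitive so the example runs offline with the standard library only; the serials, keys and dates are constructed.

```python
"""Revocation checking behind an air gap: soft-fail vs hard-fail policies.

Added example (not from the original post). HMAC is a stand-in for the
real code-signing signature; the revocation logic is independent of the
primitive. All serials, keys and timestamps below are constructed.
"""
import hashlib
import hmac
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass
class SignedBinary:
    name: str
    payload: bytes
    signer_serial: str   # serial of the signing certificate
    signature: bytes


@dataclass
class CRL:
    issued: datetime
    next_update: datetime     # after this the CRL is considered stale
    revoked_serials: set


# Constructed signer keys (serial -> key). In a real PKI these would be the
# public keys in the signing certificates; HMAC keys are a stand-in here.
SIGNER_KEYS = {
    "SERIAL-VENDOR-0001": b"constructed-vendor-key",
    "SERIAL-STOLEN-0002": b"constructed-stolen-key",
}


def sign(serial: str, payload: bytes) -> SignedBinary:
    """Produce a 'signed' binary under the given signer serial (stand-in)."""
    sig = hmac.new(SIGNER_KEYS[serial], payload, hashlib.sha256).digest()
    return SignedBinary(name=f"bin-{serial}", payload=payload,
                        signer_serial=serial, signature=sig)


def signature_valid(binary: SignedBinary) -> bool:
    """Part one of the check: does the signature match the payload? Offline."""
    key = SIGNER_KEYS.get(binary.signer_serial)
    if key is None:
        return False
    expected = hmac.new(key, binary.payload, hashlib.sha256).digest()
    return hmac.compare_digest(expected, binary.signature)


def verify(binary: SignedBinary, crl: CRL, now: datetime, policy: str):
    """Part two: is the signer still trusted, given the CRL this host holds?

    policy is 'soft-fail' (stale or missing revocation data is treated as
    'not revoked') or 'hard-fail' (stale data blocks execution).
    Returns (allowed, reason).
    """
    if not signature_valid(binary):
        return False, "bad signature"
    if binary.signer_serial in crl.revoked_serials:
        return False, "signer revoked"
    if now > crl.next_update:
        # The host could not fetch a newer CRL (e.g. it sits behind an air gap).
        if policy == "soft-fail":
            return True, "stale CRL; soft-fail allows execution"
        return False, "stale CRL; hard-fail blocks execution"
    return True, "signature valid; signer not revoked per current CRL"


def run_scenario() -> dict:
    """Replay the timeline: CRL cached, then attack, then revocation."""
    t0 = datetime(2019, 3, 12, tzinfo=timezone.utc)      # constructed date
    cached_crl = CRL(issued=t0, next_update=t0 + timedelta(days=7),
                     revoked_serials=set())
    # Issued after the attack begins; only an online host receives it.
    fresh_crl = CRL(issued=t0 + timedelta(days=1),
                    next_update=t0 + timedelta(days=8),
                    revoked_serials={"SERIAL-STOLEN-0002"})
    malware = sign("SERIAL-STOLEN-0002", b"constructed malicious payload")
    legit = sign("SERIAL-VENDOR-0001", b"constructed vendor update")
    tampered = SignedBinary(legit.name, b"modified payload",
                            legit.signer_serial, legit.signature)

    day2, day9 = t0 + timedelta(days=2), t0 + timedelta(days=9)
    return {
        # Cached CRL still within its window: revocation latency hits both policies.
        "airgap_day2_soft": verify(malware, cached_crl, day2, "soft-fail")[0],
        "airgap_day2_hard": verify(malware, cached_crl, day2, "hard-fail")[0],
        # Cached CRL has gone stale: only hard-fail stops the binary.
        "airgap_day9_soft": verify(malware, cached_crl, day9, "soft-fail")[0],
        "airgap_day9_hard": verify(malware, cached_crl, day9, "hard-fail")[0],
        # Online host with the fresh CRL blocks it immediately.
        "online_day2": verify(malware, fresh_crl, day2, "hard-fail")[0],
        "legit_online_day2": verify(legit, fresh_crl, day2, "hard-fail")[0],
        "tampered": verify(tampered, fresh_crl, day2, "hard-fail")[1],
    }


if __name__ == "__main__":
    for case, result in run_scenario().items():
        print(f"{case:20s} -> {result}")
```

The middle case is the one the footnote is really about: a host that cannot reach the Internet keeps trusting its cached revocation data for as long as that data claims to be valid, and a soft-fail verifier keeps trusting it indefinitely after that. Shipping revocation updates into the production network by an approved path, and configuring verifiers to hard-fail on stale data, narrows that window; application-layer controls on each device do not depend on it at all.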
