
Norsk Hydro Cyberattacks Reinforce the Need for Device-Level Security

March 27, 2019

Firewall technology and methods like air-gapping became the cybersecurity norm well before the IoT was introduced. Now, however, once an attacker is past the firewall or air-gap, it is all too easy to infect an entire operation (as happened at Norsk Hydro), because passwords for production machines are very often shared widely, left at default values, or absent altogether, leaving the machine unprotected. Without comprehensive security, as soon as malware has jumped the network-level protection – for instance by passing through or around a firewall or air-gap – it can spread very rapidly and create a vicious cycle of cross-infection. Norsk Hydro’s security teams have resorted to leaving paper messages around the site reading, “please do not connect any devices to the Hydro network.” This is to diminish the threat of transient devices, like Norsk employees’ cell phones or laptops, becoming infected or reinfecting recently purged systems.

There is also a chance that air-gap approaches could actually increase the consequences of ransomware attacks by blocking the HMIs and other Windows machines in the production network from accessing up-to-date security information such as code-signature revocations (*). Either way, truly comprehensive operational security can only be achieved by protecting every single device – transient or otherwise – and every interaction within a company’s operational scope. Xage Extended Protection (XEP) delivers such universal protection across industrial operations, whether modern or legacy. XEP protects every device and every interaction, providing modern and powerful access control and in-field identity management while eliminating the prospect of disrupting (or worse yet, ripping out) vulnerable existing infrastructure.


(*) Unusually, the Norsk Hydro malware generated encryption keys locally on the compromised host rather than pulling them from a remote, attacker-controlled server on the Internet, and it does not connect back to an Internet-based command-and-control (C&C) server to take ransom payment, relying instead on the victim manually emailing the attacker to arrange payment. The malware was designed to work even without an Internet connection.
Also, the malware was code-signed. These signatures were revoked soon after the attack started; however, the machines behind the air-gap may not have been able to reach the Internet to discover that the signatures were no longer valid – in this case, the air-gap may actually have made the whole operation more vulnerable by blocking access to up-to-date signature information.
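The revocation point above is worth making concrete on the Windows HMIs the post mentions. The following is an added example, not code from Xage or from this post: it verifies an executable's Authenticode signature, then rebuilds the signer's certificate chain with online revocation checking and rejects the file when the revocation status cannot be determined (the air-gapped case), rather than silently treating an unreachable CRL/OCSP endpoint as a pass. The file path is a placeholder.

```powershell
# Added example (not from the original post). Verifies an Authenticode-signed file and
# fails closed when the signer's revocation status is unknown, e.g. because the host
# has no route to the CA's CRL/OCSP endpoints.
param([string]$Path = 'C:\placeholder\installer.exe')   # placeholder path, assumption

$sig = Get-AuthenticodeSignature -FilePath $Path
if ($sig.Status -ne 'Valid') {
    Write-Output "REJECT: signature status is $($sig.Status)"
    return
}

# Build the signer's chain ourselves so that revocation is checked for the entire chain.
$x509 = 'System.Security.Cryptography.X509Certificates'
$chain = New-Object "$x509.X509Chain"
$chain.ChainPolicy.RevocationMode      = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
$chain.ChainPolicy.RevocationFlag      = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
$chain.ChainPolicy.UrlRetrievalTimeout = [TimeSpan]::FromSeconds(15)
$built = $chain.Build($sig.SignerCertificate)

# Fold every reported status flag into one flags value (NoError when the chain is clean).
$flags  = [System.Security.Cryptography.X509Certificates.X509ChainStatusFlags]
$status = $flags::NoError
foreach ($s in $chain.ChainStatus) { $status = $status -bor $s.Status }

if ($status.HasFlag($flags::Revoked)) {
    Write-Output "REJECT: signer certificate has been revoked"
} elseif ($status.HasFlag($flags::RevocationStatusUnknown) -or $status.HasFlag($flags::OfflineRevocation)) {
    # The air-gap case: the CRL/OCSP endpoint could not be reached. Fail closed.
    Write-Output "REJECT: revocation status could not be determined (offline?) - treating as untrusted"
} elseif (-not $built) {
    Write-Output "REJECT: chain did not build: $status"
} else {
    Write-Output "ACCEPT: signature valid and revocation status confirmed"
}
```

On a host with no Internet access, the check only passes once a current CRL has been delivered out of band and imported into the local certificate store (for example with certutil -addstore), which is exactly the upkeep an air-gap makes easy to neglect.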

Learn more about Xage’s Security Suite.