How to Protect Your Organization’s Network from the Dangers of the Internet
The recent cyberattack at Norsk Hydro, one of the world’s largest aluminum producers, is the latest example of the dangers of connecting industrial control systems (ICS) to the internet.
Norsk Hydro, which was forced to issue its official statements via Facebook as a result of the cyberattack, said that the attack detected last March 18 hasn’t affected the company’s power plants, as they’re running normally on isolated IT systems. The company, however, said that the cyberattack has impacted operations in several of its business areas globally because its worldwide network is down, forcing it to switch to manual operations and procedures as far as possible.
Norsk Hydro, which is headquartered in Oslo, Norway and operates in 40 countries with 35,000 employees, said the inability to connect to the production systems has caused production challenges and temporary stoppages at several plants.
In a news conference, Chief Financial Officer Eivind Kallevik said that the cyberattack on Norsk Hydro is classic ransomware, a type of malicious software (malware) designed to deny access to a computer system or its data until a ransom is paid. During the press conference and subsequent updates on Facebook, however, the company didn’t identify which specific ransomware family was used.
A spokesman for the Norwegian National Security Authority (NNSA), the state agency in charge of cybersecurity, meanwhile told Reuters that the ransomware known as LockerGoga was used in the Norsk Hydro cyberattack. Last March 19, a sample of LockerGoga was uploaded to the Google-owned site VirusTotal; another sample of this malware had already been uploaded to VirusTotal in January this year.
Analysis of LockerGoga by Trend Micro showed that this ransomware infects Windows computers either as a file dropped by other malicious software or as a file unknowingly downloaded by users visiting malicious websites. Once inside the infected computer, it encrypts specific files. It avoids encrypting Windows pre-installed files, however, so that the computer remains operable even when infected.
Once the encryption is done, the ransomware posts a ransom notice on the computer screen. The ransom note asks the victim to get in touch via email with whoever holds the decryption key needed to unlock the encrypted files. The note doesn’t specify the exact amount of the ransom payment, as this depends on how quickly the victim gets in touch with the attacker or attackers.
To assure the victim that the attackers can decrypt the encrypted files, the ransom note states that the victim can send 2 to 3 random encrypted files and these will be returned in decrypted form. This ransomware also drops copies of itself onto the affected system, thereby infecting Windows computers connected to the same network.
Cybersecurity Best Practices
A study conducted by Kaspersky Lab in the first half of 2018 found that the main source of infection for computers in organizations’ industrial network infrastructure is the internet. Contrary to the accepted cybersecurity best practice that control networks be isolated, Kaspersky Lab said, over the period from the 1st quarter of 2017 through the 1st quarter of 2018 the internet became the main source of infection for computers on organizations’ industrial networks.
The Kaspersky Lab study showed that for the period from the 1st quarter of 2017 through the 1st quarter of 2018, the average rate of infection via the internet was 23.5%, compared to 8.5% from removable media and 3.8% from emails. The study further found that for the 1st quarter of 2018 alone, 42% of all computers in organizations’ industrial infrastructure had regular or full-time internet connections; of the remaining computers, some connected to the internet no more than once a month and the rest less frequently than that.
What Norsk Hydro got right in the recent cybersecurity incident was that the company had the foresight to isolate the IT systems of its power plants from the main network. Beyond that isolation, however, the company’s IT systems don’t appear to be segmented enough; otherwise the current situation, which Chief Financial Officer Kallevik called “quite severe”, wouldn’t have happened.
It also appears that the company’s anti-malware protection isn’t robust enough. LockerGoga, in particular, had been known in the cybersecurity field for a few months. Aside from effective network segmentation and robust anti-malware protection, here are some cybersecurity best practices that will mitigate this type of attack:
- Keep your organization’s operating systems, application software and security solutions up-to-date.
- Restrict network traffic inside the organization’s operational technology networks.
- Offer cybersecurity training for employees that have access to the network.
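To make the segmentation advice above concrete, here is an added example (not Norsk Hydro’s configuration or any vendor’s tool) of a zone-based allow-list check that a defender can run over observed flows to find the paths a well-segmented network would block: control-zone hosts reaching the internet, corporate hosts reaching controllers without going through a DMZ, and workstation-to-workstation SMB, which is the kind of intra-network traffic that lets ransomware copy itself to neighbouring Windows hosts. All addresses, zone names and sample flows are constructed for illustration.

```python
import ipaddress

# Constructed zones for illustration (not any company's real addressing).
# Longest prefix wins, so "internet" only matches what no internal zone claims.
ZONES = {
    "internet":   ipaddress.ip_network("0.0.0.0/0"),
    "corp_it":    ipaddress.ip_network("10.10.0.0/16"),
    "corp_files": ipaddress.ip_network("10.10.5.0/24"),   # designated file servers
    "ot_dmz":     ipaddress.ip_network("10.20.0.0/24"),   # historian / jump hosts
    "ot_control": ipaddress.ip_network("10.30.0.0/16"),   # plant control systems
}

# Default-deny allow-list of (source zone, destination zone, TCP port).
# Workstations get SMB only to file servers, never to each other, and nothing
# reaches ot_control except the DMZ on the one protocol it needs (Modbus/TCP).
ALLOW = {
    ("corp_it", "corp_files", 445),
    ("corp_it", "internet", 443),
    ("corp_it", "ot_dmz", 443),
    ("ot_dmz", "ot_control", 502),
    ("ot_control", "ot_control", 502),
}

def zone_of(ip):
    """Most specific zone containing ip (longest matching prefix)."""
    addr = ipaddress.ip_address(ip)
    return max((z for z, net in ZONES.items() if addr in net),
               key=lambda z: ZONES[z].prefixlen)

def evaluate(src, dst, dport):
    """Return (verdict, reason) for a TCP flow under the allow-list."""
    s, d = zone_of(src), zone_of(dst)
    if (s, d, dport) in ALLOW:
        return "allow", f"{s}->{d}:{dport} is listed"
    if s == d:
        return "deny", f"intra-zone {s} traffic on {dport} is not listed (limits lateral spread)"
    return "deny", f"{s}->{d}:{dport} not in allow-list (default deny)"

def audit(flows):
    """Return the observed flows a correctly segmented network would have blocked."""
    return [(src, dst, port, evaluate(src, dst, port)[1])
            for src, dst, port in flows if evaluate(src, dst, port)[0] == "deny"]

# Constructed sample of observed flows, as taken from firewall or NetFlow logs.
SAMPLE_FLOWS = [
    ("10.10.7.21", "10.10.5.3", 445),    # workstation -> file server: allowed
    ("10.10.7.21", "10.10.7.22", 445),   # workstation -> workstation SMB: self-copy path
    ("10.30.1.8", "203.0.113.10", 80),   # control host -> internet: isolation breach
    ("10.10.7.21", "10.30.1.8", 502),    # corp -> controller directly, bypassing the DMZ
    ("10.20.0.5", "10.30.1.8", 502),     # DMZ historian polling a controller: allowed
]

if __name__ == "__main__":
    for src, dst, port, why in audit(SAMPLE_FLOWS):
        print(f"BLOCK {src} -> {dst}:{port}: {why}")
```

Running it on the constructed sample flags three of the five flows; in practice the same allow-list is what you would encode in the firewall between zones, and the audit shows where the live network diverges from it.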
You don’t have to fight cybercrime alone. Our experts are a phone call away. Please visit us today to schedule a consultation.