Playing by the book: Learning lessons from the attack on Norsk Hydro cyber security

One of the world’s largest aluminium companies, Norsk Hydro, was hit by an extended, targeted, ransomware cybersecurity attack last week, forcing it to shut several automated product lines, and revert for a while to manual for smelters. While the cause of the problems has been identified, the cure and resolution are taking time to implement, with one of the five business areas – extruded solutions – still facing significant challenges at the time of writing. Nonetheless, there are already several lessons that can be shared from the ongoing incident. This is not so much a commodities or finance story, or a cyber security story, or an insurance story but a communications story that feeds into the others.

Cyber security has been on my mind. That’s because I’m in the process of preparing to moderate a panel for the ICC Banking Commission annual meeting in Beijing on the subject, this time on digitisation and cyber ‘rethinking cybersecurity in a digital world’. Last year I moderated a panel at the same event (in Miami), where the preoccupation was how to survive an attack in trade.

Please forgive any tiny piece of schadenfreude creeping into my preparation this time with the Hydro attack. From a, somewhat dispassionate, distance it has been fascinating to see the issue play out live in a corporate. Play is an operative word – as whether or not the company has used what is known in the insider jargon as a ‘cyber security playbook’ is not clear. However, the calm and very visible communications process is likely to have helped the company’s stock price during the crisis. Uncertainty is the mother of speculation.

This time last year, the main takeaways from my discussions were that cybersecurity is not an IT problem, it is principally a business continuity issue (though, for sure, IT is at the heart of detection and resolution). Indeed, it is interesting to see that the main person put up to spearhead external communications at Hydro was not the CISO (chief internet security officer) but the CFO [Eivind Kallevik] and the Norwegian national security authority. That makes sense when investors and the media are watching. The CISO equivalent [chief information officer Jo De Vliegher] made appearances in Hydro’s external communications later in the week.

 

Doors to manual

It is helpful to have a glance at the timeline. The attack happened, starting in the US, in the early hours of Tuesday 19 March CET, the day after the Norway-domiciled company had publicised the appointment of a new CEO, Hilde Merete Aasheim, its first ever woman CEO, and four days after publication of its annual report for 2018 describing its first year as ‘a fully integrated and truly global aluminium company’ (with a staff of 35,000 across 40 countries). 

That first day of the attack, staff at Hydro’s main facilities and offices could not get into their systems (as the company had elected to disengage its worldwide network (WAN) for fear of further contagion), the website went down and staff arriving at work were greeted with printed notes stuck to entrance doors telling them not to switch on their computers or try to log into local networks.

The first the outside world, and people like me, saw of the unfolding crisis was the RSS feed to stock markets, an elected strategy of informing and containing risk with bald facts (pursuant to disclosure requirements): “Hydro became victim of an extensive cyber-attack in the early hours of Tuesday (CET), impacting operations in several of the company's business areas. IT-systems in most business areas are impacted and Hydro is switching to manual operations as far as possible. Hydro is working to contain and neutralise the attack, but does not yet know the full extent of the situation.” And then named contacts for media and investors.

Then came the temporary website and all external comms directed initially via Facebook. This made for interesting viewing (smiley faces were few, angry or weeping faces a little more prevalent, nonetheless, a somewhat unusual gauge of sentiment).  But the key messaging – that nobody was hurt, that the national security authorities had been called, that manual processes were in force where needed, that they were working (hard) with internal and external IT experts (naming Microsoft in particular) was repeated, giving a feeling of assurance that relevant information was being shared, that people were working around the clock to create normal running and that containment had been largely successful.

Particularly effective were the videoed corporate webinars with the CFO as the main actor giving information. These were live and recorded and available globally and from which most media articles were based (media questions were taken from an assembled audience). Reassurance was also given that paying ransoms was not an option, and the plan was to revert to backup, and that, when asked, that the company had cyber insurance. Though Kallevik initially declined to name the insurer, by Tuesday 26, the website revealed, “Hydro has a solid cyber risk insurance policy with recognised insurers, with global insurer AIG as lead”.

The Hydro website was rehoused again and a more normal looking service resumed. By Monday 25, media contacts had (serious looking) photos (as did De Vliegher), things were looking more slick. Extruded solutions was reported to be on a 60% overall production rate, and the other areas were reporting production running as normal (though primary metals and rolled products still reported a higher degree of manual operation). One full week out from the attack, on Tuesday 26, the website made the assessment that extruded solutions were running at 70-80% production, except for the building systems business unit, where operations continue to be nearly at a standstill.

 

Counting the costs

By Tuesday, the website was giving topline estimates for how much the breach has cost the company. “It is premature to give any precise or detailed overview of the financial impact at this point. Based on a high-level evaluation, the preliminary estimated financial impact for the first full week following the cyber attack is around NOK 300-350 million ($35-41 million), the majority stemming from lost margins and volumes in the extruded solutions business area,” the web statement said. How much of the final loss Hydro will claim via insurance is not clear, although with potentially no data breaches or loss other than to business operations, there should be a relatively simple process. But not all things cyber insurance are simple.

Speculation throughout was that the ransomware used is something called LockerGoga, later confirmed by the Norwegian Security Authority. It appears to be a relatively new threat that had been targeted on another corporate in January. The specifics will no doubt come out at a later stage, though there are interesting insights available on the virus online.

 

The wider view: will insurance pay?

There are similarities with the NotPetya ransomware strike on AP Moller-Maersk last year, which cost the shipping and logistics company as much as $300 million. Like Maersk, Hydro hasn’t reported any data breach or client or business data exposure, but there will be business disruption costs. The extent to which they will be paid by insurance remains a big question.

The cost of the NotPetya ransomware has been estimated by several different sources as reaching in excess of $10 billion globally in damages (ahead of the $4 billion plus estimated by WannaCry). It hit multinationals, not least TNT Express, Merck, Saint-Gobain, Reckitt Benckiser, Rosneft, state authorities such as the Government of Atlanta and the snack food company Mondelez. This last is becoming a test case for the insurance industry.

In January, Mondelez announced it would sue insurers Zurich (for $100 million) after the snack food company’s claim on its 2017 attack was turned down on the grounds that the NotPetya infection (estimated to have cost Mondelez over $188 million) was ‘an act of war’. There is a lot at stake for the insurers. The US and UK authorities have both blamed Russia for the genesis of the attack. As an act of war, the cyber insurance industry could be off the hook for that particular type of ransomware payouts.

Whether LockerGoga cases go the same way is far too early to say. But if state action underlies cyber crime attacks (and there are many other instances where both hardware and software have allegedly been compromised by state activity), this becomes a whole different ball game for what steps companies and banks can take to mitigate cyber risk. It will be interesting to see whether playing by the playbook works in the long run.

 

Now time to get up to speed on the markets.
    Here's our exclusive TXF Essentials subscriber content

Global export finance 2018: The complete ECA deal digest
From JBIC ranking as the most active ECA in 2018 to another good year for ECA-backed shipping, TXF digests and analyses the most prevalent trends from our global export finance report for 2018, so you don't have to.

A sigh of relief for trade insurance market as PRA time bomb defused
Successful lobbying by trade finance insurers, lawyers, banks and industry bodies has helped the sector dodge the danger of a PRA consultation paper that could have nearly shut down trade credit insurance as we know it. Will the industry get a taste for acting together?

Top trends in export finance 2019
What are the top export finance trends of 2019? From an increasing appetite for deals in developing markets to embracing sustainability, our resident experts articulate it all to the backdrop of a sublime time-lapse cartoon sketch.

UKEF takes both sides in Iraq power struggle
The UK's ECA, UKEF, has provided financings for Iraqi power-generation projects for both GE and Siemens, as the industrial conglomerates go toe-to-toe for lucrative electricity-generation contracts in the Middle Eastern nation.

 

Plus, to top things off... the news you thought you had but didn't

Ukrlandfarming in talks for debt restructuring
Ukrlandfarming (ULF) is currently in talks with banks, export credit agencies and bond holders to restructure part of the Ukrainian agriculture group’s $2 billion debt pile…

First State nears refi on two Iberian wind portfolios
 First State Investments is expected to refinance the outstanding debt packages stapled to its 863MW Finerge wind farm portfolio and the 171.6MW Ancora wind farm portfolio…

Poly-GCL seeks ECA/DFI funding for Ethiopian gas pipeline
Chinese oil and gas company, Poly-GCL Petroleum, is looking to raise a blend of commercial bank and ECA/DFI-backed debt to finance construction of the $312 million…

Taweelah IWP bank mandates near
Sponsors of the $1.2 billion Taweelah desalination Independent Water Project (IWP) in Abu Dhabi – ACWA Power (40%) and Abu Dhabi's Department of Energy (DoE (60%)…

Bapco to reach full financial close next week
State-run Bahrain Petroleum Company (Bapco) is expected to reach full financial close next week on a $3.8 billion ECA-backed loan to finance the expansion of the Sitra oil refinery…

BayWa closes 66MW Italian wind portfolio financing
BayWa r.e. have sealed financing for a 66MW portfolio of wind farms in the Italian regions of Lazio and Campania. The portfolio comprises three projects: the 18MW…

Momentum Trains seals rolling stock PPP financing
Momentum Trains – a joint venture between Pacific Partnerships (48%), CAF Investment Projects (26%) and DIF Infrastructure V (26%) – sealed a DFI-backed rolling stock financing…

Metito-led consortium sounds out banks for Saudi plant
Sponsors of the West Dammam sewage treatment plant in Saudi Arabia - Metito, Mowah and Orascom - are sounding out banks over the coming months for $180 million of project debt…

Lead arranger awarded for gas-fired Guernsey power plant
Joint sponsors of the 1,650MW combined cycle gas turbine (CCGT) Guernsey power station in Ohio – Caithness Energy and Apex Power Group – have appointed Investec as…

Rebidding process for Petrobras' TAG sale nears end
The rebidding process for a 90% stake in state-owned Petrobras’ pipeline subsidiary Transportadora Associada de Gas (TAG) will end next week. A final decision is…