This is a question we often hear from concerned Customers who call us to talk about OT/ICS cyber security to protect factory networks and systems in both industry and utilities.

We now have the figures for how much the incident of a few months ago cost Norsk Hydro across the first and second quarters of 2019 (on page 9 of its Q1 2019 quarterly report, available online at https://www.hydro.com/Document/Index?name=Report%20Q1%202019.pdf&id=71833): between 50 and 60 million euros.

“… The cyber attack that hit Hydro on March 19 affected our entire global organization, where the Extruded Products Division (aluminum) suffered the most significant operational challenges and financial losses.

The overall financial impact of the cyber attack is estimated at NOK 300-350 million (about 30-35 million €) in the first quarter. The financial impact for the second quarter is estimated at approximately NOK 200-250 million (about €20-25 million, for a total of €50-60 million).

Operations and sales recovered later in the quarter, thereby reducing the incremental financial impact. Hydro has strong cyber damage insurance with leading insurers. Hydro has not yet collected any insurance compensation…”

In addition to the material damage, there is often damage to image or reputation, which can be just as severe, if not more so.

Recall that the Norsk Hydro case filled the newspapers and was also covered in the news, because the company is one of the major aluminum producers globally; following the incident, the price of this material (widely used in many products and industrial activities) immediately fluctuated considerably on international markets.

Cyber incident and image/reputation damage

In the Norsk Hydro case, the company handled the emergency well, both technically and, above all, in managing its image. In an article, Heather MacKenzie of Nozomi Networks and Mihaela Grad of Standing Partnership explain what the company did well in managing the crisis (https://www.nozominetworks.com/blog/3-ways-norsk-hydro-kept-its-reputation-during-lockergoga-cyberattack).

When a cyber attack hits an industrial plant, the highest level of concern is normally safety.

Ensuring that production processes or systems do not endanger human lives or the environment is crucial.

The next level of concern is business continuity: keeping production running, or restarting it, so that customers can be served and financial losses minimized.

In parallel with these operational challenges, managers must work hard to protect the Company's reputation.

The people at Nozomi Networks mention the “we don't want to go to the papers” theme as one of the key factors for investing in OT/ICS industrial cybersecurity systems.

Breaches of information systems that companies handle poorly often capture the headlines, so it is comforting to see the reaction to an industrial cyber attack, namely the LockerGoga ransomware attack on Norsk Hydro, applauded by media experts.

Mihaela Grad, vice president of corporate reputation management firm Standing Partnership, identified what stands out in Norsk Hydro's response, and what lessons can be learned, if you're concerned about the potential damage a cyber-attack could have on your company's reputation.

Here is an excerpt from her recommendations.

The key steps to protect your reputation during a cyber attack

Cyber attacks on industrial companies often disrupt production and cause financial losses, and they can even damage corporate reputation if they put stress on the reactions of the CEO and Board and on decisions made under pressure, threatening to shatter shareholder and customer confidence within a few hours.

These are some questions to ask yourself:

  • Has Company Management gone to great lengths to minimize IT and OT vulnerabilities?
  • What steps did they take to contain the damage?
  • How are they handling the business disruption and their customer relationships?  

Correct answers to these questions can outweigh the immediate impact of a cyberattack.

So what should companies do to prepare and how should they respond if they are affected?

Crisis preparedness should include a few key elements:

  • a Crisis Immediate Response Plan
  • a Cross-Functional Response Team
  • Restart plans for the most probable scenarios

Considering the growing sophistication of malware that can target industrial companies, cyber attacks affecting production should be treated as one of the most likely scenarios to plan for.

Norsk Hydro's response to the recent LockerGoga ransomware attack provided a textbook example: the response needs to be immediate and, if handled correctly, it not only addresses the here and now but also focuses on restoring trust in the medium and long term and on minimizing damage to reputation.

The three key steps to be included in the crisis management strategy

 

Step 1: Be transparent

Transparency fosters trust. When your stakeholders learn about all the efforts made to prevent an attack and restore operations in the aftermath of an incident, they are more likely to give you the benefit of the doubt and continue doing business with you.

Norsk Hydro went further in being transparent: the executive team met with media and industry analysts every day for about a week after the attack, providing updates on their efforts to restore operations and answering questions from the press.

They posted daily updates on their website and social channels and offered direct access to their media and investor representatives.

No questions were off limits, from the complexity of restoring operations to the financial impact and their collaboration with law enforcement officials.

Step 2: Engage with stakeholders through normal channels

Even during a crisis, it is important to remember that your stakeholders are used to hearing from your company in different ways: it may not be enough to publish information on the website; social channels must also be kept up to date.

Press conferences and/or webcasts, even on-demand, are a good way to inform interested parties, even in different countries and time zones, if the Company is global.

Legislative representatives, local officials, trade unions and trade associations expect direct contact, even by telephone.

Step 3: Communicate frequently

A single update may not be enough.

As daunting as this may sound, it is critical to provide repeated, timely updates on the impact of the cyber attack and the steps being taken to contain it.

This demonstrates agility, integrity and transparency for external and internal stakeholders.

Part of the Company's website home page can be devoted to crisis management updates, archiving them in chronological order to show progress and continue to share developments until the aftermath of the cyber incident has passed.

Proactive detection of cyber risks and effective response to OT/ICS incidents

Nozomi Networks solutions, distributed and supported by ServiTecno, simplify the understanding and adoption of cyber security best practices, such as those outlined by the NIST Cybersecurity Framework for Manufacturing, ISA99/IEC62443, ISO 2700x, etc.

For example, the NIST Cybersecurity Framework outlines five activities/functions for cyber security: identification, protection, detection, response and recovery (Identify, Protect, Detect, Respond and Recover), which should be incorporated into all operational processes to address IT risk, also and above all in the factory.

Identification includes the discovery and management of networked assets and risk assessment, while detection includes vulnerability detection, continuous monitoring, and understanding of anomalies and events, among other functions.

The Nozomi Networks solution makes it easy to apply related best practices across multiple functions of the NIST framework.

For example, it automates the creation of an inventory of all devices connected to the network (PC, server, switch, PLC, DCS, robot, firewall, CNC/DNC, etc.), continuously monitors the OT/ICS network and quickly identifies vulnerabilities.

Adopting a reliable security framework such as NIST's, together with the advanced continuous monitoring, threat and vulnerability detection, anomaly detection and risk identification features of Nozomi Networks' SCADAguardian, allows you to integrate security into your organizational processes and improve your posture to face cyber risks and adequately protect OT/ICS networks and systems in both industry and utilities.

Some Links

Standingpartnership.com: The Complete Guide to Crisis Communications Planning

Webinar: Detect LockerGoga Ransomware with the Nozomi Networks Solution 

Blog: Breaking Research: LockerGoga Ransomware Impacts Norsk Hydro

Blog: Managing OT Risk While Protecting Your Organization's Reputation

Executive Letter: Integrating OT into IT/OT SOCs

Solution Letter: Nozomi Networks

Computer Weekly: https://www.computerweekly.com/news/252462778/Norsk-Hydro-urges-caution-as-it-counts-cost-of-cyber-attack

ServiTecno: https://www.servitecno.it/soluzione/cyber-security/