Norsk Hydro took a blow, but they probably had a plan

Suvi-Maria Saarilehto

Technology Sales Manager

April 29, 2019 at 09:32

We cannot know for sure what goes on at Norsk Hydro and how they have proceeded in their process. But who doesn’t enjoy good old speculation.

In March 2019, Norwegian aluminum manufacturer Norsk Hydro got hit by a major ransomware attack. The company had to shut down some of its plants and it had to run its operations manually for several weeks. However, Norsk Hydro was praised by the cybersecurity community for its quick and factual crisis communication.

Norsk Hydro is a global aluminum company with 35,000 employees in 40 countries. When a cyber attack hits a company of this scale and the communications are precise and clear, we can assume that they have trained their crisis management procedures. They knew that if a cyber attack hits the company, processes A, B, and C will be launched. They had decided who is to do what and when.

Incident Response Platform running on the background?

As the actions of this Norwegian company were so prompt and precise, they must have had some type of Incident Response Platform (IRP) running on the employee computers with the relevant specifications made. For example, if hackers lock their computers, the system automatically alerts the IT specialists, communication specialists, and third parties, and shows them their predefined tasks and response times.

The platform can also handle part of the routine tasks automatically without anyone touching them. This helps to avoid the unnecessary hassle of trying to figure out the correct course of action when an information security incident occurs.

In a company like Norsk Hydro, cyber attacks are thus foreseen and a highly automated and well-documented process has been defined to prepare for the attacks.

Instead of blaming someone, the required actions have been agreed upon in advance and the process is clearly documented in the tool. When the company is hit by an attack, everyone knows what is going on and what they must do next.

Automatic documentation

Cyberattack is often followed by a criminal investigation or at least some kind of official report needs to be done. How can you ensure that your company has a clear documentation of the measures taken?

One of the advantage of Incident Response tools is that they can take care of this automatically. They document the measures taken, with dates and times, and they sort out the measures that are connected to the company’s own processes from the ones that are caused by criminals. As a result, a so-called “audit trail” is created. This means that nobody has to record the events in a hectic emergency situation. Nobody has to try to recollect later on what each person did, either.

The automatic documentation system enables the company to prove that it has taken the correct measures. And in case deficiencies are detected, it is easy to learn from the mistakes made when all actions have been recorded.

Instead of creating complicated Excel sheets, specific responsibilities are defined for the key roles in the IRP. When an employee starts working in a certain role, the platform gives them control of the actions required. Large companies are complex and thus, when a cyber crisis hits, one can rely on the automatic platform to point out who must react and when. IRP is connected to other company tools so that most of the tasks can be executed in one view without jumping from one application to another.

Everyone should have a plan

At the moment, companies are frantically trying to figure out how they could prepare for cyber attacks without excessively burdening the personnel with the matter. Cyber attacks of various levels occur very frequently and companies spend a lot of time investigating each event individually. However, these tasks can be automated by utilizing IRP’s.

Hydro got into a situation where all its systems were down and computers could not be connected to the network. In this kind of situation, nobody wants to start giving out tasks of calling the service provider and requesting them to... Well, what should they do first? What if the service provider does not answer? And who was the person in charge there again? When cyber attacks are anticipated and the models of operation have been agreed upon with all parties in advance, responsibility is shared between several parties as well.

All companies should have answers to these questions: How have we prepared? What is our plan?

If you have trained for potential attacks and your plan is up-to-date, you can just sit back and listen to the news regarding cyber attacks. Accidents happen and new types of crimes occur, but you can always prepare for a rainy day. And after that you can focus on other, more inspiring, matters.

When my friend got her driving license, her father gave her a disposable camera (this was before phones had cameras). “If you get into an accident, don’t worry”, he said to her daughter. “You just need to take photos with this camera and call the insurance company”. Although my friend’s everyday life surely was eventful, she became a confident driver—due to the disposable camera in her car’s glove compartment. In case something might happen, she always had a plan.


DO YOU ALREADY HAVE PLAN X? Having a plan B is always a good idea, even when it is something you don’t want to resort to—particularly in information security where plan A should work. Do not wait for plan B to kick into action, implement plan X. Read more at:

Related blogs