As ransomware stalks the manufacturing sector, victims are still keeping quiet

Two years later, Norsk Hydro’s aggressive transparency in response to its breach remains an outlier in the manufacturing sector.

Halvor Molland was asleep on a brisk night in Oslo, Norway’s capital, two years ago when his phone rang around 3 a.m.

The computer servers of Norsk Hydro, the global aluminum producer where Molland is senior vice president for communications, had seized up as a crippling ransomware infection spread through the company’s networks.

“The feeling is: You really don’t believe it,” Molland recalled in a recent interview. “There was a decision then to shut down the network altogether, because at some point there was nothing left to isolate.”

The ransomware attack would cost Norsk Hydro, which employs 35,000 people and has roughly 200 factories around the world, between $90 million and $110 million as production in some factories halted for weeks.

Yet Molland and his team did something unusual for a large industrial organization disrupted by hackers: They told the public what happened in vivid detail, releasing video interviews in which plant employees described switching to manual operations.

Two years later, Norsk Hydro’s transparency remains an outlier in a manufacturing sector that is increasingly dogged by ransomware during the coronavirus pandemic. Of 500 manufacturing sector employees in the U.S., Germany and Japan surveyed by security firm Trend Micro, 61% said they had experienced cybersecurity incidents, with many of those cases causing system outages.

Norwegian officials say Norsk Hydro’s willingness to share details of the breach has helped other companies block similar hacking attempts. But many ransomware victims, across different sectors, remain reluctant to discuss their experiences for fear of losing clients or admitting that they paid criminals in order to recover their data.

Chipping away at the stigma around publicly discussing cyber-incidents can make factory operators more secure, experts say. At stake is a public understanding of how to effectively respond to digital intrusions that are increasingly affecting manufacturers’ bottom lines.

In addition to Norsk Hydro, CyberScoop requested interviews with a dozen manufacturers in Europe and the U.S. that have reportedly had their production disrupted by ransomware incidents in the last two and a half years. Nearly all either declined to comment, did not respond or said an executive was unavailable by press time.

Now, two years after the Norsk Hydro breach made international headlines, an unrelated incident at industrial giant Honeywell shows the frustration that can arise when employees have more questions than answers. The Charlotte-based manufacturer, which reported roughly $33 billion in revenue in 2020, has so far been relatively tight-lipped about a “malware intrusion” into its networks last month.

William Malik, vice president of infrastructure strategies at Trend Micro, said transparency was important in the face of cyberthreats because “vendors need to know about vulnerabilities, firms need to know about breaches and law enforcement needs to know about ongoing attacks.”

“The issue isn’t just disclosure, but working together against a common foe – the cybercrook,” Malik said. “The bad guys don’t care which firm they attack, they just want to extort money from whomever they can. So facing a common threat, manufacturers help themselves by joining forces.”

A new kind of blue-collar problem

While competition from countries with cheap labor has long been an economic concern for U.S. manufacturers, cyberattacks have crept gradually into the equation. The financial impact of hacking is increasingly a management issue, with companies taking small steps to support workers who have been sent home from stalled factories.

A July 2019 ransomware attack against the Swiss manufacturer Meier Tobler, which cost the company more than $5 million in direct costs and $10.6 million more in lost production, helps illustrate the kind of headaches that can come as a result.

When ransomware struck Meier Tobler, “for some of the workers [especially in logistics], we made arrangements to take holidays and compensate for extra time,” company spokesperson Martin Schäppi said in an email. Meier Tobler’s operations were shut down for four days, Schäppi said.

Exact cybersecurity costs in the manufacturing sector are difficult to quantify, though snapshots provide a glimpse of the story. The manufacturing industry paid $6.8 million in ransomware payments in 2019, more than any other sector, according to Kivu Consulting. The next most-extorted sector was education, with $1.8 million.

That data represents just a portion of paid ransoms overall, as it only covers cases where Kivu negotiated payments with ransomware gangs.

Manufacturers are increasingly aware of the reputational damage — in addition to the potential costs from delays in production and deliveries — that could come from cyberattacks, said Stephanie Hall, director of innovation policy at the National Association of Manufacturers (NAM). All of those concerns “trickle down across the [supply] chain,” she said.

Hall said her association, which represents 14,000 manufacturers across the U.S., grew concerned about the lack of resources for small manufacturers to combat hacking incidents during the pandemic. And so, citing the “unprecedented risks” to manufacturers during COVID-19, the trade association set up a cybersecurity program that provides insurance and security guidance for its members.

Honeywell’s hack

A striking reminder of the digital threats to the industry came in March when Honeywell, which makes everything from cockpit systems to thermostats, became the latest manufacturer to be victimized in a cyber incident.

The “malware intrusion” had a “minimal impact on our manufacturing,” Honeywell spokesman Scott Sayres said in a March 25 email. He declined to elaborate, or answer questions about whether ransomware was involved, citing an “ongoing criminal investigation” into the breach.

On Friday, Sayres declined to answer a list of questions on whether Honeywell plans to disclose more details on the incident in the future, and whether it shared information about the malware with other companies.

Despite a Honeywell statement on March 23 saying the firm had “returned to service,” there were lingering IT difficulties at the company days afterward, according to two Honeywell employees who spoke on the condition of anonymity. Those technical issues, which have gradually been resolved, included difficulty connecting to the company’s virtual private network and internal data-sharing drives.

It was unclear how many of those IT issues were the result of the malware on Honeywell’s network, or if they were related to Honeywell’s decision to shut down applications in the wake of the intrusion. In a March 22 email to employees, Sheila Jordan, Honeywell’s chief digital technology officer, said the company had “shut down several hundred” IT applications “out of an abundance of caution.”

The company has instructed employees not to speak publicly about the incident, and sent them reminders of the threats of email phishing, according to internal emails seen by CyberScoop.

Still, people claiming to be Honeywell employees have complained about the incident anonymously on a public forum since March 20. The posts include reports of network outages from various employees, as well as questions about when connectivity would be fully restored and how the company’s security defenses may have failed. (CyberScoop was unable to verify the identities of the forum posters.)

After the breach is resolved, a clearer public understanding about the impact could help other organizations protect themselves from similar threats. Public companies are required to disclose security incidents and other risks that could affect share prices to the U.S. Securities and Exchange Commission, though such language generally is too vague to have any value for other potential victims.

The general dearth of information is one reason the FBI has sought to gather clues about ransomware breaches from insurers.

The problem is not going away. There were ransomware incidents involving 150 manufacturing companies in the third quarter of 2020, more than any other sector, according to Trend Micro.

As for Molland, the Norsk Hydro executive, he said he has no regrets about publicly detailing just how much pain ransomware brought his company.

“It was so big we couldn’t have covered it up anyway,” Molland quipped.

Written by Sean Lyngaas

Sean Lyngaas is CyberScoop’s Senior Reporter covering the Department of Homeland Security and Congress. He was previously a freelance journalist in West Africa, where he covered everything from a presidential election in Ghana to military mutinies in Ivory Coast for The New York Times. Lyngaas’ reporting also has appeared in The Washington Post, The Economist and the BBC, among other outlets. His investigation of cybersecurity issues in the nuclear sector, backed by a grant from the Pulitzer Center on Crisis Reporting, won plaudits from industrial security experts. He was previously a reporter with Federal Computer Week and, before that, with Smart Grid Today. Sean earned a B.A. in public policy from Duke University and an M.A. in International Relations from The Fletcher School of Law and Diplomacy at Tufts University.
