Photo of from left to right: Bjorg Aa. Backer, Elin S. Torget, Odd Kr. Berg, Kristin Engh, Helle R. Mollestad, Per Ch. Lindgård, Erik Snersrud and Hege L. Larsen.

Business continuity plan defends against ransomware attack with strongest military algorithms

The challenge

On 19th March 2019, Norsk Hydro was the victim of a cyber-attack targeting its technology infrastructure. This was a ransomware attack infecting 22,000 computers across 170 sites in 40 countries with the message “Your files have been encrypted with the strongest military algorithms…without our special decoder it is impossible to restore the data.”

Despite the company’s extensive emergency preparedness plan covering nearly every conceivable circumstance, no-one anticipated a cyber-attack of this magnitude.

The solution

The client service operations department put a team in place comprising the company’s most senior cyber-security staff to address the crisis. While the plants and operations teams were working 24/7 to find ways to keep machinery running, Per Christian Lindgård, Head of Cash Management, and his treasury team were doing the same for Norsk Hydro’s cash management operation. Ensuring that critical payment functions, such as payroll, treasury and reporting were not impacted by the attack, was key to maintaining business-as-usual (BAU).

The treasury team worked quickly to ensure the treasury function would be able to support vital business objectives. Treasury’s ability to respond nearly instantaneously to the cyber-attack, thinking creatively about workarounds, implementing measures to keep the cash management function operational under the most challenging of circumstances, is a tribute to the ingenuity and perseverance of the incident management team and stakeholders across the company.

As Per Christian Lindgård recalls, “the team quickly assessed the extent of the disruption to BAU and formulated a game plan to respond to the crisis and prevent further spreading of the cyber-attack to unaffected systems. Communication was key, both internally and externally. Employees were immediately notified through text messages and printed postings at every office – instructing everyone to keep computers off due to the cyber-attack.”

Norsk Hydro also decided to be extremely transparent about the attack with the public, media and investors, immediately announcing what had occurred via a press release and Facebook postings.

To ensure the treasury function could continue to support the business, the incident management team, which included teams from all business areas down to the account level, developed work-around plans for operations. Some of the steps implemented included the purchase of new laptops that were unaffected by the virus, allowing team members to work from coffee shops with independent wi-fi signals. The rehiring of retired colleagues was also instrumental to manually operating business functions without the support of technology systems.

Best practice and innovation

Importantly, Norsk Hydro was able to accomplish its goals without paying the ransom demanded by the hackers. Since the attack, Lindgård and his team have been sharing best practices developed during this crisis at multiple events across the globe, helping to educate the treasury community on how to manage a cyber-attack of this magnitude.

Remarkably, despite a cyber-attack that disabled the company’s technology systems, Norsk Hydro’s cash management function was able to remain resilient. This demonstrates the value of an effective Business Continuity Plan and how a concerted response can save a business.

Many of the lessons learned from the response to this cyber-attack have proven instrumental in the company’s response to the recent COVID-19 pandemic.

Key benefits

• Able to operate BAU despite the attack.
• Norsk Hydro’s immense contribution of cyber knowledge sharing to the greater treasury community.