Norsk Hydro cyberattack exposes supply chain fragility
by Graham Buck
A ransomware attack targeting one of the world’s top aluminium makers exposes how crucial sophisticated digital systems have become in the metals and mining industry.
Norway’s Norsk Hydro, one of the largest aluminium companies globally with operations in 50 countries, suffered a “severe” cyber-attack on its US and Europe operations early on March 19, forcing it to shut down several automated product lines and keep its smelters running using manual production processes.
Hydro is a major supplier of aluminium products in North American and European markets, providing specialised parts to industrial customers. It has more than a dozen aluminium facilities in Europe, from Norway to the U.K., including those producing primary metal or using aluminium extrusion. The company’s market share in the extrusion segment is around 20% in Europe and 23% in North America.
Hydro said it plans to restart certain systems shortly to “allow for continued deliveries to customers.” The critical issue for the producer is to now find specific customer orders and the recipe for how to fulfil them, said its chief financial officer (CFO) Eivind Kallevik.
“We can get that either through cleaning the systems and restoring the backups and in some cases, we are able to go back into the backup systems and pull data more manually,” he said. “That is a big task at all the plants.”
Limited suppliers
The threat of a supply disruption at Hydro is already impacting the aluminium industry, with only a limited number of companies in the world able to make the technical products required by carmakers such as Daimler and Ford Motor.
Consequently, when there’s a problem, the effects can be far-reaching, as was demonstrated last April when the US unexpectedly imposed sanctions on Russia’s United Co. Rusal, the world’s largest aluminium producer outside of China.
The Hydro incident and other recent attacks show how central technology and automation have become in the metals and mining industry. As part of its push into the European automotive market, in 2015 the company invested in automated ultrasonic testing systems to precisely scan its products for impurities, responding to the exacting needs of customers in the transport sector.
Without that automated certification, carmakers would be unable to use the parts, said Colin Hamilton, managing director for commodities research at BMO Capital Markets. Hydro admits the inability to connect to some of its production systems has caused challenges, adding that it’s still too soon to estimate the “exact operational and financial impact.”
More than other base metals, aluminium production is dominated by a handful of companies, increasing the risk that supply chains will be disrupted if there’s a production problem, said Michael Widmer, head of metals research at Bank of America Merrill Lynch in London.
The interconnected nature of supply chains isn’t unique to the metals industry. As manufacturing processes become increasingly complex and diversified around the world, more companies will have to navigate the risk of a disruption from cyberattacks.
"The more automation you introduce into your systems, the more you need to protect them," said Widmer. "Along with other industries, you may potentially start to see a much stronger emphasis on cybersecurity."
One of a series
The Hydro attack is the latest to hit the commodities sector, where disruptions can quickly cascade down the supply chain. Prior to Norsk Hydro, companies from zinc smelter Nyrstar NV to Saudi and Russian oil giants Aramco and Rosneft PJSC, shipping company AP Moller-Maersk and agriculture trader Archer-Daniels-Midland Co. had also been hit by cyberattacks.
Phil Neray, vice-president of industrial cybersecurity at factory and industry specialist CyberX, told tech website The Register that it was inevitable hackers would look to get ransomware onto networks at manufacturing and power giants, given how valuable system uptime is in those environments.
“Manufacturing companies are an obvious target for ransomware because downtime is measured in millions of dollars per day – so as you might expect, CEOs are eager to pay,” said Neray. “Plus the security of industrial networks has been neglected for years, so malware spreads quickly from infected employee computers in a single office to manufacturing plants in all other countries.
“These attacks are especially serious for metal or chemical manufacturers because of the risk of serious safety and environmental incidents, and the bottom-line impact from spoilage of in-process materials and clean-up costs.”