The 3am call: how one senior leader responded to a serious cyber attack
How strong planning and a dedicated workforce helped Norsk Hydro recover from a catastrophic cyber attack - and why "cyber shame" is hindering business' response.
Halvor Molland was woken up at around 3am. Norsk Hydro, the senior vice-president’s company, was under a “massive” cyberattack launched three hours earlier.
When he arrived at the office and made his way to their meeting room, he saw handwritten signs around the office saying, “We're under a massive cyberattack, do not turn on your computer!” “Then we realised that the entire network in the company was shut down,” he says.
As a member of senior leadership, and the corporate emergency team, Molland’s actions over the next few hours, days and weeks could decide the fate of the 35,000-strong renewable energy and aluminium manufacturing company. “I think most organisations would train for this scenario and hope that they never experienced it,” he says.
Because they had trained for it, Halvor and his colleagues could follow the plans they had developed and take the immediate steps that needed to happen, rather than being overwhelmed by the scale of the emergency. The entire network had been compromised. Not a single employee across the 40 countries they operated in could access the network, turn a computer on, or even print – hence the written signs. Staff had to rely on contacts saved in personal phones or WhatsApp groups to communicate.
“The first few hours and the first day or so it's a bit chaotic, but then you start working and the creativity is coming alive,” Molland says. The damage, however, was catastrophic. Production capacity in its largest business area employing 23,000 people had halved overnight. Molland and his team were having to handle the attack, customers, suppliers and employees.
“We couldn't pay our suppliers. We couldn't print the shipping orders or shipping information to the customers,” he says. The team was methodical, prioritising the health and wellbeing of staff first to ensure they could work safely.
“We had the luxury of having a backup and that was how we recovered,” Molland says. Norsk Hydro enlisted the help of former employees who had worked using paper-based methods to keep its manufacturing side going, fulfilling simpler orders and ensuring the business was continuing.
The IT team split into three groups, one to look at what had happened, a second to focus on recovering the system from backups, and the third to design a new system that could not be compromised in the same way.
“I think any company should have a plan and train for the event of a cyber attack,” Molland says. In Norsk Hydro’s case, it was a single malicious email sent from a customer to an employee that gave them access to the network. However, to him that is less important than ensuring regular training and systems to prevent an attack, and a plan to recover.
It took Norsk Hydro six to eight weeks to get back to “fairly normal” operations, three months for the incident to be declared over, and another six months to fully clean up.