The Lesson in the Norsk Hydro Ransomware Attack

Norsk Hydro has been hit by a ransomware attack. The firm reports that some aluminum smelting plants have switched to manual operations, and some metal extrusion plants have halted production altogether. There are theories that the ransomware was deliberately planted in a corporate Active Directory controller in such a way as to infect most Windows hosts at the company.

This sounds like a combination of attacks #3 and #4 from The Top 20 Cyberattacks on Industrial Control Systems.

The lessons here are simple:

  • Even messages from trusted IT domain controllers can host, or be part of, a cyber attack.
  • Firewalls do not stop attacks.
  • Encryption does not stop cyber attacks either, this attack likely came into ICS networks through an encrypted connection to the compromised domain controller.


Industrial sites successful at defending themselves from ransomware and other remote attacks do so by protecting the control network cyber perimeter from information emanating from Internet-connected networks. When external information must enter industrial networks from outside sources, secure sites do not use firewalls to enable those information/attack flows. They use Unidirectional Gateways.

Waterfall’s Unidirectional Security Gateways are the industry standard when protecting control-critical networks from remote attacks. Secure industrial sites leverage Waterfall’s cybersecurity solutions to meet their specific enterprise needs and fit to their unique industrial network environments. Sites deploying Unidirectional Gateways rest easy knowing that their networks are 100% protected from remote inbound attacks.

My new book, Secure Operations Technology, documents how secure sites protect their control-critical networks. The book is still available free of charge to qualified practitioners, courtesy of Waterfall Security Solutions. To request yours, click here.

If you don’t want to wait for a book, a brief summary of the methodology is available here.

Andrew Ginter
Latest posts by Andrew Ginter (see all)
Newsletter Signup