Norsk Hydro’s Hack Highlights Need for Supply Chain Cybersecurity

If you get hacked once, you could easily get hacked again. At least, that’s the philosophy that Norwegian energy company Norsk Hydro held to when it was hacked back in 2019. According to a recent article in TIME magazine, rather than paying the hackers who held its thousands of servers and PCs hostage, the company consulted supply chain cybersecurity experts to inspect 30,000 employee credentials and get to the root of the attack. The final culprit? An employee had opened an infected email.

This approach may have left Norsk Hydro in a better position to fend off future supply chain hacks, but it still cost the company over $70 million. It also taught them, and can teach other organizations, a valuable lesson: Be prepared. 

“I think that, first of all, cybersecurity and cyber risk has to be on the top of the strategic agenda of any company,” Norsk Hydro CEO Hilde Merete Aasheim told TIME. “It only gets more and more advanced, and the attacks are out there as we speak and only get more and more complicated.”

Supply chain hacks and third-party attacks are on the rise. Supply chain, industrial, manufacturing, and critical infrastructure organizations offer not only easy ways in but also a variety of avenues to exploit once a bad actor is inside, such as holding part of Norway’s energy supply ransom. Aasheim’s statement should be the guiding philosophy for any organization. Supply chain cybersecurity should be a top priority, both to prevent a supply chain hack and to resolve one quickly if an attack does happen. No organization wants to be in Norsk Hydro’s shoes, paying top cybersecurity firms to comb through employee data that should already have been managed, audited, and protected.

So how can a company protect itself from supply chain hacks?

1. Purchase secure access management software. 

Access management software can remove the need to comb through and do a deep dive into “the accounts of over 30,000 employees and even more service accounts” after something goes wrong. Strong software helps an organization enforce role-based access control and regularly audit who accessed what and when.

2. Implement Zero Trust architecture. 

Zero Trust architecture is exactly what it sounds like: your organization trusts no user or device by default, and no one gets into your systems without explicit approval. In addition, each person gets access only to what they need at a given moment – nothing more.
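As an added illustration of points 1 and 2 (this is example code written for this page, not code from the article, from Norsk Hydro, or from any access management product), the following Python sketch shows the mechanics the two points describe: a role-based policy that grants each role only the permissions its job needs, a default-deny check on every request, and an audit trail that can answer “who accessed what and when” and list which accounts currently hold a given permission so that access can be reviewed regularly. All roles, users, resources and timestamps are constructed sample data.

```python
"""Minimal role-based access control with an audit trail (added example).

Assumptions: the policy, users and resources below are constructed sample
data for illustration only; a real deployment would back them with an
identity provider and a tamper-resistant log store.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Set, Tuple

Permission = Tuple[str, str]  # (resource, action)

# Least privilege: each role carries only what that job needs.
# Constructed sample policy, not a real organization's.
ROLE_PERMISSIONS: Dict[str, Set[Permission]] = {
    "operator": {("plant-hmi", "read"), ("plant-hmi", "write")},
    "auditor": {("plant-hmi", "read"), ("access-log", "read")},
    "helpdesk": {("user-directory", "read")},
}


@dataclass
class AuditEntry:
    """One access decision: who, what, when, and whether it was allowed."""
    timestamp: datetime
    user: str
    resource: str
    action: str
    allowed: bool
    reason: str


class AccessManager:
    def __init__(self, user_roles: Dict[str, Set[str]]) -> None:
        self.user_roles = user_roles
        self.audit_log: List[AuditEntry] = []

    def permissions_for(self, user: str) -> Set[Permission]:
        """Union of the permissions of every role assigned to the user."""
        perms: Set[Permission] = set()
        for role in self.user_roles.get(user, set()):
            perms |= ROLE_PERMISSIONS.get(role, set())
        return perms

    def check(self, user: str, resource: str, action: str,
              now: Optional[datetime] = None) -> bool:
        """Default-deny decision for one request; every decision is logged."""
        now = now or datetime.now(timezone.utc)
        if user not in self.user_roles:
            allowed, reason = False, "unknown user"
        elif (resource, action) in self.permissions_for(user):
            allowed, reason = True, "role grants permission"
        else:
            allowed, reason = False, "no role grants permission"
        self.audit_log.append(
            AuditEntry(now, user, resource, action, allowed, reason))
        return allowed

    def who_accessed(self, resource: str,
                     since: Optional[datetime] = None) -> List[AuditEntry]:
        """Answer 'who accessed what and when' for one resource."""
        return [e for e in self.audit_log
                if e.resource == resource and e.allowed
                and (since is None or e.timestamp >= since)]

    def denied_attempts(self, user: str) -> List[AuditEntry]:
        """Denied requests by one account; a spike here is worth a look."""
        return [e for e in self.audit_log if e.user == user and not e.allowed]

    def users_with_permission(self, resource: str, action: str) -> List[str]:
        """Periodic access review: which accounts can currently do this?"""
        return sorted(u for u in self.user_roles
                      if (resource, action) in self.permissions_for(u))


def build_demo() -> AccessManager:
    """Run a few constructed requests through the manager and return it."""
    mgr = AccessManager({
        "alice": {"operator"},
        "bob": {"auditor"},
        "carol": {"helpdesk"},
    })
    t0 = datetime(2024, 1, 1, 8, 0, tzinfo=timezone.utc)
    mgr.check("alice", "plant-hmi", "write", now=t0)                         # allowed
    mgr.check("bob", "plant-hmi", "write", now=t0 + timedelta(minutes=5))    # denied
    mgr.check("bob", "access-log", "read", now=t0 + timedelta(minutes=6))    # allowed
    mgr.check("mallory", "plant-hmi", "read", now=t0 + timedelta(hours=1))   # unknown user
    mgr.check("carol", "user-directory", "read", now=t0 + timedelta(hours=2))  # allowed
    return mgr


if __name__ == "__main__":
    m = build_demo()
    for entry in m.audit_log:
        print(entry)
    print("plant-hmi readers:", m.users_with_permission("plant-hmi", "read"))
```

The important design choice is that denials are logged with the same detail as grants: the post-incident question at Norsk Hydro was which accounts did what, and that question is only answerable if the log was being written before the incident. The `users_with_permission` review is what “regularly audit” means in practice, since it surfaces accounts whose roles have drifted beyond what their current job needs.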

3. Invest in third-party cybersecurity.

Supply chain and infrastructure organizations like Norsk Hydro run large networks and work with a vast number of third parties. If one of those third parties is compromised, the compromise can spread back to the organization or on to its customers’ networks.

4. Educate your team.

Phishing is a trick as old as email, and even with the best supply chain cybersecurity in the world, one click on a suspicious message can open the door to a costly and damaging supply chain hack. Keeping your organization educated on the ever-evolving risks is the best defense against human error. All cybersecurity is human security, and it’s up to humans to help protect critical access systems.