Norway’s Auditor General’s Office (AGO) has questioned the general standard of cyber defence competence among leading companies and agencies in the country’s public energy sector.
It identified shortcomings in cyber defence policy and strategy in a number state-owned enterprises, including water and power resource organisation NVE (Norges Vassdrags- og Energidirektorat).
The AGO’s cyber security assessment was based on an extended appraisal by the state agency that began in 2020 and ended in March. The review scrutinised the efficacy of cyber defence policies and strategies to protect critical computer systems against the widening range of cyber attacks directed at major public institutions and companies in Norway.
The country has seen a significant rise in cyber attacks since 2019. The AGO’s audit followed a series of high-profile data security breaches at Norsk Hydro, the Norwegian parliament (the Storting) and cruise company Hurtigruten. In March, the parliament’s computer systems were breached, and data captured, for the second time in seven months.
The AGO will require the Ministry of Petroleum and Energy, which has oversight over state companies such as NVE, to do more to ensure that enterprises in its charge employ a higher level of preparedness against cyber attacks, said Per-Kristian Foss, the auditor general.
“The situation is serious when we discover that the risk of computer attacks aimed at our national power supply systems is increasing,” said Foss. “If we do not take this threat seriously now, we may be confronted by cyber attacks that have very dire consequences.”
The AGO identified weaknesses in NVE’s defence preparedness and its capacity to prevent data breaches in its critical IT systems. The agency criticised the ministry for failing to implement sufficiently robust measures to develop effective and transparent management systems, especially systems to monitor the efficacy of data security policies and advanced technologies used to protect NVE’s power supply operations.
A key component of NVE’s cyber threat enhancement strategy stems from the company’s relationship with KraftCERT, an organisation created to help Norway’s power utilities strengthen their ICS systems, address network security vulnerabilities, detect threats and bolster their capabilities to mitigate digital attacks.
Launched in 2014, KraftCERT was formed by NVE in partnership with energy groups Statnett, Statkraft and Hafslund. The organisation, which serves as a cyber defence support tool for the energy sector, provides expert analysis and critical assessment of cyber threats, while making recommendations on countermeasures.
Managing cyber risk has become a heightened priority for Norway’s energy actors, against the backdrop of an industry with a rapidly expanding digital footprint and growing reliance on IT.
NVE has agreed to reinforce its overall preparedness and security network defences against cyber threats to comply with the AGO’s guidance, said Ingunn Åsgard Bendiksen, head of NVE’s department of emergency and contingency planning.
“In collaboration with the energy industry, we have carried out extensive work to implement checks and security measures to reduce the risk of attacks on computer networks that control power supply,” said Bendiksen. “So far, there have been no cyber attacks on critical IT systems that succeeded in compromising our systems with negative consequences for the power supply in Norway.”
KraftCERT membership also offers a gateway for Norway’s energy companies to collaborate with Oslo-based cyber security specialist Mnemonic. Key areas of cooperation include security risk management, data protection and cyber threat defence strategies. Also, partnership agreements with KraftCERT means utilities can access mIRT, Mnemonics’ Incident Reponse Team, in times of crisis.
The burden of protecting Norway’s energy production and distribution is complicated by the hundreds of small to large hydro and wind power plants dotted across the country. Adding to the risk is the peculiarity of Norway’s electricity supply management systems, with powerlines operated by Statnett as well as numerous regional and local grid companies.
The magnitude of the challenge facing Norway’s leading energy groups is reflected in state-owned Equinor’s ongoing capital investment drive to resolve IT security network weaknesses in two key areas that were first identified in 2019. The initiative to buttress its cyber defence competence is running along a parallel project to expand the multirole function of Equinor’s Computer Security Incident Response Team.
For Equinor, the two primary areas of concern include improving control over user access to IT systems and the market trading that interfaces with the group’s IT systems. Equinor’s market trading deals with the purchase and sale of oil, gas and power and the continuing strengthening of defences in these areas, which restricts computer and IT network access to personnel holding an appropriate level of security clearance, is intended to reduce the risk of cyber attacks.
As evidenced by the data breach at Norsk Hydro, cyber attacks have the potential to inflict significant global disruption to the operations of large multinational corporations. Hydro fell victim to a malicious and sustained ransomware-led cyber attack on 19 March 2019 which impaired the whole of the group’s international operations.
The cyber attack impacted, to some degree, all of Hydro’s 35,000 employees and 150 production plants in 40 countries around the world.
Eight months to rebuild
It took the organisation almost eight months to fully rebuild its critical IT infrastructure and network security systems, and normal production was restored in the third quarter of 2019. By that stage, Hydro’s IT teams, working with Microsoft’s cyber security team and other external cyber security experts, had completed a full malware cleanse of all PCs and servers across the group. The encrypted PCs and servers were rebuilt based on back-ups.
The cyber attack resulted in the reorganisation of Hydro’s IT security unit, which was reformed and upgraded to detect and respond to cyber incidents better. Hydro calculated the financial impact of the attack at between NOK800m and NOK1bn (€78.8m to €98.5m). The final bill included costs incurred to remediate impacted systems and data.
“The cyber attack affected our entire organisation worldwide,” said Hilde Merete Aasheim, Hydro’s CEO. “Hydro was fortunate to have a robust cyber insurance policy in place with recognised insurers. This was hugely important for us to have.”
The unidentified cyber attackers used the LockerGoga ransomware variant to forcibly log users off their PCs and hard-code administrative passwords. The disruptive capabilities of LockerGoga encrypted files on desktops, laptops and servers across the company. Ransom notes were posted on the screens of corrupted computers, but Hydro refused to pay the ransom that was demanded in bitcoin.
Hydro received a total of NOK769m in insurance compensation related to the cyber attack in 2019. Of this amount, NOK216m was granted in 2019 and NOK553m in 2020.
The mission to shore up Hydro’s cyber defences since 2019 has included the establishment of a Cyber Response Programme covering the period 2020-2022. The project is focused on fortifying central group IT infrastructure and industrial control systems within all core business areas of the organisation.