
3 Ways Norsk Hydro Kept its Reputation During LockerGoga Cyberattack

When a cyberattack occurs, an organization’s reputation is immediately threatened. The steps they take next are imperative to repairing their reputation.

Standing Partnership and guest blogger Heather MacKenzie, ICS Cyber Security Specialist at Nozomi Networks, the leader of industrial cyber security, have teamed up again. This time, they discuss how important it is for industrial companies to combine crisis planning with cybersecurity technology to protect their reputation and their OT networks from cyberattacks.

About the Co-Author: Heather has worked in the field of industrial cyber security since 2008, authoring many articles and white papers on the topic. As an ICS Security Specialist, she helps OT/IT teams responsible for industrial control networks understand cyber risks and how the Nozomi Networks real-time cyber security and visibility solution is uniquely positioned to address their needs.


When a cyberattack on an industrial facility succeeds, the highest level of concern is for safety. Making sure that process or manufacturing systems don’t endanger lives, or the environment, is paramount. The next level of concern is business continuity, making sure that production is maintained or restarted so that customers can be served, and financial losses minimized.

In parallel to these operational challenges, executives need to work hard to protect the organization’s reputation. Nozomi Networks sales managers and system engineers cite “we don’t want to be in the news” as one of the key drivers of investment in industrial cyber security systems.

While data breaches that have been poorly handled by companies capture the headlines, it is refreshing to note a recent industrial cyberattack response that has been applauded by communication experts. The event in question is the LockerGoga ransomware attack on Norsk Hydro.

What stood out about Norsk Hydro’s response are three key steps to protecting any organization’s reputation.

The LockerGoga ransomware caused Norsk Hydro to reduce aluminum extrusion output, a process that uses a machine like the one above. The attack cost the company approximately $52 million.

Three Key Steps to Protecting Your Reputation During a Cyberattack

As indicated above, cyberattacks disrupt operations, cause financial loss and can also ruin corporate reputations. They bring about heightened scrutiny of the executive team’s reactions and decision-making under pressure, threatening to shatter shareholder and customer trust in a matter of hours.

  • Did the company leadership do everything to minimize IT and OT vulnerabilities?
  • What steps did they take to contain the damage?
  • How are they handling the disruption to business and their customers’ businesses?

The answers to these questions can outlast the immediate impact of a cyberattack. So, what should companies do to prepare and how should they respond if they are hit by one?

Crisis preparedness includes several foundational elements: a crisis response plan, a cross-functional response team and draft materials for the scenarios most likely to happen. Considering the growing sophistication of malware targeting industrial companies, cyberattacks should be one of the top 5 most-likely-to-happen scenarios.

Norsk Hydro’s response provided a textbook example of how to act well after the recent LockerGoga ransomware attack. Crisis response is immediate in nature and, when handled well, addresses not only the here and now, but also focuses on restoring long-term trust and minimizing reputational damage.

Here are three key steps to incorporate in your crisis response strategy:

Step 1: Be Transparent

Transparency fosters trust. When your stakeholders learn about all your efforts to prevent an attack and restore operations in the aftermath of an incident, they are more likely to give you the benefit of the doubt and continue doing business with you.

Norsk Hydro went above-and-beyond in its efforts to be transparent. Their executive team met with media and industry analysts every day for approximately a week after the attack to provide updates on their efforts to restore operations, and answer questions.

They posted daily updates on their website and social channels, and offered direct access to their media and investor relations representatives. No questions were off-limits, from the complexity of restoring operations to financial impact, and their collaboration with law enforcement officials.

Step 2: Engage with Stakeholders Through Normal Channels

Even during a crisis, it’s important to remember that your stakeholders are accustomed to hearing from your company in different ways. It is not enough to post information on your website. Your social channels need to be updated as well.

Press conferences or on-demand webcasts are a great way of informing stakeholders in various time zones. Legislative representatives, local officials and trade associations might expect direct outreach by phone.

Step 3: Communicate Frequently

A single update is not enough. As daunting as this sounds, it is critical to provide multiple timely updates on the impact of the cyberattack and on the steps taken to contain it. This demonstrates agility, integrity and transparency to your external and internal stakeholders.

You may want to consider devoting part of your website homepage to crisis management updates, storing them in chronological order to show progression. Continue to share developments until the consequences of the cyberattack have been fully addressed.

To assess and manage OT risk, and protect your corporate brand, preparedness is key. And, help is available. The experts at Standing Partnership deliver guidance on how to navigate cyber incidents with minimal damage to your reputation. For more information, download our Complete Guide to Crisis Communications Planning.

Paired with advanced technology that rapidly identifies malware and provides time-saving forensic assistance, your organization should be well equipped to weather the storm of a major cyberattack. If you are interested in Nozomi Networks Lab’s research on LockerGoga, you can find it here.


Related Links

Blog: Protecting Your Reputation in an Era of Cyberattacks

Blog: 5 Critical Elements of a Crisis Management Plan

Blog: Managing OT Risk While Protecting Your Organization’s Reputation

Executive Brief: Integrating OT into IT/OT SOCs

Solution Brief: Nozomi Networks
