This project was delivered by Applied Risk, a DNV company. DNV, Nixu and Applied Risk joined forces to form DNV Cyber in 2024, creating one of Europe’s fastest growing cybersecurity services businesses.
- The manufacturer had taken operational technology offline to prevent malware spreading from IT systems.
- DNV Cyber’s approach contained the threat and guarded against a repeat.
- The customer was able to resume production and deliveries without excessive downtime.
When a manufacturer of semi-finished foods and drinks was hit by a ransomware attack, the company approached DNV Cyber for help in coping with and recovering from the incident.
From initial discussions, it was clear that the overriding concern was bringing the operational technology (OT) back online. The OT was unaffected by the attack, but the customer had taken it offline as a precaution to ensure that malware could not spread from IT systems, the primary target.
The manufacturer had a business case that was strong and self-evident. With IT and OT already offline, it simply had to respond to safeguard its ability to quickly restart production and ensure business continuity.
The customer also had compelling reasons to work with DNV Cyber because of the adviser’s wide-ranging expertise and experience in OT security. The manufacturer appreciated DNV Cyber’s:
- knowledge of OT systems and their specific features
- familiarity with procedures in operational environments
- understanding of the need to avoid downtime.
Containing the cyber-attack and future-proofing cyber security
Working closely with the customer, DNV Cyber took a two-stage approach to counter the ransomware attack, restore affected systems, and draw up plans for reducing cyber risk.
Stage one focused on containment. After initial discussions with the customer, DNV Cyber assembled an incident response team and conducted a remote intake screening. The team then visited the customer’s facilities to contain the malware, assess the impact of the attack, and determine the cause of the breach. This phase included compromise assessment, penetration testing, network asset discovery (licence-based), and the creation of AS-IS network drawings (logical and physical network diagrams).
In the second stage, DNV Cyber focused on recovery. The team took the actions necessary to restore the customer’s operations and guard against a repeat of the ransomware attack. This phase included the following initiatives:
- Network segmentation, including IT/OT network segmentation
- Deployment of firewall rule base and access control lists (ACLs)
- Logging and monitoring using SIEM software
- Design reference architecture
- Establishing a set of procedures and policies
- Systems and network rebuild
Once the team told us what their strategy was, I felt relief. I went from silently panicking over production and delivery schedules to being sure we were in good hands.
OT and industry expertise combine for positive outcomes
DNV Cyber’s containment operations first addressed the customer’s primary concern by allowing for a quick return to normal operations. Team members with the right skill-set for incident handling were able to determine exactly where and how the attacker had breached security measures. As a result, the customer was able to resume production, deliveries, and other interactions with customers without excessive downtime.
The next step was to move on quickly to recovery operations, which were less urgent but equally important. In this phase, the team was able to reduce risk for the customer by carrying out a compromise analysis that was designed to protect against the theft of customer data, financial assets, and intellectual property. It was also able to improve security by proactively identifying practices that were making the customer’s assets and data more vulnerable.
DNV Cyber was able to offer exactly the sort of expertise that the client needed. It drew heavily on its experience and knowledge of OT systems and its ability to establish effective and robust separations between IT and OT networks. Additionally, it took a hands-on approach to the project and took extra care to ensure that the customer’s needs and concerns were addressed.