Norsk Hydro CIO on How to Prepare for Cyberattacks

A March ransomware attack that temporarily crippled computers and production at

Norsk Hydro AS

A led the company to prioritize the presence of manual overrides at its facilities to help reduce disruption in the event of another cyber intrusion, said Chief Information Officer

Jo De Vliegher.

Since the attack, the Norwegian aluminum company has focused attention on the processes across its operations, which include mining, smelting and renewable-energy generation.

How could a facility keep working if there’s another attack? “Of course it is not as good, not as optimal, but there should be a level of manual overrides that at least allow for a minimum of operation,” he said.

With the chief information security officer and various cyber teams reporting to him, Mr. De Vliegher directs the company’s cyber efforts. But as CIO, he also helps set strategy and policy and run Norsk Hydro’s incubator efforts. “It is bridging business with IT,” he said.

CIO Journal talked with Mr. De Vliegher last month at the WSJ Pro Cybersecurity Executive Forum in New York. Here are highlights:

Can you talk about what the CIO does at Norsk Hydro?

In two words…“shaping” and “safeguarding.”

Shaping, for all practical matters, means two things. It’s strategy, policy and enterprise architecture on the one hand. And I also lead a digital incubator to run a number of experiments that don’t exactly fit in a large-scale IT operation. It is more like a startup where we see what works—and if and when it works, we transfer it to the service operator to scale it up.

And we work with other startups and try to build an ecosystem where we look for new stuff that might work. That is all part of the shaping.

Safeguarding is related to cybersecurity, compliance and internal, external, legal etc. Hydro’s CISO reports to me and we have a number of cybersecurity experts that do penetration testing and that do what we call second-level-defense….We try to find black spots, the shadow field between IT and automation, for example….So we try to find holes in scope, rather than checking if people do their jobs.

Speaking of cybersecurity, what was your role in the response to the cyber event?

My role was to make sense of what has technically happened and what is technically going to happen in a language that people understand. And you could say that war is diplomacy by other means. It’s a bit similar. It’s just that the topic is sharpened and the problem is a million times bigger, but it is the same role: It is bridging business with IT.

Some of your operations were crippled in the attack. You have talked about your efforts to install manual overrides to prevent that from happening again.

I have a cabin in the mountains and in my free time I was playing with a remote-controlled heater, where you can use an app and then it would heat up the cabin the day before you arrived. I made all the switches, tested everything and it worked. Until one weekend I couldn’t make the app work. It was zero degrees outside and there was no way in hell I could get the heaters up.

And there I understood that what I had done wrong was replacing all the normal switches. There should always be a manual switch with no Z-Wave, no apps, no nothing so that at least you can come and you say, ‘Well, kids, it is going to be cold a little longer but at least the heaters are working.’ And it is the same analogy we do in our company now.

All this fancy stuff is good. But what we added since the attack is always the same question: Where are the manual overrides? Maybe you can’t produce the most sophisticated products, but at least you can produce the basics.

Are you integrating this world-wide?

It’s going to be a long process. Typically in automation you wait for a maintenance window. It’s not that you can retroactively install this in a couple of months. But what is most important is to get into the mind-set of the people. And the mind-set is AI, machine learning, robotics, all that is fine, but where are the cables and the buttons if it fails?

What are you excited about?

We do a lot of interesting stuff related to robotics, related to commercial solutions, but basically what I am excited about is just the value of analytics. Talking with some other companies, we start to learn that the value of analytics has been underestimated, whereas other tech has been overestimated.

Analytics has been around for a while. Why now?

What’s the success of the iPhone? It was not exactly new. What was new was the way to put existing capabilities together in a user-friendly way for the first time in a package that made sense. That to me is what we are trying to do now with analytics. Yes, the statistics behind it is probably 100 years old and the data has been there for a while, but to make it accessible, to make it interactive for people without a Ph.D. in mathematics, to make it available on mobile devices, to make it secure…before we didn’t share any data because some of it was sensitive. Now we can share much more and still take care of the sensitive data.

So how are those non-Ph.D.s enjoying the fruits of this new era of analytics?

Here is something exciting going on. We have always seen that there is a huge difference between our best operators and the less good ones. And in aluminium production the best operators could see the pattern of the flames in the cell [where aluminum is made] and tell whether the production was optimal or not.

They have tried many years to teach that to other operators with limited success. There is something that our most talented people are able to see and others just don’t. Now we use visual recognition and AI and cameras so that the analytics system is basically learning from our best operators and sharing that competence to other operators as a guideline. So it’s making basically everyone the best operator.

Copyright ©2019 Dow Jones & Company, Inc. All Rights Reserved. 87990cbe856818d5eddac44c7b1cdeb8