Summary
- Confirmed: In the early hours of March 19, 2019, a cyberattack affected Hydro's global organization. The company isolated plants and operations, moved to manual procedures where possible, reported no resulting safety incident, and rebuilt encrypted computers and servers from backups. Extruded Solutions suffered the greatest operating and financial effect.
- Observed through Hydro's own updates: Continuity was uneven. Energy and Bauxite & Alumina reported normal production; Primary Metal and Rolled Products continued with more manual work; Extruded Solutions was around 50 percent of normal capacity on March 21 and 22, reached 70-80 percent in most units by March 26, and retained significant workarounds after production neared normal. Payroll, treasury, reporting, billing and invoicing also needed interim solutions.
- Bounded technical account: Norwegian authorities and later technical reporting identified LockerGoga. Public analysis describes an interactive intrusion followed by coordinated encryption, not a self-spreading industrial-control worm. A Microsoft account, published with Hydro's cooperation, says an infected email from a trusted customer opened the path months earlier. Hydro has not published a complete forensic report that independently resolves every detail of initial access, privilege escalation, affected assets or attacker dwell time.
- Financial record: Hydro's final 2019 annual report estimated a NOK 650-750 million financial impact, mainly lost sales from reduced production and impaired order handling plus remediation cost. It recognized NOK 216 million in insurance compensation in 2019; the 2020 annual report recognized a further NOK 496 million related to the attack. Hydro's later incident page uses an approximately NOK 800 million cost figure. These are company accounting measures, not a complete measure of employee, customer, supplier, insurer or public cost.
- Assessment: Manual fallback proved that some sites retained local process knowledge, authority, documentation and safe degraded modes. It did not prove normal capacity, full order complexity, reliable enterprise-wide data, quick restoration, or fair cost distribution. Hydro's communications made that distinction unusually visible and therefore became part of the accountability record.
Manual continuity is evidence, not romance
At an extrusion plant, a paper order is not nostalgia. It is a claim about dimensions, alloy, treatment, finish, quantity, delivery and customer acceptance. A worker who keeps a machine operating without the usual networked systems is not performing a symbolic return to an earlier age. The worker is taking responsibility for a physical process while some of the digital evidence, coordination and safeguards that normally surround it are unavailable.
That is the right place to begin the Norsk Hydro case. On March 19, 2019, the company said that IT systems in most business areas were affected and that it was switching to manual operations as far as possible. In a more detailed update the same day, Hydro said it had isolated all plants and operations, that Norwegian primary plants and remelters were running with a higher degree of manual operation, and that inability to connect to production systems had caused challenges and temporary stoppages in Extruded Solutions and Rolled Products. Safety came first in the statement, followed by operational and financial impact. (Hydro's initial notice; Hydro's March 19 operational update)
Those communications transformed local improvisation into a public control record. Hydro did not merely say that it was resilient. It disclosed which business areas were producing, where manual work was heavier, where plants had stopped, and later what percentage of capacity had returned. That makes it possible to ask disciplined questions. Which services could operate without central IT? What knowledge survived outside the network? Which workarounds protected safety? Which only protected output? How long could they last? Which customers received priority? Who performed the extra work? What financial and reconciliation obligations accumulated behind the visible production numbers?
The familiar version of the story celebrates retirees returning, employees using paper and the company refusing to pay. Those facts matter. Microsoft, which assisted the recovery, reported that paper warnings were photographed and sent by phone to sites, local printers produced notices, workers used pen and paper, some plants ran manual procedures, and former employees familiar with older processes returned to help. But admiration is not analysis. (Microsoft's account of the Hydro response)
Manual fallback should be treated as a measurable control with limits, not as a heroic mood. It has an activation time, a safe operating envelope, a transaction capacity, a staffing requirement, an error rate, a reconciliation burden and a maximum sustainable duration. Hydro's experience shows all of those dimensions, even when the public record does not provide a number for each one.
What happened, and what the public record establishes
Hydro described the attack as beginning in the early hours of Tuesday, March 19. The later company incident page says the event affected the entire global organization, with Extruded Solutions bearing the largest operational challenges and financial losses. The company's other major business areas produced close to normal, but only through work-intensive workarounds and manual procedures. (Hydro's incident overview)
The first day established three important facts. First, the interruption was broad enough for Hydro to isolate plants and operations. Second, physical production effects differed by business area. Energy and Bauxite & Alumina were reported as normal. Primary metals in Norway and remelters used more manual operation. Extruded Solutions and Rolled Products had lost connectivity to production systems, producing temporary stops at several plants. Third, the company said the event had not caused a safety incident.
On March 20, Hydro said its technical team and outside support had detected the root cause of the immediate problems and was validating a process to restart IT safely. Most operations were running and meeting customer specifications, but manual activity remained higher than normal. Extruded Solutions still faced production challenges and temporary stoppages. The distinction between operating and operating normally was already explicit. (Hydro's March 20 update)
On March 21, the company put a number on the most affected division. Extruded Solutions was operating at roughly 50 percent of normal capacity. Some plants had restarted, and inventory was being used to continue deliveries. Hydro said Microsoft and other security partners had arrived, the police had opened an investigation, and business-critical IT functions were being restored step by step. (Hydro's March 21 update)
The March 22 update made the recovery problem wider than production. Hydro said extraordinary measures remained necessary and workarounds in Extruded Solutions were challenging and time-consuming. It also identified supporting functions that needed interim solutions: payroll, treasury and reporting. Many systems had been shut down as containment, not because all had been infected. Healthy systems could not simply be reopened until affected parts had been addressed. Extruded Solutions remained at approximately 50 percent. (Hydro's March 22 update)
Over the weekend, the company moved from containment into a controlled recovery. On March 25, it said each PC and server across the company was being reviewed, cleaned and restored under strict guidelines, while encrypted machines would be rebuilt from backups. Extruded Solutions expected to reach about 60 percent overall production, though Building Systems remained the most affected. (Hydro's March 25 update)
By March 26, three Extruded Solutions units were producing at 70-80 percent, while Building Systems was almost at a standstill. Hydro gave a preliminary NOK 300-350 million estimate for the first full week, mainly lost margins and volumes in Extruded Solutions, and identified AIG as lead insurer on its cyber policy. By March 27, Building Systems had restarted at around 20 percent average capacity. On March 28 it was at 40-50 percent, while the other three Extruded Solutions units averaged 80-85 percent. (March 26 update; March 27 update; March 28 update)
Production and information recovery then separated into different clocks. On April 5, output was near normal in most areas, yet reporting, billing and invoicing were delayed. Extruded Solutions still had local variations and many workarounds. On April 12, Hydro said the extra effort required from 35,000 employees was sustaining normal or near-normal production, but the attack had delayed administrative processes and forced postponement of first-quarter reporting. Average value creation in Extruded Solutions was 85-90 percent, even while full IT recovery remained a complex process across several thousand servers and operations in 40 countries. (Hydro's April 5 update; Hydro's April 12 update)
This chronology prevents a simple binary judgment. Hydro was neither fully down nor fully recovered. Capacity, value creation, customer delivery, administrative processing, financial reporting and trusted IT each followed different recovery curves.
LockerGoga was disruptive without being an industrial-control worm
LockerGoga's behavior matters because the phrase "industrial ransomware" can suggest that malicious code directly manipulated furnaces, turbines or programmable controllers. The public evidence supports a more careful account.
The Center for Internet Security's March 2019 primer said LockerGoga did not target or infect industrial control systems as such. Its effect on business and production networks connected to industrial operations could still force costly downtime and manual production. The primer described a manually deployed encryptor: the malware itself did not self-propagate, while attackers were reported to use administrative access and other tools to move through networks and distribute it. Some variants cleared event logs, encrypted files, logged users off, changed local passwords or disabled network interfaces. Those behaviors can make an enterprise environment unusable even without issuing a malicious command to a physical controller. (CIS LockerGoga primer)
Dragos similarly warned against treating every operational effect as proof of malware purpose-built for OT. The important exposure was the set of IT-based services that industrial operations rely upon: identity, order information, production scheduling, engineering files, quality data, reporting and communications. A ransomware campaign can reach physical output by making those dependencies unavailable or untrustworthy. (Dragos on IT ransomware in ICS environments)
Later Dragos analysis described LockerGoga intrusions as interactive campaigns in which attackers explored networks before coordinated encryption. It also noted unusually disruptive features and uncertainty about whether the Hydro variant would have supported reliable decryption. The researchers expressly stopped short of concluding that the event was state-sponsored disruption rather than financially motivated crime. That boundary is important. Disruptive effect is established; ultimate motive is not resolved by malware behavior alone. (Dragos LockerGoga retrospective)
The initial-access story deserves the same care. Microsoft's later feature, produced with Hydro interviews and operational images, said an employee opened an infected email from a trusted customer about three months before encryption. Dragos also reported spoofed legitimate customer communication. These are credible accounts connected to participants and responders. They are not a public, independently reviewable forensic report that sets out headers, identities, timestamps, privilege changes, detection opportunities and every affected boundary. The safest conclusion is that a trusted-business communication was reported as the entry route and that attackers then had time to prepare broad encryption. It is not safe to reduce the event to one careless click or one employee's fault.
The broader criminal investigation reinforces the interactive-campaign model. A 2021 Eurojust operation concerning actors associated with LockerGoga, MegaCortex and other ransomware described access through several methods, lateral movement with common post-exploitation tools, long periods of network exploration and later ransomware deployment. That is group-level and campaign-level evidence, not a forensic attribution of every step inside Hydro. (Eurojust's 2021 coordinated action)
Accountability therefore has at least two layers. The attackers are responsible for intrusion, extortion and damage. Hydro remained responsible for how trust zones, privileged access, monitoring, backup, recovery, local operations and stakeholder obligations shaped the consequence. One does not cancel the other.
Isolation was an operating decision, not just an IT action
Hydro's shutdown of systems expanded the visible outage, but that does not make it a mistake. When the integrity of a network is uncertain, continued connectivity can increase the attacker's reach, corrupt recovery evidence or make physical operations dependent on data that can no longer be trusted. Containment trades present availability for reduced future harm.
Hydro publicly stated that many systems were shut down to stop spread even though they were not known to be infected. This matters for accountability because outage metrics often conflate criminal damage with defensive interruption. The attacker created the condition. Management and responders chose isolation as the safer operating state. Both facts belong in the incident record.
The decision also exposed where local operations could stand alone. Energy and Bauxite & Alumina continued normally according to company updates. Primary Metal and Rolled Products maintained output with greater manual effort. Extruded Solutions, which depended more heavily on production systems and customer-order flows, lost much more capacity. That variation is more informative than a company-wide uptime percentage. It maps dependence.
NIST's operational technology guidance emphasizes that OT security must account for reliability, performance and safety requirements, not only conventional information protection. It is a later, general benchmark, not an audit of Hydro. It helps explain why reconnection must be staged: an industrial system should not be declared recovered merely because a server boots or a network route opens. The operator needs confidence in configuration, identity, data, safety interlocks, dependencies and monitoring. (NIST SP 800-82 Rev. 3)
Hydro's public sequence reflected that logic. The company described identifying a recovery method, cleaning and reviewing systems, rebuilding encrypted assets from backups, and reopening in a controlled manner. The later incident summary says every PC and server was reviewed, cleaned and safely restored. The scale and categorical phrasing are Hydro's own account; no public independent audit verifies every endpoint. Still, the stated method shows why a decryptor alone would not have resolved the trust problem.
What manual fallback proved
Manual operations provided evidence of at least six capabilities.
First, some sites retained local process authority. People at plants could decide what to run, what to stop, what to simplify and when a process remained safe. Central digital coordination had not eliminated all local command. That is a continuity asset because a fallback that requires approval from an unavailable identity, messaging or approval system is not a real fallback.
Second, operational knowledge existed outside live applications. Workers could use paper records and experience to execute at least some orders. Retirees and former employees familiar with older procedures reportedly helped. This demonstrates retained knowledge, but it also reveals a succession risk: if continuity depends on people who remember a retired process, the capability can disappear as the workforce changes.
Third, production could be segmented by complexity. Later accounts from Hydro leaders distinguished simpler or emergency orders that could be produced manually from sophisticated work needing advanced automation. This is a mature continuity principle. A degraded mode should define its service catalog. It should not pretend that every normal product, entitlement or case can be processed with equal confidence.
Fourth, safety was treated as a gating condition. Hydro repeatedly said no safety incident had resulted and emphasized safe restart. That does not prove risk was absent. It shows that output was publicly subordinated to a safety condition, giving employees and managers a defensible basis to decline unsafe activity.
Fifth, the company had a distributed emergency structure. Microsoft quoted Hydro's description of preparedness at corporate, business-area and plant levels. Alternate communications, external partners and local action allowed the organization to operate while its ordinary network was suspect. The photographed paper warnings are a small but telling example: the message path did not depend on the channel being quarantined.
Sixth, backups supported a rebuild rather than an extortion payment. Hydro said encrypted PCs and servers were rebuilt from backups. Backups were not an instant return to normal, but they preserved an independent recovery option. That option strengthened management's ability to refuse the ransom and reduced the attacker's control over the recovery decision.
These are meaningful controls. They deserve recognition because they reduced physical, commercial and possibly environmental harm. But none should be converted into a claim that the event was well contained in every respect.
What manual fallback did not prove
Manual operation did not prove capacity parity. Extruded Solutions at roughly 50 percent was continuing, but half-capacity is a major interruption. Building Systems remained nearly stopped a week into the incident. Even where production was reported as normal, Hydro described the work as intensive and exceptional. A throughput number can conceal double shifts, queues, deferred maintenance, supervisory load and accumulating paperwork.
It did not prove full product capability. Simpler orders can keep equipment warm, preserve selected deliveries and reduce a customer's immediate shortage. They cannot necessarily satisfy complex tolerances, sequencing, traceability, customization or regulatory evidence. "We can make something" and "we can perform the contracted service" are different statements.
It did not prove data integrity. Paper records may preserve individual transactions, but enterprise processes depend on consistent versions of customer orders, inventory, pricing, credit, shipment, quality and payment data. If one plant acts on an old printout while another team records a change elsewhere, the eventual reconciliation is a control problem of its own. Hydro's delayed billing, invoicing, reporting and first-quarter results show that the information backlog outlived the most visible production loss.
It did not prove sustainable staffing. Manual work moved effort into employees. Hydro praised 35,000 colleagues for maintaining output, and public accounts describe retirees returning and staff working with paper. That effort can be effective in an acute phase. Over weeks, it raises fatigue, error, health, fairness and burnout questions. A continuity plan that works only through unbounded overtime is consuming human resilience rather than demonstrating organizational resilience.
It did not prove that prevention controls had been adequate. Recovery competence can coexist with a serious failure of access control, segmentation, monitoring or response timing. Conversely, the fact that an attacker succeeded does not by itself prove negligence or identify one failed product. Hydro has not published enough technical evidence for such a judgment.
Finally, manual production did not prove that harm stayed inside Hydro. Customers may have received late or simplified orders. Suppliers and logistics providers had to coordinate through changed channels. Smaller counterparties may have faced working-capital pressure when billing and payment processes slowed. Public authorities and outside specialists committed scarce response capacity. Continuity reduced those effects; it did not erase them.
The financial record is a sequence, not one number
Hydro's cost disclosures changed as the company learned more. This is normal in a live recovery, but it creates room for misleading summaries.
On March 26, Hydro estimated NOK 300-350 million for the first full week, mainly lost margins and volume in Extruded Solutions. An April 30 operational update raised the preliminary first-quarter estimate to NOK 400-450 million. The completed first-quarter report, delayed until June, later estimated NOK 300-350 million for the quarter. The preliminary and final first-quarter figures should not be silently merged; Hydro revised its estimate. (Hydro's April 30 operational update; Hydro's Q1 2019 report)
The second-quarter report added an estimated NOK 250-300 million impact for that quarter, of which NOK 150-200 million related to Extruded Solutions. By quarter end, operations were largely back to normal. (Hydro's Q2 2019 report)
The 2019 annual report settled on an estimated NOK 650-750 million financial impact. It described the main effect as lost sales caused by lost production ability and inability to receive and process sales orders during March and April, plus remediation of systems and data. Hydro recognized NOK 216 million of insurance compensation in 2019 and said more claim documentation was in progress. (Hydro Annual Report 2019)
In 2020, Hydro reported NOK 496 million in additional insurance compensation related to the 2019 attack. Added arithmetically, the recognized 2019 and 2020 amounts equal NOK 712 million. That arithmetic should not be presented as a precise reimbursement ratio without the policy, deductibles, claim allocation, currency and accounting detail. It does show that insurance shifted a substantial portion of the recognized corporate loss into the insurance system over time. (Hydro Annual Report 2020)
Hydro's incident page, updated in 2024, says total cost was around NOK 800 million. That later rounded figure is higher than the annual report's 2019 estimate range. It may reflect a later view, a broader scope or simple rounding, but the page does not reconcile the measures. The responsible presentation is to preserve both and explain the dates, not to choose whichever produces the strongest headline.
None of these numbers is total social cost. Company financial impact may include lost margin and remediation, but it does not automatically measure employee overtime or exhaustion, delayed customer production, supplier cash flow, public investigation cost, insurer administration, future premiums or the opportunity cost of specialists diverted from other risks.
Who carried the cost
The first bearer was Hydro. It lost production and order-processing capability, paid for response and rebuild, delayed financial reporting, and exposed its leadership and control environment to scrutiny. Shareholders bore earnings effects and uncertainty. Management carried decision responsibility for isolation, ransom refusal, prioritization, disclosure and recovery.
Employees carried a different cost. They provided the manual capacity celebrated in public accounts. They also absorbed more complex work, uncertain information, changed shifts, paper reconciliation and responsibility for operating heavy industrial processes under abnormal conditions. Insurance can reimburse a covered corporate loss. It cannot return attention, sleep or risk exposure to the people who supplied the fallback.
Customers carried schedule and substitution risk. Hydro used stock to keep some deliveries moving and prioritized continued production. That is evidence that customer continuity mattered. It is also evidence that ordinary flows were constrained. A large automaker or construction supplier may have inventory, alternate sourcing and contractual leverage. A smaller fabricator may have less buffer and less ability to finance a delay. The public record does not quantify customer losses, so the analysis should identify the mechanism without inventing a total.
Suppliers and service providers carried coordination and liquidity risk. Hydro's own updates referred repeatedly to limiting effects on suppliers and partners. Payroll, treasury, billing and invoicing interruptions show how a cyber event can reach parties whose systems are intact. If a purchase order cannot be confirmed, a delivery cannot be matched or an invoice cannot be processed, the downstream party effectively finances part of the interruption.
Insurers ultimately carried a substantial recognized amount. This was not the same as making the incident disappear. Coverage socialized part of Hydro's loss across insurer capital and future pricing. AIG's identification as lead insurer also indicates that the insurance relationship was part of incident governance from the first week, not merely a later reimbursement exercise.
The public sector carried investigation, coordination and defensive-learning costs. Hydro reported to Kripos and cooperated with NSM. International investigation later involved police, prosecutors and agencies across several countries. Public response generated benefits beyond Hydro, including threat information, arrests, decryption capability and future deterrence, but it consumed public resources to do so.
The attackers sought to force all of these groups to value speed over trust. The ransom demand attempted to convert operational dependence into payment. Hydro's refusal denied that immediate transfer, but the recovery bill still had to be paid somewhere.
Refusing to pay was enabled by controls and capacity
Microsoft's account says Hydro executives decided at an emergency meeting not to pay, to bring in Microsoft's response team, and to communicate openly. The refusal is often presented as a matter of corporate character. Character mattered, but the decision was also enabled by material conditions: viable backups, experienced staff, alternate production methods, external expertise, insurance, liquidity and the ability to tolerate weeks of degraded work.
That distinction matters for SMEs and public bodies. Telling a small manufacturer or a municipality to "be like Hydro" is empty unless it has protected backups, restore skills, legal advice, alternate communications, authority to prioritize services and cash to survive the interval. A policy against payment must be funded as a recovery capability.
Norway's NSM now advises organizations not to pay because payment does not guarantee compliance, may leave systems untrustworthy, can signal willingness to pay again and funds crime. Its detailed guidance also calls for separate communication channels, offline contact information, protected and diverse backups, restoration exercises, dependency-aware recovery order and plans for staff rotation over incidents lasting weeks or months. Those recommendations explain the infrastructure behind a credible refusal. (NSM ransomware measures)
Payment would not have eliminated Hydro's need to investigate and rebuild. A decryptor can make files readable; it cannot prove that credentials, persistence, configurations and data are trustworthy. LockerGoga variants also raised questions about reliable decryption. The refusal should therefore be understood as a refusal to let the attacker's promised tool define recovery, not as a claim that the alternative was cheap.
Transparency became an operational control
Hydro's communications did more than protect reputation. They helped coordinate a dispersed system of employees, customers, suppliers, authorities, investors and responders.
The company held frequent press and analyst briefings, published business-area capacity, identified continuing workarounds, disclosed preliminary cost estimates and named public authorities and the lead insurer. Microsoft's account says executives held daily press conferences and webcasts, answered questions, opened control rooms to journalists and created a replacement website during the first week. When the ordinary information environment was impaired, public communication became an alternate service channel.
This reduced ambiguity for counterparties. A customer deciding whether to seek another source could see that Extruded Solutions was at 50 percent and later 70-80 percent. A supplier could understand that invoicing and treasury systems might be delayed. An employee could receive a clear instruction not to connect equipment. Investors could distinguish normal output in one division from serious impairment in another. Authorities could use shared information to warn other possible targets.
Transparency also imposed discipline on management. Publishing capacity percentages and recovery stages created statements that could later be compared with financial reports. The April disclosure that production was near normal but reporting, billing and invoicing remained delayed prevented "production restored" from becoming "incident over." The delayed first-quarter report itself became evidence of control impact.
But openness has boundaries. Hydro did not publish a full forensic timeline, complete affected-asset inventory, identity path, segmentation analysis, backup test history, ransom amount or detailed customer-loss assessment. Daily communication can be candid and still be selective. It should be credited for what it established, not treated as independent assurance of what remained undisclosed.
The strongest lesson is therefore not "tell everything immediately." It is to communicate operationally useful facts at a level that stakeholders can act on, update them as confidence changes, preserve uncertainty, and maintain an audit trail. The United Kingdom's Counter Ransomware Initiative guidance now recommends an offline record of incident decisions and an auditable explanation of workarounds, operational effects, customer and employee harm, supply-chain effects and payment reasoning. That is a later general standard, but it captures what made Hydro's record valuable. (CRI guidance for organizations during ransomware incidents)
Later controls: evidence of change, not proof of completion
Hydro's later disclosures identify several changes. Its incident summary says encrypted PCs and servers were rebuilt from backups and its security team was reorganized to detect and respond better. The 2019 annual report said the company launched initiatives to increase infrastructure robustness, educate employees and improve secure work processes and routines. The board's annual reporting said the attack was high on its 2019 agenda.
The 2020 annual report described a revised cyber program, infrastructure improvements, employee education and the reorganized security team. It also retained an important caveat: initiatives might fail to deliver expected results or be insufficient against future attacks. That is a more credible control statement than a declaration that the problem was solved.
Microsoft quoted Hydro's CIO saying the goal was improved response that could limit a future event in time and geography. This is the correct resilience target. Prevention remains necessary, but the organization also needs to reduce dwell time, privileged reach, cross-site propagation, recovery delay and dependence on improvised human effort.
Hydro's 2025 integrated annual report still classifies a major cyber breach as a business risk. It says the company is improving cyber and information-security risk management, moving toward a global information security management system, and continuing employee and management training. It also identifies operational disruption, HSE events, financial loss and data leakage as possible consequences. (Hydro Integrated Annual Report 2025)
These statements show governance attention and program direction. They do not independently prove that segmentation, identity, OT boundaries, backups or exercises now meet a particular benchmark. Later-control reporting should be assessed with evidence such as tested restore times, plant-level degraded-mode exercises, privileged-path reviews, recovery dependency maps, supplier tests, audit findings and board remediation tracking. The public record does not provide that level of assurance.
Criminal accountability moved on a much slower clock
Operational recovery took weeks and months. Criminal accountability has taken years.
Eurojust reported that a joint investigation team involving Norway, France, the United Kingdom and Ukraine was established in 2019, followed by a 2021 action against twelve people suspected in ransomware attacks affecting more than 1,800 victims in 71 countries. Norwegian police later reported a 2023 breakthrough in the Hydro investigation: an Armenian national suspected of a key role was arrested in Germany and surrendered to Norway, while further arrests occurred in Ukraine. (Norwegian Police Cybercrime 2024 report)
In September 2025, the US Department of Justice announced charges against a Ukrainian national alleged to have administered LockerGoga, MegaCortex and Nefilim schemes. The department said LockerGoga and MegaCortex decryption keys had been made publicly available through the No More Ransom project in 2022. The charges are allegations; the defendant is presumed innocent unless proved guilty. The announcement does not by itself adjudicate responsibility for each act in the Hydro intrusion. (US Department of Justice announcement)
This long timeline reinforces the value of early reporting. Hydro could not condition recovery on an arrest, and law enforcement could not promise immediate redress. Yet preserved evidence, timely authority contact and international information sharing created options that eventually reached beyond one company's restoration.
What SMEs should take from Hydro
Small and medium-sized enterprises should not copy Hydro's scale. They should copy the structure of the questions.
Define the minimum viable service. A small manufacturer should identify which products can be made safely without networked scheduling, which quality evidence must still exist, and which customers or obligations take priority. A professional firm should define which cases can proceed with offline records and which must pause. "Operate manually" is too vague to test.
Measure manual capacity. A fallback should state transactions per hour, trained people per shift, supervision, approval rules and expected error or rework. If normal digital throughput is 500 orders and paper throughput is 40, the continuity plan must contain a queue policy. Hydro's divisional percentages made this gap visible.
Keep critical references independently available. Contact trees, safety limits, customer priorities, supplier contacts, insurance details, response authority and core procedures should not exist only inside the environment that may be quarantined. This does not mean printing every database. It means deliberately selecting the information needed to operate safely and communicate.
Protect recovery from ordinary administration. Backups need separation from production identities and tested restore procedures. CISA's StopRansomware guide recommends offline or otherwise protected backups, segmentation, least privilege, response planning and exercises. It specifically recognizes the resource constraints of smaller organizations and points them toward shared and managed capabilities where appropriate. (CISA StopRansomware Guide)
Plan for cash and counterparties. An SME may be technically able to restore while failing financially during the delay. Insurance, emergency liquidity, alternate invoicing, customer communication and supplier-payment priorities belong in cyber continuity. Hydro's delayed administrative systems show why production recovery alone is insufficient.
Do not build a plan around retired memory. Experienced former workers helped Hydro, but that is a fortunate reserve, not a durable control. Capture knowledge, train current alternates and run the manual process under realistic conditions. ENISA's cybersecurity guidance for SMEs emphasizes backups, disaster recovery, roles and incident planning; the Hydro case adds the need to test the actual service envelope, not just whether a file can be restored. (ENISA Cybersecurity Guide for SMEs)
Buy response capability before the emergency. Hydro could summon Microsoft, security firms, insurers and government authorities. A smaller organization needs prearranged contacts, contractual response times, decision authority and clarity about what its managed provider will restore. A phone number discovered during an outage is not a response plan.
The point is not to demand a large-company budget from a small firm. It is to force honest matching between promise and capacity. A narrow, tested manual service is more accountable than an ambitious plan that has never been run.
What public services should take from Hydro
Public bodies face an additional constraint: they often cannot choose only the easiest customers or most profitable services. A municipality, hospital, court, benefits agency or utility has duties involving legality, equality, evidence and life safety. Manual continuity must preserve those duties, not only output.
Service prioritization needs public criteria. Hydro could prioritize emergency and simpler orders to protect customer production. A public body needs a lawful method for prioritizing urgent care, vulnerable residents, statutory deadlines or safety cases. The reason for deferral should be recorded and reviewable.
Manual service can create an access penalty. Citizens with mobility, language, disability, distance or documentation barriers may be harmed more when a digital service falls back to telephone or paper. Continuity metrics should include who cannot use the fallback, not merely how many cases were processed.
Records remain public controls. A handwritten decision can be valid, but it must later be reconciled without duplication, loss, retroactive alteration or hidden queue jumping. The CRI recommendation to keep offline decision records is especially important where decisions are appealable or subject to freedom-of-information, audit and judicial review.
Shared infrastructure changes the boundary. Local public services often depend on common identity, payments, cloud platforms, telecoms and specialist suppliers. ENISA's 2025 public-administration analysis warns that compromise of shared systems or providers can cascade across multiple entities. It recommends architectural resilience, segmented networks, strong identity controls and improved preparedness. (ENISA on threats to public administration)
No-ransom policy requires funded restoration. A public prohibition on payment can reduce criminal incentives and avoid direct funding of extortion, but it does not restore a service. The United Kingdom's policy for government bodies links its no-payment position to response and recovery planning, service protection and resilient systems. (UK government policy on ransom attacks)
Exercises should join cyber response to business continuity. NIST describes manual processing as a short-term contingency option, not a permanent substitute for systems. Its contingency-planning guidance calls for business impact analysis, recovery priorities, plans, testing and maintenance. Public bodies should exercise the point at which a manual queue becomes unsafe, unlawful or impossible to reconcile. (NIST SP 800-34 Rev. 1)
Hydro's experience is useful to public services because it shows a large organization maintaining selected physical functions while central information systems were uncertain. The transfer is not industrial technique. It is the discipline of defining degraded service, protecting human safety, communicating limits and preserving a record that can later support accountability.
An accountability test for manual recovery
Boards, public executives, risk committees, insurers and service owners can test a manual fallback with ten questions.
- Activation: Who can declare the digital process untrusted, and what evidence triggers isolation or manual mode?
- Safety: Which tasks may continue, which must stop, and who has unquestioned authority to stop them?
- Scope: What exact products, cases or transactions can the fallback process, and what complexity is excluded?
- Capacity: What throughput can be sustained for one shift, three days and three weeks, with what staffing and error rate?
- Information: Which records, contacts, procedures and priorities are available independently of the affected environment?
- Integrity: How are approvals, changes, quality checks, identity and duplicate transactions controlled while systems are offline?
- Equity: Which customers, suppliers, employees or citizens bear delay, extra cost or reduced access, and how will that burden be mitigated?
- Reconciliation: How will paper and alternate-system records be validated and entered after restoration without loss or double action?
- Recovery: Which systems must return first, what dependencies govern the order, and when was that sequence last tested?
- Disclosure: Which operational facts, uncertainties, decisions and cost measures will be communicated, by whom and through what independent channel?
Hydro's response shows strength on several visible parts of this test: rapid isolation, safety priority, divisional status, alternate communication, backup-led rebuild, authority engagement and evolving financial disclosure. The public record is thinner on manual error, customer prioritization criteria, reconciliation outcomes, staff burden, detailed control failure and independently tested post-incident remediation. That is not a verdict of failure. It is the remaining accountability boundary.
Conclusion
Norsk Hydro's manual production should neither be dismissed as improvisation nor elevated into a comforting legend. It was a real control that preserved selected output and reduced harm. It worked because people retained knowledge, plants retained some autonomy, safety constrained action, alternative communications existed, backups supported rebuilding and the company could fund a long recovery without accepting the attacker's terms.
The same evidence shows the limit. Extruded Solutions lost major capacity. One unit remained nearly stopped after a week. Administrative systems lagged production. Employees supplied intensive labor. Customers and suppliers waited. Financial reporting moved. Insurers absorbed recognized losses later. Police and security authorities worked for years toward criminal accountability.
Hydro's unusual contribution was to make much of that progression public while it was happening. Capacity percentages, manual-work descriptions, delayed processes, revised estimates, insurance recognition and later control statements allow outsiders to see continuity as a distribution of function and cost rather than a binary claim of resilience.
That is the durable lesson for SMEs and public services. A manual fallback proves only what it has safely processed, for as long as it can be staffed, with records that can be reconciled and burdens that can be defended. The control is not the paper. The control is the organization's ability to state, test and account for what the paper can and cannot replace.

