Cybersecurity Roadmap: Volue After the Ransomware Attack

In the Spring of 2021, Volue was the subject of a serious cyberattack. Kevin Gjerstad, CTO of Volue, shares some important lessons along with Volue’s cybersecurity roadmap.

I’ve been part of security incident response teams and events over the years. The first time was in 1997 when I was working at Microsoft in Seattle and there was a security breach involving Internet Explorer 3.0.

You prepare to respond to an attack but you don’t know how an organization will perform under the stress of an actual incident.

As a CTO of Volue, I’m responsible for the R&D function, some 200 developers, product development and technical strategy. Cybersecurity is an important focus area for the entire organization.

The ‘new normal’

Early in the morning of 5 May 2021, I received messages on several channels saying that we had a serious cybersecurity attack. We had used such a notification routine for relatively minor incidents in the past but this time it was clear we needed to utilize a full security incident response.

The first thing that ran through my head was that we needed to prioritize protecting asset and data integrity, as well as production services. A CTO’s worst fear is that a cyber attacker manages to breach the company’s systems and exfiltrate or destroy critical customer data.

It turned out that Volue had been hit by RYUK, a ransomware family known for targeting large, public-entity Microsoft Windows systems.

You might say that many companies experience cyberattacks and Volue isn’t special. However, Volue provides services critical to society – core services we all rely on such as energy, power grid, water and infrastructure, and we know that the energy and critical infrastructure sector has increasingly become targeted.

In the same week Volue was attacked, there was a cyberattack on Colonial Pipeline, the largest fuel pipeline in the U.S. The pipeline was shut down.

An attack on a company like Volue is an attack on all of us.

Volue under the cyberattack

Volue has policies and processes for this scenario but it still took a while before we could mobilize a larger part of the organization.

Within 30 minutes of the cyberattack, we had 'boots on the ground'.

In the subsequent hours and days, we communicated about the incident openly and transparently and set up daily webcasts. More than 500 people tuned in every day. We worked with KraftCert to help us communicate with customers while our partner ATEA did extensive forensics. Fortunately, there was no evidence of data exfiltration – personal or critical infrastructure data.

Very early in the response, we were focused on understanding the risk to specific products and services, as well as customer data. It was critical that customers and products that were unaffected could restore normal operations as soon as possible.

Just over a week into the incident, more than 95% of customers and applications were deemed safe.

This incident is something that the organization has really learned from. For some who had never been through something like this, cyber threats have moved from a hypothetical threat exercise to something with real consequences and urgency.

I am proud that we openly communicated and collaborated. Many have praised us for our transparency and openness. In the first hours, however, we weren’t fast enough to notify customers with sufficient information and that is a learning point for us.

Even though our response wasn’t perfect by any means I can honestly say that I’m proud of the way Volue responded and worked through the attack.

Going forward: investment in technology and people

Our approach to the cyberattack has been ‘Build back better’. Although we have a long list of things that are ongoing, significant progress was achieved in a matter of weeks.

We know however that there is much to do, to learn and improve and that this will require constant investment and attention.

Cybersecurity preparedness means investment in technology, people, training, penetration testing, and working with the community. Volue is significantly increasing these investments in line with the ‘new normal’ threat landscape we face in our industries.

What is in the Volue roadmap now?

We are investing heavily in security both for the benefit of Volue internally and the services and products we have on behalf of our customers.

We have security initiatives in 12 categories and each category is a significant project on its own. I’m not going to cover it all here but just highlight a few things:

  • We have accelerated the migration to a new Volue and cloud-based infrastructure. We’ve reduced on-prem servers after the cyberattack and are fully utilizing the cloud capabilities for monitoring, disaster recovery, security appliances, encryption, and more.

  • We are expanding our ISO 27001 / 9001 certification to include all Volue units. This is the international standard for information security. It addresses people, processes and technology. It is recognised worldwide as an indication that you follow information security best practices. It’s one indication and measure of Volue’s security commitment.

  • We have previously worked with security partners on regular penetration testing and will continue to invest in it. Penetration testing helps us find out where we are most likely to face an attack and, of course, fix the issue. Going forward, further penetration tests will be conducted by an external company.

  • We have seen the value of creating secure backups of data on a regular basis and with a high level of encryption. These backups should be offsite and isolated, with restricted, just-in-time access control, and secured credentials. We will test and practice the restore capability so that we’re sure it works as intended.

  • We have put multi-factor authentication in place for our services and are strongly encouraging all of our customers to enable this in their own Azure Active Directories. MFA is a must to help thwart attacker access from compromised credentials. We are also reviewing access controls and roles to protect against social engineering attacks.

  • Training and testing are important aspects for us going forward. Over 90% of cyberattacks start with phishing emails. Security training is very important because it helps employees and customers understand the role they play in combating security breaches. It’s about cyber hygiene and the ability to identify cyberattacks when they happen via email or on the internet.

  • Last but not least, we want to set a new standard when it comes to managing customer data. Beyond GDPR, there are a few defined best practices. We have an opportunity to up our game in this area and give our customers the information and that extra confidence in Volue’s data handling.

It is possible for organizations to prepare and defend against the worst impacts of a ransomware attack. It takes investment in technology and people to face this challenge.

All of us working in energy and critical infrastructure must consider this a high priority. And we should work together.

What is ransomware and what is RYUK?

A ransomware attack is one where an attacker gains access to resources or systems, typically through phishing, and then encrypts the stored data. Once encrypted, the data cannot be accessed unless a ransom is paid, usually in a cryptocurrency.

RYUK is a type of ransomware known for targeting large, public-entity Microsoft Windows systems. It was a RYUK ransomware attack that hit Volue on 5 May 2021.

Though we’re often dealing with highly skilled threat actors, the tools and techniques for ransomware attacks have become accessible to even amateur hackers. And cryptocurrencies make the untraceable payment aspect possible.

Ransomware attacks are on the rise globally. The energy and infrastructure sector has increasingly become targeted. This is the ‘new normal’ that we all have to come to terms with. Recorded Future, a security firm that tracks ransomware attacks, estimated that there were 65,000 successful ransomware attacks last year, or one every 8 minutes.
