A foundation for knowing your cyber vulnerabilities
The digital revolution is happening.
Advanced technologies that blend hardware and software with Big Data – a combination of automation, Wi-Fi sensor technologies, cloud-based systems and data analytics – have the potential to profoundly change the face of mining forever.
These technologies show good promise to safeguard health and safety, improve collaboration, increase operational efficiency and productivity, and strengthen resilience while ensuring long-term sustainability and profitability.
But as digital systems and connected devices become more prevalent, mining companies need to remain diligent in keeping cybersecurity top of mind.
The number, frequency and sophistication of cyber-attacks continue to increase across all industries as hostile actors seek to inflict harm – disrupting operations, damaging equipment and the environment, and causing injury to personnel.
No industry is immune to the challenge, and today’s technologically advanced mining operations are at risk.
Overall, the mining industry is being proactive when it comes to establishing cybersecurity programs. Ensuring security is a highly complex endeavour for any industry, but perhaps more so for mining, which involves large-scale, geographically dispersed locations with thousands of assets.
‘Security by obscurity’ no longer
Like other operational process control sectors – such as manufacturing, pharmaceuticals and energy, water and oil and gas utilities – mining companies rely on information technology (IT) systems that interface with operational technology (OT) systems. IT systems are used to process data, including software, hardware, communications technologies and related services, while OT systems consist of the hardware and software used to monitor and/or control the devices used in enterprise operations.
As IT and OT systems become increasingly integrated and march along the path to convergence, gone are the days of “security by obscurity” – the belief that systems can be secure through secrecy, or by simply being unknown. Considering the growing prevalence of technology in mining, operators need to take a more deliberate approach to protect their operational, process control, health, safety and environmental data centre security, supervisory control and data acquisition (SCADA), programmable logic controllers (PLCs) and other industrial control system devices and equipment.
information is necessary to implement an effective security program – fundamentally speaking, you can’t protect what you don’t know you have.
Four steps to an OT cybersecurity solution
An important first step for any mining company working to secure its digital assets is to establish an authoritative OT cybersecurity asset data management solution to formally control and maintain all cybersecurity-related data. This can be accomplished by following these four steps:
1 Define and identify critical mining assets and OT digital systems
When developing a cybersecurity program business case, it is necessary to balance costs with enhanced security risk reduction. To do this, mining companies should identify those assets that are both vulnerable to cyber-attack and critical to maintaining operational safety and reliability. Because there are few to no mining-specific regulations around cybersecurity, Black & Veatch defines these assets as critical mining assets and their associated critical OT digital systems.
- Critical mining assets are those mechanical and/or electrical systems/assets used to perform real-time monitoring, command and/or control (via human or electro-mechanical means) of one or more of the following operational mining functions: commodity processing, drill, blast, load, haul, crush, convey, mill, leaching, etc.
- Associated critical OT digital systems are those cyber systems used to monitor or provide command and/or control of the real-time critical mining assets.
2 Establish an OT asset data system of record (SOR)
The OT Asset Data SOR serves as a formally controlled and maintained asset data repository for all critical mining assets and associated critical digital systems.
The SOR should contain up-to-date information documenting key asset attributes that identify, physically locate, characterize and associate an entity’s critical mining assets and associated critical digital systems; including, at a minimum, the following asset-level data attributes:
- Critical mining assets such as drill platforms, blast systems, loaders, haul trucks, crushers and conveyors: physical location, make, model, serial number, asset type, functional parameters, asset owner, etc.
- Critical OT digital assets such as system applications, databases, computers and other devices: physical location, make, model, serial number, asset type, host ID/name, IP address, serial connectivity, asset owner, key hosted applications, etc.
Applicable OT system/component configuration information is also required to support the security configuration management and monitoring requirements of later steps.
Many mining companies will find that the most convenient and available SOR repository for cybersecurity-related asset data is their existing Enterprise Asset Management (EAM) system. These systems already contain critical mining asset and related physical attribute data, reducing the complexity and cost of adding cyber-related attributes to a separate repository.
But mining companies should note that the sensitive nature of the data contained within the SOR means that caution must be taken when establishing user access and change controls. Restricting access should be commensurate with the security and controls of the physical and OT assets for which the data is associated.
3 Identify and eliminate OT cybersecurity asset data gaps
Once the critical mining assets and associated critical OT digital systems have been defined, the next step is to identify the actual assets and systems and to inventory their cybersecurity data. This is an important step that will help operators discover information gaps related to the completeness, accuracy and location of data.
To do this, mining companies should develop a process for collecting missing or inaccurate cybersecurity-related asset data. This process should specify data collection and storage methods as well as provide for the transfer of existing data from outside systems to the appropriate SOR.
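A minimal sketch of the gap check described in step 3, run over an SOR export using the minimum attribute lists from step 2. This is an added example, not Black & Veatch's tooling; the field names, the `monitors` link between a digital system and its mining assets, and the sample records are assumptions constructed for illustration.

```python
import ipaddress
from collections import defaultdict

# Minimum attributes per the article; field names are assumptions of this example.
COMMON = ["physical_location", "make", "model", "serial_number", "asset_type", "asset_owner"]
REQUIRED = {
    "mining": COMMON + ["functional_parameters"],
    "ot_digital": COMMON + ["host_name", "ip_address", "serial_connectivity",
                            "key_hosted_applications"],
}

def find_gaps(records):
    """Return sorted (asset_id, issue) pairs for an SOR export."""
    gaps, by_ip = [], defaultdict(list)
    mining_ids = {r["asset_id"] for r in records if r["class"] == "mining"}
    for r in records:
        aid = r["asset_id"]
        gaps += [(aid, f"missing {a}") for a in REQUIRED[r["class"]]
                 if r.get(a) in (None, "", [], {})]
        if r["class"] != "ot_digital":
            continue
        if r.get("ip_address"):
            try:  # normalise so equivalent spellings of one address collide
                by_ip[str(ipaddress.ip_address(r["ip_address"]))].append(aid)
            except ValueError:
                gaps.append((aid, f"invalid ip_address {r['ip_address']}"))
        # "monitors" (hypothetical field) links a digital system to its mining assets
        gaps += [(aid, f"monitors unknown asset {t}") for t in r.get("monitors", [])
                 if t not in mining_ids]
    for ip, ids in by_ip.items():
        if len(ids) > 1:  # two inventory records claiming one address
            gaps += [(aid, f"duplicate ip_address {ip}") for aid in ids]
    return sorted(gaps)

# Constructed sample records (not real assets); unspecified attributes are filled in.
def _rec(asset_id, cls, **overrides):
    base = {a: "recorded" for a in REQUIRED[cls]}
    return {**base, "asset_id": asset_id, "class": cls, **overrides}

SAMPLE = [
    _rec("CRUSH-01", "mining"),
    _rec("HAUL-07", "mining", serial_number=""),
    _rec("PLC-01", "ot_digital", ip_address="10.20.0.5", monitors=["CRUSH-01"]),
    _rec("HMI-02", "ot_digital", ip_address="10.20.0.5", monitors=["CONV-09"],
         asset_owner=None),
    _rec("HIST-03", "ot_digital", ip_address="10.20.0.300", monitors=["HAUL-07"]),
]

if __name__ == "__main__":
    for asset_id, issue in find_gaps(SAMPLE):
        print(f"{asset_id}: {issue}")
```

Each reported pair is a work item for the data collection process: a blank attribute to fill, an address to reconcile in the field, or an association pointing at an asset the SOR does not yet hold.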
4 Establish cybersecurity asset data governance, policies, maintenance procedures, and change management protocols
Policies and procedures that govern when and where the technology may be delivered and applied, who may use it, and the data to be collected and maintained, will be necessary to establish a complete OT cybersecurity program. Operators should review existing IT security policies and procedures, conduct an OT technologies gap analysis, and update current governance documents to either include OT or create analogous OT-specific governance policies and procedures. A subset of these policies and procedures should include Disaster Recovery and Incident Response plans that should also be reviewed and updated to cover both OT and IT.
Change management will also be critical to providing information, rationale and guidance to help employees understand the purpose of the new OT cybersecurity strategy as well as how to apply these technical, operational and procedural changes. Effective execution requires proactive communication, co-ordination, scheduling and training.
All parties will need to understand the changes, when they will take effect, and if they require any new instructions, training, devices, tools, or credentials to successfully perform their assigned tasks.
Conclusion
Advanced systems will play a larger role as mining companies increasingly turn to technology to drive operational improvements.
It’s already happening – according to a 2015 IDC Energy Insights global survey, 69% of mining companies are investigating remote operation and monitoring centres, 56% are looking at new mining methods, 29% are eying robotics and 27% are considering unmanned drones.
With these numbers in mind, it’s not a stretch to expect to see advanced technologies become more prevalent at mining sites in the not too distant future, making it imperative that mining companies work to establish effective cybersecurity measures today. Implementing an OT cybersecurity asset data solution now will establish the foundational elements necessary for the organization’s overarching security program; ensuring safe, secure, reliable and sustainable operations for the long-term.
Dennis Gibson is the Chief Technical Officer of Black & Veatch Mining, where he is responsible for integrating the company’s wide range of technical skills in infrastructure development into the mining sector. He has 40 years’ experience in civil engineering, project management and mining in operations, construction and as a consultant, including 20 years with Rio Tinto.
Nathan Ives is Managing Director, Business and Technology Architecture, Black & Veatch Management Consulting. He has 26 years of power, water, oil and gas and mining industry experience specializing in asset management, risk management, facility operations, cybersecurity and technology implementation.