Cyber(in)security: Take action now
Ensure your data doesn’t go astray
Mining companies’ cyber threat profile is rapidly evolving as the industry undergoes a massive digital transformation, introducing automation, digital technologies and even artificial intelligence (AI) and machine learning to their operations. Companies are also facing additional risk as hackers increasingly target critical infrastructure and begin to recognize mining’s place in the supply chain.
But according to experts, companies are largely unprepared to address the changing nature of cyber attacks.
“We tend to think about mine development and mine life in decades. And so to have such a rapid shift in risk in less than 10 years, a lot of the industry hasn’t caught up to that being a board-level or senior management team-level risk that needs addressing,” said Rob Labbe, founder of the Mining and Metals Information Sharing Analysis Center, an industry group dedicated to improving mining and metals companies’ cybersecurity. The MMISAC was founded in 2017 in response to a series of cyber attacks against eight mining companies.
Cyber attacks can have costly consequences for miners: according to research from Accenture and the Ponemon Institute, in 2018 Canadian companies faced an average US$2.96-million cost from attack-related business disruptions, and US$3.8 million in information loss.
Recent publicized attacks have clearly demonstrated the operational and financial cost. Last May, Colonial Pipeline paid hackers connected with Russia-linked cybercrime group DarkSide US$4.4-million after suffering a ransomware attack that halted all pipeline operations for six days. In October, engineering firm Weir Group was the victim of a “sophisticated” ransomware attack that forced it to delay shipments worth more than £50 million.
Operational technology challenges
Operational technology (OT) — the hardware and software that controls physical and industrial processes — has only become more important in the mining industry as companies digitalize and automate their operations.
But OT systems are on the whole less cyber mature than information technology systems, and attacks targeting them are on the rise. Vulnerabilities in OT devices increased 46% in the first half of 2021 over the previous year, according to an annual mid-year vulnerability and threat trends report from enterprise cybersecurity firm Skybox Security, released in September. Justin Berman, Skybox’s technical director, said these assets are “incredibly easy to attack” because they’re running on outdated operating systems that were designed by engineers without security in mind.
He added that companies have increasingly integrated their OT and IT networks, often to better understand their production or other key metrics. This poses a major security threat, as it could allow hackers to gain access to key company data through assets such as an automated haul truck or a site heating, ventilation and air conditioning system.
A KPMG Canada survey of 23 large mining companies headquartered in North America demonstrates just how at-risk these assets are. According to the survey, 36% of companies don’t have a complete inventory of their critical assets, 63% don’t regularly report on OT cybersecurity, and 35% have no cybersecurity monitoring of OT devices. Almost half (46% of respondents) only apply security patches in an ad hoc manner or never patch operational technology.
“You can’t protect what you don’t know you have,” said Erik Berg, cybersecurity partner at KPMG Canada. “Companies need a clear understanding of their IT and data assets, and that’s not fully understood.”
Leaving OT systems vulnerable to cyber attacks has far-reaching implications. A successful attack could halt production for days or weeks. But, more than that, it could put employees at risk, said Owen Key, director of risk consulting for cybersecurity at KPMG Canada. Some OT systems are directly related to health and safety, such as fire suppression systems in underground mines. “People could lose their lives,” he said.
Berg said a “pragmatic and risk-based approach” for hardening critical OT assets is to regularly patch legacy software. Companies planning to introduce new automation software should implement security by design and information management protocols.
In a November blog post, Berg and Key also recommended miners better integrate OT into their overall cybersecurity program, identify all critical OT assets and regularly report on threats, vulnerabilities and any actions taken.
Berman emphasized that miners need to introduce “segmentation,” or disconnect their OT and IT networks.
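The two recommendations above, keeping a complete inventory of OT assets and segmenting OT from IT, can be checked against real traffic. The following is an added example, not code from the article or from any of the firms quoted in it: a small defender-side audit that takes a constructed asset inventory with network zones and a constructed list of observed connections, then flags direct IT-to-OT traffic that bypasses an intermediate zone and any traffic involving hosts missing from the inventory. All host names, addresses, zones and flows are hypothetical sample data.

```python
"""Segmentation and inventory audit over constructed flow records (added example).

Zone model assumed here: IT may reach only a DMZ; only the DMZ may reach OT;
OT initiates nothing outward. A stateful firewall is assumed for return
traffic and is not modelled. Hosts and flows below are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    ip: str
    name: str
    zone: str            # "IT", "DMZ" or "OT"
    critical: bool = False


# Constructed inventory (hypothetical hosts and addresses).
INVENTORY = {
    "10.1.0.10": Asset("10.1.0.10", "erp-app-01", "IT"),
    "10.1.0.55": Asset("10.1.0.55", "analyst-ws-17", "IT"),
    "10.2.0.5":  Asset("10.2.0.5",  "ot-jump-01", "DMZ"),
    "10.2.0.6":  Asset("10.2.0.6",  "historian-dmz", "DMZ"),
    "10.3.0.20": Asset("10.3.0.20", "haul-truck-ctl-03", "OT", critical=True),
    "10.3.0.30": Asset("10.3.0.30", "hvac-plc-02", "OT", critical=True),
    "10.3.0.40": Asset("10.3.0.40", "fire-supp-plc-01", "OT", critical=True),
}

# Segmentation policy: which source-zone -> destination-zone pairs may initiate traffic.
ALLOWED_ZONE_PAIRS = {
    ("IT", "IT"), ("IT", "DMZ"),
    ("DMZ", "DMZ"), ("DMZ", "OT"),
    ("OT", "OT"),
}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    proto: str


def check_flow(flow, inventory=INVENTORY, allowed=ALLOWED_ZONE_PAIRS):
    """Return a list of finding strings for one flow (empty when the flow is clean)."""
    findings = []
    src = inventory.get(flow.src)
    dst = inventory.get(flow.dst)
    # "You can't protect what you don't know you have": unknown hosts are findings on their own.
    if src is None:
        findings.append(f"unknown source {flow.src} (not in inventory)")
    if dst is None:
        findings.append(f"unknown destination {flow.dst} (not in inventory)")
    if src is None or dst is None:
        return findings
    if (src.zone, dst.zone) not in allowed:
        # A path into a safety-related controller is rated higher than one into a plain host.
        severity = "CRITICAL" if dst.critical else "HIGH"
        findings.append(
            f"{severity}: {src.zone}->{dst.zone} {src.name}->{dst.name}:"
            f"{flow.dport}/{flow.proto} violates segmentation policy"
        )
    return findings


def audit(flows, inventory=INVENTORY, allowed=ALLOWED_ZONE_PAIRS):
    """Audit every flow; return a dict mapping flow index to its findings."""
    report = {}
    for i, flow in enumerate(flows):
        found = check_flow(flow, inventory, allowed)
        if found:
            report[i] = found
    return report


# Constructed sample connections, shaped like a firewall or NetFlow export.
SAMPLE_FLOWS = [
    Flow("10.1.0.10", "10.2.0.6", 443, "tcp"),   # ERP reading the DMZ historian: allowed
    Flow("10.2.0.5", "10.3.0.20", 502, "tcp"),   # jump host to truck controller (Modbus/TCP): allowed
    Flow("10.1.0.55", "10.3.0.30", 502, "tcp"),  # analyst workstation straight to HVAC PLC: violation
    Flow("10.1.0.55", "10.3.0.99", 22, "tcp"),   # destination missing from inventory
    Flow("10.3.0.40", "10.1.0.10", 445, "tcp"),  # OT controller initiating toward IT: violation
]

if __name__ == "__main__":
    for idx, findings in audit(SAMPLE_FLOWS).items():
        for line in findings:
            print(f"flow[{idx}] {line}")
```

Run against an actual flow export, the same two checks give a first cut of both KPMG survey gaps at once: every finding of the "unknown" kind is an inventory gap, and every zone-pair violation is a place where the OT/IT integration Berman describes has not been mediated by an intermediate zone. The zone pairs in `ALLOWED_ZONE_PAIRS` are the policy to adjust; the point of the audit is that the policy is written down and measured rather than assumed.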
Beefing up suppliers’ security
Digitalizing mining operations has come with the use of more third-party service providers that connect into companies’ internal systems. It’s a major risk, Berman said, as in-house IT or cybersecurity teams don’t often have visibility into manufacturers’ proprietary equipment.
According to Labbe, hackers are taking notice. The MMISAC has seen a growing trend of cyber attacks directed at suppliers and service providers, with the aim of using those companies as Trojan horses into miners’ IT and OT infrastructure.
Miners’ expectations of their suppliers’ cyber governance are starting to change, Berg said, and more are asking important questions. While Key noted some companies will decline to disclose internal cybersecurity policies, miners can ask them to prove their security through a certification, such as the International Organization for Standardization’s (ISO) standards on information security management. Companies can also negotiate the right to conduct a security audit into a contract.
Labbe said the MMISAC is looking at how to bring more suppliers into its fold. In February, the group launched a supply chain resiliency program, which is meant to assess suppliers’ current practices and help them improve their security. He said the program will also reduce due diligence work for all miners.
“Why does every mining company have to assess [a supplier] individually? We can do that once,” he said. “The goal isn’t to create a list of bad and good suppliers; the goal is to support the industry in getting better.”
Breaking down silos
Berg said companies need to break down the silos between their IT/cybersecurity department and the engineers that have designed their OT systems and “operate as one entity” against adversaries, though he acknowledged it’s a particularly difficult challenge.
Mining executives also need to recognize that business decisions have an impact on their companies’ cyber risks, Labbe said, and co-ordinate with their cybersecurity team on announcements. These business decisions can be things such as operating in a new country, moving into a new commodity or releasing financial results and environmental, social and governance commitments.
He gave the example of a company that just announced a major acquisition. Attackers may see that as a period during which the company will be vulnerable and distracted, and more likely to pay a significant ransom if their financial systems have been taken down ahead of the deal closing.
“Cyber attackers, especially financially motivated ones, are reading our annual reports, are reading our disclosures, they’re showing up at investor calls and are getting informed on the organization,” he said. “The decisions and communications we make have an impact on them. … When you’re thinking about how to communicate these announcements, you need to think about who’s reading it.”
Kelsey Rolfe is a freelance writer formerly with the Financial Post and the CIM. She can be reached at kannerolfe@gmail.com.