Written by Yogen Appalraju, EY
Most mining companies today are investing for a digital future as the sector sets its sights on growth after emerging from the bottom of the most recent super cycle.
This means companies are storing more sensitive data than ever on networks where each node or access point represents an important connection to people or data—and a potential vulnerability or source of risk. Cybercriminals and hacktivists know this well. Little wonder, then, that more than half of the energy and resources participants in the most recent EY Global Information Security Survey (GISS) said they had experienced a significant cyber security incident in the past 12 months.
The mining and metals sector, like the oil and gas or power and utilities sectors, carries the same “critical national infrastructure” threat profile—meaning they are high-profile, high-risk targets. But that’s where the similarities end.
Many energy organizations have long since made their cybersecurity step change and are building robust threat reduction platforms. Such a transformation has yet to occur—and is urgently required—in the mining and metals sector. The consensus among experts is that mining companies lag several years behind their energy sector peers when it comes to cybersecurity, a trend that cannot continue.
So, the question mining companies should be asking themselves is this: how will we contain and manage the threat when it comes? To do this, they need to understand the risks they face and, as they look to the future, be ready to implement the right controls to prevent attacks. Otherwise, the outlook is dim.
The world is experiencing an unprecedented surge in the number of cyberattacks, and they are as diverse as they are destructive. Among the most dangerous are the large-scale data breaches of commercial, personal and customer data, the kind suffered by some of the biggest brand names out there. These attacks can have a devastating short-term impact on the business, and an equally devastating long-term impact on a company’s reputation.
A big reason for this rise in attacks is the growing convergence between information technology (IT), which handles the storage of data and office networks, and the less mature operational technology (OT), which runs industrial and manufacturing operations. Blurring the lines between the two is a welcome and worthwhile endeavour as it helps mining companies achieve greater automation, rein in costs and maximize productivity.
However, it’s also greatly widening the so-called “attack surface.” Where once a cyberattack might clog networks or bring down a website, today attacks can strike at the very heart of business operations by targeting IT and OT systems together. This can endanger everything from employee health and safety to the viability of supply chains.
Not surprisingly, this trend has fuelled the emergence of malware and exploits designed to target OT. One of the most well-known examples is the December 2015 attack on Ukraine, which crippled part of the power grid after malware infected the OT systems of one of the country’s regional power suppliers. That same year, the U.S. reported 250 cyber incidents against OT operations.
Then there is the rise of networked devices. Corporate operations are becoming more dispersed as organizations embrace the Internet of Things (IoT). Most mining companies today oversee thousands of interconnected devices across multiple geographies, and with each passing month, infrastructure that had never previously been connected to a network comes online.
Armed with this knowledge, attackers can use four distinct attack paths to find and take advantage of OT weaknesses:
- Gaps in perimeter security of corporate networks, such as weak firewall configurations or insecure remote tools, allowing intruders to pivot from IT to OT environments.
- Unmanaged vendor access policies that allow third parties access to OT environments.
- Poor security configurations that allow unobstructed access to OT systems and devices.
- Network segmentation gaps that allow for excessive access between OT security zones.
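The four attack paths above all show up as rules in a firewall or zone policy, so they can be checked mechanically. The script below is an added example written for this page, not code from the article or from EY: it audits a small, constructed rule set (the zone names, rule fields and sample rules are assumptions for illustration) and flags rules that match each of the four paths: a perimeter rule that lets “any” source or “any” port into an OT zone, a cleartext remote tool such as Telnet or FTP on an IT-to-OT path, vendor access with no expiry, an OT rule whose destination is “any”, and an OT-to-OT rule that permits every port.

```python
"""Audit a zone-based firewall policy for the four OT exposure paths.

Constructed example: zone names, the Rule layout and SAMPLE_RULES are
assumptions made for this illustration, not a real site's policy.
"""
from dataclasses import dataclass
from typing import List, Optional, Union

IT_ZONES = {"internet", "dmz", "corp"}          # assumed IT-side zones
OT_ZONES = {"ot-scada", "ot-dcs", "ot-plc"}      # assumed OT security zones
CLEARTEXT_REMOTE = {23: "telnet", 21: "ftp"}     # remote tools with no encryption


@dataclass(frozen=True)
class Rule:
    id: str
    src_zone: str
    dst_zone: str
    src: str                      # CIDR or "any"
    dst: str                      # CIDR or "any"
    port: Union[int, str]         # TCP port or "any"
    owner: str                    # "vendor:<name>" marks third-party access
    expires: Optional[str] = None # ISO date, or None for an open-ended rule


@dataclass(frozen=True)
class Finding:
    rule_id: str
    category: str   # perimeter | configuration | vendor | segmentation
    reason: str


def audit_rule(r: Rule) -> List[Finding]:
    """Return every exposure path a single rule opens (possibly several)."""
    found = []
    into_ot = r.src_zone in IT_ZONES and r.dst_zone in OT_ZONES

    # Path 1: perimeter gap, an IT-side rule into OT with an open source or port.
    if into_ot and (r.src == "any" or r.port == "any"):
        found.append(Finding(r.id, "perimeter",
                             f"{r.src_zone}->{r.dst_zone} with src={r.src} port={r.port}"))
    # Path 1 again: an insecure remote tool crossing from IT to OT.
    if into_ot and r.port in CLEARTEXT_REMOTE:
        found.append(Finding(r.id, "configuration",
                             f"cleartext {CLEARTEXT_REMOTE[r.port]} into {r.dst_zone}"))
    # Path 3: a destination of "any" gives unobstructed access to every OT host.
    if r.dst_zone in OT_ZONES and r.dst == "any":
        found.append(Finding(r.id, "configuration",
                             f"destination 'any' reaches every host in {r.dst_zone}"))
    # Path 2: third-party access into OT that is open-ended or unrestricted.
    if r.owner.startswith("vendor:") and r.dst_zone in OT_ZONES and (
            r.expires is None or r.src == "any"):
        found.append(Finding(r.id, "vendor",
                             f"{r.owner} access to {r.dst_zone} has no expiry or no source limit"))
    # Path 4: an OT-to-OT rule between different zones that permits every port.
    if (r.src_zone in OT_ZONES and r.dst_zone in OT_ZONES
            and r.src_zone != r.dst_zone and r.port == "any"):
        found.append(Finding(r.id, "segmentation",
                             f"all ports allowed {r.src_zone}->{r.dst_zone}"))
    return found


def audit(rules: List[Rule]) -> List[Finding]:
    return [f for r in rules for f in audit_rule(r)]


def summarize(findings: List[Finding]) -> dict:
    """Count findings per category, for a quick view of where the gaps are."""
    counts: dict = {}
    for f in findings:
        counts[f.category] = counts.get(f.category, 0) + 1
    return counts


# Constructed sample policy (addresses are documentation ranges, not real hosts).
SAMPLE_RULES = [
    Rule("R1", "corp", "ot-scada", "10.10.0.0/16", "10.50.1.10/32", 443, "ops"),
    Rule("R2", "internet", "ot-scada", "any", "10.50.1.10/32", 3389, "ops"),
    Rule("R3", "corp", "ot-plc", "10.10.5.0/24", "any", 23, "eng"),
    Rule("R4", "dmz", "ot-dcs", "203.0.113.7/32", "10.50.2.0/24", 22, "vendor:acme"),
    Rule("R5", "ot-scada", "ot-plc", "any", "any", "any", "ops"),
    Rule("R6", "ot-scada", "ot-plc", "10.50.1.10/32", "10.50.3.0/24", 502, "ops"),
]

if __name__ == "__main__":
    for f in audit(SAMPLE_RULES):
        print(f"{f.rule_id} [{f.category}] {f.reason}")
    print(summarize(audit(SAMPLE_RULES)))
```

R1 and R6 pass because they name a specific source, a specific destination and a single port (an HTTPS jump host into SCADA, and Modbus/TCP from one SCADA host into the PLC zone); every other rule maps onto one of the four paths, and R5 shows that a single lazy rule can open two of them at once. Real policies are larger and live in vendor-specific formats, so the point of the exercise is the checks, which can be re-targeted at whatever export the firewall produces.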
Failure to address any of these risk factors will leave an organization exposed. What makes the picture even bleaker is that 97 per cent of energy and resource companies surveyed in the EY GISS say their cybersecurity function does not fully meet their organization’s needs, and that 48 per cent believe it’s unlikely that their organization would be able to detect a sophisticated cyberattack.
Planning for the Future
To protect themselves adequately, mining companies don’t have to slow the pace of their digital transformation. Instead, operators should implement strong cybersecurity protocols to run in tandem, so that each improvement in productivity is matched with an equally robust improvement in protection.
It’s inevitable that cybersecurity breaches will occur. The goal is not to prevent them entirely, but rather to minimize the number of intrusions and limit their potential for damage. It goes without saying that companies should have their basics covered, including the use of antivirus software, intrusion detection and protection systems, sophisticated encryption capabilities and a culture that understands the importance of strong passwords, avoiding phishing attacks and other security best practices.
However, to truly build a strong defensive perimeter, it’s critical that organizations assess their individual threat landscape and be aware of all current and emerging risks. This means approaching cybersecurity much as they would any other business risk.
- Identify critical information assets and the level of security each requires, based on its impact to the business and the risk appetite of the organization.
- Ensure that in addition to preventative controls, appropriate focus is placed on response and resilience such as security monitoring, incident recovery processes and regular security testing.
- Optimize budgets; accept some manageable level of risk in areas where budgets, and the potential business impacts, are limited.
- Embrace the future. Constantly educate people on best practices to reduce weak links, and don’t discourage adoption of new technologies out of fear of risk.
The mining industry is in an upswing. Volatility has eased off in a number of commodities, and balance sheets are stabilizing. Now is the time to invest in order to stop a preventable cybersecurity incident from derailing that momentum. Taking the right steps and making the right investments in 2018 will set the stage for a stronger, more certain future.
About this Author
Yogen Appalraju is the EY Canada Cybersecurity Leader. He is based in Toronto. For more information on digital mining and access to the complete EY Global Information Security Survey 2017-18 results, visit ey.com/digitalmine.
This article was originally published in the Spring 2018 issue of Canadian Mining Magazine. Access the full issue here: http://canadianminingmagazine.com/spring-2018/.