If Cyber Security Conversations Aren’t Happening at Board-level Then You’re Behind

A chat with Rob Labbe, Co-founder and Chair of Mining and Metals ISAC. Interviewed by Christopher Lycett, Mines and Technology.
With the drive towards digitization, cyber security is becoming more and more important for mining companies looking to apply digital technologies at their operations.
Against this backdrop, Mines and Technology caught up with Rob Labbe, Chair and co-founder of MM ISAC, on the challenges of cyber security in mining and the role MM ISAC will play in solving these. Rob will be speaking at Mines and Technology in Helsinki, Finland, May 29-31, 2018.
Q. Tell us about MM ISAC, why it was set up and what are its main objectives today?
A. The initial driver was a cyber security incident that affected many mining companies in Canada. The same person attacked many of us successfully. This led to a conversation that at some point it stops being the bad guy’s fault for doing it, instead it becomes our fault for enabling it. We as an industry must take on some accountability and responsibility for this.
Let’s share information about the people who are attacking us so that we can have some shared-intelligence about what’s happening from a cyber security perspective in the industry; let’s figure out how to do that. That was the first piece and that is the core.
The second piece that came out of this was, yes, we must do that, but that is really a retrospective look. That’s talking about what has happened, or what is happening—this is the post-mortem.
The industry is driving towards digitization, automation and machine-learning, and these things are being talked about all over the place. We are on the cusp of a huge innovation leap for mining. We are on the cusp of this technological leap and we’re focusing on all the awesomeness of this in terms of safety, productivity and environmental sustainability.
However, on the flip side, what does the risk picture look like? What are the cyber security risks that come along with this? Nothing comes for free. What are the new risks? What is the impact on the functional safety systems? How do we deploy these modern technologies in a way that ensures we maintain safe, reliable operations?
That piece of work from a single company perspective is daunting. It’s a huge amount of work in terms of volume, it’s a huge amount of work in terms of cost and it is a cost at a company level that would essentially have to be repeated individually.
Now, we could each spend half a million dollars to come up with that individually, but the products would all look close to the same. If every company looked at the threat model for autonomous haulage, that would take millions out of the industry to be handed over to security consultants. The OEMs would then be left with every operator’s varying requirements.
How is a Caterpillar supposed to fit that? They’re not going to make a unique autonomous haul truck for everybody. So, by coming up and doing it together, we can spend that money once as an industry and have the product we all need. We have a consistent set of recommendations and requirements, we can update it in one place, and we can get one set of standards for the vendor which are consistent.
The operators then focus on the operations, the OEMs focus on developing and building the technology we need, and we can all cover off the security as an industry together. Combining threat intelligence and information-sharing is going to make the industry more fundamentally secure, and those are the two things that gave birth to MM ISAC.

Q. To what extent is cyber security now a business focus for mining companies?
A. It is a much bigger focus than it was five years ago. At that point in time cyber security was viewed as a corporate communications risk, an IT risk—something the people in IT can take care of, and in a lot of cases, people weren’t wrong.
However, as we start to replace onsite operators with remote operations and autonomous systems, the digital systems will be running the core of our operations, affecting safety and productivity—those decisions aren’t all going to be made by people anymore. The computers will be making those decisions according to programming, so now we have to start thinking about and managing the risks that come from that.
However, the realization that cyber security is a business risk and needs to be dealt with at the same level as other business risks is not unanimously understood yet. So, one of the jobs of MM ISAC as an outreach organization is to educate those who have not quite grasped that concept yet. If cyber security conversations aren’t happening at board and senior management team levels, then you’re behind.

Q. In terms of numbers, how much should mining companies be spending on cyber security?
A. That’s traditionally how people look at it, but I think that’s the wrong metric.
It makes sense to look at it that way in mining because for every problem in mining, traditionally, capital is and has been the answer. If you’re not moving enough rocks, you buy more and bigger haul trucks. If you’re not processing enough rocks, you build an extra crusher, and so on. Mining companies naturally take and compare those sorts of costs against each other. Cost per tonne is a very simple, consistent metric.
For cyber security however, it doesn’t make sense. What we need to look at is “Am I effectively managing risk and what does that risk look like,” because risk tolerance is going to be different company by company.
Just because someone spends $25 million versus $5 million, it doesn’t mean they’re going to get a better result. Cyber security is all about people, process, good procedures and good risk management, all of which is not a capital outlay activity.
The better questions to ask are:
- What does it mean to be a secure mining company?
- What does my risk picture look like at various stages of that?
Then it becomes a board decision of how comfortable you are at the current level of maturity with the risk profile currently being carried.
So, if you are a very traditional mining company that is not moving to digitization, you might be perfectly comfortable at a much lower level of cyber security maturity because the risk isn’t there.
However, if your goal, like many in Europe, is to remove as many people from your mining operation and have the entire mining operation digital, automated and so on, then that lower level of maturity on the scale may not provide an acceptable level of risk management.

Q. So, with all of this said, do you think mining companies have the right level of risk or is there still a long way to go?
A. As an industry, there is a long way to go. We are starting probably five years to a decade behind other industries. We’re late, and we’ve got some catching up to do.
There are some impediments to playing that catch up. Obviously, for the last few years the commodity cycle hasn’t helped. It has changed recently for some, and that frees up some money, but as I said, this isn’t about the money. Some money needs to be spent, but more importantly than this, there needs to be a cultural shift of where the risk sits and until that occurs, all the money in the world will not solve this.
This is not a problem that is fixed by throwing capital and that idea is culturally challenging for a lot of mining companies.
I try to relate spending on cyber security to spending on safety and sustainability. We spend money on safety and safety programmes so as to keep our people safe and healthy. While the direct ROI to that is not clear, we do it because it is the right thing to do, and long-term trends and data tell us it pays off in the long run.
Cyber security is not an investment to add direct value, but it’s certainly an investment to preserve value, protect our investments and enable innovation. Similar to safety, we all understand that we got our much-improved industry safety record not because we bought some “safety stuff.” We focused on the programme, the procedures and the safety culture, and then we bought the tools and technology we needed to enable our safety programs. This is what we need to do with cyber security.