Grappling with cyber complacency in the mining sector

  • Pankaj Thareja, Cybersecurity Consultant, FM Global

We live in interesting times. A recent survey by PricewaterhouseCoopers found that Australian CEOs view cybersecurity risks as the greatest threat to business growth. Yet many mining executives report that it would take a “catastrophic” cyber incident for the industry to act and build adequate cyber resiliency.

The State of Play security report found that mining executives around the world felt that catastrophic events on their own sites would be far more likely to spur action than education, regulation, or financial incentives. The product of interviews and surveys of more than 100 global senior executives, the report surveyed chief executives, chief operating officers and chief technology officers from mining majors including BHP, South32, Rio Tinto and Anglo American.

While it might look like miners are lagging, the truth is that complacency around cyber defences doesn’t only pervade the mining sector. Across all industries we find a laissez-faire attitude when it comes to cybersecurity.

Many businesses feel that the security solutions they have deployed, such as firewalls and virus scanners, will protect them from an attack. Others believe that merely complying with regulations is enough to prevent being victimised by cybercrime. This is simply not true. The sophistication of cyberattacks is growing exponentially, and so too should defences.

Wide-ranging vulnerabilities

It’s essential to put defences in place to identify and reduce cyber exposure. Most miners are moving into robotics, integrated and automated systems and the Internet of Things (IoT) in their operational environment to increase efficiency and cut costs. Increased digitisation and connectivity increase vulnerabilities by providing a bigger attack surface for malicious actors.

The threat of phishing attacks, malware and legacy environments is worrisome for executives. Vulnerabilities arising from legacy systems, poor security programs, user behaviour or gaps in cybersecurity defence programs are of great interest to nation states and competitors whose intention is to exploit such weaknesses for fraudulent ends. Continuously looking for vulnerabilities, prioritising them and fixing them is a vital part of a cyber defence program.

The other side of the story is far less technical – mistakes made by employees. You can have the best security in the world, but employees can deliberately or accidentally put the organisation’s data and systems at risk.

In late 2019, the Office of the Australian Information Commissioner released data showing that human error was the second largest cause of data breaches by companies under the Notifiable Data Breach Scheme. Errors included sending personal information to the wrong recipient via email (35 per cent), unauthorised disclosure through the unintended release or publication of personal information (18 per cent), as well as the loss of paperwork or data storage device (12 per cent).

Third party vendors represent a particular vulnerability for mining companies. Having vendors on your sites creates an opening for systems to be more easily breached, either accidentally or intentionally. Third parties connecting a malware-infected laptop or USB to the OT (operational technology) environment can allow external actors to seize operations and cause massive damage. Poor security practices by these vendors may also introduce vulnerabilities in the production environment.

While third parties are relied upon heavily by mining companies for their specialised expertise and equipment maintenance, there’s a need to ensure they follow the company’s cyber security practices. To manage the risk effectively and build a resilient cyber program, ensure that equipment and software are delivered without vulnerabilities, and that vendors’ system access is strictly managed and regularly audited.

What’s at stake

Mining companies are particularly rich targets for cyber criminals. Miners’ most valuable asset is the treasure trove of data they hold on projects in development, trade secrets, environmental records and studies, and proprietary information. Pilfering such a trove of monetisable data is highly appealing to threat actors.

You only need to read the news to see that the threat level is significant and rapidly evolving, with accusations flying over nation state-level attacks. As threat actors become more sophisticated, they can often remain undetected once they penetrate networks, significantly raising the danger they pose. Just imagine the damage an invisible criminal could do if they broke into your mining operation or facility.

Three ways to get prepared

1. Educate all staff on cybersecurity as a shared responsibility

One of your utmost priorities should be letting your people know that security is everyone’s responsibility, from the chief executive officer to the most junior employee. I’m sure most of us can think of a time when we, or someone in an office we worked in, picked up a USB and plugged it into a computer without knowing where it came from or what was on it. Everyone needs to understand the importance of working securely.

2. Set up security requirements and restrict access to physical sites

Setting up security requirements that ensure access to physical sites and IT is only given to those who need it, and deploying a supply chain management program, is another critical step. Employees and third-party vendors should only have access to data, a network or a physical area if it is needed for them to do their job.

A supply chain management program should ensure that vendors are given access to the plant based on the same security requirements and have standards to follow. Security requirements should ensure that facilities are physically locked and that keys are properly secured and handled.

3. Have an emergency response plan in the event of a cyber attack

Every business should also have emergency operating procedures that set out roles and responsibilities for each type of incident, including who is responsible for networking and cyber-related events. It’s also important to maintain information on vendors who are contractually obliged to provide support during a cyber event.

The cost of a cyberattack can increase significantly depending on the time it takes for a threat to be contained and eliminated. Without rules on how to react, recovery can be prolonged and financial losses increase.

Develop procedures for other types of cyber incidents based on reported cyber events. Practise these procedures in table-top exercises on a routine basis, as determined by the asset owner, to maintain their efficacy. Emergency procedures should also cover how to manage without the support of technology that may be taken offline. This includes understanding whether there are manual alternatives for operating critical systems.

Cybersecurity is a major risk – not just to growth but to businesses’ basic ability to operate. With this reality increasingly being felt by business executives, it’s time that action on cyber defences matched our perception of the threat.

This article originally appeared in CSO Australia.