CYBERSECURITY IN MINING
Gone phishing
Dan Gleeson receives two perspectives on cybersecurity: one from the mining supplier network and one from the mining community itself
“There is a fine line between securing your operations and implementing innovations or production enhancements.”
These are the words of Ian Lee, Manager, IT Security, Compliance & Enterprise Architecture at Hudbay Minerals, who neatly spells out the dilemma mining companies face in today’s digitally connected world.
It is not a matter of choosing one or the other – cybersecurity or productivity-enhancing technology – it is all about discussing what impact adopting innovative solutions will have on the digital ecosystem at mine sites or company headquarters.
Apala Ray, ABB’s Global Cybersecurity Manager, Process Automation, Process Industries, has been involved in a few of these conversations and knows the potential pitfalls mining companies can leave themselves open to.
She is also abundantly aware of the benefits that come with adopting new digital and automation solutions. They offer “mining operators unprecedented visualisation across their operations, allowing them to make smart, informed decisions that improve production efficiency”, she told IM.
Yet, this increased interconnectedness between operational technology (OT) and information technology (IT) systems makes industrial plants more vulnerable to sophisticated cyberattacks, Ray cautions, hinting at Lee’s opening point.
This means there is a decision-making process to go through even before implementing these solutions.
The cyber threats can take the form of generic ‘white noise’ attacks that impact both IT and OT systems, as well as attacks using custom malware specifically crafted to infiltrate the target environment, according to Ray.
This means cybersecurity must be addressed at each phase of an asset’s lifecycle – from design and development, to operations and maintenance – identifying what needs to be protected, when attacks and security breaches occur and effective back-up and recovery plans.
Why us?
Despite this impending threat, cybersecurity is not top of mind for miners implementing new OT, according to a 2019 State of Play report on cybersecurity in mining.
Through interviews, survey and analysis of Australia’s largest mining and service companies, including BHP, Rio Tinto, South32, and Anglo American, the ‘State of Play: Cyber Security Report’, from researchers at State of Play, uncovered that 98% of top-level executives thought a catastrophic event was required to drive an industry response to cybersecurity in mining.
The reality is that this ‘catastrophic event’ has not yet occurred in the mining space, although it is getting nearer.
In March 2019, Norsk Hydro, a global aluminium producer, found itself the subject of an attack. This came in the form of a compromised email sent via an existing customer’s email address to an unsuspecting employee. The employee opened the attachment and unknowingly released a type of ransomware that gave cyber criminals access to the Norsk Hydro network.
ABB’s Apala Ray says more and more cybersecurity solutions are emerging to protect clients, but she places the onus on mining companies to develop a “coherent cybersecurity strategy”
Earlier that year, hackers blocked access to Nyrstar’s IT systems, databases and email to try and disrupt operations.
While both incidents are noteworthy, neither packed the same punch as the ‘NotPetya’ ransomware incident in 2017. While this ‘white noise’ cyberattack did not specifically target the industrial sector, it hit Maersk, the world’s largest shipping firm. This ended up costing the company $300 million, taking almost 10 days to rebuild the affected network of 4,000 servers and 45,000 PCs.
These warnings aside, there continues to be a worrying perception that most mining companies are too small or insignificant for hackers to target. The obvious rationale for an attack on a junior mining company, for instance, is hard to understand.
Lee has heard this argument but says such complacency is unwarranted.
“Hudbay in the grand scheme of things is a relatively small company, but every hacker will practice somewhere,” he told IM. “These hackers are not going to start taking on the big guys; they will start with the small guys and see what they can accomplish at that level before moving onto bigger targets.”
Armed with this knowledge, Lee and his team devised a sophisticated cybersecurity training program back in 2018 to help protect employees and the company from such attacks.
With 94% of malware delivered via email and phishing attacks accounting for more than 80% of
FEBRUARY 2021 | International Mining 65