IM 2021 February 21 | Page 72

CYBERSECURITY IN MINING
reported security incidents, according to csoonline.com, the training focused mainly on potential email phishing attacks.
Hudbay teamed up with Infosec IQ to roll out this testing and training.
Having found a baseline of what Infosec referred to as “phish-prone users” back in 2018 through several exercises looking to replicate typical phishing behaviour, Hudbay started flagging internal examples of malicious emails that had come through to the company from external sources.
“We then highlighted some of the tell-tale signs to show how they were fake,” Lee explained. “This could be a misspelling of Hudbay Minerals, wrong grammar, etc. These were the standard things people needed to be aware of that they used to gloss over prior to them being highlighted.”
Going into 2019, Hudbay, backed by Infosec’s program, then started to deploy continual phish testing to compare users with the baseline they had confirmed the previous year.
“This could be one, two, three emails a month that were simulated phishing emails,” Lee said. “As soon as people clicked on something they shouldn’t have, they received immediate feedback to make them aware of things they should watch out for. At the same time, the system noted the behaviour for us to review on a regular basis.”
In tandem with this, monthly training courses were rolled out covering phishing, flash drives and safe web browsing.
The program led to a dramatic decrease in phish-prone users within Hudbay, with the metric going from 44% in the March quarter of 2018 (initial testing) to just 5.5% in the September quarter of 2020.
Lee says the training has been a worthwhile exercise the company plans to continue with.
That is not to say it has been easy getting all employees on-board with increasing their cybersecurity awareness.
“There definitely are people that understand the need and usefulness more than others,” he said. “It is sometimes challenging to convince personnel it is worth their time to engage with this training.”
Physical on-site safety has buy-in across the board at mine sites, but the less ‘tangible’ threat that comes with cybersecurity is harder to get across to personnel.
“If we lost $1,000 in an accounts payable scam that is one thing, but if we have a mill that fails, for example, that affects the physical process,” Lee said. “This type of example tends to get more traction and attention across the company.”
Lee and Hudbay are committed to increasing engagement with this cybersecurity training.
The company currently has a 60-70% participation rate in the training process, which will increase when Hudbay makes it mandatory in the near term.
Engagement and awareness may also increase when the phish testing becomes much more targeted, directing relevant emails quoting actual employees and what appear to be genuine instructions during these tests, Lee explained.
This reflects the increased sophistication of phishing emails the company is already getting.
“These testing emails will be more specific and relevant to the users, targeting their specific group,” Lee said. “The emails we are receiving are already becoming that much more targeted, with the phishers directing what appear to be normal requests to the right people.”
Layered protection
Hudbay chose its ongoing cybersecurity training program to augment existing technical controls where further investment in such controls may have diminishing returns, according to Lee.
Based on his 15-plus years of experience in IT, Lee indicated staff can often rely on the technical controls of cybersecurity solutions to safeguard them should such third-party protection be employed. This would not be a problem in an environment where malware risks do not evolve, but the speed and complexity of changes coming from this community means such protection needs to constantly be updated.
“It really is a game of whack-a-mole; you are never going to catch them all,” Lee said. “We could put in all of these technical controls – enhanced malware protection, phishing and web filters, for example – but you are always going to be playing catch up.”
ABB’s Ray says more and more cybersecurity solutions are emerging to protect clients, but she places the onus on mining companies to develop a “coherent cybersecurity strategy”. Layered onto this strategy can be measures to protect assets, processes and people from imminent danger.
She thinks partnering with a recognised technology leader can provide protection against imminent cyber danger.
This is where ABB, as a maintenance service provider, an integration service provider and a product supplier, has an advantage over some of its peers, Ray argues.
ABB’s cybersecurity portfolio is built around three layers: foundation, service and operation.
Hudbay’s Ian Lee says every system the company installs, or every change made to operational technology must go through an internal IT and ICS policy
“In the mining sector, the first foundation layer is of particular importance,” Ray said. “US Homeland Security reports that 98% of cyberattacks can be mitigated if industrial operators have basic digital hygiene and process controls in place, including the latest anti-virus software and a regular back-up system.
“To protect industrial facilities from undetected ‘zero-day attacks’ from advanced persistent threats such as ransomware, ABB also advises that network segregation and recovery processes are put in place; the latter allowing mining companies to maintain production following a cyberattack.”
The ABB Ability™ CyberSecurity Fingerprint solution provides customers with an initial in-depth site survey to assess their existing cybersecurity control system. Combining data from an ABB Ability Cyber Security Benchmark control system asset risk review with insights from plant personnel, ABB can then advise the client on risk mitigation and how to improve its overall cybersecurity profile.
Ongoing security patches and antivirus software need to be constantly reviewed as part of this.
“Keeping these basic function controls updated is part of the second layer of ABB’s cybersecurity portfolio,” Ray said.
The third layer of protection involves operational security monitoring in collaboration with strategic partners, using advanced analytics to predict and identify evolving security threats, and adapting solutions from the IT sector – IBM QRadar and Splunk, for example – for use in the OT space, Ray says.
ABB has an existing relationship with IBM. The two signed an agreement back in October to develop a new OT Security Event Monitoring Service that combines ABB’s process control system domain expertise with IBM’s security event monitoring portfolio to improve security for industrial operators like mining companies. This new service better connects OT data with the broader IT security ecosystem, providing the domain knowledge needed to swiftly react to security incidents related to process control, according to the companies.
While ABB is evidently well schooled on cybersecurity risks, Lee has seen mixed responses
66 International Mining | FEBRUARY 2021