CYBER SECURITY
With several large industrial firms still reeling from
recent cyber attacks, miners need to protect what is
becoming an increasingly large pool of data, processes
and autonomous equipment. Dan Gleeson finds out how
they should do this
Protectionist measures
Cyber security was propelled up the
agenda in 2017 when the WannaCry,
NotPetya and Triton incidents infected the
systems of many unprepared industrial companies.
These three events showed that a company
doesn’t have to constantly be in the media
spotlight to become the subject of an attack; all
they need to be is digitally connected.
Shipping firm Maersk, pharmaceutical
company Merck and auto manufacturer Renault
were just some of the victims.
These incidents have been a wake-up call for
the mining industry, according to Ragnar
Schierholz, Head of Cyber Security, Industrial
Automation Division, ABB.
“Many management boards now see the
need to address the cyber-security risk to their
industrial operations. After WannaCry, NotPetya
and Triton, the evidence that such incidents can
affect industrial operations is publicly
documented now with practical examples and
high impacts – ignoring the risk could be
interpreted as negligence,” he told IM.
Even before this, mining companies had not
been immune to cyber events.
In 2016, Goldcorp was the subject of a data
breach by anonymous hackers who posted large
amounts of the miner’s private information
online, while all the way back in 2014, undersea
mining hopeful Nautilus Minerals became the
victim of a scam.
Michael Rundus, Global Mining & Metals
Security Leader for EY, said the firm’s recent
Global Information Security Survey identified
that 54% of mining companies had experienced a
“significant” cyber incident in the past 12 months.
The indications are mining companies have
reacted to these and other events, with Rundus
saying they had been investing in protective
measures of late.
“Our recent Global Information Security
Survey revealed that 53% of energy and
resources organisations have increased their
spend on cyber security over the last 12
months,” he told IM.
There is a ‘but’.
International Mining | JANUARY 2019
“While budgets are increasing, they are not
currently sufficient to effectively manage the
increasing risk, particularly to mission-critical
operational technology. Indeed, as mining and
metals companies continue to move into the
digital age, budgets will certainly need to be
increased to manage the growing threat,” he said.
Paul Zonneveld, Global Energy Resources &
Industrials Risk Advisory Leader for Deloitte,
agreed with this assessment.
“It is not that (cyber security) isn’t receiving
any investment, however the pace of investment
is not at the same level as what is going into
operational technology,” he told IM.
Joe Carr, Mining Innovation Director for
Inmarsat, the owner and operator of a global
satellite network, said companies are struggling
to know the most effective way to shield
themselves from such attacks.
“We found [in our own research] that 64% of
mining businesses reported that the risk of
external cyber attacks was the biggest security
challenge in their industrial Internet of Things
(IoT) deployments, and that 70% of
organisations require additional staff with cyber
security skills – higher than any other
discipline,” he told IM.
This imbalanced equation and lack of
understanding could prove problematic for
mining companies going forward. While they
may appease concerned investors that have
witnessed cyber attacks by saying they, at least,
have some protective measures in place, they
may be becoming a larger target in the process
of transitioning to more digital and autonomous
solutions on their mine sites.
Investment rationale
In a world where every investment must be
justified from a financial standpoint, how can
companies ensure they are protected from these
cyber risks?
Zonneveld said: “You need to ask: what are
you trying to accomplish? Which technologies
are you implementing? And, what could the
threats be to these technologies?
Inmarsat’s research showed 64% of mining
businesses reported that the risk of external
cyber attacks was the biggest security
challenge in their industrial Internet of Things
deployments
“For example, if you are designing
automation capabilities to remove drivers from
trucks, the security team should ask
themselves, ‘what is the consequence if the
communication between the control centre and
the truck is intercepted? Could the truck be
shut down? Could an external party take control?’
Based on this, security capabilities are built into the
design, whether that is authentication, monitoring,
malware detection, etc.”
One of the keys to warding off cyber attacks
is around the timing of the protective measures
to be employed.
“Many of the counter measures, which
include preventive, detective and responsive-type
controls, are not that difficult to implement
but they are very difficult to retrofit. It's all
about implementing them at the right time,”
Zonneveld said.
“For example, when building an office tower,
a potential threat could be that the office tower
could catch fire. As a preventative measure, fire
suppression systems are built-in throughout
the structure to make sure that if this happens,
the fire suppression system can kick in quickly. If
this counter measure is not built-in when the
building is being constructed, it’s very difficult to
retrofit it once the building has been
completed.”
EY’s Rundus admits there is no “one-size fits
all” approach to applying security measures for
cyber attacks.
“A general rule is that the greater the ‘attack
surface’, the greater the likelihood or
susceptibility,” he said.
“Understanding the cyber threat landscape is
the foundation step in the change required to
improve cyber maturity.”
This is where a cyber security framework to
identify critical gaps, threats and actions
required to reduce risk is of great use, according
to Rundus.
“We believe that irrespective of the
framework adopted, a risk-based approach
should be taken, which is fit for purpose, adopts
a balance between ‘protect’ and ‘react’, and
meets the operational requirements of an
organisation,” he said.
Inmarsat’s Carr said: “From an Industrial IoT
perspective, the first step is to find a trusted
partner who will manage your connectivity as a
service, and who considers security at every
point that your data touches.”
He continued: “There are different ways to
harden an Industrial IoT network, which include:
• “Secure management access (so that only