An Integrated Security Strategy For Mining Organisations
Mining infrastructure is a growing target for threat actors, and attacks can have significant consequences. Read on to find out how to integrate your cyber, physical, and personnel security strategies.
Co-authored by Jordan Plotnek PhD. Originally published in the Australian Mining Review.
The Australian mining sector is a critical component of the country’s economy, contributing significantly to the nation’s GDP whilst creating job opportunities for thousands of people.
Because of its importance and value to the nation, the mining sector is a growing target for threat actors to conduct cyber-attacks, espionage, and even cause physical damage. Without an adequate level of resilience to security threats, any impacts could have significant consequences to mining operations and output.
Protecting your critical mining assets is a challenging task that requires navigating the complex vulnerabilities introduced by both IT and OT systems, as well as by the people and processes that support them.
An integrated security strategy covers personnel, cyber, and physical security, and accounts for the governance processes that underpin day-to-day operations. It recognises the distinct but interrelated nature of each security pillar, providing an efficient and effective way to achieve comprehensive security coverage of your mining operations.
Personnel Security
Personnel security is the most foundational aspect of an effective security strategy. Investments in other forms of security, including physical and cyber security controls, can usually be circumvented by a person on the inside, whether malicious or not.
A symptom of this issue in the mining sector is described in “Enough is Enough: Sexual harassment against women in the FIFO mining industry”, a WA Parliamentary Inquiry report tabled on 23 June 2022. The report called for the industry “to do more” to force perpetrators out of the industry. The relationship of this report to security is clear: not only because of the security and welfare of women employees and contractors, some of whom were subject to targeted violence, but also because the recruitment processes failed to prevent the employment of such perpetrators.
Screening at recruitment and ongoing monitoring of personal circumstances are examples of treatments for managing risks associated with personnel. Pre-employment screening is a challenging task that must provide assurance that the person to be employed will not be a security risk to the organisation or its employees. A simple police check alone does not provide this assurance, as it validates only a small portion of an individual’s record of character. These ‘standard’ checks need to be combined with a comprehensive screening process by qualified assessors, one that is objective, evidence-based, and applies the principle of natural justice to ensure that it is done fairly, consistently, and equitably. It also needs to consider the access to critical information and assets that the role involves, which determines whether higher levels of assurance are required prior to engagement. Finally, a personnel risk management process needs to be maintained during tenure and offboarding to ensure no damage or information loss is incurred post-employment. Only with such governance can there be certainty about security risks pertaining to employees.
Cyber Security
Mining operations are critically dependent on technologies that are often expensive, highly specialised, geographically dispersed, and becoming more and more connected. Such technologies include the business ICT network, which contains sensitive financial, exploration, and site planning data, and the mine site OT networks and systems, such as open pit monitoring, underground life support, autonomous vehicles, rail and port infrastructure, and so on.
Cyber-attacks on any of these technologies can cause significant damage to mining organisations, often resulting in production delays, equipment damage, and reputational losses. Given the risky nature of mining operations, a cyber-attack on any OT system could also have safety consequences and, in extreme situations, even lead to loss of life.
Because the cyber threat landscape is ever-evolving, there are virtually infinite options when it comes to cyber security mitigation strategies and controls. In highly specialised mining sector organisations it is therefore crucial that each strategy is tailored to the specific organisation’s threat environment, technological landscape, operational needs, risk appetite, and budgetary constraints.
One of the key strategies to balance these competing considerations is an integrated security risk management plan that tracks ongoing risks across all three pillars of security. This provides an effective method to prioritise mitigations based on their likelihood of occurring and the related consequence to the organisation’s mission. It also enables the recognition of complementary security controls that help to mitigate several risks simultaneously. Security controls and mitigation strategies should be selected from relevant cyber security standards, including the foundational IEC 62443 for OT or ISO 27001 for IT.
Aside from the overall cyber security governance structure, it is critical to map out your networks, take stock of all connected systems in your environment, and ensure adequate segregation between your IT and OT networks. Since COVID-19 there has been a significant uptake in remote maintenance, meaning that remote backdoor access to critical OT systems has commonly been established, often bypassing corporate security measures. These maintenance access points should also be accounted for and monitored for suspicious activity through logs, intrusion detection systems (IDS), and security information and event management (SIEM) systems. Regular cyber security audits and vulnerability assessments (passive assessment only on OT networks) should also be conducted, with any necessary action taken to fix identified vulnerabilities.
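As an added illustration of accounting for remote maintenance access points and monitoring their logs (example code written for this article, not Anchoram's tooling), the Python below compares constructed remote-access log lines against an inventory of approved vendor-account/OT-host pairs and their maintenance windows. All account names, host names, windows and log lines are constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime

@dataclass(frozen=True)
class AccessPoint:
    vendor_account: str   # remote maintainer account (constructed name)
    target: str           # OT host this access path is approved to reach
    start_hour: int       # approved maintenance window, local hours
    end_hour: int         # [start_hour, end_hour)

# Constructed inventory of the remote maintenance paths the site has approved.
APPROVED = [
    AccessPoint("vendor_pumps", "plc-dewater-01", 8, 17),
    AccessPoint("vendor_vent", "vent-ctrl-02", 8, 17),
]

# Constructed remote-access log lines: "<ISO timestamp> <account> -> <target> <action>".
LOG_LINES = """\
2024-03-04T09:12:00 vendor_pumps -> plc-dewater-01 login
2024-03-04T23:41:00 vendor_pumps -> plc-dewater-01 login
2024-03-04T10:05:00 vendor_vent -> plc-dewater-01 login
2024-03-04T11:30:00 contractor_x -> hmi-crusher-03 login
2024-03-04T12:00:00 vendor_vent -> vent-ctrl-02 logout
""".splitlines()

def parse_line(line):
    ts, account, _arrow, target, action = line.split()
    return datetime.fromisoformat(ts), account, target, action

def check_access(log_lines, approved=APPROVED):
    """Return (reason, line) for each login not covered by the approved inventory."""
    index = {(ap.vendor_account, ap.target): ap for ap in approved}
    known_targets = {ap.target for ap in approved}
    findings = []
    for line in log_lines:
        ts, account, target, action = parse_line(line)
        if action != "login":
            continue
        ap = index.get((account, target))
        if ap is None:
            reason = ("unapproved account for known OT host" if target in known_targets
                      else "unknown access point")
            findings.append((reason, line))
        elif not (ap.start_hour <= ts.hour < ap.end_hour):
            findings.append(("login outside maintenance window", line))
    return findings

if __name__ == "__main__":
    for reason, line in check_access(LOG_LINES):
        print(f"{reason}: {line}")
```

Each finding is a candidate alert for the SIEM; the inventory itself is the artefact that "accounting for" the access points produces, and any login that does not match it is, by definition, an access path nobody approved.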
Physical Security
Physical security is the final pillar of an integrated security strategy. The mining sector has many valuable assets, including equipment, facilities, and resources, that require protection from theft and damage. The remote nature of most mining operations provides a level of security through obscurity; however, it will not deter determined threat actors. Besides the mine site, corporate offices remain especially vulnerable to physical intrusions, which in turn can provide access to IT assets and systems.
Typically, physical security is the pillar with which the industry is most familiar given its close alignment with safety controls. However, poor personnel and cyber security measures can undermine the investment in physical security, allowing bypassing or deactivation of controls in place.
Some generally recommended physical security controls for mining organisations include physical access control systems (e.g., locks, swipe passes, fences), surveillance cameras, alarm systems, and security patrols.
Bringing it all together
Security needs to be viewed holistically and not in the separate silos under different functions within a company. An integrated security approach unifies security practices and enhances both the efficiency and effectiveness of security investments.
Each of the different facets of security deploys another ring of defence that deters a would-be attacker. A cyber threat, for example, is frustrated by a vetted and informed workforce in which the vulnerabilities of individuals are detected and managed, reducing the success of social engineering, spear phishing, or blackmail attempts.
Most boards and executive teams are briefed regarding their responsibilities related to each individual security domain. However, it is important to ensure that these conversations are raised across the organisation and are highlighted holistically. A meaningful and actionable security strategy allows senior leaders to understand what is required to address cyber, physical and personnel security risks for a complete appreciation of their risk landscape.
Anchoram Consulting assists mining organisations with mapping their security environment and developing a comprehensive security strategy across cyber, physical, and personnel that is aligned with company mission objectives and risk appetites. Our people have extensive experience with many different security frameworks and mining processes and technologies, with a goal to not only protect your mission critical systems but also ensure regulatory compliance, operational sustainability, and meaningful communication to senior leadership.