What The Mining Sector Should Know And Do About Cyber Risk
Many industry sectors have been highlighted in Australia by recent changes to the Security of Critical Infrastructure (SOCI) Legislation but one that is persistently overlooked is the mining sector.
As with other industrial control sectors, mining may have avoided (for the most part) high-profile cyber incidents. In terms of targets, however, many would be surprised by the impact that the loss of critical mining systems may have, not only to the organisation but more broadly on the economies that these organisations operate in.
The mining industry is on the verge of several technology evolutions that will aim to put intelligent systems, automation, large-scale data acquisition, and robotics at the forefront of plans to improve efficiencies, reliability and safety. This makes the reliance on these technologies and their security even more relevant.
Given the proliferation of these new technologies and their integration into both the business and production operations of mining, it is reasonable to treat them as high-risk targets regardless of the motivation of cyber threat actors.
What is critical and why?
Mining systems as a subset of Industrial Control Systems (ICS) provide many of the functions required to operate mining activities safely.
Consider a system such as Heating, Ventilation and Air Conditioning (HVAC) for a mine, providing clean air, exhaust and cooling for many hundreds of staff deep underground. This brings into sharp focus the detrimental impact an interruption to HVAC could have if it is disabled, whether intentionally or otherwise.
Therefore, within the ICS domain, the focus on safety remains the core requirement of any supporting system and must, by nature, be designed and developed with safety, resilience and reliability in mind.
Traditionally these types of systems had little or no connectivity and could generally not be controlled remotely. However, with new systems leveraging commercial software and hardware, they are becoming increasingly vulnerable.
Provided the ICS has been designed correctly, mining systems should fail safe, and no single component failure should be able to stop system operation, as even the smallest outage or unexpected system behaviour has the potential to put the safety and lives of mine workers at risk.
Making mining a riskier business
Reflecting again on the operational technologies (OT) used in mining operations, several scenarios can be considered:
- Vulnerabilities in wireless communications that allow unauthorised interaction with autonomous vehicles
- Supply chain risk, where a compromised remote supplier provides a path for unauthorised access to the ICS
- Commercial ICT solutions that increase the attack surface within operational technologies
With these three examples, it is evident that cyber threats are multi-dimensional, and we have not yet discussed the additional risks of integration between corporate systems and ICS.
Not all cyber threat scenarios relate to technology. As mines are geographically disparate locations, the systems that each mine runs may differ in design, technologies, processes and practices. This adds another dimension when considering how a centralised mining organisation coordinates a response to a cyber incident, as inconsistencies between sites can produce delays, leading to longer response times and increased damage.
It is a marathon, not a sprint
Linking ICS-related risks to business risks is an important step and should not be done by individual teams in isolation. A multi-disciplined approach that leverages industry experts is a sure-fire way to build a consolidated view across the organisation.
The following steps should be taken into account by organisations looking to strengthen the security of their OT.
1. Understand risks and vulnerabilities
The first step in assurance is to understand the relevant risks and cyber maturity within the organisation, covering both the corporate and operational environments. Although there will always be residual risks that are unable to be resolved, it is critical to know what controls are in place and where efforts should be directed. Recommendations to gain a holistic understanding include:
- Document assets and facilities and rank them by criticality
- Assess these assets and facilities for exploitable vulnerabilities
- Understand the impacts if ICS and operational technologies are shut down or unavailable
2. Unite the workstreams
Technologies within mining organisations do not function in isolation, so a unified program to address cyber security methodically across both business and operations is key to ensure coverage and the ability to leverage complementary controls where applicable.
These programs, within the confines of funding, should be focused on a year-on-year approach and demonstrate how a step change will be achieved to reduce risk, improve posture and increase maturity.
3. Focus on the basics
Every business will have a different threshold for risk and maturity, however, there are common methods to ensure a starting point to achieving security, alertness and resiliency:
- Cyber Security Awareness training: Cyber security awareness needs to be promoted across all roles within the organisation. This can be provided through training and examples of real-world scenarios to instruct teams on how to respond and interact with systems safely and securely.
- Access control: Ensure that ICS systems and their associated technologies are segregated both logically and physically. Industrial standards such as IEC 62443 are valuable in guiding the risk assessment and the technical controls needed to achieve a level of segregation based on a Security Target Level (SL-T).
- Incident Response: A cyber event will undoubtedly occur in modern enterprises regardless of scale. Focusing on and periodically testing incident management response, policies and procedures will ensure an agile response to any incident.
Keep the conversation going
Most Boards and Executive teams are briefed on their responsibilities from a cyber security perspective. It is important, however, that these conversations are also raised across the wider organisation and are made meaningful and actionable, so that senior leaders understand what is required to address cyber risks.
Utilising industry research, reports and examples in short, concise executive briefings is a great way to assist with communication within and across the organisation.
That is where we can help. The Anchoram team consists of professional security consultants who have extensive experience in the Mining Sector as well as in Critical Infrastructure, Defence and Intelligence organisations.
We can help with everything from executive briefings, risk management, cyber security control design, security testing and standards-based assessments and have competitive offerings led by dynamic leaders who have operated at the highest levels of industry.
Please don’t hesitate to contact us if you need help with securing your mining organisation.