
Four tips to overcome the cyber threat to the mining industry

Organisations in the mining sector face a new and important
challenge as they balance the drive for operational and environmental
efficiency against the emerging risk of cyber attack.

As production costs increase, mining organisations are looking to minimise costs and maximise flexibility. This is driving a trend to connect Industrial and Process Control Systems (ICS/PCS) with corporate IT networks. This results in decreased operational costs through centralised management and control of mining sites and their respective processes.

However, increased connectivity carries an increased opportunity for cyber attack. With criminals, hackers and other powerful interested parties looking to sabotage operations, mining companies are a key target. The potential gains for attackers include commercial or political gains as well as monetary gains (for example, by manipulating markets and commodity prices).

The risks to mining organisations are significant. They include potential health and safety issues to workers which may lead to loss of life or reduced availability for production, financial impact to the organisation and shareholders due to long downtimes, and brand and reputation damage, just to name a few.

Previously, ICS/PCS were separate from ICT systems because they were air-gapped (physically isolated). While it’s true that there have been a limited number of malicious cyber incidents to date in operational environments, the threats facing the sector are constantly evolving and increasing because these systems are now exposed to the wider corporate environment for operational purposes. It is vital for mining operations to understand the potential risks to their organisation and protect their environments from what could be a major catastrophe for the organisation’s financial position and operational status.

That is not to say that attacks have not already occurred. For example, in August 2012 there was an attack on RasGas, the state petroleum company of Qatar. Cyber criminals attacked the corporate IT system of the company using malware called Shamoon, but rather than attempting to steal information, the attacker was seeking to disrupt the company’s operations. The Shamoon attack was relatively unsophisticated, and has been widely reported to be attributable to the “Cutting Sword of Justice” group.

However, other more sophisticated attacks have also taken place. An example of this is the Stuxnet cyber attack on an Iranian Nuclear Power reactor in 2012, widely speculated to have been a joint effort by two international governments. This was a computer worm, aimed at the Natanz uranium enrichment facility and reportedly designed to damage centrifuges by making covert adjustments to the machines controlling them. Allegedly, this was one of the first attacks designed to inflict physical destruction, rather than simply steal information.

It is possible to protect an organisation against these types of attacks without going back to the previous style of operations where ICT and ICS/PCS were completely separate. The benefits of connected ICT and ICS/PCS are many and they include not just the ability to drive down costs and meet demand efficiently, but also to communicate with business stakeholders more transparently and seamlessly. Reversing this trend would be detrimental to the mining industry’s profit-making abilities.

Instead, organisations should assess the level of risk along
with the potential business impact if that risk were to materialise. They can
therefore identify the most vulnerable areas and decide where to invest in
protection.

When developing the risk assessment, organisations must
consider every element including people, process, training and policy as well
as technology.

The human factor is important and, while security technology
is essential, often it is human error or a policy failure that opens an
organisation to attack. 

Companies that educate employees about the risks and
their role in protecting the organisation are less likely to suffer a breach.

There are four key steps towards effectively protecting
mining organisations’ systems without jeopardising the business efficiencies
gained by connecting ICT and ICS/PCS environments. These are:

1. Prepare

Understand what targets the attackers may want to compromise
as well as the potential impact of a successful attack. Develop a policy that
articulates how to address cyber risks based on priorities. For example, while
a particular area may be vulnerable to attack, the business impact of a
successful attack may be negligible, so the organisation may decide not to
implement specific protection for that area.

2. Monitor

While IT managers are used to monitoring systems for signs of cyber attacks, it is less common for OT managers to do the same, either because the risk is new to them or because monitoring tools and their management in OT environments generally differ from those in IT. If a system malfunctions, the focus should be on determining the cause of the malfunction (a cyber incident can look like an ordinary fault) as well as on getting the system back up and running as quickly as possible.

3. Protect

This step can present challenges for organisations. The
temptation to tighten security can lead to systems becoming
difficult to use because of overly onerous security settings.
Organisations need to find the middle ground between securing the systems and
still allowing them to work in line with business requirements and integrating
well with overall business operations.

4. Respond

While risk assessments, skilful monitoring and strong protection are essential, there is still a chance that cyber criminals will penetrate security measures. It is therefore vital to have an incident response capability in place that clearly articulates the process to follow in the event of a cyber incident. This should also include the ability to learn from attacks that occur and implement new policies, technologies or processes where appropriate to prevent future attacks.
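To make the Monitor step (and the cause-finding the Respond step relies on) concrete, here is a small added example, not part of the original article or of BAE Systems’ tooling. It assumes a historian or protocol gateway records control writes and process alarms as one line per event; the log format, host names (eng-ws01, corp-lap17 and so on), tag names and the allow-list of approved engineering hosts are all constructed for illustration. It flags setpoint writes from hosts outside the allow-list and, for each alarm, lists the recent writes to the same piece of equipment, so an operator can tell an ordinary fault from a change that someone, or something, pushed to the controller.

```python
"""Spot control writes from non-approved hosts in OT event logs and
correlate process alarms with the writes that preceded them.

Constructed example: the log format, hosts, tags and allow-list below are
assumptions, not taken from any real site or product.
"""
import re
from datetime import datetime, timedelta

# Constructed sample log lines (time, event type, source host, tag, value).
SAMPLE_LOG = """\
2024-03-01T08:00:05 WRITE src=eng-ws01 tag=CONV1_SPEED_SP value=1.8
2024-03-01T08:02:10 READ  src=hmi-02    tag=CONV1_SPEED_SP
2024-03-01T09:15:42 WRITE src=corp-lap17 tag=MILL2_LOAD_SP value=95
2024-03-01T09:16:30 ALARM src=plc-07 tag=MILL2_LOAD_HI value=97
2024-03-01T10:40:00 WRITE src=eng-ws02 tag=PUMP3_MODE value=AUTO
2024-03-01T13:05:11 ALARM src=plc-03 tag=PUMP3_FLOW_LO value=4
"""

# Assumed site policy: only these engineering workstations may change setpoints.
APPROVED_WRITERS = {"eng-ws01", "eng-ws02"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<event>WRITE|READ|ALARM)\s+src=(?P<src>\S+)"
    r"\s+tag=(?P<tag>\S+)(?:\s+value=(?P<value>\S+))?$"
)


def parse_log(text):
    """Parse the constructed log format into a list of event dicts."""
    events = []
    for line in text.splitlines():
        match = LINE_RE.match(line.strip())
        if not match:
            continue  # skip malformed lines rather than abort monitoring
        event = match.groupdict()
        event["ts"] = datetime.fromisoformat(event["ts"])
        events.append(event)
    return events


def unapproved_writes(events, approved=APPROVED_WRITERS):
    """Control writes issued from hosts outside the allow-list."""
    return [e for e in events if e["event"] == "WRITE" and e["src"] not in approved]


def equipment_unit(tag):
    """Equipment prefix of a tag, e.g. 'MILL2' from 'MILL2_LOAD_HI'."""
    return tag.split("_")[0]


def correlate_alarms(events, window=timedelta(minutes=10), approved=APPROVED_WRITERS):
    """For each alarm, list writes to the same equipment within the preceding
    window and note whether any came from a non-approved host."""
    writes = [e for e in events if e["event"] == "WRITE"]
    findings = []
    for alarm in (e for e in events if e["event"] == "ALARM"):
        unit = equipment_unit(alarm["tag"])
        related = [
            w for w in writes
            if equipment_unit(w["tag"]) == unit
            and alarm["ts"] - window <= w["ts"] <= alarm["ts"]
        ]
        findings.append({
            "alarm": alarm["tag"],
            "unit": unit,
            "preceding_writes": [(w["src"], w["tag"]) for w in related],
            "unapproved_source": any(w["src"] not in approved for w in related),
        })
    return findings


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    for w in unapproved_writes(evts):
        print(f"UNAPPROVED WRITE {w['ts']} {w['src']} -> {w['tag']}={w['value']}")
    for f in correlate_alarms(evts):
        print(f"ALARM {f['alarm']}: preceding writes {f['preceding_writes']}"
              f" unapproved={f['unapproved_source']}")
```

Run as a script it reports the write from corp-lap17 and shows that the MILL2 high-load alarm followed that write within the window, while the PUMP3 low-flow alarm has no recent write behind it and is more likely a plant fault. The allow-list and the correlation window are policy choices that belong in the Prepare step.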

Mining organisations that implement these four steps while simultaneously addressing the inevitable human factor in system security will be well-placed to avoid being damaged by the expected increase in cyber attacks on ICS/PCS based systems.

Craig Searle is the head of cyber security, APAC, for BAE Systems Applied Intelligence.
