How robust is your cyber security?

While data management and multinational accounting firms have been working to raise the profile of cyber security in the mining sector over the past few years, nothing hits home like the report of an attack on a well-known company

The list of potential cyber adversaries is growing including criminals, governments and 'hacktivists'

Carly Leonida

The ‘attack’ in question was confirmed by subsea mining hopeful, Nautilus Minerals, in February. The company admitted that in December last year, as part of its agreement with Marine Assets Corporation (MAC) which is building a charter vessel for the company’s Solwara 1 project off the coast of Papua New Guinea, it had paid a US$10 million deposit to commence construction of the vessel.

However, shortly after the deposit was paid into a bank account, which Nautilus believed to be MAC’s, it was discovered that the payment had been intercepted. The matter was referred to the police authorities in the relevant jurisdictions and an investigation is currently underway.

The topic is also timely, given President Obama’s recent affirmation that he intends to back new proposals to step up the prosecution of computer crimes, and toughen penalties, in a bid to boost protection from cyberattacks for businesses and government.

“At a time when public and private networks are facing an unprecedented threat from rogue hackers as well as organised crime and even state actors, the president is unveiling the next steps in his plan to defend the nation’s systems,” a White House statement said in January.

While mining companies have been a target for criminals, governments and ‘hacktivists’ for some time, a recent increase in high-profile incidents at a corporate level has brought the issue to the fore. Examples include hacking activity during BHP Billiton’s attempted takeover bid for PotashCorp, and cyberattacks on both Fortescue Metals Group’s and Rio Tinto’s Australian computer networks in recent years.

Many miners as well as suppliers and service providers are now looking to engage professional security firms to ensure their data is protected.

In a bid to find out more about the scale of the challenge facing these companies, I turned to the experts at EY and Deloitte, both of which have significant experience in the mining sector.

EY flagged up the issue in its 2013 Global Information Security Survey, in which 41% of mining and metals respondents reported an increase in external threats, and according to Paul O’Rourke, EY Asia-Pacific’s cyber security leader, this trend is only going to continue.

“The biggest threat the mining sector faces – and it is the same for utility providers and others – comes from the convergence of information technology (IT) and operational technology (OT) and the increased cyber risk that creates,” he says.

“Operational functions have not traditionally been connected to the network or ‘the internet of things’ [IoT] so they have not had to consider IT security risk. Now we are seeing web-enabled OT across all aspects of mining operations, but much of it is not being designed and operated with the same degree of risk management and security controls as traditional IT functions.”

Cyber-enabled businesses are effectively increasing their risks through unlocked backdoors, and the more internet-enabled operations become the more gateways there are to attack.

“The more dependent businesses become on big data, then the more reliant they become on the veracity of that data and, in turn, more vulnerable to increased security risk,” adds O’Rourke.

It is true that big data, mobile computing and the IoT have enabled exciting opportunities in OT, and in the mining business more broadly; at the same time, they have exposed businesses of all sizes to increased threats of cyber hacking. For example, mobile devices, which are both an important business tool and a stalwart for remote workers, particularly in mineral exploration, allow employees access back to their corporate environment. However, they also present another point of connectivity into the organisation, and many are cheap, unmanaged devices, meaning they often aren’t governed by the company’s corporate security policy.

Understanding cyber threats

Big data, once considered a buzz phrase, is now firmly here to stay. In a recent interview, Rio Tinto’s head of innovation, John McGagh, emphasised to me the importance of increased computing power, the decreased cost of managing and storing data, the IoT and connectivity in enabling more efficient mining processes and concepts such as predictive analytics.

“These things are revolutionising our industry,” he said.

Putting its money where its mouth is, the company has just opened an Analytics Excellence Centre in India and will unveil a Mining Excellence Centre later this year, to support its Processing Excellence Centre in Brisbane, Australia.

The centres draw and analyse data from Rio Tinto’s mines across the globe, helping the company to run its businesses with less variance. By the end of this year, 85% of Rio Tinto’s open-pit mines will be linked to the Mining Excellence Centre, and the company will be able to look at any vehicle at any facility globally just 0.3 seconds behind real time, which should provide a window into the magnitude of data just one company is channelling (and what would be at stake if an attack on the facility was to succeed).

Jeremy Wood and Russell Morgan from the energy & resources cyber security team at Deloitte explain that the utilisation of big data is increasing pressure on organisations and vendors to provide better security measures, often because their operations depend on aged technologies that have been ring-fenced from security updates.

“The amount of data being generated, collected and stored, such as commercially sensitive R&D, intellectual property and production information, increases the attractiveness to attackers looking to capitalise on data, and such attacks are becoming easier to design, build and deploy,” Wood explains.

The high value of transactions in the industry, even for smaller operators like Nautilus, also makes the mining sector an enhanced target for cyber criminals.

“This is an issue across the mining sector regardless of size and scale. High-profile attacks on large, household-name companies in banking, government and many other sectors highlight that bigger organisations are equally as vulnerable as smaller organisations,” says O’Rourke.

Morgan confirms this: “Financial gain is a clear motivation for many of the cyber-attacks that we see. Part of the challenge is knowing whether you’ve been compromised in the first place, so any assertions over whether top-tier miners are more secure than junior or mid-tiers are a matter of opinion, rather than fact.”

Unfortunately the innocent insider, i.e. the employee, is also a threat to the industry and its supply chain.

“Spear phishing attacks causing employees to open malicious attachments have devastated organisations in other industries,” says Wood, “and there is a shift in the ‘threat actor profile’ in the broader sector, from those motivated to steal IP towards those intent on causing disruption.

“Vast amounts of data can be lost because of innocent mistakes, such as emailing confidential files to personal email accounts, removable media, or the consequences of clicking links from phishing attacks.”

Security 101

Getting the basics right is therefore a vital foundation for achieving the right security posture, whether that means patching systems, deploying anti-virus software, segregating systems or educating users.

“The key for mining companies is to treat it [cyber security] as they would IT security and other business risks; understand and assess the risks, have a comprehensive OT security strategy, and either accept or treat the risks,” says O’Rourke.

“The key is to understand the risks before implementing new technology. We see a lot of new things deployed without the appropriate risk assessment and controls up front. ‘Security by design’ is a fundamental principle that needs to be embedded across new initiatives.”

Investment in technology should be considered secondary until the associated risks are properly assessed and understood, and investment in people, processes and culture is increasingly as important as investment in the technology itself.

Additionally, the risks from third parties have increased because of greater connectedness with contractors and the supply chain, so businesses need to look at who they are working with upstream and downstream, and consider the vulnerabilities of those companies as well, since their risks may not be appropriately managed.

Wood and Morgan offer the following advice to firms in the mining sector that are looking to step up their security measures:

  • Understand your threats based on recognised threat models and standards;
  • Ensure there is support from the executive team. In many energy and resources organisations, getting cybercrime recognised as a board/audit committee key risk drives understanding, investment and progress;
  • Implement a programme of change to drive cyber security improvement. Over time this will become operational continuous improvement, but most organisations benefit from a programme approach to catalyse and embed cyber resilience;
  • Prioritise your efforts and investment: it is essential to identify and focus security resources around the systems which, if breached, would cause a significant detrimental business impact through financial loss, reputational loss or operational disruption;
  • Understand and control your company’s exposure to connectivity, data handling and security controls of third parties or partners;
  • Accept that you won’t be able to prevent every attack; but you can ensure that the company has capability to detect and respond to threats in a timely way;
  • Raise the awareness of staff and suppliers to the threat of cyber-attacks, and ensure they are provided with secure ways of working;
  • Secure your enterprise network. Successful attacks across a range of industries highlight how normal office users have been used as a stepping stone to attacking more critical systems;
  • Properly control links between networks, and follow standards for securely managing segregation, interconnects and updates; and
  • Miners, vendors and service providers must collaborate to implement and maintain robust defences to cyber threats.