Industry Q&A: Cyber Security in the Mining Sector
Cyber security is an ever-growing issue in the mining sector, with our move into the digital age of mining. Austmine caught up with Michael Rundus, Global Mining & Metals Robotic Process Automation Leader and Oceania Advisory M&M for EY, to get his insights into some of the most pressing challenges and risks about cyber security.
Is cyber security high up enough on the agendas of mining companies yet? How about for the METS companies who are working with them to provide the operational and information technology that brings with it the security risk?
Not yet – there are still far too many people who think that cyber risk against mining operations is theoretical and that the ‘air gap’ between corporate and operational systems will protect them. In 2015 there were over 250 reported cyber incidents in the USA against operational technology supporting critical infrastructure. We have seen the first viruses targeting operational systems, and our clients with strong security event monitoring are seeing a rapid increase in the number of attacks on operational systems. Whilst cyber risk has become a Board level issue, we haven’t seen the step-change in cyber security awareness and security culture within the mining sector that is needed to resolve the gaping hole that the ‘human factor’ exposes to potential cyber-attacks. The urgency becomes more critical when you accept the ideology that it is no longer ‘if’ but ‘when’. The mining sector shares similar cyber threat profiles to ‘critical national infrastructure’ and the technologies utilised within the Energy sector. These organisations generally started their ‘step-change’ cyber security journeys nearly 2-5 years ago, depending on where they operate. The mining sector needs to accelerate its cyber program.
Whose responsibility is it within the mining company to ensure that cyber security protocols and technology are up to date?
Too many organizations are taking an ad hoc approach or acting when it is already too late to manage their risks and vulnerabilities, exposing the enterprise to greater threats. This is not a responsibility that can be delegated to one or two individuals. Rather, a wide range of individual responsibilities must be noted and detailed throughout the organization and the ecosystem, and brought together to form a single coherent and accessible view of the threat environment. This view will look different for the board and the C-suite than for employees, just as it will appear different again for partners, suppliers, vendors and other third parties.
We are seeing Boards taking more responsibility for cyber, and they are demanding more cyber metrics and reporting from management to drive their understanding of how the risk is being managed. However, management typically struggles to generate this information in a timely and easily digestible format. End users are often the front line when it comes to cyber-attacks, as one of the most common attacks is social engineering or phishing. We are seeing significant investment in security awareness and training, and leading companies run targeted campaigns to test how well end users provide the first line of defence.
What are some of the biggest challenges with ensuring your organisation is safe when it comes to cyber security? Are there additional challenges faced in mining?
Over the past few years we have seen the convergence of IT and OT, and many organisations have extended their ‘crown jewel’ assessments from the enterprise applications to cover the critical operational technology that enables automation, process control and HESE. This cyber risk assessment typically identifies that:
- Operational systems are critical to the organisation and there are no manual workarounds in the event of a cyber-attack
- The true cost in terms of production or safety from a cyber incident is material; however, the maturity of the controls over OT is significantly lacking. Often simple controls like redundancy, backups and network segregation are lacking.
- Significant investment is required to balance the cyber protection with the organisation’s risk appetite
- The pace of change is rapid, and malware and viruses attacking OT are increasing
An additional challenge is that the attack surface is only getting larger with the increasing investment in digital and reliance on control systems for efficient operations. If you think about all the connected devices across an operating environment, the footprint can be significant – for example, a mining company will have thousands of connected devices – many in physically secure environments such as the port, some in more controlled environments at mine sites, and others in public, such as railway signals.
How does EY work with clients to help them understand, and mitigate, cyber security risks?
Our point of view on cyber is to apply good risk management principles – and this starts with thinking of the issue as cyber risk. We assess the situational awareness to understand the business risks, critical assets and scenarios that pose a cyber risk event. We then balance the organisational risk appetite, controls environment, governance and business constraints to determine a risk-based cyber risk framework and program. It is difficult for mining companies to obtain funding to remediate across all components of a cyber framework; at EY we advocate a risk-based approach that demonstrates risk reduction through targeted cyber investments.
What lies ahead with cyber threats? What do miners and METS need to be future-proofing for?
The big trends in mining are digital, automation and data. As mining companies begin to automate more and more of their operations, their ‘attack surface’ increases and so does their overall cyber risk. Miners need to have a clear plan – their digital roadmap needs to be cognisant of cyber risk, or they could be facing a major incident. There needs to be a recognition that cyber security firstly requires the organisation to establish a baseline of ‘basic’ cyber controls maturity, supported by a risk-based approach to prioritise strategic long-term cyber investment for the subset of top cyber threat scenarios. Companies need to apply a cybersecurity framework to identify the critical cyber control gaps that need to be closed to achieve the target cyber risk profile. The threat has already increased due to the IT/OT convergence.
Michael Rundus is the Global Mining & Metals Robotic Process Automation Leader, the Oceania Advisory Mining & Metals Leader and the Advisory Services Leader for EY Perth, Australia. He is responsible for client delivery of risk and development of their people culture.
Read more about EY's expertise across cyber security and other business risks in the mining sector on their website.
Interested in learning more about cyber security in mining? Don't miss out on Austmine's live webinar on the topic, taking place on Thursday 14th September at 12.30pm AEST. Register online now!