Bring in the cyber guards
Mining companies are facing unprecedented attention from hackers, so they need to get their cyber security act together – but how exactly? Guy Richards reports.
Barely a week seems to go by without a report in the media about a firm’s cyber security having been breached, with the loss of sensitive company and customer data. Mining companies are no different. In fact, a range of recent studies show that, increasingly, they are the target of choice.
It is easy to see why mining firms have become so attractive to hackers. As consultancy Ernst and Young (EY) explains in its latest Global Information Security Survey, a typical mining company regularly deals with huge cash flows for investment and other purposes. They also play a fundamental role in the world supply chain of minerals and metals. Because of this, they are often hate figures for social and environmental activists – and they have geographically dispersed workforces, using a range of communication methods.
None of this is new, but in the past few years the mining sector has undergone some changes, the consequences of which a number of companies may have overlooked. If they continue to do so, they risk severe damage to their finances, reputation and shareholder confidence.
The mining sector has been hit by the recent global economic downturn as much as any other, so mining companies have been under the same pressure as everyone else to rationalise their costs. One way they have done so, says the EY report, has been to centralise many business functions, creating more sophisticated, enterprise-wide web-based IT systems, which bring with them greater scope for outside intrusion.
In addition (in a cost-saving drive), more and more miners are adopting automation and remote control systems for their projects. The problem here is that these systems are now connected to the wider IT network and many of them, especially the legacy control systems, are inherently less secure because they were not designed with security in mind. Without proper precautions, a hacker can access the systems through the enterprise network and cause all manner of damage to equipment as well as to employees.
This is not scaremongering. As Mike Elliott, EY’s Global Mining and Metals Leader, says, ‘Companies can be a little naïve in assuming that these technologies are not exposed to attack. The assumption is that they are still standalone technologies – they’re not.’ A case in point, he says, are the supervisory control and data acquisition (SCADA) systems used to control heavy equipment, processing systems and safety monitoring at a mine.
It is a view echoed by Charlie Hosner, Partner at consultancy KPMG with responsibility for cyber security in energy and natural resources. He says, ‘Industrial control systems tend to be designed with open access for safety and legacy design issues, and are often built with a focus on availability and robustness rather than security.’
Plan of attack
The motivations behind cyber attacks are the same as for any other extractive industry, and experts agree that the most serious threat is corporate espionage. As Dr Scott McVicar, Managing Director of Cyber Security at BAE Systems Applied Intelligence, explains, ‘This is the form of cyber attack most likely to succeed. Hackers can be very well resourced and will more than likely achieve their aim, even where the target company has strong cyber security in place.’
The resources of such hackers – in terms of knowledge, manpower and time – are usually greater than those of their targets, giving them the capability to pull off highly sophisticated, complex and extended attacks, which may involve human as well as cyber espionage. Here, the primary targets are to collect data supporting merger and acquisition activity as well as intellectual property around actual operational techniques, plus other commercially sensitive information to aid contract negotiations.
Attacks on the control systems themselves have different aims, but are no less damaging. As Hosner explains, ‘Abuse of these systems represents real health and safety issues as well as a potential environmental and financial impact. It is not hard, for example, to imagine a dedicated attacker causing a national safety threat if they had control of the flow of some of the chemicals used in today’s mining operations.’
These attacks can come from socalled hacktivists – broadly a hacker with a social or political agenda – or plain old-fashioned criminals. For example, in the former case, if a mining company fails to meet a demand under its social licence to operate, a group with unsatisfied demands may seek to disrupt the company’s activities or expose confidential information. In the latter case, a criminal could, for example, take a long position on a metal such as copper, disrupt its production at key sites and then profit from the resulting spike in its market price. While some might see this as a desperate situation, there are plenty of practical and effective measures that can be taken.
Preventing a hack
The key thing to understand is that the threat does not come from cyberspace itself (which is, after all, just a fast and interconnected tool) but from the people using it. Experts agree that a company’s staff, if suitably trained, is the strongest defence. With training, staff will know how to spot something suspicious such as a spear phishing attack – usually a seemingly legitimate email that asks the recipient to click on a link or to supply usernames and passwords. These are increasingly succeeding as perpetrators have become adept at mimicking the content and style of a bona fide message.
Training should not be generic but instead targeted at categories of staff using specific education programmes that cater for how they use data and the risks that presents. In addition, because of the effects an attack can have on the entire business, cyber security is no longer purely an IT issue. Someone at board level or in senior management should be directly responsible for this area – for instance, a Chief Information Security Officer – who can take a strategic view of the issue.
At operational level, monitoring and surveillance are vital. Hosner explains, ‘For enterprise IT, mining companies should be moving from a protective architecture to a detective and responsive one supported by robust surveillance tools and mature processes to handle the incidents and events of interest they discover. From an industrial control standpoint, there are a handful of industrial cyber security technologies emerging, and I expect we will see a flood of new tools coming in the next five years. But in general, we suggest our clients initially stay away from these tools and instead set up the right capabilities and people-focused controls.’
Dr McVicar agrees. ‘One of the key things we would suggest is network segmentation – splitting up systems to limit the potential for damage between networks that have data of different value. Monitoring for advanced targeted attacks is essential. With the right type of monitoring based on logging of data across the network, and using behavioural analytics on that data, the chances of detecting attacks will increase.’
Even having adopted these measures against deliberately malicious intent, mining companies can still be vulnerable to attack via third-party suppliers. ‘Third parties are, and will continue to be, one of the hardest threat vectors to manage,’ says Hosner. ‘Often they do not share the consequences of security breaches and are under pressure to provide rapid and inexpensive support, meaning important controls are often left out of services or connections. So before awarding a contract, mining companies need to commission an appropriate security review of the potential supplier.’
Dr McVicar takes this a stage further. ‘A key step is to ensure there are mechanisms in contracts to ensure your suppliers are at least as cybersecure as your own firm,’ he says. ‘For example, if you have a contract with a legal or accounting firm for merger and acquisition activity, you should think about specific clauses requiring certain cyber security undertakings, ensuring they treat your data as securely as you would yourself.’
The time has come for the mining industry to take this issue seriously. As Hosner says, ‘Cyber security has not been a priority in the industry, as the threats just didn’t warrant it. But now we’re entering a new world and mining companies are going to have to make real investments in cyber security controls, or at best suffer critical data leakage at best and at worst real physical damage.
‘The good news is that a lot can be done around the foundations of governance, ownership and risk, before organisations need to invest heavily in new technology. And as organisations mature, they will find that the major automation vendors are working hard to evolve their product offerings and should have better embedded control for the future.’
A tactical guide to beating cyber crime
Developing a cyber security plan from scratch can seem daunting – consultancy KPMG suggests this initial checklist.
- Take a position – who are your enemies and what are their motivations? What tools and techniques will they use and what will the impact be if they are successful?
- Select your defences – those you put in place for hacktivists will be quite different from those for corporate espionage. Know what threats you are going to defend against and those you want to defend against. Trying to prevent them all can be unfeasibly expensive.
- Get the basics right – fundamental security weaknesses account for 70–80% of cyber attacks.
- Out-of-date software has known vulnerabilities that leave you susceptible to attack.
- Alarm systems – anti-virus software and firewalls are not sufficient defences against sophisticated attacks. If you think these are at risk, employ a better monitoring system and carry out a network compromise analysis to uncover evidence of any breaches, which will also require specialists to analyse the output and respond to attacks.
- Behaviour and education – make sure your contractors and those in the supply chain recognise what the threats are, how to spot something suspicious, as well as what phishing attacks are and how they might be targeted.