Mining companies’ cybersecurity has traditionally focussed on functions like finance or human resources rather than on the ground at mine sites. However, with more devices being connected, some of the industry’s biggest cyber vulnerabilities are around operational technology.
Authors:
René Waslo, Global Risk Advisory Leader, Energy, Resources & Industrials, Deloitte US
Andrew Kwong, Partner, Risk Advisory, Deloitte Canada
Over the past five years, the acceleration of digitisation, information technology (IT) and operational technology (OT) convergence and value-chain integration in the mining sector has produced new levels of efficiency, driven down miners’ costs, and created exciting new business opportunities.
However, with opportunity comes risk. For many companies, security efforts have not kept pace with their digital growth, and the gap between risks and controls has widened.
According to computer-security firm McAfee, the cost of cybercrime globally now tops US$1 trillion, with monetary losses accounting for US$954 billion.[1] Higher metal prices and the strategic importance of certain metals have brought the mining sector to the attention of criminals in recent years, and a number of firms (both metal producers and METS companies) have found themselves victims of security breaches.
For example, Norwegian aluminum and renewable energy company Norsk Hydro faced a ransomware attack in 2019 that affected more than 35,000 employees across 40 countries. The financial impact was estimated at US$71 million.[2] More recently, Weir Group PLC was the victim of a ransomware incident in September 2021.[3] This led to disruptions in the company’s engineering, manufacturing and shipping operations, which resulted in revenue deferrals and overhead under-recoveries.
Vulnerability through IT-OT convergence
Traditionally, mining companies have placed heightened security focus on protecting data and systems in functions like finance or human resources, but not enough on the ground at mine sites. However, IT-OT convergence is increasing, and more devices are being connected than ever before, sometimes without the proper due diligence for security. The result is that, today, some of the industry’s biggest cyber vulnerabilities are around OT, industrial control systems (ICS), and Industrial Internet of Things (IIoT).
René Waslo, Global Risk Advisory & Cyber Leader, Energy, Resources and Industrials, Deloitte & Touche LLP, explains, “While companies have begun to place more emphasis on the operations side of their businesses, we still see opportunity for improvement in the OT environment. Until there is equal focus on the front and back office, we’ll continue to see breaches.”
Figure 1: IT-OT environments in mining are becoming increasingly connected
Historically, OT systems were designed to be isolated, running less-known industrial protocols and custom software, and they had limited exposure to cyber-related threats. Today, as an enabler of business innovation and efficiency, OT environments are increasingly connected to other networks and are remotely accessible to allow remote process monitoring, system maintenance, process control and production data analysis/integration (see figure 1).
The adoption of remote and hybrid operating models as ‘the new normal’ means that now is a good time to review cybersecurity measures around interconnected or segmented networks, and ensure they are robust enough to sustain current practices and support future business growth.
Other key challenges include the high cost associated with ICS upgrades, patching or changing configuration files on legacy systems, and a lack of redundancy in production schedules as supply chains move to more integrated or just-in-time models.
Restoring trust in the value chain
Twenty years ago, cybersecurity in mining was a technology implementation issue; as solutions were scaled up, security measures were added. While there’s still an element of association today, the ubiquity of digital technologies and work practices means that businesses now need to factor security threats and solutions into every decision they make. As value-chain integration accelerates, there are touchpoints where miners need to ensure that third-, fourth- or fifth-party organisations with whom they are doing business have a strong cyber posture.
There is also a reputational element to consider. In the future, a mining company’s security stance could affect its ability to engage or trade with other organisations.
Andrew Kwong, Partner, Risk Advisory, Deloitte Canada, explains: “When it comes to new technologies and systems, businesses are making strategic choices on how their organisations change, and those changes could have a big impact on security. Today, it’s important to put a cybersecurity lens over every business decision or technology implementation, and make sure that secure processes are in place to support these organisational changes.”
Of course, mining companies are just at the beginning of their digital journeys, so it’s worth putting the time, attention, and investment in now to ensure operations are not left exposed in the future.
Securing the mining OT environment
Future bites
Advanced digital technologies such as blockchain and artificial intelligence are already a reality. However, as future technologies, such as quantum computing for industrial applications, emerge, it’s important to consider the potential security issues that data management on this scale could entail in advance of implementation. Out of 600 respondents to Deloitte's 2021 Future of Cyber Survey, 64% ranked security capabilities as the top consideration in their decision to implement emerging technologies.[4]
[1] Zhanna Malekos Smith, Eugenia Lostri and James Lewis, “The hidden costs of cybercrime,” McAfee, published December 2020 https://www.mcafee.com/blogs/other-blogs/executive-perspectives/the-hidden-costs-of-cybercrime-on-government/, accessed 9 October 2021.
[2] Bill Briggs, “Hackers hit Norsk Hydro with ransomware. The company responded with transparency,” Microsoft, published 16 December 2019 https://news.microsoft.com/transform/hackers-hit-norsk-hydro-ransomware-company-responded-transparency/, accessed 14 November 2021.
[3] “Q3 trading update and cybersecurity incident,” Weir, published 7 October 2021 http://www.global.weir/newsroom/news-articles/q3-trading-update-and-cybersecurity-incident/, accessed 14 November 2021.
[4] “2021 future of cyber survey,” Deloitte, published October 2021 https://www2.deloitte.com/global/en/pages/risk/articles/future-of-cyber.html, accessed 29 October 2021.