Mining companies’ cybersecurity has traditionally focused on functions like finance or human resources rather than on the ground at mine sites. However, with more devices being connected, some of the industry’s biggest cyber vulnerabilities are around operational technology.
Authors:
René Waslo, Global Risk Advisory Leader, Energy, Resources & Industrials, Deloitte US
Andrew Kwong, Partner, Risk Advisory, Deloitte Canada
Over the past five years, the acceleration of digitization, information technology (IT) and operational technology (OT) convergence and value-chain integration in the mining sector has produced new levels of efficiency, driven down miners’ costs, and created exciting new business opportunities.
However, with opportunity also comes risk and, for many companies, rather than security efforts keeping pace with their digital growth, the gap between risks and controls has widened.
According to computer-security firm McAfee, the cost of cybercrime globally now tops US$1 trillion, with monetary losses accounting for US$954 billion.1 Higher metal prices and the strategic importance of certain metals have brought the mining sector to the attention of criminals in recent years, and a number of firms (both metal producers and METS companies) have found themselves victims of security breaches.
For example, Norwegian aluminum and renewable energy company Norsk Hydro faced a ransomware attack in 2019 that affected more than 35,000 employees across 40 countries. The financial impact was estimated at US$71 million.2 More recently, Weir Group PLC was the victim of a ransomware incident in September 2021.3 This led to disruptions in the company’s engineering, manufacturing, and shipping operations which resulted in revenue deferrals and overhead under-recoveries.
Vulnerability through IT-OT convergence
Traditionally, mining companies have placed heightened security focus on protecting data and systems in functions like finance or human resources, but not enough on the ground at mine sites. However, IT-OT convergence is increasing, and more devices are being connected than ever before, sometimes without the proper due diligence for security. The result is that, today, some of the industry’s biggest cyber vulnerabilities are around OT, industrial control systems (ICS), and Industrial Internet of Things (IIoT).
René WasloꟷGlobal Risk Advisory & Cyber Leader, Energy, Resources and Industrials, Deloitte & Touche LLP, explains, “While companies have begun to place more emphasis on the operations side of their businesses, we still see opportunity for improvement in the OT environment. Until there is equal focus on the front and back office, we’ll continue to see breaches.”
Figure 1: IT-OT environments in mining are becoming increasingly connected
Historically, OT systems were designed to be isolated, running less-known industrial protocols and custom software. Those systems had limited exposure to cyber-related threats whereas, today, as an enabler of business innovation and efficiency, OT environments are becoming increasingly connected to other networks and are remotely accessible to allow remote process monitoring, system maintenance, process control, and production data analysis/integration (see figure 1).
The adoption of remote and hybrid operating models as ‘the new normal’ means that now is a good time to review cybersecurity measures around interconnected or segmented networks, and ensure they are robust enough to sustain current practices and support future business growth.
Other key challenges include the high cost associated with ICS upgrades, patching or changing configuration files on legacy systems, and a lack of redundancy in production schedules as supply chains move to more integrated or just-in-time models.
Restoring trust in the value chain
Twenty years ago, cybersecurity in mining was a technology implementation issue; as solutions were scaled up, security measures were added. While there’s still an element of association today, the ubiquity of digital technologies and work practices means that businesses now need to factor security threats and solutions into every decision they make. As value-chain integration accelerates, there are touchpoints where miners need to ensure that third-, fourth- or fifth-party organizations with whom they are doing business have a strong cyber posture.
There is also a reputational element to consider. In the future, a mining company’s security stance could affect its ability to engage or trade with other organizations.
Andrew KwongꟷPartner, Risk Advisory, Deloitte Canada explains: “When it comes to new technologies and systems, businesses are making strategic choices on how their organizations change, and those changes could have a big impact on security. Today, it’s important to put a cybersecurity lens over every business decision or technology implementation, and make sure that secure processes are in place to support these organizational changes.”
Of course, mining companies are just at the beginning of their digital journeys, so it’s worth putting the time, attention, and investment in now to ensure operations are not left exposed in the future.
Securing the mining OT environment
Future bites
Advanced digital technologies such as blockchain and artificial intelligence are already a reality. However, as future technologies, such as quantum computing for industrial applicationsꟷemerge, it’s important to consider the potential security issues that data management on this scale could entail in advance of implementation. Out of 600 respondents to Deloitte's 2021 Future of Cyber Survey, 64% ranked security capabilities as the top consideration in their decision to implement emerging technologies.4
1. Zhanna Malekos Smith, Eugenia Lostri and James Lewis, “The hidden costs of cybercrime,” McAfee, published December 2020, accessed 9 October 2021.
2. Bill Briggs, “Hackers hit Norsk Hydro with ransomware. The company responded with transparency,” Microsoft, published 16 December 2019 , accessed 14 November 2021.
3. “Q3 trading update and cybersecurity incident,” Weir, published 7 October 2021 , accessed 14 November 2021.
4. “2021 future of cyber survey,” Deloitte, published October 2021 , accessed 29 October 2021.