Cyber Security – Coming to a Mine Near You -

The mining industry is being told to take advantage of digitalization. As an example, here is a link to a recent article that discusses this “Can mining decode the opportunities of the future?”. The article says “To achieve sustainable improvements in productivity, mining companies will need to overcome a digital disconnect that has held them back”.

I fully agreement with this sentiment, although there are some cautions when adopting new technology.

Not everything is positive

The mining industry will see positive impacts from digitalization. Unfortunately more reliance on technology also brings with it significant risks. These risks are related to cyber security.

I recently attended a CIM presentation here in Toronto that focused on cyber security, specifically related to the mining industry. The potential negative impacts to a company can be significant.

Some mining companies already have experienced these negative impacts, albeit in some cases it may not be well publicized. I will highlight some examples later in this blog.

(By the way, I appreciate that the CIM presenter gave me access to the information in his presentation).

Attackers and threats

There are several ways that mining companies can be attacked via technology channels. The attackers could be foreign governments, anti-mining groups, disgruntled employees, or just your average everyday miscreant. There are several avenues as described below.

Hack-tivsm: Where a company website may be defaced and blocked as part of a campaign against the opening of a new operation.
Data Breaches: Security breaches on websites resulting in leaked sensitive data including personal identification, credentials, and investor information.
Industrial Control Attack: Amending software code on major equipment resulting in shutdown or damage.
Business Interruption: Attacking systems so the company must be temporarily disconnected from the internet and forcing replacement of all hard drives and servers.
Dependent Business Interruption: Overwhelming servers in order to degrade cloud services and websites.

Examples

The following are some examples of how different attack approaches have been used with success.

April 2016 – a Canadian gold-mining firm suffered a major data breach when hackers leaked 14.8 GBs of data containing employee personal information and financial data.
May 2015 – a Canadian gold mining company was hacked resulting in 100GBs+ worth of stolen data being released.
May 2013 – a large platinum producer experienced a security breach on their website resulting in leaked sensitive data online including personal data, credentials, and investor information.
February 2015 – A junior mining company was the victim of a cyber scam that resulted in the company paying a $10M deposit into an unknown bank account intended for a sub-contractor.
November 2011 – In an attempt to gain information on bid information about a potential corporate takeover, hackers attacked the secure networks of several law firms and computers of the Government of Canada’s Finance Department and Treasury Board.
August 2008 – Hackers were able to gain access to the operational controls of a pipeline where they were able to increase the pressure in the pipeline without setting off alarms resulting in an explosion. Beyond damaging the pipeline, the attack cost millions of dollars and also caused thousands of barrels of oil to spill close to a water aquifer.
2014 – A steel mill was the victim of a phishing attack which allowed attackers to gain access to their office network causing outages of production networks and production machines. The outages ultimately resulted in a blast furnace not being properly shut down causing significant damage to the plant.
2003 – Cyber attackers were able to gain access to the SCADA network of an oil tanker resulting in an 8 hour shutdown.
August 2012 – A large state-owned oil and gas supplier, experienced an attack intended to halt their supply of crude oil and gas which resulted in more than 30,000 hard drives and 2,000 servers being destroyed ultimately forcing I.T. systems to be disconnected from the internet for two weeks.
2014 – Malware was used to gain access to a Ukrainian regional electricity distribution company to gain remote access to SCADA systems and remotely switch substations off, leaving 225,000 without electricity for three hours.

How many similar incidents have occurred, being unreported or not as publicly visible as these? Recently Air Canada had a major computer outage. Was that a squirrel chewing through a wire or a full-on cyber attack?

Ask yourself if you are ready

As your mining company continues to move into the digital world, you must ask:

If an attacker were to disable your business application or a production facility, how long would it take to recover? How much would it cost you? How would you even measure the cost?
How do you ensure your third party vendors’ security standards are appropriate? What would you do if a key supplier or key customer had a data breach that impacted you or hinder their deliveries? How do you mitigate your exposure to such events?
What type and how much sensitive information are you responsible for? If you learned today that your network was compromised, what is your response plan? Who would you call to investigate a data breach? What law firm would you use and do they have breach response experts?

A cyber attack can impact on operations, public perception, legal liability, and corporate trust. This can mirror the legal impact of a tailings dam failure. So are there any mitigations?

Cyber insurance is available

Companies can now consider the growing cyber insurance industry. Traditional insurance indemnifies property, casualty, crime, errors & omissions, and kidnap & ransom events. Cyber insurance adds additional coverage for breaches related to data confidentiality, operations technology malfunctions, network outages, disruption of 3rd parties, deletion or corruption of data, encryption of data, cyber fraud and theft.

While nobody wants to add another cost burden on their business, the gains from digitalization don’t come without pains.

Conclusion

The bottom line is that there is no stopping the digitalization of the mining industry. It is here whether anybody likes it or not. At the same time, there is likely no stopping the growth of cyber crime.

Likely we will hear more hacking stories as miners adopt more of the new technology.

The first line of defense are your security policies and procedures. Bring in an expert for a security audit. As an option, you can contact cyber insurance brokers that have the expertise to help.

Its great to see an executive at the head office operating a scooptram at their underground mine. Its not so great to see some kid in a basement operating that same scooptram (and setting production records).

Open your doors to technology but at the same time keep them locked.

Note: If you would like to get notified when new blogs are posted, then sign up on the KJK mailing list on the website. Otherwise I post notices on LinkedIn, so follow me at: https://www.linkedin.com/in/kenkuchling/.

I fully agreement with this sentiment, although there are some cautions when adopting new technology.

Not everything is positive

The mining industry will see positive impacts from digitalization. Unfortunately more reliance on technology also brings with it significant risks. These risks are related to cyber security.

I recently attended a CIM presentation here in Toronto that focused on cyber security, specifically related to the mining industry. The potential negative impacts to a company can be significant.

Some mining companies already have experienced these negative impacts, albeit in some cases it may not be well publicized. I will highlight some examples later in this blog.

(By the way, I appreciate that the CIM presenter gave me access to the information in his presentation).

Attackers and threats

There are several ways that mining companies can be attacked via technology channels. The attackers could be foreign governments, anti-mining groups, disgruntled employees, or just your average everyday miscreant. There are several avenues as described below.

Hack-tivsm: Where a company website may be defaced and blocked as part of a campaign against the opening of a new operation.

Data Breaches: Security breaches on websites resulting in leaked sensitive data including personal identification, credentials, and investor information.

Industrial Control Attack: Amending software code on major equipment resulting in shutdown or damage.

Business Interruption: Attacking systems so the company must be temporarily disconnected from the internet and forcing replacement of all hard drives and servers.

Dependent Business Interruption: Overwhelming servers in order to degrade cloud services and websites.

Examples

The following are some examples of how different attack approaches have been used with success.

April 2016 – a Canadian gold-mining firm suffered a major data breach when hackers leaked 14.8 GBs of data containing employee personal information and financial data.

May 2015 – a Canadian gold mining company was hacked resulting in 100GBs+ worth of stolen data being released.

May 2013 – a large platinum producer experienced a security breach on their website resulting in leaked sensitive data online including personal data, credentials, and investor information.

February 2015 – A junior mining company was the victim of a cyber scam that resulted in the company paying a $10M deposit into an unknown bank account intended for a sub-contractor.

November 2011 – In an attempt to gain information on bid information about a potential corporate takeover, hackers attacked the secure networks of several law firms and computers of the Government of Canada’s Finance Department and Treasury Board.

2003 – Cyber attackers were able to gain access to the SCADA network of an oil tanker resulting in an 8 hour shutdown.

August 2012 – A large state-owned oil and gas supplier, experienced an attack intended to halt their supply of crude oil and gas which resulted in more than 30,000 hard drives and 2,000 servers being destroyed ultimately forcing I.T. systems to be disconnected from the internet for two weeks.

2014 – Malware was used to gain access to a Ukrainian regional electricity distribution company to gain remote access to SCADA systems and remotely switch substations off, leaving 225,000 without electricity for three hours.

How many similar incidents have occurred, being unreported or not as publicly visible as these? Recently Air Canada had a major computer outage. Was that a squirrel chewing through a wire or a full-on cyber attack?

Ask yourself if you are ready

As your mining company continues to move into the digital world, you must ask:

If an attacker were to disable your business application or a production facility, how long would it take to recover? How much would it cost you? How would you even measure the cost?

How do you ensure your third party vendors’ security standards are appropriate? What would you do if a key supplier or key customer had a data breach that impacted you or hinder their deliveries? How do you mitigate your exposure to such events?

What type and how much sensitive information are you responsible for? If you learned today that your network was compromised, what is your response plan? Who would you call to investigate a data breach? What law firm would you use and do they have breach response experts?

A cyber attack can impact on operations, public perception, legal liability, and corporate trust. This can mirror the legal impact of a tailings dam failure. So are there any mitigations?

Cyber insurance is available

While nobody wants to add another cost burden on their business, the gains from digitalization don’t come without pains.

Conclusion

The bottom line is that there is no stopping the digitalization of the mining industry. It is here whether anybody likes it or not. At the same time, there is likely no stopping the growth of cyber crime.

Likely we will hear more hacking stories as miners adopt more of the new technology.

The first line of defense are your security policies and procedures. Bring in an expert for a security audit. As an option, you can contact cyber insurance brokers that have the expertise to help.

Its great to see an executive at the head office operating a scooptram at their underground mine. Its not so great to see some kid in a basement operating that same scooptram (and setting production records).

Open your doors to technology but at the same time keep them locked.

Note: If you would like to get notified when new blogs are posted, then sign up on the KJK mailing list on the website. Otherwise I post notices on LinkedIn, so follow me at: https://www.linkedin.com/in/kenkuchling/.

Leave a reply