In September, cybersecurity company Secolve released a report looking at how prepared Australian businesses are to face cyber attacks on critical industrial operating systems. Among the report’s findings was that many operations in the Australian mining industry are unprepared for a cyber attack.
“Most organisations tend to avoid assessing the security of their industrial control systems because of the impact it can have on the business in terms of downtime or unavailability of critical systems,” Secolve founder and CEO Laith Shahin said in a statement shared with Industrial Cyber. “But an attack on an OT environment can cause the business catastrophic losses, not just financially but also through potential loss of life. A new Gartner report predicts the financial impact of cyber attacks resulting in fatalities will be more than US$50 billion by 2023. It is far more cost effective for businesses to invest in preventing attacks than dealing with the fallout.”
The report included the results of a survey of more than 2000 Australian risk, compliance and security specialists. The survey found that 78 percent of those responsible for their organization’s industrial control systems were concerned there would be an attack in the next 12 months. Forty-five percent said they were “extremely concerned.”
The report indicates that some organizations in the Australian mining industry are failing to put appropriate measures in place to prevent cyber attacks. Overall, the survey found that just one third of respondents with OT responsibilities said their business had implemented new OT in the last two years. Only 31 percent had used a third party to test their OT security. And one in 10 businesses hadn’t undertaken any reviews or updates in the last two years.
“Industrial OT environments have traditionally been more isolated but with the shift to digitalisation and automation the threat levels are increasing exponentially. The lack of segmentation between IT and OT environments creates additional risks as an attacker can now gain access to OT systems by compromising an IT network,” Shahin said.
Secolve’s report is only the latest to highlight cybersecurity issues in the mining industry. In 2019, Colin Blou, the vice president of global sales for cybersecurity company Claroty, expressed concerns during a roundtable discussion on the mining industry.
“Any business operating within the mining sector needs to ensure that cyber security is baked into any new solution brought into their operation,” Blou said.
In March 2019, Norsk Hydro, one of the largest aluminum producers in the world, was hit by a devastating cyber attack that paralyzed the company’s computer networks. As a result, Norsk Hydro was forced to isolate plants and switch some operations to manual. The attack cost the company an estimated $40 million.
Attacks like these have become more common in the mining industry as digital transformation continues to link OT and IT networks.
“Increasingly in the mining sector, there is a convergence between IT systems and operational technology systems. The two systems are no longer operating in silos, but are integrating with one another. In an ideal world, there would be a complete segregation between OT and IT networks. However, and as we’ve witnessed along the years, this connectivity happens and exists,” Blou said. “The bottom line is the mining sector cannot allow itself to be disconnected, so each player needs to decide how to do it in a secure way.”
Earlier this month, professional services firm PricewaterhouseCoopers released a report looking at the overall state of the mining industry. The report includes the results of a survey of the top 40 mining companies around the globe.
According to the report, only 12 percent of mining and metals company CEOs are extremely concerned about cyber. That’s a decrease from 21 percent in 2018 and 14 percent in 2019. However, the number of reported cyber breaches among mining companies has increased fourfold.
“Cybersecurity should be an integral part of the Top 40’s safety and business strategies. Miners should take the opportunity, given their relative resilience, to leverage their strong safety cultures to embed the concept of ‘cyber safety’, which like other forms of safety, is non-negotiable,” Jock O’Callaghan, global leader for mining and metals at PwC, said in a press release.
According to the report, the cost of dealing with a cyber attack is substantial. In the United States, the average bottom-line impact of a single cyber attack is $8 million while the global average is $4 million. Worldwide, the cost of cyber crime is now $608 billion, representing almost 1 percent of global GDP.
“For mining organisations, the cost can be even greater given the legacy nature of many OT systems,” the report says. “It is not straightforward to remediate OT systems, not only due to limited maintenance windows but also because these systems are often no longer supported by vendors. Trying to alter legacy systems can often carry far greater risk.”
According to the report, in 2018, a petrochemical plant in Saudi Arabia was hit by a cyber attack that infiltrated its operating systems in an attempt to trigger an explosion. While the attack was unsuccessful, the recovery took months and was only one in a string of cyber attacks targeting the country’s petrochemical industry at the time.
“Mining companies are renowned for putting safety at the heart of everything they do,” the report says. “But with the growing risks associated with mining automation, cybersecurity also needs to be a core aspect of safety. Miners can leverage their strong safety cultures to embed the concept of ‘cyber safety,’ which like other forms of safety, is non-negotiable.”
PwC also looked at the impact the COVID-19 pandemic has had on the mining industry.
“The COVID-19 crisis has tested many miners’ ability to rapidly provide remote working solutions that are secure and resilient to cyber threats,” the report says. “How can we learn from this experience to scale more effectively for the future? Like many industries, mining continually faces the threat of increased phishing emails, both directly and through third-party suppliers. But the pandemic has heightened this risk as attackers seek to take advantage of vulnerable businesses and more isolated workforces. COVID-19 has highlighted the issue of resilience from a digital and technology standpoint. Cybersecurity needs to be an integral part of that discussion.”