Home Breadcrumb caret News Breadcrumb caret Risk Data Mining As mining and metals firms connect more operational systems to computer networks, their vulnerability to hacking tends to increase. Yet most metals and mining firms surveyed have no formal program to detect information security breaches. July 31, 2015 | Last updated on October 1, 2024 5 min read Bruce Sprague, Mining & Metals Leader, EY Canada|Abhay Raman, Cyber Risk Leader, EY Canada Everyone has heard stories and read news about cyber hacking in financial services, retail and government. But as cyber hacking has become more widespread and sophisticated, cyber attacks are now a common issue across sectors regardless of focus, size or scale. In fact, for the first time, cyber security ranks in the top 10 of EY’s Business risks facing mining and metals 2015-2016. And in a separate company survey – Global Information Security Survey 2013 – 41% of respondents from mining and metals companies reported they had seen an increase in external threats, while 28% reported they saw an increase in internal vulnerabilities. That survey, conducted in June and July of 2013, was based on a questionnaire distributed to 1,900 professionals. Respondents included chief information officers, chief information security officers, chief financial officers and chief executive officers in different industries worldwide. Thirty-nine respondents were from mining and metals firms. There are several reasons cyber security was one of the Top 10 risks. For one, mining and metals operational functions have not traditionally been connected to information technology (IT) networks. Operational technology (OT), in the context of metals and mining, refers to the systems that support operations and distribution – including smelting, embedded systems and remotely-operated machinery. In the past, IT security risk was not such a mainstream issue. However, many mining and metals companies have been investing heavily in new technology to manage and run their networks centrally, in a bid to improve production and operations, automate their supply chain, reduce costs, improve maintenance and streamline data flow. NETWORKED SYSTEMS There is also a trend of connecting OT systems to Internet Protocol (IP) networks, connecting to services which, in turn, are connected to the public Internet. This helps improve management and usability. These networks also allow staff to manage devices and OT systems from remote locations. Once hackers compromise the premises – unless there are adequate network access controls – they could also compromise OT and IT systems within a mining environment. Advancements in big data, mobile computing and the Internet of Things have enabled exciting opportunities in OT to improve safety, sustainability and productivity. However, at the same time, they have exposed mining and metals businesses of all sizes to increased threats of cyber hacking. This convergence of IT and OT systems has made access to these systems easier. As a result, the implications of misuse have become more severe. At the same time, mining and metals companies have historically underinvested in security, and security budgets are often static, despite increasing cyber threats. With total budgets remaining flat in recent years, competing priorities and budget constraints mean mining and metals companies are addressing only the top one or two priority areas each year. Interestingly, an EY survey showed that the majority of current spend is being allocated simply to maintain existing security capabilities. Of course, while maintaining a basic level of security capability is important, it does not enable companies to proactively combat the evolving cyber threat landscape. Unfortunately, this means the likelihood of compromised cyber security is on the rise. Finally, there is a growing body of evidence suggesting the majority of large organizations have been breached and either have threat actors operating undetected within their environments or have failed to identify the breach when it occurred. CONFIDENTIAL DATA Not all cyber attacks are for financial gain. Hackers can be groups seeking to serve their own purpose. Being a victim of any form of attack can cost a mining and metals company millions of dollars in lost production, create health and safety issues on site, or cause massive reputational damage by leak of confidential or stakeholder-unfriendly information. Despite these risks, 62% of respondents to the global information security survey reported their firms do not have a breach detection program or do not have a formal process to respond to breaches. Unfortunately, this limits their ability to proactively identify and manage cyber risks that threaten the availability and confidentiality of corporate, operational, personnel and customer information. Considering it takes, on average, 200 days to discover that a cyber attack has been perpetrated within a company, a robust cyber threat intelligence program can help collect intelligence information that is relevant to the business in order to assess the threat level and drive appropriate strategic and tactical counter-measures. The approach to cyber security should be driven from the top down, and companies should focus their efforts to complicate attacks, detect malicious activity, respond to threats and educate the organization to keep operations in sync with business imperatives. And it is not just about systems – an approach that includes threat and risk-based implementation of people, processes and technology capabilities to develop a resilient cyber security environment is critical. For mining and metals companies, marketing systems, reserve data and mergers and acquisitions (M&A) data are key areas to secure. For example, as mining and metals companies begin to operate their own trading systems, the risk of strategic manipulation of trading models becomes more prominent. This can result in missed trading opportunities, so securing these systems is key. In addition, access to reserve data can result in loss of trading advantage, as cyber hackers could use the data to drive prices up or down. This can also have a broader market impact on commodity markets if leaked. And, leaked M&A data could result in counter-trading positions and allegations of insider dealing leading to regulatory investigation. Understanding what information about a company is out there, whether on the Internet, in news groups or other arenas, provide actionable intelligence, and monitoring this information provides a view into the efficacy of security awareness programs as well. In many cases, for mining and metals companies, investment in people, processes and culture are as important as the investment in the technology. Mining and metals companies need to ensure that their teams can bridge the gaps between IT/OT, bearing in mind that they may need to re-skill their existing teams to the heightened risk, and that there are limited IT security practitioners with exposure/experience with OT platforms. MOBILE RISK While connectivity from remote mine sites to corporate offices is key to keeping in contact with the remote workforce, many mobile devices are not governed by their respective corporate security policies. They do not offer strong security protection mechanisms and are built for ease of access and use as opposed to being secure, and, hence, offer another gateway for cyber attack. The reality is that the easier it is for employees to access IT, the easier it is for hackers. The most effective way to compromise a system is still through the person who accesses it. As mining and metals companies continue to digitize their operations, they need to focus on reducing and controlling the number of Internet gateways to reduce the risk of cyber attack. The high value of transactions in the mining and metals sector, even for smaller operators, makes the sector a greater target for cyber criminals. And now, with the sector in the midst of a “super correction” to the super-cycle, moving beyond point productivity solutions, and adopting end-to-end solutions that have the potential to transform the sector – companies are also opening themselves up to new cyber security risks. To stay on the right track, they must heed this risk and put in place proper checks and balances to detect – and deal with – cyber risks. Save Stroke 1 Print Group 8 Share LI logo