Organisations in the mining sector face a new and important challenge as they balance the drive for operational and environmental efficiency against the emerging risk of cyber attack.
As production costs increase, mining organisations are looking to minimise costs and maximise flexibility.
This is driving a trend to connect Industrial and Process Control Systems (ICS/PCS) with corporate IT networks.
This results in decreased operational costs through centralised management and control of mining sites and their respective processes.
However, increased connectivity carries an increased opportunity for cyber attack. With criminals, hackers and other powerful interested parties looking to sabotage operations, mining companies are a key target.
Attackers' motives range from commercial or political advantage to direct financial gain (for example, by manipulating markets and commodity prices).
The risks to mining organisations are significant.
They include health and safety hazards for workers, which may lead to loss of life or reduced availability for production; financial impact on the organisation and its shareholders from long periods of downtime; and brand and reputation damage, to name a few.
Previously, ICS/PCS were air-gapped (physically isolated) from ICT systems.
While it is true that there have been a limited number of malicious cyber incidents in operational environments to date, the threats facing the sector are evolving and increasing as these systems are exposed to the wider corporate environment for operational purposes.
It is vital for mining operations to understand the potential risks to their organisation and protect their environments from what could be a major catastrophe to the organisation’s financial position and operational status.
That is not to say that attacks have not already occurred.
For example, in August 2012 there was an attack on RasGas, a Qatari liquefied natural gas producer.
The attackers compromised the company's corporate IT systems using malware called Shamoon. Rather than attempting to steal information, the malware wiped the hard drives of infected machines; the attacker's aim was to disrupt the company's operations.
The Shamoon attack was relatively unsophisticated, and has been widely reported as attributable to a group calling itself the "Cutting Sword of Justice".
However, other more sophisticated attacks have also taken place.
An example is Stuxnet, the computer worm discovered in 2010 that targeted the Natanz uranium enrichment facility in Iran, widely speculated to have been a joint effort by two governments. It was reportedly designed to damage centrifuges by making covert adjustments to the programmable logic controllers driving them, while the operators' displays continued to show normal readings. It has been described as one of the first attacks designed to inflict physical destruction, rather than simply steal information.
It is possible to protect an organisation against these types of attacks without going back to the previous style of operations where ICT and ICS/PCS were completely separate. The benefits of connected ICT and ICS/PCS are many and they include not just the ability to drive down costs and meet demand efficiently, but also to communicate with business stakeholders more transparently and seamlessly.
Reversing this trend would be detrimental to the mining industry’s profit-making abilities.
Instead, organisations should assess the level of risk along with the potential business impact if that risk were to materialise. They can therefore identify the most vulnerable areas and decide where to invest in protection.
When developing the risk assessment, organisations must consider every element including people, process, training and policy as well as technology.
The human factor is important and, while security technology is essential, often it is human error or a policy failure that opens an organisation to attack.
Companies that educate employees about the risks and their role in protecting the organisation are less likely to suffer a breach.
There are four key steps towards effectively protecting mining organisations' systems without jeopardising the business efficiencies gained by connecting ICT and ICS/PCS environments. These are:
1. Understand what targets the attackers may want to compromise, as well as the potential impact of a successful attack. Develop a policy that articulates how to address cyber risks based on priorities. For example, while a particular area may be vulnerable to attack, the business impact of a successful attack may be negligible, so the organisation may decide not to implement specific protection for that area.
2. While IT managers are used to monitoring systems for signs of cyber attack, it is less common for OT managers to do the same, either because the risk is new to them or because monitoring tools, and the way they are managed, differ in OT environments. When a control system malfunctions, the focus is naturally on getting it back up and running as quickly as possible; it should equally be on determining the cause of the malfunction, which may turn out to be malicious.
3. Protecting the systems can present challenges for organisations. The temptation to tighten security can lead to systems becoming difficult to use because of overly onerous security settings. Organisations need to find the middle ground between securing the systems and still allowing them to work in line with business requirements and to integrate well with overall business operations.
4. While risk assessments, skilful monitoring and strong protection are essential, there is still a chance that attackers will penetrate the security measures. It is therefore vital to have a clear incident response capability in place that articulates the process to follow in the event of a cyber incident. This should also include the ability to learn from attacks that occur and to implement new policies, technologies or processes where appropriate to prevent future attacks.
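The monitoring step is described above only in general terms. The following Python script is an added illustration of what monitoring a control network for signs of attack can look like in practice; it is not code from the article or from BAE Systems. It applies three simple rules to constructed controller-command log lines: a write to a controller from a host that is not an engineering workstation, a setpoint written outside the operating envelope, and a firmware upload from an unauthorised host. The log format, the addresses, the tag name and the limits are all assumptions made for the example; in a real deployment the allowlist and limits would come from the risk assessment in step 1, and the alerts would feed the incident response process in step 4.

```python
"""Rule-based monitoring of controller commands on an OT network.

Added illustration; not code from the article or from BAE Systems.
The log format, addresses, tag names and limits are assumptions.
"""
import re
from collections import Counter

# Assumed: the only hosts permitted to write setpoints or push firmware.
ENGINEERING_WORKSTATIONS = {"10.20.0.15"}

# Assumed operating envelope per tag (rpm); in practice taken from the risk assessment.
SETPOINT_LIMITS = {"conveyor_speed": (0.0, 1200.0)}

# Constructed sample log: a corporate-side host (10.10.5.22) starts writing to a PLC,
# pushes a setpoint beyond the envelope, then uploads firmware. Last line is malformed.
SAMPLE_LOG = """\
2024-05-01T02:10:05 src=10.20.0.15 dst=10.30.1.7 op=READ  tag=conveyor_speed value=840
2024-05-01T02:10:41 src=10.20.0.15 dst=10.30.1.7 op=WRITE tag=conveyor_speed value=900
2024-05-01T02:11:03 src=10.10.5.22 dst=10.30.1.7 op=WRITE tag=conveyor_speed value=950
2024-05-01T02:11:09 src=10.10.5.22 dst=10.30.1.7 op=WRITE tag=conveyor_speed value=1800
2024-05-01T02:11:30 src=10.10.5.22 dst=10.30.1.7 op=FIRMWARE action=upload
not a log line
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) op=(?P<op>\S+)(?P<rest>.*)$"
)


def parse_line(line):
    """Return a dict of fields for one log line, or None if it is malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    rest = ev.pop("rest")
    # Remaining fields are key=value pairs; split() tolerates extra spaces.
    for kv in rest.split():
        key, _, value = kv.partition("=")
        ev[key] = value
    return ev


def check_event(ev):
    """Apply the detection rules to one event; return a list of (kind, detail)."""
    alerts = []
    src, op, tag = ev["src"], ev["op"], ev.get("tag")
    if op == "WRITE":
        if src not in ENGINEERING_WORKSTATIONS:
            alerts.append(("unauthorised_write", tag))
        if tag in SETPOINT_LIMITS:
            lo, hi = SETPOINT_LIMITS[tag]
            try:
                value = float(ev.get("value", ""))
            except ValueError:
                alerts.append(("unparseable_value", tag))
            else:
                if not lo <= value <= hi:
                    alerts.append(("setpoint_out_of_range", tag))
    elif op == "FIRMWARE" and src not in ENGINEERING_WORKSTATIONS:
        alerts.append(("unauthorised_firmware", ev.get("action")))
    return alerts


def scan(log_text):
    """Run every line through the rules; return (alerts, number of malformed lines)."""
    alerts, malformed = [], 0
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        if ev is None:
            malformed += 1  # a broken collector is itself worth knowing about
            continue
        for kind, detail in check_event(ev):
            alerts.append({"time": ev["ts"], "src": ev["src"], "dst": ev["dst"],
                           "kind": kind, "detail": detail})
    return alerts, malformed


def alerts_by_source(alerts):
    """Group alerts by originating host: the first thing a responder wants to know."""
    return Counter(a["src"] for a in alerts)


if __name__ == "__main__":
    found, bad = scan(SAMPLE_LOG)
    for a in found:
        print(f"{a['time']} {a['kind']:22} src={a['src']} -> {a['dst']} ({a['detail']})")
    print("malformed lines:", bad, "alerts by source:", dict(alerts_by_source(found)))
```

Run stand-alone, the script reports four alerts, all from 10.10.5.22, which is the host a responder would isolate first. The point of the example is that the rules are cheap and specific to the process: an allowlist of hosts that may write to controllers and a physical envelope per setpoint catch the behaviour in the sample without any signature of a particular malware family. Note that the engineering workstation's own write on the second line raises nothing; if that host is compromised, as in the Stuxnet case above, only the setpoint envelope rule (or a change-management check against a maintenance window) would fire.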
Mining organisations that implement these four steps, while also addressing the inevitable human factor in system security, will be well placed to withstand the expected increase in cyber attacks on ICS/PCS-based systems.
Craig Searle is the head of cyber security, APAC, for BAE Systems Applied Intelligence.