Cyber hacking and information security in mining
Cyber hacking and the breach of information systems security are emerging as one of the top risks to the mining and metals sector. The threats are real and on the rise.
In fact, our Global Information Security Survey 2013 found that 41% of the mining and metals respondents experienced an increase in external threats over the past 12 months, with 28% experiencing an increase in internal vulnerabilities over the same period.
Criminals are attracted to the sector because of the massive cash flows on investment. They understand the increasing dependence of mining and metals on technology, and are actively looking for ways to deny access to data, processes and equipment.
4 reasons for the increase in cyber hacking
1. Centralized functions make easier targets
As a result of increasing cost rationalization, many business functions are being centralized across the supply chain. This has translated into the need for a more sophisticated IT system and network infrastructure to connect the geographically diverse workforce, increasing an organization’s exposure to, and dependency on, the internet.
With the trend toward remote operation to improve cost efficiency, there is a convergence of IT and OT (operations technology). This gives cyber hackers an access path from the internet to the operational systems. OT systems are inherently less secure, as many older systems were not designed with security in mind.
2. Government-led cyber attacks
Intelligence agencies and the military of sovereign states, and their funded unofficial affiliates, have become increasingly active in cyber warfare. Their enormous capabilities are being directed at economic warfare and espionage to target key industries, posing a real threat to mining and metals organizations.
The objective may be the passive collection of commercially sensitive intelligence to assist national or state-owned companies in contract negotiations. However, the objective may be more sinister, with the use of malware to incapacitate important facilities (made infamous by the Stuxnet attack on the Iranian nuclear facilities).
3. The rise of the informal activists
In trying to maintain their social license to operate, mining and metals companies endeavor to meet as many stakeholder demands as they can, but invariably cannot meet them all. Some more militant and extreme activists with unsatisfied demands can turn to hacking. They may disrupt mining and metals companies’ activities, expose confidential information and create communications mischief, such as defacing websites or triggering false announcements.
Hacktivists’ use of cyber hacking to pursue a political agenda is a real risk in today’s operating environment.
4. Formal security programs not widely deployed
Surprisingly, 44% of the mining and metals survey respondents indicated that their organizations do not have a threat intelligence program in place and 38% have only an informal one in place. This leaves them completely unprepared to identify a cyber hacking or an information security threat.
It also means these organizations would not benefit from early warning of, or preparation for, a breach, potentially increasing its impact.
Addressing the threats head on
The effectiveness of information security is important, and with only a small percentage of mining and metals respondents (18%) seeing that it fully meets the organization’s needs, there is a long way to go in protecting organizations from these threats.
There is usually not an organization-wide risk management approach to these threats. Often, it is viewed as an information systems security issue, and therefore the threat is narrowly defined and not widely embraced.
A top-down approach needs to be taken to these threats in order for countermeasures to be taken effectively. The executive level needs to understand and address this issue to secure both the budget and the buy-in needed to ensure information and operational security.
Steps to combat cyber hacking and bolster information security
- Making information security a board-level and senior management priority
- Developing an integrated strategy around corporate objectives, and considering the whole risk landscape
- Using data analytics to test the risk landscape and better understand the data/systems you need to protect the most
- Identifying the potential interest groups who would benefit from access to your organization’s systems and information
- Assessing the current systems and understanding their vulnerabilities and where a breach could likely occur
- Understanding the laws and regulations that help protect your organization from a cyber attack and building a relationship with the agencies that enforce them
- Creating a cyber threat or attack response protocol
- Using a three- to five-year horizon for budgeting to enable long-term planning
- Creating a working team across the organization that includes senior management, risk advisors and information systems
- Ensuring accessibility to data across all the organization’s systems
- Using data analytics to identify potential threats or a pattern of attacks
- Conducting attack and penetration tests more frequently
- Innovate, innovate, innovate
Figure: Which threats* and vulnerabilities** have most increased your risk exposure over the last 12 months? (chart data not reproduced here)
* Threat is defined as a stated intent to inflict hostile action by actors in the external environment.
** Vulnerability is defined as the state in which exposure to the possibility of being attacked or harmed exists.
Source: Global Information Security Survey 2013–2014, EY, 2013.