Does cyber risk only become a priority once you’ve been attacked?

Cyber threats are evolving and escalating at an especially alarming rate for asset-intensive industries such as mining and metals.

Cyber threats are growing at an exponential rate globally with more than half of energy and resources participants in EY’s latest Global Information Security Survey having experienced a significant cybersecurity incident in the last year.

Today, all mining organizations are digital by default — in an increasingly connected world, the digital landscape is vast, with every asset owned or used by an organization representing another node in the network.

Organizations are increasingly reliant on technology, automation and operations data to drive productivity gains, margin improvement and cost containment goals. At the same time, it has never been more difficult for organizations to understand and secure the digital environment in which they operate, or their interactions with it.

• Every organization’s technology landscape is both bespoke and complex: They span multiple accountable teams for strategic planning, budgeting and support; and encompass multiple networks and infrastructure that may be on-premises, in the cloud or owned and managed by a third party.
• Defining an “organization” is difficult: Blurring the security perimeter further, there has been a proliferation of devices belonging to employees, customers and suppliers (including laptops, tablets, smartphones, edge computing solutions, smart sensors and more) with access to the organization’s systems.
• Increased connectivity between Information Technology (IT) and less mature Operational Technology (OT) environments widens the “attack surface:” A cyber incident has the potential to disrupt production or processing, safety and cost efficiency and have a direct impact on business strategies and goals.

Cyber incidents can be malicious or unintentional. They range from business service interruptions, large-scale data breaches of commercial, personal and customer information, to cyber fraud and ransomware (such as WannaCry and NotPetya) and advanced persistence threat campaigns on strategic targets.

What is the cost of cyber threats?

By 2021, the global cost of cybersecurity breaches is expected to reach US$6 trillion, double the total for 2015¹. The World Economic Forum now rates a large-scale breach of cybersecurity as one of the five most serious risks facing the world today².

There can be significant consequences, as depicted below, should a cyber attack occur within an operational facility or affect operational assets.

The cyber threat landscape is complex and spans IT and OT

Historically, OT environments were isolated with limited connectivity to external networks beyond the physical site, and utilized vendor-specific protocols and proprietary technologies.

This often allowed asset owners to adopt a “security by obscurity” approach. However, this approach is no longer viable within modern OT environments as they are highly connected and increasingly leverage infrastructure, protocols and operating systems that are also common within enterprise IT. As such, vulnerabilities associated with technologies utilized within enterprise IT are often equally applicable for critical OT.

Further threats are also fueled by the prominence of malware that targets OT environments. In December 2015, Ukraine’s power grid was crippled by a cyber attack that utilized malware (BlackEnergy and KillDisk) and targeted OT and industrial control systems. Since this time, the malware has become more commoditized and widely available.

The large number of connected devices across operating environments is also contributing to the growing threat. With increasing investment in digital, reliance on automation systems, remote monitoring of infrastructure for long-term cost efficiency and near real-time decision-making across the value chain, it is the norm for mining and metals companies to have thousands of OT devices connected across geographical environments.

However, the increased connectivity of these devices, and by extension the increased attack surface, means that the physical security of remote mining and metals operations is no longer sufficient.

Additionally, equipment and infrastructure that have traditionally been disconnected (e.g., autonomous drills, trucks and trains) are now integrated to provide greater control of operations.

This combination of events, coupled with system complexity and third-party risks have led to a further expansion of the “attack paths” that may be used in cyber incidents.

For mining and metals organizations, there are four primary “attack paths” that can be used to compromise and impact operations across the value chain (e.g., extraction, processing or refinement, stock management and shipping). Hackers who exploit these paths frequently utilize a number of common weaknesses found within network architecture, legacy industrial technologies, basic access controls and security configurations, maintenance processes, remote staff and third-party access, and security awareness.

As a result, the entire supply chain is now at risk, which is not limited to the potential of causing disruptions to operations, but worse, significant health and safety consequences (e.g., resulting from shutdown or overriding of fail-safe systems, physical failure of infrastructure, equipment operating outside of expected parameters etc.). If these risks are not being effectively identified, tracked and monitored, it is likely that the organization and its employees will be left significantly exposed. Some of our clients with strong security event monitoring solutions are seeing a rapid increase in the number of new attacks on operational systems, including viruses that are specifically designed to attack these environments.

The challenge

Mounting threat levels now require a more robust response. Our 2017 Global Information Security Survey revealed that 53% of energy and resources organizations have increased their spend on cybersecurity over the last 12 months. Cybersecurity budgets are increasing, but are not enough to effectively manage risk, particularly to mission critical OT3. As mining and metals companies continue to move into the digital age, current budgets may not be enough to manage risk, particularly in regard to the growing threat to OT.

Also, too many mining and metals companies are taking an ad hoc approach or acting when it is already too late to manage their risks and vulnerabilities. This approach unnecessarily exposes the enterprise to greater threats.

The responsibility of managing exposure to cybersecurity risks is not one that can be delegated to one or two individuals. Rather, a broad range of individual responsibilities should be brought together to form a single coherent and accessible view of the threat environment.

For example, OT cyber risks may require different technology, engineering, maintenance and process control teams to be responsible and consulted to establish the critical cyber controls and security awareness. However, an accountable owner, such as a Chief Operating Officer or Site General Manager, is needed to drive the change and priority, and sustain ongoing OT cyber risk management.

Being ahead of cyber threats

A step-change in the culture and awareness of the cyber risk within the mining and metals sector is needed to resolve the gaping hole that the “human factor” exposes to cyber resilience and preparedness. The urgency becomes more critical when you accept the ideology that it is no longer “if” but “when.”

Organizations need to apply good risk management principles; and this starts with thinking about the issue such as cyber risk, just like a business risk. Understanding the cyber threat landscape is the first and vital foundation step in the change to improve the cyber maturity. In order to address the step-change needed, mining and metals companies need to have a clear plan that forms part of their digital road map and risk management plan.

The first step is to establish a baseline of basic cyber controls. This baseline, supported by a risk-based approach to prioritize strategic and long-term cyber investment, should be aligned with the organizations’ top cyber threat scenarios.

Four key cyber threats are ever-present within mining and metals organizations that can significantly impact your operations:

1. Enterprise IT and business applications: Threats associated with the global IT network, IT managed services provider, ERP, and key on-premise or cloud-based solutions that enable end user productivity, data storage and compute. Compromises in these systems often lead to “priority one” incidents that need immediate attention and recovery.
2. Treasury, financial and commodity trading: Significant cash disbursements (by value and volume) to JV partners, suppliers, government agencies, inter or intra companies and commodity customers are synonymous with the mining industry. With the rise in CEO-, CFO- and AP-scams and spear-phishing, the occurrence of cyber-enabled crime or fraudulent payments is a real threat.
3. Commercially sensitive and personal data: The increase in data breach notification requirements and the rapid pace of online media reporting has meant that all businesses need to pay greater attention to protect sensitive and personal data. For the mining and metals sector, this often translates to personal information within HR, medical hygiene, HSE and contractor management systems, and commercially-sensitive information on senior end-user devices and cloud-based data repositories.
4. Operational technology: The emerging OT cyber threats are evolving and at the forefront of boards, executives and regulators for asset intensive industries. This typically starts with the mission critical OT systems at operational sites, processing plants, and utilities; followed by key IT and OT networks and systems enabling integrated operations, remote monitoring and control, and production sensitive planning and decision support.

To enable this, organizations should adopt a cybersecurity framework for the consistent identification of critical cyber control gaps, threats and actions required to achieve the target risk profile. We believe that irrespectively of the framework adopted, a risk-based approach should be taken, which is fit for purpose, adopts a balance between “protect” and “react,” and meets the operational requirements of an organization.

The following is a robust cyber threat approach:

Identify the real risks: map out critical assets across systems and businesses

Prioritize what matters most: assume breaches will occur and improve controls and processes to identify, protect, detect, respond and recover from attacks

Govern and monitor performance: regularly assess performance and residual risk position

Optimize investments: accept manageable risks where budget is not available

Enable business performance: make security everyone’s responsibility

Focus on boards

Boards are taking an increasingly active role in addressing the risks that cybersecurity risks posed to their business. There is an increasing demand on management to generate reporting, metrics and insight that provide visibility and assurance over the management of cybersecurity risks.

Most organizations struggle with understanding what to report to the board. This is indicative of the traditional reporting mindset that tends to focus on informing tactical decision-making and reporting on current progress. Instead, board reporting should seek to combine tangible and quantifiable metrics that demonstrate the outcomes resulting from recent key decisions and the performance of the current control environment.

Ultimately, to enable effective decision-making, a successful cybersecurity reporting framework must provide the board with a clear and continuous view of the organization’s current cyber risk exposure.

To encourage this paradigm shift, boards should apply a risk-focused mindset to transform the questions they ask of management.