Five imperatives when thinking about cybersecurity in mining

Mining companies are embedding cybersecurity into digital transformation to support secure, sustainable growth and create a strong and resilient supply chain

Over the past five years, the mining and metals industry has undergone a massive digital transformation. From exploration to extraction, advanced technologies like deep automation, robotics and artificial intelligence are improving operational efficiency, enhancing capability, reducing costs and increasing value at all stages of the mining lifecycle to gain a competitive advantage. However, this technology revolution is also exposing companies to new risks that can severely disrupt operations.

It’s no surprise that cyber threats are evolving and escalating at an alarming rate in the mining and metals and other asset-intensive industries. Understanding the current cyber risk landscape and the threats new technologies bring is crucial for planning reliable and resilient operations. From its geopolitical nature to the life-and-death consequences of operation system malfunctions: mining and metals companies are teeming with cyber vulnerabilities. Sophisticated criminals may be ready to hit a company’s reputation, health and safety protocols, environmental stewardship and profitability.

In an age when threats are being unearthed every day, mining companies should account for the following five imperatives when thinking about cybersecurity in their operations to build a cyber risk-based approach that improves business resilience and unlocks the true value of transformation.

1. Understand your risk appetite and tolerance and where your company stands

Risk appetite is the amount of risk an organization is willing to accept to achieve its objectives. Risk tolerance is the acceptable deviation from the organization's risk appetite. More than one third of Canadian organizations haven’t clearly articulated their cybersecurity risk. That’s simply not enough. Defining the cyber risks that are most relevant for your particular organization and building consensus around what level of risk you’ll tolerate is the first step to effective planning.

For the mining and metals industry, a seemingly small disruption — like a hacker shaking up your supply chain or stopping a critical dewatering pump — could have massive, high-profile or even life-altering impacts. You need to know where your risk lies to defend your organization well.

3. Conduct regular scenario planning

Cybersecurity control capabilities are key and must be driven by the need to mitigate risk. Therefore, you need to prioritize risk identification. Developing a risk-based approach allows the company to simulate attack scenarios on IT and OT systems. That will help you understand if there are system vulnerabilities and the severity of those vulnerabilities. This helps determine what controls are required to protect these critical assets.

Based on the risk identification procedure, the company should ask questions such as:

• Do we have the right controls to mitigate the risk?
• Do we have an efficient return on mitigation?
• What is the biggest risk that needs to be mitigated?

4. Make cybersecurity the connective thread between functional capabilities

Redrawing the organizational chart and making cybersecurity the connective thread between functional capabilities doesn’t only make your organization stronger — it can also support efficiency, cut down costs and foster the kind of collaboration that speaks directly to internal and external calls for secure products, services and solutions. 

Risk itself has changed. Findings from the EY Global Information Security Survey show more than 40% of leaders have never been as concerned as they are now about managing cyber threats the business faces. You can’t tackle that increase in disruptive risk without drawing better connections between functional teams.

5. Put a team in place to deal with compliance and regulatory requirements

The overhead of trying to stay on top of different regulatory requirements and standards is the biggest hurdle most Canadian companies face. A large majority (70%) of Canadian executives say navigating regulation will be time consuming and expensive.

Mining is global. Companies need to think bigger than just Canada — to do so effectively and efficiently, dedicated teams will be needed. They can support organizations of the future to stay on top of compliance and regulatory requirements, but also put in place a process to support with what updates they need, where to get them and how they translate to their specific organization.

Cybersecurity must support the mining and metals sector’s technology revolution. This objective should be prioritized and governed by the needs of resilience. Disruptive forces mean companies must understand how much risk they can safely take on, coupled with a dedicated team to keep the organization up to date with compliance and regulatory requirements and support the CISOs to put them in place.

We’re at a defining moment where CISOs can make a difference.