Does cyber risk only become a priority once you’ve been attacked?

By Paul Mitchell

EY Global Mining & Metals Leader

Experienced mining and metals leader. Contributing insightful points of view to the market around productivity and digital.

9 minute read 8 Mar 2022

Cyber threats are evolving and escalating at an especially alarming rate for asset-intensive industries such as mining and metals (M&M).

Cyber threats are growing at an exponential rate globally. According to the latest EY Global Information Security Survey (GISS), 71% of mining respondents have seen an increase in the number of disruptive attacks over the past 12 months and 55% of M&M executives are worried about their ability to manage a threat.

Today, all mining organizations are digital by default — in an increasingly connected world, the digital landscape is vast, with every asset owned or used by an organization representing another node in the network.

Organizations are increasingly reliant on technology, automation and operations data to drive productivity gains, margin improvement and cost containment goals. At the same time, it has never been more difficult for organizations to understand and secure the digital environment in which they operate, or their interactions with it.

  • Every organization’s technology landscape is both bespoke and complex: It spans multiple accountable teams for strategic planning, budgeting and support, as well as encompasses multiple networks and infrastructure that may be on-premises, in the cloud, or owned and managed by a third party.
  • Defining an “organization” is difficult: Blurring the security perimeter further, there has been a proliferation of devices belonging to employees, customers and suppliers (including laptops, tablets, smartphones, edge computing solutions, smart sensors and more) with access to the organization’s systems.
  • Increased connectivity between information technology (IT) and less mature operational technology (OT) environments widens the “attack surface:” A cyber incident has the potential to disrupt production or processing, safety and cost efficiency and have a direct impact on business strategies and goals.

Cyber incidents can be malicious or unintentional. They range from business service interruptions and large-scale data breaches of commercial, personal and customer information, to cyber fraud, ransomware (such as WannaCry, NotPetya and REvil) and advanced persistence threat campaigns on strategic targets.

What is the cost of cyber threats?

Cybersecurity Ventures expects global cybercrime costs to grow by 15% per year over the next five years, reaching US$10.5 trillion annually by 2025, up from US$3 trillion in 2015.1

There can be significant consequences, as depicted below, should a cyber attack occur within an operational facility or affect operational assets.

The cost of a cyber attack

The cyber threat landscape is complex and spans IT and OT

One challenge is that the sector has embarked on a massive digital transformation journey in recent years, with M&M companies connecting their IT with OT to modernize infrastructure and control their supply chains and operations more effectively. Digital transformation creates powerful new opportunities but, as the different environments merge, the attack surface area increases. This is causing a lot of stress. OT systems have started using cloud services, and adoption will accelerate quickly over the next five years, which will open up more cybersecurity challenges.

Threat actors have started targeting the M&M sector with ever-greater frequency: there have been a number of major cyber incidents over the past 18 months, including those affecting Norsk Hydro and BlueScope Steel. These events had a significant impact on operations through outages and the associated financial impact, making the potential ramifications of a threat clear.

The large number of connected devices across operating environments is also contributing to the growing threat. With increasing investment in digital, reliance on automation systems, remote monitoring of infrastructure for long-term cost efficiency and near real-time decision-making across the value chain, it is the norm for M&M companies to have thousands of OT devices connected across geographical environments. 

However, the increased connectivity of these devices, and by extension the increased attack surface, means that the physical security of remote M&M operations is no longer sufficient.

Additionally, equipment and infrastructure that have traditionally been disconnected (e.g., autonomous drills, trucks and trains) are now integrated to provide greater control of operations. This combination of events, coupled with system complexity and third-party risks, has led to a further expansion of the “attack paths” that may be used in cyber incidents.

For M&M organizations, there are four primary “attack paths” that can be used to compromise and impact operations across the value chain (e.g., extraction, processing or refinement, stock management and shipping). Hackers who exploit these paths frequently utilize a number of common weaknesses found within network architecture, legacy industrial technologies, basic access controls and security configurations, maintenance processes, remote staff and third-party access, and security awareness.

As a result, the entire supply chain is now at risk, which is not limited to the potential of causing disruptions to operations, but worse, significant health and safety consequences (resulting from shutdown or overriding of fail-safe systems, physical failure of infrastructure, equipment operating outside of expected parameters, etc.). If these risks are not being effectively identified, tracked and monitored, it is likely that the organization and its employees will be left significantly exposed. Some of our clients with strong security event monitoring solutions are seeing a rapid increase in the number of new attacks on operational systems, including viruses that are specifically designed to attack these environments.

The challenge

The research suggests that cybersecurity funding has not kept up with the growing risk. Half of the GISS respondents say budgets are lower than needed to deal with existing cyber-related challenges, and more than 45% think it’s just a matter of time before there is a breach that could have been avoided with adequate funding. This proportion is higher in M&M than in the other sectors surveyed where, on average, 36% of leaders believe that underfunding is making a breach inevitable.

In addition, regulatory fragmentation is causing additional work and resourcing problems. Sixty-seven percent believe that regulation will become more fragmented and therefore more time consuming to manage in the years to come, which is 10% more than other sectors. In addition, 71% of those surveyed believe that the COVID-19 pandemic and the rapid change to working practices has increased the risk of noncompliance, which is significantly more than in other sectors.

Strong connections between CISO and other departments are needed to influence security by design. Yet it appears that the cyber function within mining companies has a good or strong relationship with IT and risk functions; however, it lacks the confidence and trust of other functions.

Being ahead of cyber threats

A step change in the culture and awareness of cyber risk within the M&M sector is needed to resolve the gaping hole that the “human factor” exposes to cyber resilience and preparedness. The urgency becomes more critical when the ideology that it is no longer “if” but “when” is accepted.

Organizations need to apply good risk management principles, which starts with thinking about the issue, such as cyber risk, just like a business risk. Understanding the cyber threat landscape is the first and vital foundational step in the change to improve cyber maturity. To address this, M&M companies need to have a clear plan that forms part of their digital road map and risk management plan.

The first step is to establish a baseline of basic cyber controls. This baseline, supported by a risk-based approach to prioritize strategic and long-term cyber investment, should be aligned with each organization’s top cyber threat scenarios.

Organizations should adopt a cybersecurity framework for the consistent identification of critical cyber control gaps, threats and actions required to achieve the target risk profile. We believe that irrespectively of the framework adopted, a risk-based approach should be taken that is fit for purpose, adopts a balance between “protect” and “react,” and meets the operational requirements of an organization.

The following is a robust cyber threat approach:

  • Identify the real risks: map out critical assets across systems and businesses
  • Prioritize what matters most: assume breaches will occur, and improve controls and processes to identify, protect, detect, respond and recover from attacks
  • Govern and monitor performance: regularly assess performance and residual risk position
  • Enhance investments: accept manageable risks where the budget is not available
  • Enable business performance: make security everyone’s responsibility
Cybersecurity failure is one of the risks that worsened the most through COVID-19.
WEF Global Risk Report 2022

Focus on boards

Boards are taking an increasingly active role in addressing cybersecurity risks posed to their businesses. There is an increasing demand on management to generate reporting, metrics and insight that provide visibility and assurance over the management of cybersecurity risks.

Most organizations struggle with understanding what to report to the board. This is indicative of the traditional reporting mindset that tends to focus on informing tactical decision-making and reporting on current progress. Instead, board reporting should seek to combine tangible and quantifiable metrics that demonstrate the outcomes resulting from recent key decisions and the performance of the current control environment.

Ultimately, to enable effective decision-making, a successful cybersecurity reporting framework must provide the board with a clear and continuous view of the organization’s current cyber risk exposure.

To encourage this paradigm shift, boards should apply a risk-focused mindset to transform the questions they ask of management.

Call to action for CISOs

  • Firstly, start to prepare for a “modern” enterprise-wide security architecture, as the next five years will inevitably see significant shifts in technology and data; especially as there is accelerated adoption of cloud, analytics and automation across the sector, as well as disruptive innovation to achieve decarbonization targets
  • Raise the profile of cyber as a strategic imperative to deal with potential business interruption, safety and financial impact due to the rise of financial cybercrime (ransomware as a service), critical infrastructure protection (regulatory) and changes to ways of working
  • Communicate using the enterprise risk framework to help build trust and enable a common language, and consider linking OT cybersecurity to safety or financial value to help articulate the risk
  • Seek opportunities to reset cybersecurity foundations, such as identity and access management and zero trust security architecture, as part of broader ERP modernization and digital transformation programs
  • Develop and implement better governance: through standardizing cyber, by applying control assurance practices. These will confirm the coverage and effectiveness of the collective cyber controls and manage the key cyber risk scenarios

Global mining and metals top 10 business risks and opportunities - 2022

Read our annual survey highlighting the latest risks and opportunities for mining and metals companies.

Learn more

Summary

Cyber risk can be the downfall of a mining and metals organization’s productivity gains and digital aspirations. And the cost of these attacks is climbing steeply. According to the latest EY Global Information Security Survey (GISS), 71% of the respondents have seen an increase in the number of disruptive attacks over the past 12 months.

About this article

By Paul Mitchell

EY Global Mining & Metals Leader

Experienced mining and metals leader. Contributing insightful points of view to the market around productivity and digital.