CPECN

Defense in Depths: The mining industry strengthens security

Mike Edwards   


Dangers of the deep include lax cybersecurity.

More than half of the energy and resources participants in Ernst & Young’s latest Global Information Security Survey have experienced a significant cybersecurity incident in the last year. Last fall, for example, the Scottish company Weir, one of the largest mining engineering firms in the world, was hit by a ransomware attack on its IT systems. Although the company did not release details, it did say that the attack did not disrupt orders, but it cost the company £57 million (about $76.4 million).

Ernst & Young attributes much of the widening of the mining attack surface to increased connectivity between Information Technology (IT) and less mature Operational Technology (OT) environments.

“Historically, OT environments were isolated with limited connectivity to external networks beyond the physical site and utilized vendor-specific protocols and proprietary technologies. This often allowed asset owners to adopt a ‘security by obscurity’ approach. However, this approach is no longer viable within modern OT environments as they are highly connected and increasingly leverage infrastructure, protocols and operating systems that are also common within enterprise IT,” writes Paul Mitchell, EY Global Mining & Metals Leader, in the EY report Does Cyber Risk Only Become a Priority Once You’ve Been Attacked?

In a video, EY analyst Mike Rundus discusses the impact of significant investments in autonomous mining technology, including autonomous rail, hauling and drilling, and how mining operations use data from sensors for predictive maintenance, predictive analytics and operations efficiency improvement. Much of this data, he says, is traveling across OT networks that are separate from corporate networks and are about three to four years behind IT networks in cyber maturity.

“Hackers who exploit these paths frequently utilize a number of common weaknesses found within network architecture, legacy industrial technologies, basic access controls and security configurations, maintenance processes, remote staff and third-party access, and security awareness,” Mitchell writes.

Having so many vulnerability points, he says, puts the entire supply chain at risk of operational disruptions and significant health and safety consequences, for example, by interfering with fail-safe systems, physical infrastructure failures and unsafe equipment operations. EY reports that some clients with robust security event monitoring solutions have seen a rapid increase in the number of new attacks on operational systems, including viruses specifically designed to attack these environments.

“The key question that executives and boards need to ask is, do we understand the risk exposure of our operational systems, and are we protected? Are we able to identify and respond to cyber security incidents?” Rundus said.

To help organizations manage their response to cyberattacks, EY suggests adopting a cybersecurity framework for the consistent identification of critical cyber control gaps, threats and actions required to achieve the target risk profile, including the following measures:

  • Identify the real risks: map out critical assets across systems and businesses
  • Prioritize what matters most: assume breaches will occur and improve controls and processes to identify, protect, detect, respond and recover from attacks
  • Govern and monitor performance: regularly assess performance and residual risk position
  • Optimize investments: accept manageable risks where budget is not available
  • Enable business performance: make security everyone’s responsibility

Deeper protection

One advantage of being in the early stages of digital transformation is that there is more opportunity to deploy modern control functionality with built-in cyber security, reducing the need to bolt cyber security appliances on after the fact. All Bedrock Automation controls, for example, come with cyber security built-in and encased in all-metal, tamperproof modules with extreme hardening to temperature, vibration, and electrical transients common in mining operations.

This article is from a blog by Robert Bergman at Bedrock Automation. To drill deeper into Open Secure Automation (OSA) control and power technology ideal for mining applications, watch the video of the company’s new OSA Solutions Lab.

