
An integrated approach to combat cyber risk | Foreword

An integrated approach to combat cyber risk: Securing industrial operations in mining

February 2019



Contents

Foreword
Introduction
Understanding the risks
Conduct a maturity assessment
Build a unified programme
Implement key controls
Embrace good governance
Expand the conversation
Conclusion
Contacts
End Notes



Foreword

Although numerous consumer companies have been thrust into the spotlight due to data breaches, the alarm bell has been slow to sound within the mining sector. For years, mining organisations largely had a false sense of security, believing they could operate under the radar of cyber criminals who had more lucrative targets to pursue. Why would malicious actors hack a mining operation when they could attack a consumer organisation that moves financial data? Today, that reasoning has become as faulty as a patch on decades-old software.

The mining industry is moving into its next stage of evolution, which is sometimes referred to as "intelligent mining." As detailed in the recent Deloitte report, Intelligent Mining: Delivering real value, this entails - in addition to broader organisational change - rapidly integrating robotics, automation and the Internet of Things (IoT) into the operational environment.1 At the same time, the interest of cyber criminals in industrial operations has increased over the last decade, while the motives for their actions have become more diffuse. Malicious hacking, attacks, electronic fraud, data leaks and corporate espionage have become prevalent worldwide. These illicit activities are often driven by financial, political or competitive objectives - or merely by the desire to cause disruption.

The combination of greater connectivity and proliferating threat vectors has already resulted in cyber-attacks that have compromised both production and safety.

These attacks have made cyber security a hot discussion topic within boardrooms around the globe, and a growing number of organisations are now developing transformation programmes to address these new operational threats.

However, making operational processes secure, vigilant and resilient is a challenge. For example, deploying the organisation's existing cyber capabilities within the operations environment requires harmonising two cultures, which is difficult. In addition, the operations environment demands continuous availability, along with tailored technical solutions that are not always easy to secure.

Solving these challenges requires a good understanding of both engineering and information technology (IT) disciplines as well as leading, sector-specific cyber security practices. This paper shares the understanding we have collected from our field experience, including lessons learned in helping mining companies to go beyond safety in securing their industrial control systems (ICS).



Introduction

Critical infrastructure relies on ICS to maintain safe and reliable operations. Engineers have successfully designed and deployed ICS with safety and reliability in mind, but not always security. Why? Originally, there was little need for it. Fit-for-purpose, isolated operational systems were the order of the day. Since these operational systems were not integrated with enterprise systems or even with each other, the risk of a large-scale cascading failure due to an attack - cyber or otherwise - was extremely remote.

Fast forward 20 years, and digitisation and IoT have turned the most basic assumptions about operational security upside down. Today, all sorts of industrial facilities, including mine sites, mineral processing plants and remote operations centres, are vulnerable to cyber-attacks. These vulnerabilities span critical electrical infrastructure, connected distributed control systems, programmable logic controllers (PLCs), supply chain partners and more. Even a shaft mine with little internet connectivity underground is vulnerable to cyber-attacks on the above-ground electrical system, which could put the mine's ventilation system at risk. Even more disconcerting, mitigating this type of cyber threat may be completely outside of the company's control if the mine is reliant on the broader electricity grid rather than on its own distributed energy resources, such as solar panels or diesel generator sets.

Across multiple vectors, operational systems can now be compromised by external or internal bad actors, causing safety or production failures and increasing commercial risk. Although ICS are typically designed to fail safe, the increasing sophistication of cyber criminals heightens the risk of catastrophic incidents, along with the magnitude of the impacts in terms of cost, safety, reputation and commercial or financial losses.

As mining companies begin to grapple with the implications of an inter-connected operational environment, their corporate back-office systems are simultaneously coming under fire. Nation states, local activist groups and even competitors have shown a keen interest in stealing intellectual property and proprietary information, such as exploration data, company valuations and other information pertaining to mergers and acquisitions. Often the goal is to gain an edge in negotiations or to influence business dynamics.



Threats such as these have made cyber security a top concern among senior leadership and boards of directors, and like other industries, the Energy, Resources and Industrials (ER&I) industry has been working to shore up its cyber defences. Such incidents inspired a group of Canadian mining companies to start the Mining and Metals Information Sharing and Analysis Centre (MM-ISAC).2 Launched in April 2017, the non-profit, industry-owned Centre is open to all companies in the mining and metals industry.3 It allows member companies to share critical cyber security information through secure channels, enabling them to benefit from this intelligence at a reasonable cost. Importantly, the Centre hints at the type of information sharing and resource pooling that could help the sector combat cyber threats more effectively, similar to the collective approach taken by the financial sector.

While the mining industry has suffered data breaches and loss of intellectual property, it has escaped a major operational catastrophe thus far. However, this good fortune may not last unless mining companies expand their cyber security programmes to protect operational as well as back-office systems and embrace the new level of intra-industry collaboration required to stay ahead of the rapidly evolving threat landscape.

At a minimum, companies will need to think more broadly about what cyber security entails. To date, mining companies have been primarily focused on protecting corporate, as opposed to operational, systems and data. That is because the IoT – where production can be controlled from an iPad or a smart phone, for instance – is relatively new, gaining momentum over the last decade, and because operational systems are inherently different, requiring engineering expertise, in addition to IT expertise, in order to secure them appropriately.

Today, an approach is needed that brings together IT and engineering to address cyber security programmatically and sustainably. The following discusses the goals of such an approach as well as practical steps for getting started. But first, let us take a closer look at the types of cyber risks facing the mining sector, how they can disrupt the value chain and what the consequences could be.



Figure 1



Understanding the risks

One of the main factors that makes it so difficult to secure ICS is that they were not designed to be connected, yet today they are networked. Digitisation of operational processes in the mining industry has led to new opportunities to improve productivity and to drive down costs. However, the convergence of operational and business systems has also opened up the enterprise to a completely new array of cyber risks. Consider the following scenarios, the possibility of which did not even exist a few years ago:

• Lack of authentication in wireless communications allows a cyber-criminal to hijack an autonomous hauling system, halting the movement of materials, damaging costly equipment and putting people's lives at risk.
• Poor security practices by a third-party contractor allow a virus to migrate into the production environment, shutting down critical Supervisory Control and Data Acquisition (SCADA) systems and creating unsafe working conditions.
• Insufficient employee training about how to recognise spear phishing and social engineering attempts enables a competitor to circumvent the organisation's security protocols and steal sensitive pricing data.
• Weaknesses within the supply chain allow ICS equipment to be intercepted and malware installed prior to delivery at a mining site. Improper testing of the components prior to deployment then allows the virus to proliferate undetected, resulting in a system crash, leading to disruption or shutdown of operations. This is indeed how the notorious Stuxnet virus is believed to have been introduced into Iran's nuclear infrastructure.5
• A commodity IT solution with open design protocols allows members of an adversarial community to gain remote access to PLCs, thus giving them the ability to disrupt the production process at will.



As these examples illustrate, cyber threats can come from many directions, including internal actors aiming to sabotage production, competitors seeking to cause brand damage and external parties, such as activist groups, wanting to shut down operations.

However, not all vulnerabilities stem from the technologies themselves. Diverse locations, coupled with the decentralised structure of many companies, and mine types also pose a challenge. For instance, it is common for a mining organisation to be running 10 different versions of an industrial control system across 10 different mines, each having greater or lesser degrees of internet connectivity. In this type of environment, it is not uncommon for the corporate Chief Information Security Officer (CISO) to have little control over site-specific security procedures.

Behavioural aspects additionally come into play. For instance, a lack of security awareness within the organisation can sometimes inadvertently expose systems to cyber-attacks, such as when employees bring portable media that is infected with malware into the environment.

Furthermore, many operations employees simply believe that their systems are an unlikely target, so they are reluctant to buy into the need to change their behaviours and implement new security protocols. After all, not long ago they could safely assume that all equipment components were trustworthy, which is no longer the case since digital sensors and controllers can be manipulated to provide false input and misleading status information. Another outdated assumption is that process failures are mainly caused by weather conditions, human error and equipment fatigue and not necessarily by malicious manipulation of the system by those intending to inflict harm.

Whether a cyber-breach is intentional or unintentional, the consequences can be grave, ranging from compromising confidential data to triggering system failure or shutdown. This can result in decreased revenue, reputational damage, environmental disaster, legal penalties and, in extreme cases, loss of life.

It is easy to see why integrating effective and comprehensive cyber security controls into ICS is necessary, if not increasingly mandatory. However, to get there, companies must find a way to reconcile the divergent points of view of IT and operations: ICS specialists do not always fully understand modern IT security risks, just as IT security specialists often do not completely comprehend the industrial processes supported by ICS. In our experience, a bowtie analysis, a common concept used in engineering for failure mode analysis, can be a useful tool for bridging this gap. While any analysis will be company-specific, Figure 2 provides an example of how the "bowtie" might look for a mining company.



Figure 2

Source: Information adapted from Talbot, J. and Jakeman, M., 2008, 'Security Risk Management Body of Knowledge', RMIA, Carlton South.



Conduct a maturity assessment

Once the risks are understood, a mining company should assess the maturity of its cyber security controls not only in a corporate context but also in an operational environment. While not every risk can be mitigated, it is important to know what type of controls are in place and where to focus improvement efforts. This means giving appropriate consideration to how potential security breaches within ICS link to business risks. Importantly, an engineering or IT group on its own cannot do this: it requires a multi-disciplinary team of business, operations, engineering and IT security professionals to:

• Record assets and facilities and rank them in terms of criticality. This can involve asking questions such as: Are there factors that make a certain mine site or processing plant a particularly attractive target? Are corporate IT standards, governance and monitoring processes being applied to all ICS assets? Has the full range of cyber vulnerabilities been considered, and have the potential consequences been identified and ideally quantified?
• Determine if critical assets and facilities have well-known and exploitable vulnerabilities. In the mining industry, these vulnerabilities differ somewhat according to where they fall within the value chain. For instance, corporate offices are commonly exposed to theft of proprietary exploration data, such as geophysical surveys, ore-body composition reports, feasibility studies and strategic planning information - all of which can jeopardise competitive positioning. Back-office systems are also vulnerable to theft of sensitive data related to executive decision-making, payroll, company valuations, joint ventures, M&A and pricing, which can weaken negotiations with governments and their constituents. Mine sites and processing plants, on the other hand, are vulnerable to the malicious manipulation of supervisory control and data acquisition (SCADA) and other operational systems; production shutdowns due to virus infections; and loss of communication to workers and remote operation centres.



Here, the consequences are more physical, potentially resulting in unsafe working conditions, environmental damage and production downtime, which in turn could lead to human and financial loss and ultimately jeopardise the company's social licence to operate. Similarly, cyber risks for remote operations centres also have both physical and financial implications, such as unsafe conditions within the mines, disruption to materials movement and communication, and improper handling of chemicals or other hazardous materials. This could result in revenue loss, brand damage, and regulatory and compliance violations.
• Assess the maturity of the controls environment for proactively managing these threats. In gauging the sophistication of governance and controls, it is often helpful to use an established framework such as the Deloitte cyber security maturity model, which is presented in Figure 3. In performing maturity assessments for a broad range of energy and resources companies, we have observed that the maturity of the mining industry as a whole is about 2.5 on this scale, whereas the recommended position is greater than 4.

Throughout the maturity assessment process, it is important to understand the difference between the security considerations for business systems and those for industrial control systems. In today's integrated environment, IT security standards and processes must be capable of addressing both back-office systems and ICS in a manner that neither affects the performance of current systems nor interferes with existing mechanisms for protecting safety and reliability.



Figure 3



Build a unified programme

For over 50 years, safety was the primary motivation behind designing and deploying controls for physical production processes. While this motivation is still there – keeping processes in a safe and operational state – the landscape of potential disruptions now encompasses the cyber domain. This requires a unified programme to address cyber security systematically across the business and operations. Although building and implementing a programme of this nature is a multi-year, transformational effort, each phase of the initiative should have the same objective in mind: moving up the maturity scale to create an ICS environment that is secure, vigilant and resilient.

Secure

Being secure is about preventing system breaches or compromises through effective, automated controls and monitoring. But it is not feasible to secure everything equally. Critical assets and infrastructure and their associated ICS would obviously be at the top of the list, yet it is important to remember that they are not isolated components. They are part of larger supply chains, so it is essential to shore up weaknesses throughout end-to-end processes. This can involve many layers and types of controls, ranging from installing firewalls to "hardening" sensors such as those on drilling machines, excavators, earth movers, crushing and grinding equipment and processing plants. Systems need to be designed to consider that the entity operating an asset may not be the only organisation with rights to data. Service and supply companies and equipment vendors may also be given visibility into operational and equipment performance data in order to improve the services they can offer. Unless properly structured, this might provide an opportunity for unforeseen data leakage or system weaknesses, which could be exploited by third parties. It is essential to build control and monitoring systems with clearly defined data access rights and the ability to identify when these are contravened.



Vigilant

Security alone is not enough. Vigilance, or continuous monitoring to determine whether a system is still secure or has been compromised, must accompany it.

Worthwhile efforts to be vigilant start with an understanding of what you need to defend against. There are discernible threat trends in the mining industry, which provide a good starting point for understanding the types of attacks being launched against ICS. These trends, however, need to be supplemented by an understanding of your organisation's specific business risks in order to anticipate what might occur and design detection systems accordingly.

At any stage of the mining value chain, whether it be exploration, development, extraction, processing or delivery logistics, continuous automated monitoring of equipment should allow real-time detection of anomalies. This includes continually knowing the status of a diverse array of property, plant and equipment, spanning excavators and drag lines, drills and crushers, loaders and haul trucks, and everything in between – not to mention processing plants, tailings ponds and distributed energy resources. Ongoing visibility into these metrics should facilitate rapid reaction to eliminate environmental and safety hazards stemming from out-of-control operations, up to and including shutting down where necessary. It may be harder to detect the misappropriation or alteration of commercially sensitive data, such as degree of purity, dilution of ore and waste volume. Therefore, it is even more important to build safeguards into the design of these data management systems.

Resilient

A resilient organisation should ensure that it has the plans and procedures in place to identify a cyber-attack, contain or neutralise it, and rapidly restore normal operations. We can refer to these steps as "detect, respond and recover," and the protocols for ensuring successful outcomes will depend on the type of cyber issue identified.

Even if security controls fail and a cyber-attack initially goes undetected, the ability to mount a strong response can help to contain production losses as well as financial, environmental and brand damage. The response and recovery phases will need to include not only immediate remediation of compromised equipment and systems but also in-depth analysis of where and how cyber-attacks occurred, what system vulnerabilities allowed them to happen, and what mitigation measures should be implemented to prevent further risks.

Critically, it is not sufficient to just put playbooks and policies in place. Like a familiar fire drill, they should be rehearsed periodically through cyber war-gaming and simulations that bring together business and technology teams.



Implement key controls

While risk appetite and maturity levels will vary, there are a few pillars for cyber risk transformation in an ICS environment that nearly every mining company should have in place. Implementing these key controls can provide a starting point for a customised programme aimed at achieving security, vigilance and resilience.

• Awareness training: Cyber security awareness needs to be promoted among professionals in different roles in the organisation, along with training to give them the necessary skills to interact with systems safely, securely and responsibly.
• Access control: ICS components, including hardware, applications and networks, are secured physically and logically, with access only being granted after formal authentication and authorisation.
• Network security: Access to wired and wireless networks within the ICS environment is limited and secured in accordance with leading identity and access management practices, including dynamic provisioning and authentication, 24/7 monitoring and end point security.
• Portable media: Use of portable media within the ICS environment is restricted, and media are scanned for malicious software.
• Incident response: Incident management policies and procedures are developed and periodically tested.
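The first scenario in "Understanding the risks" (unauthenticated wireless commands letting an attacker hijack an autonomous hauling system) and the access-control and network-security pillars above come down to the same engineering requirement: a vehicle must act only on commands it can verify came from its dispatcher and that it has not already seen. The following Python is an added example written for this page, not code from the paper or from any vendor's haulage system; the frame format, the per-vehicle shared key, the truck identifier HT-017 and the dispatch scenario are all assumptions made for the illustration. It shows a dispatcher signing commands with HMAC-SHA256 over a sequence number, and the vehicle-side check rejecting a forged frame, a replayed frame and a tampered frame while accepting the genuine ones.

```python
"""Authenticated, replay-resistant command channel for a wireless ICS link.

Added illustration, not code from the Deloitte paper. The message format,
the per-vehicle shared key and the haul-truck identifier are assumptions
made for this example. Python 3 standard library only.
"""
import hashlib
import hmac
import json
import secrets

# Constructed shared secret for one haul truck. In practice each vehicle
# holds its own key, provisioned at commissioning and kept in
# tamper-resistant hardware where the platform offers it.
TRUCK_KEY = secrets.token_bytes(32)
TRUCK_ID = "HT-017"  # hypothetical asset identifier


def _canonical(command: dict) -> bytes:
    """Deterministic serialisation so sender and receiver MAC identical bytes."""
    return json.dumps(command, sort_keys=True, separators=(",", ":")).encode()


def sign_command(key: bytes, seq: int, truck_id: str, action: str, **params) -> dict:
    """Dispatcher side: build a frame carrying a sequence number and an HMAC-SHA256 tag."""
    body = {"seq": seq, "truck": truck_id, "action": action, "params": params}
    tag = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
    return {"body": body, "tag": tag}


class CommandReceiver:
    """Vehicle side: accept a frame only if its tag verifies and its sequence number is new."""

    def __init__(self, key: bytes, truck_id: str):
        self._key = key
        self._truck_id = truck_id
        self._last_seq = -1  # would be persisted across restarts in a real controller
        self.accepted = []
        self.rejected = []  # (reason, body) pairs, useful as an audit trail

    def receive(self, frame: dict) -> bool:
        body = frame.get("body", {})
        tag = frame.get("tag", "")
        expected = hmac.new(self._key, _canonical(body), hashlib.sha256).hexdigest()
        # Constant-time comparison: a plain == would leak tag bytes through timing.
        if not hmac.compare_digest(tag, expected):
            self.rejected.append(("bad_tag", body))
            return False
        if body.get("truck") != self._truck_id:
            self.rejected.append(("wrong_target", body))
            return False
        seq = body.get("seq", -1)
        if not isinstance(seq, int) or seq <= self._last_seq:
            # A captured, validly signed frame must not be usable a second time.
            self.rejected.append(("replay", body))
            return False
        self._last_seq = seq
        self.accepted.append(body)
        return True


def run_scenario():
    """Legitimate dispatch followed by three attacker attempts on the wireless segment."""
    receiver = CommandReceiver(TRUCK_KEY, TRUCK_ID)
    # 1. Dispatch centre issues two legitimate commands.
    f1 = sign_command(TRUCK_KEY, 1, TRUCK_ID, "set_speed", kph=30)
    f2 = sign_command(TRUCK_KEY, 2, TRUCK_ID, "stop")
    results = [receiver.receive(f1), receiver.receive(f2)]
    # 2. Attacker without the key crafts a command and guesses a tag.
    forged = {"body": {"seq": 3, "truck": TRUCK_ID, "action": "set_speed", "params": {"kph": 60}},
              "tag": "0" * 64}
    results.append(receiver.receive(forged))
    # 3. Attacker replays the captured, validly signed "set_speed 30" frame.
    results.append(receiver.receive(f1))
    # 4. Attacker edits the parameters of a captured frame but keeps its tag.
    tampered = {"body": dict(f2["body"], params={"kph": 60}), "tag": f2["tag"]}
    results.append(receiver.receive(tampered))
    return results, receiver


if __name__ == "__main__":
    verdicts, rx = run_scenario()
    print("verdicts:", verdicts)
    for reason, body in rx.rejected:
        print(f"rejected ({reason}): {body['action']} seq={body['seq']}")
```

Running the module prints the five verdicts and the three rejection reasons. The check sits on the vehicle rather than at a gateway because the attacker in the scenario is on the wireless segment between dispatcher and truck; a sequence counter that is not persisted across restarts reopens the replay window after every reboot, which is why the receiver keeps `_last_seq` as state rather than recomputing it.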



Figure 4: Key controls (figure not reproduced). The control areas legible in the figure, grouped under its four pillars as far as the layout can be recovered:

Governance: Risk Management & Compliance; Policies & Standards; Training & Awareness; Roles & Rights; Vendor Management.
Secure: Information Protection (Information Lifecycle Management, Encryption); Identity & Access Management (Authentication, Access Management, Identity Lifecycle Management); Infrastructure Protection (Network Security, Physical Security, System Security, Patch & Vulnerability Management, Malware Protection).
Vigilant: Cyber Attack Readiness Testing; Security Event Monitoring; Threat Management.
Resilient: Security Incident Response; Business Continuity Management.

The figure carries the overall label Cyber Security Management.



Embrace good governance

Clear ownership of ICS security is crucial, and roles and responsibilities should be clearly defined for everyone involved, from managers to process operators to third parties. Ultimately, there must be a single line of accountability. Without it, it is challenging not only to define requirements that apply to the whole organisation but also to identify where centralised versus local solutions are appropriate.

In the past, the manufacturing and engineering discipline owned the production environment, including ICS and related security mechanisms. Today, ICS security is increasingly becoming a part of the corporate organisation, falling under the auspices of the CISO. Yet this is not about IT stepping in and running the mine site or the processing plant. Even with CISO accountability, the engineering organisation is still responsible for developing the right solutions and deploying them at the sites.

Implementing a cyber-security programme within the ICS domain additionally poses some distinct talent management challenges. The job profile often requires people to be stationed at sites for a number of years. Without providing them with a clear career path, two things can happen:

1. IT professionals who are forced into an ICS security role will consider the programme as merely a hobby and will not actively contribute.
2. Security-savvy professionals will quickly reach their peak at a site and then search for another organisation.

Ideally, the organisation should develop an awareness programme to bridge the gap between IT and ICS professionals as well as a career development path for those wishing to specialise in ICS security. This path often starts with an entry-level site analyst position and progresses to a global security role within the organisation.



Expand the conversation

It is easy to see how cyber risks can damage shareholder value, but managing these risks effectively can generate value as well. For instance, an organisation can use a secure, vigilant and resilient cyber security programme to provide stability and continuity, create a favourable environment for innovation and R&D, build confidence among business partners and resource owners, attract and retain talent, and preserve the company's social licence to operate. Yet many executives in the mining sector are focused on improving returns, and they do not necessarily recognise the connection between managing risk and increasing the value of the company.

In our experience, this situation can create a precarious blind spot for mining executives.

The most potent risk is often the one you do not know about.

Repeatedly, executives go through the exercise of creating risk registers, which typically detail the most likely risks. Rather than limiting the conversation to common risks, it is often more productive to think about how much a potential incident could affect returns, even if it is highly unlikely.

If a "black swan" does occur, how much value would it destroy? Moreover, if it does not happen, how much value would it protect and create?

Conversations that are more expansive are generally needed at the executive level to consider not only the likelihood but also the potential impact of an ever-evolving spectrum of cyber risks. By elevating the topic of cyber risk to the same level as the topic of returns in the executive suite, mining organisations can largely avoid what is perhaps the greatest danger of all: a false sense of security.



Conclusion

In the past few years, the mining industry has seen the traditional boundaries between corporate IT and ICS largely disappear. Today, the evolution continues with the pursuit of intelligent mining to tackle the dual sector challenges of declining ore grades and operating efficiency. Beyond digitising mining operations, intelligent mining is about making informed decisions through accurate, complete and timely information, which requires forging new connections across previously isolated mine sites and functional business silos. As this interconnectedness marches on, so do the frequency and sophistication of cyber-attacks. However, most companies have not kept pace in terms of their preparedness.

The call to bridge the cyber-readiness gap has never been louder, with growing public awareness of cyber-crime and the potentially disastrous impact it can have on critical infrastructure. The place to start is assessing the maturity of your cyber security controls environment.

Going beyond traditional operational safety considerations to implement a secure, vigilant and resilient programme is essential not only for enhancing a mining company's ability to protect operational integrity amid a growing range of cyber threats but also for achieving operational excellence by taking advantage of the productivity benefits offered by a digitised, fully integrated ICS environment.



Contacts

Navin Sing
Managing Director Risk Advisory Africa
Mobile: +27 83 304 4225
Email: [email protected]

Shahil Kanjee
Leader: Risk Advisory Africa Cyber & Technology Risk
Mobile: +27 83 634 4445
Email: [email protected]

Cathy Gibson
Director: Risk Advisory Southern Africa
Mobile: +27 82 330 7711
Email: [email protected]

Tiaan van Schalkwyk
Associate Director: Risk Advisory Southern Africa
Mobile: +27 83 475 3551
Email: [email protected]

Paul Orffer
Associate Director: Risk Advisory Southern Africa
Mobile: +27 82 411 4839
Email: [email protected]

Jonathan Giliam
Risk Advisory Africa: Energy, Resources & Industrial Industry Leader
Mobile: +27 82 893 1800
Email: [email protected]

Anthony Olukoju
Risk Advisory Regional Leader: West Africa
Mobile: +234 805 209 0501
Email: [email protected]

Ibukun Beecroft
Director: Risk Advisory West Africa
Mobile: +234 805 901 6634
Email: [email protected]

Julie Nyangaya
Risk Advisory Regional Leader: East Africa
Mobile: +254 720 111 888
Email: [email protected]

Urvi Patel
Director: Risk Advisory East Africa
Mobile: +254 714 056 887
Email: [email protected]

Tricha Simon
Risk Advisory Regional Leader: Central Africa
Mobile: +260 973 224 715
Email: [email protected]

Rodney Dean
Director: Risk Advisory Central Africa
Mobile: +263 867 700 0261
Email: [email protected]



End Notes

1. "Intelligent Mining: Delivering Real Value," Deloitte, 2018, https://www2.deloitte.com/global/en/pages/energy-and-resources/articles/intelligent-mining-deloitte.html.

2. Mining and Metals Information Analysis Centre, http://www.mmisac.org/, accessed July 17, 2018.

3. Ibid.

4. Ibid.

5. Mark Clayton, "Exclusive: New thesis on how Stuxnet infiltrated Iran nuclear facility," Christian Science Monitor, February 25, 2014, https://www.csmonitor.com/World/Security-Watch/2014/0225/Exclusive-New-thesis-on-how-Stuxnet-infiltrated-Iran-nuclear-facility, accessed July 18, 2018.



Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited, a UK private company limited by guarantee (“DTTL”), its network of member firms, and their related entities. DTTL and each of its member firms are legally separate and independent entities. DTTL (also referred to as “Deloitte Global”) does not provide services to clients. Please see www.deloitte.com/about to learn more about our global network of member firms.

Deloitte provides audit, consulting, financial advisory, risk advisory, and related services to public and private clients spanning multiple industries. Deloitte serves four out of five Fortune Global 500® companies through a globally connected network of member firms in more than 150 countries and territories, bringing world-class capabilities, insights, and high-quality service to address clients' most complex business challenges. To learn more about how Deloitte's approximately 245 000 professionals make an impact that matters, please connect with us on Facebook, LinkedIn, or Twitter.

This communication contains general information only, and none of Deloitte Touche Tohmatsu Limited, its member firms, or their related entities (collectively, the “Deloitte network”) is, by means of this communication, rendering professional advice or services. Before making any decision or taking any action that may affect your finances or your business, you should consult a qualified professional adviser. No entity in the Deloitte network shall be responsible for any loss whatsoever sustained by any person who relies on this communication.

© 2019. For information, contact Deloitte Touche Tohmatsu Limited.
