An integrated approach to combat cyber risk
Securing industrial operations in mining

Foreword

Although numerous consumer companies have been thrust into the spotlight due to data breaches, the alarm bell has been slow to sound within the mining sector. For years, mining organizations largely had a false sense of security, believing they could operate under the radar of cyber criminals who had more lucrative targets to pursue. Why would malicious actors hack a mining operation when they could attack a consumer organization that moves financial data? Today, that reasoning has become as faulty as a patch on decades-old software.

The mining industry is moving into its next stage of evolution, which is sometimes referred to as “intelligent mining.” As detailed in the recent Deloitte report, Intelligent Mining: Delivering real value, this entails—in addition to broader organizational change—rapidly integrating robotics, automation, and the Internet of Things (IoT) into the operational environment.1 At the same time, the interest of cyber criminals in industrial operations has increased over the last decade, while the motives for their actions have become more diffuse. Malicious hacking, attacks, electronic fraud, data leaks and corporate espionage have become prevalent worldwide. These illicit activities are often driven by financial, political, or competitive objectives—or merely by the desire to cause disruption.

The combination of greater connectivity and proliferating threat vectors has already resulted in cyber attacks that have compromised both production and safety. These attacks have made cyber security a hot discussion topic within boardrooms around the globe, and now a growing number of organizations are developing transformation programs to address these new operational threats.

However, making operational processes secure, vigilant and resilient is a challenge. For example, deploying the organization’s existing cyber capabilities within the operations environment requires harmonizing two cultures, which is challenging. In addition, the operations environment demands continuous availability, along with tailored technical solutions that are not always easy to secure.

Solving these challenges requires a good understanding of both engineering and information technology (IT) disciplines as well as leading, sector-specific cyber security practices. This paper shares the understanding we’ve culled from our field experience, including lessons learned in helping mining companies to go beyond safety in securing their industrial control systems (ICS).


Introduction

Critical infrastructure relies on Industrial Control Systems (ICS) to maintain safe and reliable operations. Engineers have successfully designed and deployed ICS with safety and reliability in mind, but not always security. Why? Originally, there was little need for it. Fit-for-purpose, isolated operational systems were the order of the day. Since these operational systems were not integrated to enterprise systems or even to each other, the risk of a large-scale cascading failure due to an attack—cyber or otherwise—was extremely remote.

Fast forward 20 years, and digitization and IoT have turned the most basic assumptions about operational security upside down. Today, all sorts of industrial facilities, including mine sites, mineral processing plants, and remote operations centers, are vulnerable to cyber attacks. These vulnerabilities span critical electrical infrastructure, connected distributed control systems, programmable logic controllers (PLCs), supply chain partners, and more. Even a shaft mine with little internet connectivity underground is vulnerable to cyber-attacks on the above-ground electrical system, which could put the mine’s ventilation system at risk. Even more disconcerting, mitigating this type of cyber threat may be completely outside of the company’s control if the mine is reliant on the broader electricity grid rather than on its own distributed energy resources, such as solar panels or diesel generator sets.

Across multiple vectors, operational systems can now be compromised by external or internal bad actors, causing safety or production failures and increasing commercial risk. Although ICS are typically designed to fail safe, the increasing sophistication of cyber criminals heightens the risk of catastrophic incidents, along with the magnitude of the impacts in terms of cost, safety, reputation and commercial or financial losses.

As mining companies begin to grapple with the implications of an inter-connected operational environment, their corporate back-office systems are simultaneously coming under fire. Nation states, local activist groups, and even competitors have shown a keen interest in stealing intellectual property and proprietary information, such as exploration data, company valuations and other information pertaining to mergers and acquisitions. Often the goal is to gain an edge in negotiations or to influence business dynamics.


Threats such as these have made cyber security a top concern among senior leadership and boards of directors, and like other industries, the Energy, Resources and Industrials (ER&I) industry has been working to shore up its defenses. Such incidents inspired a group of Canadian mining companies to start the Mining and Metals Information Sharing and Analysis Center (MM-ISAC).2 Launched in April 2017, the non-profit, industry-owned Center is open to all companies in the mining and metals industry.3 It allows member companies to share critical cyber security information through secure channels enabling them to benefit from this intelligence at a reasonable cost.4 Importantly, the Center hints at the type of information sharing and resource pooling that could help the sector to combat cyber threats more effectively, similar to the collective approach taken by the financial sector.

While the mining industry has suffered data breaches and loss of intellectual property, it has escaped a major operational catastrophe thus far. However, this good fortune may not last unless mining companies expand their cyber security programs to protect operational as well as back-office systems and embrace the new level of intra-industry collaboration required to stay ahead of the rapidly evolving threat landscape. At a minimum, companies will need to think more broadly about what cyber security entails. To date, mining companies have been primarily focused on protecting corporate, as opposed to operational, systems and data. That’s because the IoT—where production can be controlled from an iPad or a smart phone, for instance—is relatively new, gaining momentum over the last decade, and because operational systems are inherently different, requiring engineering know-how, in addition to IT expertise, in order to secure them appropriately.

Today, an approach is needed that brings together IT and engineering to address cyber security programmatically and sustainably. The following discusses the goals of such an approach as well as practical steps for getting started. But first, let’s take a closer look at the types of cyber risks facing the mining sector, how they can disrupt the value chain, and what the consequences could be.


Figure 1. How cyber threats impact the mining value chain

Prospecting and Exploring
• Geophysical evaluation
• Research and development
• Determining feasibility

Prospecting and Exploring scenario #1: Theft of geophysical surveys, research reports and feasibility studies.
Risk: Attempts to extort money in exchange for keeping the information confidential, weakened negotiating position with local resource owners and governments, damaged competitive positioning, and loss of value.

Developing
• Permitting
• Operational logistics
• Building the mine

Developing scenario #1: Misappropriation of intellectual property such as production and processing methods, chemical formulae, and custom software.
Risk: Higher development costs, loss of competitive advantage, and erosion of site feasibility.

Mining
• Extracting the ore

Mining scenario #1: Unauthorized access to and manipulation of automated equipment.
Risk: Financial loss, equipment damage, and health and safety concerns for miners and adjacent populations.

Mining scenario #2: Breach of GPS deployment system.
Risk: Inappropriate mixing of ore grades or waste, health and safety issues, environmental concerns, and financial loss.

Mining scenario #3: Breach of the mine monitoring system.
Risk: Shutdown of system for investigation, compromised equipment integrity, health and safety issues, and stolen data.

Processing
• Refining
• Upgrading

Processing scenario #1: Interruption or tampering with operational controls.
Risk: Health and safety issues, operational downtime, sub-optimal yield from the ores, and revenue loss.

Marketing
• Sales
• Trading

Marketing scenario #1: Theft of pricing data and customer information.
Risk: Damage to competitive positioning, decreased market share, diminished reputation, and lower company valuations in M&A situations.


Understanding the risks

One of the main factors that makes it so difficult to secure ICS is that they were not designed to be connected, yet today they are networked. Digitization of operational processes in the mining industry has led to new opportunities to improve productivity and to drive down costs. However, the convergence of operational and business systems has also opened up the enterprise to a whole new array of cyber risks. Consider the following scenarios, the possibility of which didn’t even exist a few years ago:

• Lack of authentication in wireless communications allows a cyber criminal to hijack an autonomous hauling system, halting the movement of materials, damaging costly equipment, and putting people’s lives at risk.

• Poor security practices by a third-party contractor allow a virus to migrate into the production environment, shutting down critical Supervisory Control and Data Acquisition (SCADA) systems and creating unsafe working conditions.

• Insufficient employee training about how to recognize spear phishing and social engineering attempts enables a competitor to circumvent the organization’s security protocols and steal sensitive pricing data.

• Weaknesses within the supply chain allow ICS equipment to be intercepted and installed prior to delivery at a mining site. Improper testing of the components prior to deployment then allows the virus to proliferate undetected, resulting in a system crash, leading to disruption or shutdown of operations. This is indeed how the notorious virus is believed to have been introduced into Iran’s nuclear infrastructure.5

• A commodity IT solution with open design protocols allows members of an adversarial community to gain remote access to PLCs, thus giving them the ability to disrupt the production process at will.

As these examples illustrate, cyber threats can come from many directions, including internal actors aiming to sabotage production, competitors seeking to cause brand damage, and external parties, such as activist groups, wanting to shut down operations.

However, not all vulnerabilities stem from the technologies themselves. Diverse mine types and locations, coupled with the decentralized structure of many companies, also pose a challenge. For instance, it is not uncommon for a mining organization to be running 10 different versions of an industrial control system across 10 different mines, each having greater or lesser degrees of internet connectivity. In this type of environment, it is not uncommon for the corporate Chief Information Security Officer (CISO) to have little control over site-specific security procedures.

Behavioral aspects additionally come into play. For instance, sometimes a lack of security awareness within the organization can inadvertently expose systems to cyber attacks, such as when employees bring portable media that is infected with malware into the environment.

Furthermore, many operations employees simply believe that their systems are an unlikely target, thus they are reluctant to buy into the need to change their behaviors and implement new security protocols. After all, not long ago they could safely assume that all equipment components were trustworthy, which is no longer the case since digital sensors and controllers can be manipulated to provide false input and misguiding status information. Another outdated assumption is that process failures are mainly caused by weather conditions, human error and equipment fatigue, and not necessarily malicious manipulation of the system by those intending to inflict harm.

Whether a cyber breach is intentional or unintentional, the consequences can be grave, ranging from compromising confidential data to triggering system failure or shutdown. This can result in decreased revenue, reputational damage, environmental disaster, legal penalties, and in extreme cases, loss of life.

It’s easy to see why integrating effective and comprehensive cyber security controls into ICS is necessary, if not increasingly becoming mandatory. But to get there, companies must find a way to reconcile the divergent points of view of IT and operations: ICS specialists do not always fully understand modern IT security risks, just as IT security specialists often do not completely comprehend the industrial processes supported by ICS. In our experience, a bowtie analysis, a common concept used in engineering for failure mode analysis, can be a useful tool for bridging this gap. While any analysis will be company-specific, Figure 2 provides an example of how the “bowtie” might look for a mining company.


Figure 2. Example of a “Cyber Risk” bowtie analysis for a mining company

Threat actors (threats)
• Foreign intelligence services
• Terrorists
• Employees
• Third party contractors and vendors
• Activists

Likelihood management
• Policy and standards
• Risk assessment
• Training and awareness
• Vendor management
• Information protection and encryption
• Identity management
• Network segmentation
• Physical security
• Malware and patch management

Event

Consequence management
• 24/7 security and incident event monitoring
• Threat intelligence
• Incident response
• Emergency response

Consequences
• Operational disruption
• Injury or fatality
• Loss of critical or confidential information
• Financial loss
• Reputational damage
• Regulatory fines and penalties

Source: Information adapted from Talbot, J, and Jakeman, M, 2008, ‘Security Risk Management Body of Knowledge’, RMIA, Carlton South


Conduct a maturity assessment

Once the risks are understood, a mining company should assess the maturity of its cyber security controls not only in a corporate context but also in an operational environment. While not every risk can be mitigated, it’s important to know what type of controls are in place and where to focus improvement efforts. This means giving appropriate consideration to how potential security breaches within ICS link to business risks. Importantly, this can’t be done by an engineering or IT group on its own: it requires a multi-disciplinary team of business, operations, engineering and IT security professionals to:

• Record assets and facilities and rank them in terms of criticality. This can involve asking questions such as: Are there factors that make a certain mine site or processing plant a particularly attractive target? Are corporate IT standards, governance and monitoring processes being applied to all ICS assets? Have the full range of cyber vulnerabilities been considered, and have the potential consequences been identified, and ideally quantified?

• Determine if critical assets and facilities have well-known and exploitable vulnerabilities. In the mining industry, these vulnerabilities differ somewhat according to where they fall within the value chain. For instance, corporate offices are commonly exposed to theft of proprietary exploration data, such as geophysical surveys, ore-body composition reports, feasibility studies, and strategic planning information—all of which can jeopardize competitive positioning. Back-office systems are also vulnerable to theft of sensitive data related to executive decision-making, payroll, company valuations, joint ventures, M&A, and pricing, which can weaken negotiations with governments and their constituents.

• Mine sites and processing plants on the other hand are vulnerable to the malicious manipulation of supervisory control and data acquisition (SCADA) and other operational systems; production shutdowns due to virus infections; and loss of communication to workers and remote operation centers. Here, the consequences are more physical, potentially resulting in unsafe working conditions, environmental damage, and production downtime, which in turn could lead to human and financial loss and ultimately jeopardize the company’s social license to operate. Similarly, cyber risks for remote operations centers also have both physical and financial implications, such as unsafe conditions within the mines, disruption to materials movement and communication, and improper handling of chemicals or other hazardous materials. This could result in revenue loss, brand damage, and regulatory and compliance violations.

• Assess the maturity of the controls environment for proactively managing these threats. In gauging the sophistication of governance and controls, it is often helpful to use an established framework such as the Deloitte cyber security maturity model, which is presented in Figure 3. In performing maturity assessments for a broad range of energy and resources companies, we’ve observed that the maturity of the mining industry as a whole is about 2.5 on this scale, whereas the recommended position is greater than 4.

Throughout the maturity assessment process, it is important to understand the difference between the security considerations for business systems versus industrial control systems. In today’s integrated environment, IT security standards and processes must be capable of addressing both back-office systems and ICS in a manner that neither affects the performance of current systems nor interferes with existing mechanisms for protecting safety and reliability.


Figure 3. The Deloitte cyber security maturity model

Overall cyber security maturity: 1 Initial, 2 Repeatable, 3 Defined, 4 Managed, 5 Optimized. The figure marks the observed position of the mining industry and the recommended position for the mining industry on this scale.

Behaviors

Initial
• Dependent primarily on individuals and isolated practices
• New or relatively inexperienced security team

Repeatable
• Ad-hoc approach with some tools and documented procedures
• Established security function

Defined
• Clearly defined strategy supported with tools and methods to manage risk
• Security processes defined and in place
• Established security function with integrated systems designed to predict, prevent, detect, and respond

Managed
• Established security capability, with defined processes and measures
• Focused on risk management and business enablement
• Two plus years operating with defined processes and practices

Optimized
• Risk sensing and predictive analytics used to model threats
• Highly automated
• Five plus years operating without a significant failure
• Board level engagement

Key controls

• General awareness of ICS cyber security needs but not considered a priority
• ICS cyber security strategy and policy established
• Awareness and education
• Inventory of all cyber assets
• Security standards developed
• Industrial control systems secured according to security standards
• Cyber threat intelligence/sensing
• Data loss prevention
• Behavioral analytics
• Annual vulnerability testing
• Identity and access management for provisioning and authentication
• Segmentation of ICS and corporate networks
• 24/7 security monitoring
• End point security
• Annual risk assessment with identified gaps and remediation plan
• Incident response plan developed and tested
• Mobile protection
• Virus and malware protection
• Third party security
• Physical security


Build a unified program

For over 50 years, safety was the primary motivation behind designing and deploying controls for physical production processes. While this motivation is still there—keeping processes in a safe and operational state—the landscape of potential disruptions now encompasses the cyber domain. This now requires a unified program to address cyber security systematically across the business and operations. Although building and implementing a program of this nature is a multi-year, transformational effort, each phase of the initiative should have the same objective in mind: moving up the maturity scale to create an ICS environment that is secure, vigilant, and resilient.

Secure

Being secure is about preventing system breaches or compromises through effective, automated controls and monitoring. But, it’s not feasible to secure everything equally. Critical assets and infrastructure and their associated ICS would obviously be at the top of the list, but it’s important to remember that they’re not isolated components. They’re part of larger supply chains, so it’s essential to shore up weaknesses throughout end-to-end processes. This can involve many layers and types of controls, ranging from installing firewalls to “hardening” sensors such as on drilling machines, excavators, earth movers, crushing and grinding equipment and processing plants. Systems need to be designed to consider that the entity operating an asset may not be the only organization with rights to data. Service and supply companies and equipment vendors may also be given visibility into operational and equipment performance data in order to improve the services they can offer. Unless properly structured, this might provide an opportunity for unforeseen data leakage or system weaknesses, which could be exploited by third parties. It is essential to build control and monitoring systems with clearly defined data access rights and the ability to identify when these are contravened.

Vigilant

Security alone is not enough. It must be accompanied by vigilance, or continuous monitoring to determine whether a system is still secure or has been compromised. Worthwhile efforts to be vigilant start with an understanding of what you need to defend against. There are discernible threat trends in the mining industry, which provide a good starting point for understanding the types of attacks being launched against ICS. These trends, however, need to be supplemented by an understanding of your organization’s specific business risks in order to anticipate what might occur and design detection systems accordingly.

Resilient

A resilient organization should ensure that it has the plans and procedures in place to identify a cyber attack, contain or neutralize it, and rapidly restore normal operations. We can refer to these steps as “detect, respond and recover,” and the protocols for ensuring successful outcomes will depend on the type of cyber issue identified.

At any stage of the mining value chain, whether it be exploration, development, extraction, processing, or delivery logistics, continuous automated monitoring of equipment should allow real-time detection of anomalies. This includes continually knowing the status of a diverse array of property, plant and equipment, spanning excavators and drag lines, drills and crushers, loaders and haul trucks, and everything in between—not to mention processing plants, tailings ponds and distributed energy resources. Ongoing visibility into these metrics should facilitate rapid reaction to eliminate environmental and safety hazards stemming from out-of-control operations, up to and including shutting down where necessary. It may be harder to detect the misappropriation or alteration of commercially sensitive data, such as degree of purity, dilution of ore, and waste volume. Therefore, it is even more important to build safeguards into the design of these data management systems.

Even if security controls fail and a cyber attack goes undetected, the ability to mount a strong response can help to contain production losses as well as financial, environmental and brand damage. The response and recovery phases will need to include not only immediate remediation of compromised equipment and systems but also in-depth analysis of where and how cyber attacks occurred, what system vulnerabilities allowed them to happen, and what mitigation measures should be implemented to prevent further risks.

Critically, it’s not sufficient to just put playbooks and policies in place. Like a familiar fire drill, they should be rehearsed periodically through cyber war-gaming and simulations that bring together business and technology teams.


Implement key controls

While risk appetite and maturity levels will vary, there are a few pillars for cyber risk transformation in an ICS environment that nearly every mining company should have in place. Implementing these key controls can provide a starting point for a customized program aimed at achieving security, vigilance and resiliency.

• Awareness training: Cyber security awareness needs to be promoted among professionals in different roles in the organization, along with training to give them the necessary skills to interact with systems safely, securely and responsibly.

• Access control: ICS components, including hardware, applications and networks, are both physically and logically secured, with access only being granted after formal authentication and authorization.

• Network security: Access to wired and wireless networks within the ICS environment is limited and secured in accordance with leading identity and access management practices, including dynamic provisioning and authentication, 24/7 monitoring and end point security.

• Portable media: Use of portable media within the ICS environment is restricted and scanned for malicious software.

• Incident Response: Incident management policies and procedures are developed and periodically tested.


Figure 4. Key controls

Governance (Cyber Security Management)
• Risk Management & Compliance
• Policies & Standards
• Training & Awareness
• Vendor Management

Secure
Information Protection
• Information Lifecycle Management
• Encryption
Identity & Access Management
• Authentication
• Roles & Rights Management
• Identity Lifecycle Management
Infrastructure Protection
• Network Security
• Physical Security
• System Security
• Patch & Vulnerability
• Malware Protection

Vigilant (Threat Management)
• Cyber Attack Readiness Testing
• Security Event Monitoring
• Security Analytics

Resilient (Incident Management)
• Security Incident Response
• Business Continuity Management


Embrace good governance

Clear ownership of ICS security is crucial, and roles and responsibilities should be clearly defined for everyone involved, from managers to process operators to third parties. Ultimately, there must be a single line of accountability. Without one, it is challenging not only to define requirements that apply to the whole organization but also to identify where centralized versus local solutions are appropriate.

In the past, the manufacturing and engineering discipline owned the production environment, including ICS and related security mechanisms. Today, ICS security is increasingly becoming a part of the corporate organization, falling under the auspices of the CISO. Yet, this isn’t about IT stepping in and running the mine site or the processing plant. Even with CISO accountability, the engineering organization is still responsible for developing the right solutions and deploying them at the sites.

Implementing a cyber security program within the ICS domain additionally poses some distinct talent management challenges. The job profile often requires people to be stationed at sites for a number of years. Without providing them with a clear career path, two things can happen:

1. IT professionals who are forced into an ICS security role will consider the program as merely a hobby and they will not actively contribute.

2. Security-savvy professionals will quickly reach their peak at a site and then will search for another organization.

Ideally, the organization should develop an awareness program to bridge the gap between IT and ICS professionals as well as a career development path for those wishing to specialize in ICS security. This path often starts with an entry-level site analyst position and progresses to a global security role within the organization.


Expand the conversation

It’s easy to see how cyber risks can damage shareholder value, but managing these risks effectively can generate value as well. For instance, an organization can use a secure, vigilant and resilient cyber security program to provide stability and continuity, create a favorable environment for innovation and R&D, build confidence among business partners and resource owners, attract and retain talent, and preserve the company’s social license to operate. Yet, many executives in the mining sector are focused on improving returns, and they don’t necessarily recognize the connection between managing risk and increasing the value of the company. In our experience, this situation can create a precarious blind-spot for mining executives.

The most potent risk is often the one you don’t know about. Time and again, executives go through the exercise of creating risk registers, which typically detail the most likely risks. Rather than limiting the conversation to common risks, it’s often more productive to think about how much a potential incident could affect returns, even if it is highly unlikely. If a “black swan” does occur, how much value would it destroy? And, if it does not happen, how much value would it protect and create?

More expansive conversations are generally needed at the executive level to consider not only the likelihood but also the potential impact of an ever-evolving spectrum of cyber risks. By elevating the topic of cyber risk to the same level as the topic of returns in the executive suite, mining organizations can largely avoid what is perhaps the greatest danger of all: a false sense of security.


Conclusion

In the past few years, the mining industry has seen the traditional boundaries between corporate IT and ICS largely disappear. Today, the evolution continues with the pursuit of intelligent mining to tackle the dual sector challenges of declining ore grades and operating efficiency. Beyond digitizing mining operations, intelligent mining is about making informed decisions through accurate, complete and timely information, which requires forging new connections across previously isolated mine sites and functional business silos. As this interconnectedness marches on, so do the frequency and sophistication of cyber attacks. However, most companies have not kept pace in terms of their preparedness. The call to bridge the cyber-readiness gap has never been louder, with growing public awareness of cyber crime and the potentially disastrous impact it can have on critical infrastructure. The place to start is assessing the maturity of your cyber security controls environment. Going beyond traditional operational safety considerations to implement a secure, vigilant and resilient program is not only essential for enhancing a mining company’s ability to protect operational integrity amid a growing range of cyber threats but also to achieve operational excellence by taking advantage of the productivity benefits offered by a digitized, fully integrated ICS environment.


Contacts

Authors

Sandeep Verma, Global Risk Advisory Leader - Mining & Metals, Deloitte US

Andrew Deas, Managing Director – Risk Advisory, Deloitte US

Andrew Douglas, Managing Director – Risk Advisory, Deloitte US

Adriaan Davidse, Director – Consulting, Deloitte Canada

Global contacts

Phil Hopwood, Global Leader – Mining & Metals, Deloitte Touche Tohmatsu Limited

Rajeev Chopra, Global Leader – Energy, Resources & Industrials, Deloitte Touche Tohmatsu Limited

Paul Zonneveld, Global Risk Advisory Leader – Energy, Resources & Industrials, Deloitte Canada

Sandeep Verma, Global Risk Advisory Leader - Mining & Metals, Deloitte US


End Notes

1. “Intelligent Mining: Delivering Real Value,” Deloitte, 2018, https://www2.deloitte.com/global/en/pages/energy-and-resources/articles/intelligent-mining-deloitte.html.

2. Mining and Metals Information Analysis Centre, http://www.mmisac.org/, accessed July 17, 2018.

3. Ibid.

4. Ibid.

5. Mark Clayton, “Exclusive: New thesis on how Stuxnet infiltrated Iran nuclear facility,” Christian Science Monitor, February 25, 2014, https://www.csmonitor.com/World/Security-Watch/2014/0225/Exclusive-New-thesis-on-how-Stuxnet-infiltrated-Iran-nuclear-facility, accessed July 18, 2018.


© 2018. For information, contact Deloitte Touche Tohmatsu Limited.