An integrated approach to combat cyber risk | Foreword An integrated approach to combat cyber risk Securing industrial operations in ming February 2019 01 An integrated approach to combat cyber risk | Foreword Introduction Foreword 3 Introduction 4 Understanding the risks 7 Conduct a maturity assessment 10 Build a unified programme 13 Implement key controls 15 Embrace good governance 17 Expand the conversation 18 Conclusion 19 Contacts 20 End Notes 21 02 An integrated approach to combat cyber risk | Foreword Foreword Although numerous consumer The combination of greater companies have been thrust into connectivity and proliferating the spotlight due to data threat vectors has already breaches, the alarm bell has been resulted in cyber-attacks that slow to sound within the mining have compromised both sector. For years, mining production and safety. organisations largely had a false sense of security, believing they These attacks have made cyber could operate under the radar of security a hot discussion topic cyber criminals who had more within boardrooms around the lucrative targets to pursue. Why globe and now a growing number would malicious actors hack a of organisations are developing mining operation when they could transformation programmes to attack a consumer organisation address these new operational that moves financial data? Today, threats. that reasoning has become as faulty as a patch on decades-old However, making operational software. processes secure, vigilant and resilient is a challenge. For The mining industry is moving example, deploying the into its next stage of evolution, organisation’s existing cyber which is sometimes referred to as capabilities within the operations “intelligent mining.” As detailed in environment requires the recent Deloitte report, harmonising two cultures, which Intelligent Mining: Delivering real is challenging. In addition, the value, this entails - in addition to operations environment demands broader organisational change - continuous availability, along with rapidly integrating robotics, tailored technical solutions that automation and the Internet of are not always easy to secure. Things (IoT) into the operational environment.1 At the same time, Solving these challenges requires the interest of cyber criminals in a good understanding of both industrial operations has engineering and information increased over the last decade, technology (IT) disciplines as well while the motives for their actions as leading, sector-specific cyber have become more diffuse. security practices. This paper Malicious hacking, ransomware shares the understanding we’ve attacks, electronic fraud, data collected from our field leaks and corporate espionage experience, including lessons have become prevalent learned in helping mining worldwide. These illicit activities companies to go beyond safety in are often driven by financial, securing their industrial control political, or competitive objectives systems (ICS). - or merely by the desire to cause disruption. 03 An integrated approach to combat cyber risk | Introduction Introduction Critical infrastructure relies on of the company’s control if the ICS to maintain safe and reliable mine is reliant on the broader operations. Engineers have electricity grid rather than on its successfully designed and own distributed energy resources, deployed ICS with safety and such as solar panels or diesel reliability in mind, but not always generator sets. security. Why? Originally, there was little need for it. Fit-for- Across multiple vectors, purpose, isolated operational operational systems can now be systems were the order of the compromised by external or day. Since these operational internal bad actors, causing systems were not integrated to safety or production failures and enterprise systems or even to increasing commercial risk. each other, the risk of a large- Although ICS are typically scale cascading failure due to an designed to fail safe, the attack - cyber or otherwise - was increasing sophistication of cyber extremely remote. criminals heightens the risk of catastrophic incidents, along with Fast forward 20 years, digitisation, the magnitude of the impacts in and IoT has turned the most basic terms of cost, safety, reputation assumptions about operational and commercial or financial security upside down. Today, all losses. sorts of industrial facilities, including mine sites, mineral As mining companies begin to processing plants and remote grapple with the implications of operations centres are vulnerable an inter-connected operational to cyber-attacks. These environment, their corporate vulnerabilities span critical back-office systems are electrical infrastructure, simultaneously coming under fire. connected distributed control Nation states, local activist systems, programmable logic groups and even competitors controllers (PLCs), supply chain have shown a keen interest in partners and more. Even a shaft stealing intellectual property and mine with little internet proprietary information, such as connectivity underground is exploration data, company vulnerable to cyber-attacks on valuations and other information the above- ground electrical pertaining to mergers and system, which could put the acquisitions. Often the goal is to mine’s ventilation system at risk. gain an edge in negotiations or to Even more disconcerting, influence business dynamics. mitigating this type of cyber threat may be completely outside 04 An integrated approach to combat cyber risk | Introduction Threats such as these have made back-office systems and embrace cyber security a top concern the new level of intra-industry among senior leadership and collaboration required to stay boards of directors and like other ahead of the rapidly evolving industries, the Energy, Resources threat landscape. At a minimum, and Industrials (ER&I) industry companies will need to think has been working to shore up its more broadly about what cyber defences. Such incidents inspired security entails. To date, mining a group of Canadian mining companies have been primarily companies to start the Mining and focused on protecting corporate, Metals Information Sharing and as opposed to operational, Analysis Centre (MM-ISAC).2 systems and data. That is Launched in April 2017, the non- because the IoT – where profit, industry-owned Centre is production can be controlled from open to all companies in the an iPad or a smart phone, for mining and metals industry.3 It instance – is relatively new, allows member companies to gaining momentum over the last share critical cyber security decade and because operational information through secure systems are inherently different, channels enabling them to benefit requiring engineering expertise, from this intelligence at a in addition to IT expertise, in reasonable cost. Importantly, the order to secure them Centre hints at the type of appropriately. information sharing and resource pooling that could help the sector Today, an approach is needed to combat cyber threats more that brings together IT and effectively, similar to the engineering to address cyber collective approach taken by the security programmatically and financial sector. sustainably. The following discusses the goals of such an While the mining industry has approach as well as practical suffered data breaches and loss steps for getting started. But of intellectual property, it has first, let us take a closer look at escaped a major operational the types of cyber risks facing the catastrophe thus far. However, mining sector, how they can this good fortune may not last disrupt the value chain and what unless mining companies expand the consequences could be. their cyber securityprogrammes to protect operational as well as 05 An integrated approach to combat cyber risk | Introduction Figure 1 06 An integrated approach to combat cyber risk | Understanding the risks Understanding the risks One of the main factors that Insufficient employee training makes it so difficult to secure ICS about how to recognise spear is that they were not designed to phishing and social be connected, yet today they are engineering attempts enables networked. Digitisation of a competitor to circumvent the operational processes in the organisation’s security mining industry has led to new protocols and steal sensitive opportunities to improve pricing data. productivity and to drive down • Weaknesses within the supply costs. However, the convergence chain allow ICS equipment to of operational and business be intercepted and malware systems has also opened up the installed prior to delivery at a enterprise to a completely new mining site. Improper testing array of cyber risks. Consider the of the components prior to following scenarios, the possibility deployment then allows the of which didn’t even exist a few virus to proliferate undetected, years ago: resulting in a system crash, leading to disruption or • Lack of authentication in shutdown of operations. This wireless communications is indeed how the notorious allows a cyber-criminal to Stuxnet virus is believed to hijack an autonomous hauling have been introduced into system, halting the movement Iran’s nuclear infrastructure.5 of materials, damaging costly • A commodity IT solution with equipment and putting open design protocols allows people’s lives at risk. members of an adversarial • Poor security practices by a community to gain remote third-party contractor allow a access to PLCs, thus giving virus to migrate into the them the ability to disrupt the
Details
-
File Typepdf
-
Upload Time-
-
Content LanguagesEnglish
-
Upload UserAnonymous/Not logged-in
-
File Pages22 Page
-
File Size-