Cybersecurity remains an industrial-scale challenge; mining operators need to realise they are tangible targets and have to prepare accordingly. Barry Mansfield assesses the industry’s opinion about the progress the sector has made so far, and asks whether it’s sufficient to stave off the growing cyberthreat.
Last year, cybersecurity was never far from the headlines. Critical infrastructure faced attacks on a monthly basis, such as threats from state-backed groups. In terms of mining cybersecurity, companies are at risk from cybercriminals hoping to gain financially, but they may also be targeted by ‘hacktivists’ that are rogue groups striving to make a political or environmental point by exploiting the sector’s strategic position in worldwide supply chains. These actors typically prey on weaknesses caused by heavy reliance on integrated and automated systems.
A report from professional services firm EY has shown that 55% of mining operators fell victim to a serious cybersecurity incident in 2017, with 48% admitting that it is unlikely that they would even be able to identify a sophisticated attack. EY believes the industry has been sluggish in narrowing the cybermaturity gap and that miners are lagging behind the energy sector in how they protect operational technology. Even if commodity prices are up across the board, producers are more risk-averse than ever. Accessing capital is also more difficult and expensive, putting pressure on new investments.
Advanced persistent threat (APT) campaigns, which were initially used for industrial espionage, have been repurposed to impact businesses by attacking and damaging industrial assets. In December 2015, BlackEnergy (BE) and another APT campaign, Sandworm, were identified as the likely perpetrators behind service interruptions at two power generation facilities in Ukraine. In addition, BE and KillDisk were the suspected drivers behind similar cyberattacks against a mining company and a large railway operator that were also based in Ukraine.
With these incidents, BE evolved from an energy sector problem to a threat applicable to organisations in every industry, including mining. Nation-state actors, business competitors and criminal syndicates betray varying yet sometimes overlapping interests. By 2018, these campaigns had targeted a variety of industries resulting in data and intelligence theft (Red October), deletion of data on hard drives in energy facilities (Shamoon), to the disruption of nuclear facilities (Stuxnet) and, most recently, the well-publicised attacks against power generation facilities.
Mining cybersecurity: a vulnerable marketplace?
Paradoxically, unstable economic conditions are making way for a renaissance in the area of cybersecurity. At March’s FT Commodities Global Summit in Lausanne, Switzerland, Anglo American’s chief executive Mark Cutifani said the operator would look to prioritise its existing assets first. Referring to the M&A boom of the mid-2000s, he remarked that he feels “allergic to those types of risks today”, but miners should be “careful we don’t become ‘gun shy’ either”. As a result, the company and other mining businesses are looking inward, principally with investments in technology innovation and cybersecurity.
However, cyberattacks are not an exclusive IT problem: they pose a plethora of risks to running a business, from operational shutdowns, damage to equipment and reputation and financial harm, to loss of IP and competitive advantage, as well as safety issues. The classic modus operandi and primary goal has been to steal money or financial information yet today’s cybercriminals are adaptable, not only in terms of technical ability and sophistication, but also in understanding the value of stolen sensitive data and how to monetise it. One gang, for instance, stole market-sensitive information from more than 100 companies, while another group took pre-release information from financial newswires. In both cases, the stolen knowledge was used to make profits in the stock market.
Another recent trend concerns the rise of extortive cyberattacks against organisations using ransomware and distributed denial of service (DDoS) attacks. Together, the deep web marketplace and underground forums form a massive virtual organised crime group, with Dream, Point and Wall Street Market leading the way.
Even novice customers are easily able to use these markets to purchase malware, bulletproof hosting, technical support, expertise and money laundering services, thus increasing the threat against organisations. A common vulnerability for businesses is the way their operations are set up, coupled with the trend towards more centralisation. A prominent example here is operational technology (OT), which means hardware and software that detect or cause a change through direct monitoring and control of physical devices, processes and events in an enterprise.
To be competitive in the market-driven global economy, miners need an improved overview of the supply chain. This necessity is reflected in the shift towards greater integration, visibility and intelligence in OT production control systems, as well as IT that companies use to manage their critical assets, logistics, planning and operations. The convergence of OT and IT is precisely what allows greater access to two components that are prime targets for cybercriminals.
OT infrastructure is poorly protected against attacks and is typically secured with IT solutions that are ill-adapted to legacy control systems, such as supervisory control and data acquisition (SCADA). In addition, emerging technologies like cloud computing and big data analytics have made 2018’s security challenges far more complex and critical. Admittedly, the centralisation of business functions across the supply chain is driven by cost rationalisations that appear, at first glance, to outweigh the risks. This dichotomy will have to be addressed in light of cyber-risks.
Major players like Rio Tinto have beefed up cybersecurity capabilities due to the growing influence of IT-OT convergence at mine sites. Over the past 18 months, the operator has mounted a recruitment drive for the US, Australia, South Africa and Canada, with a focus on risk analysts, penetration testers, intrusion detection and response specialists. Several new roles have been aimed at securing industrial control and enterprise resource planning/systems, applications and products systems. BHP Billiton has made similar moves, hiring two cyberincident response specialists, three forensics and investigation experts, and a manager for assurance and testing.
There are many technology applications that are specific to the mining industry’s processes. However, this does not mean that companies can afford to overlook general emerging security risks in the changing corporate IT space. The adoption of bring your own device (BYOD) and the rising use of smart devices, which are used in operational areas to access the cloud, call for the same prudent approach to cybersecurity as a bank. As does another emerging corporate IT trend, ‘shadow IT’, which sees non-IT business units procure and manage cloud-based services with little or no involvement from chief information officers.
The pitfalls of automation
To stay afloat in the competitive global market, businesses need to have efficient production processes to cut costs, and boost output and quality. One solution is automation, as it helps to improve workplace safety, limit operational costs and variance, increase precision, allow accurate process modelling, and better production consistency and capacity alongside the level of control for each stage of production. For these reasons, the automation of industrial systems has been steadily gaining momentum.
Unfortunately, most industrial control systems (ICS) in use today were developed decades ago. With changing requirements around remote access and corporate connectivity, ICS has adopted IT solutions for ease of integration and lowering development cost. The operational priorities for ICS are integrity to ensure that correct commands are issued; availability for limiting interruptions; and confidentiality in order to protect data. The operational priorities for IT systems are confidentiality for safeguarding data; integrity to guarantee that correct commands are issued; and availability so interruptions are limited.
ICS was designed to concentrate on performance, reliability, safety and flexibility, and to operate in isolated environments. Since it incorporates all manner of popular IT solutions, network connectivity and different operational priorities, it brings a host of exploitable vulnerabilities. In 2015, ICS-CERT responded to 295 cyberincidents – a 20% increase over the previous year. Attacks against the critical manufacturing sector nearly doubled to a record 97 incidents; energy was the second most targeted with 46 incidents, followed by water and wastewater with 25 cases.
David Ferbrache, technical director at KPMG’s cybersecurity practice, warned that endemic poor security in the IoT is unlikely to be solved in 2018. In a press release, he welcomed “an increasingly sophisticated response from the international community involving telcos, content delivery networks and DDoS mitigation firms”, but predicts that this will not be consistent enough with widespread disruption in the future. He also saw a strong role for cyberinsurance, in regard to covering reimbursement and providing a channel for specialist support in a crisis.
Elsewhere, analyst Barek Perelman, co-founder and chief executive of Indegy, warns that the lack of skilled ICS cybersecurity professionals will continue to be a problem for the remainder of 2018. The good news is that he expects ICS technology vendors to roll out a new batch of products that “will support encryption and other embedded security controls”. Organisations will become more interested in industrial security frameworks as they seek to stay ahead of emerging threats, he says.
Among the most important are the National Institute of Standards and Technology (NIST)’s Cybersecurity Framework, and the North American Electric Reliability Corporation (NERC)’s critical infrastructure protection (CIP) standards.
In late 2017, ICS-CERT confirmed that many of the sites it had assessed over the course of the previous year were short staffed, and that many positions had no back-up personnel. The scope of BrickerBot, Mirai and Hajime brought IoT into the spotlight because these threats exploited default or hard-coded passwords to target devices. The risks are not typical of an OT network, but the vulnerabilities are common in an ageing ICS infrastructure. In addition, the disclosure of the key reinstallation attack (KRACK) vulnerability revealed a new risk of ‘man-in-the-middle’ threats in the OT environment.
The ICS-CERT team warns that ICS components and infrastructure should only be accessible to authorised personnel – as necessary – to maintain a system. It also noticed cases where infrastructure – including routers and switches – was situated in company space where it was readily accessible to staff with no need to have physical access. Other cases included ICS components that were in public areas without any overt restrictions, like locked doors or enclosures, to deny access to a passerby. Some companies did not lock doors to the operations base, which could enable anyone to enter.
Overall, ICS-CERT observes many of the same vulnerabilities as in previous years, with the gravest area of concern being the protection of the sensitive control system environment. The use of shared and group accounts is a growing problem, as these make it difficult to identify the actual user and enable malicious parties to use them with anonymity. On top of this, passwords are often poor and changed too infrequently. However, ICS-CERT’s assessment team noted that asset owners were paying increasing attention to control system security. As the industry becomes more connected, greater awareness of these factors could prove vital, so the mining sector can successfully navigate this very modern threat.
This article was originally published in World Mining Frontiers.