Cybersecurity: getting IT right, or nOT?

In July 2023, Johannesburg-based Sibanye-Stillwater joined a growing cohort of mining companies in the unenviable position of falling foul of cybercriminals. The precious metals producer said an attack on its IT system had led to “limited” disruption to global operations. Thankfully, it seemed, the company was able to isolate the affected system, containing the wider risk such incidents can often pose.

Sibanye-Stillwater is not the first mining multinational to have been targeted. Recent history is littered with such episodes, often considerably more serious. EY’s global mining and metals cybersecurity lead Clement Soh warns such targeting remains a threat, despite the fact that the risks are understood more than ever before.

“Cyber is still a ‘Top 5’ operational risk for most mining and metals organisations,” he says. “The ‘Energy and Resources’ sector is amongst the most targeted – whether for financial gain, geopolitical or cyber espionage.”

Rio Tinto perhaps knows that better than anyone, having earned the unwelcome distinction of suffering one of the biggest attacks in the industry’s history. In a March 2023 hack, the personal and family data of employees, and payroll information, was stolen and published online. It was not the only victim around that time either; weeks later Australia’s Fortescue Metals confirmed it had been hit by “a low-impact cyber incident”. A Russian ransomware group said it carried out the attack which, Fortescue added, led to the “disclosure of a small portion of data”.

Mining: an attractive target for cyberattacks

It is clear mining is an attractive target for cybercriminals. Mining companies need to take the threat seriously, sharpening their focus on cybersecurity, according to Soh. What is more, he warns, threats are growing.

“Key cyber scenarios have now expanded to include data breach and theft of intellectual property – for example, battery-tech and green manufacturing – along with the traditional disruption of front-line operations such as OT availability, and critical business and operational support systems.”


The convergence of OT and IT in mining has long been debated. The reality, though, is they are both critical to modern mines and their owner organisations. “Contrary to IT, which is mainly focused on making data available, OT is focused on making machines impact the physical world,” according to Cisco Systems.

“Everything is now connected to everything,” explains Soh. “Optimising the processing plant relies on data analytics running on cloud computing; modern cyber platforms require OT systems to have connectivity to a SaaS (software as a service) platform to detect the latest threats; and a multitude of sensor data is interchanged between integrated operations and third-party vendors for conditional monitoring and near-time decision making.”

Such infrastructure, whilst helping improve operations, expands the risk exposure. Furthermore, most organisations have adopted hybrid remote working arrangements, introducing another element that requires effective oversight and robust systems. It is a concern Soh highlights.

Clement Soh is EY’s global mining and metals cybersecurity lead. Credit: Clement Soh.

“The net effect of these trends has broadened the cyberattack surface,” he notes. “As such, a legacy cyber strategy focused on building a strong external perimeter and having an ‘air-gapped’ OT environment is no longer practical or effective.”

Speaking separately to Mining Technology, Ross Phillipson, an Australia-based cybersecurity and information governance lawyer at A&O Shearman, also points to IT/OT convergence as an emerging threat in the mining sector. He adds that it is “often ageing OT equipment that gets exposed through this attack surface”.

Digital integration a top concern

Last October, EY published its ranking of risks and opportunities in mining for 2024. Speaking with 150 senior executives and stakeholders globally, it identified the sector’s most pressing challenges and greatest prospects. Cyber threats made it into the Top 10 for the first time in four years, with remote working and the IT/OT convergence as a key cause of concern, alongside the geopolitical environment, including the war in Ukraine. In fact, it put the integration of digital technologies high on mining execs’ list of concerns (at 74% compared with 37% across industries more broadly).

Mining is taking the matter seriously, with Soh suggesting that in the past five to seven years companies have invested heavily in developing the core foundations for cybersecurity. This has included appointing senior executives responsible for cyber, whether a chief information security officer or a manager of cybersecurity, depending on the organisation’s size and structure, says Soh.

He adds that the US National Institute of Standards and Technology (NIST) Cybersecurity Framework has become the default standard for prioritising cyber capabilities and for assessing cyber control maturity. It provides what NIST says is a “taxonomy of high-level cybersecurity outcomes” applicable to any organisation, regardless of size or sector, “to better understand, assess, prioritise and communicate” its cyber goals.

“One common trend is the adoption of ‘Security by Design’ by high-performing organisations… intended for the cyber function to be more than just the protector for the organisation,” continues Soh, thus creating value through earlier engagement in the capital project and software development life cycle, and embedding security design requirements. He adds a cautionary note for those not yet onboard: “Without this mindset, business stakeholders will inevitably find ways to achieve their objectives; however, they may introduce cyber risk that could have been avoided.”

Phillipson, meanwhile, points to the Australian Energy Sector Cyber Security Framework (AESCSF), which, he says, has a “real focus on OT componentry”. The AESCSF was developed in 2018 by the Australian Energy Market Operator, industry and the Australian Government.

A two-speed cyber strategy

Whilst technologies, protocols and security requirements seem to be ever more complex, one class of weakness remains, for the time being at least, uncomplicated. The “human firewall”, together with poor patching regimes (systems left running without current security updates) and the lack of multi-factor authentication controls, is what Soh describes as the “common denominator for numerous high-profile cyber incidents”. He says nine in ten cyber events involve relatively simple phishing practices.

Certain mining infrastructure is more vulnerable than the rest. “It is not a flat risk because some of these operating assets are older than others,” says Phillipson, suggesting that it may be difficult to get funding to re-architect some of the OT/IT interfaces. For remote mines in particular, improper management of patching protocols is a “real risk”, he adds, noting this is sometimes done manually, with workers driving from site to site.

EY’s advice is to maintain a “two-speed” cyber strategy, allowing longer-term strategic cyber controls to be designed, tested and implemented through a traditional waterfall approach akin to a capital programme, since investment funding for cyber/technology is governed centrally. “However, in tandem maintain a tactical funding envelope that allows for small teams to rapidly assess and remediate cyber gaps, by-passing the long project life cycles – for multi-factor authentication gaps, for example,” Soh adds.
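The two “simple” gaps singled out above, stale patching and missing MFA, are the kind a tactical team can find and rank from inventory data it already holds. The script below is an added illustration of that triage, not EY’s or Soh’s tooling and not anything the article describes in detail: it reads a constructed host inventory and identity export, flags hosts past an assumed patch SLA (30 days for IT, 90 for OT, both assumptions) and accounts with privilege or remote access but no MFA, and orders the result so the worst items surface first. The SLAs, severity rules and every record in it are invented for the example.

```python
"""Triage the 'simple' gaps (stale patching, missing MFA) from an asset and
identity inventory so a fast-track team can work the backlog.
Added illustration only; all data below is constructed and the SLA thresholds
and severity rules are assumptions, not the article's."""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Host:
    name: str
    site: str
    zone: str            # "IT" or "OT"
    last_patched: date
    internet_exposed: bool


@dataclass(frozen=True)
class Account:
    user: str
    privileged: bool
    remote_access: bool  # VPN or remote-site access
    mfa_enrolled: bool


# Assumed patch SLAs in days. OT gets a longer window because patching usually
# waits for a maintenance outage, but overdue OT hosts are still ranked high.
PATCH_SLA_DAYS = {"IT": 30, "OT": 90}

AUDIT_DATE = date(2024, 3, 1)   # constructed audit date

SAMPLE_HOSTS = [                # constructed inventory
    Host("plc-hist-01", "Site A", "OT", date(2023, 11, 1), False),
    Host("vpn-gw-01", "HQ", "IT", date(2024, 1, 15), True),
    Host("fileserver-02", "Site B", "IT", date(2024, 1, 20), False),
    Host("eng-ws-07", "Site B", "IT", date(2024, 2, 20), False),
]

SAMPLE_ACCOUNTS = [             # constructed identity export
    Account("ot.admin", True, True, False),
    Account("vendor.contractor", False, True, False),
    Account("ciso", True, True, True),
    Account("site.clerk", False, False, False),
]


def patch_findings(hosts, today):
    """Hosts past their patch SLA, most urgent first.
    Internet-exposed or OT hosts are 'high'; the rest 'medium'."""
    out = []
    for h in hosts:
        overdue = (today - h.last_patched).days - PATCH_SLA_DAYS[h.zone]
        if overdue > 0:
            sev = "high" if (h.internet_exposed or h.zone == "OT") else "medium"
            out.append({"kind": "patch", "target": h.name, "site": h.site,
                        "days_overdue": overdue, "severity": sev})
    # 'high' before 'medium', then the most overdue first
    return sorted(out, key=lambda f: (f["severity"] != "high", -f["days_overdue"]))


def mfa_findings(accounts):
    """Accounts with privilege or remote reach into the estate but no MFA.
    Privileged ones are 'high'; remote-only ones 'medium'."""
    out = []
    for a in accounts:
        if not a.mfa_enrolled and (a.privileged or a.remote_access):
            out.append({"kind": "mfa", "target": a.user,
                        "severity": "high" if a.privileged else "medium"})
    return sorted(out, key=lambda f: (f["severity"] != "high", f["target"]))


def tactical_backlog(hosts, accounts, today):
    """Combined, severity-ordered backlog for the fast-track remediation team.
    sorted() is stable, so patch items keep their own order within a severity."""
    items = patch_findings(hosts, today) + mfa_findings(accounts)
    return sorted(items, key=lambda f: f["severity"] != "high")


if __name__ == "__main__":
    for item in tactical_backlog(SAMPLE_HOSTS, SAMPLE_ACCOUNTS, AUDIT_DATE):
        print(item)
```

On the constructed data the OT historian (121 days unpatched against a 90-day SLA) and the internet-facing VPN gateway come out first, followed by the un-enrolled OT administrator; the clerk with no remote access and no privilege is not flagged under the assumed rules, which is exactly the sort of policy decision a real inventory audit has to make explicit.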

Cyber vulnerabilities in the supply chain

An organisation’s cybersecurity is not only an internal issue: supply chains can represent a significant vulnerability too. Soh looks to the financial services sector to illustrate how critical it is to ensure security through third-party vendors. Here, in certain instances, regulation already calls for oversight and control of third and fourth parties.

In addition to securing remote mining sites, companies need to assess the cybersecurity of third-party vendors. Credit: Bashi Kikia/Shutterstock.

Regulations governing mining are, in some instances, forcing companies to evaluate their supply chain risks. This includes looking at potential service and operational disruption caused by third-party suppliers of software and technology services. However, Soh warns companies to beware of the “hot potato” effect. “For mining organisations the accountability for third-party risk management often falls between the cracks of procurement, commercial, legal and technology governance,” he says.

EY suggests having a framework for tiering suppliers by the criticality of their services and software, together with a record of the status of key contract terms and conditions. These might include elements such as a right to audit, penalties for service outages, ownership of intellectual property, compliance with specified cybersecurity standards and data breach notification obligations. A further element is to be ready for low-probability, high-impact, or “black swan”, events by having robust technology service and business continuity plans, and testing them regularly.

Reinforcing cybersecurity key as IT/OT converges

With reliance on IT and OT heavier than ever before, reinforcement against cyberattacks is becoming increasingly important. Recent years have shown that no industry is immune; indeed, the more critical the sector, the more likely it is to be targeted. The business interruption, financial loss and reputational damage such attacks wreak can be disastrous, but other consequences might even prove fatal to mining businesses and those working for them, among them risk to health and safety and loss of the licence to operate.

In the coming months and years, the “hot potato” that is IT, its relationship with OT and how both can be safeguarded may become a little less fraught and complex.

“We are entering a shift in architecture,” Soh concludes. “Almost all cyber strategies will align or partially align with zero trust architecture principles. Zero trust principles will reframe organisations’ baseline capabilities in cyber and zero trust readiness.”