Mining companies continue to embrace digital technology to improve productivity and safety, and to make the most of insights made possible by big data and increasingly connected equipment and operations. But in the wake of at least two high-profile incidents involving the mining industry in recent months, experts agree that mining companies are not well prepared to deal with escalating and evolving cyber threats.
Cyber-attacks targeting miners seem to be on the rise.
Most recently, in December, Copper Mountain Mining (TSX: CMMC; ASX: C6C) put its Canadian treatment plant on a “preventative” shut down for six days after being hit by a ransomware attack.
During the downtime the company continued delivering copper concentrate to the Port of Vancouver from mine inventory and has maintained its planned shipping schedule.
On Jan. 1, the company resumed operations of the primary crusher, with mill operations (which were shut down preventatively following the attack) resuming shortly after. On Jan. 4, the mill was at full production, and the operation was being stabilized with the remaining business systems fully restored, it said at the time.
Throughout the outage, all environmental management systems at the mine were operational, and there were no environmental incidents or injuries to personnel. In October last year, a cyber gang also attacked a plant owned by Hamburg-based Aurubis, which recycles copper and produces about 1 million tonnes per annum of copper cathode.
At the time, the company said its incident “was apparently part of a larger attack on the metals and mining industry.”
Two months earlier, an environmental hacking group released documents from mining companies operating in Guatemala and Colombia.
Recorded Future, a Massachusetts-based cybersecurity company, reports that ransomware attacks in North America on manufacturing organizations, “especially related to metal products,” were frequent in 2022.
Dragos, a cybersecurity firm based in Houston, has stated that one criminal operation, LockBit, goes after mining and water treatment plants.
Professional services firm EY has also picked up on the cybersecurity threat to miners. According to the 2022 EY Global Information Security survey, 54% of mining and metals companies suffered a significant cyber-attack. The survey also found that 55% of mining and metals executives are worried about their ability to manage a cyberattack.
EY Canada cybersecurity leader Yogen Appalraju says a recent ransomware attack on an energy pipeline company again highlighted the vulnerability of asset-backed companies.
“The attacker has really performed an attack to exfiltrate money out of the organization,” he said in an EY internal video interview filmed last year.
It is reported that the attackers didn’t intend to shut down the pipeline operations. Still, when that organization was attacked, it felt that the attackers now knew about the pipeline and how to attack it. For safety reasons, they shut down the operations temporarily. “This could happen to a mining and metals organization as well,” Appalraju said. “And I would argue that mining and metal organizations should be prepared for such an attack, ensure they’ve got good visibility so that they can detect these attacks early and understand what’s happening, and make good decisions about whether it affects the operations or not, so you don’t have such an event happen.”
Rising prevalence
A 2022 analysis by Kaspersky ICS CERT found the internet itself posed the biggest threat to operations’ cybersecurity, with incidents rising in Canada in the second half of the year.
According to Kaspersky, 40% of global industrial control system (ICS) computers were attacked with malware. The firm estimates that 10.1% of ICS computers in the U.S. and Canada have been hacked since the start of 2023.
The company has tracked a fast spread of malware attacks on miners, specifically in Africa. “This is a high-growth threat landscape in Africa that no public or private sector entity, especially in critical sectors like energy and mining, can ignore,” Kaspersky said in a recent report.
One infected USB drive or a single spear-phishing email is all it takes for cyber criminals to penetrate an isolated ICS network, Brandon Muller, Kaspersky tech expert and consultant in the Middle East and African region, said in a recent press release.
“Traditional security is inadequate to protect industrial environments from rapidly evolving cyber threats,” he said.
Kaspersky advises that ICS is a collection of personnel, hardware, and software that can affect or influence an industrial process’s safe, secure, and reliable operation. IT is one component of this environment, with operational technology (OT) another critical element.
While traditional cybersecurity solutions focus on data-oriented businesses, ICS protection is geared towards OT security, which is all about cyber-physical companies such as utilities, mining, manufacturing, etc.
Proper cybersecurity precautions
According to Muller, effective OT cybersecurity measures must therefore include industrial endpoint protection to prevent accidental infections and make access by bad actors more difficult. It also entails OT network monitoring and anomaly detection to identify malicious actions on the level of programmable logic controllers and dedicated expert services to investigate the infrastructure, conduct expert analytics, or mitigate the impact of an incident.
“However, despite all the innovations in modern cybersecurity solutions, human error still plays a significant role in compromising ICS systems,” Muller suggests. “As such, it needs to be managed much more proactively than what is currently happening. This requires utility companies, mines, and others operating in the industrial environment to look at building a ‘Human Firewall.’”
Beyond the Human Firewall, Kaspersky suggests there are sector-specific interventions to consider. For instance, modern electrical power systems are complex environments requiring protection, automation, and control solutions covering all areas of electric power facility operation.
In addition to the technical challenges of securing this environment, organizational issues must also be considered. For instance, there’s a lack of guides defining actions to be taken when suspicious activity is detected within automated systems, and just as few documents and practices relating to investigating disturbances in technological environments, including malicious influence on control systems.
The bottom line is that mines are also hotbeds for potential attacks, especially when Industry 4.0 digital technologies link critical operational systems to data analytics and cloud environments, but miners lack the in-house skills to protect their OT and ICS environments adequately.
For these reasons, both Kaspersky and EY analysts agree that combining ICS cybersecurity solutions with ongoing user education and training are non-negotiables, especially when human lives are at risk.