
Mining report: Mining companies face rise in cyber-hacking threat

Many heavy industries are targets of hackers, but resource sector cost cutting and opposition from activist groups are increasing miners’ vulnerability to sabotage
Richard Henderson, Burnaby-based security strategist with FortiGuard Labs, said activist groups look to penetrate networks in order to give a mining firm a “black eye.”

Mining companies have long had to contend with fluctuating commodity prices, stringent environmental regulations and the high capital costs of developing a mine – each hurdle bringing with it the potential to derail a project.

But an EY report released in late October finds that mining firms are facing a new, potentially dangerous challenge: cyber hacking.

In EY’s 2013 Global Information Security Survey, 41% of mining respondents have experienced an increase in external threats such as activists and government-led cyberattacks in the past 12 months, while 28% have experienced an increase in internal vulnerabilities such as insider theft of data over the same period.

Richard Henderson, a Burnaby-based security strategist with FortiGuard Labs, the research arm of network security firm Fortinet (Nasdaq:FTNT), told Business in Vancouver that while the issue of cyber-hacking is “systemic to all heavy industry in Canada and not the exclusive domain of mining,” mining companies are targets for hacking because environmental organizations and other groups oppose many of the industry’s resource extraction projects.

“In the case of activist groups, they are looking to penetrate networks or enlist people to help them penetrate networks to find information that could potentially lead to a black eye,” said Henderson.

“Then they can go to the press and say ‘Hey look, mining company 123 just dumped 20 million litres of tailings fluid into a river.’”

Cost-cutting measures are, in part, to blame for the increase in hacking. According to the report, mining firms have been combining their IT systems, typically the system that governs corporate networks and databases in offices, and their operational technology (OT), the systems that control the critical machinery and industrial systems at mine sites.

Rafael Etges, information security leader at EY, said that hackers don’t routinely attack OT systems. IT systems, however, are always under threat. By combining the two, “you are bringing the vulnerability presented to IT systems to an OT environment. An OT hack can disrupt operations. That poses a big threat.”

Although cyberattacks are on the rise, 44% of the mining firms surveyed said they had not established a formal cyber security program, while 38% have an informal one in place.

Etges said that disconnect is the result of the mining world having been historically focused on the well-being of its miners. Security has always been associated with safety, not necessarily cyber protection.

“Their business is to work on mines, they are not the banking system,” said Etges. “They have many considerations, and they have some security in place, but full allocation isn’t exactly top of mind.”

Eric Byres, chief technology officer with Tofino Security, a company that specializes in building firewalls for OT systems, said the lack of cyber security in the mining world is the result of simple, however flawed, human nature.

“We underestimate risk, especially if it is not everyday risk,” said Byres. “As long as it’s in the distance we worry about it tomorrow.”

But, echoing Etges’ sentiments, Byres said the potential threats to the mining world from hacking OT systems can be significant.

“You can use these systems to deliberately cause financial loss, reputation loss, environmental damage or the complete destruction of operations,” said Byres.

“You have to take this seriously and understand what your risks are. There are things you don’t want to happen and you should deal with that with a focused cyber security plan.”

Hacking stats for Canadian companies

In the first half of 2013, companies reported:

  • Unsuccessful hacking attempts: 11.6 million

  • Number of times a user was tricked into trying to visit a potentially malicious site: 257 million

  • Blocked phishing emails: 360,000

  • Common phishing themes: account statements, online account suspension, verification of account info, social media alerts, infected documents

Global stats

  • Unsuccessful hacking attempts: 142 million

  • Number of times a user was tricked into trying to visit a potentially malicious site: 3.14 billion

  • Blocked phishing emails: 4.45 million

  • Common phishing themes: account statements, online account suspension, verification of account info, social media alerts, infected documents

Four reasons for cyber hacking increase: EY report

  • Centralizing functions: to cut costs, mining firms have converged their IT and OT systems. OT systems are inherently less secure.

  • Government-led cyberattacks: the objective of government-led attacks, according to the report, may be the collection of commercially sensitive information from mining and metals companies to help with contract negotiations or, in some cases, to shut down mining facilities through the use of malware.

  • The rise of informal activists: groups opposed to mining can turn to hacking to disrupt production, expose confidential information or deface a company’s website.

  • Security programs not routinely deployed: 44% of the mining firms did not have a formal cyber security program; 38% have an informal one in place.

Data for EY’s Global Information Security Survey 2013 was compiled in July and August.

In total, 1,900 respondents from sectors spanning mining, banking, life sciences, retail, manufacturing and government services participated. Of the 1,900 respondents, 39 were global mining firms.