Deep impact: protecting mining operations from cyber attacks
The metals and mining industry is under threat from cyber attacks aimed at exploiting its strategic position in global supply chains. Julian Turner talks to Mike Elliott, global mining and metals leader at Ernst & Young, about the firm’s recent information security report and why the industry must wake up to the threat posed by hackers.
Volatile commodity markets, resource nationalism, spikes in supply and demand, a scarcity of investment capital to fund early stage exploration - until now, the threats faced by global mining and metals companies have largely been limited to commercial, logistical and political considerations.
But, as a recent report published by Ernst & Young (EY) vividly demonstrates, the industry now faces a new threat in the shape of coordinated cyber attacks launched by hacktivists, hostile governments and organised criminals, all intent on exploiting the sector's increasing reliance on integrated IT systems and the important role that mining commodities play in global, regional and local supply chains.
"The mining and metals industry thought that cyber-hacking was something that only affected banks and credit card companies - until they started to get impacted," says Mike Elliott, EY global mining & metals leader. "As we talked to companies we discovered that this was far more prevalent than we realised and that the risks were very, very large - yet no one was talking about or publicising it.
"Each group has different motivations for carrying out cyber attacks, but in the context of mining and metals the real concern is not around confidential information, which is seen as a lesser driver than denying companies the ability to produce and supply."
Risky business: identifying the threat to cyber security defences
EY's 'Global Information Security Survey 2013-2014' found that 41% of respondents from the mining and metals sector experienced an increase in external threats over the past 12 months, while 28% identified an increase in internal vulnerabilities over the same period.
According to Elliott, cyber security attacks have the potential to become a top ten strategic risk and the situation is likely to worsen as mining and metals companies invest in centralised IT systems and network infrastructure to better connect their geographically diverse workforce.
"We've been living through a period of very rapid economic growth, particularly in countries such as China and Brazil, which in turn has stimulated supply from mining and metals producers," he says. "Prices have risen, which makes cyber crime much more financially attractive. It's become a strategic soft spot for economies that are dependent upon a regular and increasing supply of raw materials."
The EY report identifies three main threats: government-led cyber attacks including advanced persistent threats involving intelligence agencies and the military of sovereign states; attacks by informal activists taking advantage of companies' increasing dependency on the internet; and organised criminal gangs looking for ways to threaten the denial of access to data, processes and equipment.
"Each group has different motivations," explains Elliott. "Politically motivated hacktivists may seek to prevent supply in order to profit from the party that has been directly impacted by the attack, while organised crime may do so in order to manipulate short-term pricing on the derivatives market."
The EY report offers up an example whereby a criminal takes a long position in copper on the London Metal Exchange and then proceeds to use cyber hacking to disrupt supply at key copper production facilities causing prices to spike.
"You're looking at commodities - copper being one example - that may be impacted by small changes in supply," Elliott says. "If you were able to shut down production at a significant copper mine even for a matter of weeks then that would have an immediate impact on copper prices. Criminals may be able to trade in those derivatives and profit by taking the opposite position. In terms of national governments it would be part of denial of raw materials to strategic supply chain with the intent of causing economic damage."
Raising the stakes: infiltrating SCADA control systems
Lest such claims give off a whiff of paranoia, Elliott cites a recent case study involving an EY mining client. After experiencing problems with a supervisory control and data acquisition (SCADA) system, the company discovered unauthorised changes that had been unintentionally uploaded into the source code from a maintenance contractor's laptop. The changes were designed to disable the auto-shutdown protections of the equipment and thereby allow the destruction of the equipment.
"They didn't suffer a loss, but they certainly could have and the idea that they discovered this almost by chance scared the stuffing out of them," says Elliott. "The SCADA system operates semi-intelligent production and factory equipment, so most companies haven't built high-level security around it.
"Now, these systems are increasingly connected. For example, a maintenance engineer running post-voyage diagnostics on a large ore carrier may plug a laptop into the ship's control centre. If that laptop contains a malicious Trojan Horse, the virus can be uploaded onto the ship and alter code.
"How does this get onto the engineer's laptop? It could come via the internet, their workplace, hacking activities or, in some cases human agents who befriend the engineer and then upload programmes onto their machine.
"The stakes are so high now that it's not simply a question of someone remotely connecting through a communications line; it could be a combination of that and using people-to-people contact in order to upload malicious programmes onto computers," he adds.
A wake-up call: taking the fight to the cyber-hackers
A total of 44% of the mining and metals respondents in the EY survey claimed their organisations do not have a threat intelligence programme in place and 38% indicated that they only employ an informal one. The reasons for this include skill shortages, security maturity, headcount reductions or budget constraints, especially amid a volatile economic environment and falling commodity prices.
Against this backdrop, is the industry finally waking up to the threat posed by coordinated cyber attacks? And what measures it can take to protect itself, besides using data analytics to identify potential threats and conducting attack and penetration tests more frequently?
"Cyber crime enforcement agencies in developed nations have been proactive in briefing impacted parties, which is making it all the more real for mining companies," Elliott says. "Belatedly we are seeing a significant response to that. It's like an arms race out there - if the other guys have the advantage, then industry is always trying to play catch up. They are doing more than they were a couple of years ago but the perpetrators are always a couple of steps ahead."
With Elliott predicting that extreme price volatility in the mining and metals sector will continue for the next two to three years, the rewards for the hackers remain high and the threat very real.