Do mining companies need to wake up to the cyber threat?

3 September 2018 (Last Updated December 23rd, 2019 11:11)

A recent report from EY reveals that 97% of mining companies admit their current cybersecurity systems do not meet their needs, despite 55% of mining operators experiencing a significant cybersecurity incident in 2016. Do mining companies need to wake up to the cyber threat?

EY’s report shows that 48% of mining companies think it is unlikely that their organisation would be able to detect a sophisticated cyberattack. Credit: Courtesy of EY

Cybersecurity is paramount for companies in all industries, with global breaches predicted to cost $6tn by 2023, more than double the figure in 2015. But despite the importance of effective cybersecurity for the mining and mineral sectors, the industry has been slow to react, instead taking an “ad hoc” approach, according to a new study by EY.

The report, entitled Does cyber risk only become a priority once you’ve been attacked?, examines the stance that mining companies take on cybersecurity and asks whether more should be done. “Our primary objective was to increase awareness across the mining industry that cyber risk in mining companies is a real risk and that there are significant gaps in many organisations that need attention,” says EY global mining and metals cybersecurity leader Michael Rundus.

As the industry becomes increasingly digitalised, with automation taking over mine sites and artificial intelligence and big data increasing efficiency, the cyber threat will only continue to grow.

Change, however, is not coming quickly enough, leaving the mining industry vulnerable. EY’s report shows that 97% of mining companies admit that their current cybersecurity systems do not meet their needs. So, why has the industry been slow to respond to this major threat?

A growing threat

The mining sector has been quicker to embrace technological leaps in recent years. The benefits are clear, with developments increasing efficiency and safety during what has been a downturn for many metals and minerals. But companies must adequately protect themselves to ensure those benefits are not lost to malware.

EY’s report shows that 48% of mining companies think it is unlikely that their organisation would be able to detect a sophisticated cyberattack. The World Economic Forum now considers a large-scale breach of cybersecurity to be one of the five biggest risks facing the world today. This places cyberattacks as a global threat in the same league as climate change.

Attacks tend to target four sections of the mining industry: extraction, processing/refinement, stock management, and shipping. Each presents a different set of dangers, reducing productivity, stalling operations and causing financial turmoil. But given the notoriously dangerous environments that mine sites present, with heavy machinery, fumes and explosives, the effect of an attack on safety technologies such as wearables and gas detectors is potentially the most severe.

“Recently cybersecurity trends have targeted industrial control systems and these are the very systems that both drive the productivity of mining companies and the safety of the workforce,” says Rundus. “A compromise of these industrial control systems due to a cyberattack could have far-reaching implications on production and safety. Now imagine that the attack was caused by a well-known vulnerability that should have already been resolved. This poses some very difficult questions for a board and management.”

Funding and training

Ensuring effective cybersecurity solutions is easier said than done, and there are a number of challenges holding back mining companies. Mining companies have increased their cybersecurity budgets by 53% in the last 12 months, according to EY’s report, but this funding is not always used for the greatest benefit.

“While we have seen increased targeted investment by our clients to address cybersecurity, current budgets are not big enough to manage risk, particularly with the growing threat to operational technology,” says Rundus. The increasingly connected nature of devices, through cloud platforms for example, only compounds the problem.

Crucially, many companies struggle with the education of their workforce, meaning they are not always able to identify threats.

“Organisations are undertaking cybersecurity training and awareness programmes designed to educate the workforce about cybersecurity risks and making sure the right security behaviours are in place,” says Rundus. “Cybersecurity issues [exist] in all areas of their business from customers, operations and the back office. We must also remember that in many security breaches the ‘human factor’ has been exploited by some form of phishing or targeted campaign.”

For training initiatives to be truly successful, strong leadership will be needed in the mining sector. “Leaders in digital strategy are also leaders in collaboration,” says Rundus.

“Successful innovation is difficult for any organisation to achieve, so identifying the right partners is key to staying ahead of the curve. We estimate that mining companies are, in fact, lagging [behind] the rest of the energy sector in how they protect their operational technology. The technology that is in use in industrial control systems is typically old. If companies continue to take an ad hoc approach to cybersecurity, cyber risk could be their eventual downfall.”

Avoiding the ad hoc approach

Technology is advancing at a ferocious pace that is set to continue. But threats have developed alongside technology, keeping pace with these advances. In order for companies to really step up and prevent cyberattacks, they must stay ahead of the threats.

“Too many companies are taking an ad hoc approach or acting when it is already too late to manage their risks and vulnerabilities,” says Rundus. “Organisations need to understand the cyber threat landscape and have a clear plan that forms part of their digital road map and risk management plan.”

To truly prevent an attack, instead of simply fixing it after, companies need tailored solutions. “Companies need an effective digital strategy,” says Rundus. “The strategy needs to be meaningful and aligned to a company's overall purpose, and not something that is bolted on to existing business models.”

Collaboration can help educate the workforce and allow companies to learn from best practices. For mining and minerals companies to protect themselves, they will have to look to other industries to allow them to develop a fully formed and effective strategy that can evolve as a company progresses.

“In a world of disruption and industry convergence, companies find they need to collaborate to secure the skills, assets and support they need,” says Rundus. “Firms must put in place digital strategies which have collaboration and innovation at their core. The future of mining has a heavy digital lens with autonomous operations and data driving real-time decision making for efficient operations.

“Cyber needs to be a key consideration moving forward as the industry embarks on this significant change, otherwise the cyber risk may outweigh the business benefits.”