Why the mining industry should be taking cybersecurity seriously

Cybersecurity is a dangerous blind spot for the mining industry – but it shouldn’t take a catastrophic event for businesses to start taking this threat seriously.

Report after report has found that the mining industry is failing to grasp the seriousness of cybersecurity attacks. PricewaterhouseCoopers’ Mine 2020: Rocky but Resilient report, for instance, found that the percentage of mining and metals CEOs who are extremely concerned about cyber threats has actually gone down in recent years, from 21 per cent in 2018 to 12 per cent in 2020 – despite a four-fold increase in the number of reported cyber breaches among mining companies over a similar period.

In 2019, State of Play’s Cybersecurity report analysed Australia’s largest mining companies, including BHP, Rio Tinto, South32 and Anglo American, and found that 98 per cent of top-level executives believed it would take a catastrophic event to drive an industry-wide response to cybersecurity.

What can go wrong?

Cryptoloc founder and chairman Jamie Wilson says the stakes are high when it comes to cybersecurity and the mining industry. In today’s increasingly automated and interconnected world, a successful attack could put mining operations, equipment and data at risk – and it could threaten people’s lives.

“If someone hacks into a mining system, then they can take control of that system and its operations remotely,” he warns. “So if you’ve got autonomous vehicles running around, they could take control of those vehicles. You don’t want trucks on a mine site crashing into each other, into equipment, or into human beings.

“And that’s just the tip of the iceberg – what if you’ve got people underground, and a bad actor shuts off their air supply?”

Wilson notes that cyber espionage is another major concern for mining organisations that are “rich in data and information”, all of which could be leveraged by cyber attackers. In 2011, for instance, BHP was targeted by attackers seeking to gain access to market pricing for key commodities.

Phishing attacks, usually in the form of malware attached or linked to in an email, are increasingly common in the mining industry. A Symantec internet security threat report found that more than 38 per cent of the users in the mining industry had been hit by a malicious email, a higher percentage than any other industry.

This is no idle threat, either – Canadian mining company Goldcorp lost over 14 gigabytes of corporate data in a 2016 attack; a cyber attack on a German steel mill caused “massive damage” to a blast furnace in 2014; and Norsk Hydro, one of the world’s largest aluminium companies, was dealt up to $70 million in damage after opening an email infected with ransomware in 2018.

Why is the mining industry vulnerable?

Thomas Leen, Global Head of Cybersecurity at BHP, has said that the mining industry has “a low level of cybersecurity maturity”, mainly due to “legacy environments that lack basic capabilities”.

Cryptoloc’s Jamie Wilson agrees that mining is particularly vulnerable to cyber attacks because of the archaic processes and technologies that are commonplace in the industry.

“Some of the mining systems that are currently in use were developed as far back as the 1970s,” he says. “We’re talking about very specialised machines that run on very specialised software. These machines are worth large sums of money, and downtime is extremely costly. So it’s a major challenge for some of these companies to say, ‘You know what, let’s overhaul our system and start taking cybersecurity seriously’.

“Honestly, I get it. I can see why mining executives put cybersecurity at the bottom of the priority list, because the cost of making the necessary updates is substantial in terms of downtime. You start running behind time and you’re looking at massive amounts of money.

“That’s why most of these executives aren’t going to take it seriously until they fall victim to a catastrophic cyber attack. That’s when they’ll turn around and say, ‘We’ve got to do something because it’s happened now and it will happen again’.

“Until that happens, until a disaster forces their hand, you’re really looking at an industry that prioritises revenue over security.”

Short of a catastrophic event, Wilson believes the mining industry will only change its approach to cyber security if it is forced to by government-led initiatives and legislation.

“It reminds me of the industry’s approach to health and safety,” he says. “There was a time, not that long ago, when businesses wouldn’t worry about putting up safety nets and scaffolding and things like that. Today, health and safety is everyone’s number one priority, because they have to comply with strict legal obligations.

“We need to see those types of expectations being applied to cyber security – it needs to be a basic policy, for instance, for mining companies to start securely encrypting their data, so they can control who has access to their information.

“But it needs to be driven from the top down. We need to see the government putting forward cyber practices and policies to protect the people – because otherwise, there’s too much profit at stake for the industry to police itself.”