A panel of cybersecurity experts from across the industry kicked off the Global Mining Symposium this week with a discussion of how mining companies can build cybersecurity-resilience into their operations.
Yogen Appalraju, a partner and cybersecurity leader at Ernst & Young Canada, moderated the panel, which consisted of Chandra Majumdar, Ernst & Young’s cyber threat management leader, David Rae, president and CEO of Dundee Precious Metals (TSX: DPM), and Effie Simanikas, Iamgold’s (TSX: IMG; NYSE: IAG) vice president, operations, finance and information technology.
Appalraju opened the discussion by asking Majumdar about the most critical cybersecurity threats facing the mining industry. “The most common one we see is where the attacker compromises someone’s credentials and uses their email to send instructions to a third-party to change banking information for whatever reason,” Majumdar said.
That type of attack is called a business email compromise and will increase as more mining companies start using the cloud to store information, Majumdar said, adding that mining companies and vendors can be affected. Often mining companies can end up paying bills to the wrong account, he explained.
Ransomware is the second most prevalent cybersecurity threat, according to Majumdar. It occurs when the attacker holds the company’s data hostage to extort money, and has rapidly increased over the past few years. Ransomware isn’t confined to IT systems, he added, and can also target operational technologies such as plant, equipment, and machinery and the systems used to monitor and control them, preventing companies from conducting their operations.
The third type of attack, although uncommon, is where a mining company merges with another organization or sells off its mine sites, Majumdar said. “The intermediary that is negotiating the sale or purchase of the asset or assets is targeted, as the information they possess, such as the terms of the bid, could give an adversary critical information and an upper hand in any negotiations.”
The discussion then turned to how companies can develop effective strategies to protect themselves from these cybersecurity attacks, and in particular how they can defend against attacks on operational technologies. These are often integrated and automated systems that control processes such as raw material supply, manufacturing and production, and logistics and distribution.
Attacks against any part of the supply chain can cause substantial asset, capacity, and financial damage to the company.
Simanikas described how attitudes are beginning to change in the mining industry towards cybersecurity threats.
“About three or four years ago, if I had started talking to the board or the executive team about operational technologies, it would have been challenging to get as much buy-in,” she said, but that has changed, partly through efforts to educate the workforce about what cybersecurity means and what the threats are. “We instill in them that it is everybody’s responsibility.”
“By making everyone part of our cybersecurity framework, it’s much easier to have these types of conversations,” Simanikas said. “It’s all about establishing a relationship first and that sense of trust and awareness of what do we mean by cybersecurity threats and what we can do about them.”
Even so, she said, there can be concern at the site level that introducing cybersecurity protections could disrupt operations or affect production.
Dundee Precious Metals’ Rae noted that the mining industry hasn’t traditionally considered the risks posed by threats on their IT systems or operational processes.
“We realised how narrow our view was in terms of the risk and how much greater our response needed to be,” he said. “As we began to understand the risks better, we undertook a cybersecurity maturity assessment that identified around 20 different items, filtered that down to eight priority areas, and then put together a plan to address them.”
In building the different cybersecurity layers, companies have to be diligent and continually have their thinking tested to ensure that any new controls are adequate, he added.
Appalraju pointed out that many companies treat cybersecurity as a project rather than a journey.
Simanikas outlined a list of priorities for tackling the problem. “First and foremost, there should be regular communication to the C-suite and the board on what the cybersecurity threats are and how they are evolving,” she said. “This approach makes cybersecurity part of the company’s culture.”
She also felt that running multiple projects, in which non-IT personnel are made aware of the threats to cybersecurity and how the company plans to protect against them, could be a valuable approach.
Regular presentations to the board, an understanding of what each current phase and future phase of a cybersecurity program looks like, regular E-learning activities, and dashboard and communication meetings can help create a culture of cybersecurity awareness within the company, Simanikas said. “If you want to see it as a project, that’s fine, but be aware that it’s a hundred-year project with multiple phases,” she noted.
Rae echoed Simanikas’ view that the approach should involve understanding priorities, identifying a company’s maturity level, and measuring progress against a company’s goals.
“We’re fortunate that our board has been engaged from day one when we identified several threats that the board was seeing, and it became necessary to look at how we could set up appropriate governance,” Rae said.
He also noted that the introduction of the General Data Protection Regulation (GDPR) in Europe last year placed the onus on companies to protect their staff’s personal information.
“As all of our gold mining operations are in Europe, there is an expectation from local governments, as well as shareholders and employees, around cybersecurity that has driven the need for companies to prioritise cybersecurity,” Rae said.
Company boards need to provide C-suite executives with the space to make the appropriate decisions, Rae continued, and the complexity of GDPR provided the necessary licence, backing, and funding to develop a comprehensive cybersecurity strategy.
GDPR contains provisions and requirements around the processing of data for individuals located in the EU and European Economic Area (EEA) countries and the transfer of this data outside the EU and EEA areas. It applies to any organisation that is processing the personal information of employees inside the EEA, regardless of its location or the employee’s citizenship or residence status.
Appalraju noted that about 75% of cybersecurity breaches exploited employees of companies, who provide a potential portal for would-be attackers.
Majumdar expressed surprise that this figure was not closer to 90%, given that, on a daily basis, about 95% of cybersecurity attacks are on employees. He noted that cyber-attackers have to come through an employee to gain access to operational technologies, which usually happens through an email.
“The key to protecting a company from these types of attacks is to make cybersecurity an integral part of an organization’s culture,” he said.