Unfortunately, cyber criminals read the financial news too and their attacks follow the money. It’s not just the major firms like BHP and FMG that need to be wary; smaller miners and their supporting vendors are at equal if not higher risk. In the last twelve months Slipstream Cyber has seen ransomware and account takeover attacks against a range of mining sector participants including drillers, transporters, engineering, maintenance and mine operations.
These attacks are not hitting mine operational technology but corporate IT operations. While this might be a relief, and perhaps more to do with good luck than design, these attacks are still having a major impact. Attacks on corporate IT networks may not directly shut conveyor belts that often, but they certainly cause very significant business disruption, soak up massive amounts of management time and damage investor confidence. Companies that are already working hard to maintain their social license to operate are faced with new data breach regulation concerns driven by the Office of the Information Commissioner or ASIC.
Mining-focussed organisations can protect themselves by taking the following steps:
- Ensure cyber is firmly on the corporate risk register. The cyber risk to mining and affiliated companies is profound and on the rise. It is not a matter of if, but when. We have helped over 150 victims of cyber-attack in the last year alone and without exception, the stress, complexity and indirect costs caused by the attack surpassed the victim’s imagination. The mining industry is well used to managing risk of all kinds from Geo-Political to Health & Safety. Using these same robust risk management processes for Cyber is essential.
- Test the assumptions about risk and controls. While OT networks have not been the primary attack destination, they remain the holy grail for many hackers. Hackers fully appreciate the value of disrupting operational technology and are persistent with their efforts. If mining boards and executives are hearing assurances that there is no chance an attack on IT can harm OT, a penetration test can show the vulnerabilities hidden in plain sight.
- Don’t lump cyber onto already stretched technology teams. Mining companies are forward leaning, adopting technology at rates far in excess of the broader economy. Just look at mining’s adoption of remotely operated and fully autonomous vehicles, remote sensing and drone technology. This drive to implement new technology can put technology organisations under considerable pressure, and adding cyber risk management without adequate resourcing results in corner cutting, often with catastrophic results. Securing IT and OT networks doesn’t need to be expensive, but it does need to be deliberate, planned and coordinated.
Visit Slipstream Cyber at the Mining conference and hear about our experience and approach to protecting mining, oil and gas companies in Australia and abroad.