What’s the worst thing that hackers could do to a mining company? It is a question that Cherie Burgett asks herself a lot. As the operations director of the Mining and Metals Information Sharing and Analysis Center (MM-ISAC), Burgett sees the threats every day.
“Right now I see general malware. Cryptominers” – programs that hijack computer resources to mine cryptocurrencies without permission – “are huge this year. Ransomware, which holds a company’s data hostage until a ransom is paid, is actually still pretty big as well,” Burgett told CIM Magazine. Most of these threats are mass market, common to any company in any industry, though no less problematic for their ubiquity.
But those are not the ones she loses sleep over. “The ones that we’re highly aware of are some of the nation-state activities against industrial control systems,” she said. Think Stuxnet, the highly sophisticated worm, uncovered in 2010, that destroyed Iranian centrifuges by targeting the SCADA systems controlling them. While neither mining nor Canada seem to be particular targets yet, the risk of similar attacks by ill-intentioned trespassers exists. “It is something that they’re practising,” said Burgett.
A shared defense against the dark web
Conceived in March 2017 at PDAC and incorporated in January this year, MM-ISAC is an industry-owned non-profit group with a mandate to share cybersecurity threat information and conduct security research on behalf of its members. The collaboration helps put the 10 current members on more even footing with hackers, who share and sell tools and knowledge of vulnerabilities freely amongst themselves on the dark web.
“Members get oversight,” said Burgett, “and they can stop attacks before they even start.” In one incident, a member company identified cryptomining malware on its network. Within hours of sharing the data with MM-ISAC, another member found and halted its own previously unrecognized infection at just a single computer.
“These hackers are casting a big net, and sometimes they’re not focusing just on one company,” said Luis Canepari, VP Technology at Goldcorp, a member of MM-ISAC. “The more information that we can share across the industry and facilitate to our peers, [the better] we can prevent something happening. If somebody has been hacked, everybody else can benefit from early remediation.”
The breaches in mining to date – the public ones, at least – may seem fairly innocuous compared to other news-making cybersecurity failures. In 2015, Detour Gold admitted that a server had been hacked, apparently in a politically motivated attack by a Russian group. In 2016, hackers attempted to extort Goldcorp, a wake-up call that led the company to triple its cybersecurity budget and prompted the conversations that led to the formation of the MM-ISAC. In each case, potentially sensitive corporate and employee data was accessed and released online. While the incidents were not catastrophic for either company, cyber threats to businesses continue to evolve and expand, as do regulations around data protection. This November, new provisions in Canada’s personal information security legislation came into effect. These provisions open companies up to fines if they do not document and report any data breaches, not only to the affected individuals but also to Canada’s Privacy Commissioner. These rules are in line with the EU’s General Data Protection Regulation (GDPR), enacted earlier this year.
A new operating expense
The reality is that cybersecurity is now a fundamental cost of doing business and ignoring it is even costlier. “In the last 12 months, there was $250 billion earned by the bad guys,” according to Greg Davison, Canadian area vice-president of FireEye, a cybersecurity firm that works with several miners, including Goldcorp. “That’s money the good guys are losing. And that’s just the financial side. That’s not necessarily including the reputational risk or the operational.”
“It’s one thing to lose data,” said Canepari, “but once you start losing production because critical systems are being compromised, that’s a direct hit to your revenue. I think that is the biggest risk in the future.”
As with critical infrastructure and utilities, breaches of operational technology (OT) systems can have other consequences: lives are literally at risk when industrial machinery malfunctions. In a 2014 incident (overshadowed at the time by the headline-grabbing Sony hacks), attackers disrupted a German steel mill’s control systems, causing an unregulated shutdown of a blast furnace and “massive” system damage, though fortunately no injuries.
Playing catch-up
In spite of the growing threat, a 2017 Ernst & Young Global Information Security Survey found that 48 per cent of energy and resources respondents believed it was unlikely their organization could detect a sophisticated cyberattack, let alone prevent it.
“They’re playing catch-up,” stated Michael Rundus, a partner at Ernst & Young, and the consultancy’s mining cyber leader. “Four or five years ago, oil and gas companies started to take operational technology cybersecurity quite seriously. It has probably only been in the last two or three years that the global miners have made a differential investment into OT security, and the rest of the industry is really only 12 to 18 months into their own journey.”
For many companies, catching up may mean starting over. “In the early days, cybersecurity was having a firewall and an anti-virus standard,” said Davison. “It takes much more than that today.”
As more systems and equipment become centrally controllable and automated, or simply generate and share real-time operational data, OT networks have become ever more intertwined with corporate IT networks. Where there used to be literal air gaps between the two, there are now frequently multiple links, and therefore multiple vulnerabilities.
“With the Internet of Things (IoT), we have hundreds of thousands of sensors on our mills, trucks and shovels, and all kinds of equipment being connected to our network,” said Goldcorp’s Canepari. “These are now devices that are also vulnerable to cyberattacks.”
“There’s always a firewall in place, and rules and so on, but you typically have very immature patching management and password protocols in place on some of those OT systems,” Rundus explained.
Air-gapping in an ever more connected world is obviously unrealistic. Instead, mitigating the risk comes down to testing your vulnerabilities. Goldcorp does a vulnerability test every quarter, said Canepari, and does targeted ethical hacking – penetration testing – at least once a year. Rundus agreed that is an important best practice. “It helps them understand that if people can compromise the corporate network, more than likely they can hop over into the OT network, or vice versa,” he said.
“We’re only at the forefront of attacks on the OT systems. It’s early days,” he added. “If they get compromised, there could be serious safety, operational and commercial consequences for that.”
Protect your crown jewels
According to Davison, step one is to define the very specific threat profile for your company. “Too many companies don’t understand what their real crown jewels are, and they haven’t done the due diligence in prioritizing efforts to protect them,” he said.
Ernst & Young has worked with mining companies to identify their biggest assets, including information, systems and technology, and physical assets, said Rundus. “And then you have to identify plausible scenarios that management could say, ‘That could actually happen.’”
The result? “Companies that thought they were advanced still had material vulnerabilities,” said Rundus.
To Davison, it is not a matter of if, but when. “It’s almost impossible to prevent everything,” he said. “I’d be spending my money as a Chief Information Security Officer (CISO) on effective detection and remediation.”
“Of the companies we are working with, probably 20 per cent have a long-term plan,” he added. “These 20 per cent are thinking strategically, understand where they’re at today, where their unique vulnerability is, and for every incremental dollar they spend, it’s buying down the highest risk.”
Getting the best bang for your buck need not be complicated. Of the 612 investigations FireEye undertook in the last 12 months, Davison said, 91 per cent of breaches originated with phishing or spearphishing attacks. “Everybody’s different, but sometimes that incremental spend to reduce the most amount of risk is just to invest in email [security].” Another simple – and often free – way to decrease risk, he added, is to implement multi-factor authentication wherever possible.
“We do a lot of cybersecurity awareness,” said Canepari, “trying to phish our own users. That has actually been very successful in reducing the amount of people who click on those phishing attempts.”
Joining information sharing groups like MM-ISAC can be another inexpensive tool. For a $25,000 annual investment, Burgett said, “members have gotten tremendous value in a short amount of time.”
“Statistically, today we see one per cent of IT spend on cybersecurity,” said Davison. “I would say the best-of-breed companies that are going at the problem the right way are typically spending six to 10 per cent of their IT budget on cybersecurity.” Needs and abilities vary, but Goldcorp, smarting from the 2016 breach, now spends 15 to 20 per cent of their IT budget on cybersecurity, according to Canepari.
“You’re never done,” said Davison. “The adversaries are always going to get better. But for every dollar you spend and every time allotment of your human capital, you want to be reducing your risk to the greatest extent.”