Copper Mountain Mining Corporation preventively shut down operations at its Copper Mountain mine, located near Princeton, B.C., from Dec. 27 to Jan. 1 after the company was hit by a ransomware attack. Courtesy of Copper Mountain Mining Corporation.

As the extractive sector becomes increasingly automated, companies have to be aware of cybersecurity threats and how they can negatively impact safety, reputation, operations and finances.

Rob Labbé was appointed chief information security officer (CISO)-in-residence on July 4 for the Mining and Metals Information Sharing and Analysis Centre (MM-ISAC), a non-profit, industry-owned corporation established with the aim of improving the cybersecurity of metals and mining companies. The organization currently has 20 members, six of which are based in Canada. 

Labbé told CIM Magazine that the MM-ISAC tracked 11 cybersecurity incidents in July 2023 from a combined sample of the organization’s members and publicly reported incidents globally. This year, MM-ISAC noted an average of two to three cybersecurity incidents in the extractive sector each month. Last year, the number was around one to two cybersecurity incidents each month, which means the number of incidents since last year has doubled. Labbé said it is too early to tell if the July figures are the start of a new trend.

He said that the most common cybersecurity threat for companies in the extractive sector is ransomware, which is a type of malware designed to lock a company out of its files or systems until a ransom is paid.

“A company that doesn’t rely on technology to perform their daily operations is not an attractive target to [hackers], because they don't have the leverage to extort you for money,” Labbé explained. “As we get more technology-driven and more complex, now we become a more attractive industry to those people.”

Labbé said that the extractive sector is seen as a lucrative target for hackers, but the threat may not be on the radar for most companies.

“Cyber risk hasn’t made it to a lot of the boards and executives in a significant way, so they’re unprepared to manage it as a company-wide event when an incident happens,” Labbé said. “Cybersecurity threats are very much seen as a technology problem in the industry, where really it needs to be looked at as a business risk.”

He added that while companies of all sizes face the risk of cybersecurity incidents, smaller companies are more at risk because of fewer resources.

In 2021, according to a Statistics Canada survey, 27.5 per cent of Canadian mining, quarrying and oil and gas extraction businesses were impacted by cybersecurity incidents, and 12.5 per cent of businesses in this sector were impacted by incidents to steal money or demand ransom payment.

Labbé pointed to a recent example of a significant cybersecurity incident in the mining industry as Copper Mountain Mining Corporation’s ransomware attack, which occurred on Dec. 27 of last year. The company preventively shutdown its mill near Princeton, B.C., until Jan. 1 to address the attack and gradually returned to full production on Jan. 4, according to a Jan. 6 press release.

In a July 19 article, the Globe and Mail reported that Canadian miner Barrick Gold Corp. was one of at least 376 organizations impacted by a global data theft incident. Barrick Gold has yet to publicly confirm the attack took place.

The Canadian Centre for Cyber Security (CCCS) counted about 305 reports of ransomware attacks last year, up from the 295 reported the year before. Sami Khoury, the head of the CCCS, told The Canadian Press in an article published on July 19 that the number could be ten times higher as many organizations are too embarrassed to report that they have been impacted by cybercrimes.

Labbé said that it is often cybercrime groups that publicly announce the attack, instead of the company itself.

“When you communicate poorly, it becomes a massive distraction,” he said. “You’ve got employees, shareholders, investors and media asking you what’s going on, which raises the pressure in the room. Good communication turns down the external volume so you can focus on the actual problems.” 

Labbé said that to prevent a cybersecurity incident in the first place, all companies should plan for cybersecurity incidents and have action protocols in place for them. He compared the importance of planning to a fire drill. “Instead of hoping it doesn’t happen, companies need to realize this is something that has a high possibility of happening. Hope is not a security control,” he said.

As the new CISO-in-residence at MM-ISAC, Labbé’s role is to provide education and guidance to the industry. He also provides one-on-one counselling to MM-ISAC members on how to increase their cyber resilience.