Digital transformation can be a double-edged sword for mining companies. On one hand, it can improve operations, cut costs and reduce danger to miners. On the other hand, it can introduce risks that turn those improvements on their ears.

This often causes cybersecurity managers to object to digital innovation, warning companies that they are opening themselves up to unacceptable cybersecurity risks by introducing new technology. But it does not have to be that way; when properly managed, cybersecurity can be a business enabler.

“Digital transformation is supercharging efficiency in the mining sector, but it’s also widening the attack surface—the number of opportunities for cybercriminals to access a company’s internal systems—in the process,” noted Matt Breuillac, managing director at Perth, Australia-based Cyber Node. “As mining companies embrace cloud-based analytics, Industrial Internet of Things (IIoT) and remote operations, they’re also connecting OT [operational technology] and IT [information technology] environments more tightly than ever. In doing so, they’re exposing themselves to new classes of threats, many of which they’re not fully equipped to handle.” 

Those threats, he explained, are ones that the average enterprise does not face.

“While traditional businesses prioritize IT security, mining companies often prioritize OT security first due to its direct link to uptime, safety and environmental impact,” he said. “That’s because mining operations are built on a foundation of industrial IoT and legacy OT systems—technologies that weren’t designed with cybersecurity in mind, but now sit at the heart of critical processes. These environments are packed with sensors, SCADA [supervisory control and data acquisition] systems and remote monitoring set-ups that aren’t easily patched or rebooted like typical IT infrastructure.” 

Add to that the connectivity challenges often faced at remote locations, which make secure remote access—an essential requirement for many technologies—difficult to maintain.

“All these technologies, while essential as the mining companies innovate, bring an increased set of cyber risks if not designed and deployed in a secure manner,” said Lester Chng, senior cybersecurity advisor at Rogers Cybersecure Catalyst, Toronto Metropolitan University’s national centre for cyber training, acceleration, applied research and development and public education. “Of most concern is the push for optimization of mining operations via the increased connectivity of IT networks and equipment with that of OT.”

Carlos Chalico, EY Americas metals and mining cybersecurity leader, pointed out that from a cybersecurity perspective, mining companies not only need to pay attention to IT challenges, but also to those on the OT side. “This challenge is specifically related to the fact that, in the past, OT devices and networks had their own communications protocol and they were not connected to traditional office IT networks,” he said. “But now that has changed and the two of these networks can be connected to each other—so if one is compromised, the other one can be impacted.”

Those OT networks may include anything from sensors and devices in the mine itself to automation in processing plants and autonomous vehicles hauling ore.

If an intruder manages to compromise either the IT or OT network, they could extend their attack into the other, hitting both the business side and the operations side of the company. “In the end, what we need is a way to properly segment the network, to properly manage these devices in a way that is not only responding to the operation, but is also helping reduce the risk of exposure to all these elements,” Chalico said.

Security professionals also have to protect multiple connected locations, making their jobs even more complicated. And, noted Chng, one key difference between mining companies and other businesses is the scale of the disruption caused by a cyberattack. “This disruption can cause significant revenue loss due to inability to monitor and manage incidents that impact OT equipment,” he said. “An incident impacting OT can range from catastrophic production downtime to loss of life and limb.”

The potential safety impacts on mining operations from OT cyberattacks could be severe, according to Chng. For example, a cyberattack on haul trucks or excavator control systems could cause sudden acceleration, braking or steering changes, putting operators and nearby workers at risk; attacks on ventilation controls could stop airflow or reverse fans, leading to a dangerous buildup of toxic gases or depletion of oxygen; and a sudden conveyor belt stoppage or restart could cause material spills, crushing hazards or entrapment for maintenance crews.

Increased resilience

However, those risks should not be the reason that companies step back from digital innovation, said Rob Labbé, CEO and chief information security officer (CISO)-in-residence at the Mining and Metals Information Sharing and Analysis Centre (MM-ISAC), a not-for-profit organization committed to improving the cyber resilience of mining and metals companies. Instead, they should look at ways to increase their operation’s resilience.

The solution: having a good mitigation plan. But, Labbé noted, when companies introduce technology, they may neglect to re-evaluate their business continuity, resilience and disaster recovery plans. “There are ‘now’ problems and there are ‘not now’ problems, and it’s very easy to push this into a ‘not now’ problem,” he said.

The cyber elephant in the room, of course, is artificial intelligence (AI). Although it can be a boon to miners—for example, by monitoring and optimizing the variables involved in ore extraction in real time to achieve the best yield—it is increasingly also being used by criminals for nefarious purposes.

Mitigating AI threats is a mix of training—for example, recognizing AI-generated phishing messages can sometimes be difficult—and proper management and governance of data in all areas of the organization, from head office to the sites. It can be just as expensive if an AI tool goes awry and disrupts a process because of poor or corrupted training data as it can be if an AI-generated phish results in a data breach.

“Mitigating cyber risks in industrial environments starts with a layered approach, treating IT and OT as distinct but interconnected domains,” Breuillac said. “Segmentation between the two is critical to prevent lateral movement if one side gets breached. Visibility is another major hurdle; many mining companies still don’t have a full inventory of connected assets, particularly IIoT devices and shadow IT [unapproved or unmanaged technology, such as devices, software or cloud services, that are used within the organization without the knowledge or oversight of the IT or security team] lurking on the edges of the network.”

Chng noted that the “foundational step” is creating and maintaining a complete inventory of IT and OT assets, so companies know what they have to protect.
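The two controls described above, IT/OT segmentation and a complete asset inventory, can be checked against each other: every observed flow is mapped to an inventoried zone, and anything that crosses zones outside a small design-time allowlist, or involves an address that is not inventoried at all (a shadow IT or IIoT candidate), is raised as a finding. The example below is added here and is not from the article or any of the companies quoted; the subnets, zones, ports and flow records are all constructed.

```python
import ipaddress

# Constructed inventory: zone per subnet. Addresses not listed here are
# not inventoried and therefore candidates for shadow IT/IIoT.
INVENTORY = {
    "10.10.0.0/24": "IT",      # corporate office network
    "10.20.0.0/24": "OT-DMZ",  # historian and jump host
    "10.30.0.0/24": "OT",      # SCADA, PLCs, conveyor controls
}

# Constructed allowlist of the only zone crossings permitted by design:
# (src zone, dst zone, dst port). Any other cross-zone flow is a finding.
ALLOWED = {
    ("IT", "OT-DMZ", 443),   # engineers reach the jump host over HTTPS
    ("OT", "OT-DMZ", 5450),  # PLC telemetry into the historian (constructed port)
}

# Constructed flow records in a simple "src dst dport proto" form.
FLOWS = """\
10.10.0.15 10.20.0.5 443 tcp
10.30.0.40 10.20.0.9 5450 tcp
10.10.0.22 10.30.0.40 502 tcp
10.10.0.99 10.30.0.41 22 tcp
192.168.77.3 10.30.0.40 502 tcp
10.30.0.40 10.30.0.41 502 tcp
"""

def zone_of(ip: str):
    """Return the inventory zone for an address, or None if it is not inventoried."""
    addr = ipaddress.ip_address(ip)
    for net, zone in INVENTORY.items():
        if addr in ipaddress.ip_network(net):
            return zone
    return None

def audit_flows(text: str):
    """Flag unknown endpoints and cross-zone flows that are not on the allowlist."""
    findings = []
    for line in text.splitlines():
        src, dst, port, _proto = line.split()
        sz, dz = zone_of(src), zone_of(dst)
        if sz is None or dz is None:
            findings.append(("unknown-asset", line))        # not in inventory
        elif sz != dz and (sz, dz, int(port)) not in ALLOWED:
            findings.append(("unapproved-crossing", line))  # segmentation violated
    return findings

if __name__ == "__main__":
    for kind, flow in audit_flows(FLOWS):
        print(f"{kind:20} {flow}")
```

Run against the constructed records, the two direct IT-to-OT flows and the single non-inventoried source are reported, while same-zone traffic and the two allowlisted crossings are not.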

Baseline controls such as strong user authentication, a solid data backup strategy and an incident response plan are key in protecting the operations, Chng said, as well as implementing best practices in network segregation, access control, third-party risk management and, critically, cybersecurity awareness training.

According to Breuillac, technology alone is not enough. “Training is still one of the most effective lines of defence,” he said. “It needs to go beyond office-based staff, and reach engineers, contractors and anyone with access to critical systems, especially those in remote or rugged locations.” 

Additionally, real-world testing such as penetration testing and red teaming, which simulate attacks to uncover blind spots in defences, is important. “[However], even with strong detection, [incident] response remains a weak point,” he cautioned. “Too many companies lack tested incident-response playbooks for cyberattacks that disrupt real-world systems and equipment.”

In addition, Breuillac pointed out, physical security is as important as cybersecurity.

Companies can ease their fears and try out new technology securely through small-scale pilots that include the necessary cybersecurity controls, Chng added, noting that the sector is comfortable with this mechanism. This, he said, will increase their confidence and make adoption more likely.

Enablers not deniers

Breuillac observed that some mining companies are hitting pause on digital innovation, not because they do not see its value, but because the risks often feel overwhelming. “There’s lingering discomfort around losing control, especially with cloud platforms and third-party remote systems,” he said. “The idea of a cyberattack disrupting physical operations is no longer hypothetical. Add regulatory fallout and reputational damage, and it’s easy to see why some firms are wary of moving too fast.” 

Those fears, combined with negativity from the security team, can make management put digital innovation on hold. However, Chalico pointed out, organizations need to change the chief security officer and C-suite’s point of view about security to shut down the “Department of No”.

“We need to find a way to balance risk mitigation with operational effectiveness,” he said. “Of course we need to verify that risks are properly controlled, the risk appetite is properly defined, so that we do things that will be in alignment with the risk appetite the organization has.”

To do that, he said, cybersecurity professionals need to speak the language of business.

“There is an interesting dichotomy [between] the way cybersecurity is done at most mining companies and how that team is measured and goaled and rewarded, [which] disincentivizes and obstructs innovation by design, and that’s a problem,” added Labbé. “Some of the research I’m looking at shows that 40 per cent of innovation projects at mining and similar industrial companies get killed by cybersecurity teams. That’s not a win.”

The success of a security team is often measured on things like a high maturity score, or the control framework in use, not on how they enable the business, he said. “What are the odds that the new innovation you’re coming up with now is going to fit in a box somebody built five years ago?” he asked.

Labbé cited a mining company he spoke with last year that had an innovation team of 10 data scientists who proposed a number of initiatives, all of which were squashed by the security team.

“What’s the cost of 10 data scientists for a year that you got no value from? You paid them, you got nothing from it? That’s probably a big number,” he pointed out. “Then what’s the opportunity cost of what they would have delivered—what value did the business lose? They didn’t deliver any of their projects. It’s probably even a bigger number.”

Cultural change

Security is as much a mindset as a technology.

“One overarching factor that is often overlooked is the cultural change required when it comes to cybersecurity,” Chng said. “For cybersecurity to be adopted and be an integral part of an organization’s digital transformation, emphasis must be placed on changing the culture.”

Mining itself, he said, is a great example. “The safety culture in mining is a perfect example that leadership should look to model after as they evangelize cybersecurity within their organizations,” he said. “The parallels are uncanny, and leaders should model the training programs, governance structure, cultural norms and behaviours and leadership emphasis in order to bring about this cultural change.”