Part 1 of a four-part series on cyber resilience in the mining and metals industry.
Looking back at the year in cybersecurity for the mining and metals industry, and more broadly across all industries, there have been some clear lessons learned. The approach we have been applying to protecting our organizations has, at best, proven ineffective; at worst, it may be doing more harm than good.
In 2023, security and IT professionals responded to the increased risks cybersecurity incidents have posed by spending increasingly more money, time and cognitive resources on progressively more complex and expensive security controls. The past year saw 10 times more reported cybersecurity incidents involving mining and metals companies and critical suppliers than in 2022, as recorded by the Mining and Metals-Information Sharing and Analysis Centre (MM-ISAC), a not-for-profit organization committed to improving the cyber resiliency of mining and metals companies. These incidents have had significant impacts for the affected organizations in terms of multi-week production outages, multi-million-dollar response costs, regulatory investigations and stakeholder relationship challenges. In my role with MM-ISAC, I have been in a unique position to observe the results of these investments. In discussing the impacts of these security investments with the senior leadership teams and boards, operators and IT/security professionals of many mining organizations, I have identified several issues.
Unclear control objectives and value: Many security controls are implemented based on a vague best practice, in response to a perceived need to mitigate a high risk, or because of their appearance in a control framework the organization has adopted. Often, a control is implemented because it might have prevented a breach at another organization in the past. However, rarely is an analysis completed on the actual risk reduction the control will provide an organization in its own unique context, balanced against all costs of the control, including costs beyond implementation—such as productivity, change management and ongoing operational cost impacts across the organization. Do the proposed controls mitigate a cyberattack from an attacker likely to target the company? Is the risk reduction the proposed control provides worth the cost? What will the impact of that control be on current business processes, production systems or upstream/downstream partners? Can the risk be mitigated by non-technical business process adjustments at a lower cost?
Ever-increasing cognitive loads: Recognizing the reality that many cybersecurity incidents start at the end user through phishing or other social engineering methods, more and more in-depth and mandatory training is conducted with all end users across the organization. What was once an annual online class is now often supplemented by ineffective targeted quarterly or even monthly phishing exercises, targeted training and other demands—all implemented to somehow train our end users not to respond to social engineering attacks as humans do—basically to teach the human nature out of them.
Mismatch in objectives: Many security leaders talk of a “healthy tension” between an organization’s security teams and operational groups. This tension is anything but healthy—it is reflective of a mismatch of objectives. In examining the objectives of functional groups in mining, those objectives speak of safety, sustainability and production. These objectives are directly in line with and contribute to the organizational objectives and mission. However, the objectives of security teams (or the objectives contained in contracts with managed providers, in the case of outsourced security) generally speak to increased cyber maturity scores, increased control effectiveness in the prevention of cybersecurity incidents and improvement in cybersecurity metrics (phishing test performance, time-to-contain and time-to-remediate, etc.). This disconnect can lead to security teams over-implementing security controls to help them meet their objectives. In contrast, operational teams look for ways around those controls to minimize the impact on their production/cost objectives. This mismatch will, at best, lead to tension and distrust—at worst, open hostility.
Worst of all…it is not working
This significant burden of increased cybersecurity placed on an organization, and most of all the people working within it, might be justifiable if the organization was effectively protected. Unfortunately, it is not. There was a significant increase in impactful cybersecurity incidents affecting the mining industry in 2023. The impacts of these incidents have been significant and, in some cases, very public—ranging from the loss of thousands of business servers to complete, multi-week production outages.
It is no wonder that boards and management teams have started pushing back and denying the requested budget increases that security teams and outsourcers have been asking for. If the definition of insanity is doing the same thing repeatedly while expecting a different outcome, then doubling down and doing more of what we have been doing for years looks like a poor business investment.
If we do not change our approach to cybersecurity, we will continue to see an increase in material cybersecurity incidents, increased business impacts from ever-increasing numbers of security controls, out-of-control costs and increased stress on our people.
The good news is that there is a solution to the problem—a shift in approach from control-based cybersecurity to organizational risk-based cyber resilience.
Cyber resilience differs from cybersecurity in focus and objectivity and is defined as: “the ability to anticipate, withstand, recover from and adapt to adverse conditions, stresses, attacks or compromises on systems that use or are enabled by cyber resources.”
This approach focuses on ensuring the business objectives of the organization are met, regardless of what may happen to the critical technology resources and systems we now depend on. Cyber resilience, by necessity, requires an organizational focus that is tightly aligned with the objectives and goals of the entire organization.
Cyber resilience is centred on maintaining the system availability and integrity needed for safe production, with the potential sacrifice of confidentiality in some cases. Cybersecurity, by contrast, generally falls on the technical or security leadership of the organization and is highly focused on the protection of data.
It consists of three domains, which are of equal importance to its development:
» Operational cyber resilience
» Resilient cybersecurity
» Resilient cyber communications
Each of these domains will be looked at in depth in three subsequent columns in this four-part series.
We can do better
The current controls-focused approach to cybersecurity is not only proving ineffective at stopping highly impactful breaches, but is also acting as an obstacle to the ability of the mining industry to transform.
Control deployment and control effectiveness measurements have had little correlation to minimizing the frequency and impact of cybersecurity incidents. Only by shifting away from those and towards reducing the impact of breaches through resilient controls, layered with operational resilience and effective communication, can we finally begin to not only manage risk to the operation, but also reduce the impact of security controls on the organization and the people within it and manage runaway security budgets.
Rob Labbé is the CEO and CISO (chief information security officer)-in-Residence at MM-ISAC.