In 2020, KPMG’s report, the Digital maturity of Canada’s energy & natural resources sector, reported 94% of Canadian energy and mining companies were investing in digital technology to create a competitive advantage – saying transformation was critical to their long-term success. With the move to digital, companies were concerned about cyber security risk, especially due to the potential threat actors that could sabotage or damage their infrastructure.

It’s a critical time for the mining industry as the cyber threat profile continues to evolve as companies digitize their operations and back office with new information technology (IT) and operational technology (OT). Mining companies are increasingly reliant on OT as they move towards the “digital mine”.

Our 2021 Mining Cyber Security Survey identified the key trends in cyber security in the mining industry and benchmarked each company’s cyber security maturity against its peers. We received responses from 23 of the largest mining companies headquartered in North America, collectively operating over 100 mine sites, and representing over $185 billion of market capitalization.

Mining companies identified the key threat actors, from a cyber security perspective, to their organizations included:

• Ransomware
• Activists/hacktivists
• Disgruntled insiders

These threats are common in other industries; however, ransomware has surged to the top of the list since the start of the COVID-19 pandemic.

We define a “Cyber Defensible Position” as a posture that companies have implemented, given its cyber security risks and threats, to significantly reduce the impact should a breach occur. A key component of a cyber defensible position is defining the cyber governance structure, including policies, roles and responsibilities and management oversight.

The survey results indicate most mining companies have a cyber security program in place and operational for more than a year. Most companies have not clearly identified the roles and responsibilities of their cyber team and the third parties that may provide outsourcing of key functions and the majority of companies have small in-house teams responsible for critical activities, including architecture, incident response, and patching. We also noted that 39% of mining companies do not test their cyber security incident response processes and plans. Performing regular tests of the incident response capabilities and processes, in advance of a cyberattack, are key to ensuring that the organization has clear lines of communication, reporting and fully understands the roles and responsibilities of all parties, internal and external, to respond in a timely fashion to a cyberattack.

A key component of an effective cyber security strategy is understanding the organization’s IT assets, monitoring those assets for potential cyberattacks and keeping those assets patched. Only 42% of survey respondents have a complete, accurate and regularly updated IT asset inventory. In addition, 54% of mining organizations do not regularly perform patching. Patching of IT systems is a key measure to ensure that new vulnerabilities are resolved. Keeping the IT inventory up to date allows the organization to identify potential issues e.g. devices or software that are reaching their end of life or support, and planning to upgrade or replace them. The inventory is a starting point to managing the patching cycle, by identifying key devices / software that support critical functions or processes that should be patched first. The inventory is also a key source of information to support ongoing monitoring for cyberattacks.

Traditionally, OT was an ‘air-gapped’ environment, – not connected to external networks or digital technologies. In recent years, the OT has evolved. These new solutions aim to increase automation, add “smart” devices, make data more efficient and available, and interconnect networks for convenience (IT vs OT cyber security: The Operational Technology Guide at otorio.com).

As part of the interconnection, and to make OT components more accessible while being able to collect and analyze data about them, IT and OT networks are also becoming interconnected. While this opens a great door to new opportunities, it also introduces a vast landscape of cyber security threats to what was once an air-gapped network.
Of the 23 companies, 63% do not regularly report on OT cyber security and only 18% have a complete inventory of critical OT assets – “the crown jewels”, or all OT assets. In fact, 36% do not have any inventory of OT. Without a complete and accurate inventory of OT assets, it will be a challenge for cyber security teams to assist the organization in managing the related cyber threats.

Only 10% of respondents have specialized OT monitoring solutions in place and 35% have no cyber security monitoring of OT. Monitoring of the OT network and devices is critical, especially with the increasing integration between IT and OT networks. Cyberattacks to the IT network access the OT network, or attacks directly to OT devices, are increasingly common and OT networks and devices typically do not have the same protection mechanisms in place as an IT network, increasing the importance of proactive monitoring.

From a patching perspective, we noted that 46% of respondents apply patches in an ad hoc manner (no regular schedule or plan), or never apply patches to OT devices. As many OT devices run on older versions of operating systems, including some versions of operating systems that are no longer supported, when vendors release patches to resolve issues or vulnerabilities, it is recommended that organizations have a process in place to deploy those patches., otherwise potential security vulnerabilities could be exploited. With the move to digital mining and increasing interconnectedness between IT and OT networks and devices, attackers could leverage the IT network to directly or indirectly attack OT devices, resulting in the shutdown of OT devices or potentially causing significant safety or environmental issues at a mine site.

Mining organizations are increasingly challenged to manage cyber security across geographies, mine site locations, along with the breadth of technologies – IT and OT – that must be managed and secured. Building out their cyber security programs, hiring key staff and engaging 3rd parties to monitor and support their cyber security are key components. Here’s our recommends:

1. Define and implement the roles and responsibilities for cyber security, both internally between the IT function and those responsible for OT, and the external outsourced third parties that support the organization. Ensuring the accountabilities are clearly understood and operate should be validated by performing regular cyber tabletop exercises, as well as ransomware and phishing email exercises.
2. Incorporate OT into your cyber security program, including identification of critical OT assets, regular reporting on threats, vulnerabilities and actions taken, and clearly defined roles and responsibilities between the cyber security and OT operations teams.
3. Gain a complete picture of your IT environment by updating and maintaining an inventory of all IT and OT assets – both hardware and software. This will enable to organization to prioritize the key IT and OT assets for monitoring, identification of cyber security vulnerabilities and patching.
4. Patch IT and OT assets, based upon their criticality, on a regular basis. Monitor the IT and OT networks, devices, and assets, especially where vendors do not provide regular patches or updates for cyber security vulnerabilities.

This is a critical time. The cyber threat profile continues to evolve as mining organizations digitize their operations and back office with new IT and OT technologies. It is ever important to understand how you stack up against similar organizations.

If your company would like to understand where you stand against the surveyed companies in various aspects of cyber security, contact us for details on how to complete the survey and receive a bespoke report benchmarking your function against the industry peer group.