The frequency and impact of cyber threats are increasing
Cyber threats are growing at an exponential rate globally with more than half of energy and resources participants in EY’s latest Global Information Security Survey having experienced a significant cybersecurity incident in the last year. These threats are evolving and escalating at an especially alarming rate for asset-intensive industries such as mining and metals.
Today, all mining organizations are digital by default — in an increasingly connected world, the digital landscape is vast, with every asset owned or used by an organization representing another node in the network.
Organizations are increasingly reliant on technology, automation and operations data to drive productivity gains, margin improvement and cost containment goals. At the same time, it has never been more difficult for organizations to understand and secure the digital environment in which they operate, or their interactions with it.
Cyber incidents can be malicious or unintentional. They range from business service interruptions and large-scale breaches of commercial, personal and customer data, to cyber fraud, ransomware (such as WannaCry and NotPetya) and advanced persistent threat campaigns against strategic targets.
What is the cost of cyber threats?
By 2021, the global cost of cybersecurity breaches is expected to reach US$6 trillion, double the total for 2015 [1]. The World Economic Forum now rates a large-scale breach of cybersecurity as one of the five most serious risks facing the world today [2].
The consequences can be significant should a cyber attack occur within an operational facility or affect operational assets.
The complex cyber threat landscape
The cyber threat landscape spans Information Technology (IT) and Operational Technology (OT). Modern OT environments are highly connected and increasingly use infrastructure, protocols and operating systems that are also common within enterprise IT. Vulnerabilities in technologies used within enterprise IT are therefore often equally applicable to critical OT.
The large number of connected devices across operating environments is also contributing to the growing threat. Increasing investment in digital, reliance on automation systems and remote monitoring of infrastructure mean that thousands of OT devices are now connected across geographically dispersed sites. This increased connectivity, and by extension the increased attack surface, means that the physical security of remote mining and metals operations is no longer sufficient on its own.
Additionally, equipment and infrastructure that have traditionally been disconnected (e.g., autonomous drills, trucks and trains) are now integrated to provide greater control of operations. This combination of factors, coupled with system complexity and third-party risks, has further expanded the “attack paths” that may be used in cyber incidents.
For mining and metals organizations, there are four primary “attack paths” that can be used to compromise and impact operations across the value chain:
- Stock management
This means the entire supply chain is now at risk, not only of disruption to operations but, worse, of significant health and safety consequences.
Mounting threat levels now require a more robust response. Our 2017 Global Information Security Survey revealed that 53% of energy and resources organizations have increased their spend on cybersecurity over the last 12 months.
Cybersecurity budgets are increasing, but they are not yet enough to effectively manage risk, particularly the growing threat to mission-critical OT [3]. As mining and metals companies continue to move into the digital age, current budgets may not keep pace with that risk.
Also, too many mining and metals companies are taking an ad hoc approach or acting when it is already too late to manage their risks and vulnerabilities. This approach unnecessarily exposes the enterprise to greater threats.
The responsibility of managing exposure to cybersecurity risks is not one that can be delegated to one or two individuals. Rather, a broad range of individual responsibilities should be brought together to form a single coherent and accessible view of the threat environment.
Being ahead of the cyber threats
A step-change in the culture and awareness of cyber risk within the sector is needed to close the gap that the “human factor” leaves in cyber resilience and preparedness. The urgency becomes more critical once you accept that it is no longer a question of “if” but “when.”
Organizations need to apply good risk management principles, and this starts with treating an issue such as cyber risk as a business risk.
- Understand the cyber threat landscape: This is the first and most fundamental step toward improving cyber maturity. To deliver the step-change needed, mining and metals companies need a clear plan that forms part of their digital road map and risk management plan.
- Establish a baseline of basic cyber controls: This baseline, supported by a risk-based approach to prioritize strategic and long-term cyber investment, should be aligned with the organization’s top cyber threat scenarios.
- Adopt a cybersecurity framework: This will underpin the consistent identification of critical cyber control gaps, threats and actions required to achieve the target risk profile.
What is a robust cyber threat approach?
Organizations should adopt a cybersecurity framework for the consistent identification of critical cyber control gaps, threats and actions required to achieve the target risk profile. Irrespective of the framework adopted, a risk-based approach should be taken, which is fit for purpose, adopts a balance between "protect" and "react" and meets the operational requirements of an organization.
A robust cyber threat approach involves the following key steps:
- Identify the real risks: map out critical assets across systems and businesses
- Prioritize what matters most: assume breaches will occur and improve the controls and processes used to identify assets, protect them, and detect, respond to and recover from attacks
- Govern and monitor performance: regularly assess performance and residual risk position
- Optimize investments: accept manageable risks where budget is not available
- Enable business performance: make security everyone’s responsibility
[1] “Cybercrime Report 2017 Edition,” Cybersecurity Ventures, 19 October 2017.
[2] “Global Risks Report 2017,” World Economic Forum, 11 January 2017.
[3] “2017 EY Global Information Security Survey,” EY, 2017.
Cyber risk in mining and metals
EY's Michael Rundus, Global Mining & Metals Cybersecurity Leader, discusses the impact of cybersecurity on the sector.