Think of any major company, and it has probably been a victim of a data breach. David McCandless provides an insightful and interactive map detailing global breaches, hacks and other data disasters spanning the past 13 years across multiple industries. It’s a scary sight to behold.
The mining and aggregates industries haven’t escaped the threat, and it’s easy to see why. Important data concerning politically sensitive agreements, environmental records and studies, and projects in the developmental pipeline are like gold to hackers and the commissioners of their services.
Here’s what site managers should know so they can put together a smarter data security plan.
The data experts at Kroll Ontrack define a data breach as having sensitive, proprietary or confidential information “viewed, stolen or used by unauthorized third parties,” resulting in damage to property.
This is precisely what happened to Goldcorp Inc., one of Canada’s biggest mining companies, in April 2016. In the attack, the company had close to 15 GB of data compromised. Payroll information, budget documents, bank account details, employee passport scans and other important data were accessed.
Despite the amount of data compromised, Goldcorp CEO David Garofalo says the extent of the breach was “not of significant concern.” His team was lucky, but others haven’t been quite as fortunate.
One German steel mill was the victim of a cyber attack in December 2014 in which criminals seized control of operational procedures at the mill, thwarting processes and causing “massive damage,” according to a report from the German Federal Office for Information Security.
Pamela Cobb, writing about the incident for Security Intelligence, referred to “sophisticated social engineering and spear-phishing tactics” used to gain access to the mill’s office network. Cobb says the hacking fears portrayed in Hollywood blockbusters are materializing into reality.
And in June 2017, Maersk Group was attacked by cybercriminals, shutting down multiple business units and ships.
Looking at the numbers, it’s even worse than the case studies suggest. A PwC report from 2015 showed the rise in global cyberattacks from 3.4 million to 42.8 million between 2009 and 2014. The statistics reveal that more than a third of mining companies are at risk of being attacked.
Of the 35 mining companies surveyed in the report, only three attested to having advanced cybersecurity systems in place. The bulk cited having moderate systems in operation, which are two levels below advanced in terms of robustness. As many as 97 percent of the companies have been affected by malware.
The team at Crowell & Moring cite a report from Ernst & Young around the same time that suggested more than 40 percent of metals and mining companies surveyed had seen a rise in threats. While a 2016/17 report places cybersecurity at nine out of the top ten major risks facing the mining industry. Australian company Telstra’s Cyber Security 2016 issued a report that revealed business-interrupting security breaches were recorded twice as frequently as in 2014.
Part of the problem is the connectivity of new business. With the IoT (Internet of Things), remote access, multiple employee devices and centralized operational networks, the amount of critical data online is massive and growing.
At Computer Weekly, Bob Tarzey writes about four concerns facing IoT devices:
- protection issues with devices transmitting sensitive data,
- devices becoming entry points into IT infrastructure,
- botnets using devices for denial of service (DoS) attacks,
- and poorly defended IoT deployments.
The logic is simple: The more devices, the easier to get in.
Kevin Hua of AtlasTrend writes at Which-50 about how the IoT “effectively increases the ‘surface area’ available for breaches as more things are connected with each node becoming an entry point for attack.”
Mining and aggregates companies are under threat from a range of prospective cyberattackers, including foreign nation-states, service providers, and even environmental and political activists.
Another worrying source of attack, writes Richard Levick at Fast Company, is the “insider threat.”
Using the Bank of America’s $10 million loss in 2011 as an example, Levick laments how entire organizations can be held to account for one internal malefactor’s criminal acts.
Looming threats and the expansion of the IoT are serious causes for concern. So, what can be done to curb these crimes, and how ready are companies in the mining and aggregates industries to launch a defensive?
A 2017 report from PwC states that of the 10,000 respondents surveyed from across multiple industries, more than half said “they actively monitor and analyze threat intelligence to help detect risks and incidents.” If mining and aggregates companies are sitting at similar figures, this leaves a big percentage sitting idly, waiting to become targets.
Even for those that are prepared for a cyber onslaught, it is a battle to keep pace with the fast-evolving methods of attack. Slashed IT budgets and inadequate training mean expertise to fight the scourge is limited.
Telstra’s report said 62 percent of organizations cited a lack of experts to implement security strategies. Speaking with Mining Journal, Alan Hindes at Telstra says, “Security budgets were a big issue 18 months ago, but now the challenge is finding talent with the necessary security skills.”
Skills aside, another problem is the delegation of responsibility and decision-making. As migration to the cloud continues with pace, further risks arise. Telstra’s Director of Security, Neil Campbell, dubs this the “shadow IT” problem. Defenses weaken as other branches of an organization incorporate and manage services in the cloud without the necessary security protocols insisted on by IT.
The Telstra report recorded only 22 percent of companies across industries are equipped to deal with the risks involved in cloud-based service adoption. Hindes and Campbell suggest the BYOD (bring your own device) culture as a reason for every organization to treat cybersecurity as if it were a major bank protecting clients’ personal and businesses’ financial information.
A Question of Law
UK solicitor Jowanna Conboye writes how businesses only picked up digital communications in the 90s, and the laws have been even slower keeping pace. The EU’s Data Protection Directive 95/46/EC was passed in 1995 and applied in the UK as the Data Protection Act in 1998.
Change is coming, however. The EU’s General Data Protection Regulation 2016 (or GDPR) was passed in 2016 and takes effect in 2018.
The US, the Crowell team writes, has also been proactive. In 2015, President Barack Obama issued an executive order titled ‘Blocking the Property of Certain Persons Engaging in Significant Malicious Cyber-Enabled Activities’ after calling cyberthreats a “national emergency.”
This allowed the U.S. Department of the Treasury to freeze assets and bar transactions of entities engaged in cyberattacks.
While the change in laws is essential to deal with this growing threat, it does not mean the process will be easy for mining and aggregates companies. There will be plenty to do to become compliant, as well as there being greater urgency to report data breaches timeously.
How to Stay Safe?
It almost feels counterintuitive given the innate competitiveness in business, but the advice from the experts is to share. An important part of generating awareness of cyberthreats and the means to defend data against them requires sharing intelligence.
The 2017 PwC report notes how sharing data “can provide actionable intelligence that enables organizations to gain visibility into their most relevant risks and more quickly detect and respond to incidents.”
But these processes need to be agile and “ingest data, analyze activity, classify and validate threats, and push alerts — all in real time”.
It’s important to think of cybersecurity as a business risk and cost rather than specifically an IT consideration. It needs to take center stage in budgeting considerations and training programs. Creating awareness among all employees at every level is a fundamental component of basic safety. There also has to be accountability records built into the processes.
Tim Cannon suggests companies invest in education. Writing at Wired about healthcare in particular, thought the lessons apply to all industries, Cannon talks about a “disconnect” in how IT firms hire talent. This leads to employers picking experience over education, which is not a good long-term strategy.
Cannon suggests partnerships with colleges and universities to train the next generation of security experts. Additionally, increased training is essential for existing staff to help bolster defenses.
All organizations need to have a response plan laid out in advance. There is no time to develop a strategy retroactively. The plan needs to include methods for detecting clients and partners who have had data accessed, how much of it has been compromised and how sensitive that data is.
Additionally, the plan needs to lay out how to notify those affected, briefing the press and minimizing damage. Production cannot be halted in the wake of an attack, and user systems and key servers need to be restorable from backups.
Cobb referenced the IBM X-Force Threat Intelligence Quarterly as a useful guide in the wake of the attack on the German steel mill. The report suggests organizations perform regular tests, implement secure design and development practices, and follow industry best practices for the IoT, as suggested by the Open Web Application Security Project.
As the IoT continues to integrate deeper into every aspect of modern life, we all become more connected. In many ways, this streamlines business processes and facilitates global cooperation. The downside is the remote reach of criminals lurking in cyber shadows ready to steal data, compromise security and disrupt operations.
Proper training of staff, good cyberhygiene and robust defense systems are essential to keep mining and aggregates companies safe. Should these defenses fail, they’ll need a fast-moving reaction plan to mitigate damage and keep up production.
Images by: Joshua Sortino, Koushik C, Markus Spiske