The cyber canary in the coalmine during COVID-19

Key takeaways

  • Unlike in many industries, the effects of the COVID-19 pandemic have not been severe for mining.
  • While a potential bedrock for economic recovery, mining companies are ignoring a different threat: cyber security.
  • With consequences that include life or death, mining companies must act now to shore up their defences.

The world’s mining companies have weathered the COVID-19 pandemic relatively unscathed and remarkably better than many other industries.

Two PwC reports, Mine 2020 and Aussie Mine 2020, provide industry and financial analysis on the mining sector this year both globally and in Australia. In particular they highlight mining’s strong position and resilience, and the key role played in supporting communities and the broader economy during the novel coronavirus crisis.

Despite the fact that global growth is set to decline in 2020, something that’s only happened twice since the 1940s, mining continues to be looked to as the bedrock for economic recovery.

However, there is a potential crack in mining’s facade — both locally and globally — leaving the industry vulnerable to future shock: cybersecurity.

COVID-19 and mining

Despite uncertainty during COVID-19 when operations were disrupted, such as in Brazil, iron ore prices have risen, potentially limiting the total impact to the sector. Mining companies have strong finances and are mostly still operational, albeit with increased levels of precautionary controls. In Australia, the 50 companies that make up the mid-tier mining sector (the largest ASX mining companies with a market capitalisation of less than AU$5 billion as at 30 June 2020), or MT50, as a collective, have maintained consistent levels of revenue and profit throughout the year.

Mining companies have adapted and evolved in response to the pandemic. Some changes have been for the better, such as remote workforce planning and greater use of automation. Many of these adaptations may become permanent. In an uncertain environment, miners have focused intensely on controlling the things they can, and it is serving them well.

Increasingly, they are looking to adopt smart mining technologies to optimise safety, production, and decision making in order to create the mines of the future. However, with such digitalisation comes risk: when a device is digitally connected, it can be hacked. And worryingly, at a time when mining companies are becoming more vulnerable to cyber attack, CEOs are expressing less concern about the possibility.

The harsh reality of the situation

Given their physical nature, mining organisations may think they’re an unlikely target for cyber attacks. But as reliance on autonomous and digital technology grows, so too does the cybersecurity risk — and the consequences can be a matter of life or death.

In this year’s PwC Global CEO Survey, only 12 percent of mining and metals CEOs were ‘extremely concerned’ about cyber threats, compared to 33 percent of leaders globally and 26–32 percent in energy, utilities and resources (excluding mining and metals). And it isn’t a one-off, with concern falling over the last three years even as the number of reported cyber breaches among mining companies has quadrupled.

As technologies become more interconnected, the potential cybersecurity threats and attack vectors are growing. The impact of these threats can be severe, resulting in production or revenue losses, harm to the environment, regulatory fines, reputational damage, constrained economic growth, the catastrophic shutdown of critical infrastructure and even loss of life.

This has been further compounded by the emerging complexities and convergence between operational technology (OT) and information technology. COVID-19 has reshaped how the sector scales its operations, reinforcing the need for an environment that supports remote working and automation. The growing reliance on third parties and less secure corporate networks (compared to isolated OT systems), as well as the industry’s limited workforce and varying levels of COVID-19 restrictions, is creating new entry points for cyber crime.

The consequences of such challenges could be severe. For example, hackers may find entry to a company’s network via a supplier with weak cybersecurity and end up directly controlling critical mine safety systems, processing facilities or heavy machinery. Attacks on underground ventilation units, tailings, dam monitoring systems, pipeline controls or gas monitors, for example, could significantly impact worker and community safety.

Shoring up cyber security

Globally, the mining sector is one of the biggest targets for malicious emails, which are used to establish a foothold to launch a cyberattack.[1] Additionally, 2020 has seen an increase in state-sponsored threats. In FY20, around 35 percent of total incidents impacted Australian critical infrastructure providers, while an estimated 70 cybersecurity incidents targeted the Australian mining and resources sector.[2]

The legacy nature of many OT systems means that, for mining, the cost of a cyber attack can be even greater than for companies in other industries. It is not a straightforward task to remediate OT systems, not only due to limited maintenance windows but also because these systems are often no longer supported by vendors. Trying to alter legacy systems can often carry far greater risk.

Straight off the bat, there are things that mining companies can do to protect themselves.[3]

  1. Enable multi-factor authentication (MFA): The increased reliance on remote operations and third parties introduces new entry points for adversaries to attack. The use of MFA adds an additional layer of defence through combining authentication methods to verify a user’s identity and prevent unauthorised access.
  2. Patch holes: Mining companies tend to resist patching vulnerabilities in legacy OT systems, due to concern around unplanned system disruption and downtime. However, unpatched systems introduce vulnerabilities for adversaries to exploit and attack. Processes and procedures should be developed to rigorously test patches and updates to OT systems.
  3. Check privileged access management (PAM): Privileged users have full control of critical industrial control systems, making them a valuable target. Having weak PAM controls can allow hackers to target and impersonate legitimate users. Ensure that access rights for privileged accounts are allocated and regularly reviewed based on the user’s role.
  4. Partner with the Australian Cyber Security Centre (ACSC): The ACSC has a wealth of information that companies can access, helping to combat organised crime and nation state threats.

The cyber safety motherlode

Cybersecurity is just as much about behaviour as it is technology, and the ‘safety vein’ has to start at the very top before it winds down to all other levels. Embedding a safety culture across the company will be key in defending against increasingly nuanced phishing and ransomware attacks — and all organisations should have plans in place to prevent, respond to and recover from a potential breach.

Many Australian mining organisations are not treating cyber as an organisation-wide risk, and often parts of the business remain unaware of their accountabilities. In fact, high-level mining executives in Australia would only trigger an industry response in the case of a catastrophic event.[4] Despite this, more than 78 percent of those responsible for managing industrial control systems were concerned there would be an attack in the next 12 months.[5]

Cyber attacks can cause prolonged system outages that last weeks or even months, and have significant safety, operational, reputational, financial, legal and regulatory implications. There is no excuse for downplaying their likelihood or consequences. When it comes to cyber security, the time to dig in is now.

To read further about the state of the mining industry, download the global top 40 Mine 2020: Resilient and resourceful report and the MT50 Aussie Mine 2020: Resourcing the recovery report. For further information on defending against, and responding to, cyber attacks, check out PwC Australia’s cyber security site.