Mining is Now a Cyber-threat Target

A new white paper says it’s not a matter of will your system be hacked, but when

By Russell A. Carter, Managing Editor

Should the mining industry be concerned about cyber threats to its security? After all, the words “mining” and “hacked” are rarely seen together in the almost constant parade of news reports listing cyber attacks on banks, government agencies, tech companies and industrial giants. It seems logical that the relative geographical remoteness of the industry’s operations and its public misperception as basically a bunch of low-tech dirt movers would shield it with a buffer of disinterest from both amateur hackers and organized gangs.

However, a recent research report from Trend Micro, a major global IT security solutions developer, takes a different view of the industry’s attractiveness to cyber criminals. The report, titled Cyber Threats to the Mining Industry, was released in late June and delves into the reasons why mine operators should be worried. It asserts that in today’s competitive global market for commodities, the reliance on natural resources for economic development and fluctuating geopolitical climates have all contributed to making industries targets for cyber espionage campaigns, and—in extreme cases—disruptive and destructive cyber attacks.

The mining industry, according to the report, is under threat from cyber attacks aimed at exploiting its strategic position in global supply chains. Tightly targeted and highly coordinated attacks emanate from a broad set of attacker groups that have learned how to leverage the significant role that mining commodities play in regional and global supply chains and for national economies, and know how to exploit the vulnerabilities that mining companies are exposed to due to heavy reliance on integrated and automated systems.

Trend Micro’s researchers noted that advanced persistent threat (APT) campaigns such as BlackEnergy, for example—a Trojan that is used to conduct denial-of-service attacks, cyber espionage and information destruction attacks—have been repurposed to cause physical impact by attacking and damaging industrial assets. BlackEnergy and another APT campaign, Sandworm, were the likely perpetrators behind outages at two power generation facilities in Ukraine in December 2015. BlackEnergy and KillDisk were discovered in similar attack attempts against a mining company and a large railway operator, also in Ukraine.

 

Not Just IT’s Problem

The Trend Micro report pointed out that cyber attacks are not exclusively an IT problem—they can have a deep impact on daily business activities, causing operational shutdowns, equipment damage, reputation damage, financial loss, intellectual property loss, competitive advantage loss, and health and safety risks. Today’s cybercriminals have evolved not only in terms of their technical ability and sophistication but are increasingly aware of the value of stolen sensitive data, how it can be monetized, and how it can influence business dynamics.

When Trend Micro looked at why the mining industry is becoming an important target, certain factors emerged:

• Increasing importance of commodities as traded entities on international markets.
• Reliance on natural resources for economic development.
• The need for countries to benefit from their own mineral deposits.

The mining industry can be considered both a geopolitical and an economic target. Those behind foreign cyber espionage campaigns are increasingly interested in learning about governance policies, decisions, and decision-making processes of corporate executives, but also in trying to gain an edge by disrupting the advantage of a competitor. Threat categories related to mining fall into three principal areas, according to the study:

Economic Factors–The mining industry is a commodity-centric global player that is affected by the ups and downs of the market-driven global economy. As a major player, it must be cognizant of the high level of vulnerability the economies of certain countries are to any disruption affecting a key contributor to their economy—such as mining.

Theft of Pricing Information–Having insider information about a mine’s pricing data can help a competitor hijack a sales deal by outbidding the competition, or a buyer negotiate a better purchase price. Customer information is another prime target for data theft. Competitors can use the stolen customer information to hijack future sales. This is the type of critical information that threat actors are after.

Hacktivism–Environmentally conscious activists who are protesting the effects of mining on the environment and wildlife habitats take it upon themselves to retaliate by inflicting damage to the mining companies. Cyber attacks offer these activist groups a new way to disrupt mining operations.

 

Identifying the Weaknesses

The study indicates that across the broad industrial landscape, two central weaknesses can be found throughout different sectors; these are: 1) the way operations are set up; and 2) increasing levels of centralization. For example, take Operational Technology (OT)—it’s the hardware and software that detects or causes a change through direct monitoring and/or control of physical devices, processes, and events in the enterprise. To be competitive in the market-driven global economy, organizations need a better overview of the supply chain. This need for a better view of the supply chain is reflected in the shift toward greater integration, visibility, and intelligence within and among the OT production control systems and IT that companies use to manage their critical assets, logistics, planning, and operations.

The convergence of OT and IT allows greater access to two components that are prime targets for cyber criminals. OT infrastructure is often poorly protected against cyber attack, often secured with IT solutions that are ill-adapted to legacy control systems such as Supervisory Control and Data Acquisition (SCADA). In addition, new and emerging technologies such as cloud computing, Big Data analytics, and Internet of Things (IoT) have made security challenges more complex and more critical.

Centralization introduces new and unknown vulnerabilities into the cyber ecosystem. The mining industry’s increasing reliance on data gathering and analysis for both equipment and operations, combined with its rising interest and use of autonomous fleets and automated processes, is driving a trend toward centralization—and within the mining universe, nothing is more centralized than the emerging concept of the remote operations center (ROC) that handles supervision, control, analysis and data acquisitions from remote mining sites. Improvements in telecommunications infrastructure, in particular telephone networks and fiber-optic links, are key enablers for the development of ROCs.

With the likelihood of ROCs increasingly serving as the nerve centers of current and future mining operations, the report warned that mining companies moving into the next generation of remote operations, cloud computing, big data/analytics and mobility will need to dramatically increase their security posture in order to maintain ongoing operations. Cyber criminals planning disruptive or destructive cyber attacks against a mining company will attempt to compromise the ROC because the ROC serves as a single point of failure that can take the entire mining operation offline.

 

Who’s Doing This—and How

The report identified several types of “bad actors” with an interest in carrying out various forms of cyber attacks. Among these are:

• Nation states, which, as potential perpetrators of attacks or interference to gather intelligence, are increasingly using cyber assets as the primary method. Governments in developed countries have created sophisticated and stealthy cyber assets that can lie undetected inside organizations for years collecting and transmitting data. Developing nations are utilizing cyber espionage as a quick and economical way of increasing their intelligence-gathering capabilities.
• Organized cyber criminal syndicates, which fall into two subgroups: The first category comprises criminal gangs who steal and sell sensitive information, encrypt sensitive documents and demand ransom, compromise computers and turn them into botnets, etc. The second category is criminal gangs who have been contracted by national governments to conduct cyber espionage campaigns, or to carry out politically motivated disruptive or destructive cyber attacks—criminals for hire. By using criminal gangs, national governments maintain plausible deniability in case of discovery. There may be an intersect between these two categories where easy profit can be made.
• Competitors interested in information such as intellectual property, production methods, true production capacity, pricing information and customer information. In these extreme cases, competitors might launch disruptive or destructive cyber attacks against their competition in order to gain a stronger foothold in the market or overcome a disadvantage.
• Hacktivists that attack cyber assets in order to draw attention to their political causes, frequently choosing high-visibility or high-profile targets. Often their targets and their stated causes do not match up. Mining and oil and gas companies are frequent targets of hacktivists protesting the effect they have in terms of environmental damage, wildlife habitat damage, corporate greed and other stated concerns.

The most common method by which companies get infiltrated is via targeted attacks. In this type of attack, the first step is entry into the organization’s network. From there the attacker will try to leverage the initial point of entry to laterally move within the network and compromise other systems. The hacker’s challenge is to find a reliable method for infecting the organization’s computers.

Some of the most commonly observed methods are:

Phishing and social engineering attacks–Malware used in targeted attacks is never spammed out to millions of potential victims. Instead it is sent to a chosen few targets via phishing emails with effective social engineering lures. The Trend Micro report explains that ICS security consultants, Digital Bond, conducted an experiment where they sent out spear phishing emails with an embedded link to key ICS (Industrial Control Systems) personnel in different companies; 25% of the targeted recipients fell victim to the spear phishing attack and clicked on the link. Job titles of the victims typically include control system supervisor, automation technician, equipment diagnostic lead, instrument technician, etc.

Vulnerability exploitation–New software vulnerabilities are disclosed and patched every month by their respective vendors—but only a handful of these are successfully “weaponized.” Exploits successfully compromise systems because patches for the vulnerabilities have not been routinely applied and many servers are still running OS, which are no longer supported.

Watering hole attacks–The attacker seeks to compromise a specific group of end users by infecting websites that members of the group are known to visit. The goal is to infect a targeted user’s computer and leverage that to gain access to the network at the targeted user’s place of employment.

System misconfiguration exploitation–System misconfigurations can happen at any level of an application stack. The attacker discovers these flaws and exploits them to compromise the system.

Drive-by-download attacks–Malware is automatically downloaded to the computer and executed without the user’s consent or knowledge. Drive-by-downloads can be initiated by simply visiting a website or viewing an HTML email message and requires no user interactions.

Malvertising–This involves injecting malicious or malware-laden advertisements into legitimate online advertising networks and webpages. This is an effective infection strategy when paired with watering hole attacks.

Third-party vendors–Attackers are successfully compromising contractors and third-party vendors and leveraging them as backdoor pathways into the targeted corporate networks.

Man-in-the-Middle (MitM)–The attacker intercepts, alters, and relays communications between two systems/endpoints/parties who believe they are directly communicating with each other. The attacker must be able to intercept all relevant messages passing between the two victims, and either alters the messages or inject new ones.

Infected equipment–Manufacturers ship new equipment preloaded with malware. In Trend Micro’s conversations with IT security professionals working in different mining companies, stories of mining equipment coming preloaded with rather sophisticated malware such as Stuxnet were reportedly discussed many times.

Insiders–This, according to the Trend Micro experts, is the most difficult infection vector to protect against as it involves people that the organization trusts, or who can abuse their privileges to commit crimes.

 

What’s Needed for Protection

In order to be effective, the report concludes, cyber attack and data breach prevention strategies should be considered an integral part of daily business operations. Keep in mind that no defense is impregnable against determined adversaries—cyber attacks and data breaches are inevitable. Having effective alert, containment and mitigation processes are critical. The key principle of defense is to assume compromise and take countermeasures:

• Quickly identify and respond to ongoing security breaches.
• Contain the security breach and stop the loss of sensitive data.
• Preemptively prevent attacks by securing all exploitable avenues.
• Apply lessons learned to further strengthen defenses and prevent repeat incidents.

 

Based on Trend Micro’s research findings on the different types of cyber threats faced by the mining industry, it offers these recommendations for implementation of defensive strategies that it considers a mandatory minimum for mining companies:

1. Segment the network into distinct security zones and implement layers of protection to isolate critical parts of the network.
2. Continuously acquire, assess, and take action on new information in order to identify vulnerabilities, remediate and/or apply software patches, and minimize the window of opportunity for attackers.
3. Control access to networks, critical assets (e.g., data, resources, systems), devices or services (including physical and electronic access) according to the formal determination of who/what have needs and rights to access assets based on an approved classification.
4. All systems require some method of monitoring system activity and identifying potentially malicious events in the network. Without this ability to monitor a system, minor security issues will remain undetected until they become critical security incidents.
5. A comprehensive cyber incident response plan should include both proactive measures and reactive measures. Proactive measures are thosethat can help prevent incidents or better allow the organization to respond when one occurs, whereas reactive measures can help detect and manage an incident once it occurs.

 

The complete, 52-page report, which goes into additional detail regarding the who, what and where of cyber threats to the mining industry, can be downloaded here.