Conformance to the GISTM will require stronger interaction and integration between the range of disciplines and various systems dealing with engineering, social and environmental monitoring. (Photo: SRK Consulting)

Tailings facility owners are facing the challenge of how to practically integrate social impacts with the systems that manage tailings – as required by the Global Industry Standard for Tailings Management (GISTM). SRK Consulting has proposed a four-step process to achieve this.

The steps cover four key aspects: knowledge sharing, training and awareness; a critical review of systems for gaps and opportunities; upgrading of data systems to highlight targets and trigger action; and strategies for ongoing collaboration and development.

“The importance of social aspects in the GISTM is quite clear,” said SRK Consulting principal environmental consultant Jacky Burke. “It appears as the very first topic in the 2020 publication of the standard, where mines are required to ‘meaningfully engage project-affected people at all phases of the tailings storage facility (TSF) lifecycle.’”

For a start, meaningful engagement requires a range of formalized systems, procedures and monitoring with reference in the GISTM to the mine’s Environmental and Social Management System (ESMS). However, Burke noted that a key hurdle is the typical separation of the more ‘technical’ tailings systems from environmental, social and governance (ESG) systems on most mining sites.

“Mines will generally have an ESMS that operationalizes several of the ESG requirements of the GISTM, while there is also a Tailings Management System (TMS) that gives effect to both engineering and governance considerations of the GISTM,” she said. “The current challenge is to integrate the ESMS with the TMS in a way that is practical and effective.”

They are usually managed as separate entities, and often within different departments.

“There are, of course, many different disciplines and skill-sets involved in each function – and each team has its own day-to-day responsibilities and imperatives,” Burke said. “Conformance to the GISTM will require stronger interaction and integration between the range of disciplines and various systems dealing with engineering, social and environmental monitoring, risk management and change management.”

Driving this integration is the growing urgency on the compliance front, as International Council on Mining and Metals (ICMM) members are working towards a conformance deadline. Mines which operate their TSFs with very high or extreme potential consequence ratings must comply with the GISTM by August 2023.

Key to the essential ‘mind-shift’ which is embodied in the GISTM requirements is to elevate social engagement from being intermittent to being ongoing. Focused engagement is often associated with permitting, as part of the regulatory public participation process during environmental authorization processes and water use licensing applications.

Engagements with affected people should therefore be focused, meaningful and ongoing during the life of the operation and throughout the lifecycle of a TSF – with integration into the regular routines of tailings and environmental management. There is already a greater focus on the importance of environmental and social scientists alongside their engineering colleagues, said Franciska Lake, partner and principal environmental scientist at SRK Consulting. This trend is a positive factor that will facilitate alignment with the GISTM requirements at an operational level.

Informed by Risk

This integration of environmental, social and engineering imperatives must, according to the GISTM, be informed by the identified risks. Further, the standard calls for a performance-based monitoring system and governance framework that encompasses both the ESMS and TMS and requires regular review and audit of these systems.

“As the cross-cutting demands of the GISTM may present challenges, the four-step process provides a framework in which mines can structure and evaluate their progress,” said Lake. “Importantly, the steps need to be applied iteratively throughout the life of the tailings facility; adaptation will be ongoing supporting effective implementation of the GISTM.”

The first proposed step is concerned with knowledge sharing, training and awareness of a mine’s environmental, social and tailings management teams. The aim is to build mutual understanding among the respective experts on their roles and functions within the site-specific context of their operation and the risks that these pose.

“It is therefore critical that this first step involves tailings engineers and operators in collaboration with environment and social management personnel – to facilitate the integration process,” said Lake. “This collaborative group needs to share how site-specific risks are currently being dealt with by the ESMS and TMS and find opportunities to engage affected people on identified tailings facilities.”

The second step of the process lays the groundwork for the mines to comply with the GISTM requirements through reviews and internal audits. It conducts a critical review of the ESMS and TMS, looks at specific areas for improvement and integration, and identifies gaps in its conformance with the GISTM.

Assess and Report

This underpins the third step, where data management systems can be upgraded to facilitate integrated assessment and reporting. The system will set performance targets, and trigger action if these are not met. Along with specifying responsible people for each variable being monitored, the system would also need to include reporting frameworks and schedules in line with what the GISTM requires.

“The fourth step in the process is ongoing collaboration and development, which could involve regular meetings of a forum of GISTM disciplines on the mine,” said Burke. “This forum shares lessons learned and keeps everyone informed of risks and corrective actions.”

Lake acknowledged that applying the four-step approach demanded considerable effort and commitment by mine personnel, especially being an iterative
process where adaptation and adjustment would always be required.

Data Protection: Don’t Take Standard Back-up Strategy at Face Value

A ransomware attack on a North American copper producer highlights the continued threat to critical industrial sectors such as mining posed by criminal enterprises and state-sponsored hackers. Copper Mountain Mining Corp., 75% owner of the Copper Mountain open-pit copper mine in southern British Columbia, reported in late December that it had been subject to a ransomware attack. The company said it isolated operations, switched to manual processes where possible, and shut down its mill as a precautionary measure.

The company resumed operations about a week later, declaring that its internal and external IT teams and cybersecurity experts were working to establish additional safeguards to mitigate further risk to the company.

Consulting firm Ernst & Young notes that cyber threats are growing at an exponential rate globally against mining and other asset-heavy industries, with 71% of mining participants in its Global Information Security Survey 2021 having seen an increase in the number of disruptive attacks over the past 12 months, and 55% were worried about their ability to manage a cyber threat.

Copper Mountain appears to have survived the cyberattack without extensive harm – but is that a typical outcome?

According to a recent blog post at cybersecurity software developer Crowdstrike, there are times when an incident has progressed beyond the realm of straightforward, rapid response. The victim organization typically arrives at that point through a series of events, that when unraveled through an investigation and viewed retrospectively, looks like the following:

• A threat actor, whether targeted or opportunistic, leveraged stolen credentials or identified a weakness in a perimeter system to exploit.

• That attacker (or other threat actor that has purchased access to the victim network) gained initial access to one system.

• Undetected, the attacker escalated their privileges, evaded defenses, obtained privileged credentials and moved laterally to many systems in the environment.

• The attacker stole information and, in many cases, destroyed backups before deploying ransomware widely across the environment.

As traditional methods of protecting information continuously change to meet emerging challenges, global IT research and advisory firm Info-Tech Research Group has published a new industry blueprint, Data Backup Moves Closer to Data Protection, to help businesses modernize their data protection strategy for the current and evolving climate.

According to the company, data backup has traditionally been in the operational domain of IT, while security teams have been responsible for threats to data from malicious attacks. As these attacks have become more sophisticated, backups have come under threat and vendors have had to incorporate new features into their software to address attacks and protect data.

“There was a time when backing up data required separate premises-based infrastructure to ensure protection from data loss,” said Darryl Levesque, principal research advisor at Info-Tech Research. “However, things have changed with modern data centers today. It is time to stop thinking about data backup and start thinking about data protection. Newer technologies are making backup redundant.”

Info-Tech’s blueprint explains that understanding where backup stops and data protection starts can be difficult as the products evolve. Although many vendors now provide numerous additional product features, it can be challenging for an organization to determine which product is best for their environment or whether there is a need for a combination of products.

The firm recommends that technology leaders keep up and understand the changes in the backup marketplace, considering what the new features can offer in terms of additional functionality. It’s important to recognize which of these functions suits the need and then compare offerings to find the best fit.

Info-Tech recommends that the new features offered by backup vendors be used as additional tools in the data protection armory rather than replacements for existing tools such as endpoint protection or effective security practices. To do this, organizations should consider the following key data protection features:

• Continuous Data Protection (CDP): A data protection method that backs up information as it changes, without schedules.

• Zero Trust Framework: Works on the principle of least privilege. Providers are leveraging the framework for back-up and recovery.

• Air Gapping: Isolates one or several backups through various methods so malicious actors cannot access them.

• DR Orchestration: Provides a facility for automated, sequential recovery of systems after a disaster.

• Threat Prevention and Detection: Detects malware during backups and interrogates existing backups.

• All the Other Cloud: Enables support for Kubernetes, Office 365, Docker, Google Workspace, and many others.

• Cloud to Cloud: Copying from one provider to another; often used for SaaS applications.

These new features, according to Info-Tech Research, can help mitigate data loss risk and enable an environment to failover much more efficiently in the event of a disaster. The cloud backup features provide enhanced confidence in the protection of offsite data.