The IT-OT nexus is becoming a key target for cyberattacks in mining. It’s time to close the door on criminals…
By Carly Leonida, European Editor
The Industrial Internet of Things (IIoT) is giving rise to many new opportunities in mining, expanding connectivity across people, assets and systems, and enabling companies to fully use extracted data to improve their operations and processes. Real-time monitoring, data-driven business models, cloud-based and edge analytics, and digital twins of industrial processes all contribute to a seamless digital ecosystem. This connectivity closes the gap between information technology (IT) and operational technology (OT). However, it also widens the attack surface for would-be cybercriminals.
“While IT infrastructure might typically be perceived as more secure, OTs such as remote heavy mobile equipment systems, collision avoidance, GPS, wireless ore and grade control among others, are often not as secure and their defense not as in depth,” explained Bas Mutsaers, Global Strategy, Technology and Marketing Lead at Schneider Electric. “Other practices need to be considered in strategy design by working with both IT and OT stakeholders.”
As mining companies implement cybersecurity strategies, it’s essential to recognize the differences between securing the IT and the OT environments. According to research from cybersecurity specialist Skybox Security, 2021 saw a 46% year-on-year increase in new OT-targeted vulnerabilities.
Mutsaers told E&MJ: “Every endpoint in a facility — which means every connected device — is a possible path for hackers and needs its own risk analysis before being connected to the wider value chain and enterprise.”
Like Schneider Electric, ABB works across a number of different solution areas for digital applications in mining, including sustainability, asset performance management, process performance, operational excellence and connected workforces. Ben Berwick, Global Portfolio Manager – Digital, at ABB, explained that cybersecurity cuts across all of these areas and should be embedded holistically.
“It’s critical, and a significant focus area in live projects and ongoing development initiatives,” he said. “In many industries, cybersecurity can become something of an afterthought. IT and OT is converging like never before in mining, because the industry is driving change as part of the green energy transition. Implementing technology changes and enhancing production methods could leave cybersecurity gaps if due consideration is not given.”
Ever Expanding Cyber Threats
Today’s cybercriminals have adopted a range of malicious hacking techniques involving ransomware attacks, electronic fraud, data leaks and corporate espionage. Objectives vary from financial, political and economic to simply seeking to cause disruption. This means that the effects can be multi-faceted, ranging from missed targets and displaced people and equipment to protracted fault-finding and start-up processes.
Berwick explained: “Any disturbance in a mine is extremely serious. A single stoppage for just a few hours can cost millions of dollars and it can take up to a week to return to normal scheduled vehicle, equipment and staff movements. A malware or ransomware attack on the scale seen in other industries would be considered catastrophic and would entail work to remove blockages, infiltrate viruses and repair systems typically taking weeks depending on the attack.”
Mutsaers agreed: “On one hand, an attack could mean a costly disruption to mine operations and the associated monetary and reputational damage this brings,” he said. “On the other, it could result in injury or even loss of life should operational systems be compromised. Ransomware, which is an increasing global threat, can also include threats to release sensitive data or competitive information, alongside threats to the operation.”
In ransomware attacks, hackers deploy malicious software to take down critical systems until a ransom is paid. Network device vulnerabilities and ransomware attacks both increased by 20% between 2020 and 2021, and there are several ways that hackers target OT systems based on the impact they can make. Examples include targeting power systems at level 1, such as switches that do not have cyber protection natively built in.
“Unlike IT attacks, which typically aim for impacting the largest number of users, OT attacks tend to target a specific weakness within a single target that might have significant flow-on effects, like the example of a switch that can take an entire process down,” explained Mutsaers. “Typical defensive measures, such as antiviruses, are not commonly applicable at that layer. Overall protection through the defense in depth [an approach that uses multiple layers of security for holistic protection] as well as monitoring for unexpected changes based on engineering limits or practices is increasingly becoming part of a company’s cyber practices and considerations.
“If we consider autonomous mining operations involving hundreds of sensors and connected devices, each is a potential entry point for hackers to access the broader industrial ecosystem and can cause a change in operating conditions. Examples include a GIS system connected for collision detection or linked to the routing of a haul truck. Also, artificial intelligence that sits at the edge or feeds back to cloud systems to affect a control function in the field might require strong cyber considerations and practices. As the weakest chain principle applies, it’s key to consider rules of thumb linked to best practices in project implementations.”
It’s also common for external vendors and field service engineers to be granted privileges to access OT devices (with service laptops or edge devices) with little overall control. This broader access poses risk, even if there is no inherent malicious intent. The attack surface widens with each connected laptop or thumb drive. And, from there, it might be possible for hackers to disrupt operations, leading to downtime, lost revenue, or even threatening human safety.
Such practices need to be overseen through remote monitoring, which can include disconnecting said hardware from other processes across the value chain. As some of these systems also have administrative rights, specific practices and additional protection should be considered, for instance network, application, cloud, internet and endpoint security.
Findings from a recent Accenture survey support this, revealing that 79% of CEOs felt their organization is “adopting new and emerging technologies faster than they can address related security issues.”
Legacy infrastructure with aging assets increases risk and, as new integrations of current technology proliferate at lightning speed, digital risk increases if an end-to-end cybersecurity plan to address both current and legacy systems is not in place. According to Mutsaers, when new systems are rolled out, old systems are often not taken out of play, which can be problematic. “Deinstallation is key, and setting practices, processes and budgeting for this are important considerations for companies that want to get this right and counter increasing risks,” he added.
Berwick said that mine operators and their suppliers must look at the bigger picture — it’s not about cybersecurity versus innovation or improvements, but about ensuring that newly deployed technology can work effectively in the long-term and not be removed due to an unforeseen security breach.
“Today’s digital ecosystems exist across the physical mine site, in digital models or twins and in remote operations,” he said. “It’s a lot to consider at once, but the benefits of a connected workplace far outweigh the efforts and costs of making them secure.”
Don’t Wait Until an Attack
There is growing awareness of the multi-faceted threats to mining assets from cyberattacks. Listing cybersecurity as a primary risk in its FY-2021 results, Endeavour Mining said that mining companies were becoming “more vulnerable to cyber threats.” Meanwhile, EY’s 2022 Global Information Security Survey showed that 55% of mining executives are worried about their ability to manage a cyber threat, with 71% witnessing an increase in disruptive attacks over the past 12 months.
This finding comes against a backdrop of increasing global geopolitical tensions and continued targeting of mining and metals companies by pressure groups seeking greater speed in the energy transition or the end of mining altogether, despite it being critical to the projected adoption of clean energy solutions and electrification.
Despite this awareness, it remains the case — as with all security or assurance measures — that cybersecurity tends only to come sharply into focus when something goes wrong.
“While awareness is increasing, there is still a lack of proactivity when it comes to the challenges of combined IT and OT security,” said Mutsaers. “Also, because of the lack of knowledge about the many key systems at a typical site — over 200-300 systems and applications across the value chain is typical.”
IT security continues to be under the spotlight, but thinking around how to apply best practices in the OT environment is still in its infancy, which makes it even more critical to close this gap. Right now, it is a potentially open door to hackers.
“Most mining companies would comment that their IT practices and defense in depth would keep their OT practices and systems hidden from exposure,” added Mutsaers. “But when drawing the physical network, many would see that connections are growing between levels and domains driven by data-hungry intelligence systems.”
Alongside its IoT-enabled EcoStruxure platform, which comprises connected product and edge control, as well as apps, analytics, and services, Schneider Electric has developed an OT-IT Industrial Automation Reference Architecture, which enables a converged and secure OT-IT production ecosystem.
“We also work with vendors to achieve Tested and Validated Architectures (TVDAs) as we have done with Cisco for mining companies,” Mutsaers told E&MJ. “Our current Modicon System evolution and our direction towards EcoStruxure Automation Expert — a scalable enterprise-wide process-control system in the cloud — over time, helps mine operators to securely combine business and process data to yield insights into new levels of performance and improved control and monitoring when combining power and process.”
This combination allows IT and OT to work ‘as one’ to reduce the risks of the growing cyberattack surface, allowing companies to respond quickly to threats, and comply with regulations. The architecture enables industrial digital transformation with a converged, network-centric approach, backed by the cultural changes needed to support new processes and technologies of which autonomous considerations are a part.
“Our consultants are experienced in deploying both IT and OT solutions and ensuring secure IT-OT convergence, and often have links to industry bodies like ISA.org or NIST which set best practices for OT cybersecurity,” added Mutsaers. “By integrating offerings from multiple vendors and suppliers, we can improve customers’ ability to manage current and future cybersecurity risks as part of an overall digital strategy.”
ABB, meanwhile, offers its Ability Cyber Security portfolio, which identifies, classifies and helps clients to prioritize opportunities to improve the security of their control systems. Acting as a security ‘overseer’, it collects system data and compares it against industry best practices and standards to detect weaknesses within a system’s defense. This not only pinpoints areas that require action, but also gives protection with multiple layers of security. By adding in the expertise of people involved, ABB and the customer can determine key performance indicators for the likes of procedures and protocols, security policies and computer settings.
“We would always advise that more could be done in the cybersecurity space, because attacks are real and are happening almost every day,” said Berwick.
Join Forces for Greatest Impact
With such nuanced OT risks, it’s essential to move from reaction to proactive planning and prevention to strengthen industrial cybersecurity. This includes adopting network segmentation, where data flowing through the network is divided into zones or domains, each isolated from the other. Segmentation ensures that only authorized traffic is allowed to traverse zone boundaries; attackers or malware that have breached one zone will find it difficult to pivot to another zone if controls are in place.
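The zone-boundary rule described above can be audited against observed traffic. The following is an added example, not part of the original article or any vendor's product: it checks flow records against a default-deny allowlist of zone-to-zone conduits. The zone names, subnets, ports and flow records are all constructed for illustration.

```python
import ipaddress

# Constructed zones (assumed names and subnets, not from the article).
ZONES = {
    "enterprise_it": ipaddress.ip_network("10.10.0.0/16"),
    "ot_dmz": ipaddress.ip_network("10.20.0.0/24"),
    "process_control": ipaddress.ip_network("10.30.0.0/24"),
}

# Allowlisted conduits: (source zone, destination zone) -> permitted TCP ports.
# Direction matters, and anything not listed is denied by default.
CONDUITS = {
    ("enterprise_it", "ot_dmz"): {443},
    ("ot_dmz", "process_control"): {4840},   # OPC UA
}

def zone_of(ip):
    """Return the zone name containing ip, or 'unknown' for unmapped hosts."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "unknown"

def audit_flows(flows):
    """Return findings for flows that cross a zone boundary without a conduit."""
    findings = []
    for src, dst, port in flows:
        src_zone, dst_zone = zone_of(src), zone_of(dst)
        if src_zone == dst_zone and src_zone != "unknown":
            continue  # intra-zone traffic is outside the boundary policy
        allowed = CONDUITS.get((src_zone, dst_zone), set())
        if port not in allowed:
            findings.append((src, dst, port, src_zone, dst_zone))
    return findings

# Constructed flow records: (source IP, destination IP, destination TCP port).
SAMPLE_FLOWS = [
    ("10.10.4.7", "10.20.0.5", 443),     # IT -> DMZ over HTTPS: allowed
    ("10.20.0.5", "10.30.0.12", 4840),   # DMZ -> control over OPC UA: allowed
    ("10.10.4.7", "10.30.0.12", 502),    # IT straight to a controller: violation
    ("10.30.0.12", "10.30.0.13", 502),   # inside the control zone: ignored
    ("192.168.1.50", "10.30.0.12", 22),  # unmapped service laptop: violation
]

if __name__ == "__main__":
    for src, dst, port, sz, dz in audit_flows(SAMPLE_FLOWS):
        print(f"VIOLATION {sz} -> {dz}: {src} -> {dst} tcp/{port}")
```

Hosts that fall outside every mapped zone are reported rather than ignored, so an unregistered vendor laptop reaching a control subnet shows up as a finding.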
Mutsaers expanded: “It’s also vital to ensure risk management of the human factor. In the realm of industrial control systems, human error and unintentional actions are responsible for more than a quarter (27%) of network incidents. That is why it’s essential, alongside stringent policies, to implement mandatory, ongoing training that is consistently and continually adapted depending on the expected cybersecurity involvement of the worker.”
As discussed, there must also be a focus on securing legacy infrastructure and adhering to industry-recognized practices to further reduce threats to aging installations.
“Taking obsolete systems and functions out of practice is a critical part of this, particularly in larger mining companies, where subject matter experts may have moved on and others supporting the overall network may not know which key function or integration points still need to be connected,” said Mutsaers. “Taking these precautions and performing investigations and pen-tests internally, besides taking input from security consultants and cybersecurity providers, can significantly increase the many layers and practices and lead to better protection.”
Berwick added: “Cybersecurity should be properly addressed at each phase of an asset’s lifecycle, in design and development, operations and maintenance. Experts can help to identify what needs to be protected and put in place effective back-up and recovery plans from the outset, ensuring regular updates and patching. It’s surprising how much trouble can be avoided through basic digital hygiene measures and the right process controls, for example anti-virus software and backing-up to other systems. Mining companies want to get back up and running as soon as possible if they are attacked and this can be made easier through network segregation and associated recovery processes.”
Most importantly, cybersecurity is everyone’s responsibility. Manufacturers and OEMs should endeavor to provide the safest, most up-to-date devices at production, and should also account for where and how those devices typically connect out of the box. Mutsaers believes that manufacturers and OEMs should also design safe protocols and interfaces for and between these devices, offer basic security training and develop patches when needed.
“In parallel, end-users of the systems are obligated to train their workforce about the basic scenarios and exceptions. This will include the key exceptions and step-outs applied for achieving the functionality of high-value functions where best practices do not yet exist,” he said.
In summary, by uniting manufacturers, OEMs, and utility practices, and by sharing typical exposures, the IT-OT architectures applied to modern mines will become inherently more secure.