Some of Australia’s largest and most remote mines seem a world away from the threat of cybercrime. 

But a leading cybersecurity expert has warned against complacency in an increasingly volatile digitalised world. 

Boston-based Dan Scali, who heads the Industrial Control Systems security consulting practice at cybersecurity firm Mandiant, told National Mining Chronicle the geographic isolation experienced by many of Australia’s major mines could work against them in the event of a cyberattack.

“One thing that’s interesting is the fact that because the mining industry is so remotely distributed it kind of drives more connectivity,” he said.

“That could be the case whether it’s for the vendor of a different control system, or maybe from a central office or even a central control centre, just given how massive some of these minesites can be geographically.

“You might think because it’s in a remote place that makes it more isolated, but if people need to access and manage those systems there’s a variety of process control, automation and other technology involved which actually creates exposures or pathways.”

Cybersecurity is one of the greatest challenges created by an increasingly interconnected and automated Australian mining space; where attacks may have centred on IT infrastructure in the past, the digitalisation of operating systems creates higher stakes on the ground.

“Typically there is going to be some level of interconnection between your traditional enterprise IT network and the systems that have something to do with control and processing in mining,” Mr Scali said.

“Whether it’s crushing, grinding, concentration, smelting, the drivers and conveyors; you’re going to have your systems that control the electrification of the mine and things like autonomous vehicles.

“These are all things that in an appropriate architecture would be either firewalled off or airgapped, but ultimately there has to be some level of data exchange there, along with the implications of remote access.

“Those are the kinds of things that present some level of technical exposure to some of the more sensitive systems that are critical to an operation or closer to the physical operations of a mine.”

Automation and remote control are realities for miners in 2017 as they chase cost and productivity improvement, and Mr Scali said avoiding attacks wasn’t a case of turning away from such technologies but ensuring cyber strategy was developed alongside them to mitigate the risks.

“I don’t think it’s a zero-sum game between trying to achieve some of the benefits of automation and ultimately making those efficiency gains and digitally gathering information, but it has to be done with security in mind,” he said.

“Certainly every connection or pathway that’s made between the traditional IT or enterprise network and the operational network is going to present an element of risk.”

The consequences of losing operational networks to a cyberattack can be dire. According to a government report, in 2014 a German steel mill fell victim to an attack in which hackers took control of production software through a corporate network and caused what was said to be significant material damage.

“It wasn’t really clear if the attackers intended to do that or if it was accidental, but ultimately that attack outlined in the report started on the IT side of the network, initiated by spear phishing [a process by which a target is tricked into supplying an attacker information] and then allowed the attacker to pivot down into the industrial control systems zone of the network,” Mr Scali said.

The cyber defence equation

While strong antivirus software may once have done the trick, defending against the increasingly dangerous cyberattack equation now requires a multifaceted approach.

Mr Scali said one of the keys to successfully mitigating the risk was to invest in people who truly understood the threats at hand.

“I think you’ve got to keep in mind that it can’t just be a technology-oriented approach,” he said.

“You’ve really got to take a more holistic look at your cybersecurity strategy, and that includes having a budget and resource for cybersecurity specialists that really understand not only the traditional threats, but also the type that could have operational impacts and the type of operational technologies you’re going to see in the mine operations.

“Being able to bridge that knowledge between information technology and operational technology – those are two very different looking sets of technology – is key.” 

In an ideal world you would be able to protect against 100 per cent of the cyber threats to your project. However, Mr Scali said the best approach was to invest heavily and concede the occasional attack would get through.

“Ultimately it’s a war of resources against the adversary,” he said. 

“The more you can mature your program, the higher the bar is going to be for an attacker to compromise your network. 

“Another thing that tends to make organisations more mature or successful is if they take an approach that isn’t just prevention oriented – when organisations can see you’re not going to prevent 100 per cent of attacks. 

“You really need to understand what attacks are getting through your defences and ultimately limit the impact of attackers who get in with their initial compromise before they can reach your more critical assets.” 

Identifying motives

When it comes to hacks on industrial organisations like mining companies, Mr Scali said he broke the threat down into three groups with different motives.

Commodity ransomware

Shipping container business Maersk estimates losses of US$200-300 million ($248-372 million) after it was struck down by a NotPetya ransomware attack for a few weeks in July this year.

The virus shut down the company’s global network, bringing its work to a halt for around a week, according to a statement put out by the company in August.

NotPetya is a variant of the Petya ransomware family and an example of commodity ransomware – non-targeted criminal activity which spreads from network to network.

“This is something that’s not necessarily targeted at disrupting a mining operation, but if there are connections or pathways between the enterprise network and the operational network it can get onto some of the more operational systems through removable media like a USB and things like that,” Mr Scali said.

Targeted ransom attacks

A group labelled FIN10 has recently caught the attention of Mandiant’s parent company FireEye. The group has been targeting casinos and mining operations in North America with the express purpose of extortion.

“What we’ve seen them do is target organisations, compromise their networks, take sensitive information and show the organisation a sample of that to prove they have access and then demand a ransom of anywhere between 100-500 Bitcoin ($530,000-2.6 million),” Mr Scali said.

“That’s a specific threat confined to the IT side of the network – there’s no impact as far as we’re aware to the operational side, but it’s a type of threat group that, with additional capabilities and changes in intent, could potentially compromise both.”

Nation state risks

With the global geopolitical situation increasingly volatile, the risk of cyberattack by nation states is not one which should be dismissed.

Mr Scali said there were examples of critical infrastructure being compromised in Ukraine over the past few years.

“In Ukraine the past two Decembers we believe there’s been a Russian nexus group which has compromised a few electric distribution technologies and caused localised power outages across different areas of the country,” he said.

“As geopolitics change, any sort of critical infrastructure could become a target in times of conflict – you could see nation states shifting to focus on disrupting supply chains.”

Picture: FireEye’s Sydney operation centre FireEye
