Rising geopolitical risks ever since Russia launched its attack on Ukraine, combined with a massive digital transformation in the mining sector in recent years to boost efficiency, has vastly increased the need for companies to update and invest in their cyber security systems, analysts and mining executives say.
Victoria Gold (TSXV: GCX) warned investors in its annual report last month that the military invasion of Ukraine could lead to “heightened cybersecurity disruptions and threats” in 2022, even though the company doesn’t have any operations in Russia or Ukraine.
In the same month, Endeavour Mining (TSX: EDV; LSE: EDV) listed cyber security as one of its principal risks and said that companies were becoming “more vulnerable to cyber threats” due to the increasing reliance on digital technology.
“Although Endeavour invests heavily to monitor, maintain, and regularly upgrade its systems, there remains a risk that we may be unable to prevent, detect, and respond to cyber-attacks in a timely manner,” it said in its annual report.
According to Ernst & Young’s Global Information Security Survey published in mid-2021, about 55% of mining executives are worried about their ability to manage a cyber threat with nearly 70% witnessing an increase in the number of disruptive attacks in the previous 12 months. Almost half of the respondents said that the industrial control systems were most frequently attacked.
Analysts say that the impacts of these attacks can range from company stocks being shorted or the lives of workers being put in danger when crucial operating systems are hacked to something as simple as assay results getting delayed.
For instance, in the last five months British Columbia-based PJX Resources (TSXV: PJX) and Getchell Gold (US-OTC: GGLDF) in Nevada reported delays in receiving their assays as the Bureau Veritas Laboratory in Nevada was recovering from a cyber-attack that hit the company in November last year.
Nadine Miller, an engineer who has worked in mining for over two decades and is currently vice-president of project development at JDS Energy & Mining, notes that the industry has a tradition of being late adaptors to new technologies and is now also lagging behind in cyber security.
“We are always in a race to be the first ones to be last in new technologies,” Miller told The Northern Miner, adding that mining companies generally don’t want to be early adaptors of any technology. “There are a few that will do it,” she said, adding they are usually larger companies.
Miller says that while the mining industry has done a good job in securing its information technology (IT) systems, which include network infrastructures, file shares or employee laptops and computers, the operational technology (OT) – which, for example, involves systems responsible for process plants, refineries, heating or ventilation in underground mines – are not secure.
Bryan Tan, an Associate partner at EY’s cyber security practice says that ransomware, a type of malicious software designed to block access to a computer system until a sum of money is paid, is one of the “key threats” in the industry right now.
“A lot of organizations… put the OT systems on the same network as the IT systems,” he told The Northern Miner. “That starts to spread on the environment in the IT side, but because it can touch the OT systems, it can potentially impact those as well. From more of a business impact, your OT comes to a standstill and that may lead to life-threatening issues as well,” he explained.
To tackle OT-related issues, JDS and Miller are promoting a new technology, based on artificial intelligence machine learning (AI/ML), that they say can detect abnormalities in industrial control systems.
Miller’s JDS colleague Joe Weiss, a global expert on industrial control systems, says that mining companies, like firms from other industries, depend upon sensors to run their operations. These can be hacked when connected to the web, a network, Bluetooth access via mobile devices, or simply a handheld calibration unit, and end up providing faulty signals that could, for instance, overheat or cool systems and damage them.
“The JDS technology can tell you if the sensors are not doing exactly what they should be or if they are inoperable,” explains Weiss. “The sensors are the input to everything you do… the technology is making sure that the input going to the brain, is actually coming from the sensors and that we know how good the sensors are. And if (they’re) not, when we need to do maintenance for the sensors.”
To further explain the role that sensors play, Miller and Weiss referred to the Taum Sauk Hydroelectric Power Station in the United States which overtopped in 2005 when water continued to be pumped from the lower reservoir even after the upper reservoir was full. While no deaths were reported during the event that wasn’t related to cyber-threat, the flood destroyed many structures in a park.
According to Weiss, the attachments holding the sensors at Taum Sauk dam failed. Although they were detached from the wall and ended up at a different location, they continued to work. “They inadvertently told the system that the level was low,” said Weiss. As a result, the pumps were instructed to fill the reservoir. The JDS technology would have noted the change in the level and instructed the operator to check the problem, which is what makes the tool unique, he added.
The technology was installed in a refinery project this year, Miller said (the name of the company was not disclosed). Aside from providing protection against hacking, it also helped in detecting operational anomalies once the AI/ML went live, she said.
“While the AI was learning their system, one of their engineers figured out that the controllers in the circuit was not working. We weren’t monitoring the controllers. But he realized that there was a problem with the controllers because the AI/ML was learning and the AI was flagging anomaly in the data,” said Miller.
EY’s Tan believes that the mining industry has “moved forward” and is a lot more willing than before to improve its cyber security environment. But he also says that the industry needs to put more money into these initiatives and ensure that IT teams build stronger relationships with different parts of the business.
According to EY’s survey, cybersecurity teams are struggling to build close relationships across the business — especially with teams that oversee the most critical systems and operational data.
“The problem is that many chief information security officers came up through IT and, today, there is a paradigm clash between IT and OT,” the survey said. “On one hand, you’ve got engineers focused on availability and safety, on systems that are potentially decades old. On the other, you’ve got a CISO (chief information security officer) urging them to patch the system straight away because of confidentiality and integrity concerns.”