High metal prices, covid-19 increase miners’ exposure to cyberattacks — report

Cybersecurity in mining. (Image courtesy of Metso).

As metal prices are hovering around all-time highs and mining companies are enjoying some of their best years with exceptional margins — a resilience that is expected to continue through 2021 —  Fitch Solutions Country Risk & Industry Research published a report highlighting how this scenario increases the importance of cybersecurity defence in the mining industry.

According to the market analyst, its 2020 megatrends survey results showed that cybersecurity ranked second in areas respondents in extractive industries were investing in most heavily, with 51% of respondents stating that their company was investing in the issue significantly, after energy efficiency. 

“This is in line with our view that cyber risks, owing in part to the proliferation of new digital technologies, increasing degree of connectivity and a material increase in the monetization of cybercrime, will become a larger cause for mining companies’ concern, and miners will increasingly try to protect themselves from breaches,” the report reads.

Fitch’s research found that companies producing strategic minerals and commodities of the future, namely lithium, cobalt, copper, nickel, aluminum, green steel and rare earths, are expected to especially be targeted, even by nation-states as countries join the race to acquire these metals.

In Fitch’s view, the covid-19 pandemic has increased the level of risk because it pushed miners to quickly restructure the way they operate, as the need for systems that support remote working and automation became urgent.

This has created a situation in which many companies rely on third parties and less secure corporate networks – compared to isolated operational technology systems — as well as a limited workforce, thus creating new entry points for cybercrime. 

“For instance, hackers may find entry to a company’s network via a supplier with weak cybersecurity and end up directly controlling critical mine safety systems, processing facilities or heavy machinery,” the review states. “Attacks on underground ventilation units, tailings, dam monitoring systems, pipeline controls or gas monitors, for example, could significantly impact worker and community safety.”

The rising digitalization of the mining sphere also increases the risk of security breaches just because when a device is digitally connected, it can be exploited, Fitch says. 

“A cybersecurity breach has the potential to disrupt operations and revenues, disrupt global supply chains, put employees at risk, disclose confidential information, damage company reputation and create substantial financial and legal hurdles. Outages can last for weeks and even months, with disruption to global supply chains.”

The motivation

The market analyst makes a point about the motivations for cyberattacks not being just monetary. For its experts, the increasing and continued importance of commodities as traded entities on international markets, the reliance on natural resources for economic development, and the need for countries to benefit from their own mineral deposits are all motivations for attack. 

As examples of what some players in the sector have had to deal with, Fitch describes what happened to Norsk Hydro — one of the largest aluminum producers in the world — back in March 2019. The Norwegian company was hit by a cyberattack that paralyzed the company’s computer networks. As a result, Norsk Hydro was forced to isolate plants and switch some operations to manual labour. The attack cost the company an estimated $40 million.

“The mining industry is highly exposed to vulnerabilities, with extremely important and sensitive data at stake”

Fitch Solutions Country Risk & Industry Research

Another notable cyberattack was the one experienced by Canada’s Goldcorp in April 2016, when hackers leaked 14.8GBs of data online by publishing a document on Pastebin with an URL address to a full torrent download. The archive included employee and financial data.

Three years before, Anglo American’s website was breached and sensitive data on payroll information, credentials and investor information was made public online. Hacktivist group Anonymous said it was responsible for the attack, which was part of its Operations Green Rights campaign against companies accused of being responsible for ‘destroying nature and ancient cultures.’

“Indeed, the mining industry is highly exposed to vulnerabilities, with extremely important and sensitive data at stake. Comparatively, only the larger players are investing in cybersecurity defence, and even then protection does not include every aspect of operations and information,” Fitch’s report states.

Based on its review, the industry researcher is convinced that the mining sector requires government-led initiatives and legislation to invest heavily in cybersecurity defences. These initiatives are to have a data-sharing component that allows companies to aggregate data from a larger pool of resources and which provides opportunities to spot and counter criminal trends and activities. 

More News