GECI International

Mining companies need money in order to protect themselves from cyber crime. To get funding, new cyber risks need to be understood at board level.

By Mike Burgess, GECI

Africa is pinning its growth ambitions on a Fourth Industrial Revolution (4IR)-enabled economy.

But 4IR adoption without putting cyber safety first could undermine growth efforts and expand the risks to mining, manufacturing, heavy industry and key infrastructure.

Operational Technology (OT) is under a growing risk of cyberattacks, bringing with it the risk of far-reaching and costly impacts.

This article first appeared in Mining Review Africa Issue 1, 2020

But OT in most traditional heavy industries and infrastructure facilities has been run in silos behind ‘air gaps’ for so long that the board assumes it is safe from attack.

However, traditional approaches are no longer enough to secure heavy industry and infrastructure from cyber-attacks.

“The traditional ‘air gap’ between IT and OT is closing amid new business requirements associated with digitalisation, and this is increasing the potential attack surface and hence the cyber risk,” he says.

“We see a growing trend for ransomware and crippling attacks launched against key systems that keep infrastructure and societies functioning worldwide.”

Mines are starting to adopt IIoT and intelligent automation across the entire pit-to-port chain, from autonomous vehicles to robotic drilling, and all of these new technologies are connected.

Unless this new smart mine environment is built on a foundation of industry-specific cyber security, mines risk financial losses, threats to human health and safety and even complete shutdown. With margins as tight as they are, no mine can afford this risk.

The threat is real

Cyber risk has become such a major threat to the sector that Ernst & Young lists cyber risk among the top five business risks facing the mining and metals industry. 

And attacks on industrial facilities are taking place all the time, costing industries billions. For example, Norsk Hydro, an international aluminium, hydro and solar power firm, fell victim to a cyber-attack that crippled its computer networks in March 2019.

Its operations in some 50 countries were forced to revert to manual operations and clipboards to conduct their business for weeks, leading to serious operational inefficiencies and sales losses.

This attack was launched when an employee clicked on a phishing email, triggering a relatively new strain of ransomware called LockerGoga, which spread throughout all their international operations centres, causing losses so far forecast at $75 million. Such attacks are occurring and increasing weekly.

As mining operations embrace digitisation and IIoT to optimise their processes, they are increasingly opening themselves up to the risk of attack by cyber criminals, activists, and even possibly competitors or national enemies. So, automation is a double-edged sword, and mines need to make cyber security a top priority.

It’s about business, not IT

But motivating for additional spend on top of existing, traditional cyber security spend can be challenging. It is best to outline the significant risks the organisation could face in the event of an attack, including costly production outages leading to financial losses, catastrophic safety failures and environmental damage leading to potential liability issues, and theft of corporate IP leading to loss of competitive advantage.

The discussion with the board around OT security should be framed as a strategic one, rather than a technology issue. Key factors to be considered are risk management, safety and regulatory and compliance requirements.

Present to the board with a focus on facts, risks, the future, and actionable plans, including a mapping of the current cybersecurity framework to an accepted maturity model. The board should also be alerted to any known threats and the potential business risk of each.

Given the potential implications to the health and safety of human lives, environmental damage, financial losses, and in a worst-case scenario the very ability of a company to function, it is important that OT network security be addressed in a manner like IT network security – including having board-level visibility.

Nobody can afford to ignore 4IR progress with its known benefits of business efficiency and safety in mining. But mines wishing to move into the 4IR have to build cyber security into their strategies and systems from the ground up in both IT and OT environments, to counter the growing cyber risks facing them.

About the author

Mike Bergen is the Regional Director: Middle East & Africa for GECI International. GECI offers cyber-security solutions for both administrative (IT) & industrial (OT) environments. In South Africa, GECI has partnered with Sinac Group, which is 100% black-woman owned, to offer its cyber-security solutions to local companies.