Defending the Mining Sector Against Security Threats
Considerations When Building a Holistic Mining Security Program
Building a holistic mining security program involves integrating effective cyber and physical security controls, but many mining operations are not entirely clear on what this entails.
Similar to many other operational process control industries – such as the electric, water, oil and gas utilities – mining companies rely on centralized enterprise Information Technology (IT) systems that interface with distributed business Operational Technology (OT) systems.
This results in varying system components that can span across multiple mine sites and regions.
“Cybersecurity is becoming increasingly important to mining companies. Many are now exploring streamlined operations that improve safety and efficiency through automation and interconnection of devices. Use of remote-controlled equipment is also gaining traction, where professionals can manage operations via dedicated centers located up to thousands of miles away from a mine site,” said Dennis Gibson, Chief Technical Officer for Mining at Black & Veatch.
“Security by Obscurity” No Longer
With the increased integration of IT and OT systems and networks, gone are the days of “security by obscurity” – the belief that systems can be secure through secrecy. Mining operators must now take a more transparent approach with operational, process control, health, safety, and environmental data center security (DCS), supervisory control and data acquisition (SCADA), programmable logic controllers (PLCs) and other Industrial Control System (ICS) devices and equipment.
“As a whole, the mining industry is becoming more proactive in investigating and establishing OT cybersecurity programs and projects for the protection and sustainment of their operational systems,” said Jerry Ward, Black & Veatch Security Principal.
Today, the convergent implementation of modern IT system technologies built on top of legacy OT technology and protocol foundations – that were not originally designed with cyber security requirements in mind – has resulted in systemic network and system security gaps. This exposes sensitive systems to today’s escalated levels of cyber and physical security threat.
As a result, it has become increasingly challenging for mining companies to establish and implement effective and sustainable management, procedural and technical OT security controls.
Pairing Security Knowledge & Mining Experience
Black & Veatch assists mining companies in successfully establishing and implementing effective and sustainable cyber and physical security programs. Our unique combination of electric industry operational security expertise paired with in-depth mining industry experience offers organizations a holistic perspective for safeguarding systems.
This approach includes “best fit” processes tailored to each mining entity’s current risk profile, covering its organization, governance, policies, processes and procedures; its technical security controls; and its future objectives.
Key initial systematic process efforts include:
- Scoping criteria for identifying applicable physical mining systems and their associated cyber systems
- Current state systems data discovery and technical characterizations
- Asset management, including linked association and documentation of mining systems and their associated cyber systems
- System impact criteria development
- Security control framework selection and tailoring
- Review and development of organization, governance, policies, processes and procedures
- Requirements development and documentation
- Future state security objectives
- Solution determinations to support future state security objectives
- Development of strategic security program implementation roadmap
While it’s becoming increasingly challenging to develop and implement cyber security programs for the mining industry, long-term success comes down to the development and application of a systematic multistep process. Black & Veatch has successfully assisted industry-leading clients with establishing security programs that reduce cybersecurity risks and satisfy associated security compliance requirements.
Expect to see more insights on this topic in an upcoming series of articles.