Effective Mining Cybersecurity Programs Hinge on Accurate Asset Inventories

Mining Companies Need to Establish Effective Security Controls

The mining industry as a whole is taking proactive measures to establish cybersecurity programs that help protect and sustain its strategic and operational systems. Ensuring digital security is a highly complex endeavor for any industry, but perhaps more so for mining operations, which involve large-scale, geographically dispersed locations with thousands of assets.

Although challenging, it remains imperative that mining companies establish effective security controls for critical business assets and associated cyber systems. Doing so requires an authoritative System of Record (SOR) to serve as a formally controlled and maintained asset inventory data repository. 

As discussed in the first article in this series – Defending the Mining Sector Against Security Threats – building a holistic mining security program involves integrating effective cyber and physical security controls. An asset data SOR plays a large part in helping mining company leaders understand their critical business assets and associated cyber systems.

“You Can’t Protect What You Don’t Know You Have”

An asset data SOR should contain up-to-date information documenting key asset attributes. These attributes should identify, physically locate, characterize, and associate an entity’s critical mining assets and associated cyber systems. Critical mining assets are those systems used to perform real-time monitoring, command, and/or control of one or more of the following operational mining functions: commodity processing, drill, blast, load, haul, crush, convey, mill, leach, carbon handling/refining. Associated cyber systems – including component-level cyber assets – monitor, command/control, and/or contain data required for managing critical mining assets.

The SOR can consist of a monolithic data system solution or an integrated set of individual data systems providing portions of the required data items rolled-up to a composite user interface. The SOR should be configured to support and include the following asset-level data attributes:

  • For critical mining assets such as drill platforms, blast systems, loaders, haul trucks, crushers and conveyors: physical location, make, model, serial number, asset type, functional parameters, asset owner, etc.
  • For critical cyber assets such as system applications, databases, computers and other devices: physical location, make, model, serial number, asset type, host ID/name, IP address, serial connectivity, asset owner, key hosted applications, etc.

In addition, applicable cyber system/component configuration information – such as operating system (OS) version, software application versions, custom software code, firmware version, security patches, required physical and logical ports – would be required at some level to support security configuration management and monitoring requirements.

Note that this detailed level of configuration information may not be required or practical at the top-level asset management SOR. However, this information will eventually need to be stored and made accessible from a formally controlled data source, as it will help identify which types of security controls are needed.
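
The attribute lists above can be turned into an automated completeness audit of SOR records. The following is an added example, not part of the original article: the field names, the `class` and `supports` fields used to associate a cyber asset with the mining assets it serves, and all sample records are assumptions constructed for illustration.

```python
# Added example: SOR completeness audit; field names and sample data are constructed.
COMMON = ["physical_location", "make", "model", "serial_number",
          "asset_type", "asset_owner"]
REQUIRED = {
    "mining": COMMON + ["functional_parameters"],
    "cyber": COMMON + ["host_id", "ip_address", "serial_connectivity",
                       "key_hosted_applications"],
}

def audit_sor(records):
    """Return {record key: [gaps]} for every record with an inventory gap."""
    mining = {r["serial_number"] for r in records
              if r.get("class") == "mining" and r.get("serial_number")}
    findings, seen = {}, set()
    for i, rec in enumerate(records):
        key = rec.get("serial_number") or f"record#{i}"
        cls = rec.get("class")
        if cls not in REQUIRED:
            findings.setdefault(key, []).append("unknown asset class")
            continue
        gaps = [f"missing {f}" for f in REQUIRED[cls]
                if rec.get(f) in (None, "", [])]
        if key in seen:
            gaps.append("duplicate serial_number")
        seen.add(key)
        if cls == "cyber":
            # Each cyber asset must be tied to the mining asset(s) it serves.
            links = rec.get("supports") or []
            if not links:
                gaps.append("no associated critical mining asset")
            gaps += [f"supports unknown asset {s}" for s in links
                     if s not in mining]
        if gaps:
            findings.setdefault(key, []).extend(gaps)
    return findings

def _rec(cls, serial, **extra):
    base = dict.fromkeys(COMMON, "sample") | {"class": cls, "serial_number": serial}
    return base | extra

SAMPLE = [  # constructed records: one haul truck, two cyber assets
    _rec("mining", "HT-001", functional_parameters={"payload_t": 220}),
    _rec("cyber", "PLC-17", host_id="plc17", ip_address="10.0.5.17",
         serial_connectivity="RS-485", key_hosted_applications=["dispatch"],
         supports=["HT-001"]),
    _rec("cyber", "HIS-02", host_id="hist02", serial_connectivity="none",
         key_hosted_applications=["historian"], supports=["CR-999"]),
]
```

Calling `audit_sor(SAMPLE)` flags only `HIS-02`, which lacks an IP address and points at a mining asset that is not in the inventory.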

Managing Critical Data Throughout the Life Cycle

Another benefit to developing an integrated and controlled asset SOR is that it can serve as a core data source to support downstream configuration and compliance life cycle management requirements. However, it is important to note that the SOR, through its aggregation of this critical data, is particularly sensitive and thus should be equipped with all necessary physical and logical security controls commensurate with those afforded to the assets for which the data is associated.

Development of an asset SOR should be an integral part of any cybersecurity program as it is necessary to achieve an effective and cohesive cybersecurity strategy road map.

Expect to see more insights on the topic of mining cybersecurity in upcoming articles.

Subject Matter Experts
Dennis Gibson: GibsonDB@BV.com
Jerry Ward: WardJH@bv.com
