The digital revolution is happening. Advanced technologies that blend hardware and software with Big Data – a combination of automation, Wi-Fi sensor technologies, cloud-based systems and data analytics – have the potential to profoundly change the face of mining forever.
These technologies show good promise to safeguard health and safety, improve collaboration, increase operational efficiency and productivity, and strengthen resilience while ensuring long-term sustainability and profitability. But as digital systems and connected devices become more prevalent, mining companies need to remain diligent in keeping cybersecurity top of mind.
The number, frequency and sophistication of cyberattacks continue to increase across all industries as hostile actors seek to inflict harm – disrupting operations, damaging equipment and the environment, and causing injury to personnel. No industry is immune to the challenge, and today’s technologically advanced mining operations are at risk.
Overall, the mining industry is being proactive when it comes to establishing cybersecurity programs. Ensuring security is a highly complex endeavor for any industry, but perhaps more so for mining, which involves large-scale, geographically dispersed locations with thousands of assets.
“Security by Obscurity” No Longer
Similar to other operational process control sectors – such as manufacturing, pharmaceuticals and energy, water and oil & gas utilities – mining companies rely on Information Technology (IT) systems that interface with Operational Technology (OT) systems. IT systems are used to process data, including software, hardware, communications technologies and related services, while OT systems consist of the hardware and software used to monitor and/or control the devices used in enterprise operations.
As IT and OT systems become increasingly integrated and march along the path to convergence, gone are the days of “security by obscurity” – the belief that systems can be secure through secrecy, or by simply being unknown. Considering the growing prevalence of technology in mining, operators need to take a more deliberate approach to protect their operational, process control, health, safety and environmental data center security, supervisory control and data acquisition (SCADA), programmable logic controllers (PLCs) and other industrial control system devices and equipment.
The Cybersecurity Asset Data Challenge
Black & Veatch has worked with several major mining companies to support assessments of their OT cybersecurity practices and develop OT cybersecurity improvement roadmaps. This experience revealed that most mining companies do not formally document or track the cyber assets they have, leading to a gap in cybersecurity-related asset data. This information is necessary to implement an effective security program – fundamentally speaking, “you can’t protect what you don’t know you have.”
Four Steps to an OT Cybersecurity Solution
An important first step for any mining company working to secure its digital assets is to establish an authoritative OT cybersecurity asset data management solution to formally control and maintain all cybersecurity-related data. This can be accomplished by following these four steps:
When developing a cybersecurity program business case, it is necessary to balance costs with enhanced security risk reduction. To do this, mining companies should identify those assets that are both vulnerable to cyber-attack and critical to maintaining operational safety and reliability. Because there are few to no mining-specific regulations around cybersecurity, Black & Veatch defines these assets as critical mining assets and their associated critical OT digital systems.
- Critical mining assets are those mechanical and/or electrical systems/assets used to perform real-time monitor, command and/or control (via human or electro-mechanical means) of one or more of the following operational mining functions: commodity processing, drill, blast, load, haul, crush, convey, mill, leaching, etc.
- Associated critical OT digital systems are those cyber systems used to monitor or provide command and/or control of the real-time critical mining assets.
The OT Asset Data SOR serves as a formally controlled and maintained asset data repository for all critical mining assets and associated critical digital systems.
The SOR should contain up-to-date information documenting key asset attributes that identify, physically locate, characterize and associate an entity’s critical mining assets and associated critical digital systems; including, at a minimum, the following asset-level data attributes:
- Critical mining assets such as drill platforms, blast systems, loaders, haul trucks, crushers and conveyors: physical location, make, model, serial number, asset type, functional parameters, asset owner, etc.
- Critical OT digital assets such as system applications, databases, computers and other devices: physical location, make, model, serial number, asset type, host ID/name, IP address, serial connectivity, asset owner, key hosted applications, etc.
Applicable OT system/component configuration information is also required to support next step security configuration management and monitoring requirements.
Many mining companies will find that the most convenient and available SOR repository for cybersecurity-related asset data is their existing Enterprise Asset Management (EAM) system. These systems already contain critical mining asset and related physical attribute data, reducing the complexity and cost of adding cyber-related attributes to a separate repository.
But mining companies should note that the sensitive nature of the data contained within the SOR means that caution must be taken when establishing user access and change controls. Restricting access should be commensurate with the security and controls of the physical and OT assets for which the data is associated.
Once the critical mining assets and associated critical OT digital systems have been defined, the next step is to identify the actual assets and systems and inventory their cybersecurity data. This is an important step that will help operators discover information gaps related to the completeness, accuracy and location of data.
To do this, mining companies should develop a process for collecting missing or inaccurate cybersecurity-related asset data. This process should specify data collection and storage methods as well as provide for the transfer of existing data from outside systems to the appropriate SOR.
Policies and procedures that govern when and where the technology may be delivered and applied, who may use it, and the data to be collected and maintained, will be necessary to establish a complete OT cybersecurity program. Operators should review existing IT security policies and procedures, conduct an OT technologies gap analysis, and update current governance documents to either include OT or create analogous OT-specific governance policies and procedures. A subset of these policies and procedures should include Disaster Recovery and Incident Response plans that should also be reviewed and updated to cover both OT and IT.
Change management will also be critical to provide information, rationale and guidance to help employees understand the purpose of the new OT cybersecurity strategy as well as how to apply these technical, operational and procedural changes. Effective execution requires proactive communication, coordination, scheduling and training. All parties will need to understand the changes, when they will take effect, and if they require any new instructions, training, devices, tools, or credentials to successfully perform their assigned tasks.
Advanced systems will play a larger role as mining companies increasingly turn to technology to drive operational improvements. It’s already happening – according to a 2015 IDC Energy Insights global survey, 69 percent of mining companies are investigating remote operation and monitoring centers, 56 percent are looking at new mining methods, 29 percent are eying robotics and 27 percent are considering unmanned drones.
With these numbers in mind, it’s not a stretch to expect to see advanced technologies become more prevalent at mining sites in the not too distant future, making it imperative that mining companies work to establish effective cybersecurity measures today. Implementing an OT cybersecurity asset data solution now will establish the foundational elements necessary for the organization’s overarching security program; ensuring safe, secure, reliable and sustainable operations for the long-term.
This article originally appeared in the June/July 2019 issue of Canadian Mining Journal, and has been reprinted with their permission.