The resource sector is adopting innovation in particular digital technologies at an increasingly rapid rate — a confluence of the effects of the COVID-19 pandemic and the need to replace depleted existing reserves — that brings with it the risk of falling victim to cyber criminals.
Paul House, chief executive officer for leading mining-tech company IMDEX, says the take-up of new technologies was happening on a scale that had not been seen in the past.
“This is partly by necessity, to enable remote working, and partly by opportunity, as these technologies will enable faster drilling, more efficient drilling, and better decision making,” he said.
But every tool and technology that is added to a mining company’s arsenal — from exploration to production — increases the attack surface for hackers.
The threat of cyber-attack is increasing as competitors, organised crime, and “State-based actors”, seek to gain advantage by malicious means — searching for vulnerabilities in business systems that will allow them access to a company’s most important secrets.
The Australian Cyber Security Centre has warned that the likelihood and severity of cyber-attacks is increasing because of the growing dependence on new information technology platforms and interconnected devices and systems.
“Cybercrime is one of the most pervasive threats facing Australia, and the most significant threat in terms of overall volume and impact to individuals and businesses,” the ACSC said in its annual report last year.
Price Waterhouse Coopers’ 2021 CEO Survey revealed that 47 per cent of CEOs said they were extremely concerned about cyber threats. It was the top threat for CEOs in North America and Western Europe, second only to pandemics and health crises, at 52 per cent.
A breakdown for Australia revealed that 95 per cent of CEOs surveyed cited cyber as a threat to business growth.
Global communications company Inmarsat, in a 2020 report examining the rise of IoT in mining, said the majority of mining organisations were struggling to meet the security challenges presented by the IoT.
The report found that while respondents in their research were aware of the damage that a cyber attack could trigger, the response so far to the threats had been minimal.
Inmarsat Director of Mining Nicholas Prevost said the mining sector stood to make considerable gains by leveraging IoT.
“However, as IoT connects more parts of a mining company’s operations and infrastructure to the internet, this will inevitably create more access points for potential security breaches,” he said.
“Although most organisations are aware of these new dangers, the measures that have been introduced to address them have, so far, been insufficient.
“Considering the sector’s reliance on data for its operations and productivity, it is particularly worrying to see that some mining organisations have not taken any action to ensure they have an adequate cybersecurity strategy in place, as any security breach or compromise of data would likely grind an entire operation to a halt.”
IMDEX Information Security Manager Sameera Bandara said cyber threats come from various sources, including hackers doing it for fun, criminal enterprises, competitors, and nation states.
“They use proxies and zombies to mask who and where they are and even if we found them prosecution would be a problem,” Mr Bandara said.
The company’s approach was that its systems needed to be secure to protect its data and that of its clients.
“IMDEX spends $20 million [SB1] a year on research and development. If competitors could get access to technology or tools in development by hacking our systems, the financial and reputational costs to IMDEX would be enormous.
“But we also needed to protect our clients’ information by making our systems as secure as possible.
“We can then say if we have your data, then it is secure to a point where an attacker would have to spend considerably more resources to exploit than the value of the data.”
IMDEX supplies a range of technologies and tools that deliver data from exploration through to production, with the data uploaded to cloud-connected management tools and analytic software.
The company addressed the security issue by maintaining an Information Security Management System certified against ISO27001 security certification that covers:
- Software development processes;
- The product development lifecycle for its real-time subsurface intelligent solutions;
- Manufacturing and deployment of products and technologies;
- Client support processes; and
- Information technology systems for supporting these activities and digital functions.
Mr Bandara refers to it as the “gold standard” of data security — achieved after an arduous assessment of its information security management system and processes.
“Many companies say they are aligned with the ISO27001 requirements without actually being certified and that’s because a lot more rigour needs to go into getting certified” he said.