By Luke Forsyth, Partner at Deloitte
Innovations such as autonomous mining, remote operations and electric vehicles have profound benefits for miners – but they also increase the cyber-attack surface of the mine of the future.
As mining operations increasingly adopt automation and advanced technology, cyber security has become a critical aspect of successful mining practices. The industry's transition from human operators to autonomous or remotely operated systems increases the vulnerability of mining operations to cyber-attack.
Consequently, it is increasingly essential to establish robust cyber security measures. The industry can, however, draw lessons from the safety revolution in mining and apply some of these lessons to the cyber-defence of the mine of the future.
The current revolution in mining stretches far beyond automation. Automation itself has proven to have profound benefits in cost reduction and in reducing the probability of safety incidents and other interruptions to operations. Remote operations and remote automation supervision also bring cost reduction benefits and substantial benefits in employee welfare by reducing the requirement for travel away from family and friends. Another benefit which the industry is becoming increasingly aware of is the carbon reducing benefit of decreased travel and the capacity for greater carbon efficiency in autonomous vehicles.
Electrifying change
The next wave of change is here, as industry is now witnessing the introduction of electric vehicles (EV) for haul trucks. This is being followed by the introduction of EV for rail, drill and blast, watering and site maintenance. Site power generation is moving from fuel oil and diesel to solar and wind; battery storage is being introduced in support of the renewable power generation; and site physical security and safety cost and effort are also being reduced through increased use of sophisticated CCTV and onboard vehicle cameras. All these innovations have substantial benefits for carbon reduction and employee welfare.
Unfortunately, all these innovations also increase the cyber-attack surface of the mine of the future. An autonomous or remotely operated vehicle or fixed plant is inherently more vulnerable to hacking than vehicles or plants under human operator control. It is hard to hack a person. This hacking can be directed at the in-situ controls of the vehicle and plant or can be directed at their communications channels.
The potential disruption to operations is by itself of sufficient concern. An 80,000t train, a 400t haul truck or a drill and blast truck carrying explosives each also present their own risks.
Solar and wind power generation must be geographically distributed and is more vulnerable than fuel-powered generation, which has substantially lower requirements for physical and electronic security. Current solar and wind farm technologies also have lower than desired communications protection. The nations of origin of many solar and wind generation technologies are another consideration. EV batteries, and in particular high-voltage fixed location storage batteries, have potential vulnerabilities to both standard logical hacking and electrical noise techniques.
Drones are another area of innovation that also introduces new risk. Drones can now be employed in exploration, site survey, maintenance, pest management and even physical security. The cost of drones is decreasing as rapidly as their range increases.
Drones with extensive range and comparatively low cost are now widely available commercially. A cleaning drone with a 20L water storage tank is also a 20kg projectile. As evident from recent wars, drones that carry a relatively small amount of explosive or incendiary material can be turned into a potent weapon. Drones can also be used to carry electronic warfare tools such as signal jamming. This could have impacts for vehicular and remote operations communications.
Generative artificial intelligence (GenAI) is highly topical. Mining already makes substantial use of other types of AI, particularly predictive AI. GenAI has particular potential for mining because it offers the opportunity to base decision-making on accurate simulated data and is less dependent on the availability of accurate and referenceable historic data. This, in turn, makes GenAI more vulnerable to attacks that inject disruptive data into the model, corrupt the operational integrity of trained models or create distorted conclusions.
The presence of potentially compromising input data or output conclusions also carries commercial and compliance risks. AI is being employed to model both cyber-attack and cyber-defence and this modelling is a particularly attractive target for malicious distortion. Unfortunately, AI, and GenAI in particular, forms part of the increasing cyber-attack surface of mining.
Keeping cyber safe
All is not, however, doom and gloom for those striving for the mine of the future and this hope comes in significant part from one of the key recent successes of mining, the safety revolution that began in the 1980s.
This safety revolution has had a profound impact on mining and the welfare of the people working in mining. Some of the lessons learnt, such as ‘safety shares’ and ‘if you see something, say something’, have also proven to be effective in cyber-defence. For example, one of the earliest indicators of cyber compromise of a site can be a staff member reporting strange behaviours by their desktop computer.
The systematic analysis of hazards in the workplace is sometimes known as process hazard analysis (PHA). There are many useful guides and standards that apply to the systematic reduction of risk in the workplace. One example is IEC 61511 Functional Safety. A similarly methodical approach is required for limiting cyber risk. Cyber can learn a lot from mining.
A key difference between cyber-risk and safety is that in cyber only the processes that may be targeted by a malicious external or internal actor are being looked at. This is a much smaller number of processes than may be considered for a safety analysis, when all processes should be considered. When considering these different actors, it’s also important to consider whether external and internal actors may be cooperating.
Malicious insiders are often motivated by dissatisfaction with their remuneration, coercion through blackmail, bribery, a change in political views such as environmental concerns, or sometimes simply boredom. External actors are increasingly organised crime groups acting with the support or tolerance of nation states, and may be motivated by ransom, damage to a competing commercial interest, or national and industrial espionage. This analysis of potential cyber threats is unsurprisingly known as a cyber threat analysis (CTA).
Undertaking a process analysis
To choose the processes likely to be targeted by a cyber-attack, organisations undertake a cyber critical process analysis (CCPA). ISO 22301 Security and Resilience – Business Continuity Management Systems or the more succinct Good Practice Guidelines (GPG) of the Business Continuity Institute (BCI) are commonly employed to facilitate the CCPA.
Where organisations have already made substantial progress on their BCP, the cyber analysis begins with a review of the hopefully complete list of processes. The CCPA then focusses on the sub-set of processes that would be critical because they are the subject of a cyber incident, or which may become critical during the probable duration of a cyber incident. For example, core production processes with potential cyber vulnerabilities will obviously be part of the CCPA list. However, other processes which have a critical role during an incident, such as government and media relations, customer relations or treasury, will usually also be part of the list.
The ability to maintain communications as well as to accept and make payments is often critical. Most organisations will have conducted a business impact analysis (BIA) for each of their processes as part of their BCP. These BIAs will usually need to be reviewed, as the standard BCP will need to be refocussed on potential cyber threats identified in the CTA.
The CCPA is then broken down so that for each process the company can identify:
- The sub-process stages of each of the critical processes
- The list of assets that support each sub-process stage
- Which of the supporting assets are critical to that process
- The key personnel who support each of these sub-process stages and assets
The results of this assessment can sometimes prove surprising:
- In operational technology (OT) centric environments like mining, the list of assets can be very incomplete
- Information technology (IT) environments can usually be actively scanned, and almost all IT equipment frequently self-identifies on the network
- OT equipment may not yet use Internet Protocol (IP) and may not identify on the network frequently
- Industrial Internet of Things (IIoT) may not identify on the network at all or only identify through perimeter controls (firewalls and jump hosts)
To address these shortcomings in the asset list it may be necessary to undertake a period of observing the network in each network area, known as a segment. This study is known as a traffic flow analysis (TFA). This TFA may take anywhere from 14 days to six months, depending on the complexity of the network and the infrequency with which some critical equipment may communicate.
Each process and sub-process is then cross-referenced:
- Are there assets that are not considered critical for any single sub-process but whose frequency across all critical processes requires further consideration?
- Who are the key personnel and groups supporting each critical asset and sub-process?
- Is the geographic and network location of all critical assets accurate?
- Is there real-time continuous information available on the operational status of each critical asset? If not, then plans need to be made for this to be available.
- Does the current BCP need to be updated for the critical assets and their supporting personnel?
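The breakdown, the TFA correction of the asset list and the cross-referencing questions above can be kept as a worksheet and checked mechanically. The following is an added example, not part of the original article; the process, asset and segment names, the register fields and the threshold of three stages are all constructed assumptions.

```python
from collections import Counter

# Constructed CCPA worksheet: process -> sub-process stage -> [(asset, critical?)]
CCPA = {
    "haulage": {
        "dispatch": [("fms-server", True), ("core-sw", False)],
        "haul": [("truck-ctl", True), ("lte-radio", True), ("core-sw", False)],
    },
    "treasury": {"payments": [("erp", True), ("core-sw", False)]},
}
# Constructed asset register: asset -> network segment, owner, live status feed
REGISTER = {
    "fms-server": {"segment": "ot-dmz", "owner": "ot-ops", "monitored": True},
    "truck-ctl": {"segment": "ot-field", "owner": "ot-ops", "monitored": False},
    "lte-radio": {"segment": "ot-field", "owner": None, "monitored": True},
    "erp": {"segment": "it-core", "owner": "finance-it", "monitored": True},
    "core-sw": {"segment": "it-core", "owner": "network", "monitored": True},
}
# Constructed TFA result: (segment, asset) pairs seen during passive observation
TFA_SEEN = {("ot-dmz", "fms-server"), ("ot-field", "truck-ctl"),
            ("ot-dmz", "lte-radio"), ("ot-field", "plc-crusher-7")}

def stages(ccpa):  # flatten to (process, stage, asset, critical) rows
    return [(p, s, a, c) for p, subs in ccpa.items()
            for s, assets in subs.items() for a, c in assets]

def shared_noncritical(ccpa, min_stages=3):
    """Assets critical to no single stage but supporting many of them."""
    rows = stages(ccpa)
    critical = {a for _, _, a, c in rows if c}
    counts = Counter(a for _, _, a, _ in rows)
    return sorted(a for a, n in counts.items()
                  if a not in critical and n >= min_stages)

def register_gaps(ccpa, register):
    """Per critical asset: location, owner or status feed still missing."""
    gaps = {}
    for a in sorted({a for _, _, a, c in stages(ccpa) if c}):
        rec = register.get(a, {})
        missing = [k for k in ("segment", "owner", "monitored") if not rec.get(k)]
        if missing:
            gaps[a] = missing
    return gaps

def tfa_findings(seen, register):
    """Assets the TFA saw that the register lacks or places in another segment."""
    unknown = sorted(a for _, a in seen if a not in register)
    misplaced = sorted(a for s, a in seen
                       if a in register and register[a]["segment"] != s)
    return unknown, misplaced
```

On this sample data the shared switch is flagged despite being critical to no single stage, two critical assets lack an owner or a status feed, and the TFA surfaces one unregistered OT device and one asset recorded in the wrong segment.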
A key consideration must be establishing a priority and justification for any change that may be required. This is particularly the case where the change may need to be staged over a progressive number of shut-downs at respective sites.
Reducing risks
Risk mitigation plans should then be updated or developed with the knowledge gained during the PHA process. These risk mitigation plans should then be ranked to establish the priority of action during an incident.
The objective of the cyber process hazard analysis (CPHA) is not to create new parallel plans or introduce new unnecessary complexity. In safety centric industries like mining, CPHA will usually require the addition of new criteria to existing operational and safety processes.
Two key considerations are that cyber then also needs to be included in the training and rehearsal of these plans and procedures, and that the traditional PHA will be used with a focus on cyber-attack scenarios that would prevent safeguards from operating properly.
ISA/IEC 62443 is usually then employed to conduct this review. Unfortunately, the NIST cybersecurity framework (CSF) has insufficient detail on OT for most mining environments. ISO 27001 also lacks details on OT and is now most often found where its use is required by regulation in the finance, telecommunications and federal government mandated environments. ISA/IEC 62443 provides workable and detailed guidance but can be used selectively, rather than dogmatically as is required by ISO 27001.
CPHA is specifically designed for safety and operationally focused industries such as mining and energy. The intention is to utilise proven tools and techniques wherever possible.
It is important to note that none of the standards or guidelines are applied in their entirety and attempts to certify to these standards are rarely justified.
The CPHA’s focus on protecting critical processes has demonstrated superior operational and cost-effectiveness. This approach not only enhances security but also optimises resource allocation, fostering a more resilient and efficient operational environment.