Cybersecurity is one of the biggest risks for all businesses. However, the alarm bell has been slow to sound in the mining industry. Cybersecurity risks arise as mining equipment and software increasingly become connected to public and private data networks. Cyber-attacks keep getting more costly – the average annual cost of cybercrime to a Canadian company was over $12 million in 2018, according to Accenture.
Industrial control systems (ICS) are another key vulnerability for mining companies. ICS are now networked, and it has become commonplace for production to be controlled from a single device. If an intruder takes control of that device, they also have control of your production. The Canadian Centre for Cyber Security issued 44 ICS advisories in 2019 on cyber threats, vulnerabilities or incidents affecting Canada’s critical infrastructure. 2020 is already on pace to exceed this number.
Here are 10 key things for miners to keep front of mind as they respond to the growing business risks of cybersecurity:
1. Motives for cyber-attacks against mining companies can vary. The motive may be financial, where the attacker shuts down the mining system until a ransomware payment is made. The motive may be political, where the attacker seeks to interfere with operations. Or the attacker could be driven by competition, aiming to steal IP and proprietary data.
2. No news is NOT good news. Many organizations assume that if they have not been made aware of an incident, that is good news. However, an intruder could easily be situated within your network waiting for the appropriate time to strike.
3. Risks from cyber-attacks include personal safety, temporary shutdown of business operations, ransomware demands, destruction and theft of data, regulatory investigation and proceedings, regulatory fines, drop in share price, damage to reputation, breach of contract litigation, shareholder litigation and third-party litigation involving personal safety issues.
4. Security practices by your third-party contractor can put your organization at risk. For example, poor security practices by a third-party contractor could allow a virus to migrate into the production environment, shutting down critical systems and creating unsafe working conditions.
5. Weaknesses within the supply chain could allow ICS equipment to be intercepted and malware installed prior to delivery at a mining site. Improper testing of the components prior to deployment might then allow the virus to proliferate undetected, resulting in a system crash, disrupting operations.
6. Managing third-party risks involves more than technological measures. Ensure third-party contracts appropriately consider and address the risk. For example: in what circumstances must the third party alert you to a security incident within their organization? How quickly must they alert you to this security issue? Who bears the cost should a security incident within the third party affect your organization? Do they have insurance to cover the range of realistic risks? Does the insurance address the damages that your organization may suffer as a result of the third-party incident?
7. Your cybersecurity is only as strong as your weakest link. Insufficient employee training on how to recognize spear phishing and social engineering attempts could enable a competitor to circumvent the organization’s security protocols and steal sensitive data. Insufficient employee training on how to recognize potentially malicious emails could enable an intruder to download malware onto your system.
8. In addition to outside intruders, hostile insiders may be a threat. What systems are in place to manage these threats?
9. Directors and officers may have personal exposure as a result of cyber-attacks against their organization. Exposure could arise in circumstances where it is alleged that they failed to exercise due diligence in ensuring there was proper governance, policies and procedures in place.
10. Invest the resources and time to understand the risks that are particular to your organization. Undertake a risk and vulnerability assessment that examines your operations and identifies the gaps in protection. Doing so not only manages the risk of attack, but can also help to minimize exposure in litigation arising from an attack.
Canadian mining companies need to be proactive as they respond to the alarm of cybersecurity risks, rather than simply reacting to incidents. It makes good business sense and can reduce the costs of responding to an inevitable attack.
RUTH PROMISLOW and MATTHEW FLYNN are both partners at Bennett Jones LLP, based in Toronto.