TECHNOLOGY

Cybersecurity in mining: Already a business imperative but soon a legal obligation

Miners and METS are prime targets for cyber-attacks. Bill designed to improve defence

Cybersecurity in mining: Already a business imperative but soon a legal obligation

Credits: Shutterstock

The Australian government has introduced its first standalone Cyber Security Bill, which – among other things – will require businesses to up their reporting standards and adhere to new regulations.  

The bill comes in an age of increasing scams and cyberattacks on organisations, not least those in the mining industry.  

In August Evolution Mining was hit with a ransomware attack

Months earlier, Northern Minerals reported a cyber-attack when a group called BianLian accessed the company's systems, operational details, research and development data, financial information, personal data of employees, shareholder information, and high-ranking executives' email archives. 

The data was then offered for sale on the dark web. 

In March 2023, Rio Tinto was hit with one of the biggest cyber-attacks in the mining industry's history when hackers accessed a wealth of company data, also with the intent of leaking it on the dark web.  

Employees' family and financial information, payroll information, and other critical data was extracted from Rio's systems.  

Latest data from the Australian Signals Directorate shows that one cyber-attack report is made in Australia every six minutes, with each attack costing large businesses just under $72,000.  

These figures are from the 2022-23 financial year. Cybercrime has expanded and evolved since then. 

 

 

Mining equipment, technology and services companies are becoming increasingly juicy targets. According to data from cybersecurity firm Darktrace, 40% of METS businesses in Australia have been hit with some form of cyber-attack in the last year.  

"We've seen some prevalent ransomware attacks, but also insider threat attacks, in organisations over the last year, specifically in mining," Darktrace ANZ regional vice president Sushant Arora said.  

While technology advancements and the growing use of artificial intelligence have made cybersecurity more effective than ever, Arora said the problem was criminals who carried out these cyber-attacks were also taking advantage of new technologies – meaning there is something of a competition between companies and cyber attackers to leverage the newest technologies first. 

Darktrace ANZ regional vice president Sushant Arora | Credits: Darktrace

"The threat landscape keeps on changing, new vulnerabilities pop up, and it's hard for organisations to keep up," he said.  

"It's a race in terms of defending yourself because the attacker is also using new techniques."  

Old threats, new methods 

While the techniques are different, the end goal is the same. One of the most common kinds of cyber-attack is still ransomware, where attackers access sensitive data, encrypt systems and lock them down, then demand a payment to unlock the network.  

Unless a business has recent full-system backups, the quickest and often cheapest way to get systems back online is to simply bite the bullet and pay the criminals, giving in to their demands.  

An issue becoming increasingly prevalent is what Arora said was known as "double extortion".

Here bad actors are not only encrypting data and holding systems for ransom, they are also exfiltrating data and copying it into their own systems. 

It means even if a company pays up, the attacker still has the data and can sell it on the dark web. 

What does the new bill propose, and who is impacted? 

The cybersecurity bill proposes stronger reporting obligations for businesses, with any "reporting business entity" that pays a ransomware fee to be required to notify the ASD and the Department of Home Affairs within 72 hours of payment.  

It is not clear how many ransomware attacks are carried out each day. A large miner, for example, might pay a relatively small ransom that is not significant enough to impact its bottom line and decide to not report the attack.  

Under the proposed laws, reporting will be a legal obligation.  

"We probably will start to see more reporting of cyber incidents than we have historically in the past, so we'll hopefully get more accurate data," Arora said.  

The bill also proposes the establishment of a Cyber Incident Review Board to investigate cybersecurity incidents.  

Notionally, the CIRB will look into how the attacks occurred, what companies could have done to better prevent or better respond to it, and what kind of technologies were used by attackers.  

These findings can then be shared with other businesses to improve cybersecurity frameworks across the board.  

Manufacturers of internet-connected devices will also be required to comply with new security standards as the internet-of-things landscape evolves.  

Cyber Security minister Tony Burke said Australia needed a "clear legislative framework" to address new and emerging cyber threats. 

"We need a framework that enables individuals to trust the products they use every day," Burke said in his speech for the second reading of the bill.

"We need a framework that enhances our ability to counter ransomware and cyberextortion. 

"We need a framework that enhances protections for victims of cyber incidents and encourages them to engage with government, and we need a framework that enables us to learn lessons from significant cybersecurity incidents so that we can be better prepared going forward." 

Why do mining companies get targeted? 

Hackers do not want to waste time on companies that do not have the money to pay up when they make their demands.  

Mining companies – particularly publicly listed ones – usually have big balance sheets. Even junior explorers can have several millions of dollars in the kitty, so if a malicious cyber group can get a few hundred thousand here and a few hundred thousand there, it can make for a lucrative endeavour.  

And METS and mining companies are often more likely to pay up because they need their systems operational for processing, smelting and refining. A lack of access to operation technology for even a day or two can have devastating impacts on profits.  

It makes them prime targets for hackers because the cost of giving in to the hackers' demands to get their operations back online can be far lower than the opportunity cost of mining downtime.  

Arora said for mining companies, in particular, many of their operational tech systems perform certain tasks exceptionally well but are decades old because it takes a lot of time, effort and money to buy and learn a new system.  

Beyond this, performing a cyber-attack is simply becoming easier, and with the help of AI, bad actors can carry out scores more attempts than they could before. The sheer increase in the volume of attacks means more mining companies are being targeted simply by chance. 

AI: A double-edged sword 

The growth of AI has drastically improved cyber defence capabilities.  

Darktrace, for example, uses advanced AI to examine and learn customer trends and subsequently identify any anomalies in typical behaviour – which are often early indicators of suspicious activity – to detect threats and deal with them before they can encrypt information.  

The AI also enables automated responses triangulated on the threatened area, so entire systems do not need to be paused while a threat is handled.  

Inversely, cyber-attackers also have access to AI. They can use technologies to automate their own attacks or to learn about particular individuals in a company and starting building rapport with them until they let their guard down and open themselves up to an attack. 

The advancement of AI means bad actors are far more efficient and far more effective, so if defence systems do not respond in kind, they are behind in the race against cyberthreats.  

Who ultimately stands to lose? 

Companies can suffer reputational damage, data loss, and blows to profits if they fall victim to a cyber-attack.  

Customers can have their sensitive data leaked and personal information shared online.  

Investors can also lose out if a company they back gets hit by an attack because the impact to profits and reputation directly affects share prices.  

Thus, it is a company's duty to its shareholders – the owners of the business – to stay on top of cybersecurity.  

It is a business imperative.  

With the introduction of the cybersecurity bill, it could soon be a legal imperative, too.  

A growing series of reports, each focused on a key discussion point for the mining sector, brought to you by the Mining Monthly Intelligence team.

A growing series of reports, each focused on a key discussion point for the mining sector, brought to you by the Mining Monthly Intelligence team.

editions

Mining Magazine Intelligence Exploration Report 2024 (feat. Opaxe data)

A comprehensive review of exploration trends and technologies, highlighting the best intercepts and discoveries and the latest initial resource estimates.

editions

Mining Magazine Intelligence Future Fleets Report 2024

The report paints a picture of the equipment landscape and includes detailed profiles of mines that are employing these fleets

editions

Mining Magazine Intelligence Digitalisation Report 2023

An in-depth review of operations that use digitalisation technology to drive improvements across all areas of mining production

editions

Mining Magazine Intelligence Automation Report 2023

An in-depth review of operations using autonomous solutions in every region and sector, including analysis of the factors driving investment decisions