Site Search

Menu

Topics

Loading Results

The cyber canary in the coalmine during COVID-19

Key takeaways

  • Unlike many industries, the effects of the COVID-19 pandemic have not been severe for mining.
  • While a potential bedrock for economic recovery, mining companies are ignoring a different threat: cyber security.
  • With consequences that include life or death, mining companies must act now to shore up their defences.

The world’s mining companies have weathered the COVID-19 pandemic relatively unscathed and remarkably better than many other industries.

Two PwC reports, Mine 2020 and Aussie Mine 2020, provide industry and financial analysis on the mining sector this year both globally and in Australia. In particular they highlight mining’s strong position and resilience, and the key role played in supporting communities and the broader economy during the novel coronavirus crisis.

Despite the fact that global growth is set to decline in 2020 —something that’s only happened twice since the 1940s — mining continues to be turned towards as the bedrock for economic recovery.

However, there is a potential crack in mining’s facade — both locally and globally — leaving the industry vulnerable to future shock: cybersecurity.

COVID-19 and mining

Despite uncertainty during COVID-19 when operations were disrupted, such as in Brazil, iron ore prices have risen, potentially limiting the total impact to the sector. Mining companies have strong finances and are mostly still operational, albeit with increased levels of precautionary controls. In Australia, the 50 companies that make up the mid-tier mining sector (the largest ASX mining companies with a market capitalisation of less than AU$5 billion as at 30 June 2020), or MT50, as a collective, have maintained consistent levels of revenue and profit throughout the year.

Mining companies have adapted and evolved in response to the pandemic. Some changes have been for the better, such as remote workforce planning and greater use of automation. Many of these adaptations may become permanent. In an uncertain environment, miners have focused intensely on controlling the things they can, and it is serving them well.

Increasingly, they are looking to adopt smart mining technologies to optimise safety, production, and decision making in order to create the mines of the future. However, with such digitalisation comes risk —when a device is digitally connected, it can be hacked. And worryingly, at a time when mining companies are becoming more vulnerable to cyber attack, CEOs are expressing less concern about the possibility.

The harsh reality of the situation

Given their physical nature, mining organisations may think they’re an unlikely target for cyber attacks. But as reliance on autonomous and digital technology grows, so too does the cybersecurity risk — and the consequences can be a matter of life or death.

In this year’s PwC Global CEO Survey, only 12 percent of mining and metals CEOs were ‘extremely concerned’ about cyber threats, compared to 33 percent of leaders globally and 26–32 percent in energy, utilities and resources (excluding mining and metals). And it isn’t a one-off, with concern falling over the last three years even as the number of reported cyber breaches among mining companies has quadrupled.

Mining cyber security image 1

As technologies become more interconnected, the potential cybersecurity threats and attack vectors are growing. The impact of these threats can be severe, resulting in production or revenue losses, harm to the environment, regulatory fines, reputational damage, constrained economic growth, the catastrophic shutdown of critical infrastructure and even loss of life.

This has been further compounded by the emerging complexities and convergence between operational technology (OT) and information technology. COVID-19 has reshaped how the sector scales its operations, reinforcing the need for an environment that supports remote working and automation.The growing reliance on third parties and less secure corporate networks (compared to isolated OT systems), as well as its limited workforce and varying levels of COVID-19 restrictions the industry is creating new entry points for cyber crime.

The consequences of such challenges could be severe. For example, hackers may find entry to a company’s network via a supplier with weak cybersecurity and end up directly controlling critical mine safety systems, processing facilities or heavy machinery. Attacks on underground ventilation units, tailings, dam monitoring systems, pipeline controls or gas monitors, for example, could significantly impact worker and community safety.

Threat vector graphic

Shoring up cyber security

Globally, the mining sector is one of the biggest targets for malicious emails, which are used to establish a foothold to launch a cyberattack.1 Additionally, 2020 has seen an increase in state-sponsored threats. In FY20, around 35 percent of total incidents impacted Australian critical infrastructure providers, while an estimated 70 cybersecurity incidents targeted the Australian mining and resources sector.2

Aussie mines phishing

The legacy nature of many OT systems means that, for mining, the cost of a cyber attack can be even greater than for companies in other industries. It is not a straightforward task to remediate OT systems, not only due to limited maintenance windows but also because these systems are often no longer supported by vendors. Trying to alter legacy systems can often carry far greater risk.

Straight off the bat, there are things that mining companies can do immediately to protect themselves.3

  1. Enable multi-factor authentication (MFA): The increased reliance on remote operations and third parties introduces new entry points for adversaries to attack. The use of MFA adds an additional layer of defence through combining authentication methods to verify a user’s identity and prevent unauthorised access.
  2. Patch holes. Mining companies tend to resist patching vulnerabilities in legacy OT systems, due to concern around unplanned system disruption and downtime. However, unpatched systems introduce vulnerabilities for adversaries to exploit and attack. Processes and procedures should be developed to rigorously test patches and updates to OT systems.
  3. Check privileged access management (PAM): Privileged users have full control of critical industrial control systems, making them a valuable target. Having weak PAM controls can allow hackers to target and impersonate legitimate users. Ensure that access rights for privileged accounts are allocated and regularly reviewed based on the user’s role.
  4. Partner with the Australian Cyber Security Centre (ACSC): The ACSC has a wealth of information that companies can access, helping to combat organised crime and nation state threats.

The cyber safety motherlode

Cybersecurity is just as much about behaviour as it is technology, and the ‘safety vein’ has to start at the very top before it winds down to all other levels. Embedding a safety culture across the company will be key in defending against increasingly nuanced phishing and ransomware attacks — and all organisations should have plans in place to prevent, respond and recover from a potential breach.

Many Australian mining organisations are not treating cyber as an organisation-wide risk, and often parts of the business remain unaware of their accountabilities. In fact, high-level mining executives in Australia would only trigger an industry response in the event of a catastrophic event.4 Despite this, more than 78 percent of those responsible for managing industrial control systems were concerned there would be an attack in the next 12 months.5

Cyber attacks can cause prolonged system outages that last weeks or even months, and have significant safety, operational, reputational, financial, legal and regulatory implications. There is no excuse for downplaying their likelihood or consequences. When it comes to cyber security, the time to dig in is now.

To read further about the state of the mining industry download the global top 40 Mine 2020: Resilient and resourceful report and MT50 Aussie Mine 2020: Resourcing the recovery reports. For further information on defending against, and responding to, cyber attacks check out PwC Australia’s cyber security site.

References

  1. https://docs.broadcom.com/doc/istr-24-2019-en
  2. https://www.homeaffairs.gov.au/cybersecurity-subsite/files/cyber-security-strategy-2020.pdf
  3. https://www.cyber.gov.au/acsc/view-all-content/essential-eight/essential-eight-explained
  4. https://www.e-mj.com/features/dealing-with-data-cybersecurity-in-the-covid-19-era/
  5. https://www.australianmining.com.au/news/mining-at-high-risk-of-cyber-security-threats/

{{filterContent.facetedTitle}}

Related Articles
heading
Digital Pulse shares insights from PwC experts to empower your digital journey. By exploring stories at the intersection of humanity and technology we help you solve today’s business challenges to unlock the possibilities of tomorrow.
sitelinks Home Topics About
policylinks PwC Consulting Privacy Legal disclaimer
sociallinks Connect with us Email Twitter
subscribe Get the latest in your inbox weekly. Sign up for the Digital Pulse newsletter.

© 2021 - 2024 PwC. Digital Pulse shares expertise from PwC consultants and wider industry networks to provide thought leadership and actionable insights to empower your digital journey. We focus on transformational change and how this impacts consumers and business alike.

Industries
Agribusiness and Food Banking and Capital Markets Construction and Transportation Education and Skills Entertainment and Media Government Insurance Power & Utilities Retail and Consumer Real Estate Telecommunications
Asset Management Charities and Not-for-profit Defence Energy (Oil & Gas) Financial Services Healthcare Mining Infrastructure Superannuation Technology
Capabilities
Asia Practice Assurance Business Align & Connect Consulting Cybersecurity and Digital Trust Deals Digital Transformation Energy Transformation Environment, Social and Governance (ESG)
Future of Work Indigenous Consulting Integrated Infrastructure Legal People & Organisation PwC Private Strategy Tax
About Us Alumni Governance Board Diversity and Inclusion Executive Board Non-executive Director Centre Social Impact Suppliers of PwC The New Equation
Media
Insights
Careers Student careers Graduate careers Experienced careers
Contact Us Local Offices Sitemap
Digital Pulse Topics About us Subscribe

© 2017 - 2024 PwC. All rights reserved. PwC refers to the PwC network and/or one or more of its member firms, each of which is a separate legal entity. Please see www.pwc.com/structure for further details. Liability limited by a scheme approved under Professional Standards Legislation.