Why cybersecurity is the Achilles’ heel of automation

FM Global’s Andrew Stafford tells Australian Mining about the cybersecurity risks that should be considered when introducing autonomous machinery to mining.

The outlook in several segments of the mining sector is looking up. The industry is experiencing an uptick in demand, funding and sentiment.

The appeal of electric vehicles, the implementation of more stringent environmental legislation and household solar battery use are among the trends driving increased demand for commodities including lithium, cobalt, boron, vanadium, copper and nickel.

Bucking global trends, mining overtook transportation to become the leader in merger and acquisition activity in Australia during 2017, according to Mergermarket’s Australian M&A report.

The sector is in better shape than ever to take advantage of this boom. Miners have worked hard to optimise supply chains during the past decade. Operations have become leaner. Now the focus is turning more towards making individual mine sites more efficient – with data at the heart of these plans.

When it comes to data-driven optimisation, there’s an abundance of quick wins available. Industrial control systems are generating massive amounts of data. Add a layer of analytics over the top and a rich data trove becomes ripe for insights and optimisation.

When new scenarios can now be run in seconds instead of days, the impact is smarter, faster and more strategic operational change. We’re at a technological tipping point, in which the convergence of information technology (IT) with operational technology (OT) is enabling radical new possibilities.

The other side of the coin
Yet there’s another side to this coin – cybersecurity. Nobody likes to spoil a party, but ensuring your digital investments have the appropriate protections in place is key. The cost of failure here is simply too great.

Cyberattacks are increasing in number, roughly doubling every year since 2015. The financial impact on business is also on the rise, jumping 62 per cent between 2016 and 2018. These attacks are also becoming more physical in nature, damaging property as well as disrupting processes.

Imagine a wind turbine that gets hacked and spins out of control, causing millions of dollars in damage. As recently as 2015 there had been only two such recorded cases but tangibly destructive outcomes are now increasingly common.

The very assets that promise to speed mining’s transition to a digital future – industrial control systems with built-in connectivity – also have built-in vulnerabilities. Developed during a time when cyberattacks weren’t so pervasive, their ageing technology makes them susceptible to attack.

Poor software patching discipline and easily guessed passwords exacerbate the problem. The continued introduction of automation technology increases the attack surface in mining operations.

There’s also a shift in the types of cyber incidents to factor in. Some business leaders are still convinced they won’t be targeted, but the randomised nature of many attacks makes this a dangerous assumption. This is especially true in the mining sector, where a minor shutdown can cost millions of dollars.

The rise of indiscriminate attacks, like last year’s WannaCry and NotPetya, should be of major concern even for those without the dubious distinction of being directly targeted.

The global interconnectedness of business operations allows such untargeted attacks to spread easily throughout the system. The shutdown of a Cadbury’s factory in Tasmania in June 2017 was part of a worldwide shutdown of its parent company, Mondelez International.

These possibilities are becoming a reality for many. More than half of mining operators experienced a significant cybersecurity incident last year, according to Ernst and Young.

Resilience not compliance
Just as automation and the digital opportunity move up the board agenda, cybersecurity must too. Yet for too many organisations, it’s yet to be escalated beyond the IT department.

This is reflected in the fact that 97 per cent of mining operators admit their cybersecurity doesn’t meet their organisational needs.

There are three key aspects to managing cyber risk – physical security, industrial control systems and information security.

Boards and leadership teams looking to ensure their businesses are protected effectively must implement products, processes and educational initiatives taking each of these areas into account.

These should be reinforced with appropriate insurance coverage based on a holistic view of cyber risk.

Resilience, not simple compliance, should be the watchword when designing cyber strategies. Losses experienced are directly correlated not only to the severity of the cyber incident, but to the amount of time it takes to recover.

Balance risk reduction with developing an appropriate response plan to have in place if the worst happens.

The very same technology that is unleashing opportunity in the mining sector could become its Achilles’ heel if due attention isn’t paid to cybersecurity. Diligence now will ensure digital potential doesn’t turn into pain.

Andrew Stafford is client services manager for FM Global Australia and New Zealand. This article originally appeared in the November edition of Australian Mining.