A new survey has found that many Australian mining businesses are unprepared for cyber security attacks and are failing to put appropriate measures in place to prevent them.
More than 2000 risk, compliance and security specialists took part in the Seclove survey, which uncovered that more than 78 per cent of those responsible for their organisation’s industrial control systems were concerned there would be an attack in the next 12 months.
Of this number, 45 per cent were “extremely concerned”, with large companies operating in high-risk target industries like mining, energy and utilities being the most concerned.
Seclove’s survey also found that one third of respondents with operational technology (OT) responsibilities had implemented new OT in the past two years, only 31 per cent had used a third party to test their OT security and one in 10 businesses hadn’t undertaken any reviews or updates in the past two years.
PricewaterhouseCoopers (PwC) Australia, in its Mine 2020: Rocky but Resilient report, stated that the top 40 miners have much work to do in the cyber-security space as they embrace more automation and digital technologies.
According to PwC, cyber safety is a blind spot for the industry, with only 12 per cent of mining and metal chief executive officers reporting they were “extremely concerned” about cyber threats in Mine 2020.
However, over a similar period, the number of reported cyber breaches among mining companies increased four-fold.
“The more digitally connected the company, the more vulnerable it is to disruption via cyber-attacks,” PwC stated.
“Mining companies are increasingly using automated and connected OT to run mines. In doing so, they inadvertently create multiple new entry points for would-be criminals.
“OT systems that control critical mining processes are connected with corporate office networks, (which are) a far less trusted environment, involving users, suppliers and contractors all regularly exchanging emails.
“Hackers may find entry to a company’s network via a supplier with weak cybersecurity and end up directly controlling critical mine safety systems or heavy machinery.”
Many companies have industrial control systems built to help them defend themselves against cyber threats.
Seclove chief executive officer Laith Shahin said businesses’ industrial control systems were often legacy systems built decades ago with little thought given to security, making them particularly vulnerable.
“A common challenge faced by many organisations is drawing the line in terms of the management between OT and information technology (IT) environments, so they usually end up being lumped together under one team,” Shahin said.
“That being said, organisations with a higher maturity tend to converge IT and OT so it’s important to make the distinction between convergence and having it lumped together due to a capacity challenge: IT supports business functions whereas OT is the business itself.”