As the resources sector is adopting innovation, in particular digital technologies, at an increasingly rapid rate, mining companies should consider the cyber-security risks inherent with leveraging this innovation, according to mining technology company IMDEX.
Paul House, CEO for IMDEX, says the take-up of new technologies is happening on a scale that has not been seen in the past – a confluence of the effects of the COVID-19 pandemic and the need to replace depleted existing mineral reserves.
“This is partly by necessity, to enable remote working, and partly by opportunity, as these technologies will enable faster drilling, more efficient drilling, and better decision making,” he said.
But every tool and technology that is added to a mining company’s arsenal – from exploration to production – increases the attack surface for hackers, according to the company.
IMDEX says it has countered this by achieving the “gold standard” in data security – certification against the exacting standards of ISO27001, an international information security standard recognised in 161 countries. The company received recognition for this information security standard in early 2020.
House said increasingly clients were asking for such security protocols to be in place.
The threat of cyber attacks intensifies as competitors, organised crime, and “state-based actors” seek to gain advantage by malicious means – searching for vulnerabilities in business systems that will allow them access a company’s most important secrets, according to the company.
The Australian Cyber Security Centre (ACSC) has warned that the likelihood and severity of cyber attacks is increasing because of the growing dependence on new information technology platforms and interconnected devices and systems.
“Cyber crime is one of the most pervasive threats facing Australia, and the most significant threat in terms of overall volume and impact to individuals and businesses,” the ACSC said in its annual report last year.
Global communications company Inmarsat, in a 2020 report examining the rise of IoT in mining, said the majority of mining organisations were struggling to meet the security challenges presented by the IoT.
The report found that while respondents in their research were aware of the damage a cyber attack could trigger, the response so far to the threats had been minimal.
IMDEX Information Security Manager, Sameera Bandara, said cyber threats come from various sources, including hackers doing it for fun, criminal enterprises, competitors, and nation states.
“They use proxies and zombies to mask who and where they are and, even if we found them, prosecution would be a problem,” Bandara said.
IMDEX’s approach was that its systems needed to be secure to protect its data and that of its clients.
“IMDEX spends A$20 million ($15 million) a year on research and development,” Bandara said. “If competitors could get access to technology or tools in development by hacking our systems, the financial and reputational costs to IMDEX would be significant.
“But we also needed to protect our clients’ information by making our systems as secure as possible. We can then say if we have your data, then it is secure to a point where an attacker would have to spend considerably more resources to exploit than the value of the data.”
IMDEX supplies a range of technologies and tools that deliver data from exploration through to production, with the data uploaded to cloud-connected management tools and analytic software.
The company addressed the security issue by maintaining an Information Security Management System certified against ISO27001 security certification that covers:
- Software development processes;
- The product development lifecycle for its real-time subsurface intelligent solutions;
- Manufacturing and deployment of products and technologies;
- Client support processes; and
- Information technology systems for supporting these activities and digital functions.
Bandara refers to it as the “gold standard” of data security – achieved after an assessment of its information security management system and processes.
“Many companies say they are aligned with the ISO27001 requirements without actually being certified and that’s because a lot more rigour needs to go into getting certified,” he said.