Engineering and Mining Journal - Whether the market is copper, gold, nickel, iron ore, lead/zinc, PGM, diamonds or other commodities, E&MJ takes the lead in projecting trends, following development and reporting on the most efficient operating pr
Issue link: http://emj.epubxp.com/i/799329
CYBERSECURITY MARCH 2017 • E&MJ 41 www.e-mj.com If this article had been written even 10 or 15 years ago, the chances are that its focus would have been almost exclusively on physical security — what mining com- panies might need to do to protect their operations (and output) from trespass, vandalism and old-fashioned robbery. To- day, however, security has a new dimen- sion, and while physical threats remain just as real as they did in the 1990s — or the 1890s, for that matter — the rapid growth of cybercrime has brought a whole new area of concern. Is the industry as worried as it should be? In all honesty, that is difficult to say in a broad-brush way, but to put things into context, within the past two years, a magazine from another publisher that covers the oil and gas pipelines industry has carried no fewer than 10 articles on cybersecurity. This author, for one, can- not recall having seen anything carried in the mining publications that are circulat- ed internationally. On this admittedly simplistic basis, it might appear that cybersecurity is some- thing that the mining industry has yet to come to grips with, at least in comparison with other resource sectors. Clearly, the oil and gas industry has had an additional spur to smartening up on how to combat the new threats, simply because its prod- ucts are both highly flammable and — when spilt — cost a lot to clean up. And the cyber criminals already have "form," having demonstrated their ca- pabilities when it comes to damaging oil-transport infrastructure — maybe. Ac- cording to a report carried by Bloomberg in December 2014, investigators from Turkey, the U.K. and elsewhere conclud- ed that an explosion in 2008 that put the Baku-Tbilisi-Ceyhan (BTC) pipeline out of action for three weeks had been caused by a cyber attack. While the Turkish government and the pipeline operators publicly blamed do- mestic political terrorism for the attack, Bloomberg reported that the subsequent investigation pointed the finger at hackers who had infiltrated the pipeline's operat- ing system, shut down security systems and overpressurized the pipeline to cause the blast. It is important to note that these conclusions were also discredited by others in the security industry, who suggested simple old-fashioned sabotage as the more likely cause. Nonetheless, the concept proposed by the Bloomberg report was certainly con- ceivable, and given recent publicity over the vulnerability of ordinary household appliances — constituent parts of the In- ternet of Things (IoT) — to be highjacked for botnet use, the idea that the pipeline's security cameras could have been used as a back door into its operating system may not have been so far-fetched. On page 44, a number of "scenarios" have been assembled — suggestions as to how having insecure IT and industri- al control systems have the potential to compromise a company's business in a variety of ways. While some of them may appear rather far-fetched, they are all pos- sible within the minerals-industry setting. The Minerals Industry is Vulnerable, Too It has to be remembered as well that it was only two years after the BTC incident that the first officially recognized use of cyber technology to disrupt a miner- al-based operation came to light. While some may consider the link to be tenu- ous, given the political background, the concept remains the same: hackers were able to access remotely and successfully disrupt a processing operation. The incident in question was, of course, the Stuxnet campaign against Iran's uranium-enrichment program. Se- curity analysts are of one mind that the campaign was implemented by the U.S. and Israeli intelligence services, and ef- fectively marked the first successful use of digital weaponry. Spread through the use of infected USB keys, the Stuxnet worm not only caused uranium-enrichment centrifuges to overspeed and break down, but also wiped records of what it had done from the control systems. And, the security in- dustry believes, its discovery only came once a second-phase "attack" had taken place. The initial use of the software was aimed at gathering information on exactly how the control systems worked and how they could be manipulated to achieve the desired result. What is perhaps even more worrying is that the Stuxnet worm was both tiny in terms of its file size — a mere 500 kb — and came with what appeared to be a wholly authentic security certifi- cate. And, of course, having been dis- covered, it and its more modern deriva- tives are now out there in the dark world of cybercrime. If the origins and rationale behind the Stuxnet campaign can be reasonably identified, the perpetrators of the attack that took place on an unnamed German steel mill in 2014 remain unclear. News of the incident first came to light in a report from the German Federal Office for Information Security (Bundesamts für Sicherheit in der Informationstech- nik – BSI), and according to the French cybersecurity organization, Sentryo, the attackers first hacked into the mill's of- fice software network, using a "spear Security Enters a New Realm Cyber criminals have yet to target mining in a big way, but it will happen. E&MJ looks at some of the threats and what operators can do to mitigate them. By Simon Walker, European Editor Cyber criminals have a wide range of options for attacking industrial control systems.