Engineering and Mining Journal - Whether the market is copper, gold, nickel, iron ore, lead/zinc, PGM, diamonds or other commodities, E&MJ takes the lead in projecting trends, following development and reporting on the most efficient operating pr
Issue link: http://emj.epubxp.com/i/799329
CYBERSECURITY 42 E&MJ • MARCH 2017 www.e-mj.com

phishing" campaign to install malware contained in email attachments. From there, they penetrated the mill's production management software before taking over most of the plant's control systems. This enabled them to systematically destroy human-machine interaction components, with the result that the procedure for shutting down a blast furnace was compromised, resulting in major damage to the plant.

The BSI report did not make any suggestions as to who the attackers may have been, or their motive, but subsequent investigation has indicated the probability that the attack was more of a demonstration of capabilities than anything else. Having done it once, and shown what can be achieved, the potential for a ransom campaign against another industrial target at some future time comes closer to reality.

An Industry Perspective

As a way of illustrating how major plant suppliers to the mining industry perceive the challenges associated with cybersecurity, E&MJ spoke to Greg Weaver, global product director for digital solutions at FLSmidth. Asked how severe he believes the problem of insecure industrial control systems really is for mining, Weaver replied that while the threat is not currently serious, it has the potential to become very significant if it is not addressed properly.

"It's a question of evolution," he said. "Mining operations round the world are typically still very localized, very disconnected."

"That will change in the future in two respects," he went on. "Companies will have closer links, with a higher degree of automation, across their operations wherever they are in the world, and more and more devices — the Internet of Things — will be added to those corporate networks."

Weaver went on to compare the threats facing industrial control systems in mining operations with those in other sectors, such as utilities and power distribution.
Taking the example of the cyber attacks on Ukraine's power-supply grid in 2015 and 2016, he noted that, "utilities are high-visibility targets, and attacks on them set out with the aim of getting as much attention as possible. With few exceptions, mining operations don't have the same level of visibility, so are less attractive to attention-seeking individuals or groups who may have political motives for their actions.

"The mining industry needs to be much more concerned with hackers who have some financial motivation, both in terms of trying to steal a company's money or to blackmail it by threats," he said.

E&MJ then asked him which parts of a mineral processing operation he perceives as being the most vulnerable to external control manipulation. In other words, what could potentially do the most economic and/or physical damage to a mineral processing operation if hackers took over the control system?

"There are two main areas of concern here," Weaver replied. "The first is high capital-cost items such as mills or primary crushers, machines for which very little redundancy is built in to the system. If one of those goes down, the economic impact can be very quick indeed."

"At the other end of the spectrum, if hackers could attack a simple plant item such as a pump or a valve, releasing (or threatening to release) processing chemicals or waste into the environment, the reputational damage could be enormous," he explained.

"Personal awareness is one of the key areas in the fight against cybercrime," Weaver said. "When we at FLSmidth are commissioned to undertake a project, cybersecurity is definitely part of the discussion with our client, with control systems custom-built to minimize cybersecurity risks."

"But personal awareness training is only one aspect of this," he went on. "It is also really important for plant operators to bring in experts from outside who can undertake a full assessment of a plant and how it can be protected, to identify the risks and help put a mitigation plan into action.

"The mining industry has largely been isolated from this type of problem up to now," Weaver stated. "Other industries haven't, and mining can learn a lot from problems, failures and solutions elsewhere. Above all, everyone has to minimize the risk of complacency."

Financial Risks

As Weaver suggested, the greatest threat that he currently perceives to mining-sector operations is financial rather than physical. And financial losses can come through a number of mechanisms, from straightforward theft (the traditional "hold-up" approach) to online fraud and ransomware.

According to the cybersecurity company, CyberX, industrial organizations are excellent targets for ransomware because:

• When operational data become unusable, the consequences can include catastrophic damage to production assets, production outages and risks to physical safety;
• Industrial organizations cannot easily shut down network operations to prevent malware from spreading because the processes they use are themselves not easy to shut down;
• Enterprises are more likely to quietly pay a ransom because of concerns that going public with cyber-attacks will invite greater scrutiny from regulators and the media;
• Operational technology (OT) environments are often less mature than IT environments and, as a result, their data-backup processes may not be sufficient to restore all required data; and
• Employees are often production workers who tend to have less security awareness training and are more likely to open malicious documents delivered via phishing emails.

As an example of the potential gain to be made from a ransomware attack, look no further than the incident that affected the San Francisco Municipal Transport Authority last November.
Reports later suggested that the 100 bitcoin ($73,000) ransom demanded to unlock the authority's office computer systems

The weakest link in any system: the fingers on the keyboard.