Engineering & Mining Journal

MAR 2017

Engineering and Mining Journal - Whether the market is copper, gold, nickel, iron ore, lead/zinc, PGM, diamonds or other commodities, E&MJ takes the lead in projecting trends, following development and reporting on the most efficient operating pr

Issue link:

Contents of this Issue


Page 44 of 67

CYBERSECURITY MARCH 2017 • E&MJ 43 was not paid, and that the authority was able to restore its systems, but that it stood to lose around $500,000 per day in uncollected fares while the crisis re- mained unresolved. And as the BBC's technology of busi- ness editor, Matthew Wall, pointed out in an article earlier this year, financial damage is not only confined to installing malware on computers. "As well as poor- ly-secured devices, gullible humans will continue to be targeted, with so-called 'business email compromise' fraud con- tinuing to reap rich rewards for crimi- nals," he wrote. "Simply tricking employees into trans- ferring funds to criminals' bank accounts is lo-tech but surprisingly effective, with Trend Micro reporting that the average payout in the U.S. was US$140,000 last year," Wall added. The Internet of Things As E&MJ reported last month (pp.40-45), the IoT is becoming much more widely accepted within the mining industry than has previously been the case. However, as Stephen Ridley, founder of the Cali- fornia-based consultancy, Senrio, pointed out in an address to the 2016 ICS Cyber Security conference in Atlanta, Georgia, last October, "OT is IT, and ICS is IOT." "Industrial Control Systems (ICS) and Supervisory Control And Data Ac- quisition (SCADA) systems have lived in relative obscurity for decades," Ridley went on. "These devices and controllers use proprietary protocols in their build, software stacks and communications protocols. Now they are using the same technology as your smart home controller or Wi-Fi camera. "When hearing the buzz-word 'Internet of Things,' we typically think of the con- sumer world: smart toasters and connect- ed fridges. However, there is a staggering number of networked embedded devices that perform life- and mission-critical tasks that our daily lives depend on," he explained. "We haven't thought of these new types of devices as miniature com- puters that need the same care in deploy- ment, management and protection as our servers, computers and mobile phones. This is a huge blind spot." "Embedded devices, such as ICS and SCADA systems, are the low-hanging fruit for potential attackers," Ridley cau- tioned. "They are fairly easy to compro- mise, are connected to high-value net- works, and detection often only happens after the fact." In his presentation, Ridley described the IoT as being "a new breed of minia- ture computers that, in contrast to a PC or server, have a single-purpose operating system communicating with other devic- es and/or the internet. Embedded devices have been around for decades," he said. "What is new is their unprecedented con- nectivity and ubiquity." "Increasingly, the Internet of Things and Industrial Control Systems are using the same SoCs (systems on chips) and hardware, the same kinds of software and firmware, and the same communica- tions protocols," Ridley added. "The re- ality is that it is now increasingly simple for hackers to gain access to industrial control systems since there is so much generic software in place, offering a plethora of back doors that are ripe for exploitation." "We have seen attackers compromise DVRs and consumer cameras. It is easy to see how the same techniques can be leveraged against industrial targets," he warned. Suppliers Take it Seriously Not surprisingly, the major suppliers of the types of industrial control system widely used in the mining industry view the threat of cyber crime very seriously indeed. Siemens told E&MJ that its De- fense in Depth provides protection in and around industrial plants, based around the three core elements of plant security, network security and system integrity. While conventional plant protection protects the plant from physical access, network protection and system integrity protection prevent cyber-attacks or unau- thorized access by operators or third par- ties, so there are numerous levels of se- curity protection provided, the company explained. It offers a managed ICS securi- ty service that includes a full assessment of existing security, identification and implementation of recommended secu- rity improvement measures, continuous monitoring of the entire ICS operation, and proactive threat notification based on up-to-date global intelligence. Siemens pointed out that in mining, as with many other industries, ICS assets often have up to 20-year cycles, so it is equally as important to protect a legacy control system with upgraded connectivi- ty as it is to protect a newly installed ICS. Through assessing and then implement- ing security measures, Siemens offers to mitigate risks, comprehensively train and certify employees, deploy new technolo- gy with enhanced security processes and establish new security guidelines for the entire ICS operation. Bosch has launched an update of its Building Integration System (BIS) soft- ware, which enables security managers to manage and configure access control and authorization across the types of globally distributed sites that are a feature of to- day's mining industry. With BIS 4.3, all changes and updates made at the central corporate server are immediately replicat- ed to all sites and servers. For example, security managers can use a single central authorization server to operate a company's servers around the world for central cardholder management. The effect is immediate for all sites, ac- cording to Bosch, so that employees trav- eling between sites no longer have to ask for local access permission. Meanwhile, ABB offers its Cyber Se- curity Fingerprint service that helps users of its industrial control systems identify potential weaknesses in their IT security systems. The company recently reported on its work in this field with Sweden's Boliden, which involved using the service on one of its ABB 800xA control systems to help validate existing security policies, and possibly identify areas that might not have been considered. Boliden's ob- jective was to supplement its existing risk-mitigation program. According to ABB, the Fingerprint uses a multilayer approach to collect data from more than 100 critical points in the system and conducts in-depth interviews with plant personnel. A proprietary soft- ware-based analysis tool then analyzes its findings and compares them with industry standards and best practices. One of the Fingerprint's key features is that it high- lights areas of opportunity for protecting against security breaches caused by com- pany personnel who carelessly or mali- ciously spread malware through software or USB peripherals, as well as threats from outside hackers, ABB reported. Following the analysis, ABB produced a detailed plan that analyzed the plant's control system security and recommend- ed actions that could provide further

Articles in this issue

Links on this page

Archives of this issue

view archives of Engineering & Mining Journal - MAR 2017