Cybersecurity in mining: lessons to learn from the Weir attack

A

s the mining industry continues to embrace emerging technologies, from autonomous vehicles to artificial intelligence, the sector opens itself up to new potential risks alongside the potential improvements in productivity and profitability.

The latest example is a cyberattack that hit industrial supplier Weir in October, and was described by its chief executive Jon Stanton as “a sophisticated external attack”. While the company’s own defences were able to shut down the attack before more significant damage was done, the attack is a sobering reminder of the potential for cyberattacks to damage mining operations, with Weir expecting its Q4 revenue to fall by $13.6m-$27m in the wake of the incident.

Yet miners have a range of options to improve their digital defences, from hiring external experts to improving their own cataloguing and assessment of potential risks. Considering the speed at which the cybersecurity industry moves however, will miners be able to stay one step ahead of cyber criminals?

While details on the Weir attack remain sparse, its impacts are significant. The company experienced ongoing disruptions to its core IT systems, its engineering systems, and its resource planning processes, dealing a significant blow to Weir’s administrative capabilities. This is a particular threat in the mining industry, which operates across borders and continents.

“We responded quickly and comprehensively to what was a sophisticated external attack on our business,” said Stanton in a press release following the incident, highlighting the fact that many of the systems were shut down and control regained before lasting damage could be done.

“The robust action to protect our infrastructure and data has led to significant temporary disruption but our teams have responded magnificently to this challenge and have managed to minimise the impact on our customers.

“More broadly, the continued strong demand across our markets in Q3, particularly for our more sustainable solutions, reinforces our view that Weir is ideally placed to benefit from a multi-decade growth opportunity, as the mining industry invests in expanding capacity while reducing its environmental impact,” continued Weir.

While the relatively strong financial performance of the company at other points in the year is a source of optimism for Weir, the fact that the attack could wreak such significant financial damage to the company’s overall financial position, in spite of these successes beyond the attack, is ominous.

Weir’s own reporting notes that mineral orders increased by 30% in Q3, alongside a 71% increase in original equipment orders, and that end-of-year earnings could reach as high as $330m, all positive trends that could have been undone by the sudden cyberattack.

“We will continue to focus on the safe restoration of all our systems whilst strengthening our future resilience even further,” continued Stanton, who went on to enthuse about the company’s mid-term financial future. “We remain on track to deliver our recently announced three-year performance goals, which will see us increase revenues, expand margins, and significantly reduce our environmental footprint.”

Stanton’s optimism highlights that the impacts of this attack will only be realised in the fullness of time, but the fact that up to $27m of revenue can be wiped off in a single incident will be an unwelcome sight for others in the mining industry.

The Weir incident is just one example of a growing trend of cyberattacks in the mining industry, as attackers look to exploit outdated cybersecurity systems that struggle to keep up with such a rapidly-changing industry.

“There are clear indicators that attacks on critical infrastructure, including mining, will likely increase in the future,” explains Justin Berman, technical director at cybersecurity firm Skybox Security. “For example, research shows there was an increase of 30% of vulnerabilities exploited in the wild and a dramatic rise of 46% increase in new operational technology (OT)-targeted vulnerabilities in the last year.”

“The board and other stakeholders need to understand the risk exposure of their operational systems,” Berman continues. “We are starting to see the cybersecurity industry shift to proactive defences by identifying, prioritising, and remediating vulnerabilities before incidents happen.”

Berman’s figures are taken from Skybox’s mid-year report into trends in cybersecurity, and the rest of the document makes for bleak reading. The rate of network device vulnerabilities and ransomware attacks both increased by 20%, and the latter is of particular note, as the report suggests that such attacks target types of vulnerabilities that have only been discovered in the last three years.

This adds further evidence to the idea that cyberattacks are a constantly-evolving phenomenon, which look to take advantage of newly-emerging weaknesses in digital defences.

There is also the phenomenon of cumulative vulnerabilities, where a cybersecurity risk is not immediately exploited, and so fixing the weaknesses is not a priority. Weaknesses that are allowed to fester in this way can prove to be exponentially more dangerous in the long term, with attackers able to spend years finding the most effective way to exploit them.

Skybox’s reporting notes that the prevalence of cumulative vulnerabilities has tripled in the last decade. As a result, there are both short-term and long-term threats to a company’s digital defences, and one that is particularly relevant to the mining industry.

“Autonomous mining is an example of the cyber security risks that mining companies face today,” explains Berman. “In this scenario, sensors and mining plants generate data used to analyse predictive analytics that will drive efficient and effective operations, such as preventative maintenance.

“The data runs over OT networks, which have an inherently lower security maturity level than IT networks. Thus, while the productivity gains from better data analytics mean these systems are increasingly important, the footprint and threat profile for OT systems is increasing simultaneously.”

Perhaps one of the most important lessons for miners to learn is that effective cybersecurity is not simply a nice addition to a business, but a core component of ensuring administration and logistics run smoothly. Such is the level of technological involvement in all levels of the mining industry, from record-keeping to vehicle-driving, that a sub-par cybersecurity system can endanger the entire company.

“There are a vast number of challenges in the OT security space,” explains Berman. “These include: complex networks where data is hard to find (remote industrial site/telemetry site); closed, proprietary technology and protocols managed and installed on outdated systems; one-way devices that send but not receive management data; [and a] lack of security tools (no security by design).”

Beyond these purely technological lessons, there are also more human and logistically-driven steps that miners can take to improve their digital defences. Berman pointed to a lack of skilled individuals in the cybersecurity field, which makes it difficult for companies to hire specialists to protect themselves, and even harder for them to train other members of staff in best practices.

Similarly, Skybox’s report points out that changes to the criteria by which risks are identified and assessed, such as the importance of exposure to a threat when determining the potential danger of that threat, could also be updated to help companies identify and tackle the most high-risk threats.

While difficulties in hiring and logistics are issues that go beyond the mining industry, and are weaknesses that will be fixed by no single mining company in the short term, Berman is optimistic that there are practical steps miners can take to improve their cybersecurity.

“Today, there are concrete, data-driven steps the mining sector can take to mitigate risk,” says Berman. “By strengthening security posture; implementing automation to ensure continuous compliance; finding exposed vulnerabilities with network modelling; and remediating with options that go beyond patching, the industry can understand its security weaknesses to avoid incidents by walking the path of a potential breach.