Lessons learned from Rio Tinto’s massive cyber-attack

Rio Tinto’s Oyu Tolgoi project. Credit: SeongJoon Cho/Bloomberg via Getty Images.

In March, Rio Tinto was hit by one of the biggest cyber-attacks in the history of the mining industry. The attack allowed hackers to leak employees’ family information on to the ‘dark web’, as well as a wealth of company data. According to Rio Tinto, the stolen data was the result of an attack on GoAnywhere, a piece of third-party file transfer software. This is offered by the cyber security firm Fortra, which is used by Rio Tinto. In addition to the employees’ family and financial information being leaked online, payroll information, including pay slips and overpayment letters, was also seized. This was confirmed by the company in April, a month after the attack by the ransom group Cl0p, which claimed responsibility for the data hack.

The number of hacks by ransom groups is worryingly on the rise, and virtually no company’s system appears to be immune. In March, Hitachi Energy announced that it too had been the subject of a ransomware attack by the CL0P group on GoAnywhere. The leak was found to have stemmed from a “zero-day vulnerability” that Fortra identified on January 30. It was eventually patched on 7 February, but the ransom gang claimed that it had managed to exploit the vulnerability before then and steal data from over 130 organisations, including British multinational conglomerate Virgin in addition to Hitachi Energy.

Last December, another ransomware attack forced Canadian Mountain Mining Corporation (CMMC) to shut down its mill. The mine produces an average of 100 million pounds of copper-equivalent per year. In addition to the shutdown, the company isolated its operations and switched to manual processes. Although the company did not reveal how the attackers breached its systems, a report from the technology website BleepingComputer indicated that a couple of weeks earlier, credentials belonging to a CMMC employee account were offered for sale on a hacker portal.

At the end of last year, Hamburg-headquartered copper producer Arubis was also hit by a cyber-attack which forced its IT systems offline. In 2020 the Australian company BlueScope Steel was hit by a cyber-attack that caused production to be halted at its worldwide operations. The company was forced to revert for a time to manual operations. Alastair MacGibbon, chief strategy officer for cybersecurity firm CyberCX said phishing emails were likely to be the cause of the attack, and that they were becoming more common.

An undisclosed number of companies whose systems have been taken hostage have acceded to the hackers demands and decided to pay ransoms. These include the Colonial Pipeline Company, a major oil provider on the east coast of the US, which paid its attackers $4.4 million in May 2021. But some mining companies refuse to give in to the hackers’ ransom demands, and are fighting back.

One such company is Norway’s Norsk Hydro, a renewable energy and aluminium manufacturing company. When it faced a ransomware attack in March 2019, the company not only refused to pay the ransom, it also took steps to face down the hackers. The attack’s virus crippled the company’s network and stalled production in all of its manufacturing facilities. Norsk Hydro responded by shutting down access to the network, and switching most of its critical systems over to manual operation.

It then shut down the company’s own internal network to prevent propagation of the virus. With the network down, the malicious virus was easily identified and the threat was nullified. However, the entire incident was costly, and resulted in an estimated $70 million in losses, according to Norsk Hydro’s earnings report later that year.

The threat to Norsk Hydro and indeed the rest of the mining sector has not diminished, despite Norsk Hydro’s fight back. Rather, it has increased largely because the risk to the hacker of actually being apprehended and punished is minimal. As cyber experts point out, no one was ever arrested for the Norsk Hydro attack and the payouts are only getting larger.

In a recent paper, authors from global accounting and consulting firm EY said: “Cyber threats are evolving and escalating at an alarming rate for mining and metals, and other asset-intensive industries.” It advises that “understanding the current cyber risk landscape and the threats new technologies bring is critical for planning reliable and resilient operations”.

In its last Global Information Security Survey, 71% of mining participants reported seeing an increase in the number of disruptive attacks over the past 12 months and 55% worried about their ability to manage a cyber threat. “Today, all mining organizations are digital by default. [...] This will intensify given the accelerated adoption of cloud, analytics and automation across the sector, as well as disruptive innovation to achieve decarbonisation targets,” EY’s paper says. It argues that the mining and metals sector needs to undergo a “fundamental change” in cyber risk culture and awareness.

Cybersecurity providers are locked into a constant arms race against hackers to come up with the cyber solutions that the mining industry desperately needs. The increasingly wide range of cybersecurity companies each offer their own solutions, with various benefits and drawbacks.

In April, Swedish technology company ABB brought industry leaders together for a virtual ransomware summit. This included companies such as IBM, Cisco, Boston Consulting Group, Johnson Matthey, BASF Digital Solutions, Norsk Hydro and Boliden. 

Here, ABBlaunched its “Defence in Depth” strategy, aiming to help industrial customers find the best approach to mitigate cyber risks. This uses its Ability Cyber Security Fingerprint distributed control system, that relies on a multi-layer approach to increase security.

The company claims that the Cyber Security Fingerprint is a cost-effective, non-invasive service that provides diagnostics, key findings and recommendations that help protect control system investments from security risks. The system is now in use by Boliden in Sweden, which two years ago asked ABB to assist in helping it to validate existing security policies and identify areas the company might not have considered. 

Data from over 100 critical points in the system is collected, and in-depth interviews with plant personnel are conducted. A proprietary software-based analysis tool then analyses the Fingerprint’s findings and compares them with industry standards and best practices. “Mining operators cannot afford to take the risk of unauthorized interference with their operations. A virus such as the one that wrecked the German blast furnace is an even more serious matter when your facility is inside the Arctic Circle or halfway up a mountain in the Andes,” a company statement said.

BASF Digital Solutions, meanwhile, has its ‘Intelligent Mine’ solution. This is based on a custom, cloud-based architecture built with cybersecurity as a top priority. The company has enrolled with the National Cyber Security Centre in the UK and participates in their Cyber Essentials Certification programme. This combines five technical operating controls that minimize the chance of security breaches: secure internet connection using a suitable firewall, setting up devices and software using the most secure settings, implementing access controls for data and services, protection from viruses and other malware and ensuring devices and software are up-to-date. 

“Robust security protocols have been implemented to access customer data via our pipelines and data storage. [...] Application access is strictly via HTTPS, ensuring best-in-class security and protecting confidentiality when accessing our customers’ data,” says BASF. In addition, the company ring-fences its customer’s data by creating individual cluster environments per customer. This helps ensure data protection and data residency within the cluster. 

The mining industry will forever have to be vigilant against ransomware and other cyber-attacks. As Deloitte points out, “engineers have successfully designed and deployed industrial control systems with safety and reliability in mind, but not always security. Originally, there was little need for it. Fast forward 20 years, and digitisation and the internet of things has turned the most basic assumptions about operational security upside down.”

GlobalData, the leading provider of industry intelligence, provided the underlying data, research, and analysis used to produce this article.

GlobalData’s Thematic Intelligence uses proprietary data, research, and analysis to provide a forward-looking perspective on the key themes that will shape the future of the world’s largest industries and the organisations within them.