Cybersecurity women on computer

Five imperatives when thinking about cybersecurity in mining

Photographic portrait of Frédéric Georgel
Frédéric Georgel

EY Canada Associate Partner, Cybersecurity Advisory Services

5 minute read 09 Nov. 2022
Related topics
Mining and metals
Cybersecurity

Mining companies are embedding cybersecurity into digital transformation to support secure, sustainable growth and create a strong and resilient supply chain

In brief:

  • Positioning resilience as a cybersecurity priority takes commitment, governance and deep knowledge.
  • Organizations must focus on the cyber risk that could compromise the operational activities at all stages of the mining lifecycle across exploration, development, extraction and closure.
  • Embedding cybersecurity into the mining industry’s digital transformation is essential to maintaining an adequate security posture.

Over the past five years, the mining and metals industry has undergone a massive digital transformation. From exploration to extraction, advanced technologies like deep automation, robotics and artificial intelligence are improving operational efficiency, enhancing capability, reducing costs and increasing value at all stages of the mining lifecycle to gain a competitive advantage. However, this technology revolution is also exposing companies to new risks that can severely disrupt operations.

It’s no surprise that cyber threats are evolving and escalating at an alarming rate in the mining and metals and other asset-intensive industries. Understanding the current cyber risk landscape and the threats new technologies bring is crucial for planning reliable and resilient operations. From its geopolitical nature to the life-and-death consequences of operation system malfunctions: mining and metals companies are teeming with cyber vulnerabilities. Sophisticated criminals may be ready to hit a company’s reputation, health and safety protocols, environmental stewardship and profitability.

In an age when threats are being unearthed every day, mining companies should account for the following five imperatives when thinking about cybersecurity in their operations to build a cyber risk-based approach that improves business resilience and unlocks the true value of transformation.

1. Understand your risk appetite and tolerance and where your company stands

Risk appetite is the amount of risk an organization is willing to accept to achieve its objectives. Risk tolerance is the acceptable deviation from the organization's risk appetite. More than one third of Canadian organizations haven’t clearly articulated their cybersecurity risk. That’s simply not enough. Defining the cyber risks that are most relevant for your particular organization and building consensus around what level of risk you’ll tolerate is the first step to effective planning.

For the mining and metals industry, a seemingly small disruption — like a hacker shaking up your supply chain or stopping a critical dewatering pump — could have massive, high-profile or even life-altering impacts. You need to know where your risk lies to defend your organization well.

55% of mining and metals
executives are worried about
their ability to manage a
cyberattack1  

How EY can help

2. Bridge the divide between IT and OT to clarify the operating model and cyber risk between the two domains
 

The patterns that work for your information technology (IT) team don’t always translate for your operational technology (OT) team. While the names are sometimes used synonymously, the two have different cultures.
 

When thinking of OT, especially at remote mining sites, teams are measured on uptime, not necessarily security. The concept of security is built on the IT side. The company’s Chief Information Security Officer (CISO) must not only ensure availability and reliability, but also that the systems are secure whenever they are being operated. It’s essential they ask questions, such as:

  • Are my operational technologies properly protected?
  • What is the current level of cyber risk?
  • Do we have the appropriate level of control to be resilient in the event of a cyberattack during the extraction phase?
  • What is the impact of a data leak during the exploration phase?

Bridging the culture divide will require CISOs to be able to translate the language of health and safety into cyber risk management. This bridge is important as environmental, social and governance (ESG) practices continue to gain momentum; the need to secure OT assets that provide the frontline ESG data to make informed decisions will be paramount.
 

According to the EY Global
Information Security survey, 71%
of mining and metals participants
saw an increase in the number of
disruptive attacks over the past 12
months2

3. Conduct regular scenario planning

Cybersecurity control capabilities are key and must be driven by the need to mitigate risk. Therefore, you need to prioritize risk identification. Developing a risk-based approach allows the company to simulate attack scenarios on IT and OT systems. That will help you understand if there are system vulnerabilities and the severity of those vulnerabilities. This helps determine what controls are required to protect these critical assets.

Based on the risk identification procedure, the company should ask questions such as:

  • Do we have the right controls to mitigate the risk?
  • Do we have an efficient return on mitigation?
  • What is the biggest risk that needs to be mitigated?

4. Make cybersecurity the connective thread between functional capabilities

Redrawing the organizational chart and making cybersecurity the connective thread between functional capabilities doesn’t only make your organization stronger — it can also support efficiency, cut down costs and foster the kind of collaboration that speaks directly to internal and external calls for secure products, services and solutions. 

Risk itself has changed. Findings from the EY Global Information Security Survey show more than 40% of leaders have never been as concerned as they are now about managing cyber threats the business faces. You can’t tackle that increase in disruptive risk without drawing better connections between functional teams.

5. Put a team in place to deal with compliance and regulatory requirements

The overhead of trying to stay on top of different regulatory requirements and standards is the biggest hurdle most Canadian companies face. A large majority (70%) of Canadian executives say navigating regulation will be time consuming and expensive.

Mining is global. Companies need to think bigger than just Canada — to do so effectively and efficiently, dedicated teams will be needed. They can support organizations of the future to stay on top of compliance and regulatory requirements, but also put in place a process to support with what updates they need, where to get them and how they translate to their specific organization.

According to the EY Global
Information Security survey,
54% of mining and metals
companies suffered a
significant cyber atttack3

 

Cybersecurity must support the mining and metals sector’s technology revolution. This objective should be prioritized and governed by the needs of resilience. Disruptive forces mean companies must understand how much risk they can safely take on, coupled with a dedicated team to keep the organization up to date with compliance and regulatory requirements and support the CISOs to put them in place.

We’re at a defining moment where CISOs can make a difference.


Summary

In an age when threats are being unearthed every day, mining companies should account for five imperatives when thinking about cybersecurity in their operations to build a cyber risk-based approach that improves business resilience and unlocks the true value of transformation.

About this article

Photographic portrait of Frédéric Georgel
Frédéric Georgel
EY Canada Associate Partner, Cybersecurity Advisory Services
Committed to help Canadian organization to manage with success their cybersecurity challenges. Proud husband, passionate by music, audiophile systems and new ideas.
Related topics
Mining and metals
Cybersecurity

EY refers to the global organization, and may refer to one or more, of the member firms of Ernst & Young Global Limited, each of which is a separate legal entity. Ernst & Young Global Limited, a UK company limited by guarantee, does not provide services to clients.