Theo Yameogo: Hey Yogen, nice to talk to you today. Welcome to the series! I'm really looking forward to hearing your insight about cybersecurity for mining and metals companies.
Yogen Appalraju: Great to be here, Theo. I'm looking forward to the discussion.
Theo Yameogo: Okay, let's get right into it. What advice would you give to CISO executive members and board members when it comes to cybersecurity threats in the mining and metals sector today?
Yogen Appalraju: For all executives, the first thing I would say, Theo, is that everyone should recognize that building cyber resiliency is a journey; it takes consistent effort and investment and typically multiple years of work.
Fundamentally important though, irrespective of what stage of maturity your capabilities are at, is that you prioritize your investments well. What does that mean? It means that if you have a low level of maturity, focus on things like two-factor authentication, protecting applications facing the internet, patching critical systems, and there are many more. These are the ones you want to get at initially.
If you're the Chief Information Security Officer, you want to build a plan; you want to be able to explain and communicate the "what" and the "why" to your executives so you get the funding for it. If you're an executive or a board member, you want to ask questions such as: how secure are we today? What is the target state of security for our industry, for our organization? And once that's well established, show that there's a risk-based approach. In other words, we are focusing on our critical operations, our critical assets. Once all of that is in place, ensure you have set the tone so that the CISO and the CIO get the support from all other executives and team members within the organization. Finally, ensure the funding will be available to help with the execution of the plan.
Theo Yameogo: Very interesting, Yogen. Now when we look at specifics, what kind of threats and trends should mining and metals companies be aware of when it comes to cybersecurity today?
Yogen Appalraju: Theo, there's a lot of research being done in this space across all industries. In fact, there was a recent report related to the mining and metals industry, and what it said was that in terms of the initial attacks, 89% of the patterns we see involve social engineering or phishing-type attacks. The remaining attacks really go after IT infrastructure or web applications, but as you can tell there's a large proportion that are really focused on people vulnerabilities: someone clicking on a link, and that creates the exploitation.
The other trend we're seeing is that the majority of the motivation behind these attacks is financial gain. In fact, 78% of all attacks were motivated by financial gain, and a large part of those involve ransomware-type attacks.
The other thing I would say, which other industries have experienced and we believe is going to happen in the mining and metals industry as well, is supply chain motivated attacks. What that means is really attacking one of your vendors and, through that vector, trying to attack an organization like a mining company.
Theo Yameogo: That is very insightful, Yogen. Recently, we've seen in the pipeline industry there was a ransomware attack that actually shut down operations for six days, and it ended up impacting the supply chain and society in general. Do you anticipate such an event happening in the mining and metals sector, and what's your advice on how to prevent it from happening?
Yogen Appalraju: That's a good question, Theo. You know, in a lot of ways mining and metals companies are very similar to oil and gas and pipeline companies. They both have IT and OT, which is operational technology: technology that is used to run the sites and the operations, and a lot of it is also there for the safety of the workers and employees.
With the recent pipeline attack that you mentioned, the attackers really performed a ransomware attack; the intention was to exfiltrate money out of the organization. It is reported that they didn't really intend to shut down the pipeline operations, but when that organization experienced the attack, they felt that the attackers had knowledge about the pipeline and how to attack the pipeline, and for safety reasons they shut down the operations. As you can tell, it takes a long time to bring it back up.
This could happen to a mining and metals organization as well, and I would argue that mining and metals organizations should be prepared for such an attack and show they've got good visibility so that they can detect these attacks early, understand what's happening, and make good decisions about whether it affects the operations or not, so they don't have such an event happen to them as well.
Theo Yameogo: Well, Yogen, this has been very insightful, and thanks very much for coming and sharing with us.
Yogen Appalraju: Thank you for having me.