The burning platform
As businesses evolve and become more technologically sophisticated, they must understand their exposure more deeply and proactively determine, and plan to reflect, their risk appetite. Governance and a solid risk management framework can help map an organization’s telemetry, put the right processes in place and prepare teams on the ground with the necessary protocols to properly respond to incidents with urgency and agility.
Often, an organization’s internal lack of understanding of the true and broad impacts of cyber threats is a primary barrier to action. Leadership knows, for example, that a compromise can shut down production, so they can put essential contingencies in place to address it. But what if a cyber attack manipulates readings so monitoring systems don’t recognize a compromise? Or more seriously, what if hacked health and safety controls risk not only production, but human life?
Building a cyber stronghold that can effectively anticipate and act on such issues requires on- and offsite connection and aligned synergies, priorities and oversight — from the top of an organization down. The EY Top 10 business risks and opportunities for mining and metals 2024 report indicates that risks to infrastructure, intellectual property, finances, reputation and supply chain, and potential physical and employee dangers, top the list of cybersecurity-related concerns on executives’ minds. This is proof that cybersecurity is no longer simply a technology issue. If risks are to be mitigated as disruption continues, the C-suite, namely the Chief Executive Officer (CEO), Chief Operating Officer (COO), Chief Financial Officer (CFO), Chief Information Officer (CIO) and Chief Information Security Officer (CISO), together with Risk Management and Operations, must all march in lockstep.
Bringing all stakeholders into the conversation means cyber teams must collaborate and work alongside metals and mining personnel to identify critical service applications. Communicating openly — with full visibility and disclosure of risk management activities and the holistic impacts they have on production and safety, brand and reputation — can also help advance cyber culture, build resilience and boost preparedness to lessen the impact of the “human factor” across the business.
Setting the table
While not without its challenges, bringing leadership, tech and operational teams into the conversation is essential to defining risk profile and building a holistic cybersecurity plan. Our EY teams help organizations facilitate such discussions by conducting capability and risk assessments, defining and implementing cyber risk mitigation strategies and even simulating cyber attacks to make it real for impacted parties and better identify dangerous gaps.
Our teams bring global skills, providing critical continuity across even the most complicated cyber response plan and proactively anticipating challenges, whether assessing a client’s current governance and environment or setting up strike teams, facilitating conversations or addressing policies.
Our global network with metals and mining businesses around the world means we can readily connect with different sites wherever their operations may be. EY wavespace™ centers of excellence for digital capabilities create opportunities to collaborate across virtual boardrooms and physical borders, making room for all voices to be heard and unique perspectives to be brought to the table.
Pop-up and mobile capabilities allow us to set up at metals and mining sites or offices, incorporating onsite teams to deliver faster and secure bespoke solutions. And through our global network of wavespace environments, EY teams can facilitate client teams in exploring and testing ideas in real time, conducting demos, data lab incubation and workshops, with access to specific skills and proprietary technologies.
High-level learnings from our labs and EY Americas Metals and Mining Center of Excellence provide guidance and innovation-led approaches to risk scenarios that many metals and mining companies are facing today — or might be tomorrow. Our multidisciplinary teams provide specialized operations capabilities and advanced knowledge of innovative technologies that can help interpret and put action plans into place to optimize data-driven diagnostics, help deliver on health and safety objectives, and safeguard a business’s digital transformation.
Starting with good risk management practices, our Cybersecurity practice takes a holistic approach by assessing operational technology and critical asset risks, including potential supply chain exposure, to embed strong visibility across the business. Dovetailing each of these components with an organization’s risk appetite, controls and governance, we can help establish a tailored framework that continuously identifies gaps, reduces vulnerabilities and builds cyber resilience in a well-established and risk-aware culture.
Regardless of where your organization is on this cybersecurity journey, whether you’re just beginning to digitalize operations or even if you’ve already been infiltrated by threat actors, we can help prepare you to respond to and withstand an attack and mitigate potential losses.
Reach out to a member of our team to start the conversation. We’d be happy to share our experiences and help inform your decision-making, set up a visit with our lab or run a simulation that can pinpoint vulnerabilities, guide your cybersecurity strategies, define detailed procedures and playbooks, and prioritize your plans.