Beware of cyber hacking: EY

CYBER hacking may become a top 10 strategic risk for companies, global advisory firm EY has warned the mining sector.

Kristie Batten

The EY paper, Cyber hacking and information security: mining and metals, released today, highlighted the increasing risks for companies.

EY Oceania Mining & Metals advisory leader Nathan Roost said the increased importance of the sector in global supply chains made it a target, while the increasing reliance of companies on technology made it more exposed.

“Cyber hacking targets are no longer just the big names, many more companies across the sector are now vulnerable,” he said.

“Mining companies are becoming far more reliant on integrated IT systems in their drive to improve productivity and bring down costs, and this makes them more exposed and vulnerable to cyber-attacks.

“At the same time, the relative importance these commodities play in global, regional and local supply chains means the companies have become priority targets and this is exacerbated by the extreme price volatility we expect to continue for the next 2-3 years.”

In EY’s recent Global Information Security Survey 2013-2014, 41% of mining and metals sector respondents reported an increase in external cyber threats in the past 12 months, while a further 28% identified internal vulnerabilities.

EY identifies three types of groups likely to target mining and metals companies – criminals, national governments and hacktivists.

“This means many companies who previously thought they would not be targets are now vulnerable,” he said.

Roost said it was not just an IT issue.

“The risk is heightened by the centralised nature of many business functions across supply chains now and the dependence of operations on sophisticated IT systems,” he said.

“A top down approach from the board and executive is needed to ensure the issues and threats are understood and addressed.”

EY cited an example of a mining company which used a SCADA system to control the operations of certain assets involved in the logistics and product chain.

After an equipment reliability issue, the company compared the current system source code with an unedited version to check whether changes that had been made were affecting reliability. It found that unauthorised malicious changes had been unintentionally uploaded into the source code from a maintenance contractor’s laptop.

The changes were designed to disable the auto-shutdown protections of the equipment and thereby allow the destruction of the equipment, with a date trigger embedded in the code.

“The increasing prevalence of cyber-hacking means companies need to identify and assess the likely threat to their organisation and mitigate accordingly,” said Roost.