Security Enters a New Realm
Cyber criminals have yet to target mining in a big way, but it will happen. E&MJ looks at some of the threats and what operators can do to mitigate them.
By Simon Walker, European Editor
Is the industry as worried as it should be? In all honesty, that is difficult to say in a broad-brush way, but to put things into context, within the past two years, a magazine from another publisher that covers the oil and gas pipelines industry has carried no fewer than 10 articles on cybersecurity. This author, for one, cannot recall having seen anything carried in the mining publications that are circulated internationally.
On this admittedly simplistic basis, it might appear that cybersecurity is something that the mining industry has yet to come to grips with, at least in comparison with other resource sectors. Clearly, the oil and gas industry has had an additional spur to smartening up on how to combat the new threats, simply because its products are both highly flammable and — when spilt — cost a lot to clean up.
And the cyber criminals already have “form,” having demonstrated their capabilities when it comes to damaging oil-transport infrastructure — maybe. According to a report carried by Bloomberg in December 2014, investigators from Turkey, the U.K. and elsewhere concluded that an explosion in 2008 that put the Baku-Tbilisi-Ceyhan (BTC) pipeline out of action for three weeks had been caused by a cyber attack.
While the Turkish government and the pipeline operators publicly blamed domestic political terrorism for the attack, Bloomberg reported that the subsequent investigation pointed the finger at hackers who had infiltrated the pipeline’s operating system, shut down security systems and overpressurized the pipeline to cause the blast. It is important to note that these conclusions were also discredited by others in the security industry, who suggested simple old-fashioned sabotage as the more likely cause.
Nonetheless, the concept proposed by the Bloomberg report was certainly conceivable, and given recent publicity over the vulnerability of ordinary household appliances — constituent parts of the Internet of Things (IoT) — to being hijacked for botnet use, the idea that the pipeline’s security cameras could have been used as a back door into its operating system may not have been so far-fetched.
On page 44, a number of “scenarios” have been assembled — suggestions as to how insecure IT and industrial control systems have the potential to compromise a company’s business in a variety of ways. While some of them may appear rather far-fetched, they are all possible within the minerals-industry setting.
The Minerals Industry is Vulnerable, Too
It has to be remembered as well that it was only two years after the BTC incident that the first officially recognized use of cyber technology to disrupt a mineral-based operation came to light. While some may consider the link to be tenuous, given the political background, the concept remains the same: hackers were able to access remotely and successfully disrupt a processing operation.
The incident in question was, of course, the Stuxnet campaign against Iran’s uranium-enrichment program. Security analysts are of one mind that the campaign was implemented by the U.S. and Israeli intelligence services, and effectively marked the first successful use of digital weaponry.
Spread through the use of infected USB keys, the Stuxnet worm not only caused uranium-enrichment centrifuges to overspeed and break down, but also wiped records of what it had done from the control systems. And, the security industry believes, its discovery only came once a second-phase “attack” had taken place. The initial use of the software was aimed at gathering information on exactly how the control systems worked and how they could be manipulated to achieve the desired result.
What is perhaps even more worrying is that the Stuxnet worm was both tiny in terms of its file size — a mere 500 kb — and came with what appeared to be a wholly authentic security certificate. And, of course, having been discovered, it and its more modern derivatives are now out there in the dark world of cybercrime.
If the origins and rationale behind the Stuxnet campaign can be reasonably identified, the perpetrators of the attack that took place on an unnamed German steel mill in 2014 remain unclear. News of the incident first came to light in a report from the German Federal Office for Information Security (Bundesamt für Sicherheit in der Informationstechnik – BSI), and according to the French cybersecurity organization, Sentryo, the attackers first hacked into the mill’s office software network, using a “spear phishing” campaign to install malware contained in email attachments.
From there, they penetrated the mill’s production management software before taking over most of the plant’s control systems. This enabled them to systematically destroy human-machine interaction components, with the result that the procedure for shutting down a blast furnace was compromised, resulting in major damage to the plant.
The BSI report did not make any suggestions as to who the attackers may have been, or their motive, but subsequent investigation has indicated the probability that the attack was more of a demonstration of capabilities than anything else. Having done it once, and shown what can be achieved, the potential for a ransom campaign against another industrial target at some future time comes closer to reality.
An Industry Perspective
As a way of illustrating how major plant suppliers to the mining industry perceive the challenges associated with cybersecurity, E&MJ spoke to Greg Weaver, global product director for digital solutions at FLSmidth. Asked how severe he believes the problem of insecure industrial control systems really is for mining, Weaver replied that while the threat is not currently serious, it has the potential to become very significant if it is not addressed properly.
“That will change in the future in two respects,” he went on. “Companies will have closer links, with a higher degree of automation, across their operations wherever they are in the world, and more and more devices — the Internet of Things — will be added to those corporate networks.”
Weaver went on to compare the threats facing industrial control systems in mining operations with those in other sectors, such as utilities and power distribution. Taking the example of the cyber attacks on Ukraine’s power-supply grid in 2015 and 2016, he noted that, “utilities are high-visibility targets, and attacks on them set out with the aim of getting as much attention as possible. With few exceptions, mining operations don’t have the same level of visibility, so are less attractive to attention-seeking individuals or groups who may have political motives for their actions.
“The mining industry needs to be much more concerned with hackers who have some financial motivation, both in terms of trying to steal a company’s money or to blackmail it by threats,” he said.
E&MJ then asked him which parts of a mineral processing operation he perceives as being the most vulnerable to external control manipulation. In other words, what could potentially do the most economic and/or physical damage to a mineral processing operation if hackers took over the control system?
“There are two main areas of concern here,” Weaver replied. “The first is high capital-cost items such as mills or primary crushers, machines for which very little redundancy is built in to the system. If one of those goes down, the economic impact can be very quick indeed.”
“At the other end of the spectrum, if hackers could attack a simple plant item such as a pump or a valve, releasing (or threatening to release) processing chemicals or waste into the environment, the reputational damage could be enormous,” he explained.
“Personal awareness is one of the key areas in the fight against cybercrime,” Weaver said. “When we at FLSmidth are commissioned to undertake a project, cybersecurity is definitely part of the discussion with our client, with control systems custom-built to minimize cybersecurity risks.”
“But personal awareness training is only one aspect of this,” he went on. “It is also really important for plant operators to bring in experts from outside who can undertake a full assessment of a plant and how it can be protected, to identify the risks and help put a mitigation plan into action.
“The mining industry has largely been isolated from this type of problem up to now,” Weaver stated. “Other industries haven’t, and mining can learn a lot from problems, failures and solutions elsewhere. Above all, everyone has to minimize the risk of complacency.”
As Weaver suggested, the greatest threat that he currently perceives to mining-sector operations is financial rather than physical. And financial losses can come through a number of mechanisms, from straightforward theft (the traditional “hold-up” approach) to online fraud and ransomware.
According to the cybersecurity company, CyberX, industrial organizations are excellent targets for ransomware because:
• When operational data become unusable, the consequences can include catastrophic damage to production assets, production outages and risks to physical safety;
• Industrial organizations cannot easily shut down network operations to prevent malware from spreading because the processes they use are themselves not easy to shut down;
• Enterprises are more likely to quietly pay a ransom because of concerns that going public with cyber-attacks will invite greater scrutiny from regulators and the media;
• Operational technology (OT) environments are often less mature than IT environments and, as a result, their data-backup processes may not be sufficient to restore all required data; and
• Employees are often production workers who tend to have less security awareness training and are more likely to open malicious documents delivered via phishing emails.
As an example of the potential gain to be made from a ransomware attack, look no further than the incident that affected the San Francisco Municipal Transport Authority last November. Reports later suggested that the 100 bitcoin ($73,000) ransom demanded to unlock the authority’s office computer systems was not paid, and that the authority was able to restore its systems, but that it stood to lose around $500,000 per day in uncollected fares while the crisis remained unresolved.
And as the BBC’s technology of business editor, Matthew Wall, pointed out in an article earlier this year, financial damage is not only confined to installing malware on computers. “As well as poorly-secured devices, gullible humans will continue to be targeted, with so-called ‘business email compromise’ fraud continuing to reap rich rewards for criminals,” he wrote.
“Simply tricking employees into transferring funds to criminals’ bank accounts is lo-tech but surprisingly effective, with Trend Micro reporting that the average payout in the U.S. was US$140,000 last year,” Wall added.
The Internet of Things
As E&MJ reported last month (pp.40-45), the IoT is becoming much more widely accepted within the mining industry than has previously been the case. However, as Stephen Ridley, founder of the California-based consultancy, Senrio, pointed out in an address to the 2016 ICS Cyber Security conference in Atlanta, Georgia, last October, “OT is IT, and ICS is IOT.”
“Industrial Control Systems (ICS) and Supervisory Control And Data Acquisition (SCADA) systems have lived in relative obscurity for decades,” Ridley went on. “These devices and controllers use proprietary protocols in their build, software stacks and communications protocols. Now they are using the same technology as your smart home controller or Wi-Fi camera.
“When hearing the buzz-word ‘Internet of Things,’ we typically think of the consumer world: smart toasters and connected fridges. However, there is a staggering number of networked embedded devices that perform life- and mission-critical tasks that our daily lives depend on,” he explained. “We haven’t thought of these new types of devices as miniature computers that need the same care in deployment, management and protection as our servers, computers and mobile phones. This is a huge blind spot.”
“Embedded devices, such as ICS and SCADA systems, are the low-hanging fruit for potential attackers,” Ridley cautioned. “They are fairly easy to compromise, are connected to high-value networks, and detection often only happens after the fact.”
In his presentation, Ridley described the IoT as being “a new breed of miniature computers that, in contrast to a PC or server, have a single-purpose operating system communicating with other devices and/or the internet. Embedded devices have been around for decades,” he said. “What is new is their unprecedented connectivity and ubiquity.”
“Increasingly, the Internet of Things and Industrial Control Systems are using the same SoCs (systems on chips) and hardware, the same kinds of software and firmware, and the same communications protocols,” Ridley added. “The reality is that it is now increasingly simple for hackers to gain access to industrial control systems since there is so much generic software in place, offering a plethora of back doors that are ripe for exploitation.”
“We have seen attackers compromise DVRs and consumer cameras. It is easy to see how the same techniques can be leveraged against industrial targets,” he warned.
Suppliers Take it Seriously
Not surprisingly, the major suppliers of the types of industrial control system widely used in the mining industry view the threat of cyber crime very seriously indeed. Siemens told E&MJ that its Defense in Depth provides protection in and around industrial plants, based around the three core elements of plant security, network security and system integrity.
While conventional plant protection protects the plant from physical access, network protection and system integrity protection prevent cyber-attacks or unauthorized access by operators or third parties, so there are numerous levels of security protection provided, the company explained. It offers a managed ICS security service that includes a full assessment of existing security, identification and implementation of recommended security improvement measures, continuous monitoring of the entire ICS operation, and proactive threat notification based on up-to-date global intelligence.
Siemens pointed out that in mining, as with many other industries, ICS assets often have up to 20-year cycles, so it is equally as important to protect a legacy control system with upgraded connectivity as it is to protect a newly installed ICS. Through assessing and then implementing security measures, Siemens offers to mitigate risks, comprehensively train and certify employees, deploy new technology with enhanced security processes and establish new security guidelines for the entire ICS operation.
Bosch has launched an update of its Building Integration System (BIS) software, which enables security managers to manage and configure access control and authorization across the types of globally distributed sites that are a feature of today’s mining industry. With BIS 4.3, all changes and updates made at the central corporate server are immediately replicated to all sites and servers.
For example, security managers can use a single central authorization server to operate a company’s servers around the world for central cardholder management. The effect is immediate for all sites, according to Bosch, so that employees traveling between sites no longer have to ask for local access permission.
Meanwhile, ABB offers its Cyber Security Fingerprint service that helps users of its industrial control systems identify potential weaknesses in their IT security systems. The company recently reported on its work in this field with Sweden’s Boliden, which involved using the service on one of its ABB 800xA control systems to help validate existing security policies, and possibly identify areas that might not have been considered. Boliden’s objective was to supplement its existing risk-mitigation program.
According to ABB, the Fingerprint uses a multilayer approach to collect data from more than 100 critical points in the system and conducts in-depth interviews with plant personnel. A proprietary software-based analysis tool then analyzes its findings and compares them with industry standards and best practices. One of the Fingerprint’s key features is that it highlights areas of opportunity for protecting against security breaches caused by company personnel who carelessly or maliciously spread malware through software or USB peripherals, as well as threats from outside hackers, ABB reported.
Following the analysis, ABB produced a detailed plan that analyzed the plant’s control system security and recommended actions that could provide further protection. ABB also trained Boliden personnel on new methods to help improve cyber security.
Don’t Panic, Think Ahead
In a report published last June, entitled Cyber Threats to the Mining Industry, Trend Micro noted that “In today’s competitive global market for commodities … cyber espionage campaigns are designed to make sure that interest groups have access to the latest technical knowledge and intelligence so they can maintain competitive advantage and thrive in a market-driven global economy.
“The mining industry is under threat from cyber attacks aimed at exploiting its strategic position in global supply chains. Very targeted and highly coordinated, the attacks are launched by a broad set of attacker groups ranging from ‘hacktivists’ to hostile governments and organized criminals. These groups have learned how to leverage the significant role that mining commodities play in regional and global supply chains and for national economies, and know how to exploit the vulnerabilities that mining companies are exposed to due to heavy reliance on integrated and automated systems.”
“The mining industry is both a geopolitical and an economic target,” the company went on. “The threat actors behind foreign cyber espionage campaigns are increasingly interested in learning about governance policies, decisions and decision-making processes of corporate executives, but also in trying to gain a competitive edge by disrupting the advantage of a competitor.”
That said, in most cases, there is little reason to suspect that each and every player in a particular commodity market is busy infiltrating its competitors, day-in, day-out. That is no excuse, however, for complacency, and it behooves everyone to be on the lookout for anything that could suggest that cyber criminals are at work.
French cybersecurity firm Sentryo believes that with the growing number of cyber attacks each year, companies that use industrial control systems must regard establishing a Security Operation Centre (SOC) as a crucial step in the fight against cybercrime. Sentryo explains that “an SOC is a supervisory and administrative mechanism for IT systems security that enables IT security issues to be detected and analyzed by capturing events. In the case of an alert being issued, the SOC is also able to map out the appropriate responses.”
Such an approach does, admittedly, require a substantial amount of resource input, not only to put an SOC in place, but to maintain its integrity and capabilities over time. Yet it is hard to see how such an investment is not becoming essential as the shoals of cyber-sharks seek new prey within the increasingly global business environment.
At the end of the day, one thing remains crystal clear. The weakest link in any security system is the movement of human fingers on a keyboard. Keeping people aware of the risks is one big step in maintaining corporate and personal security.
Scenario 1: Theft by transfer
One of your accounts staff receives an email purportedly from their regular contact at a supplier, telling them that the bank account details for future online payments have changed. Three months later, the supplier calls, asking why their last two invoices have not been paid. They were, but to the hacker’s account. The original email had been fake and your company has to pay those substantial bills twice.
Scenario 3: Engineering a takeover
Your company has a small, well-run mine, but has to renegotiate financing before long. Securing a good deal will be dependent on maintaining the cashflow from your operation. But there is a predator out there, who likes the look of the mine but wants it cheap. For some reason, your mill starts to run outside its settings, and breaks down badly, stopping production just when you need it most. The lender pulls out and the alternatives are too expensive — but all of a sudden there is a white knight out there, offering a deal that, in the circumstances, you can’t refuse. Target achieved.
Scenario 4: Political strings
The country where you operate is financially dependent on revenue from its minerals sector, with your operations making a substantial contribution to the national budget each year. However, political relations between the country and one of its neighbors are strained, and the neighboring state is bent on making life uncomfortable for your country’s government — both politically and economically. Cutting off a main income stream would be one way of achieving this, with the control systems at your operations a key target for hacking and manipulation. Over time, the government’s negotiating position is weakened as reduced mineral-sector income undermines its finances and international credit rating.
Scenario 5: Trucks amok
Just because industrial control systems are mainly used in mineral processing plants does not mean that other parts of a mining operation are cyber risk-free. Imagine a situation where the links between a remote control room and a fleet of autonomous haulers became the target for hackers. The potential for mayhem is indescribable, and while the replacement cost would be substantial, the sudden loss of production could be economically disastrous.
Scenario 6: Held to ransom
With the incident at the German steel mill, the perpetrators’ intention was perhaps to show that they have the capability of inflicting serious physical and financial damage. After all, a demonstration is a lot more effective than merely making an unsupported threat. Financial demands follow and, of course, unless a plant’s entire management and control systems are replaced with something more secure, the threat will always remain. Ransomware is already out there, effectively locking down business IT systems until payment is made, and according to CyberX, the FBI predicted ransom-demanding to be a US$1 billion business last year.
Scenario 7: Manipulating commodity markets
Your negotiations with your customers are confidential, affecting the way you organize your operations and your company’s profitability. This is especially true when your business is involved in regular renegotiation with a small group of large purchasers — whose custom is being eagerly sought by your competitors. How much effort would they be prepared to invest in being able to see all of your internal correspondence relating to the next pricing round?
Scenario 8: Eyes in the sky
With online retailers offering professional-capability, high-definition camera-equipped drones for well less than US$1,000, people with an interest in your operations can easily stand outside the fence and see what is happening by remote control. And, as Jeff Melrose, principal technology strategist for cybersecurity at Yokogawa US told the ICS conference last year, drones can not only be used for photographing industrial sites but also for data gathering and control system infiltration. Having photos of sensitive areas of an operation splashed across unfriendly media could cause reputational damage, as well as compromising a company’s competitive position.
Scenario 9: Just for fun
Kids will be kids, and today’s kids are no exception. Let them loose with technology, and they’ll find some way of either breaking it or extending its capabilities beyond its designers’ intentions. Computers, coding and the internet are today’s analogies for the plastic model kits and railway layouts of yesteryear, and experimentation knows no bounds. The intent to do damage may not be there, but if corporate IT systems are sufficiently insecure that they can be compromised, there is a chance that it will happen — inadvertently or otherwise.