February 10, 2017 by Canadian Underwriter
The exploration plans of Canadian mining firms are among the “prime” targets for hackers, while autonomous vehicles used by miners could be influenced by computer viruses, Deloitte Touche Tohmatsu Ltd. warned in a recent report.
“Malicious viruses, like Stuxnet, explicitly target critical systems that control pumps, motors, valves and programmable logic controllers,” Deloitte warned in its ninth annual mining report – Tracking the Trends 2017 – announced Feb. 1.
By Stuxnet, Deloitte was referring to a 2010 attack on Iran’s uranium enrichment program.
“Concerns that hackers could gain control over driverless cars extend to the mining sector, where autonomous vehicles continue to proliferate,” Deloitte stated in Tracking the Trends 2017.
“Stuxnet searches for industrial control systems, often generically (but incorrectly) known as SCADA systems, and if it finds these systems on the compromised computer, it attempts to steal code and design projects,” IT security vendor Symantec Corp. stated earlier on its website. “It may also take advantage of the programming software interface to also upload its own code to the Programmable Logic Controllers (PLC), which are ‘mini-computers’, in an industrial control system that is typically monitored by SCADA systems. Stuxnet then hides this code, so when a programmer using a compromised computer tries to view all of the code on a PLC, they will not see the code injected by Stuxnet.”
One target of Stuxnet was the Iranian nuclear program, the United States Government Accountability Office stated in a report released in 2015.
Stuxnet made uranium enrichment centrifuges work incorrectly, GAO noted in the report, titled Improvements in DOD Reporting and Cybersecurity Implementation Needed to Enhance Utility Resilience Planning.
“Stuxnet ruined almost 20% of Iran’s uranium enrichment centrifuge capability by spinning out of control while simultaneously replaying the recorded system values which showed the centrifuges functioning normally during the attack,” Willis Group Holdings said in its Energy Market Review for 2014. “Stuxnet showed that it was perfectly possible for a cyber-attack to result in significant physical damage to energy infrastructure as well as the ensuing consequential/business interruption (BI) losses.”
In its Tracking the Trends 2017 report, Deloitte warned that mining companies’ intellectual property is a “prime target” for hackers, including criminals and foreign intelligence agencies.
“The data at risk is broad, ranging from corporate intellectual property, geological studies, exploration plans and M&A targets to personal emails, executive tax positions and employee data,” Deloitte noted.
Mining firms “cannot afford to neglect” traditional information technology security measures, Deloitte suggested. “This includes activities such as increasing firewall security, restricting administrative access to systems, deploying advanced endpoint protection and segmenting networks so hackers can access only limited segments.”
Mining firms also need to train employees on safe computing practices, Deloitte added in the report.
“The global footprint of most mining companies also heightens the imperative to develop a seamless cross-border governance framework that allows for a coordinated response.”