Cyber risks in mining, oil and gas companies
Jan 11th, 2017
Mining is in transition from the electro-mechanical era toward the cyber-informational one. Cyber risks in mining, oil and gas companies have become relevant, and one should include them in any operational risk landscape assessment.
Information technology (IT), the Internet of Things (IoT), and spreading connectivity are bringing very significant benefits to mining. However, they increase the mining industry’s exposure to cyber criminals and possibly terrorists. This phenomenon is general and occurs in every single industrial, infrastructural and service space, not only in mining.
Insurers practice actuarial approaches, rooted in a rear-view vision of the world. Thus they seem to be less than efficient advisors insofar as cyber risks in mining, oil and gas companies are concerned.
A management conundrum
At Riskope we have worked on large cyber risk assessments at national scale, and have included cyber risks in holistic multi-hazard approaches. Since the very beginning of the century, our clients have been civilian as well as military.
Reportedly, at least one major mining company has been the target of a massive hack. However, serious infrastructural damage has only seldom been inflicted, and not in mining (as far as we know), but in other industries.
Given the rapid escalation in the number and sophistication of cyber attacks, infrastructural damage is to be expected “any time”. Any infrastructural damage, especially damage with environmental consequences or harm to people, will lead to significant crisis potential, reputational damage and legal consequences. Cyber risks in mining, oil and gas companies are a reality one cannot ignore.
There is a strong temptation to squander capital on “technological solutions”. That is due to the complexity and far-reaching interdependencies of the receiving system, i.e. the mining operation, corporation, etc. Furthermore, there is and there has been a lot of focus on technological mitigation for cyber risks. That includes perimeter technologies like firewalls, intrusion detection, etc. That type of “specialist approach” forgets, however, that the easiest way to stop a computer is and will remain “unplugging” it. One can perpetrate a malevolent cyber attack on a mining site in rather unsophisticated, but efficient ways. And the consequences are far from stopping at IT.
The financial implications of the capital squandering are so significant that cyber-protection costs have been predicted to exceed benefits by 2019.
Unlike other natural or man-made hazards, cyber hazards evolve and expand at a high rate. Many hazard specialists (the IT guys) state that it is “impossible” to keep track of all the threats. Companies which specialize in network monitoring and threat detection are very successful and are expanding their capabilities, however not necessarily at the pace demanded by the rate of acceleration of the threat.
Most risk assessments we review are very light on the study of interdependencies and complex consequences. That is because of the lack of methodological support.
Cyber risks, more than any other component of the overall risk landscape, require solid, robust solutions.
At R&R we presented a paper “Military Grade Risk Application for Mining Defense, Resilience, and Optimization” which focuses on ORE, our flagship platform for multi-hazard scalable, drillable and convergent risk assessments.
With ORE it is possible to comparatively evaluate mitigative alternatives and process alterations. This leads to stronger leadership, transparency and, finally, cultural transformation.
We recently read an encouraging note. It reported that, in some cases, corporations recently spent two-thirds of the overall capex on cyber risk mitigation strategies in non-technological areas.
The idea that cyber risk is not an IT issue is finally sinking in. This, however, does not necessarily mean the capex is allotted in the most efficient way, unless proper prioritization was performed and silo culture is replaced by “horizontal” thinking. And all of the above does not necessarily lead to proper inclusion of cyber risks in the ERM program.
Cyber risks in mining, oil and gas companies are a reality. Ultimately the deployment of an adequate analysis methodology will eliminate capex squandering.
Should cyber risk be a special organization within a company or just part of IT?
My vote is the former: independent from IT, and part of operational risk management.