A group of Canadian mining companies are at the centre of a fledgling international cyber threat sharing operation set to go live next month.
Six of the 10 companies that have signed to start the Mining and Metals Information Sharing and Analysis Centre (MM-ISAC) are Canadian, with hopes that more from around the world will join
According to co-founder Rob Labbe, director of information security at Teck Resources Ltd. of Vancouver, it was the April, 2016 attack on Goldcorp. Inc. of Vancouver, with the reported theft of over 14 GB of corporate data, that set of the chain of events culminating with the creation of the MM-ISAC.
“After their breach Goldcorp hosted a meeting with the whole industry [operating in Canada] to talk about what happened,” Labbe said in an interview Thursday. Usually, he added, they only get together for weddings and funerals.
“Out of that came a general consensus that as an industry we need to do a better job of sharing information,” he said, but no one knew what.
Then in the late fall of last year during the annual conference in Toronto of the Prospectors and Developers Association of Canada, Labbe met with IT officials from five other companies and suggested the industry create an ISAC. Common in the U.S. for many industries, there is no mining ISAC.
Through Grant Lecky, founder of the Canadian Cyber Security Alliance, an association of infosec groups here, Labbe learned about the U.S.-based International Association of Certified Information Sharing and Analysis Organizations (IACI), which helps sectors set up threat sharing centres around the world. It offers a number of resources including templates for those building ISACs.
“Now we exist,” said Labbe. “We’re getting the technology finalized” through a managed service offered by Perch Security, “we’ve got staff hired, and we’re going to be open probably July 10.”
The Goldcorp breach wasn’t the first suffered by a Canadian miner. In 2015 Detour Gold Corp. reported it had been hacked, potentially exposing sensitive corporate and employee records.
The industry isn’t thought of as a target, but activists opposing mining and nation states interested in corporate secrets are believed to have been behind a number of attacks around the world. A column written by an Ernst and Young analyst for Canadian Mining Journal last fall noted that in the last eight years, there have been 10 large-scale cyber hacks at mining companies that have caused major damage, including significant data breaches.
“Traditionally, mining (cyber) security hasn’t been seen as a major priority,” Labbe admitted. Partly, he suspects there’s an attitude of ‘nobody’s after us. We have nothing anybody’s interested in.’ That was the prevailing sense of the board room until Detour Gold and Goldcorp got hacked.”
That was acknowledged at a security conference in Toronto earlier this year by Luis Canepari, Goldcorp’s vice-president of IT. “We used to think we were not reliant on technology,” he said. But ventilation and conveyor systems are managed by supervisory control and data acquisition (SCADA) systems. Even new hauling trucks come with 100 wireless sensors to be used. “Our dependence on technology means if access to the Internet is shut for a week the company will come to a halt.”
And while Goldcorp had a “state of art firewall, a security operations centre, we had all this fancy stuff, … but someone gets fished, the network is compromised.” The attacker demanded money or the stolen data would be released, but Canepari said Goldcorp refused to pay the ransom.
The hack was “a wake-up call for us,” he said, which resulted in a tripling of cyber security spend.
Eventually, Labbe said, the mining sector has realized not sharing threat information made it vulnerable.
It’s also realized that mining is increasingly moving to the digital world with more automated and online industrial control systems. Until recently the risk of a cyber attack affecting mines and plants was considered low because few systems were Internet-connected. If a cyber breach caused machinery to run haywire there were enough workers around to shut systems down. If the wireless collision-avoidance system in a huge truck went down the driver would still see another vehicle in front.
Those days are increasingly in the past. “As we look to drive efficiencies and improve environmental performance and safety what that’s requiring is a whole lot more data and automation using machine learning,” Labbe said, “Now it’s getting to the point where a plant operating can’t intervene because the system is making modifications on the fly.”
In 2014, Labbe noted, it was reported had hackers remotely raised the temperature and destroyed a blast furnace at German steel mill. According to a news report, the attackers gained access to the steel mill through a spear phishing attack. Because the corporate network wasn’t separated from the operational network the attackers were able to compromise the production system.
“In five to seven years it will become impossible to run a safe and environmentally sustainable mine – let alone a productive one – unless it’s also secure,” said Labbe. “I think the industry has started to realize that.”
Members to the MM-ISAC are charged $25,000 a year to connect to its network. Perch Security supplies the intelligence analysts and data cleansing. “The big benefit to me is if I see a threat coming in I report it out to the ISAC and within a short period of time I see what other mining companies are seeing this,” Labbe said. “Because of other data sharing agreements we’re signing with other ISACs I can see immediately if its affecting other companies in other industries. That tells me it’s a fairly commodity-based threat. That requires one level of diligence to take care of. If there’s a threat and I get nothing coming back that tells me immediately this is somebody who’s specifically coming after me, which requires another level of response from me and my team.”
If necessary a conference call with other MM-ISAC members can be arranged to co-ordinate a response.