NOMPU SIZIBA: We tend to think of cyber threats as being more pertinent to financial services or retail companies, as these tend to hold a lot of personal data around their customers. But Deloitte has issued a report warning that the mining sector, too, needs to heed cyber threats, particularly as the sector evolves into the realm of intelligent mining.
Well, to break down the issues for us I’m joined on the line by Tiaan van Schalkwyk, an associate director at Deloitte Risk Advisory. Thanks very much for joining us, Tiaan. Before we get into the cyber risks the mining sector faces, just explain to us what intelligent mining is all about, and is it a prevalent movement around the world?
TIAAN VAN SCHALKWYK: Good evening, Nompu. Good evening, listeners. Yes, in terms of mining it definitely is a growing movement. What it enables is the use of digitalisation technologies to provide more and more access to a wealth of data, to an increasing use of sensors all over the mining environment – so from trucks to conveyors, to processing plants, underground measuring, environmental conditions and temperatures and humidity, and so forth. All of that gets fed into a centralised system that allows you to do analytics and to start predicting events to avoid safety incidents or to improve the performance of the mining operation, to improve planning, and so forth.
NOMPU SIZIBA: So what cyber threats can disrupt the mining sector or the mining value chain, and what would be the motivation for such a disruption?
TIAAN VAN SCHALKWYK: I think I’ll start with the motivation. The motivations vary, from someone who is just malicious and wants to cause disruption – so someone who dabbles in the art of malice. But then you’d have a concerted effort, trying to commit financial fraud through the mine’s systems to manipulate share prices or commodity prices by affecting mining operations.
And then you also have the ever-present threat of nation, state or competitor industrial espionage. Those are all factors that motivate cyber attacks on mining organisations.
Types of threats are things like ransomware attacks, viruses, everything we hear about on the news that affects financial services organisations or healthcare or government. The same types of things happen in mining organisations. The big inference is that, barring I think healthcare, the impact on mining organisations is not just their production stops and the loss of money, it’s also that there are potential safety incidents, which could mean loss of life, and there could be an environmental impact, such as contamination of mines around the mining operation. Those are things that are often forgotten by the man in the street. The mining fraternity is very well versed on that key principle; they draft a safety environmental [plan].
NOMPU SIZIBA: So how can miners make their operational processes more secure and resilient in this digital age? And is it costly to get these protections in place, especially in the context of, say, your more junior miners, who probably would need to watch every cent?
TIAAN VAN SCHALKWYK: The key there is to do your risk assessment appropriately. That is, understand your threats, the value of assets you are trying to protect, and the impact if that asset is affected. So an impact could be a legal impact, the production impact, environmental safety, health and so forth. Understand and quantify that to some degree, so you can compare various locations. If you are a junior mining operation and have two small mines, you will want to compare those mines with each other, to say which one is the more important.
Then you need to get access to threat intelligence – that is knowledge about who your attackers might be. You need to understand the sociopolitical construct around your operating environment; you need to understand who would want to attack you and why, although that’s fairly standard; and then decide how much you can make available to satisfy that requirement and put controls in place.
So it’s to understand the risk, decide how much that is justified in terms of your spend, and then put a road map or plan in place to roll out your security measures over time, in a time frame you can afford.
Then you take layers of approach. You have to look at your governance: who owns it, who is accountable, who reports to the board, is your board committed and asking for cyber security in the environment? Then who exercises control? What are the foundational technologies you use: antivirus, firewalls, those types of thing, things one hears about? You must implement those and put the processes in place to make sure that they always operate.
And something that is extremely important is to build the capability to detect any kind of anomalies or instances that may be occurring in your environment. So, while you are rolling out all these clever bits of technology and it’s costing you millions, potentially, you still need to monitor your environment while you are less secure, because it’s really important to be able to detect and respond rapidly to mitigate the damage and limit the impact of any particular cyber attack.
NOMPU SIZIBA: That brings me very nicely to my next question. In the unfortunate event of a cyber attack – because we’ve been talking about what you can do to put in place measures to avoid one – what can mining companies do to mitigate the damage?
TIAAN VAN SCHALKWYK: Mitigating the damage requires a mining organisation to understand what has happened to it; and then, very importantly, understand what parts of the programme are affected so that if it needs to halt operations, halt an autonomous truck or halt a conveyor belt or the beneficiation clock, they do that as soon as possible to avoid environmental impact and safety concerns.
If those are not potential outcomes of a cyber attack, then the mining operations can continue but the cyber-security response team, with the assistance of the operational technology and IT teams, would then have to focus on limiting any further spill or event to the rest of the environment, contain the incident and respond, depending on the nature of the incident. They may need to communicate with the media, with stakeholders, shareholders, community around them and so on.
NOMPU SIZIBA: Are these conversations being had at the Mining Indaba, as we speak?
TIAAN VAN SCHALKWYK: Yes, certainly. They are being had. We ran a couple of demonstrations with some of our clients, and then prospective clients, and we’ve been involved in a number of these discussions with various mining organisations. Over the past three years there has been an upswing in this, because they definitely are taking heed of the warning and they are preparing.
NOMPU SIZIBA: In terms of job security in the mining sector we know that some sectors have more problems than others, the gold sector being one example. With all these technological advances that you are talking about, and the capabilities that exist, is there a concern on your side that we are going to see a lot of job losses in the sector because of automation and so on?
TIAAN VAN SCHALKWYK: The way we are seeing it at the moment is they are intact – all it requires is reskilling. We don’t need to cut any of the jobs because there is a lot of analytics, and different kinds of work becomes necessary if you do more automation. So it’s not necessarily an indicator when you automate that you’ll have to cut jobs and reduce your workforce. The workforce becomes much more efficient. They way they work is completely different, the way they have to think is different – but all of that contributes to a much better-performing mining organisation.
NOMPU SIZIBA: We have been talking very specifically about this technical area – thank you very much for educating us on it. But, broadly speaking, you’ve been at the Mining Indaba. What is the mood about the mining sector in South Africa, and does there appear to be a large appetite for investment among financiers and investors?
TIAAN VAN SCHALKWYK: The mood was much more positive, reportedly, than last year at this time. People I spoke to were mostly positive. The messages from the politicians and from the industry leaders who were participating in the various discussion groups and so forth – those were fairly positive. There were some controversial statements, of course, but you can’t avoid those. They are all meant to drive an industry to work better and bring more value to our economy and the economies the industries operate in.
NOMPU SIZIBA: Thank you very much, Tiaan, for your time and those insights.