Australia’s $148b mining industry may be a major driver for the national economy, but its immature view of cybersecurity will only be changed after a “catastrophic” cybersecurity event, AustCyber has warned as the government releases a draft strategy for improving baseline Internet of Things (IoT) security.
IoT security is particularly relevant to mining, where surging automation relies on increasingly interconnected and autonomous networks of IoT devices. One recent Inmarsat report, for example, found that 70 percent of mining companies see IoT as a key competitive differentiator.
Yet as the industry adopts new technologies, its poor legacy security technologies and practices will hit hard, says Graeme Stanway, chairman and co-founder of mining-industry research group State of Play, which recently launched a full report into the industry’s cybersecurity posture.
Fully 98 percent of mining-industry executives surveyed – in a collaboration with METS Ignited and AustCyber – believe that it will take a “catastrophic” event hitting the industry before it will mount a serious response to the threats of cybersecurity.
By contrast, only 58 percent of respondents said that legislation or regulation would be effective in changing established poor cybersecurity habits – and just 18 percent believed in the efficacy of financial incentives, education and awareness.
“In an increasingly automated and interconnected world, the risk of rogue systems and equipment is growing rapidly,” Stanway explained. “If someone hacks into a mining system, they can potentially take remote control of operational equipment. That’s the level of risk that we are facing.”
The preponderance of “legacy closed systems” with customised integrations had perpetuated cybersecurity issues, notes METS Ignited CEO Adrian Beer, who called for standards to define “what good looks like in terms of cybersecurity” and a set of industry standards “to ensure that the specific needs are met to deliver those secure outcomes.”
Laying down the law
The government’s evolving Voluntary Code of Practice would offer one such standards framework, with Home Affairs inviting comment through 1 March 2020 on a newly released draft of the guidelines.
Building on guidance from the UK – which launched its own world-first code of practice late last year – the proposed guidelines include 13 principles designed to improve security practices in an IoT industry where “devices are often developed with functionality as a priority, with security being absent or an afterthought…. It is essential that these devices have cyber security provisions to defend against potential threats.”
To “achieve the greatest security benefit”, the draft report recommends that industry prioritise three of the principles – including a ban on the use of duplicated default or weak passwords; implementation of a vulnerability disclosure policy for device manufacturers, IoT service providers and mobile application developers; and secure updates of IoT software and firmware.
Other recommendations include the secure storage of credentials and security-sensitive data; compliance with established data protection laws and the Australian Privacy Principles; encryption of data in transit and at rest; minimising attack surfaces by disabling unused functionality, limiting ports, blocking remote web-management interface access; and more.
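As an added illustration that is not part of the article or the draft code, the following Python check evaluates IoT device records against the three prioritised principles (credentials, disclosure policy, secure updates) and the attack-surface recommendations above; the field names, the default-credential list and the password-length threshold are assumptions for the example.

```python
"""Baseline audit of IoT device records against the draft code's prioritised
principles and attack-surface recommendations. All field names, thresholds and
sample credentials below are constructed for this example."""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Constructed list of common vendor defaults; a real audit would load the
# documented defaults for each device model.
KNOWN_DEFAULTS = {("admin", "admin"), ("admin", "password"), ("root", "root")}
MIN_PASSWORD_LEN = 12  # assumed policy threshold


@dataclass
class Device:
    device_id: str
    username: str
    password: str
    firmware_signed: bool            # firmware images are cryptographically signed
    update_over_tls: bool            # update channel is encrypted in transit
    disclosure_policy_url: Optional[str]
    remote_web_mgmt: bool            # web-management reachable from outside the LAN
    open_ports: Set[int]
    required_ports: Set[int]         # ports the device actually needs


def audit_device(d: Device) -> List[str]:
    """Return one finding per violated principle; an empty list means compliant."""
    findings: List[str] = []
    if (d.username, d.password) in KNOWN_DEFAULTS or len(d.password) < MIN_PASSWORD_LEN:
        findings.append("P1 default/weak credential")
    if not d.disclosure_policy_url:
        findings.append("P2 no vulnerability disclosure policy")
    if not (d.firmware_signed and d.update_over_tls):
        findings.append("P3 updates not signed and delivered over an encrypted channel")
    if d.remote_web_mgmt:
        findings.append("attack surface: remote web-management interface enabled")
    extra = d.open_ports - d.required_ports
    if extra:
        findings.append(f"attack surface: unneeded open ports {sorted(extra)}")
    return findings


def audit_fleet(devices: List[Device]) -> Dict[str, List[str]]:
    """Per-device findings plus the fleet-wide 'duplicated default' check:
    the same password shared by more than one device."""
    report = {d.device_id: audit_device(d) for d in devices}
    counts = Counter(d.password for d in devices)
    for d in devices:
        if counts[d.password] > 1:
            report[d.device_id].append("P1 password duplicated across fleet")
    return report
```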
The code offers important “recognition of some of the key IoT risks and associated steps responsible IoT vendors and service providers might take,” said Kevin Vanhaelen, regional director, Asia-Pacific, Vectra AI in the wake of the draft code’s release.
However, he continued, its effectiveness will be limited because “voluntary codes of practice will likely only attract organisations who are already proactive and bought into addressing the issues the code seeks to address.”
For now, he said, that limitation maintained the onus for security on consumers and enterprise technology users – including those in the mining and other sectors.
“The interconnectedness of Industry 4.0-driven operations, such as those that involve industrial control systems, along with the escalating deployment of industrial internet-of-things (IIoT) devices, has created a massive attack surface for cybercriminals to exploit,” Vanhaelen said.
“Businesses and consumers alike stand to benefit from this code but time will only tell what the real impact will be given the lack of an official mandate.”