As mining companies go down the path of digitalization, topics like interoperability, autonomous systems, and network connectivity increase productivity, but they also increase cybersecurity risks arising from connected systems. All global mining stakeholders need to address cybersecurity together, and as an open, global, multistakeholder group, a GMG working group will help mining stakeholders as they look to design safe, secure, reliable and resilient cybersecurity infrastructure that adheres to regulatory, trust, and privacy best practices. The GMG Cybersecurity Working Group will:
- Actively seek out existing content from other partners and only create new material when the mining industry requires unique content.
- Be responsive to the priorities of the industry. Projects will be created based upon a defined roadmap that the industry agrees upon. A list of potential topics is noted below, however these may not be the highest priority projects following the roadmap exercise.
- Seek out projects that leverage its open, collaborative principles and processes in a way that it is able to create unique, high value work that could not be easily done elsewhere.
The group should support business leaders who need to understand and prioritize cybersecurity decisions and provide mining-specific guidance for technical experts as they look to design and implement cybersecurity systems.
Background
Cybersecurity has been an important consideration across many GMG Working Groups and Projects. There has also been a rise in both interest and expertise within the global mining industry. Leveraging this expertise to accelerate progress for cybersecurity in mining will have significant implications as the industry becomes increasingly digitalized.
Objectives
- Create a working group with mining and cybersecurity expertise that can guide the development of new collaborative cybersecurity projects for mining.
- Develop a collaborative framework with MM-ISAC to leverage work from both the organizations and amplify results.
- Create a mining project guide that project leaders can use to successfully build cybersecurity into any mining project.
First Project: Roadmap
The first project for this will be a joint roadmap with the MM-ISAC that itentifies what projects that the two organizations will work on. There will be engagement within the Working Group in November that will culminate in the development of this roadmap.
Other Potential Projects
Foundations of Cybersecurity in Mining
- Articulate a clear and unified understanding of the framework of what cybersecurity is and how it can benefit the mining industry, including business use case examples.
- Risk assessment models for mining (eg. 40-year ICS technology, autonomous systems, critical parts of the mining value chain)
- Standard terms, metrics and KPIs
- Environmental scan for relevant-to-mining cybersecurity guidelines
- Governance and policies, including organizational structure and accountability
Activities: white paper, educational content (video)
Tie-in Work with MM-ISAC
- Cyber resilience: How mines can structure their cybersecurity system to minimize damage and maximize functionality in the event of a cyberattack
- Monitoring and analysis: How mines can develop methods to monitor and analyze threats.
- Safety and reliability: Functional Safety for Autonomous Equipment addresses these topics, and a Cybersecurity Working Group could decide to expand into other areas within mining if required.
- Data security, privacy and trust: How mines can protect the privacy of their data in case of an attack, and implement methodologies for ensuring trust for accessing data and control systems.
Activities: guideline, educational content, short course, an MM-ISAC guide for insurance providers assessing cybersecurity, a guide for mining companies doing cybersecurity diligence on third-party suppliers such as engineering firms
Cybersecurity for Communications and Connectivity
- How to structure networking equipment and endpoints for optimal ICS and corporate data security across the mining value chain. One example of a security framework is from Industrial Internet Consortium
- Network configuration and monitoring: Authorization, and technologies such as SDN and NFV
- Connectivity Standards that are relevant to mining (eg. IEEE, ISO, NIST, etc.)
- Endpoint security, including fog/edge/cloud networking
- Encryption: Applications of cryptography at different OSI layers, as well as for blockchain security applications
Activities: guideline, short course
Cybersecurity Maturity Model for Mining
- Develop a maturity model for cybersecurity in mining
- The U.S. government has created a general Cybersecurity Capability Maturity Model, and also ones for specific industries like Oil & Gas.
Activities: a similar guideline for the mining industry to help mining companies diagnose their current levels of maturity and act in accordance.
Enviornmental Landscape
As noted above, GMG is working closely with the MM-ISAC – who are currently leaders in this space – to collaborate on projects, prevent duplication and identify other efforts outside of our organizations. We also intend to identify and leverage existing cybersecurity standards that are relevant, many of which have been referenced in past projects.
Key Stakeholders
The working group should be composed of practitioners that live and breathe transformation and technology in the mining industry so that the content is relevant and a value-add for the industry. These stakeholders include mine operators, those from technical organizations working on cybersecurity, cybersecurity experts from within mining, and cybersecurity experts from outside mining.
However, throughout the course of specific projects it will also be important to engage non-cybersecurity experts. This includes third party suppliers who will benefit from education in an effort to increase cybersecurity capabilities across the industry.