In April 2016, executives at Vancouver’s Goldcorp Inc. (TSX:G) were shocked to learn that hackers had penetrated the company’s computer network and stolen a load of data, including bank accounts, wire transfers, payroll records, contracts, budget documents and treasury reports. The hackers dumped some of this pilfered material online and threatened to release more unless Goldcorp delivered a ransom of more than $1 million in Bitcoin. Goldcorp refused to pay and turned the matter over to the RCMP.
At the same time, Goldcorp’s internal security team began working with outside investigators to gather facts about the breach and make modifications to its network security. But the response didn’t stop there. Five weeks later, the firm hosted an invite-only roundtable for mining companies where it openly discussed the incident and shared intel about the thieves that had cracked their system. About 100 people attended this unique gathering.
“Look, no one wants to end up in the news because they were hacked,” admits Luis Canepari, Goldcorp’s vice-president of information technology. “But this was a real eye-opener for us and we were quite frank about what had happened and what we needed to do better. You can’t wrap yourself in a cocoon. Secrecy doesn’t help anyone.”
The conference sparked plenty of enthusiasm but no action until this March, when Canepari and senior IT executives from six other major mining companies met at the Prospectors & Developers Association of Canada Convention in Toronto. “It was clear to us that cybercrime was becoming a huge problem and that the authorities were unable to do anything about it,” says Canepari. “We decided to make a commitment to work together on the problem.”
A month later the creation of the Mining and Metals Information Sharing and Analysis Center (MM-ISAC) was announced—a significant move for the mining sector that at the same time reflects a growing realization that corporate cybersecurity needs to go beyond the latest technical gear and individual firewalls to be successful.
A non-profit, industry-owned corporation, MM-ISAC’s goal is to help its members protect their facilities, personnel and customers from cyberattacks and other hazards through pooling of resources, sharing of information and contingency planning. Some 30 ISAC groups, serving a variety of industries, already exist in the United States, but this is the first such centre in Canada. “We just went live on July 1, but we already have 20 members,” says Rob Labbe, director of information security at Teck Resources Ltd. (TSX:TECK.B) and chairman of MM-ISAC. Labbe says that the quick uptake is a sign that attitudes in the mining world are shifting. “In the past the industry never viewed itself as a prime target. Mining wasn’t seen as data sensitive. The prevailing sense was that we didn’t have anything that anyone was interested in.”
That impression is echoed by Daniel Botok, CEO at Cyintelligence, a Toronto cybersecurity firm that investigates about 30 data breaches per month. “Many senior executives in mining underestimate the threat from the cyber realm. Mining is a very physical industry and the virtual world is alien to these executives. Cybercrime is an intangible danger, it’s moving, it’s dynamic, it’s ever-changing. It’s hard to get a handle on.”
Labbe feels that the level of concern varies from company to company, but admits that the old-school attitude still prevails in some quarters. However, maintaining that attitude will become more difficult as mining becomes increasingly automated and dependent upon digital systems that can be remotely co-opted. “If you lose control of your machinery because of a cyber breach it could halt production for weeks. You can’t just go down to Home Depot and pick up another floatation cell,” says Labbe. “In five to seven years it will become impossible to run a safe and environmentally sustainable mine—let alone a productive one—unless it’s also secure.”
In fact, such disruptive activity has already been occurring, although accounts of these events don’t always appear in the media. In an article published last year in the Canadian Mining Journal, an analyst with EY said there had been 10 large-scale cyberattacks at Canadian mining companies that had caused major damage, including significant data breaches.
The 2016 attack on Goldcorp was part of a wave of criminal activity generated by one outlaw group that targeted several Canadian casinos and other mining companies. As well as demanding ransoms, the hackers also caused chaos with those who did not meet their demands “by essentially shutting off production systems so that the mine or casino couldn’t operate for a period of time,” says Charles Carmakal, vice-president at Mandiant, an American cybersecurity outfit that investigated the case. The attackers scheduled the sabotage just like a time bomb; in one client’s case, taking 60 critical systems offline overnight.
Carmakal says the group responsible has been active since 2013 and has employed various monikers including Tesla Team, Angels of Truth and Anonymous Threat Agent. The same crew was also responsible for a 2015 strike on Detour Gold Corp. (TSX:DGC) in which personal information related to the Canadian company’s employees and customers, salaries, donation and medical records, legal documents, invoices and details of confidential deals was released.
In all these cases, the hackers infiltrated the companies’ networks via individual laptops, PCs, smartphones and tablets by deception. In one case, they hid malware in a webpage claiming to be an updated staff holiday schedule. In another, they disguised a malicious Microsoft Word document as an employee questionnaire. The technique, known as “spear phishing,” is the same one used by Russian hackers to breach e-mail accounts at U.S. Democratic National Committee headquarters during the American presidential election campaign.
Gaining access through endpoints rather than attacking a computer network directly is typical of today’s cyber bandits, says Botok. “Too many companies think that their firewall will stop the flood from coming through, but it’s only stopping about 30% of the flood. Hackers prey on the human element. And that’s always going to be a weakness until the day we are all robots or have computer chips sewn into our heads. Education of employees is an incredibly important, but underrated factor in all this.”
Labbe believes that MM-ISAC offers its members a better chance of defeating attacks like the one that hit Goldcorp because of its strategy of sharing information through a partnership with Perch Security, which supplies intelligence analysts and data cleansing.
“We view ourselves as being similar to a neighbourhood watch group. We share information about the bad guys, so our members can recognize them.”
As Labbe notes, the methods used in the Goldcorp and casino hacks were not especially sophisticated. “These guys just line up companies and use the same techniques each time. If companies share information about an attacker’s tools and techniques, we can force them to use new tactics each time, making it more expensive and difficult for them.”
Canepari says some people voiced concerns about the wisdom of sharing information, but he is confident there is no risk. “The data can only help the security experts. It doesn’t lend any competitive advantage to other mining companies,” he says, noting that the automated process they use allows information to be shared with all sensitive data removed.
Currently, about 50% of MM-ISAC members are Canadian and 25% to 30% are American. The group is funded by memberships, which cost US$25,000 a year. The funds pay for Perch’s involvement and an intelligence-sharing platform. “Eventually, we hope to have between 50 to 70 members. Then we can fund our own research projects,” says program manager Cherie Burgett, who notes that MM-ISAC’s structure makes it especially appealing to smaller companies. “Because of the services and technology we get with Perch, the cost is much lower all around. A smaller company would be looking at a cost of more than $500K-plus to participate in an organization like ours fully. Instead, they can participate with us for about the cost of a part-time employee and receive the same benefits that a larger enterprise has.”
Canepari believes that mining companies need to recognize that maximizing the security of the entire sector is the most effective way to combat cybercrime. “The point of our ISAC is to share information and prevent attacks,” says Canepari. “You need to learn from what has happened in the past. As long as that door of vulnerability is left open, then it will be open to other companies. If we don’t stick together then the cybercriminals will continue to profit at our expense.”
Sidebar: MM-ISAC: How it works
The Mining and Metals Information Sharing and Analysis Center started operating in July. According to its program manager, Cherie Burgett, members receive weekly threat reports and, on a day-to-day basis, have access to the MM-ISAC’s “threat intel sharing community.” The system also ensures members are alerted to any relevant concerns as they arise.
Burgett says system sensors generate attack alerts automatically and an MM-ISAC analyst manually reviews the alerts to determine if they are “false positives or true positives.” On the long-term front, MM-ISAC planning committees and member-driven working groups help define how the industry will plan for and respond to cyber incidents as they arise. — K.B.
Photography by Envato Elements