In this episode, Rob Labbé from Mining and Metals ISAC explains how and why risk assessments are needed and conducted for OT.
OT systems are critical to mining safety. Rob Labbé, the chair of the Metals and Mining ISAC joins us to look at six steps to integrating IT & OT networks and security programs in this very sensitive environment.
The Industrial Security Podcast, hosted by Andrew Ginter and Nate Nelson, is available everywhere you listen to podcasts.
About Rob Labbé
Rob Labbé is a proven cybersecurity and business leader with a focus on proactive security policies, processes, and cybersecurity tools that help enable business outcomes. He’s been the founding chair of the Mining and Metals ISAC (Information Sharing and Analysis Centre) for the past 6 years, which started out with just 5 Canadian mining companies, and today boasts 18 global mining and metal companies headquartered in Canada, the US, Europe, South America and Australia.
Rob has specialized in the development of integrated IT/OT security programs, with a demonstrated ability in supporting and enabling digital transformation through effective security integration across IT and OT environments, even at a global scale.
Securing Metals and Mining OT/IT
Here’s the transcript of this episode:
Please note: This transcript was auto-generated and then edited by a person. In the case of any inconsistencies, please refer to the recording as the source.
Nathaniel Nelson
Welcome, everyone, to the Industrial Security Podcast. My name is Nate Nelson. I’m here as usual with Andrew Ginter, the Vice President of Industrial Security at Waterfall Security Solutions, who will introduce the subject and guest of our show today. Andrew, how’s it going?
Andrew Ginter
I’m very well, thank you Nate. Our guest today is Rob Labbé. He is the chair of the Mining and Metals ISAC, which is an “information sharing and analysis center”, and he’s going to be looking at industrial cybersecurity from an IT perspective. He’s going to be taking us through 6 steps to integrating IT and OT, you know, networks, people, processes. Everything!
Nathaniel Nelson
All right! Then without further ado let’s get into your interview. So Rob covered a lot there, but there is 1 point he made relatively early on that has been mulling in my head in the time since. Rob was mentioning how automation is taking over for a lot of jobs in mining that would have otherwise historically been done by people. Now Andrew, you and I talk a lot on the show about safety. What I would wonder then is, if the jobs are being taken by machines and there are fewer people at these sites, you know, mining is, if anything, compared to industrial security sites around the world, some of the most safety critical industries. You know, it takes a lot more to be... You know, and I’m starting to write, but let me try this again. All right? So Rob covered a lot there, but there’s been something that he said early on that’s been sitting with me, which is he was talking about automation and how automation is increasingly taking over for jobs in mining that were historically done by people. Andrew, you and I talk a lot about safety on this show. How does the industrial security calculus change, though, if in 1 of the most safety critical, safety risk industries in industrial security, namely mining... Ah.
Nathaniel Nelson
You start to find fewer people at these actual sites. Maybe then safety becomes a lower rung of the totem pole because all the jobs are being done by machines.
Andrew Ginter
Ah, that’s ah, a very good observation, and you know the short answer is yes. Um, you know, ah, to me it’s a very good thing that jobs that were, you know, historically putting human lives at risk if there was any kind of malfunction are being automated to the point where robots are taking the risk, not people anymore. Um, but ah, you know, all of this increased automation is sort of being coupled with remote operation, and remote means, you know, you’re communicating through the internet. You’ve got software that’s protecting you, not hardware. It’s um, you know, you’re increasing the risk, the cyber risk rather, you’re increasing the opportunities for attack by operating everything remotely and by automating everything, but you’re taking the safety ah consequence off the table. And in a sense this makes the cybersecurity calculus easier. Um, you still have very consequential potential outcomes, but they tend to be dollar outcomes, you know, large dollar outcomes rather than human life outcomes. And so it does simplify your cybersecurity equations. Um, it’s still a very big deal though. We’re talking multibillion dollar investments in one of these big mines, and you know, ah, so you’re still talking about potentially, you know, very serious consequences dollar-wise and in a sense reliability-wise, um, if you compromise these systems. Um, but in a sense it’s easier to design security mechanisms for very large dollar losses, ah, than it is to design them for, you know, large human casualty losses. If you have a whole crew that’s, you know, underground and is at risk because somebody has messed with, you know, the ventilation, um, that’s very very bad. Whereas, ah, you know, a couple of these 700 ton trucks colliding and, you know, suffering massive damages with no human operators inside of them is very bad. It’s not very very bad. So it does help, in my understanding.
Nathaniel Nelson
Now sure, now when you talk about it being easier to design security around money problems rather than human life problems, are you talking about just the sheer severity of the consequences, like the risks involved, like it’s so much more important to protect human lives and so it’s easier to just be talking about machines? Or is it that the nature of protecting against financial losses, against machines, is characteristically different, like the kinds of security you might otherwise be investing in, talking about putting in place, is easier to implement?
Andrew Ginter
So Nate, let me, you know, let me chime in here and just sort of remind ah you and our listeners, um, of something I mentioned in the introduction. You heard Rob give his sort of, you know, description of his background. He came from the IT space into cybersecurity and mining. Um, which is sort of a bit of an unusual perspective on the space. I’m thinking the last hundred episodes of the show here, most of our guests have been from the engineering side talking about cybersecurity. You know, in the first 15 years of the industrial security discipline it was mostly engineers who were responsible, and stayed responsible, for ah the, yeah, you know, the industrial automation, for the physical process, and, you know, were sort of pulled into the cybersecurity because they had to. It was a new risk, they had to deal with it. This is what engineers do. They took advice from the IT people. What we’re seeing in the last about 5 years is that increasingly enterprise security teams are being told: you’re now responsible for industrial cybersecurity, go fix that problem. This is something that you did not really see, you know, in the first ten, fifteen years of the discipline. We are seeing it very recently, and so ah, you know, Rob’s perspective here really is he’s giving advice to IT teams, to enterprise security teams who are sort of going through the same lifecycle he did, which is: here, you’re responsible now, you figure out how to work with the engineers, you figure out how to make this happen, because you’re the ones that, you know, are going to be held accountable if there’s an incident at the mine. And so ah, you know, Rob’s perspective here is a little unusual because he’s giving advice to IT people sort of as an IT person who’s made the transition, not as an engineer saying here’s what I wish you would do. You know, here Rob is telling us what actually worked for him.
Nathaniel Nelson
You know, that sounds relatively opposite to how we usually conceive of things, at least on this show. We’ve spent plenty of conversation talking about how to convince boards of the necessity of cybersecurity, how to shake loose budget, but here he’s saying that the initiative comes down from the board to the cybersecurity people.
Andrew Ginter
Um, yes, and that is unusual, but you know, I have to wonder, is this another example of scale? Because when we’re dealing with, you know, the oil and gas majors, they’ve been leaders in cybersecurity from the beginning. It was, you know, it was always understood that they had to do cybersecurity, right? When we’re talking smaller operators that are much more cash constrained, you have to worry about shaking budget loose. You know, to me, what I see in the industry is more awareness, awareness across the board, in the board, yeah, sorry, you know, board level, you know, feet on the street level and everything in between. Um, it sounds like, you know, what I’ve observed in the rail industry. You know, rail was sort of head down for a century: safety, safety, safety, safety. And it’s like they looked up recently and said, oh shoot, cyber, we have to do that too. You know, without cybersecurity we don’t have safety, and they’ve embraced cybersecurity. There’s standards coming out, there’s progress. It sounds almost like that might be what’s happening in mining, but I don’t have enough data points to be confident of that. Well, I do have one data point in addition to, you know, ah, the information Rob’s giving us. I was talking recently to the CISO of ah a large mining operation, and he said, Andrew, you know, ah, the investment in mines is in a sense cyclic. You have a big massive upfront capital investment, and then once you’ve built the mine at a cost of, you know, $2 billion, it starts producing. And then there’s a cash crunch and you need to produce extremely efficiently to be competitive in the marketplace, and so, you know, the place to put, you know, the opportunity, the easy opportunity to get cybersecurity or anything into your mine is during the capital phase of the project, not the, you know, stretch every dollar operations phase. But um, you know, a) if there’s a new awareness of risk at the board level,
that’s ah, that’s a factor, and b) what he said was, look Andrew, I’ve been in the industry a long time. He said, um, you know, after you’ve operated a mine for 10, 12, 15 years, um, there comes a point where you say, you know, we have to modernize, because we can become more efficient as a result, because we can exploit another part of the resource, you know, if we modernize. And so, you know, after a period of running, you know, 10, 12 years, there tends to be another massive capital injection. Again, it’s an opportunity to get your new automation, new security, new everything. What he said was, and what he’s observed in the industry is, that from time to time there’s sort of episodes where almost every mine on the planet looks around and says there’s new stuff out there, we have to do it, and over a period of 3 and 4 years there’s ah an episode where most of the mining operations on the planet upgrade. And he says, in his estimation, one of these is coming up. There’s AI, there’s cloud-based systems, there’s new kinds of automation, there’s new kinds of efficiencies that everybody needs to leverage in their mining operation. And so it looks like, you know, these, ah, you know, these stars might be aligning. The boards have become aware of cybersecurity and they want to fix it, and, you know, if the gentleman I was talking to is right, there’s an opportunity where almost everybody is going to be investing a large number of hundreds of millions of dollars or more into their mining operations to take advantage of modern automation, and, you know, we can do the automation and the cybersecurity at once, if this is what’s coming out. So that’s, in a sense, good news we can look forward to.
Nathaniel Nelson
So Andrew, that was your conversation with Rob Labbé. Do you have any final insights to take us out with today?
Andrew Ginter
Sure, um, you know, I’ve been learning a lot about the mining industry. I’m very grateful that Rob was able to join us. You know, he’s the CEO of the Mining and Metals ISAC. Um, you know, the ISAC is ah comparatively new. They’re, you know, they’re looking for new members. Um, I think it’s like 2 years old. Um, some other information about the ISAC, if you want to get involved in the metals and mining industry: um, you know, Waterfall is getting involved, this is how I know Rob. Um, Rob didn’t mention it, but um, he is also hosting a podcast for the ISAC. The first episode is up on the ISAC, it’s ah mmisac.org, and the first episode is up there. So I’m going to be listening to his podcast as well. Um, there’s other opportunities to get involved in cybersecurity at the ISAC. The one that I’m thinking of, and that I’m looking to become involved with, they have a committee that is working out how to interact with cloud-based AI programs. The concrete example was, look, every shovel of ore that comes out of a mine, you know, is ah, is sort of a quantum of 7 or 800 tons of ore. Every shovel is different, and so they take the shovel of ore, they dump it on the truck, they’re driving it to the primary processing facility, and they’re analyzing the stuff, you know, in the course of filling the shovel and dumping it on the truck and driving it away.
Andrew Ginter
Hello Rob, and thank you for joining us on the podcast. Um, before we get started, can I ask you to say a few words about yourself for our listeners and, you know, a few words about the good work that you’re doing at the Metals and Mining ISAC?
Rob Labbé
Sure, absolutely. I’m Rob Labbé. I’ve been working in cybersecurity for just over 20 years, the last 10 or so of them focused on securing in the mining industry, in particular operational technology. Um, through that process we started the Mining and Metals ISAC to have a place where mining companies can work together and collaborate, not just on intelligence but also best practices and processes to secure, yeah, operational technology in our plants and the autonomous systems in our mines.
Andrew Ginter
Thanks for that. Um, our topic is cybersecurity in mining. We’re talking about, you know, 6 steps to integrate IT and OT in the mining space. Um, before we dive into those details though, um, you know, it’s been a long time since we’ve had anyone on the show from the mining industry, and you’re with the Metals and Mining ISAC. Um, you know, I’m not sure we’ve ever had anyone on from metals. I’m not even sure what that is. So before we dive into security, can you give us sort of a ah big picture of the physical process? What is metals, what is mining? Um, you know, how are these systems automated? What are the kinds of cybersecurity concerns that you see in this industry?
Rob Labbé
Sure, so metals and mining are 2 separate but very highly integrated and interdependent industries. So if we think about what this world needs as our economies change, um, as we move forward with decarbonization, with, you know, clean energy, the reality is everything we have on this planet as a building block is either grown, like our food or trees or lumber, or it’s mined. So all the material we need to support this transition, whether it be, you know, copper for electric cars or electric infrastructure and, yeah, cadmium and lithium for batteries, or steel for wind turbines, all of those commodities have to be mined. It’s the only place we know how to get them. And so when we think about, you know, the metals industry, that’s the next step in that process. As that ore gets ah dug up and mined from the earth, then it’s the process of refining that and turning it into usable metal, um, that can be used to build, you know, your Tesla or your wind turbine or your power grid. So those industries as global industries are critical to where we need to get to as a society, as a planet. And so if you think about what a mine might look like, um, you know, at its core it’s a simple process, right? It’s, you know, taking big rocks, turning them into little rocks and extracting the metals from those. But the process to do that is huge from a scale perspective. Um, when you look at open pit mining, which is commonly used in things like, you know, copper and gold and zinc and other base metal commodities, these are mines you can see from space. They are, you know, several kilometers wide, some of them several kilometers deep, and in those environments you’ve got, you know, fleets of huge trucks. You know, these are trucks with 700 ton capacity of rocks, and while traditionally those are maintained and operated by drivers,
we’re at the point now where very quickly those are being passed over to autonomous systems. And so those vehicles are becoming autonomous, you know, combined with the processes required to, you know, drill into the earth, blast the rock away. So again, traditionally done by people, but because we have a need to derisk and make that safer and more efficient, those tasks are being turned over very rapidly to autonomous, automated systems. And then, you know, other mines are underground, and these are mines that have shafts running in a lot of cases dozens of kilometers ah deep into the earth, and then we’ve got, you know, automated systems again for drilling, blasting and hauling rock. But then we also have systems that are providing ventilation and fume control for the people that are working there. You know, a lot of battery electric vehicles underground, and so we have charging infrastructure and electric infrastructure. And so, you know, the scale and the complexity ah of these, well, they vary widely from mine to mine. In all cases there’s a significant safety, like safety risk, component. Um, there’s a significant environmental component to ensure that we protect the environment, um, while we do this, and have left us in a position to reclaim that area of earth once we’re done and return that to nature when the work is finished. So huge challenges from a safety, from obviously from a production, from an environmental sustainability perspective that goes into mining. And then, you know, on the plant side we have all the control systems you would see in any other manufacturing electric environment. So, you know, data systems, process control systems, you know, PLCs, motor control units, all of these systems are there. And then you remember these mines are typically not located in urban centers. Yeah, you don’t put a mine in the middle of a major city. They’re located in remote areas,
ah, difficult to get to areas, which requires a lot of remote control and remote access to enable remote support in those places. So you take that complexity and you layer on an industry that’s rapidly changing. It’s an industry that’s discovered the power of machine learning um and artificial intelligence to optimize and make their mines and their operation safer, more sustainable, um, and to allow the mining of deposits that might not have been economically feasible using, you know, older methods. And so we’ve got these control systems and operational technology systems, you know, based on old technology in a lot of cases that was, you know, designed several years ago or decades ago, and we’re layering on top of that modern remote control, modern cloud-based AI and machine learning, on top of systems that were never architected or designed for that. You know, we’re taking autonomy and looking for ways to automate equipment that maybe wasn’t originally architected for that, and so the challenge is, how do we do that in a safe way? Um, you know, how do we protect an environment that’s rapidly commoditizing, and, you know, specialist dual concentric, you know, Modbus and, you know, specialist dedicated systems have been replaced by PC infrastructure, Windows networks and, you know, commodity Cisco switches on top of that, yeah, legacy OT environment. So there’s a lot of challenges in the space to ensure we can keep production, but more importantly to make sure that the teams at that site go home to their families every day, to be sure that the environment’s protected so that, um, those areas are there for us and nature to use and live in and enjoy for the next hundred years. So, you know, it’s a challenging space. It makes for an exciting space as we go forward.
Andrew Ginter
Wow, there’s, you know, there’s a lot going on there. Um, it’s a complicated space, and, you know, we’re going to be speaking to ah, you know, 6 steps to integrating IT and OT, you know, security-wise and otherwise, in the metals and mining industry. Um, you know, IT/OT integration is a phrase that was coined in, like, I think 2005 or so by an analyst at the Gartner Group. Um, you know, it can mean integrating networks, you know, connecting up networks. It can mean integrating technology stacks. It can mean integrating teams and business processes. Um, and, you know, like I said, this kind of all started almost twenty years ago. So what does IT/OT integration mean to you and to the industry, and, you know, sort of what’s the state of that process 20 years after it was kind of invented?
Rob Labbé
Yeah, I think when I look at mining, and I think the same is true in a lot of the resource-based operational technology spaces, when I look at mining even ten years ago, or even looking five years ago, at most miners you had your corporate network, corporate systems, and they looked very much like any other business. And then you had at each mine an individual operational technology system: unique technology, unique design, unique architecture that is really driven by that site, that plant, that general manager owning that, um, really in a lot of ways each mine, each operation being its own pstone. And what we’ve seen over the last ten years, rapidly accelerating I would say over the last five years, is as technology changes and we have the ability to commoditize a lot of those systems, that can drive down cost, which is wonderful. But it also opens up the door now to, you know, using things like AI, machine learning to um help optimize. And so what it means to us is, you know, a site now, instead of some one-off authentication solution, it’s Active Directory. Instead of, um, unique Linux distributions driving the brains behind the ah process control system, it’s Windows. Instead of specialized, expensive, unique industrial switches, it’s Cisco. You know, we’re really seeing um the techniques used in IT pushed down to those sites. Um, and that’s starting to enable, initially, centralized management. You know, does every site need an Active Directory expert? Well, they’re hard enough to find, you know, in a city. They’re really hard to find in the middle of nowhere. Why can’t the corporate services provide that? So we started to see shared services. Um, and then with that we start to see a major change of risks. So I think IT/OT integration from a security perspective is really enabling that commoditization, enabling the use of things like cloud, while adjusting to the unique risk and operational requirements of an operational technology and a safety-sensitive operational technology setting.
Andrew Ginter
So I mean, that makes sense, you know, business-wise. Every, you know, industrial automation operation wants to improve their efficiencies. They want to use, you know, cheaper stuff. They want to use the standard stuff to reduce training costs. But, you know, the more that, in my books, you know, the more that OT systems look like IT systems, the more you can attack the OT systems the same way you attack the IT systems. And, you know, there’s thousands of ransomware incidents on IT systems every year. We really can’t afford that on the OT side. I mean, what do you do about, I don’t know, risk, ah, sort of the... yes, you’re migrating technology, are you not also migrating risk?
Rob Labbé
You are, and you’re introducing new risk to the operations that maybe, you know, somebody who’s been mining for 20 years hasn’t had to think of before at the site level. You know, we’re seeing now, if you open up the news, you know, almost quarterly if not more often, a mining company needing to shut down operations because of a ransomware incident, or the ransomware incident shutting it down for them. Now there was one in Canada in January, for example, yeah, another one in Germany in March. And so those are becoming exceedingly common. The other challenge, risk-wise, is with the geopolitical situation globally, which, you know, I’ve got no idea where it’s going, but it’s certainly not going to get less complicated. Mining and the metals industries sit at the beginning of every single global supply chain. So if we have adversaries that want to disrupt those supply chains, targeting mining and the metals industry is a great opportunity to interfere with national and international supply chains at a macro level very efficiently, because, yeah, that’s the common place they’ll start. And so the risk is going up and the accessibility of those systems is going up, and so because of that we’re starting to see, over the last, say, three years, the corporate IT teams being asked to step into operational technology to, you know, start to manage that risk, to secure those systems, ah, to secure those plants. And quite frankly, over the last few years, um, those teams are struggling. And so one of the focuses for me and for the ISAC is to come up with a plan or a cycle or a model that those teams can apply and use in order to secure operational technology from the IT side and secure that shared technology.
Andrew Ginter
Okay, and our, you know, our topic is 6 steps to integrating IT and OT. This was an article you wrote recently sort of summarizing your experience in the field. These 6 steps that you’re talking about, what are they?
Rob Labbé
So really, it starts with people. So the steps, the first stages, really are learning and building relationships with the people at site and establishing trust. The next 2 really are about understanding the technology. It’s understanding the assets and understanding the risks and quantifying those risks. And then the last, you know, then we get into deploying tools and TTPs, ah, and practices to that environment, ah, followed by testing and validation of what you’ve done to be sure it’s actually working. And so, you know, those are those 6 steps going through.
Andrew Ginter
Okay, and it all starts with relationships. Can you take us a little deeper? What does building relationships mean?
Rob Labbé
So when I started pushing or deploying, you know, into operational technology, you know, a lot of teams make the mistake of thinking that the technology is the same. Windows is Windows, Active Directory is Active Directory, ah, a Cisco switch is a Cisco switch. But really, in the environment of mining, where safety is such an issue, reliability is such an issue, the environment that you run in is very different. It’s not a... it’s an environment where availability and safety are king, not data integrity, for example. You need to take the time to learn the process, to learn the business, to build relationships with people, to understand what’s going on. Really, that phase is really about learning that operation, how it works, and earning your right to be at the table at site, building the relationships, you know, from the top down. So if you’re sitting in a senior mine manager’s meeting with the GM, you at least understand all the words that are being spoken at that meeting, that it’s no longer a foreign language to you, um, that you know all the people that are there, you understand what their priorities are, what keeps them up at night. So that’s that first step, and really I consider that earning your right to be at the table. So once you’ve earned that right to be at that table, it then becomes an exercise of establishing trust in your abilities and your team’s abilities, not just to secure stuff but to deliver on and protect what’s important to that site. And it’s in these conversations that a lot of security people make mistakes, um, because they’ll go in and say, well, here’s the right way to do something. The right way to patch is to patch monthly, you know, right after Patch Tuesday. We have to get rid of these legacy, you know, Windows 98 or Windows XP systems that are kicking around. We just have to do that. But the reality is, in operational technology,
the right thing to do is not often correct, is not always correct. And so by building trust and understanding how you can adjust security posture to what you learned in the previous step, um, you start to be seen as somebody who has the priorities of that operation as your priorities, not trying to just push security best practices from the IT side.
Andrew Ginter
Okay, so that’s the first 2 steps: build relationships, establish trust. Those both sound like sort of people-focused tasks, you know, goals. Um, you know, you’ve got 4 more steps. Are you, you know, do you dive into the technology next? What comes next?
Rob Labbé
So, you know, once you’ve taken the time to build relationships and trust, the next piece is to really understand the technology landscape and the assets of that site. And it’s a bit different from the IT world, where in IT we often have a CMDB that lists all of our systems, or we can run a scanner to discover all the systems on the network and get us started on that process. Those don’t work in the operation, and we can’t use scanners to find things. Oftentimes assets are listed in maintenance systems or on spreadsheets or SharePoint lists, um, very nontraditional places. So you’ve got a process to go through to not only find and identify all the assets, but also have a great sense of what they do, what part of the plant do they drive, are they safety sensitive, what happens as we go down if something were to fail, what’s the worst thing that could happen, does the process stop or does somebody get hurt. And that process will take a while as you dig through not only the maintenance systems, but a lot of things you’re not going to find. Um, you may have to walk the site and identify and find assets yourself. You might have to use passive network monitoring, pulling data off ah switches and logs off switches to find assets. And, you know, you might have to do a search on Shodan and find those assets that might not even be connected to your network but might have cellular SIM cards in them and actually be connected to the public cell network in those environments. And so you can’t underestimate the challenge of identifying those assets. And then the fourth is actually quantifying the risk. So that’s where we take the assets we found, the process we’ve learned, the, um, the actual threat information in mining, that would come from the Mining and Metals ISAC or other sources, and actually begin to use a model to quantify that risk and communicate it.
Um, I once spent two months shadowing a mine general manager, and everybody going into his office told him how the sky was falling and the world was going to come to an end. They become very quickly immune to the Chicken Little, sky-is-falling thing. So you have to take the risks, quantify them into dollars with some model, whether you use FAIR or some other quantification model, and actually quantify the risks so you can prioritize, um, where you’ve got to focus and where you’ve got to work based on actual risk numbers.
Andrew Ginter
So quantifying risk, I mean, in my understanding that’s hard to do. I mean, can you talk more about that? Are we talking sort of ah a qualitative thing where, you know, it’s low likelihood, high likelihood, or, you know, are we talking, you know, dollars and cents? If you’ve had 2 mines in, you know, one mine per quarter shut down from ransomware, do you calculate the dollar impact of that and say, well, you know, assume it’s going to continue at 1 per quarter? How do you get numbers?
Rob Labbé
You have to get it to a number. The high-medium-low, that sort of, I call it the “word math” risk quantification, where you take medium likelihood times high impact and you get purple, really doesn’t resonate in the operational technology space, because so many people are saying the world’s going to come to an end, and guess what, it rarely if ever does. Instead, though, there are a number of risk quantification models. Your goal should be to get it down to dollars, or get it down to production hours, or get it down to tons lost per year, get it down to a quantifiable number that can be supported. The model I typically use is known as FAIR, and it takes into account the likelihood, the probability, the business impact if it happens, using measurable and quantified estimates, and uses a Monte Carlo simulation essentially to get you to a risk range, a range of what this is like: what’s the likelihood of it costing you money, and how much. And that resonates well, and that works well once people understand the model. You don’t have to use FAIR. There are a half dozen other equally good models, but find and identify and pick one that works for you and resonates with your business.
Andrew Ginter
Okay, so quantifying risk, though, I can see how you do that with, let’s call it, low frequency, sorry, high frequency or medium frequency, like ransomware once a quarter in a mine somewhere on the planet. You can run the numbers: medium impact or medium frequency, low impact or low-medium impact. If you lose six days of production on the site, what is that? That’s 2% of your annual production. It’s a medium impact event. But can you quantify low frequency, high impact events? I mean, how often does someone hack into your 700 ton automated truck systems and cause trucks to collide and cause you massive physical damage to your physical infrastructure? That’s, in my estimation, my understanding, never happened, but it’s not impossible. How do you, can you quantify very low frequency, high impact events as well?
Rob Labbé
Yeah, to the best of my knowledge that’s never happened either, and I’m looking for some wood to knock on so I don’t jinx it, but you actually can quantify that risk, and you have to, and the model you choose has to accommodate that. So for a low frequency event you might end up with an analysis result that says something like there’s a 6 to 10 percent chance of that happening this year, so it most likely will not. However, if it does, it will cost you between $20 and $30 million all in, by the time you think of the equipment damage, lost production, and so on, all the other costs that get related to that. Then you have something you can go back and discuss with the business and say, are you cool with rolling the dice at a 6 to 10 percent chance of it costing $20 to $30 million? That’s a business discussion and a risk tolerance discussion. The answer could be, yeah, we’re cool with that, and you can say peace on that risk, we’re good, or we can say,
ah, don’t like that so much, and you can start to discuss technical and non-technical, or cybersecurity and physical, controls that could either make it a 2 to 3% chance of it happening, or maybe, should it occur, the impact being, instead of $20 to $30 million, $5 to $10 million, because you’ve got a spare truck sitting around or you’ve got a bigger stockpile of finished commodity so you can absorb the production loss. There are all kinds of ways we can work with the business to mitigate the risk once we identify it. It doesn’t have to be a cyber control, but you have to have that risk measured to even start the discussion.
Rob Labbé
So the next thing you’re going to do is, for the risks and the controls you identified as things you’re going to help mitigate with cybersecurity controls anyway, you’re going to start to look at extending your security measures from IT into the OT space. So you’re going to do things, again, starting from looking at your existing runbooks and playbooks for things like incident response. How do you have to update and modify them to work well at site in the operational technology space? What about the security technology that you have, your endpoint solutions, your network solutions? Can they be safely extended into operational technology, or do you have to procure something different? I’m a big fan of finding an endpoint EDR, or I guess the buzzword these days is XDR, solution that can work across IT and OT. You may be able to do that, you may not. You’re going to look at things like extending logging coverage and log aggregation there. So then you’re going to start to look at extending your base controls so that you can start to mitigate that risk, and you start training the team.
Rob Labbé
And that brings us to the last step of the cycle, which is testing and validation. Once you’ve worked through that process, you’ve done the testing, you’ve done the validation, and that might look like some automated control testing, but it should also involve an incident tabletop at that site to be sure that your plans are working, that it integrates with the site emergency procedures and processes, that all those things are working. Before you can hang the “mission accomplished” banner and have the team barbecue, make sure you take that time to test and validate that what you’re doing is actually working. And that’s the last step identified in my article. It’s a cycle, and it’s a cycle because as the site introduces new technology, say machine learning or AI, as the people change, a new general manager gets appointed, a new plant manager comes in, you have to start back with building relationships, building trust; all of that cycle starts again. So it’s not a one and done. You don’t get to finish and go, oh, that was really hard, I’m glad I got that done, I don’t have to worry about this again. As soon as you get there, you’re starting it again with the new people, the new technology at site.
Andrew Ginter
Here we go. So Rob, reflecting on what you’ve said in the episode here, we’ve had a lot of people on, sort of from the engineering perspective in various industries, talking about the engineering teams initially not really being aware of cybersecurity and becoming aware of it and eventually engaging with the IT teams, sort of the OT perspective on IT/OT integration, the OT perspective on driving cybersecurity into OT over time. Your perspective seems to be the other way around. You started personally in the IT space; this whole discussion has been IT, or at least enterprise security, is coming in and saying, guys, we have to do something, and here’s advice to the security team to make that process more effective. Is this sort of unique to your experience, or is this a more common experience in the mining industry? Who’s leading the charge in terms of driving security into OT? Is this something that tends to be happening from the IT side in mining more so than not?
Rob Labbé
So it’s interesting in mining, because if you look at a mining company, this is an organization that will derive ninety plus percent of their revenue and carry most, if not all, of their safety and environmental risk at site. Yet traditionally, up until I would say five years ago, at most mining companies the cybersecurity, information security function only impacted IT. The whole OT stuff was out of scope, and it’s almost comical to think that you’re in charge of securing an organization, yet you’re out-of-scoping 90% of the revenue generation and 100% of the safety and environmental risk. When you think about it, it seems a little bit nonsensical, because it is. And so now, as we’re starting to see increased attacks affecting mining companies, you’re starting to get boardrooms and senior leadership teams going to their
security leads or CISOs and going, hey, are we good? And the answer they’ve been getting back is a very unsatisfactory version of “I don’t know,” which is typically followed by some kind of a direction to go figure it out. And where this process comes from is, now we have these IT security teams being chartered, instructed, however you want to call it, to go take care of this OT thing so we don’t become like, you know, pick your company in the news, and they’ve been getting a lot of pushback and a lot of struggle overall. And so really what this process is designed to do is to overcome that pushback and struggle that they’re hitting at site with the engineering teams, with the mine management team, who, at the beginning, may not have seen cybersecurity as critical to their world. I’ve got bigger issues; life would be great if the biggest issue I got down to was cybersecurity. I’ve got union contracts and communities, and I’ve got supply chain issues on fuel and parts, and all kinds of issues in my world that are potentially going to get in the way of my success. They didn’t see cyber, they don’t always see, at that site level, cybersecurity being one of those things that can get in the way of their success, until it is. And so the drive is coming from the boardrooms in a lot of cases, and the senior management teams, to the CISOs and to the security teams to go figure this thing out.
Andrew Ginter
This has been great, Rob, thank you for joining us. Before we let you go, can you sum up for us what we should take away? What’s the number one thing to remember about this advice you’re giving us?
Rob Labbé
I think it’s really two things. The first is, for me, especially as a security professional, the opportunity to reach into the operational technology, when I started working on it ten years ago, is a golden opportunity you shouldn’t pass up. It’s a chance to really work on securing what matters, to really work on helping protect people’s safety, helping protect the environment, helping protect sustainability. It’s a great opportunity when you get asked to go do that. But unlike a lot of other areas, you can only move as fast as you build trust. Operational technology security is the most human of all security disciplines, because you’re affecting people’s safety, you’re affecting people’s sense of well-being, unlike almost any other discipline of security. You have to go slow, take the time to build the trust. Those first two steps could take a year, sometimes more. Take the time that those need to get right, and you’ll get it done safely, you’ll get it done efficiently, and you’ll end up with something that gives you a secure, sustainable, reliable operation going forward. If this is something you’ve been charged with, I do encourage you to pop onto the Mining and Metals ISAC website or LinkedIn. You can find the article that we referenced here today, and I spent an hour in a webcast digging into this a bit deeper, so you’re more than welcome to download and watch that webcast as well.
Andrew Ginter
And they’re sending all the analysis into the cloud, and the cloud-based AI figures out how to process that shovel of ore optimally and sends the optimal processing instructions back into the mine. So in a real sense you’ve got cloud-based AI controlling part of the mining process, part of the primary processing system. And how do you do that safely? This is something I’m keenly interested in, and I hope to be working with the committee. So if you’re interested in the Metals and Mining ISAC, again, it’s comparatively new, it’s a couple of years old, and there are opportunities to get involved, to learn more about it on Rob’s podcast and to contribute to the process. And isacdotorg.
Nathaniel Nelson
All right, well, with that, thanks to Rob Labbé for speaking with you, Andrew, and Andrew, as always, thanks for speaking with me. This has been the Industrial Security Podcast from Waterfall. Thanks to everybody out there listening.
Andrew Ginter
It’s always a pleasure. Thank you, Nate.