New approaches to mine network access security
Published by Will Owen, Editor, Global Mining Review
Andrew Ginter, VP Industrial Security for Waterfall Security Solutions, discusses the new hardware-enforced tools that are available to secure remote access systems against cyber attacks targeting mining automation.
Remote access is increasingly important to the most modern and complex mining automation systems, but remote access systems are increasingly vulnerable to cyber attacks. This is a problem for mines – when software systems essential to elevators, subsurface ventilation, gas monitoring, and automated vehicle controls are compromised, there is a risk of production shutdowns, equipment damage, threats to employee safety, and potentially even outright disasters. The threat is real: Copper Mountain, for example, was shut down by ransomware in 2023.
More generally, cyber attacks with physical consequences have increased dramatically over the last half decade, and remote access systems have become a preferred method of cyber attack. In 2024 alone, 2100 Ivanti Secure VPN appliances were breached using a very sophisticated ‘zero-day’ attack in one campaign, 20 000 FortiGate firewalls were breached in another zero-day campaign, and an attack was disclosed that could breach essentially all VPN systems on all operating systems, except Android.
This is why American, Canadian, and New Zealand cyber authorities recently published ‘Modern Approaches to Network Security’. In their guidance, they highlight problems with traditional VPN-based remote access systems and suggest newer, VPN-less systems for access to IT networks. For OT/industrial networks, the document also describes hardware-enforced network segmentation for “networks where cyber operations pose credible threats to public safety, national security, and critical functions.” The document does not say “mines”, but as we know, mines are often critical to local economies, mined materials can be critical to national security, and both worker and public safety are critical priorities in the industry.
The document describes two powerful hardware-enforced solutions: unidirectional remote screen view (RSV) and dual unidirectional gateways. Both solutions use unidirectional gateway technology – hardware that is physically able to send information in only one direction. Remote screen view captures screen images from mining automation systems and sends them to an external web server through the unidirectional gateway hardware. Remote experts can see the screens and can give advice to on-site personnel over the phone, but nobody and nothing on the Internet can send any remote-control commands back into the protected mine site through the one-way-outbound hardware, not even if software is compromised.
The second technique uses RSV to send screen images out and uses a second unidirectional gateway oriented the other way to send keystrokes and mouse movements back in. This enables true remote control. The strongest solutions in this class encrypt keystrokes and mouse movements, storing the decryption keys for those encrypted control signals only inside the protected mining network, not in Internet-exposed CPUs that might be compromised by a zero-day or other attack.
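The key placement described above can be illustrated in software; this is an added example, not code from the article or from any vendor's product. It assumes RSA-OAEP for encryption and goes beyond the article by adding an Ed25519 operator signature and a sequence number, so that a compromised relay holding only opaque bytes can neither read, forge, nor replay input events. The names `Seal`, `Receiver`, `Open` and `NewPair`, the event string and the keys are all hypothetical and constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

// Seal runs on the operator's device, which holds only the receiver's PUBLIC key.
func Seal(sk ed25519.PrivateKey, pub *rsa.PublicKey, seq uint64, event []byte) ([]byte, error) {
	body := append(binary.BigEndian.AppendUint64(nil, seq), event...)
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, append(ed25519.Sign(sk, body), body...), nil)
}

// Receiver sits inside the protected network and alone holds the decryption key.
type Receiver struct {
	priv    *rsa.PrivateKey
	opKey   ed25519.PublicKey // operator's signature-verification key
	lastSeq uint64            // highest sequence number accepted so far
}

// Open decrypts, checks the operator signature, and rejects replayed events.
func (r *Receiver) Open(ct []byte) ([]byte, error) {
	m, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, r.priv, ct, nil)
	if err != nil || len(m) < ed25519.SignatureSize+8 {
		return nil, fmt.Errorf("rejected: cannot decrypt")
	}
	sig, body := m[:ed25519.SignatureSize], m[ed25519.SignatureSize:]
	if !ed25519.Verify(r.opKey, body, sig) || binary.BigEndian.Uint64(body) <= r.lastSeq {
		return nil, fmt.Errorf("rejected: bad signature or replayed sequence")
	}
	r.lastSeq = binary.BigEndian.Uint64(body)
	return body[8:], nil
}

func NewPair() (ed25519.PrivateKey, *rsa.PublicKey, *Receiver) {
	opPub, opSk, _ := ed25519.GenerateKey(rand.Reader) // throwaway demo keys (constructed)
	priv, _ := rsa.GenerateKey(rand.Reader, 2048)
	return opSk, &priv.PublicKey, &Receiver{priv: priv, opKey: opPub}
}

func main() {
	sk, pub, rx := NewPair()
	ct, _ := Seal(sk, pub, 1, []byte("KEY F5")) // constructed input event
	ev, err := rx.Open(ct)
	fmt.Printf("%q %v\n", ev, err)
}
```

With a 2048-bit key, OAEP limits each sealed message to 190 bytes, which is enough for a signature, a sequence number and a single keystroke or mouse event; `Seal` returns an error for anything larger.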
In a real sense, frequent and sophisticated cyber attacks are ‘on a collision course’ with sophisticated, safety-critical mining automation. One real manifestation of this is the vulnerabilities in remote access systems. Authorities and experts agree: all complex software has defects and potential vulnerabilities. Thus, when employee safety, public safety, or critical infrastructures are at risk, hardware-enforced protections are preferred – protections that are immune to cyber vulnerabilities.
Read the article online at: https://www.globalminingreview.com/mining/02082024/new-approaches-to-mine-network-access-security/