Words by Alex Hutchens
Partner, McCullough Robertson
AUTOMATION is the way of the future. And it’s not just in the mining and resources sector – everyone is talking about digital disruption now, so all industries are moving towards automation and increasing their network of connected devices to ultimately improve processes and connectivity to extract greater value and reduce costs. Automation can enable things that weren’t even possible before. The productivity benefits can be huge. But it is something that you have to do properly.
Of course, every solution is different and every business is different. But what’s most important to note is that while the positives all sound very glossy and impressive, there are actual risks. And it’s important to take the time to understand those risks because they can have real-world impact. Physical damage, reputational harm and an impact on company valuation can all start with a computer virus in this new high-tech way of operating in business.
Know what the risks are in the context of your business
In security lingo, they talk about the ‘attack surface’ and this vastly increases when you’ve got a network of devices connected to each other to facilitate operations and processes, whether that’s on a work site or a mining exploration operation.
As more and more devices get connected, you’ve got more and more endpoints that need to be protected. Because now instead of just having a computer sitting in a corner that might hold your company’s information – whether it’s valuable records, proprietary information, intellectual property or something else – you’ve got multiple endpoints connected to the internet and potentially with USB ports that can be used as attack vectors.
If it can be accessed via the internet, then it can be accessed from anywhere.
One of the main ways external threats may attempt to target vulnerabilities is through understanding what operating systems are in use or what access protocols they’re using. There are many ways, but finding a vulnerability and targeting it is the main one.
There could be a conveyor belt running coal, driven by computer programs that tell it things like what speed to operate at to carry a certain weight. If the safety measures are overridden through software code, that belt could go out of control, break, or overload other systems it works in sync with, and so on.
Of course, an area that is very hot right now in the resources sector is automation in vehicles, because there are a lot of safety and productivity benefits that come from deploying vehicles in remote or dangerous locations that can be controlled from a centralised office, or which apply machine learning to analyse their own performance and optimise their own productivity.
As well as attack from sources that are external to the business, there are always internal threats to consider, including employees or contractors who are working for you and have access to parts of your network.
Whether it’s through malicious intent – say, an employee who has gone rogue, who has been fired and wants to get revenge, or who is setting themselves up for their next job by stealing information – or just through negligence or unawareness of the risks of what they’re doing when working with connected systems, all risks need to be considered.
Effective management of potential risks is paramount
Whether internal or external, the risks are definitely manageable. I don’t think you can ever completely eliminate risk in automation – just because technology moves so fast, so it’s impossible to ensure it’s 100 per cent secure. If you’re searching for that, then you’re searching for an impossibility because it all comes down to lines of code, and people are always searching for ways to get around the code.
There’s this constant to and fro: there are cyber risks and then that risk gets patched, then a new risk emerges and then that gets patched, and so it goes on.
The key measure to take is to understand what your network is and the value of what you have, and to make sure that you have implemented appropriate security so that those things are all covered by your firewall.
Take practical measures such as patching frequently so you’ve always got the most current protection, making sure that you have appropriate virus protections, making sure that you have sufficient training for all staff and then also that you have processes and procedures in place to back up when needed, to have a failsafe.
Manual override is also important. When systems go wrong or they break, it’s important to be able to override them so that you’re not stuck there looking at some automated system that’s gone crazy. So it’s possible to actually, physically intervene – whether that’s by having kill switches on production lines, or manual overrides on automated vehicles, or some sort of administrator access on software so that you can take over and do real-time control.
Learning from experience and testing is key
Also, remember that any incident that might occur offers a learning opportunity. Do a thorough review to work out what actually happened. Where was the vulnerability? How was it exploited? What have you done to patch or fix that vulnerability so it doesn’t happen again, and what is it in your response that you would have done differently? Do you need a different reporting line? Do you need a different part of the business to be involved in the response? Was something missing? Answer those questions. Then actually go and update your policies and procedures so you can benefit from the lessons that you’ve learned.
Another vital piece of the puzzle is testing. Much the same as you do fire drills, you can do safety tests and just see whether everything works as it’s intended to, and so people know where to go and what to do. It does involve management time, costs and disruption to the business, but the idea is that it involves less disruption than having an actual disaster run out of control because you haven’t tested the response that you thought was going to work, and then you find out that it doesn’t.
Throughout the journey of transitioning to an automated environment, the importance of seeking the right advice can never be underestimated. Have all relevant internal departments fully involved and source external advice if you don’t have sufficient skills and knowledge internally.
Often, this will involve third-party vendors. In that case, remember to make sure that the contractual arrangements with these vendors are appropriate in that they require the vendors to take on the right amount of risk and give you the right protections based on who can manage those risks best.
Consider cyber risk insurance
The only other thing I would keep in mind is that it’s possible to insure for your risks. Cyber risk is one of the fastest growing areas of insurance globally, and certainly in Australia. It covers all sorts of things, and depends on the wording of the policy of course, but generally it can cover the costs of having to notify a regulator, the costs of restoring data and the cost of the business interruption that you may experience as a result of an incident. It’s very important to look at whether your insurance coverage is appropriate and sufficient.
It’s certainly an exciting time for business, as automation becomes more and more ingrained in the way the world operates. But you must take practical steps to try to reduce any and all risks so that you do it once, and you do it right.