An Overview of Cyber Security and Asset Management Standards in the Australian Mining and Minerals Sector

RMIT University Centre for Cyber Security Research and Innovation (CCSRI) was commissioned by the Joint Accreditation System of Australia and New Zealand (JASANZ) to examine the effectiveness of three ISO and ISO-IEC Standards (AS ISO/IEC 27001 for information security management, AS ISO 55001 for asset management and AS ISO 22301 for business continuity) in the mining and minerals sector, the benefits of implementing these Standards, and the barriers to their implementation.

The impetus for this research: between 2019 and 2020, there was a four-fold increase in reported cyber breaches among mining companies (Verizon, 2019). Mining and mineral resources are significant sources of wealth and income in Australia. The sector employs 1.2 million people, generates average earnings of $50 billion per year and accounts for $160 billion of resource exports (AusIMM, 2023). Highly sophisticated cyber-attacks are proliferating across the economy, and ensuring the mining and minerals sector is resilient to these threats is pivotal to safeguarding Australia's economic prosperity.

RMIT CCSRI conducted in-depth research through an extensive gap-analysis literature review, a survey of industry practitioners, and focus groups and one-on-one interviews with industry experts and experienced practitioners.

The report found ten key issues, with respect to cyber security, business continuity and asset management risks in the mining and minerals sector:

  • Lack of a regulatory framework around cyber security and asset management in the mining industry.
  • Boards and company officers had limited visibility of cyber vulnerabilities and asset management risks within their business.
  • Awareness of ISO and ISO-IEC Standards is low amongst small-to medium companies.
  • The three ISO and ISO-IEC Standards are not complementary to one another.
  • The ISO and ISO-IEC Standards are perceived to be difficult to understand and too technical in nature.
  • ISO and ISO-IEC Standards are ill-suited to the sector’s unique environment. As a result, many mining and minerals companies use in-house standards.
  • ISO and ISO-IEC Standards are not well suited to the evolving threat environment.
  • ISO and ISO-IEC Standards are not used widely in procurement.
  • Cyber security is only slowly being viewed as a serious challenge by mining and minerals companies.
  • Mining and minerals companies rely on legacy systems, which are highly exposed to attack because of their age and lack of built-in security features.

The report makes 17 recommendations for Government (including JASANZ), Industry and Mining and Minerals companies, to mitigate these risks. These are primarily for:

Government to:

  • Implement a legislative framework to ensure preparedness and response capabilities against cyber incidents, including potential obligations under a revised SOCI Act.
  • Promote relevant security standards, including ISO and ISO-IEC Standards, through national outreach programs.
  • Provide financial support to small and medium-sized companies to access ISO and ISO-IEC Standards.

JASANZ to:

  • Simplify the Standards, ensure they are complementary to each other and tailored to the mining sector's needs, and update them more frequently.
  • Develop case studies and adoption strategies tailored for small and medium-sized enterprises to demonstrate the benefits of ISO and ISO-IEC Standards.
  • Establish an industry network of ISO Champions to promote ISO and ISO-IEC Standards within the mining and minerals sector.

Industry Bodies to:

  • Conduct low-cost or free cybersecurity and asset management awareness, training, and skills development programs to enhance preparedness in the sector.

Mining and Minerals Companies to:

  • Mandate ISO certification for third-party suppliers, whenever possible.
  • Consider adopting ISO and ISO-IEC Standards to foster an ongoing security culture and build trust with the wider community.
  • Invest in modernising systems, including newer Operational Technology (OT) systems. Where legacy systems must remain in service, implement compensating controls to mitigate the risks they carry.

Read the Key Findings Report and White Paper

27 November 2023

