Published on 03/04/2024 | Written by Heather Wright
Breaking tradition, but staying practical…
Global mining company Rio Tinto holds two Guinness World Records.
The first is for the world’s biggest man-made hole in the earth: its Kennecott Bingham Canyon mine in Utah, said to be visible from space, which, sorry to say, has little relevance to this IT story.
The second record, however, does. It’s for the world’s heaviest robot – an AutoHaul autonomous train.
And it is that robot, and the myriad others that Rio Tinto harnesses in its day-to-day operations as the world’s second largest diversified mining company, with operations in 35 countries, that makes OT (operational technology) the biggest focus for Rio Tinto CISO Scott Brown.
Brown says Rio Tinto has been investing in initially semi-autonomous and increasingly fully-autonomous operations for 15-20 years now and will continue to do so because the operational and safety benefits are massive.
“But you can imagine the technology that sits under all those platforms. It’s huge. It’s billions of dollars of technology sitting under each of these platforms we run.”
But Brown, who took over as CISO two years ago, admits that until recently, the company’s strategy when it came to OT security was ‘very traditional’.
“It was focused on segregation and segmentation of those networks and passive controls.
“So when we first started deploying stuff into these networks from a security point of view it was very clear that of that CIA triad [confidentiality, integrity and availability], availability was the most important and we were only allowed to put things on the edge that peered over the fence to see what was going on,” Brown told attendees at the recent Gartner Security and Risk Management Summit.
“That was better than what we had, 100 percent, but it is limited in what you can see and it’s limited in the fact that it doesn’t allow you to actually do anything.”
As the owner of the central team that is, on paper, responsible for all of it, Brown had a problem: how to get into one of those networks and actually do something when it had an issue, how to scale that capability, and where to take it next.
The solution lies in a pivot now underway at Rio Tinto, which will put more active security controls inside those networks.
“I’m not looking to put endpoint detection and response on HMIs [human-machine interfaces] tomorrow. I’m very practical about how we are going to approach this,” he says.
The company has spent 12 months talking ‘to anyone and everyone’ it can, globally, who has an industrial footprint, not just in resources, about what they have done to address the issue, how they did it and the challenges they faced.
“What has been super fascinating is when we talk about the more corporate side of security, it is reasonably well understood what good looks like, and while there are nuances, and bits and pieces to that, in general most people will give you similar answers with similar context.
“Whereas when you get to OT, from what I have seen, there are still some really strong opinions one way or the other around how this should work.”
Brown admits he doesn’t have the problem solved.
“We’re going to have a go at this.
“We can’t keep building these autonomous systems that have huge amounts of IT, we want to do all this stuff with data, as well as AI, but then you still tell me I can only have passive visibility on the side? I can’t protect the network the way I need to with that level of control.”
Rio Tinto approved a project last year and, after 12 months of discovery work, Brown says the company is now ‘well into where we think we are going to go’.
Even then, he admits it’s just a theory, based in practice, but still needing testing.
Brown says he’s lucky in that cyber isn’t new at Rio Tinto: it has had a cyber security team for 10-15 years, and its board, executive committee (ExCo) and wider team are versed in security.
“There has always been support from the ExCo and board.”
He says he sells them cyber security in the same way they view safety, where there is a clear recognition that sustained investment is required to maintain safety standards.
“The OT example is a great one.
“We have asked for some money this year, but not a huge amount because we are still testing and figuring out what we think we want to do, but openly saying if this plan comes off and we think it is the right way to go, we will be back for more money than what is our sustaining budget now, for the next few years to get us that next step.”
Third party risk is also a key topic for Rio Tinto, which has an ecosystem of 20,000-30,000 suppliers globally.
Brown is blunt: They can’t eliminate third party risk. Instead, it’s about trying to educate the company around how it can be managed and the things that can be done to make sure the company is on top of the risk.
“It’s about what can we do that is defensible and manageable, but also that honest conversation around residual risk or risk appetite.”
When it comes to surviving in the CISO role, Brown is open on his two tips: Take your leave, and embrace flexibility.
Taking leave, he notes, isn’t just about getting time to recharge and get offline. It’s also about ensuring his team have the opportunity to run without him.
And the embracing flexibility?
With mines running 24/7, Brown embraces the chance to take a three to four hour window in the afternoon to see his family and have dinner before heading back to work.
“You can look at the flex piece as a curse or a blessing. You don’t want to start at 7am and finish at 11pm because you will burn yourself out. But if you start at 7am and have a massive gap to go for a walk, spend time with family, go for a swim, that’s awesome.”