Chile and Mexico
Q&A

Why cyberattacks look set to get worse in LatAm

BNamericas

The number of cyberattacks in Latin America grew 600% last year, according to cybersecurity company Fortinet. And the threat reaches key sectors, such as mining. Canada’s Atacama Minerals suffered a major attack early in the year, while Chilean miner Enami fended off another attack in January.

BNamericas talks to Ghassan Dreibi, cybersecurity director for Latin America at Cisco.

BNamericas: Could you expand on your comment at the recent mining 4.0 seminar, when you said that IT and OT are no longer sufficient to deal with increasingly sophisticated cyberattacks?

Dreibi: Attackers are more sophisticated. They're powerful criminal organizations that know how to exploit gaps or failures in network systems to make a lot of money by affecting the industry.

There's a high sophistication [in cyberattacks]. Usually, there's more focus on energy production industries, because this affects people the most. In countries like Chile that depend on mining, this is a focus. 

On the other side, the industry doesn't discuss how operating systems could be surrounded on the internet. Security systems are from the past. It was thought that a cyberattack would never reach a mine because they had no connection. But even though the industry isn't going 100% digital, there are users, mobile phones, lots of people circulating through the mining network. So, there's a need for integration of OT and IT, which often doesn't happen.

Today we talk about IoT, connected things. IT and OT have to work together. There can’t be two different cybersecurity systems, because that's where the gaps are created. If we keep doing what we've always done, it's not going to be enough, because the attacks have changed. 

BNamericas: Even major social network companies have been affected ...

Dreibi: I just moved to the US and configured the logs of my house. I took out a report for three days and there were more than 150,000 scans, that is, searches of my IPs in my internal network carried out by someone from outside. That's 40,000 malicious banners.

When we open a website, all of us are already under attack. So, when you look at the potential for attacks on a person, imagine how this happens with an industry. If in my house I receive 150,000 scans, we'd be talking about many thousands more for an industry. We're talking about mega-data that's not possible for a human to control.

BNamericas: Aside from the energy sector, do you also have examples regarding the vulnerability of the mining industry?

Dreibi: The energy industry impacts a lot of people. If attackers want to have a national impact, attacking industries such as energy, water, gas [will affect] thousands of people. So, it's easier for government or industry to give in and pay [the ransom] so services are reestablished quickly.

In global mining, there's a tendency to suffer more attacks. If I introduce a firewall, an antivirus or some sensor, I can generate a delay that can be dangerous in mining operations. For example, if for one millisecond I stop to inspect a fault, this delay on an autonomous truck can kill someone because the truck could veer off its path. That requires another level of security.

The impact [of a cyberattack] on a mining company will affect the economy, and the government could be more flexible. But in energy [it can’t]. If you take energy from people, they'll demand a rapid solution from the government. And the attackers want to make a quick buck, like what's happening in Costa Rica, where attackers demanded a US$10mn ransom in April, but the government refused to pay.

Attackers negotiated with the government, trying to attract Interpol, the FBI, and get other terrorist organizations involved. This group is very strategic.

If one company is more vulnerable than another, I'd have to do a more in-depth analysis of the maturity of each company. The decisions we make have to be better because the attacker is faster, more sophisticated, while we continue to work the same way. 

BNamericas: Could mining companies become more attractive targets for cybercriminals because the industry has strategic importance for the global energy transition?

Dreibi: Cybersecurity is a defense and reaction strategy. The first phase of the process is knowing when the attack arrived, who was affected and what was impacted, and also considering the visibility of data collection and training of people.

This is the pre-assessment stage, which must focus on what it is, what it does, what the objective is, whether it's updated; all of this is a process. I've seen many cases in Latin America where the attack goes directly from one player to another, with nothing in between. Not having a segmentation, micro-segmentation, is a disaster. Lateral spread is what we're trying to stop.

I can't believe that in 2022, one machine is connected to another and there's nothing in between. There has to be a segmentation, isolation process. I propose to ask, “Can I remove a machine from my network? Can I remove a network partially from my entire network?” If you don't have answers to these questions, you have no way of defending yourself.

If there are no security processes in mining or in using security equipment, it's useless. The first step is to define an incident response and a training process to know what to do when there's an incident, who to notify. People usually start looking for vendors when there's an attack, but you have to think in advance.

The processes are broader, considering frameworks, materials, studies, maintenance, support service and strategies. If this doesn't exist, [cybersecurity] products aren't very useful. 

BNamericas: Is computer sabotage or information theft more common?

Dreibi: It's the same. Extortion has various facets. They capture machines or data and ask for a ransom payment. And if you don't pay, they won’t give you access. We call it double extortion, because they take the data, ask for the money and then use it anyway.

In Costa Rica, for example, [attackers] wanted to destroy the historical data [collected on] the population.

They enter the machine, usually through spam email, a social network or some computer, taking advantage of the lack of updates. When they encrypt or sabotage that's already the second phase. The first phase, which is to collect data, is silent. 

When I was called by Costa Rican [authorities], I said, “Look, now it's over, the data is out, it’s already been copied.” What can be done now is to prevent it from ever happening again.

In Latin America, the goal is quick money. That's why they ask for bitcoins. They don't ask for US$100mn, they ask for US$1bn.

A next wave could be much more aggressive because they've already passed through Brazil, Mexico and other countries. Who knows what kind of data they have and what they can do.

If a mining company suffered a loss, CEOs should sit down the next day with the IT team and analyze the impact, what was lost and make decisions. Perhaps it’s time to authenticate users differently, via a sensor, to create a new registry and start with biometrics. It's time to make those decisions because [cyberattacks] will become more and more complex.

BNamericas: What's the best way to react to sabotage?

Dreibi: In technology, there's a method for everything. When they take and encrypt your data, decryption would take millions of years. There is no technological tool or computer that does this at present. The only way is to accept that you lost, refuse payment and recover an older backup or recover something that's in the cloud.

Currently, when Interpol, the FBI and global security networks capture a criminal group, they also capture servers, computers and hard drives. Sometimes the file or code that was used to encrypt the data appears, but you have to be lucky.

Attackers create mathematical codes, personal and public passwords that are very secure. The only way to decrypt is with the public password. If they're arrested, the police can take this password and give it to you. 

BNamericas: Do current technologies make it easier to catch these criminals?

Dreibi: They're one step ahead of us. They have no limits or ethics. They are not university students who are hackers or children who play at home, as has always been claimed, but criminals who are part of an organization.

They use the dark web as an incredible form of communication. They sell data there, they sell access profiles, passwords, cards. They sell attack services to each other. And unfortunately, in the dark web, there's no way to track. The only way is how the police do it, by getting in there and starting to follow, listen, understand. But it's also dangerous, because whenever you enter, you expose yourself.

[Criminals] want money, and they know we don't follow security practices. A basic thing is to update your devices every day. Updating equipment is essential today. And the other is to segment things.

Cisco reviews five major attacks per day. There are around 40,000 attacks and of these, five or six are categorized as critical. Every day a cybersecurity war room meets to analyze situations. That's what the company has to do and with everyone in the company, because we're all part of technology now.

We're in a very dangerous situation globally. People have an incorrect perception of what cybersecurity is. When I read the newspapers [reporting] that Russia is going to start a cyberattack on Ukraine, I said this probably started two years ago.

You have to understand that cyberattacks are silent and are very rarely detected. So, if you ask me if they work well, yes, they're hard to detect and very easy to get done with help from the dark web.

BNamericas: At the mining 4.0 seminar you mentioned a possible breakdown if companies don’t make efficient cybersecurity decisions. What did you mean by that?

Dreibi: I use this concept from the World Economic Forum a lot. They say there'll be a breakdown in cybersecurity, because if a company buys US$3mn in cybersecurity equipment, but only has two or three IT professionals, the attack will take control of the company’s servers. We call that cyber fatigue and it's because companies don't invest in security and, in addition, there's a lack of cybersecurity experts in the world and in Latin America. There's no one to hire.

At some point, we can reach a situation that stops everything. A well-organized attack could cripple government services, industries, and shut down an entire country. We've watched helplessly as attackers jumped from one machine to another. But that happens because there's no segmentation. I think we should talk more about this as citizens, as governments, as companies.

BNamericas: How can mining companies prepare properly, gain knowledge and stop focusing only on known cases?

Dreibi: That's a good point. The biggest form of attack is by spam, by the clicks that people make. About 75% of attacks have an internal issue – they come through a person. If you don't educate people, you'll always be vulnerable. You can have the best security system, but if we don't prepare people, they won't know what we're going through.

BNamericas: Are cybersecurity products or better planning more efficient for defense?

Dreibi: I think both. We must evolve with threats and attacks. I believe in 40% technology and 60% people processes.
