Cybersecurity for Mining FMS

Why mining fleet management systems are prime cyber targets, what recent attacks reveal, and what every mining professional needs to understand about the risk.

The System That Moves Your Dirt Is a Target

Every truck assignment, every payload record, every production tally on your shift report flows through the fleet management system. Shut it down and you are not just missing data. You are missing production. On an autonomous site, you are also missing the system that stops 300-tonne trucks from driving into things.

Cyber attacks on mining and metals companies tripled from 10 reported incidents in 2023 to 30 in 2024. By Q2 2025, the sector was logging 11 ransomware incidents in a single quarter. Those are just the ones we know about. Most mining companies never disclose attacks.

The companion article, FMS Network Security: Architecture, Standards, and Defence in Depth, covers the technical detail for IT/OT specialists.

These Systems Were Not Built for This

Here is something that gets lost in cybersecurity discussions: most FMS platforms were architected in the late 1990s and early 2000s. Modular Mining’s DISPATCH has roots going back to the 1970s. “Security” meant a locked server room and a network that did not touch the internet.

The design decisions that look reckless now were reasonable then. Shared credentials on equipment, flat network layouts, services running with full administrator access. None of this raised alarms when the systems lived on isolated site networks with zero internet connectivity.

The world changed around these systems. ERP integration, cloud analytics, vendor remote support, and autonomous haulage all punched holes in what used to be an air gap. But the underlying architectures were never redesigned for this new reality. They were extended, integrated, and connected, incrementally, over decades.

Demanding that a vendor retrofit 25 years of security thinking into a production system overnight is not realistic. The architecture carries legacy decisions that cannot be unwound without a complete rewrite. That means the responsibility for mitigation sits primarily with the mine operator. Network segmentation, monitoring, and incident response planning are your problems to solve, not your vendor’s.

This is not about blaming vendors. It is about understanding why FMS environments operate at a different security baseline than modern corporate IT, and why that gap needs active management.

Even Your Security Tools Carry Risk

The CrowdStrike incident in July 2024 proved this from the opposite direction.

CrowdStrike is one of the world’s leading cybersecurity companies. Their security software runs on millions of computers to detect and block threats. On 19 July 2024, a faulty update caused approximately 8.5 million Windows machines worldwide to crash and fail to restart. Airlines grounded flights. Hospitals cancelled surgeries. Banks went offline. Estimated global cost: over US$5 billion.

This was not a hack. A security tool updated itself and broke the systems it was supposed to protect.

For mining, the lesson cuts both ways. When an FMS vendor says “do not install security scanning software on our dispatch servers,” CrowdStrike is Exhibit A for why that concern is legitimate. A security agent can crash a dispatch server just as effectively as malware can.

But you cannot simply accept the gap. If security software cannot safely run on FMS servers, other protections need to fill the void. Network monitoring that watches traffic patterns without touching the server. Strict controls over which programs are allowed to run. Continuous checks that critical files have not been tampered with. The companion article covers these compensating controls in detail.

What Recent Attacks Actually Looked Like

The table below covers confirmed incidents. These are the ones that made it into public reporting.

| Year | Company | What Happened | Impact |
|------|---------|---------------|--------|
| 2019 | Norsk Hydro | LockerGoga ransomware across 22,000 computers in 40 countries | US$71M total cost; weeks of manual operations |
| 2022 | Copper Mountain Mining | Ransomware via credentials sold on dark web two weeks prior | Mill shut down for 5 days; switched to manual |
| 2023 | Rio Tinto | Cl0p ransomware via GoAnywhere third-party file transfer tool | Employee payroll and family data leaked |
| 2023 | Fortescue Metals | Cl0p attack; company described impact as “low” | Non-confidential data disclosed |
| 2024 | Northern Minerals | BianLian; over 1 TB exfiltrated from Browns Range | Data published on dark web after ransom refusal |
| 2024 | Alamos Gold | BlackBasta double extortion, encryption plus data theft | Corporate system disruption |
| 2024 | Evolution Mining | BianLian (suspected); primarily Northparkes Operations | IT systems affected; company stated fully contained |

Norsk Hydro is technically aluminium smelting, not mining. But the incident is universally cited in mining cybersecurity because the operational parallels are direct: continuous production, operational technology systems, massive financial exposure. That US$71M figure got the board’s attention at every mining company that read about it.

Two numbers worth sitting with: 43% of mining and metals firms hit by ransomware paid ransoms exceeding US$1 million. And in 2024, 75% of ransomware attacks on industrial organisations caused at least partial operational shutdown.

They Do Not Even Encrypt Anymore

The biggest tactical shift in the last two years is that some ransomware groups have stopped encrypting data entirely.

BianLian, the group behind the Northern Minerals and Evolution Mining attacks, abandoned encryption in early 2024. Now they break in, steal everything they can, and threaten to publish it. No encryption. No locked systems. Just a phone call saying “we have your data.”

This breaks the “just have good backups” defence. Restoring from backup defeats an encryption attack. It does nothing against the public release of proprietary geological surveys, exploration drill results, joint-venture financials, or employee records. For a publicly listed mining company, the regulatory, legal, and share price consequences of a major data leak can be worse than paying the ransom.

Groups like BianLian typically get in through compromised remote access credentials, then quietly move data out using legitimate file transfer tools that blend in with normal network traffic. By the time anyone notices, terabytes are gone.

The Northern Minerals Geopolitical Angle

The Northern Minerals attack deserves a closer look. It occurred mere hours after the Australian Government ordered China-affiliated investors to divest their shares in the company, citing national security. Northern Minerals’ Browns Range project produces dysprosium and terbium, rare earth minerals critical for defence applications and advanced technology.

BianLian is financially motivated, not a state actor. But the timing is hard to ignore.

It illustrates a broader reality: mining companies operating in strategically significant commodities face threats beyond the usual ransomware gangs. Dragos, the leading industrial cybersecurity firm, tracks 23 threat groups targeting industrial organisations. Groups designated BAUXITE and GRAPHITE specifically target mining and metals, with capabilities ranging from industrial espionage to direct manipulation of control system logic.

Where FMS Sits, and Why That Makes It Vulnerable

Industrial networks are designed in layers. Physical equipment at the bottom, control systems in the middle, business systems at the top. Each layer is supposed to talk only to its immediate neighbours, with strict boundaries between them.

FMS breaks this model. Vehicle GPS receivers and onboard gateways sit at the equipment layer. The dispatch engine and database operate at the site operations layer. ERP integration, mine planning, and cloud analytics reach into the business layer. FMS is one of the few systems that legitimately crosses all of these boundaries.

The buffer between operational technology and business IT is called the industrial demilitarised zone. In too many mining deployments, this “buffer” is a single firewall with rules that were opened wide during vendor commissioning and never tightened afterwards. Most mines find that a proper audit of those firewall rules reveals dozens of exceptions that nobody remembers approving.

If an attacker compromises a corporate email account, an ERP module, or a third-party analytics dashboard, those permissive rules can provide a direct path into the FMS dispatch servers. About 75% of operational technology attacks in 2024-2025 originated as IT breaches that crossed into operational systems. For mining, the FMS integration layer is one of the most likely crossover paths.
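The firewall rule audit described above can start from an exported rule list. The following is an added example, not code from the article or from any FMS vendor; the CSV columns, zone labels, thresholds and sample rules are all constructed assumptions, and it treats any allow rule into the FMS zone that does not originate in the IDMZ as a finding.

```python
import csv
from ipaddress import ip_network

# Constructed sample export; column names and zone labels are assumptions.
SAMPLE_RULES = """id,src_zone,dst_zone,src,dst,port,action,hits_90d,ticket
1,corporate,idmz,10.10.0.0/16,172.16.5.10/32,443,allow,18234,CHG-1001
2,corporate,fms,0.0.0.0/0,192.168.50.0/24,any,allow,0,
3,idmz,fms,172.16.5.10/32,192.168.50.20/32,1433,allow,9921,CHG-1002
4,vendor,fms,203.0.113.0/24,192.168.50.0/24,1-65535,allow,12,
5,corporate,fms,10.10.8.15/32,192.168.50.20/32,3389,allow,0,CHG-0417
6,fms,corporate,192.168.50.20/32,10.10.9.30/32,8443,deny,3,CHG-1003
"""

OT_ZONES = {"fms"}    # zones holding the dispatch servers (assumed label)
BUFFER_ZONE = "idmz"  # the only zone expected to talk to OT_ZONES
WIDE_PREFIX = 16      # source networks of /16 or larger count as wide
WIDE_PORTS = 100      # more than this many ports counts as a wide range

def port_span(port: str) -> int:
    """Number of ports a rule opens: 'any', a single port, or 'lo-hi'."""
    if port == "any":
        return 65535
    lo, _, hi = port.partition("-")
    return int(hi or lo) - int(lo) + 1

def audit(rule: dict) -> list[str]:
    """Return the findings for one allow rule that reaches an OT zone."""
    findings = []
    if rule["action"] != "allow" or rule["dst_zone"] not in OT_ZONES:
        return findings
    if rule["src_zone"] != BUFFER_ZONE:
        findings.append("bypasses IDMZ")
    if ip_network(rule["src"]).prefixlen <= WIDE_PREFIX:
        findings.append("wide source")
    if port_span(rule["port"]) > WIDE_PORTS:
        findings.append("wide port range")
    if not rule["ticket"]:
        findings.append("no change record")   # nobody remembers approving it
    if int(rule["hits_90d"]) == 0:
        findings.append("unused for 90 days")  # candidate for removal
    return findings

def audit_rules(text: str) -> dict[str, list[str]]:
    """Map rule id to findings, omitting rules with nothing to report."""
    report = {}
    for rule in csv.DictReader(text.splitlines()):
        findings = audit(rule)
        if findings:
            report[rule["id"]] = findings
    return report

if __name__ == "__main__":
    for rule_id, findings in audit_rules(SAMPLE_RULES).items():
        print(f"rule {rule_id}: {', '.join(findings)}")
```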

The Wireless Perimeter Problem

Open-pit mines rely on extensive wireless networks (private LTE, 5G, or Wi-Fi mesh) to keep the fleet connected. These networks physically blanket the operational area, and radio signals do not stop at the pit rim or the site fence.

Wi-Fi de-authentication attacks are trivially simple. Someone with a laptop and a directional antenna on a public road overlooking the pit could disrupt fleet communications without ever entering the site. On a conventional operation, this degrades dispatch efficiency. On an autonomous site, loss of communication triggers safety stops across the entire fleet. Production halts without the attacker touching a single firewall.

The Supply Chain Reality

FMS does not operate in isolation. It integrates with ERP, tyre monitoring, fuel management, maintenance systems, mine planning software, and autonomous haulage platforms. Every integration is a potential way in.

Rio Tinto was not breached through their own systems. The Cl0p group exploited a vulnerability in GoAnywhere, a third-party file transfer tool that Rio Tinto happened to use. At least 35% of all data breaches now originate from supply chain compromises. The question is not just “how secure is the FMS?” It is “how secure is everything the FMS connects to?”

Worth knowing: some FMS architectures maintain a continuous outbound data flow to the vendor’s cloud environment. Application snapshots, system logs, and configuration states may be automatically uploaded for remote support. That means operational data is routinely leaving site and sitting in a third-party tenancy. Understanding what data leaves, how often, and what controls the vendor applies is a conversation worth having.
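Both the quiet exfiltration pattern described earlier and the question of what data leaves site come down to reviewing outbound flows from the FMS segment. The following is an added example, not code from the article or from any vendor; the flow records, host names, destinations, allowlist and spike threshold are constructed assumptions.

```python
from collections import defaultdict
from statistics import median

# Constructed flow records: (day, source host, destination, bytes sent outbound).
FLOWS = [
    ("2024-06-01", "fms-dispatch01", "support.vendor.example", 180_000_000),
    ("2024-06-02", "fms-dispatch01", "support.vendor.example", 210_000_000),
    ("2024-06-03", "fms-dispatch01", "support.vendor.example", 195_000_000),
    ("2024-06-04", "fms-dispatch01", "support.vendor.example", 205_000_000),
    ("2024-06-05", "fms-dispatch01", "support.vendor.example", 2_400_000_000),
    ("2024-06-05", "fms-db01", "files.transfer.example", 750_000_000),
]
EXPECTED_DESTINATIONS = {"support.vendor.example"}  # assumed: agreed with the vendor
SPIKE_FACTOR = 3  # assumed: alert when a day exceeds 3x the median of earlier days

def summarise(flows):
    """Per destination: (total bytes sent, number of distinct days with traffic)."""
    totals, days = defaultdict(int), defaultdict(set)
    for day, _host, dest, sent in flows:
        totals[dest] += sent
        days[dest].add(day)
    return {dest: (totals[dest], len(days[dest])) for dest in totals}

def review(flows, day):
    """Findings for one day: unexpected destinations and volume spikes."""
    history = defaultdict(lambda: defaultdict(int))
    for d, host, dest, sent in flows:
        history[(host, dest)][d] += sent
    findings = []
    for (host, dest), per_day in sorted(history.items()):
        today = per_day.get(day, 0)
        if today == 0:
            continue
        if dest not in EXPECTED_DESTINATIONS:
            # A legitimate transfer tool still has to send the data somewhere.
            findings.append((host, dest, "unexpected destination", today))
            continue
        earlier = [v for d, v in per_day.items() if d < day]
        if earlier and today > SPIKE_FACTOR * median(earlier):
            findings.append((host, dest, "volume spike", today))
    return findings

if __name__ == "__main__":
    for dest, (total, active_days) in summarise(FLOWS).items():
        print(f"{dest}: {total / 1e9:.2f} GB over {active_days} day(s)")
    for host, dest, reason, sent in review(FLOWS, "2024-06-05"):
        print(f"ALERT {host} -> {dest}: {reason} ({sent / 1e9:.2f} GB)")
```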

Vendor Security and the SaaS Question

The security conversation changes depending on how your FMS is deployed.

On-premise means you own the servers, the network, and the security risk. The vendor supplies the software, but the infrastructure security sits with you.

SaaS or cloud-hosted shifts that infrastructure to the vendor. Patching, hardening, and server-level monitoring become their responsibility. A well-run SaaS vendor will do these things better than most mine sites can. The trade-off is that you are trusting them to do it, and your production data now lives in someone else’s environment.

For any SaaS FMS vendor, ISO/IEC 27001 certification should be the minimum bar. This is the international standard for information security management. It means the vendor has been independently audited and maintains documented security controls. If a SaaS vendor cannot show ISO 27001, treat that as a red flag during procurement. SOC 2 Type II certification adds another layer of assurance, with ongoing auditor verification of security and availability controls.

Currently, Wenco is the only FMS vendor with publicly confirmed ISO 27001 certification. Caterpillar has confirmed in SEC filings that its cybersecurity programme aligns with NIST CSF and ISO 27001. Other vendors may hold certifications that are not publicly documented, but if they do, they should be willing to show you.

Regardless of deployment model, ask your FMS vendor:

  • What security certifications do you hold? Can we see the certificates?
  • What data leaves our site, how often, and where does it go?
  • What are your remote access mechanisms and how are they secured?
  • What is your patch cycle for critical vulnerabilities?
  • Do you maintain a Software Bill of Materials for the FMS platform?

The Copper Mountain Lesson: Manual Fallback Saves Operations

When Copper Mountain Mining was hit on 27 December 2022, their team isolated operations, switched the mill to manual, and shut it down as a precaution. The mill was offline for about five days. Full production resumed by 4 January.

Five days is painful. But the alternative, letting ransomware propagate unchecked through operational systems, would have been catastrophic. Three principles come out of their response:

  1. Isolate fast. Shutting down the mill was precautionary but correct. Containment limits damage.
  2. Have a manual fallback. Operations that can switch to manual survive incidents. Operations that cannot are completely shut down.
  3. Test your backups. Recovery within five days only works if backups exist, are isolated from production, and have actually been tested.

If your operation depends entirely on digital dispatching with no documented manual fallback, you are uniquely vulnerable to extortion. The attacker knows that if you cannot run without the system, you will pay.

Think about what “going old school” actually looks like for your site. Truck dispatching reverts to load cards and radio calls. Drill management systems go offline, so survey crews need to physically mark up hole positions. Dig block boundaries that normally display on the operator’s screen need to be pegged and flagged in the field.

Grade control decisions that normally flow from the block model through the FMS need a geologist with a printed plan and a two-way radio.

None of this is sophisticated. All of it keeps the mine running. The point is that these fallback procedures need to exist on paper, the people who will execute them need to know they exist, and the operation needs to have practised them at least once.

It is naive to assume a cyber attack will not happen. It is much easier to explain to the GM that you have gone back to load cards for a week than to explain that the entire operation is shut down because a computer stopped working.

ASD’s Australian Cyber Security Centre sets an even higher bar. Mine sites should be capable of isolating essential operational systems from corporate IT and the internet for up to three months while maintaining essential operations. This “island mode” means running independent, localised dispatching without cloud analytics, ERP synchronisation, or vendor licensing servers. Most sites are not there yet. But that is the benchmark regulators are setting.

Autonomous Equipment Elevates the Stakes

A compromised FMS affecting manned trucks is a production problem. A compromised system controlling autonomous trucks is a safety problem. That distinction matters for how you think about risk, budget, and what you report to the board.

Autonomous haulage relies on GPS positioning, wireless communication, and centralised dispatch. Each can be attacked. GPS spoofing, broadcasting counterfeit signals to deceive receivers, has been demonstrated in academic research. Current autonomous systems mitigate this through sensor fusion, cross-referencing GPS with LiDAR, radar, and gyroscopes to detect anomalies. Communication loss triggers immediate safety stops. That is the correct fail-safe, but it is also a mechanism an attacker can deliberately trigger.

The Global Mining Guidelines Group released Version 2 of its autonomous systems guideline in 2024, explicitly incorporating cybersecurity into operational readiness assessments. The MM-ISAC has published specific risk management guidance for autonomous haulage. The consistent message: cybersecurity for autonomous systems needs to be designed in from the start, not bolted on after deployment.

Key Takeaways

  1. Assume you are a target. Mining cyber incidents tripled in one year. BianLian does not even bother encrypting anymore. They just steal your data and threaten to publish it. Good backups are necessary but no longer sufficient.

  2. Understand why FMS is different. It bridges operational technology and business IT, crosses network boundaries other systems never touch, and controls physical equipment. You cannot patch away this risk. It is architectural.

  3. Do not expect your vendor to fix this. These systems were designed when the threat did not exist. Compensating controls, segmentation, and monitoring are the mine operator’s responsibility. The CrowdStrike incident showed that even security tools themselves can take down production.

  4. Build for manual fallback, and actually test it. Copper Mountain survived because they could switch to manual. Run a drill. If your dispatchers cannot operate without the system for 48 hours, fix that before you spend money on anything else.

  5. Demand ISO 27001 from SaaS vendors. If a vendor is hosting your production data in their cloud and cannot show independent security certification, ask why. Consider whether that is a risk you are willing to carry.

  6. Treat autonomous equipment cybersecurity as a safety issue. It is not an IT problem. It is a functional safety requirement with direct implications for human safety on site.
