CPECN

Mining Undermined: Column from Claudiu Popa

February 13, 2026 
By Claudiu Popa

Features Mining, Metals & Minerals Security Mining Minerals & Metals Week

Cybersecurity, Maintenance, and the Hidden Risks in Modern Mining


Talking Points

Canadian mining operations face growing cybersecurity risks as digital transformation connects legacy equipment to modern networks, Claudiu Popa, an industrial cybersecurity auditor, said in a recent analysis.

Popa said mining companies have adopted technologies such as predictive maintenance and remote diagnostics, improving efficiency but exposing critical systems to cyber threats. Outdated and unpatched legacy systems, often essential to production, can become vulnerable entry points when connected for maintenance or monitoring.

Real-world incidents have already disrupted mining operations through ransomware and unauthorized access. Popa warned that traditional defences like air-gapping are no longer effective, as routine tasks can inadvertently connect isolated systems to external networks.

Advertisement
  • Mining companies are increasingly targeted by cyberattacks due to digital integration
  • Legacy systems, though reliable, often lack modern security protections
  • Pending federal legislation, including Bill C-8, aims to regulate cybersecurity in critical infrastructure sectors

This story matters as the mining sector’s resilience and regulatory compliance now depend on integrating cybersecurity into daily operations, protecting both production and sensitive data from evolving threats.

Over the past two decades, I have audited mining operations on three continents. From the nickel-rich regions of Ontario to copper mines in the Andes and iron ore sites in Australia, I have seen firsthand the disciplined approach that defines this industry. Safety is sacred, financial reporting is exacting, maintenance is ritualized. And yet, even in these highly controlled environments, a subtle but dangerous risk has emerged. One that is often overlooked or misunderstood: cybersecurity.

Mining companies, particularly those with global footprints, have embraced digital transformation in stages. Predictive maintenance tools, remote diagnostics, automated fleet management, and cloud-connected sensors have become standard. These innovations are welcome. They save money, reduce downtime, and improve safety. But they also create new pathways into systems that were never designed to be connected in the first place.

Here lies the paradox. The older the system, the more critical it often is to production. These legacy systems are rugged, reliable, and familiar. But they are also outdated, unpatched, and unsupported. And when connected to modern networks or accessed remotely during routine maintenance, they can become open doors to attackers.

I have seen field laptops used to update haul truck software that had not been patched in years. I have watched technicians plug in USB sticks containing configuration files pulled from other sites without a second thought. In one case, a condition monitoring server had not been restarted in over 1,000 days. When it finally crashed, it revealed a long-standing vulnerability that could have been exploited at any time.

Advertisement

The danger here is not theoretical. In recent years, without naming names, we have observed real-world incidents where mining operations have been disrupted by ransomware, data corruption, and unauthorized access. Sometimes the threat enters through IT systems and makes its way into operational networks. Other times, it comes directly through an innocuous maintenance task.

Let us be clear. Maintenance is not just a safety or reliability issue anymore. It is a cybersecurity issue. And that changes the game, because it is something that decision makers and operational leaders need to get familiar with.
Some companies believe that air-gapping critical systems — the practice of disconnecting computers from the Internet – is still a viable strategy. It is not. The moment you collect diagnostics using a laptop or transmit performance data over a satellite uplink, you are connected. The illusion of isolation can lead to dangerous complacency.

What can be done?

Advertisement

Penetration
First, visibility. You cannot protect what you do not know is there. Many mining operators lack a comprehensive inventory of their digital assets. They might know every bolt on a loader but have no idea what version of firmware it is running, or who last accessed its control system.

Integration
Maintenance teams, IT departments, and cybersecurity professionals need to speak the same language. Too often, these groups operate in silos. The result is patching delays, overlooked vulnerabilities, and duplicated efforts. Cybersecurity needs to be part of the maintenance conversation, not an afterthought.

Regulation
Third, standards. While Bill C-26 may have faded from headlines after Parliament was prorogued, its successor, Bill C-8, is very much alive. It aims to regulate cybersecurity across Canada’s critical infrastructure sectors, including mining. Even before it becomes law, the intent is clear. Companies would be wise to align with its expectations now, rather than wait for enforcement.

Similarly, financial controls under Ontario’s Bill 198 remain in force. Public mining companies must certify their internal controls quarterly and annually. A cybersecurity failure that affects production or data integrity could have serious regulatory consequences. Compliance is not just about paperwork. It is about resilience.
Global standards like IEC 62443 and NIST SP 800-82 offer practical frameworks for securing industrial systems. They may not be required by law, but they are increasingly used by insurers, investors, and supply chain partners to assess risk.

Ultimately, mining operations do not need more technology. They need smarter, safer systems. That begins with recognizing that every maintenance action, from a firmware update to a calibration, is also a potential security event.

In mining, we measure success by tonnes moved and downtime avoided. But in today’s world, we must also measure it by our ability to protect the invisible systems that make those outcomes possible. The next breach may not come through a phishing email or a corporate laptop. It may come through a trusted technician performing routine maintenance on a legacy control system.

It is time to treat that risk with the seriousness it deserves.


Claudiu Popa is a published author, industrial cybersecurity auditor and speaker, and leader at OT Security Canada, where his work spans digital infrastructure, industrial policy, and critical systems. As CEO of Informatica he advises on risk, policy and compliance, particularly where operations at scaae meet emerging risk. Feedback and commentary are always welcomed at SecurityandPrivacy.ca and www.OTSEC.ca.

 

Advertisement

Stories continue below