Mining & Resources
When an OT Network Goes Down, the Pit Stops Too
Australian mining operations are digitising at pace — autonomous haulage, remote operations centres, real-time production telemetry — while sitting squarely in the crosshairs of ransomware groups and state-sponsored actors targeting critical infrastructure. The IT/OT boundary is no longer a firewall rule; it is the frontline.
The BianLian ransomware group alone listed nine mining companies globally in 2024, explicitly targeting the sector for data exfiltration. Multiple Australian operations disclosed incidents to the ASX or regulators the same year. The sector’s combination of high-value commodity data, distributed SCADA environments and SOCI Act obligations makes it one of the most targeted in the country.
Orro designs, deploys and manages secure, high-performance digital infrastructure for Australian mining and resources companies — from remote site connectivity and private spectrum networks to OT security, SOCI compliance and continuous exposure management across converged environments.
111% increase in notifications to critical infrastructure entities by ASD’s ACSC about malicious cyber activity in FY2024–25. Source: ASD/ACSC Annual Cyber Threat Report 2024–25 (cyber.gov.au)
Nine mining companies listed globally by the BianLian ransomware group in 2024 alone, with multiple Australian operations disclosing incidents to the ASX or regulators the same year. Source: SecurityWeek
average cost of a data breach in Australia in 2024, a 27% increase since 2020 Source: IBM Cost of a Data Breach Report 2024 — securitybrief.com.au
estimated cost of unplanned downtime from ransomware at an industrial or manufacturing facility Source: IBM Cost of a Data Breach Report 2024 — Industrial Sector analysis — ibm.com
The Mining Sector's Threat Reality
Why mining is targeted: Australian mining is a $300+ billion industry built on operational continuity. Production halts are measurable in lost tonnes per hour, and the data flowing across mine sites — from ore grades and drill patterns to mineral assay reports and financial hedge positions — represents genuine commercial intelligence with value to both criminal and state-sponsored actors. The sector’s combination of critical infrastructure designation under the SOCI Act, high-value IP, and operational environments that typically cannot tolerate system downtime for patching or remediation makes it an attractive and predictable target.
The BianLian ransomware group, assessed to be based in Russia, ran a sustained campaign against the global mining sector in 2024 — listing nine mining companies on its dark web leak site and targeting them for data exfiltration rather than encryption, threatening to publish corporate, operational, financial and employee data unless ransoms were paid. Multiple Australian mining operations disclosed incidents to the ASX or regulators the same year. These were not isolated events — they are consistent with ASD’s finding that state-sponsored and criminal actors are increasingly targeting Australian critical infrastructure sectors, with notifications to critical infrastructure entities about malicious activity rising 111% in FY2024–25 compared with the prior year.
The IT/OT convergence problem: The most significant structural challenge for mining technology teams is managing the collision of two environments that were designed in isolation: corporate IT networks built for connectivity and productivity, and operational technology (OT) environments — including SCADA systems, distributed control systems (DCS), programmable logic controllers (PLCs), and industrial sensors — built for reliability and safety. These two worlds are now increasingly connected, deliberately, to enable real-time production data, remote operations centres and autonomous fleet management. The result is a vastly expanded attack surface in environments where security incidents can have physical consequences. A compromised SCADA system does not just mean lost data — it can mean a conveyor malfunction, a ventilation failure, or a haul road incident.
Legacy OT environments compound the challenge. SCADA systems in Australian mining frequently run on operating systems and firmware that cannot be patched on a standard IT cycle without production risk. Vendors may no longer support the software. Network segmentation between IT and OT environments is often incomplete, with remote desktop protocols, jump servers and engineering workstations providing pathways from corporate networks into operational systems that were never designed with adversarial access in mind.
Connectivity at scale and distance: Australian mine sites are large, remote, and distributed. A single open-cut operation might span tens of kilometres, with processing plants, tailings facilities, camp infrastructure, control rooms and port terminals that may be hundreds of kilometres apart. Reliable connectivity is not a convenience — it is the operational backbone of autonomous haulage systems, remote monitoring, safety communications, and real-time production reporting. Satellite and hybrid private LTE/Wi-Fi networks are common, and managing performance, failover and security across these architectures requires a level of network engineering and management discipline that most mining IT teams do not have the bandwidth to sustain in-house.
Regulatory pressure accelerating ahead of governance maturity: Mining operations that own or operate critical infrastructure assets are subject to the SOCI Act’s positive security obligations, including the requirement to maintain a Critical Infrastructure Risk Management Program (CIRMP) and submit a board-approved annual report. The Cyber Security Act 2024 adds mandatory ransomware payment reporting for any organisation with annual turnover above $3 million. These obligations are new to many mining technology teams, and the practical challenge of applying enterprise-grade governance frameworks to heterogeneous, geographically dispersed OT environments — while maintaining production — is one the sector is still working through.
Compliance Frameworks for Mining & Resources
Security of Critical Infrastructure Act 2018 (SOCI Act), as amended
Governing body
Cyber and Infrastructure Security Centre (CISC) — cisc.gov.au
What it requires
Mining operations that own or operate critical infrastructure assets must register those assets with the CISC, maintain a Critical Infrastructure Risk Management Program (CIRMP) addressing cybersecurity, physical security, personnel and supply chain hazards, and report significant cyber incidents to the ACSC within 12 hours of awareness. Board-approved annual CIRMP reports must be submitted to the Department of Home Affairs within 90 days of the financial year end (deadline: 28 September each year). Assets designated as Systems of National Significance face enhanced obligations including cyber exercises and the potential requirement to provide telemetry to ASD.
Applies to
Responsible entities for critical infrastructure assets across the 11 regulated sectors — mining operations with critical asset classifications under the Act.
Consequence of non-compliance
Civil penalties up to $660,000 AUD per day; government direction and intervention powers; reputational and procurement consequences.
Cyber Security Act 2024
Governing body
Australian Signals Directorate (ASD) / Department of Home Affairs — cyber.gov.au
What it requires
Mandatory reporting of ransomware payments to the Australian Government within 72 hours of payment. IoT security standards (staged commencement through 2026).
Applies to
All organisations with annual turnover above $3 million — which includes virtually all mid-tier and major mining operators.
Consequence of non-compliance
Civil penalties for failure to report ransomware payments; potential for government investigation.
Privacy Act 1988 / Notifiable Data Breaches (NDB) Scheme
Governing body
Office of the Australian Information Commissioner (OAIC) — oaic.gov.au
What it requires
Notification of eligible data breaches to affected individuals and the OAIC where the breach is likely to result in serious harm. Mining companies hold substantial employee, contractor and commercial data that triggers NDB obligations.
Applies to
All organisations with annual turnover above $3 million.
Consequence of non-compliance
Civil penalties; OAIC investigation; reputational damage and litigation exposure from affected individuals under the 2024 statutory tort for serious privacy invasions.
ASD Essential Eight
Governing body
Australian Signals Directorate — cyber.gov.au/resources-business-and-government/essential-cyber-security/essential-eight
What it requires
Eight baseline mitigation strategies including application control, patching, multi-factor authentication, and regular backups. Increasingly required by cyber insurers and enterprise procurement frameworks as a minimum standard.
Applies to
De facto baseline for all organisations; mandatory for Commonwealth entities and increasingly embedded in state government and critical infrastructure procurement requirements.
Consequence of non-compliance
Not directly enforceable for private sector, but Essential Eight maturity is now a standard expectation in procurement and insurance contexts — failure to demonstrate progress carries commercial risk.
"What we consistently see in mining environments is a maturity gap between the ambition — real-time operational data, remote operations capability, integrated safety and production systems — and the security architecture underneath it. The connectivity investment is happening; the segmentation, visibility and response capability often isn't keeping pace. The organisations getting this right aren't treating OT security as a separate workstream from network design. They're building it in from the foundation: understanding their OT asset inventory, mapping their exposure at the IT/OT boundary, and shifting from periodic assessments to continuous visibility over what's actually running on their networks. That's the shift from knowing you have risk to being able to act on it before something breaks."
Chief Technology Officer – Orro
How Orro Supports Mining & Resources
1. Secure, High-Performance Connectivity Across Mine Sites
Mining networks are not office networks. They span open pits, processing plants, tailings facilities, camp infrastructure, haul roads, port terminals and remote operations centres — often across vast distances and in environments hostile to standard wireless equipment. The connectivity architecture that underpins autonomous haulage, real-time production telemetry, safety communications and remote fleet management must be engineered for operational continuity first, and managed with the same rigour as any critical system.
Orro designs and manages high-performance wired and wireless network infrastructure tailored to mining environments, including SD-WAN for centralised management, policy enforcement and resilient failover across geographically distributed sites. Where standard carrier coverage is insufficient — which describes most remote Australian mine sites — Orro is one of only a handful of organisations in Australia to hold private spectrum, enabling the deployment of private LTE networks that deliver carrier-grade reliability without dependence on public mobile infrastructure. This matters in environments where communications downtime is not just a productivity issue but a safety one.
Orro’s One Touch Control platform provides unified visibility and management across multi-vendor, multi-carrier network environments, giving mining IT and operations teams a single view of network performance, availability and incidents across every site — with 24/7 proactive monitoring and support escalation through Australian-based account management.
Outcome: Reliable, resilient connectivity that supports real-time mining operations, safety systems and remote management across every site, regardless of location or terrain.
2. Cybersecurity and CTEM for Mining and OT Environments
Mining operations face a threat profile unlike most enterprise environments. State-sponsored actors with an interest in commodity intelligence, ransomware groups targeting operational disruption, and opportunistic attackers exploiting internet-facing vulnerabilities in edge devices — all against a backdrop of OT systems that were never designed with network security in mind. The result is an environment where conventional endpoint and perimeter-focused security is necessary but insufficient.
Orro’s National Cyber Defence Centre provides 24/7 SOC monitoring with OT-aware detection capabilities — identifying anomalous activity across both IT and operational technology environments, not just the corporate network. For mining operations under the SOCI Act, this continuous monitoring is foundational to meeting incident detection and reporting obligations.
Beyond monitoring, Orro’s CTEM (Continuous Threat Exposure Management) service moves organisations beyond the point-in-time vulnerability scan model that leaves mining IT teams flying blind between assessment cycles. CTEM continuously maps the attack surface — including OT assets, remote access pathways, third-party connections and internet-facing systems — and prioritises exposure based on exploitability and operational impact, not just CVSS scores. For a mining CIO managing a heterogeneous environment of legacy SCADA systems, engineering workstations and modern cloud-connected operations platforms, this risk-prioritised approach to remediation is what makes security investment tractable.
Outcome: Continuous, OT-aware security coverage that meets SOCI Act obligations, reduces dwell time for undetected threats, and gives mining technology teams a defensible, evidence-based approach to managing exposure across complex environments.
3. Cloud and Application Performance for Mining Workloads
Mining operations are increasingly cloud-dependent: ERP platforms, fleet management systems, maintenance scheduling tools, production reporting and financial systems all run in hybrid environments where application performance directly affects operational decision-making. The challenge is that many mine sites have constrained or variable WAN connectivity, and a cloud application that performs well from a capital city office may be unusable from a remote operations centre without proper network and application optimisation.
Orro designs and manages hybrid cloud architectures that account for the reality of mining network environments — optimising application delivery paths, managing WAN traffic prioritisation for operational versus administrative workloads, and ensuring that business continuity and disaster recovery capabilities reflect the operational stakes of an unplanned system outage. For mining companies moving ERP or production management platforms to the cloud, Orro provides the secure data transport, connectivity architecture and managed services to make the migration operational rather than just technical.
Cloud security is integrated into Orro’s managed cloud offering — not bolted on. Identity and access management, cloud workload protection, and data loss prevention are scoped to the specific regulatory and operational requirements of mining environments, including SOCI Act obligations around data storage and protection.
Outcome: Cloud and application infrastructure that performs reliably from remote sites, supports operational decision-making in real time, and is secured in line with SOCI and Privacy Act obligations.
4. OT and Industrial Systems Security
Operational technology security in mining is not a cybersecurity sub-category — it is an engineering discipline. SCADA systems, DCS platforms, PLCs, historian servers, safety instrumented systems and industrial wireless networks have operational logic, patching constraints and resilience requirements that standard IT security approaches cannot simply be applied to. Treating an OT environment like an enterprise network is how well-intentioned security programmes create new operational risk.
Orro’s OT security capability is grounded in understanding how industrial systems work before advising on how to secure them. This means beginning with OT asset discovery and network mapping — understanding what is actually running on the operational network, how it is connected, and where the exposure exists at the IT/OT boundary — rather than starting with a controls framework and working backwards. For many mining operations, the first outcome of this process is a level of network visibility they did not previously have.
From that foundation, Orro works with mining technology and operations teams to implement appropriate segmentation between IT, OT and safety-critical systems; establish monitoring that detects anomalous behaviour in OT protocols without disrupting operational processes; and build an incident response capability that accounts for the operational consequences of a response action — including the option to isolate OT environments from IT networks while maintaining production continuity. The ASD’s 2024–25 guidance specifically recommends that critical infrastructure operators with OT environments be able to isolate and rebuild those systems independently for up to three months in the event of a major incident.
Outcome: A defensible, operationally-aware OT security posture that reduces exposure at the IT/OT boundary, supports SOCI Act CIRMP obligations, and preserves production continuity as a design principle — not an afterthought.
5. Operational Excellence and Managed Services for Mining
Mining IT and OT teams are typically lean relative to the complexity of the environments they manage. A single site may span multiple network domains, OT vendors, cloud platforms and carrier services — each with its own management interface, alert stream and escalation path. The operational overhead of maintaining visibility and control across this complexity, while managing day-to-day support requests and responding to incidents, leaves limited capacity for strategic security and infrastructure work.
Orro’s managed services model is built around One Touch Control — Orro’s proprietary platform providing unified, multi-vendor, multi-carrier network visibility and management. For mining operators, this means a single pane of glass across all sites, all carriers and all network layers — with proactive monitoring that identifies and resolves issues before they become outages. Across Orro’s managed environment, 80% of tickets are proactively managed, reducing reactive incident response and freeing mining IT teams to focus on strategic priorities.
Orro’s Australian-owned structure and Australian-based support escalation mean that mining clients have direct access to experienced engineers who understand operational environments, not a generic helpdesk. For critical incidents with operational implications, Orro’s escalation model is designed to get the right people engaged quickly, with 24/7 global operations capability backed by local engineering knowledge.
Outcome: Proactive, unified management of complex mining network and security environments, with reduced operational overhead for in-house teams and confidence that issues are identified and resolved before they affect production.
Proof of Impact
Northern Minerals — Browns Range Rare Earth Project, Western Australia
The Browns Range site is one of the most connectivity-constrained mining environments in Australia — a remote rare earth extraction project in the East Kimberley with no reliable carrier coverage and a legacy network that could not support the move to commercial-scale production. Orro undertook a full overhaul of the site’s network, security and cyber infrastructure: deploying LEO satellite technology via SatOne augmented with Starlink capacity, and Fortinet SD-WAN to dynamically optimise multiple carriage links based on real-time network conditions. Network latency dropped from 600ms to under 80ms. Managed XDR via SentinelOne provided centralised threat visibility across security layers, backed by Orro’s Incident Response Retainer for rapid specialist access. One Touch Control now provides a single management view across the entire network ecosystem.
“Orro’s team are local, responsive, and have focused expertise in the fields of network and cyber security, providing real confidence that they are the right strategic partner for the long term.” — Ryan Strauch, CIO, Northern Minerals
Proven at scale beyond mining
For cross-sector proof of operational scale, Orro manages Australia Post’s network of over 4,000 sites — Australia’s largest retail network — with verified outcomes including a 70% reduction in network outages, 4x faster connections, and 80% of tickets proactively managed through One Touch Control. The same operational discipline and managed services model Orro applies across that programme underpins its work in mining environments.
Frequently Asked Questions
Is my mining operation required to comply with the SOCI Act?
If your organisation owns or operates a critical infrastructure asset as defined by the SOCI Act 2018, you have positive security obligations including registration with the CISC, maintaining a Critical Infrastructure Risk Management Program (CIRMP), and reporting significant cyber incidents to the ACSC within 12 hours. Mining operations with critical infrastructure asset classifications are subject to these obligations. The Cyber and Infrastructure Security Centre (CISC) publishes sector-specific guidance on which asset classes are captured and what obligations apply. If you are uncertain whether your assets are in scope, the starting point is the CISC’s asset register framework at cisc.gov.au.
What does the Cyber Security Act 2024 require from mining companies?
The Cyber Security Act 2024 introduces mandatory reporting of ransomware payments to the Australian Government within 72 hours of making a payment, for any organisation with annual turnover above $3 million — which captures virtually all mining operators. The Act also introduces IoT security standards with staged commencement dates through 2026. This reporting obligation applies regardless of whether the incident has been reported to the ACSC under SOCI Act obligations, and non-compliance carries civil penalty exposure.
What is CTEM and why is it relevant to mining?
Continuous Threat Exposure Management (CTEM) is a security programme model that continuously assesses and prioritises an organisation’s attack surface — including IT systems, OT environments, remote access pathways and third-party connections — rather than relying on point-in-time penetration tests or vulnerability scans. For mining, where the attack surface includes SCADA systems, industrial wireless networks, engineering workstations and satellite-connected remote sites, CTEM provides ongoing visibility into what is actually exposed and what the highest-priority remediation actions are. This is particularly valuable in OT environments where not every vulnerability can be patched immediately — CTEM helps prioritise what poses the most material operational risk.
How should we approach segmentation between IT and OT networks on a mine site?
Effective IT/OT segmentation in mining requires starting with an accurate asset inventory — you cannot segment what you cannot see. The typical architecture involves a demilitarised zone (DMZ) or industrial DMZ (IDMZ) between the corporate IT network and the OT network, with strict controls on data flows, no direct IT-to-OT connectivity, and dedicated jump servers with strong identity controls for any remote access into OT environments. Safety instrumented systems (SIS) should be air-gapped or logically isolated from both IT and OT networks. The specific architecture depends on the OT platforms in use, the operational requirements for data flows, and the risk tolerance of the operation — but the starting point is always network mapping and OT asset discovery before designing controls.
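The zone model described above can be checked against observed traffic. The following is an added example, not Orro's tooling or code from this page: it audits a constructed list of flow records for direct IT-to-OT connectivity, remote access into OT that bypasses the jump server, any cross-zone traffic touching SIS, and endpoints missing from the asset inventory. The address ranges, the jump server address and the remote-access port set are assumptions chosen for illustration.

```python
import ipaddress
from typing import List, NamedTuple, Optional, Tuple

# Constructed zone map (assumption): one RFC 1918 range per zone.
ZONES = {
    "IT":   ipaddress.ip_network("10.10.0.0/16"),
    "IDMZ": ipaddress.ip_network("10.20.0.0/24"),
    "OT":   ipaddress.ip_network("10.30.0.0/16"),
    "SIS":  ipaddress.ip_network("10.40.0.0/24"),
}
# Hypothetical dedicated jump server living in the IDMZ.
JUMP_SERVERS = {ipaddress.ip_address("10.20.0.10")}
# Ports treated as interactive remote access (SSH, RDP); an assumption.
REMOTE_ACCESS_PORTS = {22, 3389}


class Flow(NamedTuple):
    src: str
    dst: str
    dport: int


def zone_of(addr: str) -> str:
    """Map an address to its zone, or UNKNOWN if it is not in the inventory."""
    ip = ipaddress.ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return "UNKNOWN"


def check_flow(flow: Flow) -> Optional[str]:
    """Return a finding code if the flow breaks the zone model, else None."""
    src_zone, dst_zone = zone_of(flow.src), zone_of(flow.dst)
    # You cannot segment what you cannot see: unmapped endpoints come first.
    if "UNKNOWN" in (src_zone, dst_zone):
        return "unmapped-asset"
    if src_zone == dst_zone:
        return None
    # SIS must be isolated from both IT and OT (and everything else).
    if "SIS" in (src_zone, dst_zone):
        return "sis-not-isolated"
    # No direct IT<->OT connectivity in either direction; use the IDMZ.
    if {src_zone, dst_zone} == {"IT", "OT"}:
        return "direct-it-ot"
    # Remote access into OT is only allowed from a dedicated jump server.
    if (dst_zone == "OT" and flow.dport in REMOTE_ACCESS_PORTS
            and ipaddress.ip_address(flow.src) not in JUMP_SERVERS):
        return "remote-access-bypasses-jump-server"
    return None


def audit(flows: List[Flow]) -> List[Tuple[Flow, str]]:
    """Return every flow that violates the model, paired with its finding."""
    findings = []
    for flow in flows:
        finding = check_flow(flow)
        if finding is not None:
            findings.append((flow, finding))
    return findings


# Constructed sample flow records (not real telemetry).
SAMPLE_FLOWS = [
    Flow("10.10.4.21", "10.20.0.15", 443),    # IT -> IDMZ data replica: allowed
    Flow("10.20.0.10", "10.30.1.5", 3389),    # jump server -> OT RDP: allowed
    Flow("10.30.2.9", "10.20.0.15", 443),     # OT -> IDMZ data push: allowed
    Flow("10.10.4.21", "10.30.1.5", 3389),    # IT -> OT RDP: direct path
    Flow("10.20.0.15", "10.30.1.5", 22),      # IDMZ host that is not a jump server
    Flow("10.30.1.5", "10.40.0.8", 502),      # OT -> SIS: SIS not isolated
    Flow("192.168.77.3", "10.30.1.5", 502),   # source missing from inventory
]

if __name__ == "__main__":
    for flow, finding in audit(SAMPLE_FLOWS):
        print(f"{finding:36} {flow.src} -> {flow.dst}:{flow.dport}")
```

In practice the flow records would come from firewall logs or passive OT network monitoring, and the zone map from the asset inventory built during discovery.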
What are the risks of ransomware hitting our OT environment, not just IT?
If ransomware propagates from the corporate IT network into OT environments — which happens when segmentation is incomplete or remote access pathways are poorly controlled — the operational consequences go beyond data loss. A SCADA system that is encrypted or taken offline can halt production, disrupt safety systems, or prevent operators from monitoring and controlling processes. The 2024–25 ASD Annual Cyber Threat Report specifically advises critical infrastructure operators to be capable of isolating essential OT and supporting systems for up to three months and rebuilding them independently. For mining operations, that means having both the technical architecture to isolate OT from IT in an emergency and the documented procedures to operate in that degraded state while recovery occurs.
How does private LTE help with connectivity and security on mine sites?
Private LTE (using licensed spectrum) provides carrier-grade wireless connectivity without reliance on public mobile networks, which is essential for remote mine sites where coverage is limited or absent. From a security perspective, private LTE networks are isolated from public carrier infrastructure, reducing the external attack surface for wireless systems. They also support Quality of Service (QoS) controls, enabling prioritisation of safety-critical communications — such as emergency alerts and vehicle tracking — over general data traffic. Orro holds private spectrum, making it one of the very few managed services providers in Australia able to deploy and manage private LTE networks for mining clients.
How should a mining CIO think about presenting cyber risk to the board?
The most effective board-level framing for mining cyber risk connects the technical exposure to operational and financial consequences the board already cares about: production continuity, regulatory compliance, asset value, and investor obligations. Quantifying the operational impact of a significant OT incident — in terms of production downtime, recovery cost, and regulatory penalty exposure — is more compelling to a board than a technical vulnerability count. SOCI Act obligations are now a governance matter: the board is required to approve the annual CIRMP report, meaning cyber risk is formally on the board agenda. The question for the board is not whether cyber risk exists, but whether the organisation’s risk management programme is commensurate with the operational and regulatory exposure.
What should we look for in a managed security provider for a mining environment?
The key differentiators for mining are OT security capability (not just IT security), experience with remote and distributed network environments, and an Australian operations model that meets SOCI Act requirements for data sovereignty and incident response. A provider that monitors corporate IT but has no capability to detect anomalous behaviour in OT protocols such as Modbus, DNP3 or IEC 61850 is only covering part of the attack surface. Ask specifically about OT asset discovery methodology, how the SOC handles alerts from industrial environments, and what the escalation path is for a potential OT incident.
Can Orro help with SOCI Act CIRMP development and compliance?
Yes. Orro’s cybersecurity and compliance team works with mining clients to assess their current posture against CIRMP requirements, identify gaps across the four hazard categories (cybersecurity, physical security, personnel, and supply chain), and implement the technical and governance controls required to achieve and maintain compliance. This includes OT security uplift, network segmentation, incident response planning, and support for the annual CIRMP reporting process. CTEM provides the continuous exposure visibility that makes ongoing CIRMP compliance operationally sustainable rather than a periodic scramble.
What is the difference between Orro's approach to IT and OT monitoring?
IT monitoring typically focuses on network flow analysis, endpoint detection and response (EDR), and log aggregation from standard IT platforms. OT monitoring requires visibility into industrial protocols and network communications that standard IT security tools do not understand — and where aggressive response actions (such as isolating a device or blocking a network segment) can cause operational harm. Orro’s National Cyber Defence Centre monitors both environments, with OT-specific detection logic that can identify reconnaissance, lateral movement or anomalous commands within industrial control systems without relying on endpoint agents that OT systems often cannot run. The response playbooks for OT incidents are also distinct — prioritising operational continuity alongside threat containment, and escalating to OT engineering expertise when required.
Why Orro for Mining and Resources
Genuine OT security capability
Orro's National Cyber Defence Centre monitors and responds to threats across both IT and OT environments, with OT-specific detection logic — not just IT security extended to operational networks.
Private spectrum for remote sites
Orro is one of only a handful of organisations in Australia to hold private spectrum, enabling deployment of private LTE networks for mine sites where carrier coverage is unavailable or insufficient.
SOCI Act compliance experience
Orro works with critical infrastructure operators on CIRMP development, OT security uplift and the governance frameworks required for board-approved annual reporting.
CTEM for continuous exposure visibility
Orro's Continuous Threat Exposure Management service provides ongoing attack surface visibility and risk-prioritised remediation across complex, heterogeneous mining environments — moving beyond point-in-time assessments.
Proven operational scale
Orro designs, deploys and manages Australia Post's network of 4,000+ sites — the country's largest retail network — with 70% fewer outages and 80% of tickets proactively managed. The same operational discipline applies to mining.
One Touch Control platform
Unified multi-vendor, multi-carrier visibility and management across all sites, all layers — with 24/7 proactive monitoring and Australian-based support escalation.
Australian-owned, operationally-focused
Australian-owned partner with Australian-based support escalation and 24/7 global operations capability. No offshore escalation for critical incidents.
Vendor-agnostic engineering
Orro recommends and manages the right solution for the environment — not a vendor's preferred product. Architecture decisions are driven by operational requirements, not commercial partnerships.