Cybersecurity key concern for Australian iron ore, coal amid potential supply risks

Cybersecurity has reemerged as a top concern for Australia's leading iron ore and coal producers, as new KPMG analysis indicates that potential supply disruptions could arise.

KPMG's Australian Mining Risk Forecast 2025, which analyzes Australia-listed miners' 2024 annual reports, revealed that cyber and information technology risks returned to the top 10 concerns -- ahead of traditional concerns, such as operational risk and environmental, social and governance issues -- for the first time since 2021. Cyber and IT risks were fourth, behind financial risk, commodity price risk, and climate change and decarbonization.

When the July 16 report analyzed the top five risks based on companies' commodity focus, cyber and IT risks ranked fifth for both iron ore and coal miners. Any disruptions resulting from these risks could affect their operations and, consequently, impact supply.

"Given [miners] are the supply side, I guess you are looking at a supply side imbalance or some kind of impact for some of those bulk commodities potentially," Caron Sugars, KPMG Australia's mining and risk partner, told Platts, part of S&P Global Energy.

"But remember, there are always stockpiles. Usually, you can get yourself back on your feet pretty quickly, and the stockpiles will usually see you through for a period of time on both sides, as both the customers have stockpiles typically, and so have the sellers."

Victim of hacking

Of the 65 cybersecurity incidents impacting the global mining sector in fiscal 2025, five have targeted Australian miners, according to KPMG.

Perth-based engineering and maintenance firm Pressure Dynamics International, which serves the mining sector among others, and counts Rio Tinto Group among its clients, confirmed to Platts that it recently detected a cybersecurity incident affecting certain systems within its network.

"The Australian Cybersecurity Centre recommends that most organizations aim for a Maturity Level 3, which Pressure Dynamics achieved and has been independently tested against in February 2024," the company said in a July 22 statement.

Nevertheless, the breach still took place, with cyberdaily.au reporting that the "DragonForce ransomware-as-a-service operation" had listed Pressure Dynamics as a victim on its darknet leak site June 17.

"Upon detection, our cybersecurity team immediately initiated our incident response protocols and locked down our systems," Pressure Dynamics' statement said. "Pressure Dynamics has engaged cybersecurity experts to investigate the nature and scope of the incident and implement additional cybersecurity measures. We have also notified relevant authorities."

Shipping chaos

Matt Breuillac, founder and director of Australian cybersecurity firm CyberNode, said any delay in shipments resulting from a cyberattack could mean miners need to pay penalties, "depending on the contract that they have with their customers."

"Even if they have cyber insurance, if the cyber insurance can prove that they did not do the basic steps for security, if there was any negligence, even though they have insurance, they would not be covered," Breuillac told Platts.

Breuillac also cited the 2023 incident in which logistics company DP World Australia reported that hackers had accessed files containing employees' personal details.

"That [kind of hack] has a huge impact on the supply chain. Lots of things arrive late. It is also chaos to recover all the backlog of containers to be delivered," Breuillac said.

Breuillac said the general rule is that "it is 10 times more costly to react to a cyber incident than to be proactive."

Access to resources risk

Access to resources continues to rank among the top 10 risks for Australian-listed miners overall, according to KPMG's report. The report also noted that the country's two largest iron ore producers have stated that iron ore grades in the Pilbara are declining.

Rio Tinto Group, the world's top iron ore exporter, told its customers in March that it would lower the iron content of its flagship Pilbara Blend Fines product, citing the gradual quality degradation of its orebodies.

In 2024, BHP also lowered the iron content of two of its flagship medium-grade iron ore products -- Mining Area C Fines (MACF) and Newman High Grade Fines (NHGF), among others, to 60.6% Fe and 61.7% Fe, respectively.

"This [lowering of grades] points to an increasing risk that ore of higher quality from countries like Brazil might well replace Australian ore on the shopping lists of key customers," KPMG's report said.

"The opportunity to expedite technological solutions to maintain the attractiveness of Australian ore is already being explored and, correspondingly, considerations regarding key inputs such as energy."

KPMG expects energy security to be among the top 10 concerns for Australian miners in 2026, as efforts to produce a more attractive green iron product to aid steelmakers' decarbonization efforts will require "a lot more processing [and therefore energy] than what you have typically seen in the iron ore world," Sugars told a July 16 media roundtable in Perth.