Cybersecurity risks in mining’s operational technology: Implications of OT vulnerabilities and EU NIS2 compliance

IF 4.3, Zone 2 (Sociology), Q2 ENVIRONMENTAL STUDIES
Fabian Teichmann
DOI: 10.1016/j.exis.2025.101774
Journal: Extractive Industries and Society-An International Journal, volume 25, Article 101774
Publication date: 2025-09-23 (Journal Article)
Open access: no
Source: https://www.sciencedirect.com/science/article/pii/S2214790X25001637
Citations: 0

Abstract

The mining and metals sector faces a surge in cyber incidents, with reported attacks tripling from 10 in 2023 to 30 in 2024. These attacks increasingly target operational technology (OT) – the industrial control systems that underpin extraction and processing – resulting in costly production stoppages. This study investigates the economic and governance challenges posed by these cybersecurity risks. We compare the expected costs of OT-related operational disruptions against the investments required for compliance with the European Union’s new NIS2 Directive on network and information security. Using case studies of European mining companies (e.g., Aurubis and Norsk Hydro) that experienced cyberattacks and now fall under NIS2 obligations, we examine how strong governance (such as board-level cybersecurity oversight and training for directors) correlates with incident frequency and severity. We develop an event-based Monte Carlo simulation model to estimate annual loss distributions from cyberattacks under different preventive investment levels. The results yield cost-risk curves illustrating diminishing marginal benefits of high cybersecurity expenditures. Our findings highlight a clear trade-off: proactive resilience investments and NIS2 compliance incur significant upfront costs, but can substantially reduce the probability of catastrophic OT outages and regulatory penalties. The analysis underscores that effective governance – including board accountability and dedicated cybersecurity leadership – is vital for mitigating risks. This interdisciplinary work offers insights for industry practitioners, regulators, and academics on balancing the socio-economic costs of cybersecurity in mining with the imperative of operational resilience and regulatory compliance.
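As an added illustration of the event-based Monte Carlo approach the abstract describes (this is not the paper's model; the incident rate, severity distribution, investment effect and unit cost are all constructed assumptions), the following Python simulates annual OT-loss distributions at several preventive-investment levels and derives the kind of cost-risk curve in which marginal benefit diminishes:

```python
"""Event-based Monte Carlo of annual OT cyber loss versus preventive investment.
Added example, not the paper's model; every parameter below is a constructed assumption."""
import math
import random

# Constructed assumptions (not taken from the paper):
BASE_RATE = 3.0                            # OT-impacting incidents per year with no extra spend
RATE_DECAY = 0.5                           # each investment unit scales the rate by exp(-0.5)
SEV_MU, SEV_SIGMA = math.log(1e6), 1.0     # lognormal cost of one incident (EUR)
UNIT_COST = 0.9e6                          # annual cost of one unit of preventive investment (EUR)


def poisson(rng, lam):
    """Knuth's method: number of incidents in one simulated year."""
    threshold, k, p = math.exp(-lam), 0, 1.0
    while True:
        p *= rng.random()
        if p <= threshold:
            return k
        k += 1


def simulate_annual_losses(investment, trials=50_000, seed=7):
    """Simulated annual losses (EUR) for one investment level, one value per trial year."""
    rng = random.Random(seed)
    lam = BASE_RATE * math.exp(-RATE_DECAY * investment)
    losses = []
    for _ in range(trials):
        incidents = poisson(rng, lam)
        losses.append(sum(rng.lognormvariate(SEV_MU, SEV_SIGMA) for _ in range(incidents)))
    return losses


def cost_risk_curve(levels=range(5)):
    """Expected loss, 95th-percentile loss and total cost (loss + spend) per investment level."""
    curve = []
    for inv in levels:
        losses = sorted(simulate_annual_losses(inv))
        mean = sum(losses) / len(losses)
        p95 = losses[int(0.95 * len(losses))]          # tail proxy for a catastrophic year
        curve.append({"investment": inv, "expected_loss": mean, "p95_loss": p95,
                      "total_cost": mean + inv * UNIT_COST})
    return curve


if __name__ == "__main__":
    for row in cost_risk_curve():
        print(f"invest={row['investment']}  E[loss]={row['expected_loss']:,.0f}  "
              f"p95={row['p95_loss']:,.0f}  total={row['total_cost']:,.0f}")
```

Each extra investment unit reduces expected loss by less than the previous one, and total cost bottoms out at an intermediate level, which is the trade-off the abstract describes.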
Source journal: CiteScore 6.60, self-citation rate 19.40%, 135 articles published.