Security for Mining: anatomy of an intrusion that threatens a mine's automation
Large-scale operations with OT, logistics, and strategic exploration data are targets of ransomware, industrial espionage, and attacks on control systems in remote environments. See how Decripte detects, contains, and structures the defense of the IT-OT link.
Direct answer
Protecting a mining operation requires treating the plant as two worlds that touch but must not be confused: the corporate IT network (ERP, email, engineering, geological data) and the OT operational technology network (PLCs, SCADA, fleet dispatch systems, crushers, conveyors, pumping). Effective defense combines four fronts operating together. First, strict segmentation between IT and OT following the Purdue model, with an industrial DMZ that prevents a compromise in email from turning into direct access to the plant floor. Second, a 24x7 SOC that monitors both domains — login and endpoint telemetry on IT, and industrial protocols (Modbus, OPC-UA, EtherNet/IP) on OT — to flag lateral movement before it crosses the border. Third, an Incident Response plan designed for the sector, with a containment SLA of up to 1 hour and playbooks that know how to isolate IT without shutting down the mine, because stopping a mining operation or a pit dewatering system has physical and environmental safety consequences. Fourth, recurring Pentesting that validates the segmentation, the remote exposure of sites, and the resilience of legacy OT assets. Decripte structures exactly this arrangement: free risk assessment at decripte.com.br/intelligence-center and sign-up at decripte.io/start.
24/7
SOC monitoring IT and OT at remote sites
<=1h
Incident containment SLA
IT/OT
Purdue segmentation as the central control
ISO 27001
Governance foundation for exploration data
In summary
- ›The number one risk in mining is not a direct attack on SCADA, but rather the lateral movement of an ordinary compromise in corporate IT to a poorly segmented OT network.
- ›Stopping IT to contain an incident is simple; stopping OT is a physical and environmental safety decision. Playbooks need to know how to isolate without shutting down the mine.
- ›Geological and exploration data are intellectual property of extremely high strategic value and a preferred target of industrial espionage — they require classification, encryption, and exfiltration control.
- ›Remote sites with satellite or microwave connectivity and lean teams make centralized continuous monitoring (24x7 SOC) the only viable defense against the attacker's nighttime window.
- ›Legacy OT assets (10-20 year old PLCs and HMIs) do not get patched like a server; the defense is by compensation: segmentation, passive monitoring, and access control, not by remediation.
- ›A continuity plan that assumes the scenario of a mine operating in manual, degraded mode is part of the security posture, not an appendix to the operational contingency plan.
Cibersegurança para Mining
Large-scale operations with OT, logistics, and strategic exploration data are targets of ransomware, industrial espionage, and attacks on control systems in remote environments. See how Decripte detects, contains, and structures the defense of the IT-OT link.
Why mining is an extremely high-value target
Mining concentrates a combination of factors that makes it disproportionately attractive to sophisticated attackers and to organized ransomware crime. First, it is capital-intensive and sensitive to downtime: every hour of a stopped plant — a processing mill, a fleet dispatch system, a long-distance conveyor belt — represents production loss that is difficult to recover, and this financial pressure is exactly the lever a ransomware operator uses to force payment of the ransom. Second, the industry operates with a deep dependence on operational technology (OT) whose life cycle is measured in decades, not years, which creates a fleet of assets that was never designed to be connected to networks, let alone to withstand a motivated human adversary.
Third, mining generates and holds data of singular strategic value. Geological models, drilling results, grade estimates, and long-term mine plans are intellectual property that defines the company's competitiveness for decades and that has direct value to competitors, to state actors interested in critical resources, and to market speculators. The silent exfiltration of this data — industrial espionage — can be as damaging as ransomware, and it is much harder to detect because it does not stop the operation. Fourth, geography: mines operate in remote locations, with limited connectivity, lean on-site IT teams, and dependence on satellite or microwave links, which has historically led to weak or nonexistent security monitoring precisely on the most critical assets.
The real vector is not SCADA, it's the bridge
The popular imagination of a mining attack is the hacker who takes control of a PLC. In practice, the overwhelming majority of serious OT incidents begin in corporate IT — a phishing email, a leaked credential, a VPN without MFA — and only become catastrophic when the attacker discovers that the industrial network is accessible from the office network. The IT-OT border is the control that matters most.
The sector's specific threat map
Threats to mining are not generic. They have their own anatomy, dictated by the IT-OT architecture, remote geography, and the value of the data. Mapping them precisely is the first step toward a defense that does not waste effort protecting what does not matter while leaving exposed what does.
The threats Decripte prioritizes in mining
- ✓Ransomware in mine operations: the attacker seeks to encrypt IT servers and, when able to cross into OT, to paralyze fleet dispatch, weighing systems, and supervision, maximizing ransom pressure through the production stoppage.
- ✓Attacks on OT and automation systems: manipulation or denial of service against PLCs, SCADA, and HMIs that control crushers, conveyors, pit dewatering, and tailings dams — with the potential to impact physical and environmental safety.
- ✓Geological data espionage: slow, stealthy exfiltration of ore body models, drilling data, grades, and mine plans — intellectual property of strategic value to competitors and state actors.
- ✓Logistics compromise: attacks on the systems that orchestrate rail transport, slurry pipeline, stockyard, and port shipment, where a stoppage propagates loss across the entire chain to the customer.
- ✓IT to OT lateral movement: the vector that turns a common office incident into an industrial crisis, exploiting nonexistent or poorly configured segmentation between the two domains.
Each of these threats has a set of controls that neutralizes it, and most of them are shared: the segmentation that prevents lateral movement is the same one that limits the reach of ransomware and the same one that hinders the exfiltration of geological data. That is why Decripte does not treat threats in isolation — it structures an architecture whose controls cover the whole set.
Is mining data already exposed or up for sale? Find out now — for free.
Sem cartão, sem compromisso. Descubra em minutos o que já vazou da sua empresa e qual é o seu risco real.
The Purdue model and the border that defines survival
What to separate and why
The central control of security in mining is the segmentation between IT and OT, and the vocabulary for discussing it is the Purdue reference model, widely adopted in industrial environments and reflected in the standards of the IEC 62443 family for industrial automation. The model organizes the plant into levels: Level 0 is the physical process (sensors and actuators), Levels 1 and 2 are control (PLCs, HMIs, SCADA), Level 3 is site operations (historians, engineering servers), and Levels 4 and 5 are corporate IT (ERP, email, internet). Between Level 3 and Level 4 sits the industrial DMZ — the demilitarized zone that mediates all traffic between the two worlds and that, when well built, prevents a corporate compromise from directly reaching the plant floor.
In field practice, what is frequently found is a porous border: a 'temporary' firewall rule that became permanent so a vendor could access a PLC; an engineering workstation with simultaneous access to the internet and the control network; a historian exposed to the corporate network without any mediation. Each of these bridges is the path the attacker looks for. Decripte audits these borders, documents every legitimate flow, and chokes off the rest.
Why OT is not defended like IT
A vulnerable corporate server is fixed with a patch in the next maintenance cycle. A PLC that controls a pit dewatering system has been running for 15 years, has no downtime window without operational risk, and often the manufacturer no longer even offers fixes. OT defense is by compensation: segment so that the vulnerable asset is unreachable, monitor passively to detect any anomalous command, and rigidly control who has access. It is not 'fix the vulnerability' — it is 'make the vulnerability unexploitable'.
This principle reorients the entire strategy. Where IT invests in fast remediation, OT invests in defensive architecture and visibility. OT monitoring is predominantly passive — Decripte observes industrial traffic through port mirroring without injecting packets that could disturb sensitive processes — and built on a baseline of what is normal: which commands, between which assets, at which times. Any deviation from that baseline, such as an engineering workstation writing to a PLC outside the maintenance window, is a warning sign.
The challenge of remote sites and 24x7 monitoring
The geography of mining is a security problem in itself. Operations are located in isolated places, hundreds or thousands of kilometers from the corporate center, with connectivity that may depend on satellite links or limited-bandwidth microwave radio. On-site IT teams are small and focused on keeping the operation running, not on hunting adversaries. And the attacker knows this: the nighttime window, the weekend, the long holiday — when the site is running with a minimal crew — is exactly when the intrusion advances.
The answer to this challenge is continuous, centralized monitoring. Instead of depending on local vigilance at each site, telemetry from all assets — endpoints, servers, firewalls, OT network sensors — is forwarded to Decripte's 24x7 SOC, where human analysts and automated correlation operate around the clock. This solves two problems at once: it provides visibility where there was once nighttime blindness, and it concentrates scarce industrial security expertise in a central team that serves all sites, rather than requiring a specialist at each mine.
The SOC sees both worlds
A SOC that only monitors IT sees half the board. The difference of a SOC prepared for mining is correlating the two domains: when a corporate endpoint is compromised and, minutes later, an OT network probe detects a Modbus protocol scan originating from a host that has never spoken industrial-ese, it is the correlation between the two signals that reveals the attempt to cross the border — and triggers containment before it is completed.
Limited connectivity also shapes the architecture. Decripte designs telemetry collection to be resilient to unstable links: local buffering when the link drops, prioritization of security traffic, and OT probes that operate autonomously at the site even when communication with the central SOC is degraded, synchronizing events when the link returns. Security cannot depend on a perfect connection to headquarters.
Geological data and the silent threat of espionage
While ransomware is loud and OT disruption is immediate, geological data espionage is the opposite: silent, patient, and designed never to be noticed. The target is the information assets that define the company's value for decades — the three-dimensional ore body models, the drill hole databases with grades, the feasibility studies, the long-term mine plans. For a competitor, knowing the real grade distribution of a deposit before an area auction or an acquisition negotiation is worth extraordinary sums. For state actors interested in critical minerals, this data has geopolitical value.
The incident that does not stop the mine
The exfiltration of exploration data takes no system down. The servers stay up, production continues normally, and for this reason it can go months without being detected by a team focused solely on availability. Detection depends on monitoring the behavior of the data: who accesses the geological repository, in what volume, where the data goes. It is a data-oriented defense, not a system-oriented one.
Defense begins with classification: identifying where exploration data lives, who legitimately needs it, and in what volume. From there, least-privilege access controls, encryption at rest and in transit, and — crucially — exfiltration monitoring that establishes the baseline of normal use and flags the deviation: the engineer who suddenly downloads the entire drilling database, the service account that sends data to a never-before-seen external destination, access to the geological repository at hours incompatible with the shift. These are the signals that Decripte's 24x7 SOC hunts, because they are what reveal the espionage that no stopped system would betray.
What would an incident in mining cost? See your real risk before it happens.
Sem cartão, sem compromisso. Descubra em minutos o que já vazou da sua empresa e qual é o seu risco real.
The logistics link: when the stoppage propagates
Mining does not end at the mine. The product must be transported, stored, shipped, and delivered, and this logistics chain — railways, slurry pipelines, stockyards, port terminals, weighing and shipment systems — is an extension of the attack surface whose compromise propagates loss far beyond the plant. An attack that paralyzes the rail dispatch system or ship loading control can jam the flow of finished production, generating port demurrage costs, contractual penalties, and supply disruption to downstream customers.
These logistics systems live in the same gray zone between IT and OT: they have physical automation components (scales, gates, loading conveyors) and orchestration components that talk to the ERP and to third-party systems — rail operators, port authorities, customers. This integration with the external ecosystem widens the surface and introduces supply chain risk: a compromised logistics partner can be the point of entry. Decripte extends the segmentation and monitoring architecture to this link, treating logistics as its own OT zone, with its own DMZ and its own behavioral baselines.
The chain that needs end-to-end coverage
- ✓Mine fleet dispatch and optimization systems (haul trucks, excavators).
- ✓Weighing, sampling, and quality control at shipment.
- ✓Transport control by rail, slurry pipeline, or long-distance conveyor.
- ✓Stockyards and stacking and reclaiming systems (stacker/reclaimer).
- ✓Port loading and integration with authorities and shipowners.
The continuity plan that assumes the mine in manual mode
No defense is perfect, and security maturity in mining is measured as much by the ability to prevent as by the ability to operate under attack. The business continuity plan for a mine cannot be a generic IT document that assumes 'restore the backup and go back'. It needs to answer concrete operational questions: if the fleet dispatch system goes down, does the mine operate in manual mode with radio and spreadsheet? For how long? If the mill SCADA is isolated on suspicion of compromise, which processes can run in degraded local control without risk to physical safety? Who decides to shut down and who decides to keep running?
Isolate without shutting down
The difference between an IT IR plan and a mining one lies here. In IT, containing a compromised host means shutting it down — no drama. In OT, shutting down can mean stopping a pump that controls the level of a pit, interrupting the ventilation of an underground mine, or halting a chemical process in progress. The playbook needs to offer the option of isolating the network without cutting the physical process, and that decision is made jointly between the security responder and the operational team. Physical safety always beats cybersecurity in a tiebreaker.
Decripte builds these plans together with the operational teams and validates them with tabletop exercises that rehearse the scenario before it actually happens. Backups of PLC configurations, control logic, and engineering projects are treated with the same rigor as corporate data backups — because rebuilding the programming of an automation system from scratch, without the backup, can take weeks that the operation does not have. Continuity is part of the security posture, not an appendage.
How Decripte operates: from diagnosis to continuous defense
Decripte's work in mining follows a deliberate sequence: first understand the terrain, then stop the bleeding, then strengthen the architecture, and finally monitor continuously. You do not start by buying tools — you start by mapping where the critical assets are, how IT and OT connect, and where the border is breached. This diagnosis, which can start from the free Threat Management plan at decripte.com.br/intelligence-center, reveals the real risk before any investment.
From the diagnosis, Decripte combines services according to the maturity and risk of each operation: the 24x7 SOC for continuous visibility over IT and OT at remote sites; Incident Response for the capacity for rapid containment with playbooks that respect OT; Pentesting to validate that the segmentation and controls truly hold; and Compliance to structure governance over strategic data and meet regulatory requirements. Sign-up begins at decripte.io/start, and operations that prefer to talk first can use the form at /contato.
Diagnosis before defense
Decripte's free Threat Management plan (decripte.com.br/intelligence-center) gives a mining operation an objective first read of its exposure — what is visible on the external surface, which assets respond on the internet, where there are signs of risk — with no commitment and nothing to install. It is the natural starting point for an informed decision.
Anatomy of a real case: the intrusion that tried to cross into a mine's automation
Real, de-identified example
Real anonymized example (without identifying the client), built from typical patterns in the sector. A large mining company operates three remote sites with open-pit mining, a processing mill, and rail shipment. Corporate IT is at headquarters; each site has an OT network with SCADA, PLCs controlling crushing, conveyors, and pit dewatering, plus a fleet dispatch system. The border between corporate IT and the OT of one of the sites had a broad firewall rule, created months earlier for a maintenance vendor and never revoked. Decripte was operating with a 24x7 SOC monitoring both domains and with Incident Response under contract.
Initial vector and detection
An operator on the site's administrative team opens an attachment from a fake invoice, and the endpoint is compromised with a remote access implant. The attacker begins reconnaissance of the corporate network. In the early hours of the next morning, Decripte's OT monitoring probe detects something that should never happen: an industrial protocol scan (Modbus enumeration) originating from a corporate network host toward the control network. The 24x7 SOC, correlating this signal with the compromised-endpoint alert issued hours earlier, classifies the event as an active attempt at IT to OT lateral movement and escalates it to a critical incident within minutes.
Activation and triage
The Incident Response plan is activated. Decripte's team establishes the crisis bridge with corporate IT and, crucially, with the site's operational team — because any containment action at the OT border must be assessed for physical impact. Triage confirms the scope: one compromised endpoint, corporate network reconnaissance in progress, and the industrial scan exploiting precisely the forgotten firewall rule as a path to OT.
Containment
Within the SLA of up to 1 hour, containment executes in layers. The source endpoint is isolated from the network. The broad firewall rule at the IT-OT border is immediately choked down to strictly legitimate flows, closing the path of lateral movement. A deliberate decision, made jointly with operations: the OT network is isolated from the corporate network without shutting down any physical process — crushers, pumps, and conveyors keep operating under local control. The mine does not stop; the bridge is cut.
Eradication
With the bleeding stopped, the investigation reconstructs the attacker's complete path: the initial phishing, the credentials collected, the hosts touched on the corporate network. All implants are removed, exposed credentials are rotated, and the OT scan is confirmed as reconnaissance — no command was ever written to a PLC, because the border was closed first. The OT behavioral baseline confirms that no control logic was altered.
Recovery
The affected corporate systems are restored from clean images and returned to operation under reinforced monitoring. Controlled reconnection between IT and OT is reestablished only after the new border architecture — a proper industrial DMZ replacing the broad rule — is deployed and validated. The operation suffered no production stoppage at any point.
Lessons and structuring
The post-incident review reveals the root cause: it was not the phishing — which is inevitable — but rather the porous border that turned a common incident into a threat to automation. Decripte conducts a complete review of the segmentation of the three sites, deploys consistent industrial DMZs, establishes permanent OT monitoring as the standard, runs a Pentest to validate that the new borders hold, and conducts a tabletop exercise with the teams to rehearse the next crisis.
Outcome with Decripte
The incident was contained before any command reached the control systems, with no production stoppage and no physical or environmental damage. What could have been a ransomware paralyzing the operation or an automation manipulation became a managed event. The decisive difference was the combination of a 24x7 SOC that saw both worlds and correlated them, with an Incident Response whose playbook knew how to isolate the network without shutting down the mine. From the incident, the operation emerged with a structured IT-OT architecture, borders validated by Pentesting, and a rehearsed continuity plan — turning an averted crisis into a leap in maturity.
Don’t wait for the incident. Start hardening mining today.
Comece pelo diagnóstico gratuito agora e veja em minutos o que já vazou. SOC 24x7 e contenção em até 1h nos planos pagos.
How Decripte responds to an incident in a mining operation
Decripte's Incident Response playbook for mining is designed around a constraint that does not exist in traditional IT: containment cannot compromise physical safety or the environment. Every step respects this hierarchy.
- Detection and correlation in the 24x7 SOC: the incident is identified by the correlation between IT signals (endpoint, login, email) and OT signals (anomalous industrial traffic, protocol scan, out-of-baseline command), revealing the attempt to cross the border before it is completed.
- Activation with operations in the room: the crisis bridge includes, from the first minute, the site's operational team, because every containment decision that touches OT must be assessed for physical impact — physical safety always beats cybersecurity in the tiebreaker.
- Triage and scope definition: Decripte determines which assets are compromised, whether the movement has already crossed into OT, and what path was exploited, separating the affected corporate IT from the still-intact plant floor.
- Containment within the SLA of up to 1h: isolation of compromised hosts, choking down of exploited IT-OT borders and, when necessary, isolation of the OT network without shutting down physical processes — the mine keeps running under local control while the bridge is cut.
- Cause-oriented eradication: removal of implants, rotation of exposed credentials, and confirmation, via the OT baseline, that no control logic was altered and no malicious command reached the PLCs.
- Controlled recovery: restoration of IT systems from clean images and IT-OT reconnection only after the border is rebuilt securely and validated, without compromising production continuity.
- Forensics and evidence preservation: collection and custody of the complete timeline of the attack, meeting the needs of internal investigation, of regulatory notification when personal data is involved (LGPD/ANPD), and of any legal proceedings.
- Post-incident and hardening: root cause review, correction of the border that allowed the escalation, validation by Pentesting, and a tabletop exercise with the teams so that the next crisis finds a more prepared operation.
How Decripte structures the security of a mining operation
Structuring the security of a mine is, first and foremost, about organizing the relationship between IT and OT and giving continuous visibility to remote sites. Decripte works on pillars that mutually reinforce one another.
IT-OT segmentation via the Purdue model
The central pillar. Decripte audits and rebuilds the border between the corporate network and the control network, deploying industrial DMZs that mediate all traffic and choke off the porous bridges — the forgotten firewall rules and the dual-connected hosts that are the path of lateral movement. Aligned with the practices of the IEC 62443 family for industrial automation.
Continuous monitoring of both worlds
The 24x7 SOC collects and correlates telemetry from IT (endpoints, servers, identity) and from OT (industrial protocol traffic via passive monitoring, without disturbing processes), with behavioral baselines that flag the anomalous command or flow. It is the visibility that replaces the local vigilance absent at remote sites.
OT defense by compensation
Since legacy industrial assets do not get patched like servers, the defense is done through architecture: making the vulnerable asset unreachable via segmentation, rigidly controlling the access of vendors and teams, and monitoring passively to detect any deviation. The process is protected without depending on fixing what cannot be fixed.
Protection of strategic exploration data
Classification of geological, drilling, and mine-plan data, with least-privilege access control, encryption, and exfiltration monitoring that detects silent espionage — the incident that does not stop the mine but drains its strategic value. Governance anchored in ISO 27001 and in the LGPD for associated personal data.
Recurring offensive validation
Periodic Pentesting that attacks the operation like a real adversary: testing whether the IT-OT segmentation holds, whether remote access to the sites is exploitable, whether logistics is a side door, and whether legacy OT assets expose the plant. Defense is only trustworthy when it has been proven under controlled attack.
Rehearsed continuity to operate under attack
Continuity plans that assume the mine operating in manual, degraded mode, backups of OT configurations and logic treated with production-grade rigor, and tabletop exercises that rehearse the crisis with the operational teams before it happens — so that isolating never means improvising.
Recommended plans for Mining
SOC 24x7
Mines operate at remote sites with lean teams, and the nighttime window is when the intrusion advances. Decripte's 24x7 SOC provides continuous, centralized visibility over IT and OT and — decisive in the sector — correlates the two domains to flag IT to OT lateral movement the instant it tries to cross the border, before it reaches the control systems.
See plan →Incident Response
In a mine, containing an incident is different from containing it in IT: stopping OT has physical and environmental safety consequences. The containment SLA of up to 1h comes with playbooks that know how to isolate the network without shutting down physical processes, decided jointly with operations — which stops the attack without paralyzing production.
See plan →Pentest
IT-OT segmentation, remote access to the sites, and legacy OT assets must be proven under attack, not presumed secure. Decripte's recurring Pentesting validates whether the borders hold and finds the forgotten firewall rule or the dual-connected host before the attacker does.
See plan →Compliance
Geological and exploration data are intellectual property of strategic value that demands formal governance, and personal data of employees and third parties falls under the LGPD/ANPD. The structuring of Compliance anchors classification, protection, and incident response in ISO 27001 and in the applicable regulatory obligations.
See plan →Frequently asked questions
What is the biggest security risk in a mining operation?
It is not a direct attack on SCADA, as common sense suggests, but rather the lateral movement of an ordinary compromise in corporate IT — a phishing email, a leaked credential — to a poorly segmented OT network. The overwhelming majority of serious OT incidents begin in IT and only become a catastrophe when the border between the two worlds is breached. That is why IT-OT segmentation is the control that matters most.
How do you contain an incident without stopping the mine's production?
With Incident Response playbooks designed for OT. Containment is done in layers: isolate the compromised IT hosts and choke down the exploited IT-OT borders, and — when necessary — isolate the OT network from the corporate one without shutting down physical processes, leaving crushers, pumps, and conveyors running under local control. The decision to touch any physical process is made jointly with the operational team, because physical safety beats cybersecurity in the tiebreaker.
Can the mine's old PLCs and SCADA systems be protected without replacing everything?
Yes. Legacy OT assets rarely get patched and often have no fix available at all, so the defense is by compensation, not by remediation: segment to make the vulnerable asset unreachable, rigidly control who accesses it, and passively monitor industrial traffic to detect any anomalous command. The vulnerability is made unexploitable without requiring replacement of the fleet.
How do we protect our geological data and mine plans from espionage?
Espionage of exploration data is silent and stops no system, so the defense is data-oriented: classify where the ore body models and drilling data live, apply least-privilege access and encryption, and — centrally — monitor exfiltration with baselines of normal use that flag the deviation, such as an anomalous download of the drilling database or a transfer to a never-before-seen external destination. It is exactly this behavior that the 24x7 SOC hunts.
How do you monitor remote sites with limited connectivity?
By centralizing monitoring in the 24x7 SOC instead of depending on local vigilance at each mine. Telemetry from all sites is forwarded to a central team that operates around the clock, with collection designed to be resilient to unstable links — local buffering when the link drops and OT probes that operate autonomously at the site and synchronize when the connection returns. Security cannot depend on a perfect connection to headquarters.
How long does Decripte take to contain an incident?
The containment SLA is up to 1 hour from activation. In mining, this time includes establishing the crisis bridge with the site's operational team, because every action that touches OT is assessed for physical impact. The goal is to stop the attack — isolate hosts, close the exploited border — without causing unnecessary production stoppage.
Does the LGPD apply to mining even though it is an industrial sector?
Yes. The LGPD applies to any company that processes personal data, and a mining company processes data of employees, contractors, suppliers, and communities. In an incident that exposes personal data, there are obligations to notify the ANPD and the data subjects. Decripte structures Compliance so that incident response already contemplates these obligations and so that governance over data — both personal and strategic — is formalized before the crisis.
Where to start if we don't yet have a risk assessment?
With the diagnosis. Decripte's free Threat Management plan (decripte.com.br/intelligence-center) gives an objective first read of the operation's exposure — what is visible on the external surface, which assets respond on the internet, where there are signs of risk — with no commitment and nothing to install. From there, the contracting of the appropriate services begins at decripte.io/start, and those who prefer to talk first use the form at /contato.
Sector terms
- OT (Operational Technology)
- The set of hardware and software that monitors and controls industrial physical processes — PLCs, SCADA, HMIs, sensors, and actuators that operate crushers, conveyors, pumps, and dispatch systems. It differs from IT by prioritizing availability and physical safety, having a life cycle of decades, and not tolerating stoppages for remediation.
- Purdue Model
- An architecture reference model that organizes an industrial environment into hierarchical levels — from the physical process (Level 0) to corporate IT (Levels 4-5) — with an industrial DMZ mediating the border between control and the corporate world. It is the standard vocabulary for discussing IT-OT segmentation, reflected in the IEC 62443 family of standards.
- Lateral movement
- A technique in which the attacker, after compromising a first asset, expands their access to other systems on the network. In mining, the most dangerous scenario is lateral movement from corporate IT to OT, which turns a common office incident into a threat to the plant's control systems.
- Industrial DMZ
- A demilitarized zone that sits between the corporate IT network and the OT control network, mediating and filtering all traffic between the two domains. Well built, it prevents a compromise in the office network from directly reaching the plant floor — it is the heart of IT-OT segmentation.
- Passive OT monitoring
- Observation of industrial network traffic through port mirroring, without injecting packets that could disturb sensitive processes. It allows detecting anomalous commands, scans, and deviations from the behavioral baseline without any risk of interfering with physical operation — the standard approach to security in OT environments.
- Industrial espionage
- Stealthy theft of strategic information — in mining, geological models, drilling data, grades, and mine plans. Unlike ransomware, it is silent and does not interrupt operation, which makes it hard to detect; the defense depends on classifying the data and monitoring its access and exfiltration behavior.
Decripte protects and responds to incidents in mining.
Pentest, 24x7 SOC, incident response with a 1-hour containment SLA and compliance — without building an internal team. Or start free by seeing what has already leaked from your company.
