Case Study
In brief
Minera Exar S.A.—joint venture between Lithium Americas Corp. (Canada) and Ganfeng Lithium (China)
Mining
Lithium production
2,100 employees (direct and indirect)
B2CLOUD
Argentina
Palo Alto Networks solutions: PA-220 and PA-850 Series Next-Generation Firewalls, Prisma Cloud, and Cortex XDR to create a security environment focused on protecting the network perimeter, VPN links, connections to the cloud, and endpoints
INTRODUCTION
Minera Exar, an Argentinian company in the mining industry, is dedicated to the production of lithium, a key mineral in the manufacturing process of rechargeable batteries for electronic systems such as computers, cell phones, and electric cars. The company is made up of a production plant—still under construction and located in the Cauchari-Olaroz salt flat (Jujuy province, in northwestern Argentina)—and two corporate offices (one in San Salvador de Jujuy and the other in Buenos Aires). After construction of the plant has been completed, Minera Exar will begin producing lithium (expected in December of 2022). The mining company will have a production capacity of 40,000 tons per year of battery quality lithium carbonate.
BACKGROUND
When the plant construction began in 2019, Minera Exar also started building the network infrastructure to provide secure convergent communications services (e.g., voice, data, video) for the site.
At this starting point, the platform would be used by almost 500 people, including contractors and company employees. Some users required the connection to access Minera Exar’s corporate applications (such as SAP) in the cloud (Microsoft Azure®). However, most individuals needed connectivity for other types of activities: due to the location of the work area (4,000 meters above sea level), these people—covering shifts of 7, 16, or 28 days—reside in camps established at the site. During their breaks, this group of users would take advantage of the internet connection provided by the company to make phone calls, enter their social networks, visit websites, or enjoy content on Netflix.
In parallel, the company had to prepare the ground to link the plant’s network, via VPN connections, with two corporate offices, one in San Salvador de Jujuy (the city closest to the plant, 350 kilometers away) and the other in Buenos Aires (each site with an installed data center). A stable and secure connection had to be established between the three locations, always protecting the exchange of information and access to the cloud and business applications.
Soon after the network in the plant started to operate, failures and degradations in the services provided by the infrastructure began to appear. Although the platform had a firewall, this equipment did not offer visibility of what was happening on the network, so it was not easy to detect the origin of the problems. More seriously, the lack of visibility increased the level of exposure to cybersecurity threats and impeded efficient management of available bandwidth, a critical factor for the company since, in this initial phase of construction, bringing an internet connection to the site was not a simple matter. Minera Exar had established two links, one for corporate use and the other for the complimentary internet.
Facing that scenario, in 2020, Minera Exar decided to renovate the security of its connectivity platform.
CHALLENGE
Minera Exar needed a higher level of visibility of the network in its production plant in order to improve the stability and security of its connectivity services. This visibility was necessary not only to meet the immediate needs in the construction site–whereas the construction progressed, more people arrived—but also to move forward in the project of linking the plant with the two corporate offices (110 users considering both offices).
To achieve this goal, significant challenges had to be overcome. The technologies chosen would have to operate in a difficult environment (4,000 meters above sea level, a critical and construction site environment) and offer quick and easy implementation (the installation process could not in any way hinder construction work).
In addition, due to the difficult access to the area where the plant is located, the startup processes, including configurations, adjustments, and customizations, and management would also have to be easy to carry out since it would hardly be possible to have on-site support from a partner or provider. If the above were not enough, 2020 came with an unexpected additional challenge: the COVID-19 pandemic.
“We did not have real visibility of what was happening in the plant’s network. We kept asking ourselves, why are the megabytes of internet we are offering not enough? What are they using them for? With the technology we had installed, we could not answer these questions. Clearly, we needed a different solution, one that would allow us to see the connections, the data, the user behavior, and that would also be scalable over time and allow us to considerably reduce opex and capex,” said Miguel Acosta, Head of Systems at Minera Exar, and responsible for starting the construction of the network platform.
We did not have real visibility of what was happening in the plant’s network. We kept asking ourselves, why are the megabytes of internet we are offering not enough? What are they using them for? With the technology we had installed, we could not answer these questions. Clearly, we needed a different solution, one that would allow us to see the connections, the data, the user behavior, and that would also be scalable over time and allow us to considerably reduce opex and capex.
REQUIREMENTS
Minera Exar required a security solution for the plant’s network, which had to offer a broad and detailed view of the activities that occurred in the network (e.g., who uses the connections, how they use them, which sites they visit, and which online applications or services they use). This visibility had to be reflected in analytical reports that helped detect potential vulnerabilities, as well as understanding the use that was given to the network bandwidth. In addition, the technology would have to protect VPN connections between the plant and remote corporate offices.
Because of the implementation circumstances (an ongoing construction), technology had to allow for easy and fast installation as well as be simple to manage into the future, including:
SOLUTION
Minera Exar chose three Palo Alto Networks solutions to address the connectivity challenges it faced: NextGeneration Firewalls, Prisma® Cloud, and Cortex XDR®. From previous experience with other companies in the mining industry, the company’s IT department was already aware of the capabilities of Palo Alto Networks technology, and it only took a couple of demo sessions to confirm its vendor selection. To support the design, implementation, and support tasks, Minera Exar chose B2CLOUD as a partner.
The project began with the intense work of planning, design, and pre-configuration of equipment, especially for the implementation in the production plant, where the work scenario and complicated access circumstances would prevent a normal installation process. With the support of B2CLOUD, a Palo Alto Networks partner, the implementation started in the place with the best infrastructure conditions: the San Salvador de Jujuy office, which concentrates the company’s managerial activities (finance, administration, human resources, etc.). There, a data center was rebuilt, and a Palo Alto Networks firewall was installed—in less than an hour. Another firewall was placed in the data center of the Buenos Aires office, the smallest office, for the network deployment.
The phase that was considered the most challenging, the implementation in the production plant network, was the next step. Thanks to previous planning work, the process went smoothly. Two Palo Alto Networks firewalls were placed in the site’s data center. The teams were sent to the site and, over a weekend, with remote support from B2CLOUD, all the installation tasks were carried out—such as adjustments to some pre-configurations, optimization of functionalities, enablement, and release of services. Once this process was concluded, for two weeks, the firewalls were left operating to audit network traffic.
The audit confirmed that Palo Alto Networks technology was the solution Minera Exar was looking for. The equipment generated traffic analytics reports that finally revealed, in detail and with precision, what was happening in the plant’s network. The company now had visibility into the factors (users, computers, applications) that were causing degradation in infrastructure performance and could pose a security risk. They went from seeing nothing to seeing everything, which implied that the company could take actions to efficiently manage and protect its bandwidth. Additionally, thanks to the advanced filtering capabilities of Palo Alto Networks solutions, Minera Exar could take proactive steps to ward off any cybersecurity threats.
“We finally had visibility and content filtering capabilities. We could explain internet service degradations, strengthen link security, and take action to improve bandwidth management. When instabilities occur in the service, the solution is not simply to provide more bandwidth; it is necessary to detect where consumption is happening. We detected that the use of SAP and other business applications was affected by connections to YouTube, Netflix, and social networks,” adds Hernán Lamas, Head of Infrastructure at Minera Exar.
With network visibility already guaranteed, the company decided to advance its other connectivity and security initiatives. Together with B2CLOUD and Palo Alto Networks, Minera Exar implemented Prisma Cloud and an additional firewall to protect its infrastructure and cloud operations, an area in which the company had not installed a specialized security tool, and which today, thanks to Palo Alto Networks solutions, is protected with innovations specially designed for the cloud: user activities, detection of suspicious behavior, filtering traffic, configuration errors in network components, threat analytics, compliance policy management, etc.
Minera Exar also began the deployment of Cortex XDR to protect endpoints at the plant—400 by the end of 2020, although the number is constantly growing. As construction progresses, more people come to work at the plant. With this Palo Alto Networks solution, the company has a complete view of the security status of its data on endpoints, the cloud, and the network, which is complemented by innovative functions of automated detection and response, incident analytics, intelligent management of alerts, and constant profiling of user and endpoint behaviors, among others.
“The project in the production plant strengthened our confidence in the Palo Alto Networks solutions, especially because of their capabilities to generate network visibility and provide us with security and traffic analytics. Now we could be calmer. That is why we decided to work with Palo Alto Networks in the next phase: the protection of the cloud and the endpoints,” says Lamas.
The project in the production plant strengthened our confidence in the Palo Alto Networks solutions, especially because of their capabilities to generate network visibility and provide us with security and traffic analytics. Now we could be calmer. That is why we decided to work with Palo Alto Networks in the next phase: the protection of the cloud and the endpoints.
BENEFITS
Today, 1,500 people—company employees and contractors—work on the construction of the Minera Exar production plant. When they need to use a network resource, these collaborators receive a secure service with high levels of stability and quality.
To achieve this, the network visibility factor, provided by Palo Alto Networks solutions, was an essential element. The company not only monitors and filters the content of the connections—to detect and address cybersecurity threats—at the same time, and thanks to the traffic analytics reports it obtains, it recognizes the causes that generate degradations in the service of networks and takes steps to stabilize bandwidth usage. It should be noted that, to date, Minera Exar has not suffered a cybersecurity incident or data breach.
“Today, when users connect to the network, I automatically know what they are doing. The deployment of Palo Alto Networks firewalls, for example, allows me to see what they do, what pages they visit, what applications they download. This issue of traffic analysis is fundamental for us. In addition, this monitoring and control work is carried out in a simple way, with the support of automated functions and without management complexities,” says Lamas.
On the other hand, when the COVID-19 pandemic began, the decision to rely on Palo Alto Networks technology took on greater value. First, during the first months of the pandemic, many workers had to remain on the construction site for longer than usual—the authorities did not allow them to leave the facility. In a crisis situation like this, Minera Exar provided, without compromising the security and stability of the network, a means for people to maintain contact with their families (via telephone, WhatsApp™, videoconference, etc.) and forced confinement to be less stressful, with access to streaming platforms and social networks, for example.
“Going through the pandemic has been a tough process. Fortunately, at the plant, the company was able to offer stable connectivity that allowed employees and contractors to maintain contact with the family. In the early stages of the construction, that stability would not have been provided by the network,” adds Lamas.
In addition, although the pandemic caused a temporary pause in the construction work, the employees dedicated to management and corporate issues—around 200 users—were adopting a remote work scheme. Minera Exar, thanks to its implementation of Prisma Cloud and Cortex XDR, made this transition in an accelerated way and without exposing itself to cybersecurity threats. Palo Alto Networks solutions are providing a granular view of these remote connections, with ongoing monitoring and protection of the data that travels through them. This capacity has been
Today, when users connect to the network, I automatically know what they are doing. The deployment of Palo Alto Networks firewalls, for example, allows me to see what they do, what pages they visit, what applications they download. This issue of traffic analysis is fundamental for us.
of huge importance, since only a few employees (e.g., managers, finance personnel, some executives) use VPN links. Most of them connect with the links that are available at home. As has happened in the production plant, Minera Exar has not registered a security incident in its remote work deployment.
These results have strengthened Minera Exar’s confidence in Palo Alto Networks technology and the service of partner B2CLOUD. For this reason, at this moment, the company is evaluating Palo Alto Networks solutions for its next major connectivity project: the security of a network of IoT devices that will soon be operational once the plant begins operations. These IoT devices, specifically for the mining industry, will enable the automation of processes in the plant and, above all, will provide key data for the business, such as at the production level, progress in the different production phases, machinery performance, production times—in general, the plant and process control information. “These are data that are of great strategic value for the business. Hence the importance of protecting the IoT network and all the information it generates,” says Lamas.
CONCLUSION
Thanks to Palo Alto Networks solutions—Next-Generation Firewalls, Prisma Cloud and Cortex XDR—Minera Exar will start operations with a network infrastructure that, in all its locations, will offer safe, stable, and reliable services. In the challenging production plant environment, all connectivity features are protected against cybersecurity threats and managed to make the most of available bandwidth. In the corporate offices, access to business applications and the cloud is always under the control and surveillance of the company, although lithium production is still a few months away.
Minera Exar is now ready to face the next set of security challenges that comes its way.
To learn more about Prisma Cloud, visit paloaltonetworks.com/prisma/cloud.
For more information on any of the products noted above and more, visit us at www.paloaltonetworks.com