Ashish Khanna, Director of Verizon Security Consulting, explains why modern cybersecurity in manufacturing comes down to effective supply chain management.
Back in October, Ashish Khanna, Director of Verizon Security Consulting, told Manufacturing Digital about the cybersecurity challenges associated with OT/IT integration in manufacturing environments.
Ashish highlighted that, in today’s deeply interconnected industry, where Industry 4.0 enables manufacturers to communicate and collaborate across the globe, cybersecurity is about more than internal protections. He described cybersecurity in manufacturing as the careful, comprehensive management of an increasingly digitised supply chain, sharing insights on how the sector could better approach this process.
In part two of our conversation, he explains why modern cybersecurity in manufacturing comes down to effective supply chain management.
“The collaboration, the multi-stakeholder collaboration from a cybersecurity standpoint is very important,” Ashish says, explaining that often this is about more than just evaluating and keeping track of the obvious partners.
He refers here to the sports industry, which often, in its focus on keeping stadium events secure, neglects to consider threats from other sectors.
“A cybersecurity attack on the critical infrastructure of the water company that feeds water in the sports stadium could derail the entire event,” continues Ashish, describing how a hard, unwatered pitch baked by the sun will impact ball movement and playing conditions and increase the risk of serious player injuries.
This is a key example of a huge cybersecurity threat in sports, overlooked precisely because it originates from the broader supply chain.
Another high-profile example was the CrowdStrike incident from last year, where Microsoft’s flow-down provider faced a security incident during software development, resulting in a security breach. This led to a massive IT outage, crashing millions of Windows systems worldwide and grinding airports, businesses and healthcare providers to a halt.
“Microsoft was working very well with the ecosystem and look at what happened,” adds Ashish.
“The world witnessed it. So that’s another example of supply chain risk, or dependency risk as we call it, that has to be monitored through party suppliers.”
Ashish advises manufacturers to adopt a holistic approach to cybersecurity that focuses on partners and suppliers whilst anticipating emerging technologies.
“Anticipating future technology breakthroughs and applications is extremely important,” he explains, noting how adept cybercriminals are at quickly identifying and exploiting new technological vulnerabilities.
But in his mind, the biggest vulnerability that can arise within broader supply chain manufacturing is the lack of a unified security culture.
“If your culture is different to what your supply culture is, say they don’t do patch management and they don’t have security constraints, they just want to sell a product to you and see that product in your system, you have a problem,” he explains.
“Ultimately you’re responsible because you are managing your customer. So you need to make sure those risks are being mitigated, so there’s no finger-pointing at the later stage.”
Ashish recommends that manufacturers evaluate governance, saying they must assess cyber programmes across the entire value chain, stakeholders and the organisation. This is a critical step, as the sector is full of partner dependencies.
“We want to avoid sovereignty issues and inconsistencies between how partners are legislatively following the frameworks versus what geography they are in,” he says.
“There could be challenges with the lack of data sharing, there could be challenges in terms of information sharing and so on. So governance is very, very important as part of that. At Verizon Security Consulting we process and work with customers to ensure it is at the top of the value chain.”
Verizon also makes sure customers “go through the evolution of their products and their environment, ensuring the cybersecurity measures are imperative to their systems, from production to decommissioning, so that as if and if they get attacks, they don’t get disrupted by those attacks.”
Finally, Ashish advises manufacturers to engage in broader monitoring and management, not just of their own ecosystem but by maintaining TRN market players to monitor their environment as well.
“Say you are an electronics manufacturer that sources your chips from another provider,” Ashish continues. “Are you making sure that you’re not just monitoring yourself, but you’re also monitoring your source providers? That will help mitigate any of those flow-down risks that may constitute and disrupt your environment as well.”
Verizon Security Consulting helps manufacturers do all this and more.
“We also help our customers with knowledge sharing,” Ashish concludes.
“We take the lessons learned and build platforms to share that knowledge through intelligence or through threat data sharing with other manufacturers as well.
“We are making a lot of effort through our integrated platforms to contribute to the security of manufacturing and ensure nobody makes the same mistakes.”