Industry verticals like manufacturing and retail, which have been classified as critical infrastructure, can be especially vulnerable to cyber attacks, IoT Insider learned in a recent conversation with Ashish Khanna, Senior Director at Verizon Business.
“A lot of people are talking about supply chain risk and because of that, there is definitely a requirement for robust protection,” said Khanna. “Because of industrial 4.0, everything is becoming extremely connected and equally uncontrolled due to public networks by the Internet.”
Protecting retail and manufacturing
According to Khanna, retail and manufacturing have enough protection, “but they’re also taking more measures to mature themselves … primarily because we still need to do some work in how we look at attacks.”
“How do we look at attacks? How do we look at cyber threats?” he continued. “How do we look at the degradation of the stack that takes place when these cyber attacks happen? Although there has been work done, I think there is definitely an opportunity to further improve cyber defences and cyber resilience.”
Khanna characterised the right approach to cybersecurity as proactive, not reactive, something I had noticed in recent conversations with other security experts that was becoming more commonplace. Rather than the traditional approach of responding to the damage incurred by a company being hacked, or experiencing a data breach, cybersecurity experts are looking at how they can prevent these breaches from happening in the first place.
“We need to look holistically at the sector itself, from the device layer to the supervision layer, that’s number one,” he explained. “Number two is how we develop these systems to proactively monitor and measure their performance, not just when the code is in production but also in pre-production, as we call the test environments.
“Lastly, number three, looking at what mechanisms you would put in place to put resilience into existing frameworks. We have the metric framework as an example, which is primarily focused engineering, and that stipulates critical infrastructure cyber security departments.”
Verizon also offers a survivability framework and a risk reduction model, which Khanna said lots of organisations were starting to follow with regard to understanding the potential risks they face.
Khanna explained that the NIS2 Directive, which is set to come into force this October, outlines an approach to cybersecurity that can be characterised as identifying, protecting, detecting, responding and recovering.
“I think there have been further advancements made in terms of recognising,” Khanna detailed. “If you have found something in the environment, how do you respond to that? Do you need to tolerate it, or do you need to contain or mitigate that attack?
“We speak a lot about recovery or responding [to cyber attacks], but there is a lot of focus on rebound too … How do you put the healing process in place? How do you look at previous lessons learned, is there anything that was learned in the past that you can put into practice?”
Key recommendations
“First and foremost it’s important to look at your infrastructure, look at your connectivity partners and look at your network provider in terms of who is providing your network coverage,” Khanna recommended. “Is that secure in terms of your footprint? That’s number one.” Security in infrastructure, he said, plays a “key role” in managing the environment and looking at how the data is transferred, transposed and consumed.
Number two is governance: “Governance across the entire value chain is extremely important, and not just your value chain,” Khanna stressed. “When I talk about governance in retail and manufacturing, it has to be within countless stakeholders.” He noted that from a telecoms perspective, there are “inconsistencies” in governance, and that there can be confusion about all of the different frameworks to follow. “Customers are getting confused on which to follow. ‘Should I follow the NIS2 Directive or should I follow the Cyber Resilience Act as an example?’ That would help us to address some of the issues.”
Number three is the product life cycle. “A critical quantification of that software development life cycle process is very important,” Khanna explained. “As an example, if you’re a car provider and you use autonomous braking in your cars – which brakes itself when you’re hitting another person or another car, what is the most critical point? The braking system is the most critical part of that ecosystem. Looking into these critical aspects from the SCLC is extremely important.”
Following these recommendations and bringing connectivity partners into the dialogue is Khanna’s take-home message, and definitely words to live by.