Verizon: Available vs Confidential Data & IIOT Cybersecurity
Verizon Business is one of the most influential telecommunications leaders in the world. With a 2023 revenue of US$134.0bn, Verizon operates across more than 150 countries and has served 99% of the members of the Fortune 500.
A vital aspect of the company’s offering is its consultancy services, particularily in the area of cybersecurity.
Verizon Business manages over 4,200 networks globally, processes 34 million raw logs of data annually and operates nine security operation centres worldwide.
By leveraging this capacity and experience, Verizon provides around-the-clock protection against cyber threats, helping clients strengthen security resilience, monitoring and proactiveness.
Over the years, Verizon Business has developed a strong relationship with the manufacturing industry, especially as it has embraced the transformative power of Industry 4.0.
Verizon Business’s Security Consulting Services are helping manufacturers tackle the sectors well known vulnerability to cybercrime, navigating the security challenges of OT and IT integration.
Challenges which are compounded and made distinct according to Ashish Khanna, Senior Managing Director of the Security Consulting Services division through differing types of data.
A cybersecurity & consulting expert
An experienced thought leader and cybersecurity expert, Ashish helps manufacturers develop and implement security strategies that serve business objectives, creating profound operational change and improve security outcomes across the value chain.
"I’m responsible globally for the practice, ensuring that what we are doing for our customers is fit for purpose and aligned to their outcomes,” Ashish says.
"This is a consulting business, and mine is a business-driven role. I’ve been within the industry for nearly 25 plus years and my career started with network security and cyber defence.”
Before joining Verizon Ashish worked as a Senior Consultant at Deloitte and ran Accenture’s cybersecurity, playing a critical role in its CST practice.
"I've built a lot of stacks and a lot of large security teams throughout my career,” he reflects.
“And now I’m working within Verizon to help our customers. We have a great team here who help customers in their transformation journey to become more secure.”
Ashish’s role at Verizon builds on his extensive experience advising C Level SSOs and CIOs in the media, entertainment and retail manufacturing industry on cybersecurity.
He has rich knowledge of the nuances and challenges of the manufacturing sector, and understands the necessity of building cybersecurity strategies that align with broader strategic business aims.
“I've really enjoyed working with customers trying to understand and also learn from them about the complexities and the challenges associated with the manufacturing sector,” Ashish says.
"Because of the complexity, because of the downtime, often a change request is not as simple as it appears. It’s a very interesting, transforming industry that requires a distinct approach to cybersecurity.”
Ashish explains this distinct approach is informed by two data types, or really, cultures that form in manufacturing.
These two data cultures are inherently linked to the challenge of IT and OT interoperability, a defining aspect of the conversation around digital transformation and cybersecurity.
The challenge of IT/ OT interoperability
During his interview, Ashish shared an eye-opening statistic: 60% of manufacturers have embraced IIoT in the manufacturing or assembly processes.
While this is impressive and exciting news, it's also a number that invites the question of what is holding that remaining 40% back.
Ashish says that the biggest drivers of hesitation when it comes to IIoT integration are interoperability issues- issues which are at their core about communication.
“In the past, the OT systems, or the manufacturing systems were kept isolated,” he explains.
“There used to be different communication protocols, but now with the user interfaces for these systems and IoT convergence as well, they’re using the same IP protocols that you use for the Internet, and that presents some security challenges
"There are lots of processes and there's a lot of assembly that happens as part of the orchestration. So as we go through that, there are interoperability issues, that question of how do we communicate between different devices and protocols?"
An area where this is especially prominent is secure remote connectivity.
"We all like to work remotely, right?” Ashish says. “ Vendors would love to do so as well, but secure remote connectivity poses specific security issues.”
Challenges like ensuring the security of legacy devices and adherence to cybersecurity standards whilst remote.
A data culture clash: availability vs confidentially
Core to the cybersecurity challenge of IT/ OT convergence is the need to manage two distinct cultures and approaches around data in manufacturing- availability and confidentiality.
“When we talk about the IT systems, it's heavily weighted towards confidentiality, protecting the data,” Ashish says. “Meanwhile availability is the primary objective of the OT systems and the industrial processes, as they need to improve and stay operational.”
Ashish explains that for this reason cybersecurity resilience strategies have to look different for manufacturing environments- multi-pronged with comprehensive recovery planning.
These two distinct data cultures create greater opportunities for cybercriminals to extort and attack manufacturers, through breaching confidentiality or by disrupting operations.
A pipeline disruption may not impact secure IT data, but it will have a profound impact from an availability perspective on manufacturers.
Too often when we speak about the Industrial Internet of Things, the focus is all internet rather than industry.
Though AI and automation are difficult concepts to physically conceptualise, it's critical to remember that their benefits are enacted through physical machines.
“OT has a different reporting structure as well, due to the fragility of the OT equipment,” Ashish explains.
“There’s a fuzzy logic within the OT. You know there are different suppliers, different manufacturers who each have their own energy requirements and their own changing requirements.
“Each has their own latency requirements in terms of how they connect to the network. So there's quite an open stack, so they don’t respond well to the same principles applied to security scanning and vulnerability management as they do in other sectors.”
OT/ IT convergence is a cybersecurity concern in part because of the gulf between IT and OT.
These areas have differing data cultures and differing levels of engagement.
As digital transformation surges ahead and manufacturers pursue the latest innovations, many of their production machines haven't been updated or patched in years.
This creates cybersecurity further risks and is precisely because of the need for data availability.
No time to patch
Ashish notes a major challenge surrounding IIOT integration and cybersecurity is the lack of patching common in OT environments.
"Because availability is so critical, so important there is a lack of patching,” Ashish says.
“You cannot patch an operating system on a manufacturing plant without downtime, which manufacturers seek to avoid.”
He refers to an example of a customer that hadn’t stopped their plant for nearly seventeen years, not patching it in all that time.
"They know it’s a legacy system, and still haven’t patched it,” Ashish says.
"They know the risk, they have got mitigations around to transfer that risk, but still they haven’t patched it. And the reason they haven’t patched it is because the associated downtime would lead to billions of dollars of losses and supply chain risk because they have got trucks standing to pick the orders.”
"This then impacts traffic management, as this will block the whole city’s traffic picking up products. This is an example of how considering OT infrastructure is critical from an interoperability and cybersecurity perspective.”
Downtime can have a cascading effect, impacting multiple ecosystems and even the surrounding geography and environment of a factory.
Therefore keeping data available in such scenarios is an absolute necessity.
Verizon Security Consulting: enhancing cyber resiliency
"OT is enabling the technology for the 4th Industrial Revolution. But with that and the blurred lines between the physical and digital worlds, a lot is resting on successfully coordinating these massive, ongoing forms of communication.”
Ashish says that many manufacturers have realised that having resiliency and quick time to recovery is one of their most vital OT cybersecurity considerations.
They are therefore treating resilience as a priority during every stage of the IIOT adoption process.
"This includes during the cycle across the software development tool, the incubation to the production deployment of these systems that are taking full staging,” says Ashish.
"Not just from the implementation, but also from implementation to how they’re decommissioned at the end so that whole life cycle is playing a huge proliferation within the cybersecurity landscape.”
With this in mind, Verizon Security Consultancy takes a holistic approach to evaluating cyber resilience within IIOT-enabled manufacturing environments.
Governance is a critical area they evaluate, assessing cyber programmes across the entire value chain, across stakeholders and the organisation.
Manufacturing is full of partner dependencies, and cybersecurity for this sector is about maintaining both internal operations and a broader digital supply chain.
Ultimately, they seek to address and unite the cybersecurity needs of IT and OT systems, ensuring the availability and privacy of data is maintained whilst enhancing overall cyber resiliency.
******
Make sure you check out the latest edition of Manufacturing Digital and also sign up to our global conference series - Procurement & Supply Chain 2024 & Sustainability LIVE 2024
******
Manufacturing Digital is a BizClik brand.