Cybersecurity Challenges in The Aerospace and Defense Industry

The aerospace and defense sector faces sophisticated cyber attacks from the most advanced adversaries such as Advanced Persistent Threat (APT) groups who are typically working in association with nation-states to pursue multiple objectives. The goals of a cyber campaign against a Aerospace and Defense company could include:

The aerospace and defense sector faces sophisticated cyber attacks from the most advanced adversaries

Challenges to Aerospace and Defense Sector

Attackers will continue targeting the aerospace and defense sectors in search of information that could provide their sponsors with military and economic advantages. Multiple factors may influence future threat activity towards these sectors including: 

Protecting Sensitive Data

National security concerns highlight the importance of data security for defense companies. Beyond the threat to national security, cyberattacks can disrupt supply chains, increase costs, delay scheduling, and cause significant financial and reputational damage.

cyberattacks can disrupt supply chains, increase costs, delay scheduling, and cause significant financial and reputational damage.

Some of the most common data targets include:  

Sector Breaches Highlight Risk 

As attackers seek out sensitive data to exploit for strategic advantage, aerospace and defense firms must maintain vigilance by instituting a robust cybersecurity program. Some recent examples show that if firms fail to adequately protect their systems, they risk financial loss and erosion of customer trust.  

F-35 Plans Compromised 

A small Australian subcontractor on the F-35 fighter project—a plane that will cost american taxpayers the US $1.5 trillion over its lifespan—suffered a severe cybersecurity breach that was confirmed by the DOD. Reuters found that about 30 gigabytes of data was stolen in the cyber attack, including details of the F-35 Joint Strike Fighter warplane according to a presentation on the attack by an Australian government official. The attackers used a known vulnerability to gain access to the company's IT Helpdesk Portal server, which was connected to files shared on an internal network server containing information on the F-35 fighter. The attackers gained access using the domain administrator's account whose passwords had never been changed from the defaults "admin" and "guest." 

about 30 gigabytes of data was stolen in the cyber attack, including details of the F-35 has context menu

Rheinmetall AG IT systems disrupted

German firm Rheinmetall AG is one of the world's top suppliers of military equipment and systems. In September 2019, the company's automotive group, Rheinmetall Automotive, was cyber attacked by adversaries targeting automotive plants in Brazil, Mexico, and the United States. The multiple days cyberattack resulted in "normal production processes…experiencing significant disruption." The manufacturer was forced to shut down its production line for more than two weeks to resolve the situation.

Japanese Defense Contractors Breached

Two leading defense contractors, Pasco and Kobe Steel, which also operates under the global trade name Kobelco, both admitted they were the subject of a significant data breach in 2018. 

An official statement from Pasco indicated that the attackers did not steal any information; however, financial publication The Nikkei reported that approximately 250 files containing personally identifiable data and information regarding the Ministry of Defense were stolen from Kobelco servers. Kobe Steel manufactures submarine parts for the country's military.

‍Regulatory Response to Sector Risk 

As a response to ever evolving cyber attacks on the aerospace and defense industry, governments are proactively identifying cybersecurity risks and requiring cybersecurity defense in the industry. Consequently, several regulatory responses were developed.

Defense Federal Acquisition Regulation Supplement (DFARS)

In November 2010, the White House issued Executive Order (EO) 13556. The primary goal of this legislation was to create a set of best practices and standards for the management and safekeeping of the Controlled Unclassified Information (CUI) data across both civilian and defense agencies that reside within the federal government. 

The Defense Federal Acquisition Regulation Supplement (DFARS) adds to the Federal Acquisition Record (FAR), which governs how the US federal government acquires supplies, services, and materials. DFARS is an addendum of rules, regulations codes and guidelines that the Department of Defense maintains to manage their acquisition processes.

The Department of Defense (DoD) has provided direct guidance to any firm that seeks a contract. To meet the minimum requirements, DoD contractors must:

DFARS compliance is mandatory for any outside organization that conducts business with the DoD. Any CUI received from the Department must have specialized mechanisms in place to mitigate breaches.

NIST Special Publication 800-171

To provide a sense of uniformity and ensure the legislation was not overly restrictive or complex, the National Institute of Standards and Technology (NIST) issued Special Publication 800-171. The NIST Special Publication 800-171 requirement was developed to ensure that firms working with the Department of Defense would have standardized methods in place to protect sensitive information.

This regulatory document states that "protection of Controlled Unclassified Information (CUI) while residing in nonfederal information systems and organizations is of paramount importance to federal agencies and can directly impact the ability of the federal government to successfully carry out its designated missions and business operations."

Contractors audited by the Department of Defense and found to be non-compliant with DFARS NIST SP 800-171 could face an immediate stop-work order. In such a situation, work will be suspended until the firm implements suitable security measures. The Department may impose financial penalties or seek damages.

Cybersecurity Maturity Model Certification (CMMC)

The Cybersecurity Maturity Model Certification (CMMC) is a verification system released by the Department of Defense to ensure that cybersecurity controls and processes adequately protect Controlled Unclassified Information (CUI) that resides on Defense Industrial Base (DIB) systems and networks.

When fully operational, the CMMC will be mandatory for any firm doing business with the Department at any level

The Department of Defense implemented requirements for safeguarding Covered Defense Information (CDI) and cyber incident reporting through DFARS in October 2016. Contractors were required to verify that adequate security controls required by NIST SP 800-171 were implemented within contractor systems to ensure that CDI confidentiality was maintained and enforced.

There will be five certification levels to the CMMC:

Importance of Cybersecurity of Defense Sector Only Growing

The vast and complex network of third party stakeholders in the aerospace and defense supply chain is facing an increasing number of attacks from state-sponsored actors seeking to target less sophisticated, small third parties on the supply chain to use these victims as a vector to access large defense contractors. 

Adversaries have regularly exploited supply chain vulnerabilities to launch sophisticated cyberattacks to gather sensitive data. Threat actors may target defense technologies to create disruptions on the battlefield or to steal intellectual property to reduce costs and produce and sell new products at lower prices, giving themselves a competitive advantage in this market space.

CyLogic builds, operates, and continuously monitors dedicated cloud platforms for enterprises that require the highest level of security with total control of their data. Our proprietary platform, CyCloud, exceeds the DFARS frameworks, NIST SP 800-171, and the Level 5 CMMC compliance.

‍