
Cybersecurity Challenges in The Aerospace and Defense Industry

Many sectors in a modern economy are perceived to be critical to our nation’s economic well-being. The aerospace and defense sector is uniquely positioned, as it is crucial not only to the economy but also to national security. A cybersecurity breach in this sector could cause direct financial damage, weaken our national defense and competitive position, and put lives at risk.


The aerospace and defense sector faces sophisticated cyber attacks from the most advanced adversaries, such as Advanced Persistent Threat (APT) groups, who typically work in association with nation-states to pursue multiple objectives. The goals of a cyber campaign against an aerospace and defense company could include:

  • Stealing intellectual property to advance domestic aerospace and defense capabilities
  • Developing countermeasures to technologies exposed by the breach
  • Producing competing technologies for sale
  • Collecting valuable intelligence with which to monitor, infiltrate and subvert other nations' defense systems and capabilities

Challenges to Aerospace and Defense Sector

Attackers will continue targeting the aerospace and defense sectors in search of information that could provide their sponsors with military and economic advantages. Multiple factors may influence future threat activity towards these sectors including: 

  • Reducing R&D costs by stealing intellectual property could create a competitive advantage permitting the sale of comparable technologies at lower prices. 
  • The need to secure numerous less sophisticated third-party partners in the supply chain, which are potentially vulnerable access points to larger defense contractors' networks or IP.

Protecting Sensitive Data

National security concerns highlight the importance of data security for defense companies. Beyond the threat to national security, cyberattacks can disrupt supply chains, increase costs, delay scheduling, and cause significant financial and reputational damage.


Some of the most common data targets include:  

  • Budget Information. Having access to a rival's financial and pricing data could create a competitive advantage.
  • Business Communications. Understanding strategic objectives, potential markets and future development would be invaluable to adversaries.
  • Equipment Maintenance Records & Specifications. Detailed information on how platforms operate and their inherent weaknesses could result in the development of active exploits.
  • Personally Identifiable Information. Sensitive personal data can be used for identity theft, spear-phishing, social engineering and other tactics against employees to gain access to critical networks.
  • Product Designs/Blueprints. Accessing detailed schematics could allow a nation-state to leapfrog through rapid development and deployment of new defense technology.
  • Production Processes. How a firm builds a product is almost as important as what they produce. Understanding the production process and cycle can provide insight into weaknesses and potential improvements in production. 
  • System Log Files. Raw performance data and system information could provide insight into how a defense platform operates and interacts with the operational environment.  
  • Testing Results & Reports. Stealing test results of evaluations assessing performance could allow a nation-state to accelerate the development process and reduce cost.


Sector Breaches Highlight Risk 

As attackers seek out sensitive data to exploit for strategic advantage, aerospace and defense firms must maintain vigilance by instituting a robust cybersecurity program. Some recent examples show that if firms fail to adequately protect their systems, they risk financial loss and erosion of customer trust.  

F-35 Plans Compromised 

A small Australian subcontractor on the F-35 fighter project—a plane that will cost American taxpayers US $1.5 trillion over its lifespan—suffered a severe cybersecurity breach that was confirmed by the DOD. Reuters found that about 30 gigabytes of data was stolen in the cyber attack, including details of the F-35 Joint Strike Fighter warplane, according to a presentation on the attack by an Australian government official. The attackers used a known vulnerability to gain access to the company's IT Helpdesk Portal server, which was connected to files shared on an internal network server containing information on the F-35 fighter. The attackers gained access using the domain administrator's account, whose passwords had never been changed from the defaults "admin" and "guest."

Rheinmetall AG IT systems disrupted

German firm Rheinmetall AG is one of the world's top suppliers of military equipment and systems. In September 2019, the company's automotive group, Rheinmetall Automotive, was attacked by adversaries targeting automotive plants in Brazil, Mexico, and the United States. The multi-day cyberattack resulted in "normal production processes…experiencing significant disruption." The manufacturer was forced to shut down its production line for more than two weeks to resolve the situation.

Japanese Defense Contractors Breached

Two leading defense contractors, Pasco and Kobe Steel, which also operates under the global trade name Kobelco, both admitted they were the subject of a significant data breach in 2018. 

An official statement from Pasco indicated that the attackers did not steal any information; however, financial publication The Nikkei reported that approximately 250 files containing personally identifiable data and information regarding the Ministry of Defense were stolen from Kobelco servers. Kobe Steel manufactures submarine parts for the country's military.

Regulatory Response to Sector Risk 

In response to ever-evolving cyber attacks on the aerospace and defense industry, governments are proactively identifying cybersecurity risks and requiring cybersecurity defenses in the industry. Consequently, several regulatory responses were developed:

Defense Federal Acquisition Regulation Supplement (DFARS)

In November 2010, the White House issued Executive Order (EO) 13556. The primary goal of this legislation was to create a set of best practices and standards for the management and safekeeping of Controlled Unclassified Information (CUI) across both civilian and defense agencies within the federal government.

The Defense Federal Acquisition Regulation Supplement (DFARS) adds to the Federal Acquisition Regulation (FAR), which governs how the US federal government acquires supplies, services, and materials. DFARS is an addendum of rules, regulations, codes and guidelines that the Department of Defense maintains to manage its acquisition processes.

The Department of Defense (DoD) has provided direct guidance to any firm that seeks a contract. To meet the minimum requirements, DoD contractors must:

  • Provide adequate security to safeguard covered defense information that resides in or transits through their internal unclassified information systems from unauthorized access and disclosure.
  • Rapidly report cyber incidents and cooperate with the DoD to respond to these security incidents, including providing access to affected media and submitting malicious software.

DFARS compliance is mandatory for any outside organization that conducts business with the DoD. Any CUI received from the Department must have specialized mechanisms in place to mitigate breaches.

NIST Special Publication 800-171

To provide a sense of uniformity and ensure the legislation was not overly restrictive or complex, the National Institute of Standards and Technology (NIST) issued Special Publication 800-171. The NIST Special Publication 800-171 requirement was developed to ensure that firms working with the Department of Defense would have standardized methods in place to protect sensitive information.

This regulatory document states that "protection of Controlled Unclassified Information (CUI) while residing in nonfederal information systems and organizations is of paramount importance to federal agencies and can directly impact the ability of the federal government to successfully carry out its designated missions and business operations."

Contractors audited by the Department of Defense and found to be non-compliant with DFARS NIST SP 800-171 could face an immediate stop-work order. In such a situation, work will be suspended until the firm implements suitable security measures. The Department may impose financial penalties or seek damages.

Cybersecurity Maturity Model Certification (CMMC)

The Cybersecurity Maturity Model Certification (CMMC) is a verification system released by the Department of Defense to ensure that cybersecurity controls and processes adequately protect Controlled Unclassified Information (CUI) that resides on Defense Industrial Base (DIB) systems and networks.

When fully operational, the CMMC will be mandatory for any firm doing business with the Department at any level.

The Department of Defense implemented requirements for safeguarding Covered Defense Information (CDI) and cyber incident reporting through DFARS in October 2016. Contractors were required to verify that adequate security controls required by NIST SP 800-171 were implemented within contractor systems to ensure that CDI confidentiality was maintained and enforced.

There will be five certification levels to the CMMC:

  • Level 1 – Basic Cyber Hygiene. Includes basic cybersecurity, including universally accepted common best practices. 
  • Level 2 – Intermediate Cyber Hygiene. Includes universally accepted cybersecurity best practices. Practices are documented, and access to CUI data will require multi-factor authentication.
  • Level 3 – Good Cyber Hygiene. Includes coverage of all NIST SP 800-171 controls. Processes at Level 3 are maintained and followed, including a comprehensive knowledge of cyber assets. 
  • Level 4 – Proactive. Includes advanced and sophisticated cybersecurity practices. Methods are regularly reviewed, adequately resourced, and continuously improved. 
  • Level 5 – Advanced / Progressive. Includes highly advanced cybersecurity practices, including continuous improvement across the enterprise and defensive responses performed at machine speed.

Importance of Cybersecurity of Defense Sector Only Growing

The vast and complex network of third-party stakeholders in the aerospace and defense supply chain is facing an increasing number of attacks from state-sponsored actors, who target less sophisticated, small third parties in the supply chain and use these victims as a vector to access large defense contractors.

Adversaries have regularly exploited supply chain vulnerabilities to launch sophisticated cyberattacks to gather sensitive data. Threat actors may target defense technologies to create disruptions on the battlefield or to steal intellectual property to reduce costs and produce and sell new products at lower prices, giving themselves a competitive advantage in this market space.

CyLogic builds, operates, and continuously monitors dedicated cloud platforms for enterprises that require the highest level of security with total control of their data. Our proprietary platform, CyCloud, exceeds the DFARS frameworks, NIST SP 800-171, and Level 5 CMMC compliance.
