Supply chains are becoming increasingly more digital and geographically dispersed. Everything from raw material procurement to finished product delivery is potentially exposed to physical and virtual risk, including single points of failure or vulnerability through manipulation. Any such disruption to supply chains can quickly lead to significant impact on revenues while also risking the loss of sensitive data or intellectual property.
The nature of the aerospace and defense (A&D) industry is such that there is a wide spectrum of threat -- from highly sophisticated peer nation states to “hacktivists” and casual thrill seekers. The leakage of weapons-grade cyberattack tools from governments has resulted in a rapid proliferation of readily available malware. Ransomware attacks significantly spiked during the COVID-19 pandemic, with the recent Colonial Pipeline incident being a notable example. Not only do threat actors have an arsenal of sophisticated tools, but they’ve also repositioned their attack vectors. Attacking supply chains is not a new strategy, but their shape and nature in today’s day and age makes all suppliers in the industry extremely vulnerable to disruption from a cybersecurity incident.
Some industry estimates suggest 40% or more of all cyberattacks originate through the extended supply chain. The SolarWinds attack demonstrated the frailty of supply chain cybersecurity: A software component was compromised on the factory floor, resulting in the embedding of malicious remote-control capabilities into the finished code. This code was then distributed to customers of SolarWinds by an approved and secure update process.
Among the several recent attacks targeting A&D companies, one of note was in 2019 against ASCO Industries. The breach, discovered when the company was about to be acquired, forced the Belgian supplier to halt its operations temporarily and it reduced the company’s total valuation by $150 million. This incident demonstrated the potential level of disruption and provides another data point for quantifying the financial impact of cyber-related risks.
Hardware, firmware, and software attacks on IT/OT/IoT/IIoT systems have continued unabated for many years but are becoming increasingly more effective. As more platforms rely on the system-at-edge functions, the low-hanging fruit lies in software and configuration data because they are easier targets to hit. Governments have recognized the risks to nationally important industry segments and have responded through legislation. This response exacerbates the issues by adding complexity to the cybersecurity equation when addressing all components in the supply chain itself.
NIST has developed Special Publication 800-171 as a reference guide to protecting controlled unclassified information in nonfederal systems. Compliance with the framework is highly recommended for A&D suppliers and is selectively required for defense contractors. As the complexity of threats increases, it becomes obvious that static analysis by itself is insufficient to reduce the threat to acceptable levels.
The U.S. Department of Defense (DoD) has developed the Cybersecurity Maturity Model Certification (CMMC) to improve cyber resilience across the global supply chains of key industry segments. CMMC becomes fully enforced by 2026 and requires primes along with their suppliers to have certified cybersecurity audit results against the CMMC control objectives. This includes demonstrating plans to advance cybersecurity maturity over time or risk not complying with purchasing laws for Federal Acquisition Regulation/Defense Federal Acquisition Regulation Supplement. UK and EU adoption of similar requirements are underway. Given that defense-related purchasing receives government oversight with an extended footprint into commercial realms, aerospace is becoming increasingly scrutinized along similar lines as its defense counterparts. Existing certifications such as Safety-Critical Software for Airborne Systems (DO 178C) or the European equivalent, ED-12B, are both static assessments of software embedded in airborne systems. As the world of software-defined becomes more adopted into A&D markets, a more dynamic approach will need to be considered.
CMMC applied to supply chain security provides a means to convey relative security from beginning to the end. The more important the product or service function, the more critical it is to have a means to evaluate and measure trust upon delivery and throughout its lifecycle. Therefore, securing the elements of your supply chain and then providing the means to verify its fidelity is a big step toward less vulnerable products and services.
Clearly, good cybersecurity hygiene is essential. Defining effective access governance including timely audit, principles of least privilege applied at all levels, solid systems audit, and analysis on an ongoing basis all contribute to a reduction in cyber risk. Zero trust is an up-and-coming concept that has been under discussion for a long time. All of the principles discussed fit hand-in-glove with the zero-trust concept, whereby each and every element needs to be evaluated for trustworthiness.
Organizations must start to prepare for the phased implementation of CMMC and the expectation of demonstrably improving their cybersecurity maturity. The CMMC model defines five steps of maturity. While it is not expected all organizations will be at Level 5, it is important that progress in improving maturity can be demonstrated over time.
The following are key considerations for A&D security and vendor management leaders in the short term:
- How auditable are the security controls of your supply chain? Can you and your suppliers demonstrate their effectiveness?
- What parts of your cybersecurity framework lack maturity and what steps can be taken to evolve that maturity?
- How can your security leaders work with procurement and operations to guide suppliers to deliver safe and secure products across all aspects of product design, development, and delivery of finished goods and services?
- How can your team confirm each step of the supply chain is trustworthy and how will that trust be conveyed throughout the supply chain?
- Is “secure by design” baked into your design processes and conveyed in a secure fashion to give end users the ability to develop their own zero-trust model and confirm that all elements are safe at delivery?
- What continued measurement and monitoring mechanism allows your customers access to a trust chain that ends with their assured solution?
How the industry responds to these considerations will ultimately determine how we raise the bar and minimize the possibility of damage and disruption. As DoD budget increasingly shifts from platforms to systems integration and connected sensors (e.g., JADC2), the stakes are rising. In a world where all weapons systems are connected to an IoT network, any possible security breach must be prevented. Therefore, security must be an inherent feature of every trusted market enabler and not considered an extraneous cost with variable results.