A deep dive into aerospace and defence cyber security and awareness

In this comprehensive guide for cyber security decision-makers in aerospace and defence organisations, we will explore the evolving landscape of cyber threats, the imperative for heightened security awareness, and the solutions and partnerships that can fortify your defences.

The state of cyber threats in the aerospace and aviation sector

The aerospace and aviation sector, crucial to global transportation and commerce, faces a growing onslaught of cyber threats. In Europe, 52 successful attacks were reported in 2020 and 48 successful attacks were reported in 2021 … but 2022 saw 50 attacks in just its first 6 months. So cyber incidents in 2022 have reached the average of 2020 and 2021 just eight months. A further eight military-related aerospace incidents were recorded and aimed at cyber espionage and data theft.

Cyberattacks in this sector can have wide ranging consequences. For example, imagine a scenario where a cyberattack targets a major airline's reservation system, resulting in mass flight cancellations, chaos at airports, financial and social disruption, and reputational damage. Well, it happened; in March 2021, IT supplier SITA, which handles bookings for 90% of the world’s airlines was hacked.

Or picture a hack into an aerospace manufacturer's design files, potentially compromising the safety of future aircraft or stealing data and designs for competitors.

1. Why the aerospace and aviation sector needs security awareness

Security awareness is the first line of defence against cyber threats. In an industry where safety is paramount, fostering a culture of cyber security is essential. In this sector, cyber attackers often target employees through phishing attempts, exploiting human vulnerabilities. Eurocontrol data shows a 530% year-on-year rise from 2019 to 2020 in reported incidents across the aviation industry, and with airlines targeted in 61% of all 2020 aviation cyber-attacks. In the same report, Eurocontrol reveals the "Big 3" attacks used to target aerospace are fake websites, data theft and phishing – but we can combat this with training and awareness.

Visualise an aerospace engineer recognising a suspicious email and reporting it, thwarting a potential cyberattack. Envision a pilot receiving training on the risks of connecting personal devices to onboard systems, preventing potential breaches. This is the power of cyber security training and awareness.

2. What cyber risks and threats does the aerospace and aviation sector face?

In the ever-expanding skies of the aerospace and aviation sector, cyber risks and threats loom as persistent challenges that demand constant vigilance. The most common types of attacks over the past three years have been ransomware attacks (22%), data breaches (18.6%), phishing attacks (15.3%) and DDoS aka Distributed Denial of Service attacks (7.3%), however there are more.

This section dives deeper into the multifaceted cyber landscape that this industry faces, shedding light on the diverse spectrum of risks and threats that must be confronted head-on.

• Supply chain vulnerabilities: a web of interconnected risks

At the heart of the aerospace and aviation sector lies a complex web of global supply chains, which while efficient, also introduce vulnerabilities. Cyber attackers keenly target these intricate networks, seeking to exploit weaknesses within the supply chain ecosystem. Picture an aerospace manufacturer's intricate supply chain network. A cybercriminal breaches a subcontractor's network, potentially gaining access to sensitive aerospace designs and compromising the integrity of the final product. Or in April 2022, Canadian airline Sunwing Airlines experienced four days of delays after the third-party software system it used for check-in and boarding was breached by hackers. The attack forced Sunwing to resort to manually checking in passengers in an effort to minimise disruption to its schedule.

• IoT (Internet of Things) and remote access risks: exploiting connectivity

The proliferation of IoT devices and remote access points in aviation introduces new avenues of risk. Smart airports aka Airports 4.0 are popping up all over the world. Statista data reveals that 43% of airports are implementing IoT initiatives. Interconnected devices, while enhancing operational efficiency, create potential entry points for cybercriminals. Imagine a scenario where a connected aircraft's in-flight entertainment system is compromised, endangering passenger safety and privacy, highlighting the far-reaching implications of IoT vulnerabilities. However, 59% of airports are implementing cyber security measures to defend against common cyber threats.

• Regulatory compliance challenges: balancing aviation safety and cyber security

The aviation sector must strike a delicate balance between stringent safety regulations and emerging cyber security mandates. Compliance with aviation safety standards must now harmonise seamlessly with the cyber security imperative, adding a layer of complexity to the industry's operations. An airline navigating the intricate compliance landscape hit by a breach could result in regulatory penalties, financial losses, and damage to the airline's reputation. In Europe, the EASA presented a new cyber regulation (Part-IS) that was adopted by European Parliament in 2022, which will be added to nearly all existing aviation safety regulations by 2025, for them to consider cyber risks and manage them through a certified information security management system.

• Human error: unintentional consequences

Despite advanced technology, the human element remains a significant cyber risk. Employees, often unknowingly, can introduce vulnerabilities or make mistakes that open the door to cyber threats. An airline's IT department employee inadvertently clicking on a phishing email, unknowingly unleashing malware onto the network and potentially jeopardising flight operations is rooted in social engineering but that comes from human error. According to Boeing, occurrences of ransomware inside the aviation supply chain are up 600% in just one year.

• Intellectual property theft: protecting aviation innovations

The aerospace and aviation sectors are at the forefront of technological innovation. As such, protecting intellectual property from cyber espionage is paramount. 20% of global organizations consider cyber espionage to be their number-one threat. Competing nations and cybercriminal organisations relentlessly target proprietary designs and breakthrough technologies. For example, the target could be a cutting-edge aviation company's research and development lab. An insidious cyber actor targets the lab's network, stealing blueprints for next-generation aircraft, potentially undermining the company's competitive advantage.

• Advanced Persistent Threats (APTs): State-sponsored intrusions

State-sponsored cyber actors often orchestrate APTs against aerospace and aviation organisations. These prolonged and sophisticated campaigns aim to infiltrate critical systems and extract sensitive information. A state-sponsored APT campaign targeting a defence contractor could entail attackers meticulously compromising the organisation's network, stealing sensitive military technology specifications, and posing a severe national security risk. Statistics indicate that as many as 35% of all politically motivated cyberattacks have links with China or Russia, with 26.3% of all cyber warfare strikes are directed towards the United States. We’ve seen heightened cyber attack levels in this area as the Ukraine/Russian conflict persists; in March 2022, an unidentified group (presumed to be the Anonymous Hacking Group) carried out an extremely effective attack on the Russian Federal Air Transport Agency. As part of the attack, all aircraft registration data, and emails, totalling approximately a massive 65 terabytes of data, were deleted from the Agency's servers.

• Insider threats: the danger within

Personnel with access to sensitive information can pose significant insider threats. Whether through negligence, malice, or coercion, these insiders can compromise security from within. This could be a disgruntled aerospace engineer, lured by an external actor, intentionally sabotaging aircraft designs, potentially endangering countless lives and exposing the organisation to massive liabilities. Bridewell research highlights a staggering 180% surge in security incidents related to employee sabotage within aerospace and aviation organisations in just one year, with 34% of decision-makers in the industry anticipating a rise in internal employees turning to cybercrime as a direct consequence of the cost-of-living crisis.

Understanding these multifaceted challenges is the first step in building robust defences and ensuring the safety, security, and reputation of the industry. From supply chain vulnerabilities to the human element, each facet demands meticulous attention and proactive measures to safeguard this critical sector from the ever-evolving cyber landscape.

The state of cyber threats in the defence sector

The defence sector operates at the forefront of national security. However, it is also a prime target for cyber adversaries. For example, the US Department of Defence (DOD) continues to be the target of cyber-attacks, experiencing over 12,000 cyber incidents between 2015 and 2022.

Cyberattacks in this sector can have wide ranging consequences. For example, envision a state-sponsored cyberattack compromising the communications network of a military base, disrupting vital operations, and putting the operations and lives of military personnel in danger. Or consider the theft of classified defence plans through a cyber espionage campaign, potentially compromising national security and the global security and reputation of your defence organisation and nation.

1. Why the defence sector needs security awareness

In the defence sector, security awareness is a matter of life and death. Beyond the protection of classified information, it ensures the readiness of military forces and the integrity of command and control systems. Picture a scenario where a vigilant soldier detects a malware-infected USB drive and prevents it from infecting military systems. Or visualise a naval officer recognising a phishing attempt on his organisational device that could compromise the navigation systems of a warship. This is the power of cyber security training and awareness.

2. What cyber risks and threats does the defence sector face?

In the modern era of defence, where the boundaries of conflict extend into the digital realm, the defence sector faces a formidable array of cyber risks and threats. This section unveils the intricate tapestry of challenges that permeate this sector, offering a comprehensive exploration of the diverse threats and vulnerabilities that require constant vigilance.

• Advanced Persistent Threats (APTs): Nation-state aggressors

At the forefront of the defence sector's cyber risk landscape are advanced persistent threats (APTs) orchestrated by nation-state actors. These relentless and highly sophisticated campaigns often seek to infiltrate critical defence systems, extract classified information, and potentially undermine national security. For example, a state-sponsored APT group, with deep pockets and advanced capabilities, meticulously infiltrates a defence agency's network. Their objective: exfiltrate classified military intelligence, which could compromise strategic plans and security. PurpleSec data reveals that 34% of companies experienced damage to their reputations after an APT attack, 68% of companies experienced data loss after an APT attack and 78% of organisations experienced downtime.

• Insider Threats: the trojan horses within

The 2023 Insider Threat Report by Cybersecurity Insiders states that 74% of organisations are at least moderately vulnerable to insider threats. Insider threats loom as a persistent concern. Individuals with access to sensitive defence information can unwittingly or maliciously jeopardise security from within, making personnel a potential source of risk. Such as an insider, motivated by financial gain or coercion, exploiting their privileged access to defence systems to steal classified data, ultimately endangering national security and the lives of servicemen and women.

• Emerging technologies: a double-edged sword

The integration of emerging technologies such as artificial intelligence (AI), Internet of Things (IoT) devices, and quantum computing introduces both opportunities and vulnerabilities. While these technologies offer innovative capabilities, they also open new attack vectors. For instance, a defence organisation embracing the power of AI for decision-making and logistics, could allow an adversary to exploit potential vulnerabilities in the AI system, causing strategic missteps and disruptions in military operations.

• Regulatory compliance: a complex landscape

Navigating the intricate landscape of regulatory compliance compounds the defence sector's challenges. Adhering to stringent national and international cyber security regulations while preserving operational readiness requires a delicate balance. A defence contractor must meticulously align their operations with a web of regulations, from export controls to cyber security mandates because a compliance lapse could result in legal repercussions and financial penalties.

• Supply chain disruptions: vulnerabilities beyond borders

Defence supply chains extend across borders, introducing complex vulnerabilities. Cyber adversaries may exploit weaknesses in the global supply chain, potentially compromising the integrity of military equipment and systems. For example, a cyberattack on a foreign supplier's network could lead to the insertion of malicious code into critical defence hardware, compromising security and effectiveness.

• Geopolitical tensions: cyber frontlines

The defence sector operates in an environment of geopolitical tensions, where cyberattacks can be used as tools of statecraft. Cyber conflicts between nations create additional risks, necessitating heightened security measures. In fact, the geopolitical standoff between Russia and the Ukraine has created not only a combative physical environment but also a tense digital environment.

In the dynamic landscape of defence, confronting cyber risks and threats is an unceasing mission. Understanding the intricacies of these multifaceted challenges is paramount for building and maintaining robust defences to protect national security interests. From APTs to emerging technologies and regulatory compliance, each facet demands unwavering attention and proactive measures to secure the defence sector in an era where the digital battlefield is just as critical as the physical one.

Cyber awareness is an integral part of effective command and leadership

Effective command, control, and leadership in the aerospace and defence sectors require a deep understanding of the role of cyber security. It's no longer sufficient to view cyber security as a peripheral concern; it must be at the core of strategic decision-making.

Here's an expanded look at why cyber is integral to these critical facets of leadership:

• Safeguarding mission-critical systems: Effective command and control necessitate the protection of mission-critical systems. Modern military operations and aerospace endeavours are highly dependent on interconnected digital infrastructure. Leaders must ensure that these systems are secure to guarantee the success of missions and operations.
• Setting clear expectations: Leaders should articulate their expectations regarding cyber conduct and awareness. This includes defining acceptable online behaviour, emphasising the importance of reporting security incidents, and promoting a culture of vigilance. Picture a defence sector CEO addressing employees, outlining the organisation's commitment to cyber security and the role each individual plays in maintaining it. The standard gets set, the model is clear to see and behaviours will align with what leadership is promoting.
• Continuous training and education: To develop a cyber-savvy workforce, leaders must invest in ongoing training and education. Employees should have access to resources that keep them informed about the latest cyber threats and best practices and they should be permanently reachable.
• Encouraging proactive reporting: Leaders must also create an environment where employees feel comfortable reporting security incidents or potential threats without fear of repercussions. Promoting a "see something, say something" culture is crucial.
• Enhancing decision-making with cyber intelligence: Leadership in aerospace and defence requires timely and accurate information. Cyber intelligence provides critical insights into potential threats, vulnerabilities, and unsafe behaviours. Leaders must harness the power of cyber threat intelligence to make informed decisions.
• Cultivating a cyber-resilient culture: Effective leadership entails fostering a cyber-resilient culture throughout the organisation. Leaders must set the example by championing cyber security awareness and adherence to best practices. This culture ensures that employees at all levels prioritise security in their actions and decisions. If a military base's leadership actively promotes cyber security awareness among soldiers, they will be more vigilant, reporting suspicious activity promptly and preventing potential breaches.
• Recognising and rewarding cyber vigilance: Acknowledging and rewarding individuals who exhibit exemplary cyber conduct and awareness reinforces desired behaviours. Recognition can take various forms, from awards to career development opportunities. This will only foster the dissemination of the behaviours you want to see 24/7.

Personnel at all levels should be educated and engaged in cyber security. A collective commitment to cyber conduct and awareness ensures a cohesive defence against threats. Personnel in aerospace and defence organisations play a pivotal role in cyber security. Leaders must provide clear direction and actively drive the development of their approach to cyber conduct and awareness.

Awareness and training solutions available to you

Aerospace and defence organisations have access to a wide array of awareness and training solutions to bolster their cyber security posture. Here's a comprehensive overview of these solutions:

• Awareness training: Regular cyber security awareness training programs educate employees on the latest cyber threats and best practices. These programs should include simulated cyber exercise and scenario-based training to test their preparedness and knowledge.
• The role of cyber hygiene: Practicing good cyber hygiene remains a fundamental defence against cyber threats. Decision-makers should prioritise cyber security basics, such as software patching, strong password policies, and regular system updates. You must train and nudge employees into actively practicing good cyber hygiene with physical and digital signposts and materials to combat cyber threats and risks.
• Building cyber resilience: Cyber resilience goes beyond defence; it involves rapid recovery and adaptation. Leaders should develop and test cyber incident response plans to ensure business continuity in the face of cyber disruptions.
• Risk management: Comprehensive risk management strategies identify vulnerabilities in systems and processes. Leaders should prioritise risk assessments and prioritise mitigating high-risk areas. You can use a security awareness and behaviour research tool like TSC’s SABR to analyse your workforce’s behaviours and awareness levels in order to pull quality data on risk levels, threat potential and what attack surfaces you need to address.
• Phishing and social engineering prevention: Employees should undergo simulated phishing exercises and phishing training to recognise and resist social engineering attacks. These exercises help build resilience against common cyber threats and keeps the threat potential at the forefront of employee thinking.
• Privileged user access control: Limiting access to critical systems to authorised personnel reduces the risk of insider threats. Robust access control measures are essential to prevent unauthorised access. Employing a ‘Zero Trust’ policy could be a potential solution for organisations considering privileged user access control.
• Mobile and remote working cyber security: Given the prevalence of remote work, ensuring secure remote access for off-site employees is crucial. Robust mobile and remote working training and awareness materials on threats and risks they face are essential to protect against cyber threats.

Why it is time to assess your security culture

Assessing your security culture is not just a recommendation; it's a necessity. The Security Awareness and Behaviour Research (SABR) tool by The Security Company (TSC) offers a systematic approach to assess employee behaviour, security culture, and security gaps with quantitative data and analysis.

Quantitative insights for informed decisions

The SABR tool provides actionable data that goes beyond traditional qualitative assessments. It enables organisations to measure the effectiveness of their security awareness initiatives, identify areas of improvement, and make data-driven decisions to enhance their security culture. SABR can be tailored to your organisation and surveys how your employees behave, what cyber threats and risks you need to focus on and what solutions you need to employ.

A CISO, DPO or SRI can analyse our SABR’s multitude of data highlighting the need for increased cyber security training in a specific department, against a specific threat or even during a specific period. With this quantitative insight, the CISO can allocate resources effectively, justify budgets and engage board members with language and data they can connect with.

Cyber regulation is strengthening, compliance must reciprocate

As governments and international bodies strengthen cyber regulations, compliance becomes paramount. Organisations must align with these evolving standards to avoid legal and reputational consequences. Cyber regulation is becoming increasingly stringent in response to the evolving threat landscape. Leaders in aerospace and defence must recognise the importance of compliance and adapt their cyber security measures accordingly.

Compliance with cyber regulations is not just about avoiding legal repercussions; it's about ensuring the highest levels of security. Leaders should prioritise aligning their organisations with evolving cyber standards.

Working with the right partner

Collaborating with a specialised cyber security training and awareness company like The Security Company offers numerous benefits for aerospace and defence organisations:

• Expertise in cyber security training: TSC brings over 25 years of expertise in cyber security training and awareness. Our tailored programs cater to the unique needs of aerospace and defence organisations, keeping you well-prepared against emerging threats.
• Customised solutions: TSC offers customised solutions that align with the specific requirements and challenges of your organisation. Our programs can be specifically designed to address your own vulnerabilities and enhance cyber security awareness effectively. We can even build training and awareness materials from the ground up to fit your content, brand guidelines and design.
• Quantitative data and analysis: With the SABR tool, TSC provides quantitative data and analysis to measure the effectiveness of your security awareness initiatives and what you need to focus on moving forward. This data-driven approach ensures that your investments yield tangible results.
• A proven track record: TSC has a proven track record of success in helping organisations build a robust cyber security culture. Our client testimonials attest to our ability to drive positive change. You can read our case studies and testimonials here.

In conclusion

The aerospace and defence sectors face a complex and ever-evolving cyber threat landscape. Heightened security awareness and training are essential to safeguarding national security interests.

Partnering with a trusted organisation like TSC can empower organisations to build a robust cyber security culture by providing direction, fostering a cyber-resilient culture, and investing in awareness and training solutions. Together with the right partner, aerospace and defence organisations can safeguard national security interests in an increasingly digital world.

If you would like information about how The Security Company can help you to formulate a cyber security training and awareness program for your aerospace or defence organisation or if you would like a demo of our products and services ... please contact our Head of Business Development and Sales, Jenny Mandley.

The Security Company's vast library of customised and non-customised products and services are tailored for small, medium and large organisations and are available in a variety of languages. We also offer bespoke solutions for organisations that desire training and awareness materials built from the ground up.