- Employee awareness
- 7 min read
In this comprehensive guide for cyber security decision-makers in aerospace and defence organisations, we will explore the evolving landscape of cyber threats, the imperative for heightened security awareness, and the solutions and partnerships that can fortify your defences.
The aerospace and aviation sector, crucial to global transportation and commerce, faces a growing onslaught of cyber threats. In Europe, 52 successful attacks were reported in 2020 and 48 successful attacks were reported in 2021 … but 2022 saw 50 attacks in just its first 6 months. So cyber incidents in 2022 have reached the average of 2020 and 2021 just eight months. A further eight military-related aerospace incidents were recorded and aimed at cyber espionage and data theft.
Cyberattacks in this sector can have wide ranging consequences. For example, imagine a scenario where a cyberattack targets a major airline's reservation system, resulting in mass flight cancellations, chaos at airports, financial and social disruption, and reputational damage. Well, it happened; in March 2021, IT supplier SITA, which handles bookings for 90% of the world’s airlines was hacked.
Or picture a hack into an aerospace manufacturer's design files, potentially compromising the safety of future aircraft or stealing data and designs for competitors.
Security awareness is the first line of defence against cyber threats. In an industry where safety is paramount, fostering a culture of cyber security is essential. In this sector, cyber attackers often target employees through phishing attempts, exploiting human vulnerabilities. Eurocontrol data shows a 530% year-on-year rise from 2019 to 2020 in reported incidents across the aviation industry, and with airlines targeted in 61% of all 2020 aviation cyber-attacks. In the same report, Eurocontrol reveals the "Big 3" attacks used to target aerospace are fake websites, data theft and phishing – but we can combat this with training and awareness.
Visualise an aerospace engineer recognising a suspicious email and reporting it, thwarting a potential cyberattack. Envision a pilot receiving training on the risks of connecting personal devices to onboard systems, preventing potential breaches. This is the power of cyber security training and awareness.
In the ever-expanding skies of the aerospace and aviation sector, cyber risks and threats loom as persistent challenges that demand constant vigilance. The most common types of attacks over the past three years have been ransomware attacks (22%), data breaches (18.6%), phishing attacks (15.3%) and DDoS aka Distributed Denial of Service attacks (7.3%), however there are more.
This section dives deeper into the multifaceted cyber landscape that this industry faces, shedding light on the diverse spectrum of risks and threats that must be confronted head-on.
At the heart of the aerospace and aviation sector lies a complex web of global supply chains, which while efficient, also introduce vulnerabilities. Cyber attackers keenly target these intricate networks, seeking to exploit weaknesses within the supply chain ecosystem. Picture an aerospace manufacturer's intricate supply chain network. A cybercriminal breaches a subcontractor's network, potentially gaining access to sensitive aerospace designs and compromising the integrity of the final product. Or in April 2022, Canadian airline Sunwing Airlines experienced four days of delays after the third-party software system it used for check-in and boarding was breached by hackers. The attack forced Sunwing to resort to manually checking in passengers in an effort to minimise disruption to its schedule.
The proliferation of IoT devices and remote access points in aviation introduces new avenues of risk. Smart airports aka Airports 4.0 are popping up all over the world. Statista data reveals that 43% of airports are implementing IoT initiatives. Interconnected devices, while enhancing operational efficiency, create potential entry points for cybercriminals. Imagine a scenario where a connected aircraft's in-flight entertainment system is compromised, endangering passenger safety and privacy, highlighting the far-reaching implications of IoT vulnerabilities. However, 59% of airports are implementing cyber security measures to defend against common cyber threats.
The aviation sector must strike a delicate balance between stringent safety regulations and emerging cyber security mandates. Compliance with aviation safety standards must now harmonise seamlessly with the cyber security imperative, adding a layer of complexity to the industry's operations. An airline navigating the intricate compliance landscape hit by a breach could result in regulatory penalties, financial losses, and damage to the airline's reputation. In Europe, the EASA presented a new cyber regulation (Part-IS) that was adopted by European Parliament in 2022, which will be added to nearly all existing aviation safety regulations by 2025, for them to consider cyber risks and manage them through a certified information security management system.
Despite advanced technology, the human element remains a significant cyber risk. Employees, often unknowingly, can introduce vulnerabilities or make mistakes that open the door to cyber threats. An airline's IT department employee inadvertently clicking on a phishing email, unknowingly unleashing malware onto the network and potentially jeopardising flight operations is rooted in social engineering but that comes from human error. According to Boeing, occurrences of ransomware inside the aviation supply chain are up 600% in just one year.
The aerospace and aviation sectors are at the forefront of technological innovation. As such, protecting intellectual property from cyber espionage is paramount. 20% of global organizations consider cyber espionage to be their number-one threat. Competing nations and cybercriminal organisations relentlessly target proprietary designs and breakthrough technologies. For example, the target could be a cutting-edge aviation company's research and development lab. An insidious cyber actor targets the lab's network, stealing blueprints for next-generation aircraft, potentially undermining the company's competitive advantage.
State-sponsored cyber actors often orchestrate APTs against aerospace and aviation organisations. These prolonged and sophisticated campaigns aim to infiltrate critical systems and extract sensitive information. A state-sponsored APT campaign targeting a defence contractor could entail attackers meticulously compromising the organisation's network, stealing sensitive military technology specifications, and posing a severe national security risk. Statistics indicate that as many as 35% of all politically motivated cyberattacks have links with China or Russia, with 26.3% of all cyber warfare strikes are directed towards the United States. We’ve seen heightened cyber attack levels in this area as the Ukraine/Russian conflict persists; in March 2022, an unidentified group (presumed to be the Anonymous Hacking Group) carried out an extremely effective attack on the Russian Federal Air Transport Agency. As part of the attack, all aircraft registration data, and emails, totalling approximately a massive 65 terabytes of data, were deleted from the Agency's servers.
Personnel with access to sensitive information can pose significant insider threats. Whether through negligence, malice, or coercion, these insiders can compromise security from within. This could be a disgruntled aerospace engineer, lured by an external actor, intentionally sabotaging aircraft designs, potentially endangering countless lives and exposing the organisation to massive liabilities. Bridewell research highlights a staggering 180% surge in security incidents related to employee sabotage within aerospace and aviation organisations in just one year, with 34% of decision-makers in the industry anticipating a rise in internal employees turning to cybercrime as a direct consequence of the cost-of-living crisis.
Understanding these multifaceted challenges is the first step in building robust defences and ensuring the safety, security, and reputation of the industry. From supply chain vulnerabilities to the human element, each facet demands meticulous attention and proactive measures to safeguard this critical sector from the ever-evolving cyber landscape.
The defence sector operates at the forefront of national security. However, it is also a prime target for cyber adversaries. For example, the US Department of Defence (DOD) continues to be the target of cyber-attacks, experiencing over 12,000 cyber incidents between 2015 and 2022.
Cyberattacks in this sector can have wide ranging consequences. For example, envision a state-sponsored cyberattack compromising the communications network of a military base, disrupting vital operations, and putting the operations and lives of military personnel in danger. Or consider the theft of classified defence plans through a cyber espionage campaign, potentially compromising national security and the global security and reputation of your defence organisation and nation.
In the defence sector, security awareness is a matter of life and death. Beyond the protection of classified information, it ensures the readiness of military forces and the integrity of command and control systems. Picture a scenario where a vigilant soldier detects a malware-infected USB drive and prevents it from infecting military systems. Or visualise a naval officer recognising a phishing attempt on his organisational device that could compromise the navigation systems of a warship. This is the power of cyber security training and awareness.
In the modern era of defence, where the boundaries of conflict extend into the digital realm, the defence sector faces a formidable array of cyber risks and threats. This section unveils the intricate tapestry of challenges that permeate this sector, offering a comprehensive exploration of the diverse threats and vulnerabilities that require constant vigilance.
At the forefront of the defence sector's cyber risk landscape are advanced persistent threats (APTs) orchestrated by nation-state actors. These relentless and highly sophisticated campaigns often seek to infiltrate critical defence systems, extract classified information, and potentially undermine national security. For example, a state-sponsored APT group, with deep pockets and advanced capabilities, meticulously infiltrates a defence agency's network. Their objective: exfiltrate classified military intelligence, which could compromise strategic plans and security. PurpleSec data reveals that 34% of companies experienced damage to their reputations after an APT attack, 68% of companies experienced data loss after an APT attack and 78% of organisations experienced downtime.
The 2023 Insider Threat Report by Cybersecurity Insiders states that 74% of organisations are at least moderately vulnerable to insider threats. Insider threats loom as a persistent concern. Individuals with access to sensitive defence information can unwittingly or maliciously jeopardise security from within, making personnel a potential source of risk. Such as an insider, motivated by financial gain or coercion, exploiting their privileged access to defence systems to steal classified data, ultimately endangering national security and the lives of servicemen and women.
The integration of emerging technologies such as artificial intelligence (AI), Internet of Things (IoT) devices, and quantum computing introduces both opportunities and vulnerabilities. While these technologies offer innovative capabilities, they also open new attack vectors. For instance, a defence organisation embracing the power of AI for decision-making and logistics, could allow an adversary to exploit potential vulnerabilities in the AI system, causing strategic missteps and disruptions in military operations.
Navigating the intricate landscape of regulatory compliance compounds the defence sector's challenges. Adhering to stringent national and international cyber security regulations while preserving operational readiness requires a delicate balance. A defence contractor must meticulously align their operations with a web of regulations, from export controls to cyber security mandates because a compliance lapse could result in legal repercussions and financial penalties.
Defence supply chains extend across borders, introducing complex vulnerabilities. Cyber adversaries may exploit weaknesses in the global supply chain, potentially compromising the integrity of military equipment and systems. For example, a cyberattack on a foreign supplier's network could lead to the insertion of malicious code into critical defence hardware, compromising security and effectiveness.
The defence sector operates in an environment of geopolitical tensions, where cyberattacks can be used as tools of statecraft. Cyber conflicts between nations create additional risks, necessitating heightened security measures. In fact, the geopolitical standoff between Russia and the Ukraine has created not only a combative physical environment but also a tense digital environment.
In the dynamic landscape of defence, confronting cyber risks and threats is an unceasing mission. Understanding the intricacies of these multifaceted challenges is paramount for building and maintaining robust defences to protect national security interests. From APTs to emerging technologies and regulatory compliance, each facet demands unwavering attention and proactive measures to secure the defence sector in an era where the digital battlefield is just as critical as the physical one.
Effective command, control, and leadership in the aerospace and defence sectors require a deep understanding of the role of cyber security. It's no longer sufficient to view cyber security as a peripheral concern; it must be at the core of strategic decision-making.
Here's an expanded look at why cyber is integral to these critical facets of leadership:
Personnel at all levels should be educated and engaged in cyber security. A collective commitment to cyber conduct and awareness ensures a cohesive defence against threats. Personnel in aerospace and defence organisations play a pivotal role in cyber security. Leaders must provide clear direction and actively drive the development of their approach to cyber conduct and awareness.
Aerospace and defence organisations have access to a wide array of awareness and training solutions to bolster their cyber security posture. Here's a comprehensive overview of these solutions:
Assessing your security culture is not just a recommendation; it's a necessity. The Security Awareness and Behaviour Research (SABR) tool by The Security Company (TSC) offers a systematic approach to assess employee behaviour, security culture, and security gaps with quantitative data and analysis.
The SABR tool provides actionable data that goes beyond traditional qualitative assessments. It enables organisations to measure the effectiveness of their security awareness initiatives, identify areas of improvement, and make data-driven decisions to enhance their security culture. SABR can be tailored to your organisation and surveys how your employees behave, what cyber threats and risks you need to focus on and what solutions you need to employ.
A CISO, DPO or SRI can analyse our SABR’s multitude of data highlighting the need for increased cyber security training in a specific department, against a specific threat or even during a specific period. With this quantitative insight, the CISO can allocate resources effectively, justify budgets and engage board members with language and data they can connect with.
As governments and international bodies strengthen cyber regulations, compliance becomes paramount. Organisations must align with these evolving standards to avoid legal and reputational consequences. Cyber regulation is becoming increasingly stringent in response to the evolving threat landscape. Leaders in aerospace and defence must recognise the importance of compliance and adapt their cyber security measures accordingly.
Compliance with cyber regulations is not just about avoiding legal repercussions; it's about ensuring the highest levels of security. Leaders should prioritise aligning their organisations with evolving cyber standards.
Collaborating with a specialised cyber security training and awareness company like The Security Company offers numerous benefits for aerospace and defence organisations:
The aerospace and defence sectors face a complex and ever-evolving cyber threat landscape. Heightened security awareness and training are essential to safeguarding national security interests.
Partnering with a trusted organisation like TSC can empower organisations to build a robust cyber security culture by providing direction, fostering a cyber-resilient culture, and investing in awareness and training solutions. Together with the right partner, aerospace and defence organisations can safeguard national security interests in an increasingly digital world.
If you would like information about how The Security Company can help you to formulate a cyber security training and awareness program for your aerospace or defence organisation or if you would like a demo of our products and services ... please contact our Head of Business Development and Sales, Jenny Mandley.
The Security Company's vast library of customised and non-customised products and services are tailored for small, medium and large organisations and are available in a variety of languages. We also offer bespoke solutions for organisations that desire training and awareness materials built from the ground up.
© The Security Company (International) Limited 2023
Office One, 1 Coldbath Square, London, EC1R 5HL, UK
Company registration No: 3703393
VAT No: 385 8337 51