Where could aerospace and defence companies focus to better mitigate cybersecurity threats?

What if hackers could bring down a plane? Or take control of an unmanned military drone? Or interfere with a satellite? Or access an aerospace company’s supply-chain information? These may seem like futuristic scenarios, but the reality is that some of this is already happening today.

In recent years, increasing numbers of cyber incidents have been affecting the aerospace and defence (A&D) industry. The increased adoption of cloud computing, Internet of Things (IoT) devices and systems, and artificial intelligence (AI) has led to an increased reliance on technology. This also has presented opportunities for significant disruption, through a larger attack surface and an increased potential for cyberattacks. Even more sophisticated attacks are now possible too—including social engineering and zero-day exploits, which can bypass traditional security measures.

Though cybersecurity incidents are of concern in any industry, their repercussions are greater in the A&D sector because it often deals with sensitive information (e.g., classified data on military operations and technologies) and critical infrastructure (e.g., supply-chain information, communication systems, satellite networks, and transportation systems). A breach could thus have a significant impact on national security, defence operations, and/or a country’s technological advantage.

These risks are top of mind when Canada’s Department of National Defence sets out to develop subsequent generations of military capability. “In the Canadian military capability-development model, particular care is taken to ensure cyber resilience. We understand our people may be fighting against a determined and capable adversary, and therefore our military needs secure, reliable, and unexploited capabilities and technologies that will give us the edge in combat,” says Vice Admiral (Ret’d) Darren Hawco, an executive advisor to Deloitte Canada.

Hackers now seem to be focusing on four target goals: stealing intellectual property (IP), infiltrating A&D supplier networks and compromising supply chains, jeopardizing physical equipment, and launching ransomware and other attacks for monetary gain.²

Recognizing that risks will keep growing
Jason Hunt, a senior manager in Risk Advisory for Deloitte US, says, “As we add additional network connectivity to enable smart manufacturing and operations, we must keep cybersecurity front of mind, as this connectivity can provide a bad actor easier access to vulnerable systems in industrial environments.” The risks are further reinforced by the latest release of ChatGPT (GPT-4) and continuous progress in quantum computing technology, which add even more entry points for cyberattacks.

ChatGPT could be used to generate malicious code and more sophisticated phishing emails, disinformation and misinformation campaigns, and deep fakes, according to Kimberly Sablon, principal director for Trusted AI and Autonomy in the US Office of the Undersecretary of Defense for Research and Engineering, who spoke on the topic at the recent Pacific Operational Science & Technology Conference in Hawaii.³

As technology continues to evolve, cyber risks may continue to increase. As such, both the Canadian government and private organizations should implement effective protective cybersecurity measures.

Investing in security at all levels
Effective cybersecurity requires a comprehensive organizational approach that includes a focus on talent and a security-at-all-levels culture. This means that all employees, from top executives to entry-level staff, should understand the importance of cybersecurity, and everyone must be aware of their specific role in maintaining a secure environment.

There are several ways in which a security-at-all-levels approach can strengthen an organization’s cybersecurity. It ensures that there is a strong commitment to cybersecurity at the executive level; that all employees are trained and aware of cybersecurity risks and best practices; that access to sensitive information and systems is strictly controlled; that systems and software are regularly updated and patched, and that other controls are in place when patching is not possible; that an incident-response plan is in place; and that there is continuous monitoring of networks and systems (see figure 1).

Focusing on enterprise architecture
Enterprise architecture (EA) is a strategic planning and management framework designed to help organizations align their business goals with their technology infrastructures and investments. A thoughtful and resilient EA should complement a strong organizational culture. EA can offer a company a thorough overview of its IT system and processes, thus helping it to identify vulnerabilities and implement more effective cybersecurity strategies (see figure 2 for some of these options).

“Oftentimes there is limited network segmentation in place to reduce the blast radius if there is a cyberattack. There are no processes or tools in place to enable security monitoring—that is, we don’t know anything has happened until it physically affects the production process—and a relaxed approach is taken to manage privileged and other user access,” says Hunt.

“This lack of controls is why bad actors are more and more often targeting industrial environments, which is highlighted by an 87% increase in ransomware attacks against organizations and a 35% increase in the number of ransomware groups targeting operational systems and networks in 2022.”⁴

Managing and mitigating cyber risks

A combination of awareness of the growing risks, well-prepared talent, a security-at-all-levels culture, and EA can help foster organizational and employee commitment to cybersecurity. This provides an overall framework that can help organizations manage cybersecurity risks more effectively. The key to that framework? Collaboration.

“Cooperation among A&D organizations is essential for staying ahead of the game,” notes Alejandro Campos, a partner in Deloitte Canada Aerospace Cybersecurity practice. “The adoption of automated threat intelligence platforms within the community is highly recommended—it enables a circle of trust and a mechanism to share the latest threats impacting the industry, and it provides actionable intelligence that allows the community to help prevent, detect, and react to cyber threats.” As home of the world’s third-largest aerospace hub as well as one of the largest cybersecurity talent pools, Canada has an active role to play in securing nationally sensitive data, supply chains, and other critical infrastructure.⁵

1. Canadian Centre for Cyber Security, “Internet of Things (IoT) security—ITSAP.00.012,” Government of Canada, July 2022.
2. Canadian Centre for Cyber Security, “The cyberthreat from supply chains,” Government of Canada, modified February 8, 2023.
3. Stew Magnuson, “JUST IN: Pentagon’s Top AI Official Addresses ChatGPT’s Possible Benefits, Risks,” National Defense, March 8, 2023.
4. Jack Gillum, “Ransomware Attacks On Industrial Firms Increased By 87% In 2022,” Financial Post, February 14, 2023.
5. International Trade Administration, “Canada Country Commercial Guide: Aerospace and Defense,” US Department of Commerce, August 3, 2022.

Contributors

Elise Villeneuve

Partner, Deloitte Monitor
National leader, Aerospace and Defense

Leslie Guerin

Manager, Strategy & Business Design
Deloitte Monitor

Disclaimer

This publication contains general information only and Deloitte is not, by means of this publication, rendering accounting, business, financial, investment, legal, tax, or other professional advice or services. This publication is not a substitute for such professional advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect you or your business, you should consult a qualified professional advisor. Deloitte shall not be responsible for any loss sustained by any person who relies on this publication.