What if hackers could bring down a plane? Or take control of an unmanned military drone? Or interfere with a satellite? Or access an aerospace company’s supply-chain information? These may seem like futuristic scenarios, but the reality is that some of this is already happening today.
In recent years, increasing numbers of cyber incidents have been affecting the aerospace & defense (A&D) industry. The increased adoption of cloud computing, Internet of Things (IoT)1 devices and systems, and artificial intelligence (AI) has led to an increased reliance on technology. This also has presented opportunities for significant disruption, through a larger attack surface and an increased potential for cyberattacks. Furthermore, more sophisticated attacks are now possible—including social engineering and zero-day exploits, which can bypass traditional security measures.
Though cybersecurity incidents are of concern in any industry, their repercussions are greater in the A&D sector. This industry often deals with sensitive information (e.g., classified data on military operations and technologies) and critical infrastructure (e.g., supply-chain information, communication systems, satellite networks, and transportation systems). A breach could thus have a significant impact on national security, defense operations, and/or a country’s technological advantage. These risks are top of mind when Canada’s Department of National Defence sets out to develop subsequent generations of military capability. “In the Canadian military capability-development model, particular care is taken to ensure cyber resilience. We understand our people may be fighting against a determined and capable adversary, and therefore our military needs secure, reliable, and unexploited capabilities and technologies that will give us the edge in combat,” says Vice Admiral (Ret’d) Darren Hawco, Executive Advisor, Deloitte Canada.
As a result of this current reality, hackers now seem to focus on four target goals: stealing intellectual property (IP), infiltrating A&D supplier networks and compromising supply chains, jeopardizing physical equipment, and launching ransomware and other attacks for monetary gain.2
Recognizing that risks will keep growing
Jason Hunt, senior manager, Risk Advisory, Deloitte US, says: “As we add additional network connectivity to enable smart manufacturing and operations, we must keep cybersecurity front of mind, as this connectivity can provide a bad actor easier access to vulnerable systems in industrial environments.” That sentiment is reinforced with the latest release of ChatGPT (GPT-4)3 and continuous progress in quantum computing technology, which add even more entry points for cyberattacks.
ChatGPT could be used to generate malicious code and more sophisticated phishing emails, as well as disinformation and misinformation campaigns and deep fakes, according to Kimberly Sablon, principal director for Trusted AI and Autonomy in the US Office of the Undersecretary of Defense for Research and Engineering at the recent Pacific Operational Science & Technology Conference in Hawaii.4
As technology continues to evolve, cyber risks may continue to increase. As such, both the Canadian government and private organizations should adapt and implement effective protective cybersecurity measures.
Investing in security at all levels
Effective cybersecurity requires a comprehensive organizational approach that includes a focus on talent and a security-at-all-levels culture. This means that talent, from top executives to entry-level staff, should understand the importance of cybersecurity, and all involved must be aware of their specific roles in maintaining a secure environment.
There are several means by which security at all levels can strengthen an organization’s cybersecurity, such as by helping to ensure there is a strong commitment to cybersecurity at the executive level; that all employees are trained and aware of cybersecurity risks and best practices; that access to sensitive information and systems is strictly controlled; that systems and software are regularly updated and patched, and that other controls are in place when patching is not possible; that an incident-response plan is in place; and that there is continuous monitoring of networks and systems.
Focusing on enterprise architecture
Enterprise architecture (EA) is a strategic planning and management framework that could help organizations align their business goals with their technology infrastructures and investments. A thoughtful and resilient EA should complement a strong organizational culture. EA can offer a company a thorough overview of its IT system and processes, thus helping it to identify vulnerabilities and implement more effective cybersecurity strategies.
“Oftentimes there is limited network segmentation in place to reduce the blast radius if there is a cyberattack. There are no processes or tools in place to enable security monitoring—that is, we do not know anything has happened until it physically affects the production process—and a relaxed approach is taken to manage privileged and other user access,” says Hunt.
“This lack of controls is why bad actors are more and more often targeting industrial environments, which is highlighted by an 87% increase in ransomware attacks against organizations and a 35% increase in the number of ransomware groups targeting operational systems and networks in 2022.” 5
Managing and mitigating cyber risks
A combination of awareness of growing risks, well-prepared talent, a security-at-all-levels culture, and EA can help foster organizational and employee commitment to cybersecurity. This provides an overall framework that can help organizations manage cybersecurity risks more effectively.
Canada, as home of the world’s third-largest aerospace hub as well as one of the largest cybersecurity talent pools, has an active role to play in securing national sensitive data, supply chains, and other critical infrastructure.
This communication contains general information only, and none of Deloitte Touche Tohmatsu Limited (“DTTL”), its global network of member firms or their related entities (collectively, the “Deloitte organization”) is, by means of this communication, rendering professional advice or services. Before making any decision or taking any action that may affect your finances or your business, you should consult a qualified professional adviser.
Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited (“DTTL”), its global network of member firms, and their related entities. DTTL (also referred to as “Deloitte Global”) and each of its member firms are legally separate and independent entities. DTTL does not provide services to clients. Please see www.deloitte.com/about to learn more.
©2023. For information, contact Deloitte Global.