Lindsey Berckman, Brian Wolfe and Chris Weggeman discuss overcoming cybersecurity challenges for the A&D industry through an integrated, mission-driven approach.
AW: Why is cybersecurity such an important topic to discuss in the aerospace and defense industry (A&D)?
LB: Cybersecurity is a multifaceted problem in aerospace and defense because of the many endpoints, and different classification levels that need to be secured. Not only do companies need to focus on standard IT security, but also securing manufacturing facilities, the supply chain, and fielded assets. Aggregate cyber risk across the system lifecycle is a very challenging problem, requiring robust collaboration, integration and vigilance from design through sustainment. Ensuring the cyber network is modernized, covers or is extended to all endpoints while being secure is crucial. Oftentimes, companies have varying levels of maturity across the different domains of their network – influencing how to focus their investments on ongoing modernization efforts.
AW: As A&D companies undergo digital transformation and integration across their business units, what are some of the key cybersecurity challenges they encounter?
BW: As companies expand internationally, integrate their business units more tightly, and adopt new technologies, they are facing significant “growing pains” when it comes to cybersecurity. How they used to secure data and information isn’t sufficient for this new, more integrated way of operating. Companies need to strike a balance between enabling new and emerging technology while navigating an unprecedented threat landscape. The lack of speed, agility, and precision when integrating cybersecurity at scale often requires overhauling many of their backend systems and processes that were built for a more siloed environment.
AW: How can companies in the A&D industry evaluate their cybersecurity maturity?
BW: Companies should go through a comprehensive assessment process to understand their cybersecurity maturity within their own organization and in relation to their peers. Bringing in industry relevance is key, as it allows companies to benchmark themselves against others in the aerospace and defense sector. This provides valuable context on where they stand and what areas they need to improve. When evaluating cybersecurity maturity, it’s less about meeting an industry benchmark and more about understanding what “good” looks like across a peer group and how an organization compares to its peers based on how the strategic initiatives are doing. When an organization understands where it stands relative to others, rather than just aiming for a high score across all domains, it can get a better, independent perspective of where it is in the marketplace and how the organization might want to adjust to meet its goals and strategic objectives.
AW: What is your perspective on security compliance versus cyber defense?
CW: Companies should be careful about only meeting security compliance standards and regulations. While compliance is important, there is an opportunity to pivot the ecosystem and focus on developing a threat and mission-risk based defensive cyber posture that allows for speed, agility, and precision in defending weapon systems against witting adversaries. The threat is always there. There is an opportunity to raise the bar and integrate security by design and have threat and mission-specific capabilities to defend systems actively and throughout their lifecycle.
AW: What key barriers or objections have you encountered when discussing shifting the mindset toward a more cyber defense-oriented approach?
CW: The key programmatic barriers are often adverse impacts to cost, schedule, and performance associated with integrating sensors, data-flows and analytics required for effective defense. Integrating robust cybersecurity and cyber defense can impact each one of those factors which can create resistance. However, one can argue that the effective integration of proactive defensive cyber capabilities actually mitigates risk to cost, schedule and performance, as well as resilience overall.
AW: What has been your experience when a company implements a more cyber defense-oriented approach?
LB: Every organization is on its own journey to progress their cyber capabilities. Given the importance of securing the asset or product, companies should continue to focus efforts to constantly mature their capabilities in this domain. The area now requiring some additional attention is securing the value chain – both production centers and the wider supply network. Organizations now need to start extending the reach of their cyber security apparatuses to cover the entirety of the end unit’s lifespan.</p>
AW: Can you provide examples of how the Department of Defense approaches cyber resiliency and response planning?
CW: Due to the military readiness imperative, the DoD is more proficient at training, exercising, and simulating cybersecurity postures within all-domain force employment. They have established processes and graded events to test their ability to respond to cyber incidents. Cultivating this culture of continuous cybersecurity readiness is a key focus in the DoD. In 21st century Great Power Competition (GPC), without cyber superiority…you’re poised to lose.
AW: From a private industry perspective, how important is it for A&D companies to regularly test their cyber incident response plans, and how often should they be doing this?
BW: It’s critical for these organizations to regularly test their cyber incident response plans, at least annually or semi-annually. Many companies have plans in place but have never actually executed them in a real-world scenario. Testing the plans, from the technical recovery processes to the executive communication and decision-making, is essential. Without this regular testing and validation, gaps and weaknesses will likely not be identified until it’s too late.
Coupling together deep industry experience and cutting-edge technology can help to drive engagement on IT security, cyber readiness, supply chain manufacturing, and fielded asset security across the Aerospace and Defense industry. Learn more about the future of cyber network modernization and the Deloitte IndustryAdvantage™ framework by visiting us online.
