The goal of the aerospace and defense industry is to ensure the security of a country, its critical infrastructure, government authorities, and citizens. As such, its companies are often the targets of Advanced Persistent Threat (APT) groups working together with nation-states to steal intellectual property (IP) to advance domestic aerospace and defense capabilities, develop countermeasures, and collect intelligence with which to monitor and possibly infiltrate and subvert other nations’ defense systems.
More common cyber threats such as malware and ransomware attacks have also increased in recent years as critical military and civil infrastructures have been modernized and become connected to networks and the internet, making them vulnerable to hackers. The advent of new technology such as artificial intelligence and advanced automation has brought a new category of potential vulnerabilities that reinforced the need for cyber defense. As a consequence, the aerospace and defense sector is heavily regulated and closely scrutinized by governments.
In the US, the Cybersecurity Maturity Model Certification (CMMC) was introduced by the US government to fix low rates of compliance associated with NIST SP 800-171. CMMC is a new framework that aims to protect Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) for all contractors or subcontractors of the United States Department of Defense (DoD). All companies that do business within the Defense Industrial Base (DIB) supply chain or wish to participate in a DoD bid must be CMMC certified.
Because they collect personal data from customers and often conduct extensive background checks when hiring employees, aerospace and defense companies also need to protect the personal information they collect from data breaches. Under legislation such as the General Data Protection Regulation (GDPR), aerospace and defense organizations are obligated to ensure that EU data subjects’ personal information is not lost or stolen, and they face limitations on the transfer of personal data across borders. GDPR has an extraterritoriality clause, which means companies collecting the data of EU data subjects must comply with the regulation regardless of where they are physically located.
For all these reasons, defense and aerospace companies require advanced cybersecurity frameworks to meet all their compliance requirements and guard against the many cyber threats they face in real-time. But what are some of the best ways defense and aerospace organizations can improve data security? Let’s take a closer look.
Assess data sensitivity
An effective security strategy not only protects a company’s network and the data stored on it, but also ensures that employees can still perform their tasks efficiently without their systems being slowed down by cumbersome policies. To minimize the impact data protection solutions have on daily business operations, defense and aerospace companies need to identify and protect only data that is considered sensitive.
Data classification is also an important part of compliance efforts. To correctly determine which level of CMMC compliance it needs to reach, an organization first has to find out what types of CUI it collects. CUI refers to highly sensitive business and customer data such as tax-related information, sensitive intelligence data, patents, and intellectual property. Solutions such as Data Loss Prevention (DLP) tools allow companies not only to identify and monitor files containing sensitive information but also to control its movements through policies that target only data defined as sensitive.
Protect data in isolated environments
Isolated environments are common in the defense and aerospace sector. This means that they are not connected to the internet and sometimes not even to a wider internal company network. While this makes them more secure from outside attacks, their isolation often means that removable devices will be connected to them to retrieve or add data to a computer. Whether it’s new software or simply a retrieval of logs and reports, removable devices such as USBs and external drives can be used to access isolated information systems.
This brings certain dangers to data security. For one, USB drives in particular are a popular tool for the propagation of malware, and malicious or compromised employees may also attempt to steal data this way. Even legitimate uses of removable devices can be problematic: once the data leaves the security of an isolated machine, it is no longer protected, as such devices can easily be lost or stolen.
Device control policies can help mitigate these risks. By controlling the use of USB and peripheral ports, companies can limit their use to trusted devices that are company-issued and clearly identify the user and the time a device was connected to an isolated machine. When used in conjunction with DLP policies, device control can also be used to block, log and report any attempt to transfer highly sensitive data to removable devices.
For DLP solutions to work in isolated environments, it is necessary for them to be applied directly on the endpoint. Once this is done, the software does not require an internet connection to function. Logs are stored locally and updates can be applied offline as well.
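The device control and DLP checks described in this section can be sketched as follows. This is an added example, not code from Endpoint Protector or any other product; the allowlisted device identifiers, the CUI-marking content rule, and all function names are assumptions made for illustration.

```python
import json
import re
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed allowlist of company-issued devices: (vendor ID, product ID, serial).
TRUSTED_DEVICES = {("1234", "abcd", "CORP-000123"), ("1234", "abce", "CORP-000456")}

# Assumed content rule: a CUI banner marking in the file makes it sensitive.
CUI_MARKING = re.compile(rb"\b(CUI|CONTROLLED UNCLASSIFIED INFORMATION)\b")


@dataclass(frozen=True)
class UsbDevice:
    vendor_id: str
    product_id: str
    serial: str


def is_trusted(dev: UsbDevice) -> bool:
    return (dev.vendor_id.lower(), dev.product_id.lower(), dev.serial) in TRUSTED_DEVICES


def audit(log_path: str, **fields) -> None:
    """Append one JSON line to a local file; nothing here needs a network."""
    fields["time"] = datetime.now(timezone.utc).isoformat()
    with open(log_path, "a", encoding="utf-8") as fh:
        fh.write(json.dumps(fields, sort_keys=True) + "\n")


def on_connect(dev: UsbDevice, user: str, log_path: str) -> bool:
    """Record who connected which device and when; allow only trusted devices."""
    allowed = is_trusted(dev)
    audit(log_path, event="connect", user=user, serial=dev.serial,
          action="allow" if allowed else "block")
    return allowed


def on_file_write(dev: UsbDevice, user: str, name: str, content: bytes, log_path: str) -> str:
    """Decide whether a file may be copied to the removable device."""
    if not is_trusted(dev):
        action = "block_untrusted_device"
    elif CUI_MARKING.search(content):
        action = "block_sensitive"
    else:
        action = "allow"
    audit(log_path, event="file_write", user=user, serial=dev.serial, file=name, action=action)
    return action
```

Every decision, allowed or blocked, lands in the local JSON-lines log, so the record of who connected what and when survives on a machine that never reaches a central server.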
Use Encryption
All CMMC levels include encryption-related requirements like the need to encrypt communication sessions and storage devices containing CUI such as laptops, USB drives, and smartphones. Encryption is also one of only two technical security measures explicitly mentioned in the text of the GDPR.
Encryption solutions are often required to meet current encryption standards such as FIPS 140-2 and FIPS 197. Many of the native tools on mobile phones and on operating systems such as Windows and macOS already meet these standards, which means companies do not need to invest in additional external solutions to encrypt hard drives or phones.
When it comes to removable devices, organizations can use an enforced encryption solution such as that offered by Endpoint Protector. Through it, any time sensitive data is transferred onto devices such as USBs, it will be automatically encrypted with government-approved encryption. This prevents any outsiders from accessing the data without a decryption key and helps organizations meet compliance requirements.
In conclusion
The theft of highly sensitive data or loss of control over a system can have serious consequences both for national security and for a defense and aerospace business’s bottom line. Data breaches can undermine a company’s ability to win new contracts, as security incidents are seen as red flags. They may also make obtaining certifications such as CMMC more difficult. The defense and aerospace industry must therefore make combatting these threats and building cyber resiliency a priority.
Frequently Asked Questions
Aerospace and defense companies are often the targets of Advanced Persistent Threat (APT) groups working together with nation-states to steal intellectual property (IP) to advance domestic aerospace and defense capabilities, develop countermeasures, and collect intelligence with which to monitor and possibly infiltrate and subvert other nations’ defense systems. More common cyber threats such as malware and ransomware attacks and data breaches caused by employee negligence or malicious insiders have also increased in recent years as critical military and civil infrastructures have been modernized and become connected to networks and the internet, making them vulnerable to hackers.
While isolated environments are more secure from outside attacks, their isolation often means that removable devices will be connected to them to retrieve or add data to a computer. Whether it’s new software or simply a retrieval of logs and reports, removable devices such as USBs and external drives can be used to access isolated information systems. Device control policies can help mitigate these risks. By controlling USB and peripheral ports, companies can limit their use to trusted devices that are company-issued, identify the user and the time a device was connected to an isolated machine, and log and report the connection.
The Cybersecurity Maturity Model Certification (CMMC) has five certification levels that will assess a company’s maturity and cybersecurity preparedness to ensure that sensitive defense information is protected on contractors’ information systems. They are:
Level 1: Basic Cyber Hygiene. This level consists of 17 basic cybersecurity controls and focuses on the protection of Federal Contract Information (FCI).
Level 2: Intermediate Cyber Hygiene. This level has 72 controls and introduces a new type of data, Controlled Unclassified Information (CUI).
Level 3: Good Cyber Hygiene. This level includes 130 controls and requires organizations to establish, maintain and resource a plan demonstrating the management of activities for practice implementation.
Level 4: Proactive. This level comprises 156 controls and requires organizations to review their established plans, policies, and procedures regularly and take a proactive approach to measure, detect, and defeat threats.
Level 5: Advanced/Proactive. The highest CMMC level consists of 171 controls and adds a layer of requirements that refers to organizations’ capacity to respond to the changing threat landscape through auditing and managerial processes.