Cybersecurity improvement of the Aerospace and Defense Supply Chain

The background:

The Aerospace and Defense Extended Enterprise is composed of multiple small and medium-sized companies, which usually have their ICT managed in silos, without even the capability to detect that they are subject to cyber-attacks or to protect themselves from those attacks.

One of the main issues to be resolved today is that those companies are the first target of cyber criminals while being the least protected.

Over the past 3 years, experience has confirmed that attackers have shifted their efforts to suppliers, as illustrated by the recent security issues report published by the UK Computer Emergency Response Team (CERT) in its white paper dedicated to “Cyber-security risks in the supply chain” [1].

Unfortunately, although the BoostAeroSpace (BAS) founders (Airbus, Dassault Aviation, Safran, Thales) and other customer companies (Daher, Leonardo, Liebherr, MBDA, Zodiac, …) have spent a lot of effort securing their internal ICT, the security protections they deployed inside their ICT are not deployed equally at the partners with whom they connect to collaborate.

Therefore, in order to solve this urgent issue, BAS proposed to the Board of Directors (BOD) to work with the security specialists in charge of the founders' internal ICT security to identify the best use of BoostAeroSpace to solve this problem.

[1] [pdf]

Aim of the initiative:

The agreed target of the initiative is to enhance the security of the extended enterprise using BoostAeroSpace as a central hub for BAS founders and other customer companies, and to provide security solutions for suppliers and customers with a progressive approach.

Work performed: risks, issues, OEM inputs and solutions reviews

Security workshops have been organized with the key security representatives of the BAS founding companies (i.e. members of the BAS Security Management Authority, security experts appointed by BOD members and cyber security program managers).

Participants investigated what the issues related to collaboration in the extended enterprise were and what the key success factors of a solution would be, along with the risks of having a central approach on some sensitive domains like alerts management.

It is commonly agreed that BoostAeroSpace is well positioned to address some of the issues and that for some others a centralized approach would not make sense, or would even increase the risk.

52 issues/risks/constraints to be resolved were identified, a list of 101 security products used by founders to secure their ICT was shared, and 8 key success factors were identified to ensure the success of the program, with 7 project risks to be addressed. Those elements are summarized in the project solution concept, except for the list of security products, which is not relevant for a global understanding of the project.

Solution concept

The proposed solution consists of launching a cyber security program driven by BoostAeroSpace founders that will take all workshop inputs into consideration in order to achieve 2 main goals / deliverables:

  1. A BAS founders’ centralized and shared standard to manage security of their supply chain extended enterprise (policies, tools and processes dedicated to EE security management validated by all founders).
  2. A central hub of trusted security solutions and services for the supply chain extended enterprise that have proven themselves.

7 main activities (“Work Packages”) have been proposed by BoostAeroSpace to be performed by the program.

Regarding the execution of those activities, BoostAeroSpace proposes the following organization to be deployed over a 4-year roadmap starting in 2017.

If you want to participate in this activity as a supplier, service provider or partner, do not hesitate to contact the BoostAeroSpace CISO by email or using our website contact form.