To avoid business interruption and loss of credibility in the face of a cyber-attack, the aerospace sector must become more cyber-resilient.
July 2, 2019
By Scott Neas, BSI Service Delivery Director
The WannaCry cyber-attack provided the world with a glimpse of just how great an impact a full-scale data breach could have. WannaCry crippled more than 200,000 computers running Microsoft Windows in 150 countries, bringing business to a halt for organizations around the globe, including Britain’s National Health Service, Germany’s Deutsche Bahn, Denmark’s Maersk and FedEx in the United States. Although the aerospace industry was largely spared in the initial attack, in 2018, Boeing was hit by WannaCry at its plant in Charleston, SC. While the company insists the impact was limited, it certainly serves as a warning that the aerospace industry as a whole needs to be steadfast in its commitment to ensuring that information security systems are updated and private data is protected.
Typically, the aerospace sector plans for the long-term, with production cycles spanning decades, but the industry needs to be more agile than ever in the face of changing technology, including increased connectivity for planes and parts up and down the supply chain. For companies across the industry, safeguarding information is more important now than ever.
To avoid business interruption and loss of credibility in the face of a cyber-attack or other security breach, aerospace companies need to become more flexible and adaptable in the management of their information—physical, digital and intellectual property—throughout their lifecycles There are internationally-recognized standards that instill best practice that can help manage the security of an organization’s information. ISO/IEC 27001, for example, provides a holistic approach and features a number of controls that facilitate information security. By creating a flexible framework, ISO/IEC 27001 can hold additional aerospace-specific requirements as well, including FAR 52.204-21, DFARS 252.204-7012, NIST 800-171 and NIST CSF. This “implement once, comply many” approach maximizes the efficiency of the management system and helps aerospace organizations manage and protect their information assets so that they remain safe and secure.
Implementation of ISO/IEC 27001 can not only help shield aerospace businesses in the face of a cyberattack, it also sends a clear signal to customers, suppliers and the marketplace that a company can handle information—from credit card details to intellectual property to private customer data—securely.
Taking the First Step
The first step on the road to successfully managing information security is to evaluate current practices to achieve a better sense of how implementing a standard like ISO/IEC 27001 would benefit the organization and hone business practices. Starting out, aerospace companies generally should:
Assess the Current Situation
The organization’s policies and procedures may already address a lot of what is needed to meet the requirements of the standard, so when setting out, a comprehensive review of systems, policies, procedures and processes that are already in place. In this way, the company can adapt the standard so that it works best and adds overall value.
Implementing an information security management system requires buy-in from across the organization, but achieving top management commitment is critical to its success. Company leadership will need to be actively involved, embed information security in the organization’s strategy and provide the resources required. Additionally, implementation requires all departments and stakeholders to work together. By avoiding silos, the organization can ensure that it is executing and adhering its policies and procedures to the requirements in a way that benefits and protects its operations and its customers.
Evaluate Current Performance
By determining how the business evaluates performance of any existing information security management program, it can determine what is working well and where there is room for improvement. That way it will be apparent where to focus efforts as the implementation team works toward certification of its information security management system.
Next Steps: Establish Partnerships for Success
Getting started on the road to improved information security operations may seem like a daunting task, but standards like ISO/IEC 27001 are customizable and flexible enough to fit the organization’s needs and goals. Regardless of whether the company has a full-scale information security management program, or is just toying with the idea of one, adhering to a standard sets the bar to ensure that security becomes and remains central to the aerospace company’s operations.
About the Author
Scott is the Service Delivery Director for Aerospace Americas and Core QMS ISO9001 USA. He is responsible for assurance operations of these certification schemes with a team of 30 fulltime Client Managers, 2 Planners, and 35 contract External Resources. His team plans and delivers over 7,500 assessment days annually.
Additionally, Scott provides strategic direction and technical support for the Marketing, Sales, Training, Certification, and Regulatory teams at BSI. Responsibilities also include maintaining the BSI Americas ANAB accreditations for AS9100, AS9110, AS9120, and ISO9001 Quality.
Upon joining BSI in 2015, Scott was a Client Manager delivering certification audits as an Aerospace Lead Auditor before becoming the Aerospace Technical Manager and then Service Delivery Director.
With a background in engineering and quality, Scott began his career at Lockheed Martin Aeronautics with positions in Manufacturing, Engineering, and Quality for the F-22, F-35, C-5, C-130, and P-3. These roles included Lockheed’s Operational Leadership Development Program, supply chain management, production final assembly, and flight line operations.