A leading industry group has proposed new standards to protect aerospace businesses from cyberattacks, a move that comes as the Pentagon is warning about digital vulnerabilities across its weapons systems.
The Aerospace Industries Association’s new national aerospace standard is a list of 110 security controls that is broken down into what it describes as 22 control families. Organizations can use the rubric to assess their vulnerability to cyberattacks. The control families range from malware defenses to red team exercises.
Each AIA control family ranges from level zero, when a company meets none of the security guidelines, to level five, when a firm has constantly adapting security standards that can detect advanced cyber threats.
A goal of the AIA controls is to create a level of uniformity among defense contractors.
With the new security controls, “a company’s level of security is accepted by all prime contractors, systems integrators, and [the Department of Defense],” a copy of the new standards reads.
The AIA compliance guidelines do not replace the National Institute of Standards and Technology standards, which are widely adopted across the federal government, but are meant to be complementary to that list, said John Luddy, the organization’s vice president for national security policy. The NIST standards operate on a “yes” or “no” basis, while the AIA standards have a sliding scale, Luddy said.
With the new AIA guidelines, it will be easier for a subcontractor to explain their security controls to defense companies, Luddy said.
“When your nephew is your cyber guy, it is a lot different than if you have hundreds of engineers,” Luddy said. “The goal of the standards is to have some commonality among the supply chain.”
The new standards come as the Pentagon has attempted to protect contractors from foreign hacking efforts. Pentagon officials and defense firms say that the Chinese intelligence service is masterminding a hacking spree against subcontractors in an attempt to collect sensitive national security secrets.
Pentagon leaders have taken steps to address the problem of poor contractor cybersecurity.
For example, the Department of Defense is conducting a pilot program to discover which companies are in its supply chain, Lockheed Martin officials told Fifth Domain in October. The Pentagon also created a specialized task force in October to prevent the pilfering of defense secrets.