Digital breaches heighten awareness of cybersecurity needs
By SAM ADHIKARI | December 2020
The Aerospace Cybersecurity Working Group provides awareness, education and standards development to help protect aerospace’s digital infrastructure.
Governments and cybersecurity research organizations unmasked several alleged cyber espionage groups targeting the aerospace sector in 2020, including Iran-based hackers, whom the U.S. Department of Justice indicted in September.
In July, ransomware reportedly hit Garmin, and the subsequent outage caused problems in Garmin’s aviation services, including flight planning and mapping. The attempt heightened awareness of ransomware cyberattacks on aviation communication and software.
In the interest of data privacy, national security and defense, President Donald Trump in May extended a ban on telecom infrastructure from Chinese companies Huawei and ZTE for another year. Multiple outlets reported in March that the White House was planning to roll out a ban on drones from China-based manufacturer DJI, but such an order was never issued.
In October, Sens. Rob Portman, R-Ohio, and Gary Peters, D-Mich., introduced the Risk-Informed Spending for Cybersecurity Act to require cyber-risk-based budgeting “in response to a 2019 report revealing most agencies lack comprehensive cyber risk frameworks.”
The U.S. Department of Transportation Office of Inspector General in September published its report, “FAA and Its Partner Agencies Have Begun Work on the Aviation Cyber Initiative and Are Implementing Priorities,” which recommends that FAA, in consultation with its ACI partners, identify the resources needed to meet the current schedule for achieving ACI’s remaining priorities, determine how to allocate the resources and revise the schedule as necessary.
Also in September, the U.S. Department of Defense published a notification of plans to issue an interim rule to amend the Defense Federal Acquisition Regulation Supplement to implement the Cybersecurity Maturity Model Certification framework and associated assessment methodology to assess contractor implementation of cybersecurity requirements and enhance the protection of unclassified information within the Defense Department supply chain. CMMC certification will be a five-year rollout and is not applicable for recently awarded contracts. CMMC has five levels starting at Level 1, which focuses on performing basic cyber hygiene practices, and going to Level 5, which showcases advanced cybersecurity processes and demonstrated ability to optimize cybersecurity capabilities. CMMC’s initial focus will be acquisitions in the areas of missile defense and nuclear security.
In March, the Cyberspace Solarium Commission released its report outlining a U.S. cyber infrastructure to protect government operations, industry and Americans from cyberattack. Actions include the sharing of national intelligence information with industry to perform precise threat analysis and development of discrete protections.
In September, the U.S. National Institute of Standards and Technology published Special Publication 800-53, Revision 5, which introduces capabilities and functionality to protect personal-private information in government and within sectors of critical infrastructure. Previous versions of this baseline have not included protection of privacy as critical to the development and operation of systems. The revision aligns the Risk Management Framework, which is critical to development of Defense Department systems, with the Cybersecurity Framework, a primary base for development of cyber resilience in the critical infrastructure from a 2016 presidential executive order.
In February, Lockheed Martin released the Cyber Resiliency Level measurement tool as a means to establish a system’s current cyber resiliency risk and to allow customer discussion of a future state of cyber resiliency risk for the system under evaluation. In August, Lockheed Martin declared full operating capability of the first cyber range, specifically focused on cyber testing of avionics systems. The National Cyber Range is a DARPA project to build internet-based infrastructure that can be used to carry out cyberwar games. The project serves as a test range where the military can create antivirus and other cyber defense technologies to guard against cyberterrorism and cyberattacks from hackers.
Contributors: Dawn M. Beyer, Stephen Blanchette, Gabriel Elkin, Preston D. Frazier, Margee Herring, Jeremy Jacobsohn, Steve Lee, Jimmie McEver, Bryce Leonard Meyer, Gerald L. Ourada and Virginia Stouffer