Cybersecurity is a widespread concern, the aerospace industry being no exception. In fact, in 2016 only 40% of aerospace and defense companies said they have a comprehensive set of security policies in place. That’s a surprisingly low number when you consider the major ramifications that could result from a data security breach.
As cybersecurity threats grow more common and more sophisticated, it’s vital that aerospace and defense companies understand the government recommendations in place related to data security and how to comply with those recommendations.
In this article, we’ll explore the guidelines provided by the United States government to mitigate the risk of cybersecurity threats, primarily NIST SP 800-171 and the National Aerospace Standard (NAS9933), and the relationship between these guidelines.
For many organizations, complying with security regulations can be complicated and overwhelming. There are countless rules and regulations provided by the government. Some apply to specific industries while others apply to specific types of data security solutions. Untangling all of these compliance measures and applying the appropriate ones to your organization are two major challenges.
Two specific sets of guidelines apply to aerospace and defense companies: NIST SP 800-171 and NAS9933. Let’s take a look at what these two sets of guidelines cover and where they overlap.
In 2015, the U.S. government's National Institute of Standards and Technology (NIST) released NIST Special Publication (SP) 800-171. This special publication includes 110 security controls that organizations should have in place to adequately protect their data. These controls are the minimum security requirements needed to keep data out of the hands of unauthorized parties.
NIST SP 800-171 applies to any organization that uses or transmits Controlled Unclassified Information (CUI). This could mean any number of government contractors and subcontractors, including those in the aerospace and defense industries. Companies must demonstrate that they have aligned with these 110 controls, or supply a plan and timelines for meeting all the controls, prior to earning a contract to work with the government.
NAS9933, the National Aerospace Standard, is a little more tailored to this industry's specific needs. These standards are aligned with the standards offered by NIST SP 800-171. NAS9933 is also accepted by the Defense Department. While they are useful standards to have in place, they are not as comprehensive as NIST SP 800-171. In fact, an aerospace or defense contractor can still be awarded government contracts without having these standards in place. They just have to demonstrate which requirements they’ve already met and how they plan to meet other standards in the future.
Let’s take a closer look at what NAS9933 standards cover in terms of aerospace security. NAS9933 was established by the Aerospace Industry Association to fulfill two goals:
To accomplish these two goals, NAS9933 recommends 22 control families (20 provided by the Center for Internet Security (CIS) and 2 provided by Exostar) to be applied across companies in the aerospace industry. Each control family has sub-controls that are categorized into five different capability levels. Level 3 is the minimum required capability level, while Levels 4 and 5 contain high-level objectives for organizations to meet.
So, what’s the point of all these data security measures? For organizations like banks or healthcare providers, the threat is pretty easy to understand. Hackers want to access the sensitive data these organizations protect for monetary gain, breaking into bank accounts to steal money or stealing healthcare information for identity theft purposes. However, the cybersecurity threat is far more nefarious and dangerous for the aerospace and defense industries.
Consider the ramifications of an electronic hijacking of an aircraft, potentially using the plane for a terror attack. Whether the crime is committed by state-sponsored espionage groups or criminal organizations, hundreds of thousands of lives could be at risk.
It’s easy for airlines, the FAA, and TSA to focus on the physical threats facing the aerospace industry, but it can be a greater challenge to protect against digital threats. One approach many airlines have taken is to use “closed systems,” for example, separating their operational flight systems from their entertainment systems. While this has been an effective strategy up until this point, it may not be enough to protect against threats of the future. As cybersecurity threats grow, security measures to protect against those threats must strengthen as well.
To avoid a tragic loss of life or even lower-level consequences of damaged reputations or non-compliance fines, aerospace organizations must take action before an inevitable data breach occurs. So, in the face of so many threats, you should take steps to align your data security measures with the controls outlined by NIST SP 800-171 and NAS9933.
Start by assessing your current security controls. What measures do you have in place and where should improvements be made? If you want to make broad changes on a sweeping scale, the best step to take is to adopt a secure FTP solution. When you choose a top FTP solution to house your most sensitive data and facilitate secure transfers, you can trust that hackers will be kept at bay. Through measures like dedicated firewalls, network intrusion detection, in-transit and at-rest encryption, and more, your data is protected from even the most skilled hackers. In fact, you can even find FTP solutions that comply with NIST standards, having all the appropriate security measures in place. This is your best defense against the growing cybersecurity threat facing the aerospace industry.
Founder of Sharetru (Formerly FTP Today) and a respected voice in secure file transfer and Internet protocols. A software and IT geek since a young age, Martin has successfully led his companies through the digital age by spotting market niches and filling them with quality IT services.