Fortunately, tragedies in the aerospace industry are few and far between, but they remain a serious threat to national security.
The good thing is that the industry has taken security into its own hands and designed the Aerospace Cybersecurity Standard.
Formally known as the NAS 9933, let’s explore the standard and how it might affect you.
Before The Aerospace Cybersecurity Standard
The cybersecurity landscape in the aerospace industry was rather lackluster before the development of formal frameworks. Most of the existing general-purpose frameworks could, and still can, work well.
The lack of a comprehensive security policy specific to the industry has resulted in low security adoption. Some reports show that only 40 percent of businesses within the industry have a security policy.
Given the sensitive nature of aerospace information systems, this exposes them to cyberattacks that could have potentially devastating effects and pose massive national security issues.
The Aerospace Industries Association (AIA) took note of this security gap. It worked closely with cybersecurity professionals and governmental bodies to develop a security standard for the industry, which we will explore in this article.
Challenges in the Aerospace Industry
The AIA has outlined challenges for the security standard’s long-term success. These are:
- There is a growing need for organizations within the industry and government to collaborate on joint security projects. Ultimately, this will foster a positive security environment while also alleviating overburdening regulations on aerospace providers.
- Tailoring existing frameworks, such as NIST 800 171 and the CIS CSC (which we will discuss a little later), to bring them in line with the needs of the aerospace industry.
- Enhancing and highlighting the Department of Defence’s responsibility for marking Covered Defence Information (CUI).
- Elevating the CUI to a tiered system of importance to create adequate protection for specific types of information.
- Improving the understanding of the threat landscape so that the aerospace community and cybersecurity professionals can develop a threat-based defense framework.
It’s also important to mention that the aerospace industry is already heavily regulated. Bringing existing frameworks into the fold addresses some of the challenges faced by the industry. Combining the need for a security standard with the quality assurance and quality management frameworks already required can produce a comprehensive framework.
CMMC, NIST, CIS CSC, and NAS 9933
The security standard developed by the AIA is known as the National Aerospace Standard 9933 (NAS 9933). Before going into more detail about the standard, it would be beneficial to look at the roots of its creation.
The standard itself is not stand-alone; it is a companion framework to two existing cybersecurity frameworks, NIST (SP) 800 171 and the CIS CSC.
NIST 800 171 is already in use by many organizations within the industry. The framework deals with information security for organizations that handle Controlled Unclassified Information (CUI). As mentioned previously, the sensitivity of the data processed in the industry can pose risks to national security and requires a robust and specific framework.
If you have been keeping up to date with our blog, you’ll know that NIST 800 171 will soon be defunct and replaced with the Cybersecurity Maturity Model Certification (CMMC). This framework is moving away from self-certification to a mandatory third-party certification compliance model.
There are implications for aerospace organizations that hold DoD contracts. The NIST 800 171 framework will still exist in tandem with the CMMC, but the changes organizations will face are yet to be seen.
Uncertainty aside, the NAS 9933 is a voluntary standard that works in companionship with NIST 800 171. By extension, it will work as a companion standard to the CMMC if your organization falls under the aerospace industry.
The second framework mentioned previously was the CIS CSC (Center for Internet Security Critical Security Controls). The NAS 9933 suggests two extra controls, combined with the existing 20 controls of the framework, to achieve a security standard within the industry.
Which framework to combine it with will be decided by the type of information your organization processes. When processing CUI, NIST 800 171 should be used in conjunction with the NAS 9933. At the time of writing this article, it is unlikely that the CMMC will be in full swing for another 2-3 years, and it’s unclear how the NAS 9933 will work in conjunction with it.
But as a precautionary measure, it’s best if your organization begins the migration as soon as possible, especially if you wish to continue any contracts with the DoD.
In all other cases, the CIS CSC is a globally recognized framework. The AIA has mentioned its use within the industry on multiple occasions, even supplying two extra controls specific to the industry itself, which are discussed in the next section.
Aerospace Cybersecurity Standard NAS 9933
The AIA created the NAS 9933 in response to a lack of uniformity across the industry. The AIA has stated the goals of the standard as:
- “To provide industry partners an indication of a company’s cybersecurity profile, as a way to measure a company’s cybersecurity risk.”
- “To enable reciprocity across industry and critical infrastructure sectors, so that a company’s level of cybersecurity is universally accepted by all whose work supports national interests.”
As mentioned previously, the standard itself is an addition to NIST 800 171. In addition, the AIA has adopted the Exostar Questionnaire Standard as a baseline for the NAS 9933 and combined it with the control families within the CIS CSC.
Certification to the framework is entirely voluntary, and your organization will need to purchase the complete list of controls from the AIA standards store.
However, because the framework is a companion to NIST 800 171, a cybersecurity provider with experience implementing that framework might be a better fit for you.
RSI Security and Framework Compliance
If you are looking for NIST 800 171 framework compliance or are unsure of the recent changes coming in the CMMC, don’t hesitate to contact us today.
The aerospace industry is not the only industry hit with sweeping changes in the cybersecurity ecosystem.
The trends show that the regulatory landscape is still catching up with changes in the business environment. Disruptive tech means disruptive threats. With these constant changes, regulators continually have to review and update laws and legislation.
Critical infrastructure industries like the aerospace industry have done the right thing and have enacted a security framework upon themselves.
Although it’s voluntary, it is only a matter of time until a dramatic event causes a change in industry regulation.
In a best-case scenario, regulators catch up with the trends and design a regulatory framework before disaster strikes the industry. The aerospace cybersecurity standard is a step in the right direction.
However, the safest approach is to stay one step ahead. Build your security resilience and be an example to the rest of the industry. Contact us today, and let’s work together to reach your security goals.