Cyber Security

Alert

Close
Home
Sustainability
Cyber Security

Cyber security

Stay in the know on cyber security at
Rolls-Royce

Sign up for email updates

The Tools and Info You Need

Cyberattacks on supply chains are on the rise and are growing in sophistication. These attacks can disrupt business operations and inflict enormous financial and reputational costs. Efforts to prevent cyberattacks must match the intensity of those seeking to exploit our vulnerabilities. Rolls-Royce wants to provide tools and resources our suppliers need to tackle these threats.

Must-Read Cyber News

Assessing the Current Threat Landscape

An interview with Muhittin Hasancioglu, Rolls-Royce's Chief Information Security Officer.

What are top cyber security issues confronting Rolls-Royce and its supply chain?

“In the past six months, we’ve seen a shift in behaviour from organized crime and possibly even nation-states," says CISO Muhittin Hasancioglu. "Instead of immediately trying to make money, they are increasingly focused on disrupting manufacturing and supply chains.”

“We need to be alert.”

Read this and more interviews

Shining Stars

How are Rolls-Royce's suppliers battling cyber threats? Our "Shining Stars" — real-world examples of Rolls-Royce suppliers protecting their businesses and our supply chain — share insights from the frontline.


Read more "Shining Stars" interviews

Stay in the know on cyber security at
Rolls-Royce.

Sign up for email updates

Resources

Rolls-Royce is committed to providing our partners with tools and resources to address cyber threats and stay current with best practices.
See a full list of resources here.

Guidance on personnel security requirements

What our suppliers need to know. Download a four-page guide for complying with Rolls-Royce personnel security requirements.

Download

Incident response guidance

A toolkit and tabletop exercise introduction for suppliers.

Download

Phishing test

Let’s see if you can find the malicious emails. Most of the malicious emails in this quiz are real attacks we have seen. Good luck.

View

Supplier Requirements

Rolls-Royce is committed to protecting our information and operating cyber safe systems, services and products for our customers. We depend on our suppliers to meet the same standard. Collaboration is critical to maintaining strong security and protecting our businesses and customers.

All Rolls-Royce suppliers must comply with baseline requirements contained in the Rolls-Royce Supplier Minimum Cyber Security Standards. Additional compliance measures may be required by national and local governments and regulators. Please contact your buyer if you require further information.

General

Basic cyber security requirement for all Suppliers

General

Standard requirements and best practices for all suppliers:

  • Best practices to help you maintain good cyber hygiene are supplied in the adjacent links.
  • The Third Party IT Acceptable Use Policy applies to third party users of Rolls-Royce IT systems. Your manager will provide instructions on how to acknowledge your acceptance of this policy.

US Defence

cyber security requirement for US-based Suppliers

US Defence

Additional requirements and best practices for US Defence Suppliers:

  • Most suppliers supporting US Defence contracts have requirements to comply with DFARS 252.204-7012 and 252.204-7020. Compliance to these requirements is captured via the annual PIB process.
  • You are recommended to begin planning for the Cybersecurity Maturity Model Certification (CMMC) developed by the Department of Defense (DoD). The model combines various Cyber Standards and best practices promoting basic cyber hygiene to detailing advanced measures to protect businesses.
  • To assist in planning for CMMC, the DIB SCC Industry Task Force has created a helpful resource known as CyberAssist to help suppliers with cybersecurity compliance.

Civil

cyber security requirement for Civil Suppliers

Civil

Additional requirements and best practices for Civil Suppliers:

  • An NPA concerning the Management of Information Security Risks (NPA 2019-07) will affect all aeronautical information systems used within civil aviation. EASA will issue a non-binding compliance standard known as an Acceptable Means of Compliance (AMC) to enable suppliers to fulfil these new requirements.
  • If you deal with or are certified to the following, CS-23, CS-25, CS-27, CS-29, CS-E, CS-ETSO, CS-P, Notices of Proposed Amendments (NPA) concerning Aircraft Cyber-Security requirements (NPA 2019-01) will affect you. An AMC document is available for you to follow.

UK Defence

cyber security requirement for UK-based Suppliers

UK Defence

Additional requirements and best practices for UK Defence Suppliers:

  • The Defence Cyber Protection Partnership (DCPP) is a joint Ministry of Defence (MOD) and industry initiative to improve the protection of the Defence supply chain from the cyber threat. The DCPP has developed the Cyber Security Model (DEFCON 658) which provides steps UK Defence Suppliers can take to ensure they are protected appropriately from attack.
    1. Determine cyber risk profile by completing risk assessment.
    2. Depending on profile, comply with DefStan 05-138, CE or CE+.
    3. Complete Supplier Assurance Questionnaire (SAQ) to demonstrate compliance.

    Alternatives to this model as well as supplier flow down of requirements are detailed on the MOD site.
  • If your business creates, receives, stores, processes or handles MOD data:
    • that is classified OFFICIAL-SENSITIVE (OS) or above, and/or
    • are deemed as operating your business ‘offshore’ and create, receive, store, process or handle data classified as OFFICIAL
    • then you must report the loss or compromise of MOD data immediately, and if applicable, comply with the additional handling requirements as defined within a Security Aspects Letter (SAL). (Note: the SAL shall be issued to you at the start of your contract, and may be updated from time to time, to comply with the Defence customer's requirements.)

Incident Reporting

To report a vulnerability, please follow the guidance issued within the accompanying Vulnerability Disclosure Policy.

If you identify, are notified of, or reasonably suspect a cybersecurity incident relating to services you provide to Rolls-Royce, you must notify your business point of contact and the Rolls-Royce Security Operations Centre (SOC). For more information on this process, please follow Section 1.7 of the Rolls-Royce Minimum Cyber Security Standard. The SOC will provide additional information as needed to address your concerns.

 

RESOURCE DOWNLOADS

pdf-icon Rolls-Royce Vulnerability Disclosure Policy

pdf-icon Report a Cyber Security Incident to Rolls-Royce SOC

Our cyber security team: Muhittin Hasancioglu

Muhittin Hasancioglu oversees all aspects of Rolls-Royce’s cyber security operations across the globe. His team is responsible for policy, information assurance, audit, security architecture, operations and delivering awareness training for staff and suppliers. Muhittin also leads the security risk and compliance teams; his broad oversight means that Rolls-Royce technology and innovation decisions are focused on solving real business problems and risks.

Muhittin joined Rolls-Royce in 2025.  Formerly he was the Chief Information Security Officer (CISO) at Shell and Petronas.

Cyber Security Webinars

Watch these important updates from industry leaders.

WATCH

MxD Cybersecurity Marketplace

27 December 2023

MxD Cybersecurity Marketplace

MxD Cybersecurity Marketplace

Webinar

27 December 2023

WATCH

Supply Chain Incident Response

30 November 2023

Supply Chain Incident Response

Supply Chain Incident Response

Webinar

30 November 2023

WATCH

Cybersecurity Roadmap

6 October 2023

Cybersecurity Roadmap

Cybersecurity Roadmap

Webinar

6 October 2023

WATCH

Lucas Kello - CTRN Conference 2024

6 November 2024

Lucas Kello - CTRN Conference 2024

Lucas Kello - CTRN Conference 2024

Video

6 November 2024

A force for progress;
powering, protecting and connecting people everywhere.







© Rolls-Royce plc . All rights reserved.

Follow Us
Stay in Touch

Sign up to get the latest news

Contact us

Vulnerability Reporting