Cyber Security

Stay in the know on cyber security at Rolls-Royce

The Tools and Info You Need

Cyberattacks on supply chains are on the rise and are growing in sophistication. These attacks can disrupt business operations and inflict enormous financial and reputational costs. Efforts to prevent cyberattacks must match the intensity of those seeking to exploit our vulnerabilities. Rolls-Royce wants to provide tools and resources our suppliers need to tackle these threats.

Weather Report

How to Get Your CEO's Buy-In on Cybersecurity

An interview with Neil Cassidy, Rolls-Royce's Global Chief Information Security Officer.

Imagine your boss walking into the office one morning next week, and everything is down. No production lines. No marketing. No email. No finance or payroll.

What would happen? That's a thought experiment that those in charge of cybersecurity should run through with top leaders in their companies, says Neil Cassidy, Chief Information Security Officer at Rolls-Royce.

Resources

Rolls-Royce is committed to providing our partners with tools and resources to address cyber threats and stay current with best practices.

Guidance on personnel security requirements

What our suppliers need to know. Download a four-page guide for complying with Rolls-Royce personnel security requirements.

Incident response guidance

A toolkit and tabletop exercise introduction for suppliers.

Phishing test

Let’s see if you can find the malicious emails. Most of the malicious emails in this quiz are real attacks we have seen. Good luck.

Supplier Requirements

Rolls-Royce is committed to protecting our information and operating cyber safe systems, services and products for our customers. We depend on our suppliers to meet the same standard. Collaboration is critical to maintaining strong security and protecting our businesses and customers.

All Rolls-Royce suppliers must comply with baseline requirements contained in the Rolls-Royce Supplier Minimum Cyber Security Standards. Additional compliance measures may be required by national and local governments and regulators. Please contact your buyer if you require further information.

General

Basic cyber security requirements for all Suppliers

Standard requirements and best practices for all suppliers:

  • Best practices to help you maintain good cyber hygiene are supplied in the adjacent links.
  • The Third Party IT Acceptable Use Policy applies to third party users of Rolls-Royce IT systems. Your manager will provide instructions on how to acknowledge your acceptance of this policy.

US Defence

Cyber security requirements for US-based Suppliers

Additional requirements and best practices for US Defence Suppliers:

  • Most suppliers supporting US Defence contracts are required to comply with DFARS 252.204-7012 and 252.204-7020. Compliance with these requirements is captured via the annual PIB process.
  • Suppliers are advised to begin planning for the Cybersecurity Maturity Model Certification (CMMC) developed by the Department of Defense (DoD). The model combines various cyber standards and best practices, ranging from basic cyber hygiene to advanced measures that protect businesses.
  • To assist in planning for CMMC, the DIB SCC Industry Task Force has created a helpful resource known as CyberAssist to help suppliers with cybersecurity compliance.

Civil

Cyber security requirements for Civil Suppliers

Additional requirements and best practices for Civil Suppliers:

  • An NPA concerning the Management of Information Security Risks (NPA 2019-07) will affect all aeronautical information systems used within civil aviation. EASA will issue a non-binding compliance standard known as an Acceptable Means of Compliance (AMC) to enable suppliers to fulfil these new requirements.
  • If you deal with or are certified to any of the following: CS-23, CS-25, CS-27, CS-29, CS-E, CS-ETSO or CS-P, the Notice of Proposed Amendment (NPA) concerning Aircraft Cyber-Security requirements (NPA 2019-01) will affect you. An AMC document is available for you to follow.

UK Defence

Cyber security requirements for UK-based Suppliers

Additional requirements and best practices for UK Defence Suppliers:

  • The Defence Cyber Protection Partnership (DCPP) is a joint Ministry of Defence (MOD) and industry initiative to improve the protection of the Defence supply chain from the cyber threat. The DCPP has developed the Cyber Security Model (DEFCON 658) which provides steps UK Defence Suppliers can take to ensure they are protected appropriately from attack.
    1. Determine cyber risk profile by completing risk assessment.
    2. Depending on profile, comply with DefStan 05-138, CE or CE+.
    3. Complete Supplier Assurance Questionnaire (SAQ) to demonstrate compliance.

    Alternatives to this model as well as supplier flow down of requirements are detailed on the MOD site.
  • If your business creates, receives, stores, processes or handles MOD data that:
    • is classified OFFICIAL-SENSITIVE (OS) or above, and/or
    • is classified as OFFICIAL while you are deemed to be operating your business ‘offshore’,
    then you must report the loss or compromise of MOD data immediately and, if applicable, comply with the additional handling requirements defined within a Security Aspects Letter (SAL). (Note: the SAL shall be issued to you at the start of your contract, and may be updated from time to time, to comply with the Defence customer's requirements.)

Incident Reporting

To report a vulnerability, please follow the guidance issued within the accompanying Vulnerability Disclosure Policy.

If you identify, are notified of, or reasonably suspect a cybersecurity incident relating to services you provide to Rolls-Royce, you must notify your business point of contact and the Rolls-Royce Security Operations Centre (SOC). For more information on this process, please follow Section 1.7 of the Rolls-Royce Minimum Cyber Security Standard. The SOC will provide additional information as needed to address your concerns.

RESOURCE DOWNLOADS

Rolls-Royce Vulnerability Disclosure Policy (PDF)

Report a Cyber Security Incident to Rolls-Royce SOC (PDF)

Our cyber security team: Neil Cassidy

Neil Cassidy oversees all aspects of Rolls-Royce’s cyber security operations across the globe. His team is responsible for policy, information assurance, audit, security architecture, operations and delivering awareness training for all staff. Neil also leads the Enterprise Architects and the risk and compliance teams; his broad oversight means that Rolls-Royce technology and innovation decisions are focused on solving real business problems and risks.

Neil joined Rolls-Royce in 2015 from the UK national Computer Emergency Response Team (CERT-UK), a precursor to the UK National Cyber Security Centre (NCSC), where he was Deputy Director Operations.

Cyber Security Webinars

Watch these important updates from industry leaders.