
Protecting the supply chain: How UK’s MOD is putting cybersecurity front and center

Keeping critical defence information safe and secure is everyone’s job — not just the Government’s.

Cyberthreats constantly evolve in an increasingly complex world. For defence systems, the supply chain can be a weak link and needs to be strengthened.

“It’s how bad actors want to get in,” says Mark Parkin, head of cyber security for Rolls-Royce’s Defence business. “Foreign nations and threats are more likely to target the supply chain.”

That means the Government agencies buying and deploying the defence systems, like the UK Ministry of Defence (MOD), cannot be solely responsible for security. Still, the MOD sets the conditions and standards that contractors and suppliers must follow.

In response to evolving threats, significant security changes are underway.

Accreditation is no longer the norm

For years, the MOD evaluated the products it was buying and then signed off, granting an accreditation that was typically valid, and not revisited, for several years.

The arrangement was less than ideal. Products and programs risked being evaluated after completion with security enhancements being bolted on to the finished product. Suppliers had little incentive to make any security improvements during the life of their accreditation.

“It was supposed to be joint risk management, but it was largely perceived by suppliers as a risk transfer exercise,” said Parkin. With the Government signing off, it shouldered much of the responsibility.

Secure by Design has replaced accreditation

With cyber threats increasing, the MOD has altered its security scheme. Secure by Design is the name of the initiative that has replaced accreditation for MOD-delivered projects, integrating cybersecurity and resilience into the development and procurement of defence systems from the outset.

The new model recognizes that security should not be an afterthought but a fundamental requirement throughout the lifecycle of defence technology.

Secure by Design is relatively new but is becoming the norm. Rolls-Royce has been incorporating the process into its work, and over time more subcontractors and suppliers will experience the process.

To be sure, there are growing pains. “When we think about the size and scale of the MOD, and the move from a small, centralized accreditation team out to every single program having to recruit and establish their own cybersecurity programs and then employ new ways of working and processes, that's going to take time to establish those new ways of working,” Parkin said.

More changes ahead

But wait. There’s more. MOD no longer accredits suppliers, and a new standard in development — Defence Standard 05-138 (DefStan 05-138) Version 4 — will establish more robust requirements for Defence suppliers to protect sensitive MOD information and ensure supply chain cyber resilience.

The MOD is working to build a full suite of people, processes, and technology to deliver the new standard into the supply chain. “Then we'll see that released and then put out into contracts,” Parkin said.

The new standard will include expanded risk-management requirements, as well as stronger asset management controls and enhanced supply chain security measures.

What to do now to get ready

Suppliers must be prepared and aware, and ready for some of those growing pains, but they are urged to keep an eye on the result: building partnerships and sharing responsibility.

The Defence industry, Parkin says, needs to “continue to raise the bar, and mitigate the cyberthreats that are heading their way.”

Learn more by reading our toolkit for MOD cyber requirements.