Editor’s Note
This article highlights a critical vulnerability in the aerospace sector’s cybersecurity: the supply chain. While major firms have fortified their own systems, the interconnected nature of modern manufacturing creates new risks. The piece examines the collaborative AirCyber initiative as a potential model for industry-wide defense.

Cyber threats represent a major challenge for French giants in the aeronautics and aerospace sectors. While large companies have increasingly secure systems, a weak point remains within their cyber defense posture: their supply chain. Facing this challenge, BoostAeroSpace launched the AirCyber program in 2019.
The AirCyber program, developed by BoostAeroSpace since 2019, was born to ensure the cyber security of the aeronautical supply chain by establishing a “cybersecurity approach,” according to Romain Bottan, Director of the AirCyber program. Indeed, the supply chain is particularly vulnerable to cyber threats, as stated by Pascal Andrei, CSO of Airbus. It was in light of this observation that the four major companies in the sector, Airbus, Dassault, Safran, and Thales, came together to create BoostAeroSpace.
This initiative fits within the specific context of the industry. On one hand, the French aeronautics and aerospace sector represents 4.3% of French GDP. It is the leading export item in the French trade balance, with €23.5 billion exported in 2022 by the sector’s over 1000 companies and 250,000 employees. On the other hand, it is a sector with major sovereignty stakes: human expertise, developed cutting-edge technologies, sensitive markets (notably Defense)…
According to Pascal Andrei,
Four major players dominate the sector. Airbus is the world leader in aircraft manufacturing (civil and military). Safran specializes in aeronautical and space propulsion. Dassault Aviation is known for its military aircraft (Mirage, Rafale) and business jets. Thales specializes in aerospace, defense, and security. Each of these players invests in its cybersecurity. Airbus Protect and Airbus Defence and Space Cyber focus on risk management and develop cybersecurity solutions. Safran strengthened its cybersecurity policy in 2020 and then in 2021 via a Cyber plan. Dassault also invests in its cyber defense, and Thales also offers services to secure its information systems. Thus, the four major players are resilient, capable of defending themselves and responding to an attack on their information systems.
However, according to these same players, their own suppliers and service providers do not sufficiently consider these cyber risks. This is a weak point in the cybersecurity posture of each of the four major companies in the sector. A leak of sensitive data at one supplier has consequences, whether minor or major, for other suppliers in the supply chain. It opens an attack surface on these other suppliers and thus ultimately provides a means to attack the four major companies in the sector. The attack surface is the set of all vectors through which attackers can penetrate a company’s information system (IS).
Small and medium-sized enterprises (SMEs, 20-249 employees) and very small enterprises (VSEs, 0-19 employees) are naturally less well-equipped than large groups to face cyber threats due to their smaller size, even though they constitute the majority of the supply chain. Indeed, La Grande Consultation des entrepreneurs notes that only 28% of small business leaders said they were concerned about cybersecurity in 2022. This is due to several factors: a lack of strategic consideration for the value of data, a lack of short- and long-term investment in cybersecurity, and the absence of trained and dedicated personnel within SMEs, such as a Chief Information Security Officer (CISO). As a result, responsibilities for the information system (IS) can end up dispersed among several departments, diluting the effectiveness of a cybersecurity policy, assuming such a policy exists. The lack of a strategic vision for the company’s data is also at the root of the lack of a resilience mindset within supply chain companies.
Furthermore, the interconnection of older and newer systems in the production apparatus is also a risk factor. The French aeronautical industrial base was definitively structured with the creation of the Aérospatiale group in Toulouse in 1970.