Best practice to improve aerospace and defence cybersecurity

This article originally appeared in the June'23 magazine issue of Electronic Specifier Design – see ES's Magazine Archives for more featured publications.

With software becoming increasingly integral to electronic systems in military and aerospace applications, cybersecurity has become an even greater priority than ever before. And one of the main ways security vulnerabilities are created is during the software development stage, through errors when source code is written.

For instance, when an SQL statement is created using unvalidated input, an attacker can craft the input in a form allowing the attacker to execute arbitrary SQL statements. With this sort of opportunity, an attacker could read confidential data, modify data, or execute arbitrary commands such as deleting all the information in the database.

This is why ensuring that software development processes in aerospace and defence are rigorously managed and as secure as possible is essential. Furthermore, for compliance purposes, firms involved in these markets must provide evidence that they have adopted best-practice security techniques.

And there is growing awareness of the need for security. Perforce’s State of Aerospace survey in 2020 found that security was the number one priority of respondents. However, the growing complexity of software and the fact that there are often multiple organisations involved in creating an electronic system can make security a challenge. That said, there are some steps that organisations can take to improve safety within software development.

See the bigger picture

First, looking at the bigger picture is essential, examining all software sources, both internally and across the supply chain. Legacy code can present issues, especially in the absence of prior testing or lack of current technical support. Open-source software has significant benefits, but its easy accessibility makes it a target for malicious attacks.

Similarly, unless commercial off-the-shelf software (COTS) is supported with strict requirements and proper testing, integrating COTS software may also present security risks.

Once the software landscape is understood, it is then vital to prioritise cybersecurity within software development processes. In practice, this includes alignment between the development and other business teams and finding strategies that can adapt to emerging threats and market dynamics. A useful resource is the US government’s Defence Innovation Board (DIB)’s Software Acquisition and Practices (SWAP) report, which includes some example processes to follow.

Lean on standards

In addition, a vast pool of industry-wide knowledge is available, such as the community-led Common Weakness Enumeration (CWE) Top 25 list of the most widespread and critical vulnerabilities. Likewise, the Open Web Application Security Project (OWASP) Top 10 covers critical security risks for applications based on analysing exploits most used by hackers and the level of subsequent damage.

A further resource is the Security Technical Implementation Guide (STIG) from the Defence Information Systems Agency (DISA) which shares guidance on how organisations should manage security software and systems.

Coding standards also have a role to play here, which act as sets of rules or guidelines that essentially say ‘do this’ or ‘do not do that’. Returning to the earlier SQL example, a coding standard might instruct users to use only constant strings when creating SQL statements.

In aerospace and defence, relevant coding standards include MISRA and MISRA C:2012, which ensure that code created in C and C++ programming languages is safe and secure. Furthermore, the MISRA C:2012 addenda include guidance on mapping to the secure coding rules within ISO/IEC TS17961:2013 and CERT C. Perforce’s survey found that 76% are required to comply with at least one security, quality, or functional safety standard.

Automation

All these resources help mitigate the impact that getting up to speed on security can have on software developers, who are individuals typically stretched for time. A further way to reduce the workload is to automate security-related processes as much as possible. For example, coding standards would be time-consuming to apply manually, so they are increasingly implemented using static analysis tools. These tools examine source code for vulnerabilities and gaps in compliance while it is being written, in background mode and giving developers confidence that they are developing securely.

Visibility

Beyond in-house teams, building security risk management into development processes across the supply chain is vital. That needs to be based on visibility, enabling newly procured software to be validated and existing code to be audited. By using a continuous security and code compliance platform, aerospace organisations can have a single pane of glass and a centralised store of analysis data, trends, and information for codebases. Consequently, developers can view trending data or project quality and compliance purposes, as well as create supporting reports.

Putting all these measures in place helps create a foundation ready for the increasing complexity of software alongside the likely growth of cyberattacks. While software development is just one element of security, it is an important one and needs to be prioritised. Ensuring that vulnerabilities or compliance issues are detected and remediated as early as possible, without slowing down software development time, goes a long way to addressing the security challenges that aerospace and defence face.