Cybersecurity for the Defence Industry
Published on: Monday 02-08-2021
Ravindra Benday presents an overview of cybersecurity threats for the Indian defence industry.
Today, the Indian defence manufacturing industry is a major sector for the economy. The industry is likely to accelerate with rising concerns of national security. Demand for defence equipment in India has been growing due to the ongoing territorial disputes with Pakistan and China over the ownership of the Northern State of Kashmir and the North Eastern State of Arunachal Pradesh, respectively.
Over the last five years, India has been ranked among the top importers of defence equipment as it seeks technological advantages over rival countries such as China and Pakistan. To modernise its armed forces and reduce dependence on external sources for defence procurement, the Government of India has taken several initiatives to encourage ‘Make in India’ activities through policy support.
With rising national security concerns, cybersecurity has become a major concern for the GoI, especially the Ministry of Defence. Since the start of the Covid-19 pandemic, the number of ransomware, malware, DDoS and phishing attacks has surged.
A Chinese state-backed hacker group is targeting Indian defence research and other Indian organisations, according to the latest research from an American cybersecurity firm. In a report released on June 16, 2021, cybersecurity firm Recorded Future, headquartered near Boston, USA, said it found links between a ‘suspected’ Chinese state-sponsored threat activity group, which it tracks as RedFoxtrot, and the People’s Liberation Army’s Unit 69010, a Chinese military intelligence unit. According to Recorded Future, RedFoxtrot has been active since at least 2014 and has predominantly targeted the defence, government and telecommunications sectors across Central Asia, India and Pakistan. In the last 6 months, Recorded Future detected RedFoxtrot targeting 3 Indian aerospace and defence contractors; major telecommunications providers in Afghanistan, India, Kazakhstan and Pakistan; and multiple government agencies across the region. Speaking to the Indian news website The Print about the targeted organisations, Recorded Future named two Indian defence contractors: Walchandnagar Industries, a Mumbai-based heavy engineering company engaged in the defence and nuclear business, and Alpha Design Technologies (ADTL), a Bengaluru-based company licensed to develop, manufacture and supply defence electronics, avionics, simulation, UAVs, AFV equipment and systems.
Security manual for Indian Licensed Defence Companies (ILDC)
The Department of Defence Production, Ministry of Defence, New Delhi, released the Security Manual for Indian Licensed Defence Companies, their contractors and subcontractors in June 2014. The Security Manual describes the security architecture that Indian private-sector defence companies must put in place before undertaking the manufacture of defence products for which they have been issued an industrial licence under the IDR Act. The level of security required depends on the category of product the company intends to manufacture. In all circumstances, companies with whom the Government shares any classified information, as part of a procurement contract or otherwise, come under the purview of the Official Secrets Act, 1923.
In case the ILDC outsources/releases or discloses classified information/project to a sub-contractor, all provisions of the Security Manual as per applicability shall be followed. The security parameters between the subcontractor and the ILDC shall be included in the contract with the following additional provisions:
1. Outsourcing partners’ personnel and facilities would also be covered under the Official Secrets Act, 1923, whenever the ILDC is handling classified material, documents, information, etc.
2. Persons working on such projects should be checked for character antecedents and police verification shall be obtained before inducting any person on such assignments.
3. All the relevant clauses of the Manual of Security are to be made applicable for the sub-contractor.
High risks for defence contractors
Risks are high for defence contractors and their affiliates who provide research and development, manufacturing, mission assurance, engineering, logistics and acquisition, testing and integration and similar services. These affiliates are constantly innovating to produce technologically advanced products, and the speed of innovation creates a significant amount of intellectual property (IP), which must be digitally protected by every participant in the supply chain. The risk of aggregated covered defence information and controlled unclassified information about future defence capabilities, or of IP, being exposed through cyber-attacks is a major threat to national security.
Defence manufacturing often involves a complex supply chain of tier-1, tier-2 and tier-3 contractors. This complexity introduces numerous cybersecurity risks, as the involvement of multiple organisations places confidential information in environments with greater opportunity for compromise and exploitation. Further down the supply chain, lower-tier suppliers generally find it even harder to secure sensitive data, because of costly, inconsistent or incompatible implementations of cybersecurity controls, or because they misinterpret the applicable regulations or requirements.
Top 5 cybersecurity threats to defence contractors
Here are the top 5 threats facing defence contractors in India today:
1. Malware and Ransomware
The most prominent threat to defence contractors is ransomware and other malware. Hackers have been installing malware on large networks for years, often with the intent of using the malicious software to facilitate future unauthorised access to the system. Ransomware is the latest form of malware, and it is now starting to hit defence contractors.
2. Phishing and Social Engineering
Social engineering, typically in the form of phishing and spear-phishing attacks, is a significant threat to both public and private defence organisations. It has been observed that 91% of all cyber-attacks start with social engineering, where individuals within an organisation are targeted with phishing or spear-phishing emails. In the USA, a group of defence contractors was targeted by the infamous Russian hacking group known as Fancy Bear. 87 individuals, working for both large and small firms, were sent phishing emails, and 40% of them clicked on the phishing links, putting their companies at risk. The hackers appeared to be seeking classified information about military programmes involving missiles, drones and stealth fighter jets.
3. Data Breaches
Data breaches continue to be a significant cyber threat to government agencies and contractors alike. In December 2020, critical and classified data of a Noida-based private company, ELCOM Innovations P Ltd, providing technology solutions to the country's defence forces, was allegedly hacked, leading to theft of confidential information which has caused an estimated loss of Rs 50 crore.
4. Insider Attacks
Defence contractors also need to be on the alert for attacks by their own employees. The inside access that employees have makes them capable of inflicting tremendous damage if they choose to abuse their access privileges for illicit gain. A holistic approach is mandatory for efficient and effective cyber-risk management. Ultimately, organisations will have to integrate business, operations, security and risk teams for efficient intelligence-sharing and a collaborative response to insider threats.
5. Third-Party and Supply Chain Attacks
Another very real threat to defence contractors is third-party and supply chain attacks. In this type of attack, the contractor’s systems are compromised as a means of reaching the systems of a government agency or supplier: the hackers gain access to high-value government assets through the less secure systems of the contractor. As an example, in September 2019 the European aerospace company Airbus was the target of a series of data breaches through its subcontractors. The subcontractors had their systems compromised in an attempt to obtain commercial secrets from Airbus. The hackers were not able to gain access to Airbus directly, but could do so via the company’s subcontractors.
Important Mitigation Strategies – Best Practices I
To protect information provided by or developed for the GoI, contractors should implement the following mitigation strategies against cybersecurity incidents:
a. Patch applications, e.g., Flash, web browsers, Microsoft Office, Java and PDF viewers. Patch/mitigate computers with ‘extreme risk’ vulnerabilities within 48 hours. Use the latest version of applications.
b. Configure Microsoft Office macro settings to block macros from the internet, and only allow vetted macros either in ‘trusted locations’ with limited write access or digitally signed with a trusted certificate.
c. Use application control to prevent execution of unapproved/malicious programs, including .exe files, DLLs, scripts (e.g., Windows Script Host, PowerShell and HTA) and installers.
d. Patch operating systems. Patch/mitigate PCs and network devices with ‘extreme risk’ vulnerabilities within 48 hours. Use the latest operating system version. Don’t use unsupported versions.
e. Use multi-factor authentication, including for VPNs, RDP, SSH and other remote access, and for all users when they perform a privileged action or access an important (sensitive/high-availability) data repository.
f. User application hardening. Configure web browsers to block Flash (ideally uninstall it), ads and Java on the internet. Disable unneeded features in Microsoft Office (e.g., OLE), web browsers and PDF viewers.
g. Restrict administrative privileges to operating systems and applications based on user duties. Regularly revalidate the need for privileges. Don’t use privileged accounts for reading email and web browsing.
h. Take daily backups of important new/changed data, software and configuration settings, stored disconnected and retained for at least 6 to 9 months. Test restoration initially, annually and whenever IT infrastructure changes.
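As an added example (not from the Security Manual or the author), a read-only PowerShell audit that reports gaps against items b, c and g above on a single Windows host. It assumes Office 2016 or later (registry version 16.0) and Windows 10 or later; the registry paths are the standard Office and Windows policy locations, and the local-administrator threshold of two is an arbitrary constructed value.

```powershell
# Added audit for three of the mitigation strategies above (b, c, g). Read-only: it
# reports gaps and changes nothing. Assumes Office 2016+ (16.0 keys) and Windows 10+.
$findings = @()

# (b) Office macro policy per application. blockcontentexecutionfrominternet = 1 blocks
# macros in files that carry the internet mark-of-the-web; VBAWarnings = 3 allows only
# digitally signed macros and 4 disables all macros without notification.
foreach ($app in 'Word', 'Excel', 'PowerPoint') {
    $policy = "HKCU:\Software\Policies\Microsoft\Office\16.0\$app\Security"
    $block  = (Get-ItemProperty -Path $policy -Name 'blockcontentexecutionfrominternet' -ErrorAction SilentlyContinue).blockcontentexecutionfrominternet
    $vba    = (Get-ItemProperty -Path $policy -Name 'VBAWarnings' -ErrorAction SilentlyContinue).VBAWarnings
    if ($block -ne 1)         { $findings += "${app}: macros from the internet are not blocked by policy" }
    if ($vba -notin @(3, 4))  { $findings += "${app}: unsigned macros are not disabled (VBAWarnings=$vba)" }
}

# (c) Windows Script Host: Enabled = 0 under the machine-wide Settings key stops
# .vbs/.js files from running through wscript.exe/cscript.exe.
$wsh = (Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows Script Host\Settings' -Name 'Enabled' -ErrorAction SilentlyContinue).Enabled
if ($wsh -ne 0) { $findings += 'Windows Script Host is enabled for all users' }

# (g) Administrative privileges: list local Administrators so membership can be
# revalidated against user duties. The threshold of 2 is a constructed example value.
$admins = @(Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue)
if ($admins.Count -gt 2) {
    $findings += "Local Administrators has $($admins.Count) members: $($admins.Name -join ', ')"
}

if ($findings.Count -eq 0) { 'No gaps found for strategies b, c and g on this host.' }
else { $findings | ForEach-Object { "GAP: $_" } }
```

Run it in an elevated session so the HKLM key and local group membership are readable; machine-wide Office policy under HKLM, if used, needs the same checks against the HKLM path.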
Additional Mitigation Strategies – Best Practices II
Perform Vulnerability Assessment & Penetration Testing (VAPT) regularly. In addition to implementing the above mitigation strategies, systems should be regularly reviewed for security vulnerabilities, particularly after significant changes. VAPT can be done by an independent security services provider using both automated and manual methods.
Implement an education programme for employees within the organisation. Such a programme gives employees a better understanding of common cyber threats, such as socially engineered emails, malicious websites and the danger of poor password policies, among many others.
Beware of malicious insiders. Adversaries will often attempt to influence contractors’ employees in an attempt to gain access to critical information or to have them perform actions on a system to benefit their strategic goals. By conducting ongoing vetting of employees, especially for those with privileged access, controlling the ability to remove critical information from systems, and implementing a comprehensive audit program, this risk can be lowered.
Report cybersecurity incidents early and often. This includes informing CERT-In (the Indian Computer Emergency Response Team), a government-mandated information technology (IT) security organisation. The purpose of CERT-In is to respond to computer security incidents, report on vulnerabilities and promote effective IT security practices throughout the country.
It is very important to the strategic priorities of the GoI that industry and the defence establishment work from the same page to build robust cybersecurity. Of course, it takes time and money to implement an effective cybersecurity programme. Defence contractors and subcontractors should act sooner rather than later to get up to speed with the Ministry of Defence’s cybersecurity requirements if they wish to continue to do this work.
Ravindra Benday is the Founder and Managing Director, Chief Mentor, Chief Motivator and Chief Drill Sergeant at Benelec Infotech P Ltd, Pune, with 30+ years’ experience in building great teams and successful service business models. Under his leadership, the company has grown at a rapid and profitable clip with revenues having grown substantially over the years. Mr Benday oversees the company’s business strategy aiming to redefine how the IT Services industry delivers the solutions to the mid-market.