Russia’s invasion of Ukraine and the imposition of sanctions by the U.S. and European countries have raised the cyber risk profile of aerospace and defense companies. Amid continued financial and economic fallout, concerns about an escalation in cyber warfare are fueling worries among Western companies of a large-scale retaliatory cyber attack. Several Ukrainian government websites have already been taken offline. Recent ransomware and other attacks against U.S. and European firms ranged from logistics (Expeditors International) to mobile communications (Vodafone Portugal) to fuel distribution (Marquard & Bahls) and food products (KP Snacks). All of these incidents caused severe service and supply chain disruption.
Authorities have attributed these attacks to cyber-criminals rather than nation states. Still, the Cybersecurity & Infrastructure Security Agency (CISA) recently posted a “Shields Up” warning to U.S. organizations. It urges them to take steps to protect critical assets against possible Russian government attacks. The UK’s National Cyber Security Centre also advised British companies to ensure their cyber defense measures are up to date.
Interos Insight on Cyber Risk
In addition to energy and critical infrastructure providers, companies in the aerospace and defense (A&D) industry are obvious targets for such attacks, both for denial of service and for intellectual property theft. Their strategic importance to national security is one obvious reason, but another is the high level of concentration risk in the sector, a consequence of the specialized products A&D firms rely on.
Concentration is a well-understood but vitally important, and often ignored, risk in supply chain security. It refers to a cluster of companies depending on a shared supplier within a supply chain. A cyber attack against such a supplier to Western companies could have disastrous effects.
If a shared prime A&D supplier were disrupted by a Russian cyber attack, it could have a strong ripple effect across the entire sector – much as the shutdown of Taiwanese chip makers during Covid-19 brought U.S. automotive production lines to a halt.
Looking Inside the Numbers
To gauge the extent of concentration risk in A&D, Interos took the 2021 top 100 list of defense contractors published by the industry publication Defense News and used our global relationship data graph of more than 350 million entities to map their extended supply chains.
We found that this group of top defense contractors has 1,755 suppliers in common. This included six of the top 20 suppliers to the industry. One of these six suppliers had 27 separate connections to the top defense contractors. And the list doesn’t only include component and material suppliers, but also banks and financial institutions. Indeed, 29 of the A&D companies use the same bank, according to our proprietary data. The over-reliance of many defense companies on a limited number of suppliers makes them vulnerable to disruption if those shared suppliers are compromised. That compromise could come in many forms: a cyber attack, an operational failure, or another unforeseen event. Most of the top defense contractors’ shared suppliers had strong cyber and financial risk scores, based on the Interos i-Score model. However, those scores began to weaken further down the list.
This does not mean that these top defense contractors are currently impacted by a new cyber threat from Russia. But the existing level of concentration risk revealed in the data, which is not atypical, could magnify the damage of a large-scale cyber attack.
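The shared-supplier analysis described above boils down to inverting a contractor-to-supplier map and ranking suppliers by how many contractors depend on them. The following is an added Python example with constructed, hypothetical contractor and supplier names; it is not Interos's tooling or the i-Score model.

```python
from collections import defaultdict

# Constructed sample data: a handful of hypothetical prime contractors and the
# suppliers (parts makers, a bank) each depends on. Names are placeholders.
SUPPLY_MAP = {
    "PrimeA": {"ChipCo", "AlloyWorks", "FirstBank", "AvionicsLtd"},
    "PrimeB": {"ChipCo", "AlloyWorks", "FirstBank", "CompositesInc"},
    "PrimeC": {"ChipCo", "FirstBank", "OpticsGmbH"},
    "PrimeD": {"AlloyWorks", "SecondBank", "OpticsGmbH"},
    "PrimeE": {"ChipCo", "FirstBank", "SealsCorp"},
}

def supplier_connections(supply_map):
    """Invert the contractor->suppliers map into supplier->contractors."""
    connections = defaultdict(set)
    for contractor, suppliers in supply_map.items():
        for supplier in suppliers:
            connections[supplier].add(contractor)
    return connections

def shared_suppliers(supply_map, min_shared=2):
    """Suppliers used by at least `min_shared` contractors, most-shared first."""
    connections = supplier_connections(supply_map)
    shared = {s: len(c) for s, c in connections.items() if len(c) >= min_shared}
    # Tie-break on name so the ranking is deterministic.
    return sorted(shared.items(), key=lambda kv: (-kv[1], kv[0]))

def blast_radius(supply_map, disrupted):
    """Contractors that lose at least one supplier if `disrupted` suppliers go down."""
    disrupted = set(disrupted)
    return sorted(c for c, s in supply_map.items() if s & disrupted)

def concentration_ratio(supply_map, top_n=1):
    """Fraction of contractors reachable through the top_n most-shared suppliers."""
    top = [s for s, _ in shared_suppliers(supply_map)[:top_n]]
    return len(blast_radius(supply_map, top)) / len(supply_map)

if __name__ == "__main__":
    for supplier, n in shared_suppliers(SUPPLY_MAP):
        print(f"{supplier}: shared by {n} contractors")
    print("If ChipCo is disrupted:", blast_radius(SUPPLY_MAP, ["ChipCo"]))
    print("Top-1 concentration:", concentration_ratio(SUPPLY_MAP))
```

On real relationship data the same inversion, applied to each tier of the extended supply chain, surfaces the single points of failure that a risk score for the prime contractor alone would miss.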
Because CISA’s “Shields Up” warning was directed at U.S. companies, suppliers based outside of Western Europe and the U.S./Canada may not be responding in the way that is necessary. Criminal hackers pose a significant threat to companies with inadequate cyber security measures. State-sponsored hackers can draw on vastly bigger resources. They are therefore likely to be more successful in disrupting critical supply chains.
During this time of war, companies should make taking care of any employees affected by the devastation their first priority. And regardless of how the potential cyber threat posed by the immediate crisis plays out, companies need to monitor their supply chains for cyber risk and other sources of supply chain risk. Software supply chain attacks grew by more than 300% in 2021 compared to 2020. We expect them to increase even further in the coming years. A careful and continuous assessment of each supplier’s security posture, and its overall risk profile, will be critical to helping insulate organizations and their stakeholders from supply chain cyber attacks and other disruptions.
Continue to follow the Interos blog as the crisis evolves in Russia and Ukraine. We will continue to post supply chain information and insights as they become available.