This fact sheet is supported by:

  • Role Specific Mandatory Training

What cyber security risks does BAE Systems face, and how do you manage them?

Cyberspace is an increasingly contested environment with criminals, hacktivists and sub-threshold activity from nation states being a significant threat. As a major defence, aerospace and security Company, it is critical that our digital infrastructure, as well as the products and services we sell, are cyber resilient and the intellectual property and confidential information held and processed on them is appropriately secured.
 
We face threats to the operation of Information Technology (IT), Operational Technology (OT), systems and infrastructure. We are also aware that we may be the targets of hackers, unlawfully attempting to get access to information about the Company, its customers and suppliers. 
 
We have a broad range of measures in place to combat these risks. Many of our networks and systems have been adapted to meet government-level requirements for handling classified information. 
 
As a Company, we are at the forefront of security and technology, so we leverage our own skills and market knowledge to constantly re-evaluate our security and the threats that face us. 
 
Our Global Security Operations Centre continually monitors and analyses our infrastructure for signs of attack and insider threats. A formal assurance programme, audited internally and externally, ensures we adhere to Company standards and customer requirements. We also run a programme of continuous employee education to ensure our people are aware of threats, understand our policies, and know how to action them. 
 
Our Cyber Security risk is constantly reviewed and an agile, proactive approach to mitigating the risk is taken. We do this by efficiently leveraging our core internal capabilities in cyber security, including our specialist threat intelligence service, to maintain a managed risk position as we digitally transform and the threat landscape evolves.
 
The Group’s internal Cyber Security Standards are aligned to the National Institute of Standards and Technology (NIST) framework, and a formal, three layers of defence assurance programme, which is reviewed both internally and externally, is operated to check adherence to these standards and customer requirements. Additionally, many of the Group’s IT environments are formally accredited and/or assessed as compliant by its government customers.
 
For our internal networks, our NIST-based Global Cyber Security Standards and our three lines of defence assurance model, supported by a more real-time view given by our Security Operations Centres and reporting dashboards, together ensure that the effectiveness of cyber security controls is closely monitored.
 
To further increase our cyber resilience, our Security Operations Centres in the UK and the US perform continual protective monitoring of our core networks. In the event of a cyber incident, we have a Cyber Incident Response plan which feeds into the Group’s Crisis Management plan if required. Regular exercises are conducted across the business, up to and including the Executive Committee, to test the Cyber Incident Response plan.

Explain the governance of your cyber security strategy at a Board and executive level.

Cyber security is covered by two group level policies, which are part of our Operational Framework – our Information Management and Technology Policy; and our Security Policy. Compliance with these policies is reviewed every six months, via the Operational Assurance Statement (OAS) process, by sectors and Group functions.
 
Our approach to identifying and assessing cyber security risks is embedded within our approach to risk management.
 
Our Cyber Security Steering Committee, held quarterly, is a BAE Systems Plc meeting and is attended by our Chief Technology and Information Officer (CTIO), who is a member of our Executive Committee, as well as senior leaders across IT, legal, procurement, engineering and manufacturing. Its purpose is to direct and track cyber security risk reduction priorities, escalate any significant risks or control gaps, and oversee the execution of cyber strategy.
 
Cyber security is reviewed as part of the Quarterly Business Review and Chief Executive’s Business Review Process and is reviewed by the Executive Committee. In addition, two detailed security briefings are delivered to the Executive Committee per year.
 
The Board level Audit Committee is responsible for oversight of cyber security controls and risk management. The Chief Executive attends the Audit Committee meetings and is responsible for our cyber security strategy.

Do members of your Board and Executive Committee have cyber security experience?

Julian Cracknell, Chief Technology and Information Officer (CTIO) and member of our Executive Committee, has a first class degree in computer science. As former Managing Director of the BAE Systems Digital Intelligence business, he has a strong understanding of cyber security and digital transformations.

Do members of your Board and Executive Committee have cyber security incident recovery experience?

All of the Executive Committee have been through a number of incident response exercises as well as 1-1 cyber security awareness training. The Board has also received 1-1 cyber security awareness training.

Which role or function has responsibility for cyber security within the Company?

The Chief Information Security Officer reports directly to the CTIO, who is a member of the Executive Committee. The CTIO reports directly to the Chief Executive. 
 
The CTIO develops and leads the Company’s overall technology strategy, which includes cyber security.

Do you have a cyber security strategy?

The cyber security strategy is overseen by members of the Board and Executive team with relevant experience in cyber security.
 
The cyber security strategy states that we will enable digital transformation, have a strong cyber culture across our workforce, be threat and risk led, demonstrably reduce risk, have a clear cyber security posture and demonstrate collaborative leadership internally and externally.
 
Our cyber security strategy is delivered through six work streams with the following aims:

  • Improve the Cyber Security Delivery Engine – Aim: Consistent and effective organisation, operating model and governance. Enhance delivery agility and cyber skills;
  • Strengthen Governance, Risk & Compliance – Aim: We have robust and efficient Cyber Security Governance, Risk & Compliance (GRC) functions modelled on industry best practice and supported by well understood standards aligned to our customer and business requirements;
  • Improve Cyber Resilience – Aim: We are well rehearsed at detecting and responding to different types of attack and can act faster with more confidence to mitigate the impact. Where a major impact is experienced, we have rehearsed processes to recover critical data, capabilities and services;
  • Strong Controls and Cyber Hygiene – Aim: We have deployed a full baseline of cyber security controls and anticipate the need for change and evolution. Where exceptions to baseline controls occur, risk is contained and carefully managed with additional compensating controls;
  • Embed Security Culture & Awareness – Aim: Like Safety, Cyber Security becomes ingrained in all that we do and is routinely discussed and called out at all levels of the organisation. High-risk users receive additional support and emerging threats are understood and widely communicated; and
  • Secure the Supply Chain – Aim: We understand the cyber security risk in our supply chain, manage areas of higher risk with additional controls and can respond effectively when new threats arise.
These work streams have launched new global Cyber Security Standards for IT and OT, as well as publishing a ConOps and new governance model. We have launched a new evidence-based, continual assurance methodology and significantly enhanced our cyber reporting.
 
We have published a three-tiered governance framework. The top tier enables effective oversight by BAE Systems Plc senior business leadership, keeping risk management in line with Board appetite across the Group. The middle tier governs risk management and change across BAE Systems Plc by integrating management with risk management leadership for effective oversight. The bottom tier ensures effective collaboration and engagement for risk management operations.

Explain your incident response systems.

We have a Group Incident Response Plan and more detailed plans, aligned to the overall Incident Response Plan, in each of the business units. The Cyber Security Incident Response plan describes the key areas and processes that need to be followed. In the event that a major incident is declared a ‘Crisis’, it would be escalated in line with the Crisis Management plan.
 
We regularly test these plans with table-top exercises. We also have Business Continuity plans in place that are tested at least semi-annually.
 
We conduct third-party vulnerability analysis and regular penetration testing, including full red teaming.
 
We have a multi-channel approach for security incident reporting. Employees can either complete an incident report form on the intranet, which contacts the relevant teams, or telephone Site Security. Contact numbers are well communicated. We also have an Ethics Helpline that allows anonymous reporting. 
 
We regularly remind staff how to recognise an incident and stress the importance of fast reporting.
 
We make use of various security awareness and reporting tools – for example, we've embedded a button in Outlook that reports phishing emails. All external emails are tagged with a warning banner indicating that the email has originated outside the organisation and that extra care should be taken.

Who do you report incidents to?

We rigorously collect all incident data. We also report in line with the regulations of the country we are operating in as well as our contractual obligations to our government customers, including the UK MOD, the US DOD and the Australian MOD.

Do you conduct internal or external security audits, vulnerability assessments or penetration (pen) testing?

We perform continual vulnerability assessments across all our Enterprise networks and perform regular pen testing using CREST-certified pen testers. The pen tests include full red teaming exercises to thoroughly assess our systems against the latest threats. We perform evidence-based assurance against our Global Cyber Security Standards, ensuring that both 1st line and independent 2nd line assurance is completed.
 
We continually run and monitor an external scan of our estate using BitSight, as well as using independent CREST-approved pen testers. An external consultant performs an independent audit of our financial IT systems, and our Internal Audit function also performs independent 3rd line audits on areas of concern or risk. In addition, due to the classified nature of our work, a large number of our networks, including our main enterprise networks, are independently accredited by our customers (UK MOD, Australian Signals Directorate, and UK intelligence agencies).

Do you have a dedicated team to manage cyber security?

In order to have a coordinated capability with sufficient scale, we have a central cyber security team in Head Office, as well as a Sector cyber team and teams embedded within our programmes and geographies. Our ConOps and governance model ensure we have clarity of role and coordinated capability. We have invested in our in-house Security Operations Centre since insourcing it over two years ago. We have state-of-the-art tooling as well as a team of expert cyber analysts who triage and investigate alerts. We also have threat hunters, in addition to a team who ensure that the detection content is kept up to date with the threat landscape. We have a market-leading threat intelligence team in our Digital Intelligence business, along with a CREST-approved incident response team and pen testing team. These capabilities from our Digital Intelligence business are used extensively within the Company, as well as by our government and defence customers around the world.

Is your IT infrastructure certified to ISO 27001, NIST or similar?

Our internal Cyber Security Standards, applicable to all Company IT and OT networks, are aligned to the National Institute of Standards and Technology (NIST) framework and controls, and a formal, three layers of defence assurance programme, which is reviewed both internally and externally, is operated to check adherence to Company standards and customer requirements. Additionally, many of our networks are formally accredited by our government customers.
 
For more information:
See our SASB Disclosures.  
 
For NIST Standards, please see https://www.nist.gov/cybersecurity
 
For a mapping of ISO 27001 standards to relevant NIST controls that has been compiled by NIST, please see https://csrc.nist.gov/CSRC/media/Publications/sp/800-53/rev-5/final/documents/sp800-53r5-to-iso-27001-mapping.docx

What is your cyber security policy for suppliers?

It is imperative that our suppliers recognise the critical importance of cyber security and ensure they have the appropriate controls in place to protect the information that they hold and generate in the work they do for us and our customers.
 
We include clauses within our supplier contracts and Standard Conditions of Purchase. For example, we flow down cyber security clauses within contracts relating to US Federal Acquisition Regulation (FAR) and the US Defense Federal Acquisition Regulation Supplement (DFARS). These clauses have clear requirements for how information is to be protected and how cyber incidents are to be reported. 
 
Our UK Standard Conditions of Purchase require suppliers to meet ‘Cyber Essentials’. Suppliers that handle more sensitive information are required to implement controls equivalent to Cyber Essentials Plus. Cyber Essentials is a UK government-backed scheme that helps organisations guard against cyber-attacks and certifies companies’ levels of preparedness. Further information can be found here.
 
Additionally, where suppliers aren’t yet governed by the regulations and contractual requirements, our cyber risk management processes incorporate our own supplier cyber assessment model, which parts of our business use to scope the extent to which nominated suppliers are implementing, or have implemented, cyber security measures.
 
Each business line is responsible for identifying risks stemming from suppliers in their supply chain. They conduct regular due diligence and risk reviews including specific reviews of cyber, IT and product security. The process is set down in our Supplier Principles document. 
 
The document states that BAE Systems expects its suppliers to develop, implement and maintain appropriate security measures to protect the information they create, collect, handle, store or are responsible for, in accordance with applicable laws, regulations and contractual requirements, regardless of whether such information belongs to the supplier, BAE Systems and/or its customers. We also expect our suppliers to address any security issues proactively and to notify and support BAE Systems in responding to and remedying any security breaches. More information is available in our Procurement Policy.

How do you engage and train employees on cyber security?

All employees must complete our comprehensive, risk- and threat-based programme of security training. The programme is designed to make us less vulnerable to attack and to enforce the security policies and processes we have in place to protect our data and systems.
 
Our current Cyber Security Education Programme includes mandatory eLearning (as required by our Operational Framework), supervisor-led cyber security scenario workshops, targeted training for employees in specialist or high-risk roles, and awareness activities to drive engagement. All training content is tailored according to roles and responsibilities and is regularly reviewed and updated in line with the evolving threat landscape, policies, processes, technologies and ways of working.
 
Education and awareness to embed a strong cyber security culture across all employees and staff is another vital part of our activities. We take a holistic approach, providing training coupled with events and activities to drive better engagement and learning outcomes. We strive for the training to be relatable, both on a professional and personal level, to ensure that hybrid working staff maintain a strong sense of cyber awareness whether at home or in the office. Employees and staff are subject to annual mandatory training which, depending on role, covers cyber security, physical security, document marking, security of export-controlled information, and personal data protection. As many cyber attacks still involve email, we run a programme of phishing exercises for all email users across the enterprise. Phishing training occurs for all employees at least four times a year. Users who click on the phishing test emails receive targeted training, and repeat clickers may be subject to disciplinary proceedings.
 
The information contained in this fact sheet is for PLC managed businesses and is accurate as at the date of its publication.
 
Publication date: 02/05/24