Northrop Grumman’s [NOC] cybersecurity strategy has focused on embedding cyber protections into its products during their development phases, company officials said.

“The value of embedded cyber means that it allows our customers to cyber harden their platforms up front by building in good systems engineering, good architectural approaches and designing cyber in from the very start,” said Mike Papay, Northrop vice president and chief information security officer, at a briefing at the National Press Club.

The company said the strategy increases efficiency and decreases costs as it expands the long-term lifecycle of platforms and systems. Papay said the company did not yet have a way to quantify savings, but it can apply the cyber embeddedness concept across all of its products.

“You can approach the same embedded cyber methodology on an aircraft, or a ship, or an Army vehicle,” he said.

Greg Schmidt, vice president and general manager of Northrop Grumman’s Training Solutions division, said embedded cyber protections will also help systems that are not within the confines of a military establishment and may be operating in an degraded environment. 

"As these systems are deployed, they’re protected," he said.

Papay described embedded cybersecurity as an “all of the above” approach, meaning that the company addresses vulnerabilities from the infrastructure’s perimeter down to its networks, applications and data. This includes creating secure code and other defenses from the beginning of a project’s development.

Papay used the Navy’s tactical afloat network–Consolidated Afloat Network and Enterprise System (CANES)–as an example of a system to which Northrop Grumman has applied the embeddedness concept.

The company also plans to embed cybersecurity components into any upgrades or sustainment processes that it performs for existing systems.

“I think this is one of the issues that the defense community is coming to grips with just now,” Papay said.

He said he supports the president’s February Executive Order on cyber preparedness and the development of standards on cybersecurity from the National Institute of Standards and Technology (NIST). However, Papay said the evolving cyber threats require risk-based assessments that may not be able to follow across the board rules.

“You can’t just look at the entire NIST standard…and say I’m going to do all of that,” he said. “It’s a negotiation process and an education process with your customer about these [standards] are important to do, these we’ll do next and these are not important because they don’t make sense in our environment.”