Protecting defence platforms: ‘engineering in’ cyber security

AtkinsRéalis’ Technical Director - Cyber Security, Matt Simpson, proposes that complex and costly defence programmes need to engineer solutions to achieve cyber resilience.

The recent UK Strategic Defence Review (SDR) highlights the ‘intolerable levels’ of cyber risk carried by defence, and recommends that legacy systems are retired to reduce risk and enable robust cyber security. With malicious entities poised to attack platforms’ and systems’ digital security, aiming to prevent them from fulfilling their mission to protect national security, strong cyber protection is crucial for defence.

But security cannot be considered in isolation. Every defence asset, whether a legacy system or a new innovation, forms part of a ‘system of systems’, with its operation and functionality often reliant upon the other systems with which it interacts. Each asset has a role to play in the overarching mission goal. As part of the interconnected system of systems, key information technology (IT) capabilities may depend upon operational technology (OT) legacy systems to deliver their purpose. So, before embarking on a wholesale replacement of legacy systems, defence needs to understand each system’s role, and the impact of its failure on mission-critical operations.

While many legacy systems make a valuable contribution to defence outcomes, not all are of equal criticality of course. The failure of a jet fighter’s systems, for example, will have a higher impact than a building’s facilities’ systems. Rather than pre-judging all older systems as insecure, and launching an expansive replacement programme, defence needs to take an engineering approach: a quantitative assessment of their vulnerability, which evaluates whether the impact of their failure is above a threshold defined as unacceptable.

Understanding the risk

A key part of understanding systems’ vulnerability is to understand how operations would be affected by their failure. If there was a cyber security incident on a platform, or involving its underlying infrastructure, how quickly would operations be able to recover? Reverse engineering can help defence understand what it needs to protect, by asking ‘what does the system do?’ and ‘how would I break it?’, but it’s essential to look beyond the obvious, to the issues that will affect the platform’s availability, reliability and maintainability. What would happen, for example, if fuel couldn’t be provided to the vehicles supplying a platform and its enabling dockside or airbase infrastructure?

An incident – whether cyber or physical – isn't just about the failure. It's about the response to that failure and how quickly operations can be restored. By understanding how a system will fail, defence can understand how it can rebuild it, allowing it to manage the risk until it can upgrade the technology and build in better security. This will require both people and process controls: making people aware of the vulnerabilities in the equipment; and showing how their interactions with it can better protect it, through providing a human firewall.

Securing the supply chain

Central to this human firewall is the supply chain – including anyone who has access to the digital platforms, tools and applications used to design, deliver and operate the platform and its infrastructure. A recent letter from the UK Second Permanent Secretary of Defence, DG Chief Information Officer and DG Commercial, to defence industry CEOs and leads, laid out the cyber security actions the UK Ministry of Defence (MOD) requires of its supply chain. This will include implementing a new Cyber Security Standard for Suppliers in the coming months.

Just as the proposed UK Cyber Security and Resilience Bill will increase the accountability of providers of essential services, with this new approach defence will require increased accountability of its suppliers. Liability for engineering systems damaged by a cyber security attack now sits jointly with the operator, e.g. the MOD, and the supply chain, e.g. equipment manufacturers and maintainers. Understanding the systems of systems, and how a cyber failure can result in the loss of mission-critical systems, or impact upon military operations is crucial, in identifying and targeting weaknesses – enabling the improvement of both system and operational resilience.

Pockets of engineering excellence

“There are pockets of [cyber] excellence in Defence,” the SDR notes, “but they risk being less than the sum of their parts.” The review goes on to recommend the establishment of a new Cyber and Electromagnetic Command (CyberEM Command) to spearhead defensive cyber operations; as well as the establishment of a dedicated ‘Digital Warfighter’ group that exploits technology to achieve a decisive advantage.

This offers an opportunity for defence to re-assess its current cyber security operating model and expand key cyber responsibilities into engineering and delivery teams.

Engineers understand the key risks in the operational technology of systems, with knowledge often built over decades. Epitomising these ‘pockets of excellence’, engineers are best placed to design out weaknesses from the outset – making a platform’s systems secure by design. This approach has the dual advantage of alleviating defence’s acute recruitment shortage of cyber professionals.

But ‘secure by design’, in the defence environment, goes beyond the cyber security concept of making something secure at the design stage. It requires that everyone who is operating in, and around, a site or vessel understands the risk that they pose, as individuals, to its systems. Essentially, everyone needs to understand their role in delivering resilient operations and protecting the mission. Defence must make security everyone’s problem: in any organisation people are the biggest security risk, but education and awareness help mitigate that risk. A ‘challenge’ culture will empower people to call out others’ risky cyber behaviours, reminding them of the potential effect upon the overall mission.

This cultural shift should see not only engineers, but all those involved in business and mission critical resilience and tactical operations across the defence capability – including the supply chain – understanding the importance of the element that they are designing or managing, and how it fits into successful mission delivery. Cyber can feel highly technical to many people, but this needs to be challenged – as AtkinsRéalis did with Ministry of Defence personnel in an interactive training programme. Through this understanding, everyone can recognise how the system comes together, what could potentially damage it, and where investment in protection is essential.

A cyber security force to be reckoned with

By embedding cyber security expertise throughout its engineering workforce and supply chain, defence can transform how it addresses the ‘intolerable levels’ of cyber risk identified in the Strategic Defence Review. This engineering-driven approach creates a distributed capability, where thousands of professionals contribute to cyber resilience as part of their daily work. Rather than relying solely on specialised cyber teams, defence will build systemic protection that matches the interconnected nature of its ‘system of systems’ – delivering robust cyber security without the prohibitive costs of wholesale system replacement.

This article originally appeared in The Engineer in August 2025.