The aerospace manufacturer ASCO has shut down all operations “indefinitely” after the company succumbed to a ransomware cyberattack which locked employees out of its systems. ASCO was taken over recently by Spirit Airlines.
Boeing and the FAA announced that an unnamed Spirit Airlines supplier may have sold Boeing slat track mechanisms, which control the forward flight surfaces on the wings of the aircraft, that are potentially defective due to hydrogen embrittlement problems. The website Airframer.com lists ASCO as the manufacturer of slat tracks for Boeing, through Spirit Airlines. Representatives from ASCO have insisted to Oxebridge that they were not notified of any defective products shipped to Boeing.
UPDATE: Oxebridge has learned that ASCO is not the supplier in question; see full report here.
The decision to shut down an entire company due to a ransomware attack is unheard of, and points to the severity of the problem. Ransomware attacks typically occur when users click links in emails that appear to be legitimate, but which actually trigger malware created by hackers or other bad actors. Prevention of ransomware is typically accomplished by training employees not to click links inside emails, something which appears not to have been effective at ASCO.
Over 1000 employees are affected, as well as ASCO customers such as Boeing.
The attack is likely the most significant cyberattack on an aerospace company in history. The attack exposes Spirit and ASCO to violations of the International Traffic in Arms Regulation (ITAR), which aims to ensure that sensitive aerospace data does not fall into the hands of those who could transfer the information to enemy actors.
AS9100 would require the company to have addressed the possibility of ransomware attacks under the “risk-based thinking” requirements of clause 6.1. Oxebridge has argued that the language around “risk-based thinking” in AS9100 is so vague that it does little to help prevent large-scale problems such as the cyberattack, despite language by the standard’s developers suggesting otherwise.