Airbus CSO on supply chain blind spots, space threats, and the limits of AI red-teaming
Pascal Andrei, CSO at Airbus, knows that the aerospace and defense sector is facing a threat environment that is evolving faster than most organizations can track. From sub-tier suppliers quietly becoming entry points for state-backed attackers, to satellites emerging as targets in an increasingly contested space domain, the risks are real and growing.
In this interview with Help Net Security, Andrei addresses the blind spots that defenders are underestimating, the gap between compliance paperwork and actual security outcomes, and why current AI red-teaming models fall dangerously short. His answers reveal a security leader who is thinking in systems, and pushing Airbus toward a more collaborative, intelligence-led approach to protection.
How have recent geopolitical realignments changed the threat calculus for Aerospace and Defense (A&D) organizations in ways that aren’t yet reflected in mainstream threat reports?
There is a dedicated team in Airbus monitoring and creating security intelligence. It provides up to date information concerning the evolutions of the different threats (cyber, physical or geopolitical) which could harm Airbus. The team deals with main critical and strategic topics for the company, so that Airbus business can transform this intelligence into security risk management.
Aerospace and defense supply chains are notoriously complex and globally distributed. Where do you currently see the most exploitable blind spots that defenders are underestimating?
While Prime contractors (Tier 1) have hardened their perimeters, the most exploitable blind spots have migrated deep into the sub-tiers and the ‘digital threads’ connecting them. Using the instability of the current geopolitical context, threat actors target smaller, resource-constrained firms as ‘jump points’ to disrupt global aerospace and defense delivery. In response to this statement, we have tightened the integration between corporate security, procurement and business units to define security expectations from our supply chain.
Furthermore, we are pivoting toward a collaborative industry model to collectively mature both upstream and downstream supplier selection. This proactive stance, combined with our early adoption of regulations like Part-IS and NIS 2, serves as a critical lever in securing our end-to-end supply chain.
Cyber-physical attacks on spacecraft are still rare. What early-stage signals should security teams watch for that a threat actor is probing satellite command-and-control systems?
It is true that space is becoming a new cyber-battlefield. Like all products, satellites are targets; however, Airbus has established a dedicated product security organization to protect satellites against threats throughout the entire product lifecycle, ensure regulatory compliance, and meet customer requirements.
At the same time, of all Airbus products, space systems have their own specificities, as security needs to be ensured from inception, through design to space operation. With Space being a new battlefield, Airbus is analysing and anticipating all the new threats to ensure the best possible resilience of these spacecrafts.
Where are DIB contractors struggling the most with translating compliance-centric frameworks (CMMC, NIST 800-171, ITAR) into actual operational security outcomes?
The most significant struggles DIB contractors face are in the transition from “paper compliance” (written policies) to “operationalizing security” i.e. making those policies a verifiable, continuously monitored part of daily business and IT functions. This gap is often concentrated in three main areas:
- Sustaining basic cyber hygiene and automating continuous security monitoring
- Accurately defining the scope / the Controlled Unclassified Information Boundary (i.e. the precise systems, components, and personnel that process, store, or transmit CUI/ITAR data) and producing auditable objective evidence
- Incorrectly treating compliance as a one-time IT project, lacking continuous executive support.
But beyond these difficulties, we see how complex it is for DIB contractors to comply with different (and sometimes not harmonized at international level) cybersecurity frameworks.
Do you think defense organizations have appropriate validation and red-teaming models for AI systems used in targeting, navigation, or threat detection? If not, what’s missing?
Ensuring AI safety in defense systems like targeting and threat detection is limited by the lack of maturity of current validation models; despite widespread use of the term “red team,” there is a fundamental lack of standardized, systemic methodologies required to test the entire operational architecture against sophisticated threats.
We generally focus on individual models, not the system: current red teaming often focuses narrowly on the Machine Learning (ML) model in isolation (e.g., testing for adversarial inputs like prompt injection in a vision model). What is frequently missed is the broader “system of systems” context—the complex interplay between the model, the sensors, the data pipelines, the communication links, and the human operator interface. A vulnerability in any one of these elements could lead to systemic failure.
Read more:
- United Airlines CISO on building resilience when disruption is inevitable
- Southwest Airlines CISO on tackling cyber risks in the aviation industry
- Cyber turbulence ahead as airlines strap in for a security crisis
- What makes airport and airline systems so vulnerable to attack?