Case Study

QinetiQ’s cyber-in-engineering approach in action on the Q40 GNSS receiver, delivering Secure by Design as an outcome.

Secure by Design makes security part of the product’s DNA, not a bolt-on. At QinetiQ, this is how we do cyber-in-engineering: security embedded into architecture, trade-offs and verification from day one. Step by step, we show how theory becomes practice and what those responsible for defence, critical national infrastructure and high-stakes commercial systems can take from it.

Positioning, Navigation and Timing (PNT) underpins finance, telecoms, logistics, energy networks and defence. Global Navigation Satellite System (GNSS) constellations such as GPS, Galileo, GLONASS and Beidou have made PNT ubiquitous and inexpensive but have also created widespread dependency and vulnerability to jamming, spoofing and wider RF and cyber disruption. The UK Government estimates an outage would cost more than £1 billion per day. For both defence and critical national infrastructure (CNI), the stakes are higher still.

Our approach: cyber in engineering

We don’t treat security as a parallel track. We embed cyber into the same requirements, design, assurance and supply-chain decisions as performance and SWaP-C. That cyber-in-engineering approach is what enables us to meet the Secure by Design expectations of the UK Ministry of Defence (MoD) and His Majesty’s Government (HMG) as a matter of course.

QinetiQ’s Q40 GNSS receiver was originally developed under the UK’s Resilient Global Navigation System (RGNS) programme to meet government requirements for assured, secure PNT. Those same needs (resilience to jamming and spoofing, compact form factor, ease of integration and freedom from US ITAR constraints) are shared across critical national infrastructure and high-stakes commercial domains. Q40 now provides a sovereign, assured receiver that serves defence, CNI and other mission-critical users alike.

Andrew Evans, QinetiQ Security Engineering:

“PNT isn’t just a convenience — it’s a backbone service. When it fails, the costs are immediate and the risks are strategic.”

Cyber in engineering and what Secure by Design means here

Secure by Design (SbD) is not a checklist. In MoD/HMG terms, it is an outcome of a threat-led, through-life approach. In our work, SbD is delivered through cyber-in-engineering — making security part of normal engineering from inception.

In practice, that means:

  • Threat-led, lifecycle-long security baked into engineering from the start.
  • Delivery-team ownership of security risk, with accreditors providing advice, not gatekeeping.
  • Regular, evidenced reviews of residual risk through life.

Evans:

“For us, Secure by Design means embedding security into the engineering process from the start — making it part of the product’s DNA, not a bolt-on.”

From accreditation to ownership

Two shifts shaped Q40’s delivery:

  1. No off-the-shelf assurance scheme could accommodate a GNSS receiver of this type. QinetiQ engaged MoD and the National Cyber Security Centre (NCSC) from day one to agree how assurance would be earned: threat-led requirements, transparent trade-offs and continuous evidence. This same model — early engagement with regulators and security authorities — is directly transferable to CNI projects, especially where existing assurance processes are lighter or less formal.
  2. Accreditation model change. MoD moved away from end-stage accreditation as the primary gate. Delivery teams now own the security risk and maintain it through life, with security assurance teams providing independent advice.

Treating cyber as an engineering concern (not a parallel process) made adjusting to these shifts natural: the delivery team already owned the engineering risk, so it also owned the security risk.

A joint Security Working Group (SWG) with MoD reviewed the design at key points, so confidence was built progressively rather than sought at the end.

Putting Secure by Design into practice

The following steps show cyber-in-engineering in practice on the Q40. They map directly to MoD and HMG Secure by Design principles; they are not a new set of principles but the practical actions we took to implement them in development and delivery.

1. Understand the asset and threat landscape

QinetiQ started with a clear view of where and how Q40 would be used and what adversaries would try to do across its life. Protection focused on what matters most (signal integrity, jamming/spoofing resilience) within strict size, weight, power and cost bounds.

2. Embed security in system requirements

Security was embedded in the same requirements set used by all engineering teams. This made it traceable, tradeable and part of the normal change-control process. Like performance or cost, security could be balanced, tracked into the design and verified, rather than treated as a bolt-on.

Evans:

“If it’s in the system requirements from day one, it’s part of the trade-off — not a nasty surprise.”

3. Verify early and continuously

Evans:

“We didn’t have an isolated ‘security lane’ — we ran security in the same lane as the rest of engineering.”

4. Treat the supply chain as part of the attack surface

The microchip was custom-fabbed in Europe following a foundry study that considered certification, location and ownership; a key UK SME was uplifted with penetration testing and hardening. Need-to-know was applied across suppliers; incoming software components were controlled for provenance and monitored for publicly disclosed vulnerabilities. This is cyber-in-engineering at supply-chain level: recognising criticality, uplifting where appropriate and adding controls where limits exist.

This approach also works in CNI sectors, where high-assurance component sourcing and supplier uplift can reduce operational risk and regulatory exposure.

Evans:

“We treated suppliers like parts of the system — some needed strengthening, all needed boundaries.”

5. Balance security with performance, SWaP and cost

Security was applied proportionally to threat and impact, not everywhere at maximum level.

Evans:

“The aim was a sweet spot: secure enough to beat the threat, light enough to fit the mission.”

6. Build assurance through engagement, not paperwork

  • A shared, threat-led approach agreed with MoD/NCSC.
  • Security Working Group reviews saw trade-offs land in real time.
  • Evidence that requirements were met, not just written down.

Evans:

“When MoD watch the whole film, they don’t need a snapshot at the end.”

7. Design for through-life security

QinetiQ planned for:

  • Monitoring vulnerabilities in third-party components.
  • Secure update paths where customers accept them.
  • Notification routes and mitigations where updates are not possible.

Evans:

“Security isn’t a one-off; it’s a commitment for the whole service life.”

Together, these actions show how SbD moves from principle to practice, mapping directly to the formal MoD and HMG principles set out below.

Why this matters to CEOs and CISOs

Q40 demonstrates what cyber-in-engineering delivers in practice with Secure by Design as the outcome.

The results are as relevant to CNI and commercial systems as they are to defence.

  • Risk aligned with delivery — cyber risk was owned by the Q40 delivery team throughout development, showing how risk management works best when embedded with those who build and support the product.
  • Cost/schedule protection by “shifting security left” — embedding security requirements early avoided expensive redesign late in the programme.
  • Cyber-aware supply chains by design — supplier assurance was part of down-selection from the outset. Where needed, suppliers were uplifted through collaboration; where limits existed, additional controls were applied in QinetiQ’s own processes.
  • Operationally grounded and usable — products are secure because they fit user constraints: designed within strict SWaP-C limits and mindful that some contexts may not allow for software updates. Security worked because it respected those realities, not because rules were blindly followed.
  • Sovereign and export-ready — by designing outside ITAR constraints, Q40 demonstrated how security assurance can be delivered in a way that supports both UK sovereignty and wider international customers.
  • Proven in defence, ready for CNI — the same SbD approach can protect PNT-dependent and other mission-critical systems in sectors such as energy, transport, and telecoms.

Five key takeaways for CEOs and CISOs

Apply this on your programme – what Q40 showed in practice can be applied to any product or system — in defence, CNI or regulated sectors:

  1. Threat-led from day one
  2. Bounded, testable security requirements
  3. Continuous assurance in-flow
  4. Supply chain hardening as design activity
  5. Plan for security through-life

For a full description of our key takeaways and more information about how Q40 meets our Secure by Design principles, register for the full case study here.