Consumer and commercial drones are hot – they are changing the way we farm, they are crashing on the White House lawn, they are leading to $50 million VC investments, and they are firing the imagination of Amazon, Google, and Facebook. And they’re not even legal for most people or companies to operate in the U.S.
They are also vehicles for malware, mischief, and cyber mayhem.
Let’s take a look at the cybersecurity landscape around non-military drones. And remember, a drone is really part of a sUAS – a small unmanned aerial system. (See my earlier post on this topic.)
First off, why might I want to launch a cyber attack against a drone?
- I could steal the entire aircraft – a DJI Phantom can go for $1,000 on eBay. Or just sell it for parts – a DJI camera and gimbal goes for $650, some cameras used for film making go for $20,000 and a LIDAR sensor can go for $50,000.
- I could steal the data, possibly without physically touching the aircraft and without the operator’s knowledge. Releasing film of a breaking news event would garner valuable attention while film of a private celebrity wedding would be worth tens of thousands of dollars. Crop data from a research farm would be valuable to competitors while data from a research track would be of great interest to a competing automobile manufacturer or race team. This data could be captured from another operator’s drone with little investment or risk on the part of the thief.
- I could hijack the aircraft and use it as a weapon or use it in a way that would generate bad publicity for the vendor or operator.
- I could disable, DDOS, the drone thus affecting the business operating it or the vendor. This could cause short and/or long term financial impact, even going so far as to put a competitor out of business.
- I could use the drone to inject malware into the ecosystem supporting it.
All of these are potential cyberattacks on someone else’s drone to affect the operator, the vendor, or an unrelated third party. If you use, develop, or support drones, you should consider your flight operations program, your critical assets, the possible effects on your sUAS, and very quickly start developing your risk management strategy.
There are some simple, classic, steps you can take:
- Insure your equipment and operations. Hull and liability insurance is available for sUAS.
- Physically secure your equipment. Someone with physical access can remove or compromise your sUAS.
- Operate using Visual Line of Sight guidelines. If your sUAS starts going off course, have a response plan in place to track and recover it in a timely manner
- Stay current on firmware updates. Unfortunately, the security measures implemented by the vendors are minimal or non-existent, but you should still try.
- Lacking firewalls in the sUAS environment itself, construct firewalls or air gaps around it. Use dedicated hardware to support it rather than using your personal mobile device for flight operations, for example. Be aware of opportunities for an attacker to remotely access it. Do not connect sUAS components to your corporate network.
- Configure your sUAS to fail safe. Ensure that the return to home feature is engaged and the home point is set for each flight.
- Choose sUAS solutions with inherent security. One popular vendor uses wifi for the data and control link, exposing their system to a wide variety of attacks. Using something other than wifi or bluetooth for the data link would greatly reduce the attack surface.
There are also some long term solutions, some of which benefit the entire community:
- Get involved with policy making. The US is on a road towards a very confusing patchwork of regulations at the state and federal level with respect to sUAS operations and cybersecurity in general. Advocate for clear, actionable regulation in both areas.
- Develop an in house cybersecurity program and ensure that it takes sUAS operations into account.
- Analyze the security of various sUAS offerings, share your findings, and encourage vendors to build security into their products.
sUAS, aka drones, are here to stay. We need to start securing them now, before they become embedded in our businesses, society, and lives.