UAV THREATS TO THE OIL AND GAS INDUSTRY PART 3: WHAT ARE OUR CHALLENGES?
The Global Drone Security Network #2
Streamed live on Sep 18, 2020
The Global Drone Security Network (GDSN) is the only event of its kind focusing on Cyber-UAV security, Drone Threat Intelligence, Counter-UAS, and UTM security.
View the full conference: https://youtu.be/vZ6sRr65cSk
FULL TRANSCRIPT: PART 3
What are our challenges, our being the energy infrastructure energy community, the counter-UAS community, the people who are doing UAV forensics research? What is it that we need to step up and take care of so that we can be better contributors to national security, to site security, to all of these things that protecting society against malicious UAVs? Senator Cory Gardner, Colorado, January 8, 2020, after this whole Colorado drone problem, publicly stood up and said something that is the most one of the most important things in this presentation. There’s a significant gap in the understanding and our personal understanding and the national security’s understanding of the threat that drones pose the United States. If we don’t understand the threat these drones pose to us, we cannot even have a rational discussion about how to defend against them, much less actually build those defenses.
So, problem one is understanding the threat. Problem two is downplaying the threat. I follow Kelsey Atherton on Twitter. I read his articles; he does some great stuff. He understands military, he understands regulatory, understands politics. Really good writer and I admire the heck out of him. However, in a Forbes article that had to do with nuclear reactor site security vis-à-vis drones, he concluded that there is no risk posed by small drones until they get the ability to carry larger, heavier payloads without losing much flight time and until those happen only then should we rethink our infrastructure hardening. I will stand up here or sit here and raise my hand and say those things are already possible and earlier in this presentation and other presentations we demonstrated that.
Saudio Ramco was probably a nation-state actor, so maybe not that, but the attack on the Russian air base was certainly something that demonstrates that you can get heavy payloads over long distances and that was in 2018. So, it’s beyond time for rethinking infrastructure hardening and this sort of thinking is downplaying the issue and not focusing time, attention, and resources on where the problems are.
Joseph Rivers hit this when it came out of the FOIA release from the Palo Verde incident. He makes two really good points here: putting regulations in place is not going to stop the motivated actor so restricted airspace is not going to stop anything and he asserts that detection systems, counter-UAS systems have limited success rates. I would generally agree with them. Unfortunately, there’s a low likelihood that law enforcement will arrive quickly enough to go find the operators. His take, I agree, we should focus our attention on getting federal regulations and laws changed to allow sites to defend themselves and get the resources required to identify engineering fixes that would mitigate the adversarial attack so that if a UAV does get in, how do we mitigate against that. Jacob’s presentation just prior to mine is spot on on this and that is incredibly important part of the conversation and we should not walk away from today’s wonderful presentations thinking that there’s only technical solutions. There are legal solutions, there’s information sharing solutions, there’s a lot of other things that need to be done in addition to technical solutions such as remote ID and UTM. There’s a belief that remote ID and UTM are going to solve a lot of this problem and we just need to wait. Well first of all they’re probably three years out. Second of all, and most of this comes from my cyber security background, these are likely to be federated solutions put together by commercial vendors who must make a profit who are then working with government entities who may be under-resourced, and they are all working together to collaborate to build these systems and those systems must have perfect cyber security or they are going to be part of the problem.
Some of the problems are there’s going to be a legitimate backdoor. We have seen this in other circumstances. We’ve seen the FBI asking or demanding that Apple create backdoors in their system. There’s not going to be a remote ID system and a UTM system that does not have legitimate backdoors in it for use for national security reasons. If they’re legitimate back doors, there’s a good chance those back doors will get compromised and used for non-legitimate purposes and then there’s pure exploits so it’s gonna be a complex cyber security system. There are going to be problems with it. People will exploit that. They will find ways of manipulating remote ID and UTM for their own purposes. There’s also a lot of “quote valid unquote” reasons not to disclose where drones are operating and why. Amazon’s not going to want anybody other than Amazon to have really detailed knowledge of where all their UAVs are going, how much payload they were carrying, what their flight times were. This is all business intellectual property – it’s competitive intelligence. Then there’s national security flights, there’s gonna be law enforcement flights. There’s gonna be all these carve outs where people are going to have some sort of reason to say hey, wait I should not be squawking some sort of remote ID and I should not be participating in the UTM system. We’re going to have to work through that and I’ll point back to Jacob and say hey, this is going to fall in your court because it’s going to be a legal issue and a regulatory issue. Malicious operators will hide in the gaps, in the noise. The gaps may exist simply because of flaws in the system. They may create those gaps themselves.
I love the FAA. I’m a manned pilot. Through the nature of how the national airspace has been managed over the decades it’s a remarkably safe space to operate and they are coming at unmanned vehicles from that same perspective of we’re looking for you know zero fault airspace. Unfortunately, they have a really poor track record of enforcing any sort of compliance and if somebody’s not complying with remote ID or not complying with UTM what are the consequences for not complying. We’re gonna have to work our way through that. Hobbyist open source activities, foreign ports will likely create a non-compliant noise floor to hide in as well. If you are trying to attack or surveil some facility and there’s a bunch of hobbyists flying in the area who are intentionally non-compliant that creates a noise floor for you to operate in or you could have some of your “friends” go be non-compliant hobbyists while you are tangentially working with them and flying inside their noise envelope. Other people mentioned this and I’m glad they did because I find it incredibly frustrating. There’s an enormous number of counter-UAS vendors out there in 2018. There’s 230 of them and I’m sure it’s increased by now. I’ve worked in the counter-UAS test and evaluation space and still am. I’ve been talking to people in the DOD and the government on the procurement side. They don’t know what works and what doesn’t, and this is where I think we as an industry need to get our act together.
If you are a site operator and you want to know what counter-UAS systems works best in your environment – close to an urban area, hot and humid because you’re down in Louisiana, no good lines of sight because their refinery is next door to you – which counter-UAS systems have been deployed in a similar environment. What sorts of flight profiles, what sort of threat profiles were flown against those systems, and when were those tests done. We need to have standardized testing of counter-UAS systems and multiple types of environments that we can do repeatability and we can do compare and contrast. Otherwise, as this counter-UAS researcher put it, we have no source of truth. Somehow, we’ve got to go solve that problem.
Take-homes from that one is we really don’t know what systems do or do not work and if they work in one environment. We don’t know whether they work as well in another environment and we don’t know what threats they work against or don’t work against. For example, if somebody changes the RF link, are they going to work against that. Just an example. The information is siloed. I’ll talk about how we might be able to solve that towards the end of this presentation but all of us need to be thinking about how we help inform other people in the space of protecting this infrastructure to do a better job of it. And the last one bothers me across the board. I see requests for proposals for counter-UAS systems or things like that that are addressing last year’s problems. You know what ISIS was using in 2018 or what is the cartel using in Mexico in 2020. Drone swarms exist, autonomous stone storms exist, jet turbine UAVs exist. All of these things are possible and we as a community and in collaboration with the governments that we’re working with and in collaboration with the people that we are trying to defend, need to start thinking actively and talking about it not just thinking about it but talking about it and saying okay what’s coming down the pike and how do we if not get ahead of that how do we catch up with it?