04 Nov UAV Threats to the Oil and Gas Industry Part 2: What Can We Do?
- The Global Drone Security Network #2
- Streamed live on Sep 18, 2020
- The Global Drone Security Network (GDSN) is the only event of its kind focusing on Cyber-UAV security, Drone Threat Intelligence, Counter-UAS, and UTM security.
- View the full conference: https://youtu.be/vZ6sRr65cSk
FULL TRANSCRIPT: PART 1
So, what can we do? CISA is the Cybersecurity and Infrastructure Security Agency. They are a US entity, and I was somehow unaware of them before I started on this process. They are focused on cyber security infrastructure. They’ve got a very broad mandate, and I was looking around for federal government agencies that understood that there’s a counter-UAS threat and were doing something about it. Enter CISA. Everything you see here comes from their website. They’ve got a lot of really good materials in terms of how to talk about it. They’ve got one-pagers, they’ve got placards, they’ve got all sorts of materials for educating different types of people about the nature of the threat and what actions you can take about it. If you are in the energy industry and you’re not hooked into CISA, I strongly encourage you to do so. They’ve got representatives scattered throughout the country and they’re very happy to talk about this sort of stuff. They articulate things I’ve been saying in this presentation. The UAS-related threats may include weaponized or smuggling payloads. They may include prohibited surveillance and reconnaissance. They may include intellectual property theft, and they may include intentional disruption or harassment. This is the US government agency saying this thing is worth paying attention to, and here are the actions you can take. As Jacob and others have said during this presentation, we’re somewhat hampered in the United States.
Their first bullet point is research and implement legally approved counter-UAS technology. They also then get into things that don’t require buying a counter-UA system, and I apologize to the counter-UAS vendors out there, but there’s a lot of things you can do without spending hundreds of thousands of dollars on counter-UAS systems to help protect your facility, and I’ll get into some of them here and on the next slide as well. Know the air domain around the facility and who has authority to take action to enhance the security. If you’re in with a bunch of other energy facilities, build a community whereby you’re getting advance notice and you’re doing information sharing within your own community. Contact the FAA, consider UAS restrictions (we’re all working on that), update your emergency incident action plans. This is worth doing if only so people know what to look for and what data to gather, and this goes to Chris Church’s presentation way at the early part of the day. You know, figure out how to gather information about these incidents in a methodical fashion and report it in a consistent fashion so we can start understanding the problem. Build federal, state, and local partnerships and report the potential UAS threats to your local law enforcement agency. This is a great slide. If you take nothing else from my presentation, I would suggest taking this one.
This is an example of some of those CISA recommendations in action. I was doing a presentation at BSides New Orleans two years ago now. I met this gentleman; his contact information is in the appendix. This is an example of collaboration between the Coast Guard and InfraGard, and for those in the United States, InfraGard is an FBI initiative for sharing information between the private sector and the FBI. It’s a collaboration between the Coast Guard, the FBI, and a lot of the energy infrastructure operators in the New Orleans area, particularly the Port of New Orleans. They established this relationship back in 2016, and one of the things they’ve done is have a mandatory requirement for saying “hey, I’m going to be flying a UAV in the area,” so if you see a UAV over your facility you can call somebody and say “hey, I’m seeing a UAV,” and they look at their list and say “nope, it shouldn’t be there.” Now you know you’ve got some sort of threat, or now you don’t. You can now make a much quicker decision. It’s not automated at the moment; well, it may be, but it doesn’t have to be automated. It could be as simple as a phone call and somebody looking at an Excel spreadsheet or pulling up a piece of paper. It’s simple to get started on this stuff, it costs you very little, it builds relationships, and it starts giving you situational awareness of what is and is not going on in your airspace or the airspace that you’re sharing. They did automate a fair bit of this; how much of it I do not know. Reach out to them, but they are bringing in a lot of information and making it available to all the people participating in this, such as safety exercises and training and things like that.
This is a part of a larger deck from a gentleman – his contact information is later on in it – who was doing red teaming and found that essentially doing red teaming was frustrating and it really wasn’t a challenge. What he stepped back and did is start doing adversary modeling, so threat modeling, and this is one example of one of his tools where he looks at essentially a very compact kill chain. For those not familiar with it, a kill chain is basically the steps that an adversary must take to go from start to actually having an effect on the target. In the cyber security world, it was exfiltrating the data out of our environment. In this circumstance it’s actually gathering the intelligence or delivering the payload. The take-home from a kill chain is that if you can stop the kill chain at any point before they finish their mission, you have succeeded to some degree. So, this is sort of a very compact UAV kill chain for a threat actor, and he goes through a bunch of the steps that they would have to get through to accomplish their mission, and each one of these steps is an opportunity for you to deny them the ability to accomplish that step and to deny them their overall mission. He’s got a bunch of tools for helping you do this sort of stuff. One of the easiest ones is helping site operators figure out where somebody might launch a UAV from. You know, why is this interesting? Well, you could just put a game camera out there and check it once a day, or do it wirelessly, and see if there’s somebody launching UAVs from any of these locations that this model demonstrates; if they are, go talk to them. Why are you flying UAVs over my property? You’ve now, with essentially a little bit of consulting work and a game camera or, you know, a little bit higher-end security camera, started implementing counter-UAS without having to worry about hacking into a data link or anything like that, so very much worth considering. This gentleman is great.
There are other people out there. You can do it yourself. Very much worth considering if you’re in the United States and familiar with ISACs. They are basically a private sector vertical information collaboration for sharing cyber security vulnerabilities and responses to them. The FS-ISAC is the one I was most involved in – Financial Services ISAC. There are a bunch of others. I proposed an AV ISAC for everybody who had anything to do with autonomous vehicles to join this organization and share information within a well-orchestrated lockdown environment. This is membership driven and there’s a bunch of issues with it. I never got it off the ground. I think I was a little bit too early, and maybe it’s time to revisit it. If you’re interested in it, come let me know. This one is a solution that, when I was doing cyber security, was incredibly impactful. It requires trust; it requires a bunch of people and their organizations to say that we understand why the needs of the many outweigh essentially our own competitive advantage. What was going on is that we had a very secure mechanism for sharing TTPs (tactics, tools, and procedures) as well as malware signatures and things like that.
There were people from opposing consulting firms, security vendors, malware vendors, malware protection vendors, all that sort of stuff. People that had an honest competitive interest in not collaborating with each other, but they all came together because they understood that within the right model, within the right information sharing model, they could still further their own company’s interests and possibly even benefit their company’s interests by getting this information from other companies, and also help protect national security. The reason I think this is important, and the reason I think that threat intelligence sharing and development is important, is this list of bullet points. I said the other slide was the most important. This is another one. We’re engaged in futuristic war. Things I read as science fiction even three years ago are now in the present. We’ve got to bring everything we can to bear to get caught up and get ahead of the threat actors. If we don’t do that we’re going to be under-resourced and behind the curve, and it’s going to get very frustrating, which is one of the reasons I exited the cyber security space. We’re also often asked to fight last year’s battles, which I also find particularly frustrating. We need to be thinking ahead so that we have the right solutions in place when the threat actors catch up to us, rather than vice versa. Our adversaries are similar to the cyber security adversaries. They range from activists to criminals to non-state actors to nation-state actors, which means that their motivations and their capabilities and their ability to show up in the country are wide-ranging. If it were just one of these groups, it’d be much easier. There’s not just one potential threat organization. We have limited resources. The federal government has even more limited resources, and with COVID sucking up a lot of budgets and increasing the national deficit and things like that, those resources may be even further challenged.
We in the United States are hampered by a very challenging regulatory environment. Jacob and others have talked to that; it really hamstrings our ability to respond, so we need to think creatively, and we need to think collaboratively. If we are working with limited intelligence, it is often due to our own inability or unwillingness to collaborate. We need to find ways of collaborating. The organization I was referring to for the cyber security stuff operated with two rules. One was the Chatham House Rule, and it’s only one rule: participants are free to use the information received, but neither the identity nor the affiliation of the speakers nor that of any other participant may be revealed; so, don’t out anybody, don’t out their organization. It compromises this whole entire effort. And then the other fundamental tool was the Traffic Light Protocol. If something’s tagged TLP red, you are not to disclose it; it’s restricted to the people in the conversation only. Amber is limited disclosure – restricted to participants’ organizations, so you can take it back to your organization, but they cannot then go use it for public speaking or press releases. TLP green is restricted to the community. This is a framework, and it’s a potential for how to create this sort of trusted sharing community among people who might otherwise not be able to collaborate. In the appendix to this presentation there are a lot more details on it. You can just reach out to me as well, though another option is the organization that’s supporting this presentation. They are in the threat intelligence business and they have tools for doing this. There are a lot of opportunities for us to support each other and support the community.
I really encourage everybody who’s been in this conversation today to continue joining the conversation: reach out publicly, reach out privately, join one of the organizations or mechanisms for sharing information. Tell us what your problems are and really help us help you.
There are multiple ways of going about sharing information. The AV ISAC is the above-the-board, loud-and-proud mechanism for doing that. It has full-time people running the organization to catalog and organize the information, and it’s got a director who’s out there bringing in new people to participate in it, so there are membership fees for it, and for some of the existing ISACs that’s $25,000 a year for the larger organizations. It’s a very good mechanism; it’s a very well-established United States mechanism for doing this sort of thing. The other solution is sort of the other end of the spectrum; it’s very on the quiet. It’s almost like Fight Club – you don’t say that you are part of this particular organization. It costs essentially nothing, or it costs very little. We were using secure email with PGP encryption. We had a very secure, minimal wiki. Just a bunch of open source tools that somebody took the time to secure really well, and then it was a trust-based relationship where a couple of people got together and it started working for them and they started bringing more and more people in. The odd thing is that the hacking community already has this. I’m a member of one of the hacking groups, and I’m one of the few people in there who uses my full name. You can go find me, but I’m a trusted member of that organization now, and it’s got the classic hacking community thing where you sort of work your way in through the levels. There’s a wealth of information in there, and they are a model of how people can share information and do so in a secure fashion. The AV ISAC and the other model are both worth doing. I think it’s much faster to go stand up the sort of trusted-relationship-between-peers model, and the AV ISAC is unlikely unless one or two large companies – AirMap, PrecisionHawk, something like that – say we understand the value of it and we’ll be founding charter members of it.
In terms of what you were mentioning about some of those hacking groups, you really did fill that in in one of your threat matrices there where, for example, you had the drone hobbyists with the compliance and all the way down, but the uninhibited is quite interesting because that’s almost like your drivers who go a little faster, do some burnouts, do some donuts, but they’re really experienced drivers and they are doing it in controlled manners. Sure, sometimes that can reflect a bad name on the industry, but they are controlled, and sometimes they’re in a safer position than those who maybe don’t know the rules and are acting unskilled. Quite an interesting concept that you talk about there, and I think when it comes down to that you want to look at what’s the actual threat to infrastructure. As you said, is it the uninhibited or is it actually the threat actors who want to do that with their motivations and their goals? I think that’s really quite important.
Moderator: The first question said, how on earth is there no result for the Eastern Colorado incident? Was the army not involved? What would it take to trigger military intervention, and how was the FBI not involved in this?
David: To answer the last question first, I think every single possible federal agency that might have had some bearing on the problem got involved: sheriff’s department, FBI, there are nuclear missile silos in that region as well so Strategic Command got involved, everybody was involved at some point. How was it not resolved? One hypothesis is that somebody was out there essentially red teaming something. The community could certainly go hire some of the appropriate people to go operate those sorts of UAVs in a covert fashion. There’s plenty of space out there to hide in, and what that really illuminated for all of us is that the mechanisms are not in place for identifying this sort of activity, and as long as the operators are practicing good OPSEC and not talking about what they were doing, it’s relatively easy to go do that. Similarly, that’s where Palo Verde comes in. How on earth did somebody fly for two nights, running for 80 minutes in time, over the largest nuclear reactor in the United States and no one knows what happened?
Moderator: It’s the same sort of thing that’s quite interesting, and it ties into one of these next questions. You speak a lot about the different and typical issues to infrastructure, but what are your actual recommendations for infrastructure hardening, and does counter-UAS actually fall into that?
David: Counter-UAS is one of many things that you need to consider about how to protect your site. I used to do executive protection, so we were protecting homes. The first thing we did was threat intelligence: figure out what sort of people might be coming at us, what sort of resources might be brought to bear on us, and how to start mitigating all the risks that they posed for a site. Counter-UAS is certainly going to be part of the answer, and it may not be counter-UAS with neutralization turned on; it may just be counter-UAS with pure detection turned on.
So, you understand whether there is or is not a problem if you have a UAV over your site. There may be certain steps you would want to take. Other things will be thinking about your OPSEC: are your radio links encrypted, so if you’ve got somebody flying a drone over there to pick up your radio traffic, can they actually get anything? If you’re thinking about it from a drone perspective, you’re going to need to look at whether you can push back your sight lines: if you have woods or anything encroaching on your fences, can you push that back a quarter mile or half a mile? You now extend the amount of time that a UAV needs to fly to get over your site, which gives you more response time. It makes it more difficult for the operator, and all those sorts of things that make it more difficult for the potential threat actor to have their desired effect upon you are things you can do, and there are many other things you can do, without actually deploying a counter-UA system. That said, counter-UA systems do bring value; simply knowing that something is overhead is very helpful, and eventually you will get that neutralization capability.
Moderator: There was another question that came in and it said, “What is URSA specifically as a company doing about this, and how are you involved?”
David: URSA is Unmanned and Robotic Systems Analysis. We fundamentally focus on extracting telemetry data from a variety of unmanned systems, applying advanced analytics to that (machine learning, statistical analysis if appropriate), and developing visualization tools to help a variety of different types of people understand what is going on with unmanned systems. It could be regulators wanting to know how close UAVs are getting to manned aircraft. There are a lot of reports of that, but we don’t have any hard evidence to say here’s how close they really were getting. We’re working with the FAA to help understand that. We’re working with the counter-UAS industry by helping do some of these tests. We’re the system of record for some of these test and evaluation exercises so that there is a single source of truth. All the information about how the aircraft and the counter-UAS were behaving is in one spot, and so now you can say the UAV was here, the counter-UAS thinks it was here, why is there a discrepancy? Finally, we’re helping operators understand how their systems are behaving and starting to do some predictive analytics for operators so that they can help reduce the potential of in-flight failures. So, it comes down to this: we’re not doing imagery analysis, we’re doing telemetry analysis, and we’re really doing it to help people understand the who, what, when, why, where, and how of unmanned systems.