Drones, known formally as Unmanned Aircraft Systems (UAS), are being adopted for commercial use at a rapid rate. The FAA estimates that by 2023, there will be a fleet of 835,000 "non-model" (commercial) drones in the United States, an increase of more than 300% from the 277,000 drones registered in 2018.
The potential and actual benefits of drones are many, from filming to aerial inspection of industrial, environmental, agricultural and utility projects and facilities, as well as for monitoring real estate and construction activities and even delivery of goods to consumers.
As the use of drones becomes more widespread, organizations will be well-served to consider how to integrate these devices and their applications into existing networks and systems, and adopt appropriate controls to limit security and privacy risks.
While assessing the benefits of UAS utilization, one must also weigh security and privacy risks in the balance. Consider the following facts:
- A drone operates using software or firmware, which must be downloaded and installed
- Drone operators often use computers, tablets, and phones to run drone applications, software or firmware
- A drone stores data and often communicates with ground stations and operators
In other words, a drone is connected to computers and computer networks, and it both stores and transmits information.
Because of these characteristics and others, if an organization does not take the appropriate steps to safeguard against cybersecurity threats, its implementation of a drone program may subject the organization to various attacks:
- Bad actors can exploit drone software or firmware vulnerabilities to take over the UAS and gain access to other networks and systems of the organization
- Malware embedded in drone software could compromise the device where it is located, and allow data from the drone to be exfiltrated (removed)
- Data sent to and from the drone could be intercepted and reviewed
Being mindful of these risks, the Cybersecurity and Infrastructure Security Agency (CISA) has issued Cybersecurity Best Practices for Operating Commercial Unmanned Aircraft Systems (Best Practices) to help organizations utilizing drones identify some of the security and privacy risks and address them.
Fundamentally, this guidance underscores that a drone must be treated in the same way a business treats any mobile device — a powerful storage and transmission vehicle that may be connected to the organization's enterprise network.
Here are some highlights of CISA’s Best Practices.
Safe Installation and Use of Software/Firmware. Because software downloads can contain malware, organizations should consider practices that separate the software installation process from the enterprise network. Moreover, organizations should be careful to access software from trusted sites, authenticate software downloads, and run malware scans on all such software.
Secure UAS Communications in Flight. Implement appropriate encryption to secure transmission through Wi-Fi connections and all other data links, and make sure that all devices running drone applications are secured.
Secure Storage and Transfer of UAS Data. A UAS typically has a removable storage device, for example, an SD card. When connecting a removable storage device to another computer, ensure that the firewall or anti-malware software checks for malicious traffic. Apply appropriate policies to encrypt drone data at rest and in transit, particularly if that data is sensitive. Employ multi-factor authentication as an additional security layer.
Share Knowledge with Others. As with all nascent and rapidly evolving technologies, drone use will reveal new vulnerabilities and cybersecurity threats. By participating in information sharing and collaboration programs (the Cyber Information Sharing and Collaboration Program, CISCP, is one example), organizations can leverage lessons learned in order to improve security and increase resilience.
In conclusion, drones are being utilized in various industries to reduce risks, lower costs, and improve productivity. As with any new technology, an organization should anticipate the risks that accompany the benefits of using the technology. By implementing the above protocols and adopting a standardized process that takes into account the cybersecurity risks, a company can maximize the benefits obtained from drone use while avoiding or mitigating the risks.