Drones are becoming ubiquitous. They are sold as toys, used in industry, and as weapons of war, so the possibility of one becoming co-opted by a threat actor could result in severe damage, disruption of services, or data theft.

In response, CISA and the FBI released a notification and guidance on Chinese-manufactured unmanned aircraft systems (UAS) aka drones, that could have vulnerabilities enabling data theft or that could facilitate network compromises.

The People’s Republic of China (PRC) also recognized this possibility so back in 2015, it passed data privacy laws and regulations that require companies operating in China – including state intelligence services, to disclose any known vulnerabilities to the government prior to the service or device being released to the general public. However, this disclosure was only to be made to the PRC, and herein lies the problem.

This regulation applies to Chinese-owned UAS companies such as Shenzhen DJI, High Great, Shenyang Aircraft Company, and Shenzhen Damoda and essentially gives the PRC access to any data stored on these devices. This may also include complete unlimited access to customer data including possible sensitive recorded video and flight data (date, time, latitude and longitude, flight duration, pilot-in-command information, and more).

“The PRC’s collection of sensitive information and potential network access obtained from Chinese-manufactured UAS may result in significant consequences to critical infrastructure security and resilience,” the CISA document said, adding, “Acquisition of such data or network access has the potential to advance the PRC’s strategic objectives and negatively affect U.S. economic and national security.”

This can include:

• Exposing intellectual property to Chinese companies and jeopardizing an organization’s competitive advantage.
• Providing enhanced details of critical infrastructure operations and vulnerabilities increasing the PRC’s capability to disrupt critical services.
• Compromising cybersecurity and physical security controls leading to potential physical effects such as theft or sabotage of critical assets.
• Exposing network access details that enhance the PRC’s capability to conduct cyberattacks on critical infrastructure.

The Growing Drone Problem

As demand increases for commercial UAS have also grown, so have the requirements. In just the past 10 years, improvements in batteries, drone design, increased speed, distance, flight duration, and useful load have made UAS much more viable in the field.

This makes the UAS a practical platform for operations such as oil/gas pipeline patrols, agriculture, public safety, environmental protection, entertainment, building inspections, search and rescue, or even shipping of goods in and around cities and neighborhoods.

However, there are now legitimate safety concerns regarding the flight of commercial and hobby use of UASs that are developed and manufactured in China. It was discovered data from some drones are not encrypted, including serious vulnerabilities in the software that could allow bad actors to capture flight data, ‘live’ stream your video, and take flight control of the UAS.

Much like many Industrial Internet of Things (IIoT) devices, some UAS platforms have ‘built-in’ vulnerabilities that may never be patched, allowing bad actors access to the platform when the UAS is in-flight. These vulnerabilities can have serious consequences including jeopardizing a mission, to a kinetic attack leading to possible loss-of-life.

CISA’s Guidance on Securing Drones

Cybersecurity diligence must be taken when operating an UAS.

CISA recommends a mitigation plan that includes:

• Ensuring secure, organization-wide development of the goals, policies, and procedures for the UAS program.
• Identify and select the UAS platform that best meets the operational and security requirements of the organization.
• Perform regular updates, analysis, and training in accordance with the organization's plans and procedures.
• Ensure proper operational and security policies are followed during operational usage.

Not taking proper precautions may lead to possible FAA, NTSB, and legal consequences. Trustwave’s (AMS CPS) can assist with developing the following:

• UAS Operational Usage policy that will assist with where and how the UAS is maintained and operated. Defining proper storage of the UAS, software/firmware updates, UAS connectivity options, pre-flight/in-flight/post-flight, and emergency checklist.
• Develop a Zero-Trust model throughout all aspects of operation of the UAS, from Vulnerability Risk Assessment program to understanding where the UAS data is stored and shared.
• Co-Managed SOC to help protect and monitor suspicious network activity within your UAS fleet.
• Supply Chain Risk Management (SCRM) program to ensure integrity, security, and reliability of the UAS firmware and software updates.

As drone usage expands, it's imperative that organizations implement robust cybersecurity measures, including those outlined by CISA, to mitigate these risks and protect critical infrastructure. Ultimately, the future of drone technology hinges on addressing these security challenges and fostering trust in the supply chain.

Latest Trustwave Blogs