Drones as an attack vector: Vendors need to step up

Critical infrastructure operators, law enforcement, and every level of government are all busy incorporating drones into their day-to-day operations. Drones are being used to support an array of applications for traditional infrastructure as well as agriculture, utilities, manufacturing, oil and gas, mining, and heavy industries.

Drone makers and industry end-users are just now starting to recognize that all elements of their connected enterprises have what Jono Anderson, principal, strategy and innovation at KPMG, calls “robust capabilities that encompass individual drones, connected fleets of drones, cloud/enterprise capabilities, and all communications between them.”

Drones are “flying computers” and an attack vector

Despite their potential vulnerabilities, many drone systems don’t use higher levels of security architectures. According to Anderson, “In a connected system of drones, the growing ‘fog’ of communications within and around drones creates multiple attack vectors that could expose critical systems of an individual drone or the entire fleet and potentially the entire cloud and enterprise.”

Although drones offer proven benefits to operators, they also pose serious cybersecurity risks. A drone is essentially a flying computer, and just like computers they are rife with potential cyber threats.  Joshua Theimer, EY’s senior manager of technology consulting, says, “Much of what organizations are doing is focused on ensuring that drones are operating in compliance with external state-level and federal regulations.” Since many of the drones that are currently procured are proprietary to the manufacturer, Theimer argues that it’s critical to have a “foundational organizational security strategy” in place that provides the appropriate security around the ecosystem in which the drone is used.

Cybersecurity hasn’t historically been a major priority for drone manufacturers, nor for drone users. Theimer’s assessment is that drone vulnerabilities remain “quite well known to those who are knowledgeable in the space.” For example, those involved in drone reverse-engineering have a general awareness of vulnerabilities across a wide variety of drones and manufacturers.

When there was fear of malware delivery into the corporate environment, Theimer noticed that “organizations implement an air gap” between the drones and the devices associated with supporting those drones and the rest of the corporate network to ensure the device never connects to the corporate network.

“Drones present cybersecurity threats to an organization and carry the risk of data compromise,” says Samuel Rostow, an infrastructure security program specialist with the U.S. Cybersecurity and Infrastructure Security Agency (CISA). CISA issued an industry alert in 2019 to the critical infrastructure community warning of the threat that foreign manufactured drones could pose to an organization’s sensitive information. The information and guidance in the alert was re-affirmed last July by the Department of Defense’s Statement on DJI Systems.

How attackers compromise drones

David Armand, security expert for embedded systems at Orange, worries that, besides military drones, drone security investments “remain low compared to the cost of the product. Drones are juicy targets since attacks cost much less than the value of an entertainment or of a professional drone. Threats fall into two families: attacks on a drone and attacks performed using a drone.”

Information extraction from the drone itself is a point of vulnerability. Systems are vulnerable during communications between drone operator and the drone itself. Theimer points to “vulnerabilities which allow for the observation of, disruption, or takeover of the command-to-control link.”

Armand’s research shows that compromising a drone’s software or hardware, or even the controller (e.g., a cell phone) can be achieved through a supply chain attack. He offers two examples:

• Manipulating the propeller design file of a 3D printer allows the drone to fly at high altitudes before the printed propeller breaks apart.
• By gathering information gathered on the phone (cellular network ID and GPS location of the user and the drone) attackers can perform “forced updates” and execute of code without user control.

Theimer worries that “many manufacturers today inherit and utilize community-developed software packages that are not always designed for or scrutinized with security in mind.” As drones become more capable and complex, the opportunity for the proliferation of vulnerabilities will only increase.

As with most security considerations around the usage of emerging technology, a threat model and risk analysis associated with the usage of drones in alignment with organizational risk posture is generally the best approach. Theimer’s goal for the industry is “to ensure that the risk associated with utilizing drones and cyber preparedness are in alignment with the security posture of the organization.”

Drone vendors need to focus on security

The commercial market for drone-focused cyber-solutions is still nascent, since the number of reported attacks Is still relatively small. Thus, demand to prioritize drone security is low. “Few organizations are making significant investments in cybersecurity. While a few of the major drone manufactures have made significant and intentional investments, potentially as a result of publicized U.S. government scrutiny, many drones remain insecure,” says Theimer.

“Firms need to be focused on enhancing product security, specifically in relation to platform software on-board the drone, and communications to/from the drone to mitigate potential for drone takeover or loss of command,” says Rik Parker, principal, cyber security services at KPMG. “For example, potential vulnerabilities can extend into the supply chain where there are often various points of custody and can rely on open-source code. This can lead to a reliance on a third-party development process for secure code development for a critical piece of hardware that, if exploited, could lead to loss of sensitive data and intelligence or potential loss of life.” Given the sensitivity of drone deployment, he suggests vendors add a layer of coverage for access monitoring and behavior analysis to identify potential risks or threats. This would provide indicators of compromise either before or during a breach.

Orange performed a security assessment of a product from Parrot Corp. Armand disclosed that they “had an interesting technical exchange with them through the Orange Security Expert Community.” Parrot addresses cybersecurity at different levels for professional drones:

• Protection against GPS spoofing by using multiple satellite constellations
• Protection against jamming by calculating position through drift measurement using odometry techniques
• Use of cellular connectivity, rather than Wi-Fi, for a more secure radio protocol for drone management
• Drone authentication using a device-unique certificate stored securely in a secure element.

Armand cites companies such as Regulus, InfiniDome, and Septentrio that have commercial products available for detection, mitigation, and reporting of GNSS spoofing attacks. He notes that much bigger companies, including Thales and Intel, are also active on drone security.

Michael Robbins, executive vice president of the Uncrewed Vehicle Systems International Association, sees both commercial and defense focused on “ensuring data storage and transfer, data retention and disposal, securing the data link for drone operations, and monitoring for breaches or malware.” He points out differences between commercial and defense are in “The type of cyberattacks they defend against, the data and information they are securing, and legal requirements around security, operations, and reporting.” 

Regulations, control frameworks for drone security needed

A growing chorus of experts believe that better regulations are needed to address the drone cybersecurity challenge. For example, Parker thinks drone products “should be governed by stringent controls for cybersecurity that protect the software platform for expected services delivered by the drone product and the communications and controls mechanisms.” He sees a need for new control frameworks.

There is progress toward regulations and frameworks. The U.S. White House issued Executive Order 13981 in 2021, which directs federal entities to evaluate and limit federal use of “covered” drones (as defined in the E.O.). CISA has been recommending cybersecurity best practices to mitigate risks and is pushing industry to focus on Blue UAS-compliant drones, which are certified by the DoD to meet federal cybersecurity standards.

Most experts consulted for this article see an uptick of interest in drone cybersecurity. Speaking of the broader world of cybersecurity, KPMG’s Anderson believes that “It can no longer be viewed as solely an enterprise challenge. It’s a much broader and more complex engineering, production, and operational challenge. It requires new approaches that account for potential vulnerabilities including infiltration of software and electronics, modification of the communications sent to and from the drone, and its computing platform in the cloud or in the enterprise.”