Cybersecurity Considerations for Operation of Commercial Drones
Use of unmanned aircraft, or drones, in commercial applications is on the rise, so the associated cybersecurity aspects must be considered. As with any other device that has an operating system and transmits, collects, stores, and shares data, the risks associated with software installation and usage, operational security, data sharing and storage, and emerging threats and vulnerabilities should be addressed when incorporating drones as a component of business operations.
Drone software installation precautions
The following precautions are recommended when downloading and installing drone software:
• Before downloading and installing the software, isolate or remove from the organization’s internal network any devices onto which the application will be downloaded or installed. This will prevent propagation of any malware embedded within the application or inadvertently downloaded from the site.
• Carefully and thoroughly review the terms and conditions and licensing agreements associated with the software. If the organization is large and/or subject to regulatory requirements or data privacy standards, it may be necessary to have the agreements reviewed by an attorney prior to application installation.
• Research the application vendor and verify that their download site is secure. Review any complaints posted by other users regarding the site, software, or vendor. If the software will be installed on a mobile device, check the verification process of the device maker’s app store and make sure that the software has been reviewed and meets the verification requirements.
• After download and prior to installation, scan the downloads with an up-to-date antivirus/anti-malware application. After installation, scan the device onto which the application was installed. If the device has a firewall application, ensure that it is operational so that it can block any potentially malicious traffic resulting from installation of the application.
• Choose the manual installation process when performing the installation. This will allow for review and deselection of unwanted bloatware that would have been installed by default.
Drones can be hijacked if communications between the authorized operator’s device and the drone are not properly secured. Simply searching the phrase “how to hijack a drone” will return results from numerous sites offering instructions, DIY device plans, and hardware devices specifically intended to facilitate the takeover of drone operations mid-flight.
The following are recommendations for securing communications between the controller and drone:
• Avoid purchasing inexpensive drones. Their manufacturers likely focus less on security, leaving them more vulnerable to attack than their higher-end counterparts.
• Ensure that your controller devices (laptops, tablets, and phones) are free of malware and viruses that may provide access to hijackers. Scan your devices regularly and keep your security applications updated with the latest virus definitions.
• Use a virtual private network (VPN) application to communicate with the drone. The VPN will protect your communications via a secure tunnel using encryption. The communications between your controller and drone cannot be deciphered by a hacker attempting to take control. VPN applications are available for laptops and desktops as well as Android and iOS phones and tablets.
• If possible, change the drone’s settings to prevent it from broadcasting its Wi-Fi SSID. If the SSID is broadcast, change it to something that does not indicate it is the SSID of a drone, does not include the drone’s make or model information, and does not provide the name of the organization operating the device.
• For an extra layer of security, use dedicated devices for drone controllers that are not running apps sharing data with external systems.
• Ensure that your drone’s software and that of the controllers are updated regularly to install operating system updates and patch any vulnerabilities.
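The SSID recommendation above can be checked mechanically across a fleet. The following is an added example, not part of the original article: it flags a proposed SSID that reveals the device class, a make or model, or the operating organization. The term list, the make/model name and the organization name are constructed placeholders.

```python
import re

# Generic words that reveal the device class (assumed list; extend as needed).
GENERIC_DRONE_TERMS = ("drone", "uav", "copter", "quad", "fpv")

def _normalize(text):
    """Lowercase and drop separators so 'XC-200' and 'xc_200' compare equal."""
    return re.sub(r"[^a-z0-9]", "", text.lower())

def _tokens(name, min_len=4):
    """Split a make/model/organization name into words long enough to match on."""
    words = re.split(r"[^A-Za-z0-9]+", name)
    return {w.lower() for w in words if len(w) >= min_len}

def audit_ssid(ssid, makes_models, org_names):
    """Return a list of findings; an empty list means the SSID passes.

    Matching is by substring on the normalized SSID, so it errs on the side
    of flagging (for example 'quad' inside an unrelated word).
    """
    flat = _normalize(ssid)
    findings = []
    for term in GENERIC_DRONE_TERMS:
        if term in flat:
            findings.append(f"device class: '{term}'")
    for label, names in (("make/model", makes_models),
                         ("organization", org_names)):
        for name in names:
            whole = _normalize(name)
            hits = {t for t in _tokens(name) if t in flat}
            if whole and whole in flat:
                hits.add(whole)
            for hit in sorted(hits):
                findings.append(f"{label}: '{hit}'")
    return findings

# Constructed inventory for illustration only.
MAKES_MODELS = ["ExampleCopter XC-200"]
ORG_NAMES = ["Acme Surveying"]

if __name__ == "__main__":
    for candidate in ("ExampleCopter-XC200-7F3A", "ACME_Survey-UAV01", "NET-5G-7F3A"):
        print(candidate, "->", audit_ssid(candidate, MAKES_MODELS, ORG_NAMES) or "ok")
```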
Secure transmission and storage of data collected
If confidentiality of the data collected during drone operations is important, consider encrypting it. Using the VPN previously recommended will protect the data in transit between the controller and drone, but, depending on the nature of the information, regulatory requirements, or organizational policies, it may be necessary to encrypt stored data as well.
Using dedicated devices that do not maintain external connections, as was also previously recommended, will help ensure confidentiality of the data because it is stored only on that device and the drone.
Once it has been confirmed that the data is securely stored on the controller device or elsewhere, deleting it from the drone’s storage is another step that can be taken to maximize security.
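One way to implement the confirm-then-delete step is sketched below as an added example, not part of the original article. It copies each file off the drone's mounted storage, compares SHA-256 digests, and removes the original only when the copy matches. The function names are hypothetical, and the destination directory is assumed to sit on a volume that is already encrypted.

```python
import hashlib
import os
import shutil
from pathlib import Path

def sha256_file(path, chunk=1 << 20):
    """Hash a file in chunks so large video files do not fill memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()

def offload(drone_dir, store_dir):
    """Copy, verify, then delete. Returns {relative_path: outcome}.

    store_dir is assumed to be on an encrypted volume (assumption of this
    example); the function itself performs no encryption.
    """
    drone_dir, store_dir = Path(drone_dir), Path(store_dir)
    results = {}
    for src in sorted(p for p in drone_dir.rglob("*") if p.is_file()):
        rel = src.relative_to(drone_dir)
        dst = store_dir / rel
        expected = sha256_file(src)
        if dst.is_file() and sha256_file(dst) != expected:
            # Never overwrite earlier data that differs; keep both copies.
            results[rel.as_posix()] = "kept: destination differs"
            continue
        try:
            dst.parent.mkdir(parents=True, exist_ok=True)
            shutil.copyfile(src, dst)
            with open(dst, "r+b") as f:
                os.fsync(f.fileno())  # flush the copy before trusting it
        except OSError as exc:
            results[rel.as_posix()] = f"kept: copy failed ({exc.strerror})"
            continue
        if sha256_file(dst) != expected:
            results[rel.as_posix()] = "kept: hash mismatch after copy"
            continue
        src.unlink()  # delete from the drone only after the copy is verified
        results[rel.as_posix()] = "deleted"
    return results
```

Unlinking a file does not overwrite the underlying flash storage, so a full format or the manufacturer's erase function may still be needed where residual data matters.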
Periodically check bulletin boards, forums, and safety notices
Although it is growing, commercial drone usage is still in its infancy. Identifying and periodically reviewing credible sources of up-to-date information regarding operational issues encountered, security threats, regulatory changes, and safety-related incidents is recommended. These sites are easy to locate online. The drone manufacturer may also maintain a user forum or bulletin board to address user issues, post notices of pending updates and upgrades, and notify customers of emerging technologies or threats.
Drones are currently being utilized by organizations ranging from real estate firms to police agencies. More businesses are exploring the potential benefits of incorporating them into their operations. The technology is still evolving, as are the threats. Devices are openly offered online with the promise that they will enable their users to hijack drones in flight. There are DIY kits and instructions available to potential hijackers and hackers as well. This considered, implementation of drones as a component of an organization’s operations would not be complete without a comprehensive security policy that includes technical controls along with safe usage and maintenance procedures.