Cybersecurity for drones

February 1st, 2017, Published in Articles: EE Publishers, Articles: PositionIT

 

While the many benefits of unmanned aerial systems (UAS), or remotely piloted aerial systems (RPAS) as they are also known, are regularly professed, the accompanying complexity that these systems introduce into workflows, especially when it comes to cybersecurity, is often neglected.

As unmanned aerial systems are fundamentally digital systems – from their sensors to their flight systems and their data – they are prone to the same threats as traditional computers, in some cases even more so.

When a security breach occurs, it is not only the expensive equipment itself that is at stake but, more often, highly sensitive company data too, not to mention the reputational damage a company could suffer from such a breach. For some operators, the most serious damage could be in the form of delays in critical operations.

Skyjacking is one of several cyber threats.

Discussions around cybersecurity usually oscillate between paranoia and complete carefreeness, and users easily justify their inaction by citing that no system is impenetrable.

Threats

Despite cybersecurity appearing to be a daunting task at the outset, a rational security approach is often enough to fend off most common threats. Identifying the most likely attacks or potential attackers could be the best starting point to inform such a security plan.

Braam Botha from UAV Industries, whose company specialises in risk documentation, emphasises physical security measures as a primary concern. Taking suitable precautions with regard to how and where a system is stored, how it is transported as well as on-site security can help mitigate many obvious forms of theft.

Other attack vectors typically include the communication links between the UAS and ground control stations, the ground control station itself, and the computers on which the captured data is stored.

UAS hijacking (or sky-jacking if you prefer) has received media attention since at least 2012. As early as 2013, publicly available software named “SkyJack” made it possible to commandeer another UAS mid-air by intercepting its wireless network connection to the ground control station, and so take over its flight control and camera systems.

These attacks can even be executed from ground stations without the need of a UAS, and surprisingly often by using cheap, off-the-shelf products. Hacks like these can be executed by curious pranksters for example, and are not always attacks with malicious intent.

Mitigation

Ensuring that your hardware supports basic security protocols (e.g. protected Wi-Fi) when you purchase it is an important starting point.

Employing existing technologies where possible is another relatively easy means of risk mitigation. Operating over secure (encrypted) wireless networks, in the same way you use a password to protect your Wi-Fi router at home, should already be standard practice.
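
As an added illustration of checking that the control link really is encrypted before take-off (this code is not from the original article): the Python sketch below audits a Wi-Fi scan taken on a Linux ground station with NetworkManager's nmcli. The SSID "UAS-LINK-01", the other network names and the scan lines are constructed sample values.

```python
# Added example; CONTROL_SSID and the scan lines below are constructed values.
CONTROL_SSID = "UAS-LINK-01"

# Constructed output of `nmcli -t -f SSID,BSSID,SECURITY device wifi list`.
# Terse mode separates fields with ':' and escapes a literal ':' as '\:'.
SAMPLE_SCAN = r"""
UAS-LINK-01:AA\:BB\:CC\:00\:00\:01:WPA2
survey-cam:AA\:BB\:CC\:00\:00\:02:
old-gcs:AA\:BB\:CC\:00\:00\:03:WEP
site-office:AA\:BB\:CC\:00\:00\:04:WPA2 WPA3
"""

def split_terse(line):
    """Split one terse-mode line on unescaped ':' and drop the escapes."""
    fields, cur, i = [], [], 0
    while i < len(line):
        if line[i] == "\\" and i + 1 < len(line):
            cur.append(line[i + 1])   # escaped character, keep it literally
            i += 2
        elif line[i] == ":":
            fields.append("".join(cur))
            cur, i = [], i + 1
        else:
            cur.append(line[i])
            i += 1
    return fields + ["".join(cur)]

def classify(security):
    """Map the SECURITY column to open / encrypted / weak (WEP or unknown)."""
    tokens = set(security.upper().split()) - {"--"}
    if not tokens:
        return "open"                 # no encryption advertised
    return "encrypted" if any(t.startswith("WPA") for t in tokens) else "weak"

def audit(scan_text, control_ssid=CONTROL_SSID):
    """Return (control_link_ok, findings) for one scan."""
    states, findings = [], []
    for line in scan_text.strip().splitlines():
        fields = split_terse(line)
        if len(fields) != 3:
            continue                  # not an SSID/BSSID/SECURITY row
        ssid, bssid, security = fields
        state = classify(security)
        if ssid == control_ssid:
            states.append(state)
        if state != "encrypted":
            findings.append((ssid, bssid, state))
    # The link passes only if it was seen and every radio using it is encrypted.
    return bool(states) and all(s == "encrypted" for s in states), findings
```

Calling audit(SAMPLE_SCAN) reports the control link as acceptable and lists the open and WEP networks seen on site as findings to follow up.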

The same applies to protecting ground station computers and data storage: Ensure the system and software you use is up to date, set up a strong password on the computer, protect against viruses by installing antivirus software, and make sure you are operating and storing your data behind a firewall.

Operating offline could significantly improve your security, but don’t forget that computers can still be stolen, and threats such as viruses, malware and ransomware can still be distributed to offline systems through flash disks and other media.

Since UAS data is usually the main product, maintaining a good backup and data management strategy is essential, as is aligning it with your organisation’s existing security practices.

Botha believes that security practices and procedures can be standardised to a great degree, with minor tweaks to accommodate specific operating environments. In many cases, security practices are procedural – such as ensuring waypoints are reset after each project.

Concepts under development

A number of organisations are working on solving UAS security and safety weaknesses. Two companies are jointly working on issuing digital identification certificates for UAS for digital authorisation, with the hope that the same certificate can also be used to encrypt communications between a craft and the ground station.

In the US, the Massachusetts Institute of Technology (MIT) is also steering an initiative to help establish a cybersecurity policy for driverless cars, delivery drones, and health and financial data (note the relationship between these technologies).

Signal strength awareness and blockchain technology hold further potential as approaches to radio-frequency security.

Beyond material damage

UAS operators will understand the harm posed to human life and to critical operations when systems fail, but the reputational damage from failures such as data losses and operational delays is easily underestimated.

Good security measures can help limit and avoid many common risks, and constitute professional operational practice.

Finding a middle ground between a care-free and a paranoid security approach is important for effective security and efficient operations. A rational approach is generally a suitable approach, and it starts by analysing potential threats and attacks, bearing in mind that different environments pose different risks.

Once in place, most security measures become procedural, and these can be standardised for further operational efficiency.
