This month’s Shepard Unmanned Vehicles magazine has an informative article on cyber security for UAS. There were some statements made in the article that commercial UAS developers and operators should take with a grain of salt though.
“On the small commercial UAS side, Clayton said there was unlikely to be a particularly high cyber security threat. This is because the nature of much of the work, and the fact that it would likely be easier for someone to buy their own small UAV than it would be to hack into another one. For example, one major reason to hack into a system is to steal the data it is collecting: ‘A spectral analysis of a large wheat field is not overly sensitive, and if I really felt that desperate to have a spectral analysis of that wheat field then I can go and take my own.'”
While I agree wheat field surveys are unlikely targets of industrial espionage, there is at least one commercial application with highly sensitive data that does come to mind: security. If a facility/person is important enough to have a UAS patrolling its fence line, then the video and other data onboard would be valuable to a variety of bad actors.
As an adversary, I would want
- real-time access to sensors and UAS position
- mission plans
- and any information that would allow me to commandeer or disrupt the UAS.
If the UAS is networked into a larger security system, then I’m really going to get excited. A badly protected UAS could be my backdoor to the whole facility. I could turn off sensors, disable counter-UAS systems, grant remote access, or simply see what the defender is seeing.
“Another motivation might be to use the UAS to inflict physical damage, for example in a terrorist operation. Many of the lower end systems are so small that they would not be able to cause a great deal of damage, Clayton said, unless they hit something particularly sensitive. Again, even if someone did want to use a small UAV for such purposes, it would once again be cheaper and easier for them to buy their own.”
This statement has a couple of problems. First, some lower end systems can carry a lot more payload then most people know. One kilogram of C-4, Semtex, or TATP can cause quite a bit of damage (and cause fear which is the point of terrorism). Second, I do have the choice to build, purchase, or steal a UAS. And yes, most of the time I will purchase one if possible because it’s just easier and lower risk. But there are some circumstances that may dictate stealing a drone:
- I need an exact physical copy for a contextual attack
- I need a specific capability, such as a multirotor able to carry 10 kilograms
- I’m low on Bitcoin.
My first choice would be to steal a complete UAS from an operator. I don’t want to deal with potential aircraft and ground control station integration problems on top of attempting a commandeering operation. If I can’t get physical access to the UAS, though, and I know of a potential vulnerability in that model, then I’m more likely to steal one in-flight.
The bottom line is developers and operators can’t assume a one size fits all cyber security model. Some applications clearly require more precautions than others. If you’re having problems identifying hazards, give us a call.
l.
PS. I’ll save commandeering cargo drones for another day. It’s difficult to decide on pilfering Amazon Prime Air or targeting medical drones transporting opiates to rural communities.