Drone Security

Drone security is quickly becoming the hot topic for Government, regulators and industry stakeholders. This week RUASRT Lead Dr Reece Clothier published an article in the inaugural SUAS Guide (Issue 1, January, pp.66-69). A version of the article is included below.

RUASRT is conducting world-leading research into the identification, modelling, and management of security risks associated with drones. A conference paper was presented at the 2015 SAE AeroTech conference in Seattle.

Drone Security

By Dr Reece Clothier

A version of this article was first published in “Drone Security” (2016) SUAS Guide, Issue 1, January, pp.66-69.

To date, industry, government, and regulator attention has been focused on addressing the safety and privacy issues surrounding the widespread use of drones. One equally important issue that has received far less attention is drone security.

We can speak about drone security in a number of contexts. Firstly, we can talk about the many beneficial applications for drones in civil and national security roles. Already there are numerous entrepreneurial companies exploring the use of drones as “autonomous watch dogs”. We can also talk about the security of drones themselves; more specifically, the ability to hack, infiltrate, or otherwise disrupt the safe operation of a drone. The third and final context is the potential misuse of drones, which is the subject of this article.

The number of reported security incidents involving drones is on the rise. From interrupting sporting or political events, smuggling contraband into prisons, to breaching exclusion zones around nuclear power plants – drones are starting to live up to their moniker of being a “disruptive technology”. Some notable incidents from last year are summarised below. These incidents highlight the diverse scope and nature of security issues that need to be addressed.

  • 26 Oct 15 – Oklahoma – A failed attempt to use a small commercial off the shelf (COTS) multi-rotor to smuggle drugs, a phone, and other contraband to prison inmates. The drone crashed into razor wire surrounding the prison. This follows similar attempts in the U.K. in 2015, Australia in 2014, and Brazil in 2012.
  • 3 Sep 15 – New York – A small COTS multi-rotor drone flew over courts at the 2015 U.S. Open, before crashing into empty seating within the stadium. The crash disrupted play on the court. The operator was arrested the next day. The incident follows an earlier security event in June when a small drone was flown over tennis players in the lead up to the Wimbledon Grand Slam. Police seized the drone but at the time of writing had yet to apprehend the operator.
  • 18 May 15 – Suffolk, UK – Police in the U.K. are warning the public that small multi-rotor drones are being used by burglars to collect information on prospective properties. This follows the 2014 arrest of two burglars in the U.S. state of Pennsylvania who were suspected of using a small multi-rotor drone to scout prospective targets.
  • 7 May 15 – Windsor, UK – A tourist wanting to capture video footage of Windsor Castle inadvertently caused a security scare. Operating a COTS multi-rotor drone, the tourist flew around the site for approximately 10 minutes before police apprehended the operator.
  • 29 Apr 15 – New York – A small COTS multi-rotor drone was used to graffiti a prominent advertising billboard. This is purported to be the first case of vandalism using a drone.
  • 22 Apr 15 – Tokyo, Japan – A small multi-rotor drone was found on the roof of Japanese Prime Minister Shinzo Abe’s office. The aircraft was carrying a small amount of radioactive sand, in an apparent protest against the use of nuclear power after the Fukushima disaster. The operator of the aircraft later turned himself in to authorities.

So how do we tackle this? It is first necessary to distinguish between the different types of perpetrators. It is expected that the vast majority of security-related incidents involving drones will be the result of ignorance; recreational users who are not malicious in their intent and are (or claim to be) unaware of the potential disruption or damage their actions cause. The smaller fraction of incidents will be due to intentional actors; those who are aware of the laws they are flouting when seeking to snap that unique holiday photo. An even smaller fraction of these intentional actors will have malicious intent; people out to cause significant damage or disruption through the misuse of a drone. Different strategies to manage the security risks posed by the different types of actors will be needed.

In terms of risk mitigation, focusing on the drone yields few effective risk mitigating measures. Controlling access to the technology is not a viable option – that drone has already flown. Hardcoded geo-fence systems, like that being rolled out by DJI, and even universal “flight termination commands”, which can be triggered by approved government agencies, have been bandied about as possible solutions. The latter is likely to cause more safety and security issues than it is likely to address. Software protection mechanisms like geo-fencing, however, are useful but not a panacea for the security problem. A regulatory mandate for such software functions would be needed as there is little by way of incentive for drone manufacturers to implement them – they come at additional cost and can place a drone product at a potential competitive disadvantage to other “unrestricted” products. Drone-based security features would not be effective for threats posed by intentional actors, for home-built drones, or for those threats where the geographical location of the “target” is not known or mapped.

For these reasons it is not all that surprising to see a new industry in anti-drone technologies emerging. Passive acoustic arrays (e.g., DroneShield), radio frequency receivers, and electro-optical, infrared, and radar sensors have all been used as a means for drone detection and tracking. Intervention technologies range from simple handheld net guns through to comprehensive “drone defence” systems that utilise directed electromagnetic energy (e.g. Anti-UAV Defence System developed by Blighter Surveillance Systems, Chess Dynamics, and Enterprise Control Systems Ltd.) or lasers (e.g., Boeing’s High Energy Laser Mobile Demonstrator).

Electronic warfare technologies previously used by the military are now finding new applications in anti-drone systems. Such EW technologies include jamming and spoofing, which target command and control links and navigation systems most commonly used by commercial drones. Even anti-drone-drones, such as MALOU Tech’s Drone Interceptor, have been fielded. Anecdotally, the humble garden hose has also been said to be an effective, albeit short range, anti-drone tool. Wild birds of prey have been known to attack operational drones and this natural instinct has recently been harnessed by the Dutch Police, who have begun training falcons for anti-drone missions.

Video: http://www.youtube.com/watch?v=HifO-ebmE1s

These detection and intervention systems will vary in their effectiveness and cost. What is becoming apparent is that there is no one anti-drone system that will be suitable for all drone types, environments, and subsequent threats. Of particular note is that many of the currently available intervention systems are effective only for drones operating at lower altitudes. It is also worth noting that many of the commercially available anti-drone technologies have only been demonstrated in clear and controlled test environments. There are particular challenges to the safe and effective use of these devices in urban environments. Urban or built-up environments are high-clutter environments (acoustic, radio frequency, etc.), which makes the reliable detection of drones all the more difficult, particularly smaller drones operating at low altitudes around tall structures. There are also some fairly significant safety issues associated with the use of intervention technologies in urban areas. A disabled drone falling from height can pose a credible hazard to people and property on the ground. The use of non-eye-safe lasers also presents an obvious safety issue. Jammers and directed EM devices can disrupt other critical electronic and communication devices (e.g., health care equipment, signalling, radio navigation systems, etc.). Then there is the threat such devices pose to other legitimate airspace users.

Currently, there are no regulations and standards specific to anti-drone devices, although there are general regulations that would be applicable to some classes of anti-drone systems. Regulations and standards pertaining to the design and safe use of anti-drone technologies are needed, and until they are developed, let the buyer, and public, beware.

Detecting and neutralising the threat posed by the drone itself is only part of an effective security response. Apprehension of the offender is an entirely different problem. The offending operator could be anywhere within radio line of sight of the drone. At the other extreme are internet-enabled and remotely deployable drones, which can be operated from anywhere in the world. Mandatory registration and marking of drones will help but only in the apprehension of non-malicious actors. I’m fairly certain that those people who have malicious intent aren’t going to write their name on their drone.

The aforementioned strategies are all reactive security risk controls; proactive and preventative security risk controls are also needed. Education is perhaps the best strategy for reducing the number of security incidents caused by unintentional and non-malicious offenders, whereas intelligence gathering and intervention will be key to mitigating the security threat risk posed by intentional actors. The threat-risk posed by drones is distinct from that of manned aircraft, and as a consequence, existing security regulatory frameworks used for manned aircraft are unlikely to be effective in the management of the broad spectrum of drone-related threats. Responsibility for drone security regulations in the U.S. is likely to fall under the remit of the Transportation Security Administration (TSA). The TSA have not specifically addressed the security concerns relating to drones and any effort to develop new regulations will require close coordination with various other agencies within the Department of Homeland Security and the Federal Aviation Administration, to name but a few.

With all that said, we shouldn’t be alarmed about the potential misuse of drones. All technologies have associated security issues; the challenge lies in developing effective strategies to manage these risks without loss of the many benefits drones offer society. It’ll take the collective and coordinated effort of industry, associations, and government agencies to comprehensively address the security issues surrounding this technology. Education of the broader community on the responsible use of drones will go a long way towards reducing the number of unintentional security incidents. Tackling the intentional and malicious actor will be a more challenging task that will require the implementation of both preventative and reactive security risk controls. Further research to objectively identify and assess the security risks associated with drones, and to explore the effectiveness of various risk controls, is needed. This research will be key to informing the development of regulations and for ensuring security regulation does not come at unnecessary cost to the drone operators.
