Inside Unmanned Systems

AUG-SEP 2017

Inside Unmanned Systems provides actionable business intelligence to decision-makers and influencers operating within the global UAS community. Features include analysis of key technologies, policy/regulatory developments and new product design.

Issue link: http://insideunmanned.epubxp.com/i/866795


CYBER RISK REDUCTION

mal data, audio recordings or precise GPS coordinates, often passes through several "links" in the data chain, Kennedy said. After it's collected by a drone's cameras or sensors, data can be stored on a hard drive on the UAS or it can be transmitted wirelessly to a cloud-based data storage system, to one or more remote ground stations, or to data processing or storage facilities.

Because of the absence of built-in security controls on these systems, this data chain opens up several opportunities for hacking, Kennedy said, making it important for operators to conduct careful due diligence on any software or hardware integrated into the UAS data chain.

There are many other factors that contribute to attacks, Kennedy said, including unencrypted transition links and software applications that aren't regularly patched to protect against security threats. Using multipurpose command and control platforms, such as smartphones and tablets, that store data collected from the drone as well as other data, also can open the door for hackers to cause problems.

"There's very heavy use of tablets, Android and iPhone devices to control these drones," Finisterre said. "In my mind, you need to look back at the past five years' worth of cell phone vulnerabilities and demonstrations of exploitations and consider the fact it's very possible the device you're using to control your drone may be compromised by some other nuance in your cell phone's operating system. You're brushing different worlds together—cell phone security, traditional computer security and the fact you're flying something."

Many of the same cybersecurity threats that apply to Internet of Things devices generally apply to drones, Kennedy said. For example, information transmitted to or from a drone may be "spoofed," meaning a hacker may send incorrect GPS signals, operational data, or commands to the UAS. A hacker may spoof signals to cause the system to crash or to violate sensitive airspace. Drones may also be vulnerable to a process called "packet sniffing," or "snooping," where a software program is used to access, intercept, or log data

FINDING THE RIGHT FRAMEWORK

ALTHOUGH THERE ARE SEVERAL RECOGNIZED FRAMEWORKS, the Cybersecurity Framework developed by the National Institute of Standards and Technology (NIST) has become a widely-recognized model, said Brian Kennedy, associate at Hogan Lovells law firm. The NIST Cybersecurity Framework is process-based and flexible. It is straightforward to implement and adaptable to a wide range of organizations.
More Information: nist.gov/cyberframework

THE NTIA UAS PRIVACY AND SECURITY FRAMEWORK is also a good place to start. This is a multi-stakeholder, best-practices document that sets forth voluntary commitments for privacy, transparency and accountability practices around the use of drones, Kennedy said. It provides high-level guidance on the essential elements of a cybersecurity risk management program without imposing rigid requirements or exposing operators to significant additional legal risk—although any organization that publicly states that it adheres to the framework must do so.
More Information: ntia.doc.gov/files/ntia/publications/uas_privacy_best_practices_6-21-16.pdf

THE BEST AND QUICKEST WAY TO START YOUR FRAMEWORK is with SANS critical security controls, said David Kovar, president and founder, Kovar & Associates. These controls are well established, easy to understand, and can generally be implemented fairly quickly without standing up a huge project and spending a lot of money.
More Information: sans.org/critical-security-controls/guidelines

AT THE OTHER END OF THE SPECTRUM IS THE INTERNATIONAL ORGANIZATION FOR STANDARDIZATION (ISO), Kovar said. These standards take a lot of time to understand and implement. Most organizations with the resources available to implement ISO standards are at least familiar with them if not already doing them.
More Information: iso.org/isoiec-27001-information-security.html
