Inside Unmanned Systems

AUG-SEP 2017

Inside Unmanned Systems provides actionable business intelligence to decision-makers and influencers operating within the global UAS community. Features include analysis of key technologies, policy/regulatory developments and new product design.


CYBER RISK REDUCTION

WHAT TO ASK SERVICE PROVIDERS:
• What types of data do you collect?
• Where do you store data?
• Do you share any data with other third parties? If so, for what purposes? What due diligence activities have you conducted with respect to these third parties?
• Can you certify that you have a reasonable and appropriate cybersecurity risk management program in place?
• Have you adopted appropriate organizational, technical and physical security policies and procedures?
• Have you implemented incident response and business continuity plans?
• Do you have a program for regularly assessing risks to information security assets and managing those risks to an appropriate level?
• Is your staff trained on appropriate security practices?
• Have you suffered any information security incidents that may have exposed sensitive data?
• If so, what steps were taken to remediate any vulnerabilities that may have contributed to the incident?
• Do you encrypt data at rest and in motion?
• Do you implement secure software development practices?
• Do you have a process in place for scanning software for vulnerabilities and providing regular security updates as necessary?
Source: Brian Kennedy, associate at Hogan Lovells law firm

without the UAS operator ever knowing. Ransomware, a major threat for health care organizations, also may be used to encrypt valuable data collected by drones, Kennedy said. Mercenary hackers often charge a ransom to be paid in cryptocurrency in exchange for the decryption key.

Protecting Data In-House

Operators should consider the security of data collected via drone a critical part of their risk management program, Kennedy said. That means implementing a framework to reduce the risk to data an operator collects, stores or transmits.

Keep in mind many companies already have safeguards in place to protect sensitive data, so you probably won't need to start from scratch, Kovar said. It is important, however, to ensure those existing practices are sufficient. Find out how your company handles cybersecurity. If data is simply tossed onto a standard file server that everyone has access to, it's probably time to make some changes.

So where should you start? By reviewing existing standards for data protection and cybersecurity. Kovar recommends following SANS, NIST or ISO standards (see Finding the Right Framework on preceding page); just keep in mind the standards in these documents aren't one-size-fits-all. Every company is different and has unique needs. Make sure your processes fit your firm's circumstances.

There also should be a documented organization structure that outlines exactly what you're trying to accomplish with data protection and cybersecurity and who is responsible for it, Kovar said. Too often, companies document what they plan to do but never act on those plans, leaving their data vulnerable. This step helps plan implementation.

Kovar suggests hiring one person and giving him or her the budget and resources necessary to stay informed. This person should have a deep understanding of cybersecurity threats and mitigations as well as the authority to develop and implement an effective program. The cybersecurity expert in your organization also should have the authority to go to the UAS group and say "stop using this product" or "we must take steps to ensure vulnerability is mitigated" when a problem is discovered, Kovar said. This might mean changing the way the drone is operated or switching out a piece of software.

"The most important things for a cybersecurity program are people, processes and technology. People should come first, but unfortunately a lot of corporations figure out the technology first," he said. "They spend a million dollars on some really cool cybersecurity technology and then because they didn't invest in the people and processes, the technology sits on a shelf or is deployed but isn't managed or used properly. So the perception is the company is secure when it really isn't. Once you have the people and processes in place, then look at investing in technology to match."

It's also important to ensure the program you put in place works properly, Kovar said, and one

Photo courtesy of AeroVironment.
