How Safe is Your Data?

There’s no doubt unmanned aircraft systems (UAS) offer a better way for businesses to collect information that can improve their operations. The data is so valuable, in fact, that the companies deploying drones aren’t the only ones interested in getting their hands on it—with some people even willing to steal it.

While many operators might not think about data theft while they’re in flight, drones are vulnerable to this threat just like any other technology, said Kevin Finisterre, senior software engineer at the firm Department 13. Not only can UAS become compromised while they’re in the air, the data they collect and the derivative products created from that data also can be stolen, giving hackers (and possibly competitors) access to telemetry data from the drone’s flight as well as any sensitive information it collected.

“When markets haven’t been exposed to people with a security mindset, they wind up being half a decade or more behind the curve of what’s considered best practices in the security industry,” Finisterre said. “I’m seeing things now I saw 10 years ago or more that are 101 junior level security vulnerabilities. Basically the biggest problem at this point is the drone companies are thinking about making things fly and how to make sensors work. They’re focused on bells and whistles and market differentiators. Security isn’t a big market differentiator right now.”

It’s unclear exactly how common cybersecurity issues are when it comes to UAS and the information they collect. Not every industry is required to report and investigate breaches, so many don’t—and oftentimes companies don’t even realize they’ve been hacked. But cybertheft is a threat drone operators and service providers should be aware of so they can take the proper steps to protect valuable data, both on and off the drone.

“A drone’s data collection capabilities make it an attractive target for malicious actors who, like the individuals and companies operating drones, seek to harness the value of data stored or collected by drones,” said Brian Kennedy, who is an associate at the Hogan Lovells law firm. “Meanwhile, the complexity of the data chain provides several potential sources of vulnerability, each of which may be exploited by a savvy hacker.”

The Threats

There are three types of drone-related data that companies need to protect: telemetry data, such as where the drone was launched and its flight path; the actual information the drone collected while in flight and any subsequent products created from that information; and management data, such as who bought the drone, who flew the drone and when maintenance was last performed on the drone, said David Kovar, president and founder of Kovar & Associates, a data and cyber forensics company that develops the software Unmanned & Robotics Systems Analysis (URSA).

Those charged with protecting this data need to understand its value, where it resides and how it moves, experts said. Data collected from the cameras and sensors, as well as management data, are typically stored and protected just like any other information gathered for business operations, Kovar said. Most businesses likely already have processes in place for identifying, tracking and securing sensitive information; these same processes should be used for drone-related data. The telemetry data is where it gets a little trickier. While this information can be protected via typical processes, many businesses aren’t aware of its value or that it even exists.

“Most UAS have an onboard black box, just like commercial airliners, that contains a lot of the telemetry data,” Kovar said. “Companies need to make a decision about whether they’re going to preserve that information and if so, how they’re going to preserve it. That could mean extracting it and putting it in an archive like other forms of data. It also means making a decision on whether to leave the data on the aircraft or to take it off the aircraft. You have to understand where the data is, the value of the data to the company itself and the value of the data to an attacker or a business competitor or somebody with malicious intent. This will help businesses make informed decisions about how to manage that data.”

How Hacking Can Happen

The data drones collect, whether it’s in the form of high-definition images, video, infrared thermal data, audio recordings or precise GPS coordinates, often passes through several “links” in the data chain, Kennedy said. After it’s collected by a drone’s cameras or sensors, data can be stored on a hard drive on the UAS or it can be transmitted wirelessly to a cloud-based data storage system, to one or more remote ground stations, or to data processing or storage facilities.

Because of the absence of built-in security controls on these systems, this data chain opens up several opportunities for hacking, Kennedy said, making it important for operators to conduct careful due diligence on any software or hardware integrated into the UAS data chain.

There are many other factors that contribute to attacks, Kennedy said, including unencrypted transition links and software applications that aren’t regularly patched to protect against security threats. Using multipurpose command and control platforms, such as smartphones and tablets, that store data collected from the drone as well as other data, also can open the door for hackers to cause problems.

“There’s very heavy use of tablets, Android and iPhone devices to control these drones,” Finisterre said. “In my mind, you need to look back at the past five years’ worth of cell phone vulnerabilities and demonstrations of exploitations and consider the fact it’s very possible the device you’re using to control your drone may be compromised by some other nuance in your cell phone’s operating system. You’re brushing different worlds together—cell phone security, traditional computer security and the fact you’re flying something.”

Many of the same cybersecurity threats that apply to Internet of Things devices generally apply to drones, Kennedy said. For example, information transmitted to or from a drone may be “spoofed,” meaning a hacker may send incorrect GPS signals, operational data, or commands to the UAS. A hacker may spoof signals to cause the system to crash or to violate sensitive airspace. Drones may also be vulnerable to a process called “packet sniffing,” or “snooping,” where a software program is used to access, intercept, or log data without the UAS operator ever knowing.

Ransomware, a major threat for health care organizations, also may be used to encrypt valuable data collected by drones, Kennedy said. Mercenary hackers often charge a ransom to be paid in cryptocurrency in exchange for the decryption key.

Protecting Data In-House

Operators should consider the security of data collected via drone a critical part of their risk management program, Kennedy said. That means implementing a framework to reduce the risk to data an operator collects, stores or transmits.

Keep in mind many companies already have safeguards in place to protect sensitive data, so you probably won’t need to start from scratch, Kovar said. It is important, however, to ensure those existing practices are sufficient. Find out how your company handles cybersecurity. If data is simply tossed onto a standard file server that everyone has access to, it’s probably time to make some changes.

So where should you start? By reviewing existing standards for data protection and cybersecurity. Kovar recommends following SANS, NIST or ISO standards (see Finding the Right Framework on preceding page), just keep in mind the standards in these documents aren’t one-size-fits-all. Every company is different and has unique needs. Make sure your processes fit your firm’s circumstances.

There also should be a documented organization structure that outlines exactly what you’re trying to accomplish with data protection and cybersecurity and who is responsible for it, Kovar said. Too often, companies document what they plan to do but never act on those plans, leaving their data vulnerable. This step helps plan implementation.

Kovar suggests hiring one person and giving him or her the budget and resources necessary to stay informed. This person should have a deep understanding of cybersecurity threats and mitigations as well as the authority to develop and implement an effective program.

The cybersecurity expert in your organization also should have the authority to go to the UAS group and say “stop using this product” or “we must take steps to ensure vulnerability is mitigated” when a problem is discovered, Kovar said. This might mean changing the way the drone is operated or switching out a piece of software.

“The most important things for a cybersecurity program are people, processes and technology. People should come first, but unfortunately a lot of corporations figure out the technology first,” he said. “They spend a million dollars on some really cool cybersecurity technology and then because they didn’t invest in the people and processes, the technology sits on a shelf or is deployed but isn’t managed or used properly. So the perception is the company is secure when it really isn’t. Once you have the people and processes in place, then look at investing in technology to match.”

It’s also important to ensure the program you put in place works properly, Kovar said, and one of the best ways to do that is through an audit.

A security audit serves as the cornerstone of a cybersecurity risk assessment program, Kennedy said, because it evaluates security controls, identifies risks and vulnerabilities regarding sensitive data and provides a structure for managing that risk.

Audits or assessments generally are mapped to a recognized framework, such as the NIST standards, which enables operators to validate their security practices against others in an industry.

Finisterre suggests bringing in an outside subject-matter expert not only to perform these audits, but also to help you develop your cybersecurity program if you don’t have an expert on staff. These security specialists also can help manufacturers develop and implement more safeguards into their systems.

When a Service Provider Is Involved

Knowing how to protect your data in-house will help reduce your vulnerabilities, but what if you opt to hire a drone service provider to perform the flights? How can you ensure they keep your information safe?

Before hiring a third party, whether it’s a firm that will collect the data and store it or a data analytics company that will provide valuable insights, make sure the company you plan to work with has the proper safeguards in place, Kennedy said. Their protections should be at least as robust as your own and consistent with any legal obligations the company has to protect the data. Review contracts to ensure they represent and warrant that the vendor has implemented an appropriate information security program. The vendor should also commit to disclose any security breaches, and comply with applicable laws and regulations.

Be critical of the vendors you use, Finisterre said. Push them to be public about their data policies and what they do with their data, or to openly make a statement that they won’t use your data for their own purposes.

Ask these companies how they’re protecting your data and where it will reside, Kovar said. If it’s in the cloud, ask which one. Microsoft? Amazon? Something the company built itself? Is the server in the U.S., China, Russia or somewhere else? If data is stored on a server in another country, you have to figure out whose laws apply to accessing that data, how you’ll be notified if the data is accessed illegally and your rights to the data. Find out what the notification requirements are if the company is hacked and how often they’ll keep you up to date as they work to determine who attacked and what data was taken. You might want to have a lawyer review the data protection agreement before you sign.

“If a company is outsourcing UAVs and flying pipelines and crops, they want to get as many flight hours in as possible so they can bill and grow the company,” Kovar said. “They may not be taking the time to develop internal data protection. So instead of flying your property, taking all the data off the UAV and putting it into an encrypted folder that’s only available to the client and the company, they may put it all on a thumb drive and put it in the back of a car, where it stays until the next flight.”

Remember, your organization is only as strong or as secure as your supply chain, Kovar said. If you’re buying unsecure equipment and not taking steps to secure that equipment, it puts the entire organization at risk. The same applies for software as a service. If you’re using an external site for processing image data and the company’s servers are not secure, your data could be stolen—and the vendor might not even know it.

Secure From the Start

As the technology evolves and manufacturers rush to get the latest and greatest out the door, most, while they have good intentions, aren’t investing as much time and effort in security as they should, Kovar said, whether it’s hardware, software or operational products.

“You can’t bolt security on after the fact. You have to design it in from the start,” he said. “If you’re trying to build a new UAV business and you’re rushing to put code out there that works and gives new features, you may not pay as much attention to good security practices. Security isn’t a profit center. It’s a cost center. It’s difficult to convince shareholders or people who control the budget to invest in security.”

But security breaches can be very costly. To develop your cybersecurity program, have an open discussion in your company about what you’re doing to safeguard data and be willing to use tried and true solutions that are already available, Kovar said. Do research to make sure your cybersecurity program is as robust as possible. Read articles and attend conferences that focus on cybersecurity. Perform audits—on both your company and any service providers you use. Make sure cybersecurity policies are implemented and expert advice followed.

Part of this effort involves staying on top of the latest news and determining what developments mean for your business, Kovar said. If a system you’re using was recently compromised, you want to know about it as soon as possible. Hold vendors and service providers accountable and find out what they’re doing to correct a hacking problem.

Bottom line: Understand the value of the data your drones collect to your company and others, recognize the source of threats and how thieves might gain access and then take the necessary steps to protect your valuable property.

“No matter what you’re trying to defend or what conversation you’re having about data security, you need to know who your attacker is,” Finisterre said. “It really helps to be able to visualize what your attacker’s motives could be and what the extent of damage or exposure they might cause by accessing the data.”