Step Up Security on Unmanned Aerial Vehicles (UAVs)
By 2020, Goldman Sachs is forecasting a worldwide drone market of $220 billion. What started as a largely military and recreational industry is now establishing itself in major industry sectors like agriculture, construction, real estate, traffic management, mining, oil and gas, retail, surveying, and other commercial areas.
So when concerns began to surface regarding potential security breaches by Chinese mega-company Huawei, repercussions rippled throughout the technology sector, which has increasingly relied on Chinese manufactured hardware and hardware components.
One major story reported that China’s military allegedly snuck “spy chips” onto U.S. military equipment that included drones. Since then, there have been pro and con opinions voiced on the matter, but one thing is clear: companies using equipment like drones in their operations must vet for security as well as for capability.
DJI is a leading drone manufacturer in the marketplace because its drones have consistently been ranked as some of the best in the industry. However, it has also been accused of spying on U.S operations.
The company has responded to business concerns by offering “no Internet mode” drones that are incapable of transmitting any data anywhere.
“While there are concerns that have been sparked by Huawei, Chinese hardware and the threats of data theft, it’s also important for companies that invest in drones to understand the full stack of the drone, from the underlying hardware through the software and communications,” said DroneDeploy VP of Engineering Eric Hauser. “Most drones are not Internet-connected devices. In order to equip drones for Internet communications, the business must make that decision and perform the implementation. What drones are capable of doing is storing vast troves of images that they store on on-board solid [state] disk drives. Drones also have access to GPS signal technology, because it’s vital to know where images of structures, land, etc., were taken, and vital for air- controlling functions like the FAA to know where drones are flying.”
The GPS function on drones works by selecting a random point within one kilometer’s distance of the drone. It then sends this random point to an air space monitoring service. The service monitors the signals to ensure that the drone is not flying in restricted air space.
Companies like DroneDeploy, which uses DJI drones, take drone security seriously.
Recently the company achieved ISO-27001 security certification, one of the most robust, and the only internationally accepted, security standard.
“It took us over a year to certify, and we invested heavily in the effort,” said Hauser. “ISO-27001 requires that all departments within your company that have access to data have security policies in place that are rigorously followed. Examiners for ISO also verify that you are following these policies as a best practice. ISO-27001 covers cloud, IT, how you interact with third parties, and even HR functions that ensure that you conduct background checks on employees.”
It is likely that other commercial drone firms will follow DroneDeploy’s lead and get certified. Meanwhile, it is important for companies deploying or planning to deploy drones that they include a comprehensive set of questions for prospective drone vendors on their RFPs.
What drone security best practices can companies adopt to ensure that their drones and their drone vendors meet corporate security requirements?
- Ask your drone vendor for a security certification certificate or a copy of a recent security audit. Part of the RFP process should be a verification that the drone vendor has comprehensive security policies and practices in place. This can be achieved by requesting an ISO certification document or a copy of the vendor’s most recent security audit.
- Ask your vendor about future security initiatives that it plans. Security threats and practices continue to evolve. Ask your vendor about its future security plans, and how it plans to be proactive as new security threats emerge. What you want to see is a continuous improvement plan, a dedicated internal security function, and a firm commitment from your vendor that security will be a frontline focus.
- Ensure that your own security standards are robust. “If I were an enterprise and I were just getting started with drone deployment, there are a number of organizations like the Cloud Security Alliance that can really help you get started in defining a sound set of security policies,” said Hauser. “These organizations can help you define security requirements and the questions about security that you should be asking your vendors. This is especially helpful for smaller firms that don’t have dedicated internal security teams in place.”