In November 2019, the U.S. Department of Interior made the decision to ground its 531-strong drone force, with the exception of drones being used for emergency purposes such as fighting wildfires and conducting search and rescue missions.

The move came as the result of growing concerns that espionage technology was embedded in the drones. This is part of a broader-based concern that drones and other computing components have the potential to gather information, spy on domestic activities, and release harmful malware. The Department of Interior’s concerns were that drones could be used to transmit data, including topography and video, of sensitive U.S. infrastructure that may be the subject of future physical or cyberattacks.

Drone cyberattacks and espionage are not limited to above-ground drones, either.

Forrester, in an April 2019 drone report, discusses the rise of underwater drones that are capable of filming underwater infrastructure and pursuing attack scenarios such as cutting, disrupting, or tapping communication cables.


The hackable drone

The concerns about drone cyber threats are real. In December 2018, a drone operator managed to shut down London’s Gatwick Airport for 36 hours, stranding 100,000 people.

The Gatwick drone attack highlighted how easy it was to disrupt infrastructure and vital services, and served as a wake-up call to nations around the world. It also had the markings of being a mission that was carefully planned and executed, perhaps by multiple individuals.

“There is no silver bullet technology,” said Geoff Moore, business development manager at UK-based Blighter Surveillance Systems, a supplier of anti-drone technology to the U.S. military.

“Drone technology is evolving quickly, the levels of autonomy are increasing, [and] the ease of flight is increasing to the point where they can be almost ‘fire and forget,’ one-button launchable,” said Moore.


How hacking happens

Just how is drone security hacked?

Hacking is defined as “an attempt to exploit a computer system or a private network inside a computer.”

A drone “hack” can involve compromising software, spreading malware, and collecting and transmitting information. It can just as easily include other elements of the drone, such as hardware.

As an example, drones are equipped with heavy lithium-ion batteries that are capable of puncturing the skin of an aircraft wing or smashing the blades in a jet engine. In Syria and Iraq, drone exploiters have already used modified remote-control aircraft such as drones as flying bombs.

Most commonly, however, drones used for nefarious purposes are deployed for information harvesting and infrastructure disruption.

To combat the situation, technology controls are in place that equip drones with geofences that automatically enforce “no fly” restrictions over certain areas. After the Gatwick incident, leading drone companies like DJI have responded with tougher geofencing software that prevents the incursion of drones into no-fly areas like airports.

Unfortunately, there are also online sellers of drone hardware and software modifications that disable these geofences so a drone can be flown manually, with no geofencing policing.

“[This geofence circumvention] equipment is now available to hack drones so they can bypass technology controls,” said James Dale, a cybersecurity expert at PA Consulting, an aviation and cybersecurity firm. “The threat from these hacks will only grow as regulators make more use of geofencing-based no-fly zones.”


Anyone can do it

Human behavior is a major contributing factor to drone cybersecurity.

Almost anyone can learn to fly a drone — and there is information on the Web that tells them how to hack.

One step survey and geospatial companies can take if they use drones in their operations is to provide guidance to employees who work with drones. Companies can do this by establishing firm security policies and practices, and by providing training. Companies can also implement encryption of their data onboard drones, and into and out of drones. Additionally, companies can identify business cases where it isn’t necessary for the drone to transmit or receive data. In these cases, data collected can be stored onboard the drone and then transferred to in-office servers when the drone returns from flight.


Drone planning considerations

Companies that want to deploy drones in their business operations are well advised to consider the costs, deployment, and regulatory implications of drone security. Here are eight key areas that deserve serious planning:

Drone tracking and lock downs – Drones should be equipped with durable IoT (Internet of Things) sensors that use GNSS and continuously track drone locations, whether the drones are airborne or on the ground. As part of monthly maintenance, drones, their sensors, and their onboard equipment should be checked and tuned by company personnel.

Data and security protections – Ground control stations are used to control drones in flight. These stations can be an elaborate server or a handheld device. In either case, the ground control station needs anti-virus, intrusion detection, and malware detection. Network monitoring software should be able to monitor drone and data breaches geographically, using a GPS system, and should also provide a log of where network and/or data breaches by unauthorized sources are detected, along with the times that the breaches occurred.

Development of a security response team – If there is a detected breach to your drone or network data, you need a security response team to mitigate the situation. Smaller companies deploying drones don’t have the luxury of a dedicated in-house security team to do this work. An alternative is to find a cloud provider who can monitor your drone security and immediately intercede when a breach occurs.

Business continuation and disaster recovery planning – If a drone goes down or malfunctions, whether from a dead battery or a security breach or drone takeover, a business continuation and disaster recovery plan should be in place to recover from the incident.

In military operations, one business continuation and disaster recovery technique is to “self heal” formations of flying drones so that when one drone from a formation goes down, the remaining drones detect the takedown, communicate with each other, and immediately regroup into a new formation to continue their mission.

Domestic drone operations may not be this elaborate, but there should be a backup and recovery plan if a drone goes down or is suddenly unaccounted for.

Purchasing decisions – Security should be a foremost concern in any drone purchasing decision. Include security as a category on your RFP, and see what your vendor has to offer in terms of security technologies and guarantees. The same attention to security applies to interviews of potential cloud service providers if your drones are using cloud-based data storage and other services.

Flight best practices – Logistically, if you can regularly alter routes and be less predictable with your drone flight plans, your drones and your drone data will be less likely to be hacked or intercepted.

Employee training and credentials – Employees in the drone operations center should be thoroughly trained in security policies and practices. This training should not be a one-time exercise, but should be given as a refresher each year, with employees being brought up to date on new security threats. Commercial drone operators should also be credentialed by the FAA as remote pilots.

Insurance – Insurance companies offer drone liability insurance. If you don’t have drone liability insurance in place and you are planning to operate drones, talk with your insurer about securing coverage for your drones — and carefully review the coverages pertaining to drone loss, security breaches, and data loss.
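
The tracking and monitoring items above call for continuous location tracking and a log of where and when incidents are detected. The Python sketch below is an added example, not part of the original article or any vendor's software: it audits fleet telemetry for two conditions the article raises, a drone entering a no-fly circle and a drone that goes unaccounted for. The record layout, zone name, coordinates, and thresholds are constructed assumptions.

```python
import math
from datetime import datetime

EARTH_RADIUS_M = 6_371_000

# Constructed sample data: one hypothetical no-fly circle and two drone tracks.
NO_FLY_ZONES = [("SAMPLE-AIRFIELD", 51.000, -0.200, 5000)]  # name, lat, lon, radius m
SAMPLE_FIXES = [  # drone id, ISO time, lat, lon
    ("D1", "2020-01-01T10:00:00", 51.100, -0.200),
    ("D1", "2020-01-01T10:00:10", 51.060, -0.200),
    ("D1", "2020-01-01T10:00:20", 51.040, -0.200),  # inside the circle
    ("D2", "2020-01-01T10:00:00", 50.900, -0.300),
    ("D2", "2020-01-01T10:02:00", 50.900, -0.300),  # 120 s after previous fix
]

def haversine_m(lat1, lon1, lat2, lon2):
    """Great-circle distance in metres between two latitude/longitude points."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dp, dl = p2 - p1, math.radians(lon2 - lon1)
    a = math.sin(dp / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dl / 2) ** 2
    return 2 * EARTH_RADIUS_M * math.asin(math.sqrt(a))

def audit_track(fixes, zones, max_gap_s=30):
    """Return time-sorted (time, drone, event, lat, lon, detail) log entries."""
    events, last_seen = [], {}
    parsed = sorted((d, datetime.fromisoformat(ts), la, lo) for d, ts, la, lo in fixes)
    for drone, t, lat, lon in parsed:
        prev = last_seen.get(drone)
        if prev is not None:
            gap = (t - prev[0]).total_seconds()
            if gap > max_gap_s:
                # Drone was unaccounted for: record its last known position.
                events.append((prev[0].isoformat(), drone, "TELEMETRY_GAP",
                               prev[1], prev[2], f"{gap:.0f} s without a fix"))
        for name, zlat, zlon, radius in zones:
            dist = haversine_m(lat, lon, zlat, zlon)
            if dist <= radius:
                events.append((t.isoformat(), drone, "GEOFENCE_BREACH",
                               lat, lon, f"{dist:.0f} m from centre of {name}"))
        last_seen[drone] = (t, lat, lon)
    return sorted(events)

if __name__ == "__main__":
    for entry in audit_track(SAMPLE_FIXES, NO_FLY_ZONES):
        print(entry)
```

Each entry carries both the time and the position of the event, so the same log can feed a response team or a recovery plan for a missing drone.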


Editor’s Note: Dick Wolf, producer/screenwriter behind the Law & Order television franchise, provides a chilling account of what drones are capable of in his novel, The Ultimatum. His fictional crime story resonates with many of the concerns discussed here.