Drone-mediated threats and how to protect against them
Drones are now a common sight after the explosive growth of the consumer market in the last five years. There were approximately 1.1 million hobbyist drones in the United States in 2016 according to the Federal Aviation Administration (FAA), and this number is predicted to rise to as high as 4.5 million by 2021. Competition between manufacturers has resulted in large improvements in reliability, capability, and cost. These developments have attracted the eye of industry, and we are now at the start of the commercial drone revolution. Drones are quickly being used for activities like agricultural assessments, infrastructure inspections, and the delivery of goods. Unfortunately, there are also darker consequences of recent advancements in technology. Drones are emerging as a cheap, effective way to deliver a variety of physical and cybersecurity threats.
Types of drone-mediated threats
Weapons for terrorism
There is no better example of the danger posed by drones than their battlefield uses by the Islamic State. In Iraq and Syria, the Islamic State has been using off-the-shelf drones for surveillance for over two years. Over the last year, they started weaponizing these drones. Grenades and other small explosives are often attached and rigged to drop during flight with a high degree of accuracy. Unfortunately, this tactic has been successful and the frequency of attacks has increased. U.S. authorities are becoming increasingly concerned about Islamic State-inspired terrorist drone attacks on public events and critical infrastructure like nuclear power plants. This risk will grow as the payload capacity of drones increases. Currently, most battery-powered hobbyist drones can only lift about 5 lbs. However, a new gas-to-electric hybrid drone from Top Flight Technologies can carry over 30 lbs. for 1 hour.
A new medium for smuggling
Beyond the threat of terrorism, many industries are seeing drones used as a new channel to transport traditional threats. For example, correctional facilities across the world are struggling to adapt to smuggling via drones. They are being used to sneak in drugs, cellphones, weapons and other contraband that were conventionally difficult to get past security. For example, two months ago a drone crashed into an Arizona state prison complex. The crash site was discovered by correctional officers who found that the drone was carrying 2 cellphones and several bags filled with marijuana. In a more extreme case from July, an inmate was able to escape from a South Carolina prison using tools secretly delivered using a drone. Investigators believe wire cutters were flown into the prison, and the inmate used them to cut through at least four fences.
Overcoming obstacles for hacking
Drones are also helping hackers overcome physical barriers. Drones can easily and covertly reach areas that seem hard to reach and/or well-protected. The recent growth of IoT devices and their reputation for vulnerability make them perfect targets. Now, don’t expect drones to fly over apartments and hack into smart refrigerators any time soon. However, imagine a scenario where a drone is used to penetrate the perimeter of an electrical distribution station and disrupt a smart grid. The “hacker drone” scenario may seem like science fiction until a maintenance crew finds a drone outfitted with a Raspberry Pi lodged in the air duct above your data center – a true story and real threat.
Surveillance and espionage
I am continually surprised by the drone concerns and anecdotes I hear from customers. For example, I did not expect financial services organizations to be worried about drones, but I am hearing quite the opposite. They fear drones could be used for surveillance and espionage. The same drone equipped with a 4K video camera that I bought off-the-shelf to record my friend’s wedding could be used to gather intelligence about merger and acquisition activity, results shared at board meetings, or how cash is transported between bank branches.
Risks of drone accidents
In addition to intentional threats, the rapid growth of hobbyist and commercial drones is increasing the risk of accidents. We have already witnessed a number of high profile collisions. Last year, a drone crashed into the 40th floor of the Empire State Building, only a few blocks east of World Wide Technology’s office in Manhattan. Incidents like this have increased. The NYPD’s Aviation unit now gets as many as 10 calls per day about rogue drones in New York City, most of which is a no-fly zone. 2017 marked the first instances of drones colliding with traditional manned aircraft. In late September, a civilian-operated drone hit a U.S. Army Black Hawk helicopter flying near Staten Island. Fortunately, no one was injured, although the helicopter’s rotor system was damaged. The very next month, a drone crashed into a commercial plane in Canada.
Drone collisions with utility infrastructure are also making headlines. In June, 1,600 PG&E customers in Mountain View, California lost power after a drone crashed into a high-voltage wire. Earlier this year, a drone smashed into a Con Edison power plant in Brooklyn. Feedback from utilities across the country suggests that events like these are not uncommon. I would not be surprised if every major utility in the U.S. already has a drone crash story or two.
How to protect against drone-mediated threats
Detect the threat
So, how can organizations protect their people and assets from these diverse deliberate and inadvertent drone-mediated threats? The first step is discovery. The threat must be detected before it can be mitigated. Drones can often be identified by the method used to communicate with their remote control. However, the industry lacks design standards.
In October, DJI, the world’s largest drone manufacturer, released AeroScope, a system to track and identify airborne drones by reading the data they broadcast to their controllers. Although all current DJI models work with AeroScope, DJI does not have access to the communication protocol used by other manufacturers. Thus, unless others are willing to configure their existing and future drones to transmit data in the same fashion, AeroScope will be unable to detect all drones.
Take a multi-sensor approach
Another challenge for detection is preprogrammed flight. Drones are capable of flying autonomously along a designated path via GPS waypoint navigation. If autonomous drones are not broadcasting information that can be intercepted, how can they be detected? The answer is a multi-sensor approach. Radio frequency data can be combined with video (visible or infrared), radar, or even acoustic information.
Deep learning techniques can be used to pull the signal from the noise (e.g. Does the image contain a dove or a drone?). The right combination of sensors depends on the use case and environmental factors of the site. For example, if a correctional facility determines drones are being used to smuggle contraband over the walls at night, augmenting radio sensors with infrared cameras could be a reasonable approach.
WWT use cases
World Wide Technology (WWT) has indeed taken this multi-sensor approach to detect and classify drones intruding on the airspace of our Advanced Technology Center in Missouri, where we demonstrate and deploy innovative architectural solutions for our customers and partners. We are using radio frequency sensors combined with fixed cameras to gather data, which we feed into Dedrone's DroneTracker™ platform to identify drones and alert us of intruders. Dedrone can not only locate the drone, but also the drone’s operator by aggregating data from multiple radio frequency sensors. This is important because today in the U.S., catching the drone operator is perhaps the most active response permitted by law.
The FAA considers drones to be aircraft, so they are considered to have the same federal protections as manned aircraft. It’s a crime to shoot down drones. It’s also illegal to interfere with a drone’s GPS or communication with its controller via radio frequency jammers. Until the regulatory environment changes, the safest response policy is passive countermeasures (e.g., locking down a correctional facility or closing the blinds of a bank’s board room) followed by searching for and identifying the drone operator.
As the drone threat continues to grow and evolve, so will the law, and so will WWT’s capabilities to protect our own employees and infrastructure, as well as those of our customers.