On Dec. 19, 2018, over 100,000 holiday travelers at London’s Gatwick Airport found themselves stranded as 1,000 flights were canceled and aircraft were grounded for three days. The airport closure resulted in millions of dollars in lost revenue to the airport and airlines, as well as almost $500,000 in costs to police. The cause of the chaos? A drone incursion. Over the course of three days, numerous drone sightings were reported across the airport complex, including over a perimeter fence and by the runway. There was a peculiar cadence to these reports; as sightings were reported, the airport shut down the runway to prevent a potential collision. Once the runway was closed, there would be a lull. When the airport was about to reopen the runway, more drone sightings would be reported. This pattern repeated several times. It became increasingly apparent that this may have been the work of someone who knew the airport’s operational procedures, accessed or intercepted its communications systems, and knew how to work around them.[1] Almost three years later, the operator is still at large.
Prior to the Gatwick incident, drones were largely viewed as a benign technology. After all, how much damage could a store-bought quadcopter inflict? Over the past few years, the realities of the impact that drones can have on security has expanded as the technology’s capabilities have advanced. With each generation, drones are becoming more intelligent, compact, foldable, lighter, faster, and able to fly longer and carry heavier payloads. For these reasons, drones have become a valuable addition to critical infrastructure owners, state and local entities, and recreational operators. Critical infrastructure owners are increasingly relying on commercial drones to reduce risk to employees and improve operational efficiency. Likewise, municipalities are leveraging drones to support security, response, and recovery operations. Hobbyist usage of drones has also risen significantly, with over three million drones sold in the United States to date.
Despite these numerous benefits, the Gatwick incident placed an international spotlight on a new reality: the nefarious or careless use of drones poses a significant threat to public safety and national security. The drone threat is a particularly complex advancement due to its cyber-physical nature. A drone is a physical device with cyber capabilities – and consequences.
When analyzing the drone threat environment, it is important to identify the threat actors. The Cybersecurity and Infrastructure Security Agency (CISA) organizes the drone threat environment into three groups of threat actors: the careless and clueless recreational drone user; intentional operators and activists; and terrorists and paramilitary users. Based on CISA’s analysis of drone incident reporting, careless and clueless users represent the most prominent threat actors in the United States. These users generally operate commercial off‐the‐shelf (COTS) multirotor platforms and, as their name suggests, may commit witting or unwitting violations of the national airspace. Among other areas, intentional and activist users are suspected to operate across international borders and prisons. These users also operate COTS drones, but modify them to carry/drop payloads, such as drugs, money, cell phones, and weapons. As with most threats, terrorists and paramilitary users typically have greater resources, more advanced tactics, and intent to harm. Unlike the previous two groups, these users operate customized fixed-wing drones that are larger, faster, longer-range, and can avoid detection through autopilot. Drones are particularly attractive to this user group because they present a low-cost, high-yield method for sending a political message, conducting a standoff attack, or circumventing ground-based force protection measures.
There are several tactics all three groups of threat actors can potentially employ using drones. A CISA study of the threat landscape and incidents identified five primary tactics; these can be split into physical and cyber vectors. Physical tactics include weaponization, smuggling, disruption/harassment, and surveillance/reconnaissance. Weaponization is the most obvious tactic when considering the drone threat. Weaponization involves the intentional use of modified or unmodified drones as part of an attack to cause casualties, physical damage, or psychological harm. A common or intuitive method is to simply use a drone to deliver or drop an explosive. Smuggling involves the use of a drone to deliver illicit or contraband materials to bypass security measures. The most-common recorded instances of this tactic include the smuggling of restricted items into federal, state, and local prisons, as well as the smuggling of narcotics over the U.S.-Mexico border. Disruption is the intentional use of a drone by an adversary to harass, hinder, or inhibit security and infrastructure operations or special events. Although Gatwick is a textbook example of this tactic, drone-based disruptions have also occurred during critical wildfire-fighting operations and large-scale sporting events. Disruption is often accompanied by harassment, which is the use of a drone to harass individuals or manned aircraft. Finally, reconnaissance and surveillance include the use of a drone’s video capabilities to monitor security procedures at sensitive sites, law enforcement and emergence responses, or to engage in economic or industrial espionage. The drone could also be used to conduct reconnaissance around critical infrastructure or a target in advance of a physical attack.
An oft-overlooked dimension of these tactics is the cyber threat. There are two types of cyber threats from drones: external and internal. Externally, adversaries may use the drone as a platform for other devices to launch a malicious cyberattack. In this use case, the drone can be programmed to use location to gain local network access and install malware that provides remote users access/privileges. Internally, the use of foreign-manufactured drones may compromise the security of sensitive operations and data collection. The United States government has strong concerns about certain foreign-manufactured drones that can collect and transfer potentially revealing data about the user’s operations and the individuals and entities operating them.
An added nuance and complexity of the drone threat is that its consequences can be intent-agnostic. A careless or clueless user improperly flying a drone can crash into power lines, causing the same effect as a user intentionally seeking to cause a power outage. For this reason, security professionals should incorporate drone-related security into their planning regardless of their location, status, or posture. Although federal and, depending upon jurisdiction, state law may prohibit or hamper the use of many commercially available “counter” drone technologies, there are a number of legal security options available:
- Know the airspace around the facility, including existing flight restrictions and who has authority to act on security issues.
- Engage in layered detection for drone overflights and intrusions. This can range from visual observations to technical detection.
- Utilize “No Drone Zone” signage to deter careless and clueless drone activity.
- Partner with other critical infrastructure owners/operators as well as hobbyist groups and retailers to address risks, reporting pathways, and response options.
- Engage the general public through social media to raise public awareness of any flight restrictions around the facility.
- Establish render safe and handling procedures in the case of a crashed drone.
- If an organization is operating drones commercially, incorporate the CISA Cybersecurity Best Practices for Operating Commercial Drones.
Drones are emerging as a permanent aspect of the national airspace. Although the technology provides multiple potential benefits, it also presents the opportunity for harm. It is incumbent upon security professionals to recognize those potential harms and prepare accordingly. CISA provides several drone security capabilities to the infrastructure community to inform risk mitigation decision-making. CISA develops resources that focus on evolving uses of the technology, implications to the operations of infrastructure, and actions organizations can take to mitigate risks. To assist with incorporating these recommendations, CISA also maintains a cadre of security subject matter experts, the Protective Security Advisors, who are located across the country and conduct site assessments, deliver training, and advise on effective ways to enhance security. Finally, CISA maintains a public-facing website dedicated to providing resources on drone security, which can be found at: https://www.cisa.gov/uas-critical-infrastructure.
[1] “Gatwick Job Possible Inside Job, Say Police,” BBC, 14 April 2019, https://www.bbc.co.uk/news/uk-47919680.
