Businesses were warned today by the Department of Homeland Security that Chinese-manufactured drones purchased for everyday industrial uses like inspection or land surveys pose a potential risk to the security of sensitive information or intellectual property.
The industry alert, issued by the Cybersecurity and Infrastructure Security Agency (CISA), notes that U.S. intelligence officials have repeatedly warned about the risks associated with technology — be it cyber systems, telecommunications or unmanned aerial systems — that goes through any step of the design, manufacture or sales process with a company held or influenced by an authoritarian government. China is notorious both for its aggressive collection activities and for its expectation that citizens of the communist country will support intelligence operations.
Chinese-made UAS, CISA adds, stoke “strong concerns” as American data could be taken into the territory of a state where it can easily be accessed by a hostile intelligence service. Made-in-China drones and connected devices could also reveal information about the devices’ operations and operators.
Businesses were warned about the ways in which a Chinese-made drone or connected device could exploit their data:
- Inexperienced operators who aren’t properly securing stored data before, during and after flight.
- Malware that could be installed on a purchased device that could automatically transfer data to a third party.
- Data theft from an unencrypted communications feed and unsecured network connected to the UAS.
- Network breaches that can originate from a compromised UAS.
Organizations were warned to be “cautious” when purchasing UAS from Chinese manufacturers, to vet their vendor, and to find out whether data is ever stored by third parties and for how long. Operators are also encouraged to limit UAS access to networks and to integrate UAS assessment into overall physical and cyber security risk mitigation.
If a drone comes with an SD card, it should be removed; if it can’t fly without it, all data should be cleared from the card after each flight. The internet connection should be disabled on the UAS controller and caution should be exercised when doing software updates.
CISA Assistant Director for Infrastructure Security Brian Harrell told the Government Technology & Services Coalition’s Emergency Management 2019 event last month that the agency would be providing recommendations to the private sector to prepare critical infrastructure for the UAS threat.
In addition to the espionage threat, Harrell noted that off-the-shelf drones can be easily modified to carry an explosive, biological or chemical payload. “Private industry does not own the airspace above generation facilities, above a transmission substation, above a water plant — so the overhead threat for attack is absolutely real today,” he stressed.
Harrell also suggested that “if you are in industry, and you own a foreign-manufactured drone and it is operating in your system, you are potentially incurring and introducing risk into your system… as that drone is flying, it could be mapping infrastructure, it could be looking at very critical and key things on your system. So does it matter to you that that data is possibly going outside of your system or outside the United States? I’m sure the answer is yes.”