Protecting sensitive data
As drones enter the mainstream of commercial usage, concerns have arisen about the safety and protection of sensitive data they gather from theft by hackers. There isn’t a week that goes by without news about hacking attacks against companies and technologies. As the application of drones increases, the question needs to be asked: are drones safe from hacking?
One company, Sharper Shape Inc., based in Grand Forks, North Dakota, uses drones to monitor the health of critical national infrastructure, including the electric grid, transmission lines, solar and wind power installations, and oil and gas transmission and distribution, and provides that sensitive data to utilities securely in the cloud.
Utility concerns about drone data safety
If a company is using commercial drones manufactured in China or elsewhere, should utilities fear potential data leaks? Do some utilities, used to having old-school internal data protection systems, not trust modern cloud-based solutions used by drone software companies?
Ilkka Hiidenheimo, CEO of Sharper Shape Inc., is an acknowledged expert on drone cybersecurity. Previously, he was the founder of Stonesoft, a cybersecurity company acquired by Intel McAfee.
In the words of Mr. Hiidenheimo: “Cybersecurity is very important in the drone/drone software industry. Naturally for drones the number one issue is aviation regulation. For example, nowadays commercial drones support ‘no-fly zones’. What size drones are flown also affects how they are regulated.”
Of course, not all drones are subject to cyberattacks. If you have only a radio link to your drone, which you are flying manually, there is no connection to the cyber world. If your system is connected to the Internet then, yes, you are vulnerable.
Comparing drone data protection today and a few years ago
The current situation is extremely challenging. Earlier, it was enough to maintain a good software policy and keep your anti-virus protection up to date. And of course you have to train your people. Now, if you have valuable information in your possession, or your system can be used as a way to hack other systems (if you are, for example, a subcontractor of an interesting company), you will be hacked one day. This is inevitable. You need to think early on about how you build your defenses and split your network, so you can limit and isolate your damage. This is also the way to minimize your recovery costs.
Military drones are logical targets for hackers, but that is really a different ball game and subject to change. To date, drone hacking has not been a big issue. Using anonymous drones to collect information for terrorist purposes, like from a nuclear power station, or using drones to deliver explosives are thought to be the biggest security risks related to drones.
Preventing “data leaks” in the drone industry
There have been discussions about the safety of drones sending information to manufacturers’ servers. There are questions about what kind of data is sent, and how much. That represents a risk. Sharper Shape’s priority is protecting information and preventing unauthorized use of data. Today, it is one of very few companies with real experience of performing commercial autonomous drone flights beyond an operator’s visual line of sight.
Belaboring the obvious, but it needs to be said: control systems must be properly protected. Your communications should be encrypted and protected against hijacking. Physical security is also important. Drones should be protected against theft or physical changes to the system or components.
Local vs. Cloud data processing
Sharper Shape processes captured data in the cloud. This includes the data that is processed and used for drone flight planning. Cloud protection is a different animal than normal company data protection. Sharper Shape’s cloud only runs our software, which is used to deliver our solutions. There’s nothing extra used inside the server where our services reside, and the only way from the application servers to the database information is through the application, which means that hacking an application server is not enough. Cyber security is a mentality. Either you try your best and you accept the always-evolving security landscape, or you think that business comes first, and if something happens I will fix the issues at that point. There are two problems with the latter approach. Firstly, you take unacceptable risks, and secondly, sometimes implementing security in a poorly designed system is almost impossible or at least very demanding.
Security is something Sharper Shape regularly analyzes and benchmarks against known best practices. Nobody can promise 100% security. If someone claims that, you know that he or she does not understand what he or she is talking about, or he or she is purposely lying to you. You need to have protection based on what you are protecting and who your opponents are. One thing we learned from Stuxnet is that protection against state-level hackers is a difficult task.
Cyber security is no longer an Information Technology or Computer Department task
You basically can divide threats and solutions into two categories. Those are threats and solutions which are related to the platform provider (in our case Amazon Web Services) and others which are related to the business software that is run using this platform.
Unfortunately, security usually comes as an afterthought. The drone industry is part of the aviation industry, which, based on its knowledge, keeps safety as a number one issue. Part of the safety is to have proper protection for your systems, including having security as one of the design principles.
Cyber security is no longer an Information Technology or Computer Department task. This work should start at the board level. This also requires thinking of the need for never-ending learning and humbleness. If someone with enough resources makes you a target, preventing that is an almost impossible task. You need to create defense in depth with multiple different protection methods, including honeypots, etc.
The biggest challenge is that the bad guys’ knowledge and capabilities are growing faster than our capabilities to protect ourselves, especially if you keep your security in-house, with limited resources.