At the DroneDeploy 2019 Conference, an expert on cybersecurity and automated tools explained why hackers are attacking infrastructure with drones – and how to stop them. Rhea Naidoo, co-founder and Director of Automated Solutions at Cambrian Cyber Group, came from a mining background; combined with her current expertise in cybersecurity, this gives her a broad perspective on the potential risks of hackers using – or attacking – drones.
Why are industrial organizations being targeted – and who is targeting them?
Naidoo says that the appetite to attack critical infrastructure, and the possibility of pivoting into the operational technology (OT) or information technology (IT) networks, has never been higher. Hackers can deploy “attack” drones – low cost, easy to use, and hard to detect – to carry out surveillance, capture data or cause damage by collision. Meanwhile, the availability of tools to hack drones used by companies for legitimate purposes is increasing rapidly: “Widespread use of militarized drones in global warfare has resulted in the proliferation of tools and methods to attack them. And industrial drones have lower security controls than military drones,” says Naidoo.
What is the risk to the business?
Since 2010, says Naidoo, cyber-attacks targeting OT have escalated – resulting in multiple attacks on the US and EU energy sector, sabotaged operations at Saudi petrochemical plants, and rumors of Russian spies targeting U.S. nuclear facilities. Attacks fall into 3 general categories:
- Confidentiality attacks: stealing confidential data;
- Integrity: manipulation of controls to cause inefficiencies, or the disabling of alarms and fail-safe logic to mask problems;
- Availability: taking a service offline, or slowing or stopping operational processes.
What kinds of drone attacks are hackers using?
Using drones to attack industrial businesses can be subtle and sophisticated – or not. Naidoo says that hackers are utilizing drones in a wide variety of ways, ranging from Wi-Fi or GPS spoofing to just crashing a drone into a piece of equipment to damage it.
Those are “attack drones”: in addition to crashing into a piece of equipment, they might crash into another drone or aircraft, or hack another drone in flight, either to take control of it or to embed malware. (Note: Naidoo says this is more of a worry when you aren’t dealing with standard industrial drones, but the homemade type – your off-the-shelf product is probably safe.) “Malicious drones” carry a payload to conduct surveillance or capture data. There is Bluetooth sniffing to steal data from a device; RFID scanning of access cards, credit cards, or other sensitive information; and GPS spoofing – sending a drone to the wrong address. “Carrier drones” can set up a malicious Wi-Fi network that imitates an organization’s Wi-Fi network, allowing a hacker to see all of the traffic.
What can companies do to protect themselves?
There are a number of technology tools available to protect industries from malicious attacks. Geofencing, SoundWave detection like radar, or other scanning methods common in counter-drone solutions can be used to keep drones away from a property. More important, however, is what Naidoo calls “good security hygiene”. Drones used by a company for inspections or other purposes need to be kept up to date: high-end drones come with built-in protections against hijacking. Data transfer from the drone to the network must be unidirectional and protected. OT networks must have necessary controls. Most importantly, companies should assign responsibility and accountability for the protection of the OT network. “The OT network is at the perimeter of the organization – that’s something that IT departments have moved away from.”
While the idea of hackers using drones to attack an operational technology network may seem far-fetched, it’s still something that Naidoo says needs to be considered in a good cybersecurity program. “We’re living in a world where it used to be OK for companies to live with an ostrich approach, and put their heads in the sand,” says Naidoo. “With the current push from regulators for more transparency into the network, any problems get revealed.”