Drones Cybersecurity: Beyond the Standards and Regulations

26/02/2025

    In recent years, the rise of connected devices, including drones, has brought about significant cybersecurity risks. Drones, in particular, have been the target of various cyberattacks, highlighting the vulnerabilities in their systems. Here are some notable examples: 

    • Denial of Service (DoS) Attacks: Drones have been subjected to DoS attacks, where their communication systems are overwhelmed, rendering them inoperable. For instance, there have been reports from North America and Europe of cyberattacks disrupting drone operations. You can read more about the rise of DoS attacks in this F5 Labs report.
    • Access to Restricted Areas: Unauthorized drones have been spotted near airports, causing flight disruptions and posing significant security risks. For example, mystery drones have been detected in restricted air spaces, shutting down operations at an Air Force base and an airport. More details can be found in this Newsweek article.
    • Illegal Use of Commercial Drones: Commercial drones have been used for illegal activities, such as smuggling contraband into prisons or conducting unauthorized surveillance. For instance, there have been discussions about banning new sales of popular Chinese-made drones due to their misuse. You can read more about this in the AP News article.

    These examples underscore the importance of robust cybersecurity measures to protect connected devices like drones from malicious attacks. 

    EU Drone Regulations 

    In the EU, drone regulations are categorized into three main categories: Open, Specific, and Certified. Each category has its own set of requirements and considerations, including aspects of cybersecurity: 

    • Open Category: Intended for low-risk operations, divided into three sub-categories (A1, A2, and A3) and five classes (C0 to C4). Cybersecurity requirements are generally minimal, focusing more on operational safety.
    • Specific Category: Covers medium-risk operations and includes classes C5 and C6. Requires an operational authorization from the National Aviation Authority, with more prominent cybersecurity considerations.
    • Certified Category: For high-risk operations, such as transporting people or dangerous goods. These drones do not follow the requirements of UAS regulations as they are considered a type of aircraft and follow the same certification rules. Cybersecurity requirements are defined as part of the certification process. 

    US Drone Regulations 

    In the United States, the primary compliance requirement for drone manufacturers is ensuring that drones are compliant with the National Airspace System (NAS). This includes incorporating Standard Remote ID capabilities, which act as a "digital license plate" for drones, allowing authorities to identify and track drones in real time. 

    Applus+ Laboratories Services 

    Applus+ Laboratories offers comprehensive testing and certification services for drones, supporting manufacturers in meeting both EU and US regulatory requirements. Their services include:

    • Testing and Certification: For all categories of drones, including the Open, Specific, and Certified categories. Applus+ Laboratories is a Notified Body for drone certification under EU Regulation 2019/945 and offers services for CE marking and compliance with Remote ID requirements.
    • Operational Support: For high-risk operational evaluations, helping manufacturers navigate complex regulatory frameworks and ensure compliance with safety and security standards. 
    • Cybersecurity Evaluations: Ensuring that drones meet the necessary standards for secure operation, including assessments of communication protocols, data protection measures, and secure boot processes. 

    While Applus+ Laboratories can help manufacturers meet existing regulatory requirements, they also offer additional cybersecurity services to go beyond these regulations. Given that current regulations are weak on cybersecurity requirements, Applus+ Laboratories provides advanced cybersecurity evaluations to ensure drones are resilient against various cyber threats. 

    Lack of Cybersecurity Regulation on Drones 

    While drones are increasingly integrated into various sectors, they lack the stringent cybersecurity regulations that other IT products, such as payment terminals, modems, and operating systems, must adhere to. These IT products are often required to be certified using robust certification schemes like Common Criteria (CC) or FIPS 140-3, which ensure a high level of security. For instance, payment terminals must be certified against vulnerabilities such as unauthorized access, data breaches, and tampering. Modems and operating systems are evaluated for secure communication protocols, data integrity, and protection against malware. In contrast, drone regulations do not comprehensively cover these cybersecurity aspects, leaving drones vulnerable to various cyber threats. 

    Some specific cybersecurity vulnerabilities that other IT products must be certified against, but drone regulations do not cover, include: 

    • Reverse Engineering: Physical access to the device (box opening) and side-channel attacks (SCA) to extract sensitive information.
    • Open Information/Misconfigurations: Software attacks, operating system vulnerabilities, service misconfigurations, third-party component flaws, and firmware integrity issues.
    • Updates: Exploitation of the update process, including boot processes, software updates, operating system patches, service updates, third-party component updates, and firmware integrity.
    • Communication Issues: Fuzzing attacks, protocol vulnerabilities, and information disclosure during communication.
    • Denial of Service (DoS): Fake GPS positioning attacks and network attacks, disrupting drone operations.

    Vulnerability assessments and penetration testing campaigns can help identify and mitigate these vulnerabilities, ensuring that drones are better protected against cyber threats. 

    In the context of drones, a Threat and Risk Assessment would analyze various threats, assets, and key categories, such as: 

    • Threats: Cyberattacks like Denial of Service (DoS), spoofing, and data interception. 
    • Assets: Critical components like the drone's control system, communication links, and onboard sensors. 
    • Risks Based on Likelihood vs. Potential Damage: Evaluating the probability of different threats occurring and the potential impact they could have on the drone's operation and safety. 
    • Potential Attackers Identification: Identifying who might be motivated to attack the drone, such as hackers, competitors, or malicious insiders. 

    Existing cybersecurity standards like Common Criteria (CC) can address these issues by providing a framework for evaluating the security of drones. CC certification involves rigorous testing and assessment of the product's security features, ensuring that it meets specific security requirements. This includes evaluating the drone's ability to protect against unauthorized access, ensure data integrity, and maintain secure communication.

    By adopting such standards, drone manufacturers can enhance the cybersecurity of their products, ensuring they are resilient against various cyber threats and providing greater assurance to users and regulators. 

    Security by Design

    Another crucial approach that manufacturers can adopt to enhance the cybersecurity resilience of drones is implementing Security by Design principles. This approach ensures that security is integrated into every stage of the drone's development, guaranteeing confidentiality, authenticity, integrity, and availability. Key aspects include: 

    • Box Security: Ensuring the physical security of the drone's hardware to prevent unauthorized access. 
    • Default Component Security ICs: Utilizing secure integrated circuits (ICs) by default to protect sensitive data and operations. 
    • RoT/CoT (Booting Process): Implementing a Root of Trust (RoT) and Chain of Trust (CoT) during the booting process to verify the integrity of each component. 
    • OS/TEE: Using a secure operating system (OS) and Trusted Execution Environment (TEE) to provide a protected area for executing sensitive operations. 
    • Robust Protocols: Employing robust communication protocols with encryption, authentication, and integrity checks. 
    • SOGIS/NIST Accepted and Well-Implemented Crypto: Utilizing cryptographic algorithms and implementations accepted by standards bodies such as SOGIS and NIST. 
    • Bad Configuration/Misconfiguration: Addressing issues related to default passwords, configurations, and software security. 

    By incorporating these Security by Design principles, manufacturers can significantly enhance the cybersecurity resilience of drones, making them more robust against various cyber threats and ensuring their safe and secure operation. 
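    The RoT/CoT item above can be made concrete with a small model of a verified boot chain. This is an added example, not Applus+ Laboratories' code or any real drone's bootloader: each stage image embeds the SHA-256 digest of the stage it hands control to, the digest of the first stage is the Root of Trust assumed to live in immutable ROM, and every stage is measured before it runs. The stage names and image contents are constructed placeholders.

```python
import hashlib
from typing import List, NamedTuple, Tuple

class Stage(NamedTuple):
    name: str
    image: bytes        # stage code plus the embedded digest of its successor
    next_digest: bytes  # SHA-256 the successor must match (b"" for the last stage)

def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def build_chain(stages_code: List[Tuple[str, bytes]]) -> Tuple[List[Stage], bytes]:
    """Build the chain back to front so each image embeds its successor's digest.
    Returns the stages in boot order and the root digest that would be burned
    into ROM/OTP as the Root of Trust (hypothetical layout, not a real format)."""
    stages: List[Stage] = []
    next_digest = b""
    for name, code in reversed(stages_code):
        image = code + next_digest  # the pointer to the next stage is covered by this hash
        stages.append(Stage(name, image, next_digest))
        next_digest = sha256(image)
    stages.reverse()
    return stages, next_digest

def verify_chain(root_digest: bytes, stages: List[Stage]) -> Tuple[bool, List[str]]:
    """Measure each stage before handing control to it. Any mismatch halts the
    boot, so nothing after the failed stage is ever executed."""
    log: List[str] = []
    expected = root_digest
    for stage in stages:
        measured = sha256(stage.image)
        if measured != expected:
            log.append(f"HALT before {stage.name}: digest mismatch")
            return False, log
        log.append(f"OK: {stage.name} verified, handing off")
        expected = stage.next_digest
    return True, log

# Constructed placeholder images standing in for real drone firmware stages.
DRONE_STAGES = [
    ("bootloader", b"BL v1.0 init clocks, flash, verify next"),
    ("flight_controller", b"FC v2.3 attitude loop, failsafe"),
    ("companion_os", b"OS v5.1 telemetry link, mission payload"),
]

def tampered(stages: List[Stage], index: int, patch: bytes) -> List[Stage]:
    """Copy of the chain in which one stored image was modified (models a
    flash image that no longer matches what its predecessor expects)."""
    s = stages[index]
    return stages[:index] + [Stage(s.name, s.image + patch, s.next_digest)] + stages[index + 1:]

if __name__ == "__main__":
    chain, root = build_chain(DRONE_STAGES)
    print(verify_chain(root, chain))
    print(verify_chain(root, tampered(chain, 1, b"#patched")))
```

    Because each successor digest is part of the predecessor's measured image, rebuilding a modified chain with fresh digests still fails at the first stage unless the ROM root is changed too, which is exactly what the immutable Root of Trust prevents.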
