Drones, also known as unmanned aerial vehicles (UAVs), are being adopted for various applications. Sometimes several drones are simultaneously controlled in a swarm via an Internet service provider, introducing a new paradigm called the Internet of drones (IoD).
The Ukrainian military, for instance, was using SpaceX’s Starlink satellite internet service to control military drones before Elon Musk decided to restrict its ability to do so in February 2023.
Drone swarms are also increasingly used for civil purposes, such as outdoor event filming, logistics or healthcare product delivery, Shadi Razak, CTO of smart city security provider Angoka, said during Infosecurity Europe on June 21, 2023.
“While they can be autonomous, regulation generally requires a pilot,” he added.
Because it’s a cyber-physical system, the Internet of Drones can pose physical hazards as well as risks in cyberspace. “Many drones are insecure by design. Some depend on simple, off-the-shelf virtual private networks (VPNs) and are thus easily compromised. Others are equipped with unhardened Linux operation systems. A lot of them are full of misconfigurations, as well.”
Therefore, drones can be used for malicious purposes, leading to the destruction of the material and its surrounding, or they can even be faulty, “as we saw in 2021 in China, where dozens of drones filming at a show and made them fall on people and vehicles,” Razak recalled.
Following three years of research on drone control systems, Angoka found 156 different threats, many of which were critical or of high priority.
The top 50 of them fall into four of the following categories:
- Reporting falsified data
- Denying access to real-time data
- Impersonation of UAS and its operator
- Tempering with telemetry data
“Because it’s a young industry, a lot of drone operators have only implemented the traditional wall-guarding cybersecurity approach, which has become insufficient to prevent modern cyber threats effectively,” Razak continued.
To improve the security of the drone control systems and move from perimeter security to a zero trust architecture, Angoka’s solution is built on what Razak called a security blueprint aligned with the US National Institute of Standard and Technology (NIST) 800-207.
This blueprint consists of five key processes:
- Generate immutable digital identities built in the root-of-trust microcontrollers of the drone
- Perform mutual device authentication to prevent drone identities from being easily compromised
- Micro-segment the communication infrastructure in-between drones and between the drones and the ground bases into a multitude of device private networks (DPNs)
- Generate DPN unique identities and session keys
- Always authenticate endpoints and messages
Angoka was selected as the 2023 Most Innovative Cyber SME by the UK Department of Science, Information and Technology (DSIT) on June 21, 2023.
It is currently involved in five multi-stakeholder projects involving drones across the UK, including Skyway, which aims to build the world's largest drone corridor in Europe – from the north to the south of England.