Cyber Attacks on UAVs: How Should Aerospace Respond?

Nation states both big and small are increasingly turning to cyber attacks as a strategy for both offensive and defensive warfighting. As a consequence, it is only a matter of time before unmanned aerial vehicles (UAVs) become a target of opportunity for attackers. While secure development practices and countermeasures like strong encryption, anti-tamper, and anti-reverse engineering provide more protection for military UAVs than is available for most commercial drones, no system is completely invulnerable. UAV developers and integrators need to be prepared to respond effectively and decisively even as threats continue to evolve.

Part of this response is to engage in continuous security threat modeling and assessment of existing UAV systems. While systems are generally subject to long development, operations, and maintenance cycles, the security threat landscape is dynamic, and attackers, including advanced persistent threats (APTs), change strategy over time. In addition, operational changes like mission upgrades, foreign military sales, and theater compromise can have far-reaching consequences for the system’s overall security. Capabilities to ensure efficient, continuous testing, including virtualized components and fault injection testing, can aid in the rapid evaluation of threats and remediation of potential security vulnerabilities at any point in the system lifecycle.

Effective diagnostic and software measurement tools are even more important in the event of an actual attack. Unlike the “bug bounty” hackers of commercial software systems, nation-state attackers don’t provide detailed instructions for reproducing potential security compromises. Instead, the development and operations teams must not only “think like the enemy,” but also have the tools to act aggressively on their own systems. This is especially critical in embedded and special purpose software applications, where there are few open source security testing tools, but well-funded attackers might undertake considerable investment. Maintaining the capability for high code coverage of security-relevant systems and features, as well as system-of-systems security testing, is critical in responding to suspicion of a security compromise.

Finally, efficient and timely release of maintenance and security patches can considerably narrow the window for an attacker who learns of a vulnerability to affect system security. Most commercial software vendors now patch monthly, or continuously, to deny attackers the ability to exploit development latencies. Achieving this level of patch productivity, which will be essential when UAV attacks become more common, requires a shift to Agile and DevOps engineering methodologies.

Even a single UAV vulnerability can deny operators strategic and tactical capability, undermine mission effectiveness, and drive cost control and customer satisfaction concerns for integrators. Early adoption of next-generation cybersecurity assessment, measurement, and virtualization capabilities is an important step in managing the risks of cyber attacks against UAVs.

To learn about JETS’ cyber defense and assessment capabilities, contact Performance Software.