Cybersecurity Sessions #2: Drone Safety and Cybersecurity
With drones now capable of massive cluster displays at events like the Olympics opening ceremony, and being used in sectors like healthcare, what role does cybersecurity play in making these devices safe?
In this month’s episode of the Cybersecurity Sessions podcast, Andy talks to drone pilot and experienced cybersecurity expert Frank Morris about the emerging technology of drones, their growing list of use cases and how important security is to their wider adoption. Frank answers Andy’s burning questions about how IoT device security principles relate to the mobile and sometimes autonomous nature of drones, and their expanding applications in the real world.
Frank Morris, Head of Security Infrastructure, Capita
Frank Morris is Head of Security Infrastructure at Capita, with previous experience in cybersecurity management at KPMG. He specializes in cybersecurity architecture and operations. Frank is also a CAA-approved drone pilot and an advocate of considering the security implications of drones and autonomous devices.
- The current state of security measures and regulations for drones
- How CAA guidance documents such as CAP 722 aim to keep drones safe
- The differences and parallels between hobbyist and commercial drones
- The potential risks involved in using drones for businesses
Andy Still 00:06
Hello there. Welcome back to the Cybersecurity Sessions, our regular podcast talking about all things cybersecurity with myself, Andy Still, CTO and co-founder of Netacea, the world's first fully agentless bot management product. When we started this podcast, we wanted to try and talk about the full range of cybersecurity challenges, from what people were actually facing in their everyday lives, to some more kind of geek-outs about some of the emerging security challenges. And this episode is very much on the latter end of that spectrum. When brainstorming for topics, we came up with this topic and I was immediately fascinated by it. And the topic we're going to try and cover today is how we can effectively secure drones for their own protection and for the protection of others, which is something that's very new to me - it's a very cutting-edge part of cybersecurity. So I'm very lucky to be joined today by a man who does know about this, Frank Morris, Head of Security Infrastructure at Capita. Frank, thanks very much for joining us today. Could you quickly introduce yourself to our listeners?
Frank Morris 01:09
Yeah, sure thing. My name is Frank Morris. As you mentioned, I'm Head of Security Infrastructure at Capita. I've been there for two years and prior to that I was a cyber consultant for one of the big four.
Andy Still 01:27
So, how did you get into the interest in the subject of drones? It doesn't sound like something that's a part of your day-to-day job?
Frank Morris 01:39
No, definitely not. So, what happened was, I saw drones as a sort of interesting subject. And I've seen some of these aerial videos. And I thought, wow, that's amazing. I want to try that. And it ended up with me trying to stick a camera to a model helicopter and failing dismally. And then I saw the DJI drones. And I thought I'll buy myself one of those, and initially I was just interested in the photography side, the videography side as well. And then I got interested in what's known as first-person view, FPV. And this is where you strap a camera to the quad, and you basically fly it yourself, fully manually. And I also had a go at creating my own sort of hexacopter as well, because my other interest is Raspberry Pis. So I built a hexacopter, with the Raspberry Pi as the flight controller, and suddenly realized that with data links and everything else, this is, you know, this is a flying computer, basically. And obviously, with my background in cybersecurity, how does one start looking at securing this? And obviously, that was a few years back. Now we've got to the point where drones are more commonplace. And you start thinking, hmm, these could be used for malicious purposes as well. So that got me thinking, and it's something I've been interested in. I've become a CAA-certified commercial pilot for drones as well. So you know, I do that. So I've done a small amount of work on the side. Just don't tell my employer that. Now they're good with it. And yeah, so it's there. Yeah. Because I do the security for the day job, I'm always sort of looking at how would you use this to protect these drones? What can you do with them? So yeah, that's essentially how it all started.
Andy Still 03:43
Right. So I guess there's a wide range of drones out there, from the kind of personal, individual drones right up to military drones, and what would you say was the current state, security-wise, across the range of drone products, that they are...
Frank Morris 04:02
Very poor, I would say. It's a fairly new, up-and-coming market. I equate them to IoT devices, you know, Internet of Things. They're still in their infancy. You know, we've got a love-hate relationship as well between the public and drones and whether they're useful or not; we've got a lot of FUD around some of the videos out there about what drones can do. Just go and have a look at YouTube for some of the science fiction, or maybe fiction, that these things can do. And yeah, the CAA are currently catching up as well. The CAA, I think it was back about 12 months ago, they started introducing information security into their documents. There's a document called CAP 722, which is what all unmanned aircraft systems have to abide by. And that now mentions some security. And it's interesting as well that the CAA, they're also releasing now a cyber assessment framework. So you can actually assess your drones against this to see how safe they are. But it takes a very risk-based approach, which is what the CAA don't tend to do anyway for normal flights. But I still think it needs to mature in terms of the detail perhaps, and understanding how we secure everything from, you know, the built drone, the hobbyist, through to the commercial side, although the commercial side, they probably, yeah, they do have more security surrounding their drones.
Andy Still 05:55
So if you start thinking of it, just initially from the hobbyist side, is this something that, if you're buying a drone, you need to be thinking about beyond the levels of security that are put in place by the manufacturer? Or is this a serious concern, that your drone could be taken over by a malicious actor if they put their mind to it?
Frank Morris 06:21
We've already seen that with some of the DJI products, in fact, that they can be hacked. I think as a consumer, a hobbyist drone pilot, I don't think you need to be as concerned. The CAA have a whole load of requirements about how far you can fly from people or uninvolved objects, etc., and they reduce the risk of these devices potentially being taken over. And, you know, one of the things at the moment is the battery life, you know, that's a limiting factor, especially, you know, for the smaller quads. Battery life is getting better; you're now looking at well over 30 minutes for some of these DJI products. For the FPV ones, though, in comparison, they tend to be three or four minutes tops. So there's that, you know, you can't really fly far with those. And there's a lot of restrictions in place as well. So, you know, if they lose the signal, the DJI products will return to home, which is typical of the sort of consumer drones, and you also get limited in how high and how far away you can fly them. So they've got these ideas around security. And one of the things the CAA are doing at the moment is they have restricted the weights and stuff as well. So the harm they can do as well is, you know, less, due to kinetic energy.
Andy Still 07:56
Okay, so basically, from a CAA point of view though, what they're doing to mitigate the risk, the security of these drones, is actually… Are they trying to minimize the damage that can be done if control were to be lost? So you know, thinking about it, you know, a few years ago, the entirety of Gatwick being closed down because there was a drone allegedly flying in the area of it. It would only take someone to take over a few drones to be imposing chaos like that. Has any other action been taken by the CAA to kind of prevent that from happening again?
Frank Morris 08:38
Yeah, so we're now looking at things like all future drones will have beacons on, so the other aircraft can see them, you can see where they are, etc. And that's what we're doing. There's companies out there that are looking at anti-drone techniques, which, you know, if the drone comes within a certain distance of the airport, or, you know, controlled airspace, it will stop it entering. But, you know, for me, it's the more dangerous ones. I mean, we're now getting to a point where we're looking at using drones more commercially, we're looking at using them for... Well, I don't know if you've seen, there's a recent article regarding the Orkney Islands where they're using it for delivering mail. And we've also seen use cases where they're used for light displays at night, where you've got hundreds of drones. Now, for me, that starts to represent more of a threat. Because it's not just one drone. It's many drones. And if you can take control of a swarm of drones, that's a lot more of an impact against infrastructure, people, etc.
Andy Still 10:02
I mean, it strikes you as a very effective potential weapon if hundreds of drones are under your control. Yeah. And when you're talking about the commercial drones, how is the level of security on those compared to that? You would expect it to be better than that, obviously, but in your experience, how is it?
Frank Morris 10:27
Not much better. A lot of them aren't as robust, shall we say, as the commercial products out there; they're still made from hobbyist parts. And this is why the CAA have taken the step of sort of producing a cybersecurity oversight document and a framework, and sort of forcing companies to go down this route of looking at how they are protecting themselves against a cybersecurity attack.
Andy Still 10:59
Okay, and from the point of view of companies, we've heard a lot of, pardon the pun, pilot schemes using drones as delivery mechanisms. So the likes of Amazon and other companies; you mentioned the one about the Royal Mail using them. And in your experience, or your knowledge, of other companies using this, are they taking the security of the drone itself seriously enough to keep those services safe for themselves and for others?
Frank Morris 11:38
I'll equate that to what we typically see in cybersecurity: some companies are better than others. As I said earlier, for me, this is still an immature area of growth. And we haven't seen yet in the press, about, you know, drones being taken over and, you know, sort of used maliciously, or hijacked, etc. But, again, my view is that that will probably happen. And we'll get an extra focus, the same way we did with WannaCry. And that brought, you know, sort of cyber to the attention of everybody else. But obviously, the danger is that with drones and being able to take them over, you've got something in the air that can potentially do a lot more damage.
Andy Still 12:25
Yeah, I mean, that. Well, I thought it was interesting, when I was thinking about this, the challenge of this for eCommerce-type companies. I mean, if there's any kind of fraudulent buying going on, the high-risk point for anyone doing that is always going to be, at some point, a handover of goods. And generally speaking, when you're asking for delivery, you know where that's going to go. So, there's a point at which you can follow the person. As soon as you've got a drone involved in that, you can essentially order your product to be delivered anywhere, you then hijack the drone and deliver that to a point which is untraceable. So it's a whole, you know, a new way of getting hold of the last point of the high-risk, large-scale fraud that's going on. Yeah, it feels like it's a whole new avenue for fraudsters. And I was just wondering how much that is a consideration for these companies who are running these pilot schemes of drone deliveries.
Frank Morris 13:30
So I'm currently working with a company called Skyfarer, in Coventry. They are very concerned about this, and I've got a meeting next week with them to discuss that very subject. Not so much about the fraud, but how they do the overall security approach to stop these kinds of attacks, so that the likes of fraud can happen, because what they are looking at doing is delivering medicines. You know, they're looking initially at the UK, but Africa is one of the other countries they're doing. And obviously, if you look at countries like wider Africa, then medicines are items that are probably of high value to other people, you know, worth trying to hijack, basically. So you know, this is one of the things they need to consider. So yes, that's a conversation next week. But again, what I'll be talking about is, you know, this similarity between sort of drones and IoT devices. I mean, for me, as I say, I treat drones as basically a computer in the sky. It communicates, it's got its own sort of, you know, operating system. It still requires software updates, and it has links back to a computer. There's a protocol called MAVLink, which connects the drone typically with a computer back at base and provides telemetry. But you can also control the drone from the computer. And again, you think, okay, if I can take over that computer as well, or take over that link, that communications link, then you've got control of the drone completely.
Andy Still 15:20
Yeah. And is that a connection that can be initiated from the computer? Or does it have to be initiated from the drone back to the computer?
Frank Morris 15:31
It's initiated by the telemetry devices that you put on; you initiate the connection between them. It is encrypted, but my understanding is not that well. So again, this is something that needs to be looked at, in terms of, you know, is it going to be suitable long-term, anyhow? Is it something you need to consider? Likewise, you can have Wi-Fi on the drones as well. One of the areas I considered doing a bit of testing, when I built that hexacopter, was putting a Wi-Fi hotspot on as well. A Wi-Fi Pineapple, which emulates other networks. And the thought was, well, could we use that, put that near a building, you know, the top floor with the execs, and capture all that information. So you know, as I say, that's just for using it from a sort of pen testing point of view. But again, I mentioned the drone swarms earlier; you've also got to look at machine-to-machine connections as well, because with the swarms, they have a certain amount of AI in them to know where they should be in relation to the others. So again, that needs to be secured as well. So it's, you know, it's very much like the approach we take for IoT and general cybersecurity: you look at the different layers or different attack vectors and what can be done.
Andy Still 17:09
Yeah. So I mean, the swarm aspect is really interesting; you could potentially take over a swarm there with one rogue machine. Is that something that's theoretically possible?
Frank Morris 17:25
Theoretically, I've not looked into drones enough to comment on that, I'm afraid.
Andy Still 17:30
Okay. So, if you were to give any pieces of advice to, particularly, I guess, companies looking to get into this area, thinking of trying drones for part of their business, and maybe slightly worried after this conversation, what piece of advice would you give to them?
Frank Morris 17:54
So look at the CAA documents for a start. You can just scan these: CAP 1753, CAP 1850 and CAP 1849, which are particularly good as a starting point. But in terms of the hardware and thinking about what you need to look at, OWASP do an Internet of Things Security Verification Standard. And a lot of the stuff in there can be applied to your drone ecosystem, you might want to call it, and if you look at all the areas within that, that would give you a good idea of how to perform risk assessments, how to look at your entire, you know, sort of drone infrastructure from a security perspective, and look at how to mitigate the risk of it being compromised. IoT Security Foundation is another one; they do a very good sort of framework for, you know, IoT in terms of how to secure it and what to consider. That's where I'd start.
Andy Still 19:01
Okay. And before we wind up, is there anything that you think the authorities should be doing at this point to improve the general safety for drone operators and people in general in this area?
Frank Morris 19:26
I think continue doing what they're doing. As I say, for me, they're doing really well: they're getting involved with the NCSC, they are working with various, you know, sort of companies out there to further, you know, the maturity. And, you know, I think it's likely a CAA case; they typically work in partnership with people, and they are pushing this. And as I said, it's still immature, but it's heading in the right direction. So, you know, for me, it's that companies will need to be involved, or people involved should read those documents, or, you know, just find out what's going on or get in touch with me.
Andy Still 20:08
No, thank you very much, Frank. And thanks for sharing that. Hopefully, everyone has found that as fascinating and slightly worrying as I have today. So thank you very much, Frank, for joining us today.
Frank Morris 20:23
You're welcome. Thank you.
Andy Still 20:24
Hopefully, everyone has enjoyed that. If you have, please subscribe, leave a review and tune in to our other editions of this show, or follow us at @cybersecpod on Twitter. Thank you very much and we will see you back on the next edition of the Cybersecurity Sessions.