The use of an unmanned aircraft system (UAS) designed, manufactured, or supplied by foreign companies could create increased cybersecurity risks and opportunities for network exploitation and collection by foreign threat actors.
Potential security risks can arise when UAS manufacturers require users to register online and agree to store sensitive data on overseas or even domestic computer servers. These servers are typically maintained by the manufacturers, but can be accessed by third-party application vendors. In addition, online services offered by UAS manufacturers could create opportunities for the theft or seizure of sensitive information and the monitoring of user activities. Foreign threat actors could exploit:
- Flight log data, including information about network layouts and the locations of inspections and critical assets;
- Organizations’ computer network data and systems;
- Images or recordings captured during flights, including physical security assets, vulnerabilities, and transportation networks;
- Corporate proprietary information or intellectual property;
- LE-sensitive information;
- Sensor data collected during critical infrastructure inspections;
- Emergency response operations and mission-planning information;
- Sensitive facility locations and assets; and
- Customers’ personally identifiable information (PII).
Here are a couple of suggestions to reduce the potential data risks and vulnerabilities associated with UAS use and mitigate the loss of sensitive information.
- During initial UAS activation, use a department or lab name, email address, and password to reduce a UAS manufacturer’s ability to track the owner/user through association with this identifier. Note: It should be assumed that the current GPS location will be transmitted during UAS activation, which could reveal the true owner.
- Do not connect personal social media accounts with devices used for University business. Disable any sharing of imagery or video with social media accounts.
- Use a new mobile device without a SIM card installed or set up previously and never used for other activities for that will contain limited to no PII collectable by a foreign UAS company. For previously used devices, performing a wipe and factory reset of the mobile device prior to using it as a controller is advisable.
- Periodically wipe or clear sensitive data from the system, including information stored on onboard or removable digital storage devices—such as SD and memory cards—and on connected flight controllers and mobile devices. Sensitive data should also be cleared before returning borrowed or rented UASs.
- Avoid connecting the UAS to internal or private networks with sensitive data. Use a known secured network to register the UAS, and use a local backup device to store footage and data.
- Before applying UAS patches and upgrades, consider their impact on operations.
- Review user agreements to verify who has access to data collected by the UAS.
- Inquire or review user agreements for information about third-party access to UAS data.
- Maintain awareness of third-party collection and retention of data collected during UAS operations and develop appropriate policies to ensure the protection of intellectual property and sensitive operations.