CISA, FBI warn of dangers of Chinese-made drones to U.S. critical infrastructure

By Jeffrey A Newman

The Cybersecurity and Infrastructure Security Agency (CISA) and the FBI have issued a special warning about the threats that Chinese-made drones pose to U.S. critical infrastructure. The guidance warns critical infrastructure owners and operators that Beijing could use drones to obtain sensitive information from critical infrastructure sites, including those in the energy, chemical and communications sectors.

The concerns raised include that critical infrastructure sites are becoming more reliant on drones to monitor and evaluate facilities, and that many of these drones are made in China. The guidance warns of potential information collection threats arising from regulations in China that require companies to hand over data. Such data, the guidance warns, is “essential to the [People’s Republic of China’s] Military-Civil Fusion strategy, which seeks to gain a strategic advantage over the United States by facilitating access to advanced technologies and expertise.” The guidance warns that such devices could help China spy on critical infrastructure facilities. The concern over drones led to the passage of the American Security Drone Act in the annual National Defense Authorization Act, which prohibits federal entities from purchasing or using drones made by foreign entities.

The new guidance is meant to “safeguard our critical infrastructure and reduce the risk for all of us,” Vorndran added.

By urging U.S. companies to follow “secure-by-design principles” even for drones manufactured domestically, the guidance made clear that the potential threat extends beyond Chinese-made drones.

Organizations must ensure they are using up-to-date patches and firmware, and recognize that when they incorporate drones and docking stations into their networks, “data collection and transmission of a broader type — for example, sensitive imagery, surveying data, facility layouts — increases,” the new guidance document said. That kind of data collection could give China “previously inaccessible intelligence.”

The guidance includes additional detailed instructions for how to mitigate the threat, including by:

  • Placing drones in an organization-wide cybersecurity structure like all other Internet of Things (IoT) devices
  • Creating separate networks to silo threats posed by drones
  • Using a zero trust framework
  • Understanding nuances for how the drone works such as how data is stored and secured
  • Establishing a “vulnerability management program” to ensure security fixes are current
  • Performing periodic “log analysis” to look for anomalies
  • Using strong “data-at-rest and data-in-transit procedures” for encryption and storage
  • Erasing collected data, imagery, GPS history and other data once it has been transferred
  • Using a virtual private network (VPN) to establish a strong connection with the drone during operation

Cybersecurity Guidance: Chinese-Manufactured UAS

Vulnerabilities

UAS are information and communications technology (ICT) devices capable of receiving and transmitting data. Each point of connection is a potential target that could be exploited to compromise sensitive information. Avenues of potential compromise include:

  • Data Transfer and Collection: UAS devices controlled by smartphones and other internet-connected devices provide a path for UAS data egress and storage, allowing for intelligence gathering on U.S. critical infrastructure.
  • Patching and Firmware Updates: While ensuring that network-connected devices are up to date with the latest patches and firmware is critical for the secure operation of any ICT device, updates controlled by Chinese entities could introduce unknown data collection and transmission capabilities without the user’s awareness. That data might be accessed by the PRC through legal authorities.
  • Broader Surface for Data Collection: As UAS and their peripheral devices such as docking stations are incorporated into a network, the potential for data collection and transmission of a broader type—for example, sensitive imagery, surveying data, facility layouts—increases. This new type of data collection can allow foreign adversaries like the PRC access to previously inaccessible intelligence.

Here is a copy of the report: https://www.documentcloud.org/documents/24362988-cybersecurity-guidance-chinese-manufactured-uas-final

Jeffrey Newman Esq. is an attorney whose law firm represents whistleblowers under the SEC, CFTC and FINCEN whistleblower programs. Persons providing original information to these agencies through counsel may receive rewards totaling up to 30 percent of a successful recovery made by the SEC, CFTC or FINCEN, and the names and identification of the whistleblowers are kept confidential. His firm also represents whistleblowers in healthcare fraud cases relating to Medicare or Medicaid. Attorney Newman can be reached at Jeff@Jeffnewmanlaw.com or at 617-823-3217.