Drones are good… aren’t they?
Yes, when used by responsible people. But established criminals and opportunists are exploiting a drone’s ability to bypass your perimeter security – you know, that little gap above your fence, where the birds hang out. Jeremy Fitton explores the risk from drones to business and developments in countering this threat.
Guard your air
A PwC research document claims that the world drone market will be worth $127 billion by 2020. Of that, 10% will be costs associated with security – bad drones. So, are drones really a threat to your security?
As a security professional you are repeatedly reviewing risks relating to the assets under your protection. The advent of drones has enabled your land-based troublemakers to fly. So, if you have any sort of perimeter, access control security, or air gap, be aware that a drone can simply fly over your fence or bridge your air gap. And how would you know? Are your CCTV cameras and your guards looking upwards?
The risk from drones
What is the likelihood of a drone causing you a problem, and what would be the negative financial impact of that?
The answers to these two questions depend upon the asset you are protecting, and its relative location and environment. If you are a prison in the UK, then the likelihood is a certainty (we read about it in the mainstream media) and the impact can be measured by the increased violence in the prison population due to a delivery of contraband. This then negatively impacts the staffing and medical budgets, hence a business case for investing in mitigation of the threat.
If you are a financial organisation, a drone could look through your boardroom windows to see who you are meeting with, and that knowledge in the wrong hands could directly impact your share price! The current likelihood of it happening is probably low but the impact could be high.
Categories of threat
As a drone security expert, I define the drone threat into five categories:
Recreational: people flying ignorantly, without intent to harm, but just getting in the way and disrupting your operations – think airports;
Activists: again, no aim to cause physical damage, just a desire to intentionally disrupt operations – think the flying of a protester flag at a televised sporting event;
Terror: drones on a one-way trip;
Smuggling: for example, into prisons, or ship to shore deliveries of contraband around seaports; and
Stealing: diamonds from the mine, smart phones from the warehouse, or any small item of high value.
The Smuggling and Stealing threats need two criminal collaborators: one at either end of the flight. They use the drone to connect themselves while bypassing your physical security checkpoints, simply over the fence and unseen by your CCTV.
Links with cyber
But the threat doesn’t have to be a disposable payload on a hook; it can be Cyber. Most drones have an integrated high-resolution camera to record images. An additional small payload could be a cyber-attack device, a wi-fi sniffer, GPS spoofer or whatever corporate espionage device your competition wants to use to steal information from you. This is a privacy threat. The drone gets the assailant past your physical barriers, looking over your wall to monitor guard positions and movements. A drone could land on your roof with a cyber listening device and quietly sit there for a week, sniffing your data. And the device doesn’t even have to look like a drone, so how will your roof patrols spot the threat?
Perhaps that is a far-fetched thought, but how much is your data worth when in the wrong hands?
The terror threat is obviously intent to cause threat to life. Drones are easy to buy and relatively easy to fly, but they miss the human element that makes terror, terror. Activists aim for the news media.
Which leaves us with the most likely threat we face today. There are no official figures but drone security personnel we interviewed said it would be fair to assume that 95% of problem drones come from recreational fliers.
Before the common quadcopter drone, serious enthusiasts built and flew their expensive RC aircraft in a responsible manner, having to control every aspect of flight by their own hand. But modern drones stabilise automatically by themselves. The pilot only gives RC commands to move the drone. That makes them more accessible to everyone, including the criminals, who are now realising they can distance themselves from the scene of the crime by getting the robot to do the dirty work.
Risk analysis
Does the potential threat to your organisation warrant investing in full-time detection and counter measures; is there a business case?
All bad-drone activity has a cost: a negative financial impact. You could ignore the issue, but the driver for your business case is the obligatory duty of care. Whether you are a corporate or government entity, duty of care – to your employees, stakeholders and patrons – is at the forefront of your mind and drives your decisions. At the very least, it is wise to have some form of ‘drone defence strategy’, even if it is only to assess if you actually have a problem and check the potential impact.
As a basis for your strategy you could use the OODA methodology: Observe, Orientate, Decide, Act.
Measuring and reporting
Starting with Observe, the security risk can be measured and historical benchmarks can be created by sensing for drones that come close to your assets.
Drones can be detected and tracked using hardware sensors – namely cameras, Radio Frequency (RF) receiver scanning, audio and radar – and software analytics to fuse the data together and collate reports.
For your business case to justify an investment in 24/7 automated detection and mitigation, you will be wanting to start with a report of recent activity; how many drones, what time of day, where did they fly. There are several companies that can be commissioned to deploy sensors and generate reports.
However, the drone-sensing market is evolving in a similar way to the mobile phone market in the early days. At first there were private wireless networks with their own infrastructure, then, as infrastructure
became commonplace, owners could utilise the capacity of each other and share the data space.
So today you can buy your own drone-sensing solution, but in the near future you will be able to buy sensing-as-a-service, effectively sharing the cost with your neighbours who have the same need.
Bright future
There’s more to come: changes to legislation; policing will need to differentiate between good and bad drones; insurance policies will need drone clauses, and more.
For security, the elephant in the room today is ‘Okay, I see the drone, what next?’ And that leads to the realisation that the bad-drone issue is not about the drone: it is about the pilot, and specifically the intent of the pilot. Locating the pilot in real time would be useful in many situations, as would sending the drone away. Technology is available for both options but it’s relatively new to the market, and it needs a business case to justify the cost.
There is more to explore on the good side too. Remember, according to the PwC report, 90% of our drone future is about enabling the commercial activity of good drones.
Jeremy Fitton
L3 ASA
