In this brief but thorough description of a well-planned cyber-security strategy for drone inspections, our VP of Corporate Affairs, Lance Lehman, sets out a systematic approach to help you understand the cyber risks to consider when designing your drone-based inspection program and how you can reduce your exposure.
The digital revolution is changing critical infrastructure. Operational technology is increasingly controlled and monitored remotely, using digital technologies to gather, transmit, process, and store data. The increasing use of aerial, underwater, and terrestrial drones to monitor and inspect infrastructure assets is one example of this trend. Given the benefits drones offer, from decreased costs to carbon emission reductions, using drones and digital technologies to improve inspection activities makes a lot of sense, but the move toward remote, drone-based inspections of critical assets also introduces a new risk in the form of increased susceptibility to cyber threats.
1. Know and Manage the Risks
The cyber threats to a drone-based inspection program are numerous. They range from the risk that hackers will access video or other data as it is transmitted from the drone to a base station, to the risk that hackers will hijack a drone’s command and control system in order to steal the drone and its payload entirely. Similar data-security risks affect mobile devices and laptop computers used in the field. To manage these risks, a well-designed cyber-security strategy for drone-based asset inspection operations will include a careful review of the equipment to be used, to ensure that all data will be encrypted prior to transfer, that the number of devices that can connect to the base station is restricted to one, and that the drone has a “return to home” mode. In addition, the operator must be sure to apply all regular firmware updates and to adopt a strong password policy for the base station and other applications. Laptops and devices used in the field must communicate only via virtual private network (VPN) and should be kept regularly updated with anti-virus software. A policy to prevent unsafe apps from being downloaded and installed on company computers should also be followed.
Once collected from the field, inspection data will be processed, analyzed, summarized, shared, and stored. Cyber security should remain in the foreground of the design and implementation in each part of this “last mile” of the inspection data flow. Along with the measures already discussed to protect data while it is being collected, transmitted, and stored, such as anti-virus software, strong password policies, virtual private network use, and encryption, attention must also be paid to the cyber-security capability and design of the software applications that are used to analyze, interpret, and share the data.
2. Respond at Every Level
With so many potential directions for cyber-criminals to attack from, managing cyber-threats requires a multi-part response, including physical barriers to access, software defences like firewalls and intrusion detection applications, and a network security program that addresses security concerns at every network access point, whether in hardware such as personal computers and mobile devices, or software provided by third-party vendors. In a drone-based asset inspection context, attention to cyber risk means managing multiple risk exposures with multiple layers of defences. This begins with the data acquisition equipment itself and continues through any mobile devices or laptop computers used in the field to consolidate or perform preliminary data reviews, to cloud servers and office desktop computers where the data will ultimately be processed, analyzed, reviewed, and shared.
3. Audit, Maintain, and Train
As with so many systems, it is often said that a cyber-security system is only as strong as its weakest link. Modern organizational IT infrastructure is complex and may involve dozens of different vendors within a single environment. As such, it is essential that in constructing a secure, drone-based asset inspection program, appropriate consideration be given to qualifying vendors properly for secure design and programming practices, including consideration of whether specific national or international cybersecurity standards should be required, and to ensuring that any implementation will be secure by default, meaning the highest security settings will be the default settings. A final cyber-security review should be completed before finalizing the design of an inspection program, and periodic cyber-security audits should be conducted to uncover any weaknesses as they develop.
Once your drone inspection program is operational, company policies should be in force to require regular and timely maintenance, such as bug fixes, and to ensure that all employees are aware of and receive regular, appropriate training on cyber-security matters.
The benefits of drones and advanced camera technologies in helping to make inspections of critical assets and infrastructure easier and better are apparent. With major hacks and ransomware attacks so often in the news these days, so too are the cyber risks that have emerged with the new technologies: risks that are serious, but also manageable. A well-designed and implemented cybersecurity program for your drone inspection program must be one of your highest priorities to ensure your organization realizes the promise offered by this wave of digitization without getting pulled under by the undertow of cybercrime.