Gatwick: attack of the drones

Authors – French Caldwell and Richard Stiennon

Key takeaways –

  1. Air transportation infrastructure is particularly vulnerable to non-lethal attacks by drones
  2. Regulatory controls alone will not stop drone attacks
  3. Attacks like the one at Gatwick this week are a serious reputational blow to the drone industry and to the rapidly growing ecology of drone control software and analytics vendors

For two nights in a row, people living along the flight path of London’s busy Gatwick airport have slept soundly. Thanks to a drone attack that started at 9 p.m. GMT on 19 December 2018, all flights have been grounded. Sussex police have been playing whack-a-mole with whoever is controlling the drone or drones – every time they think they may be getting close, the drone disappears, only to reappear later. Meanwhile Gatwick’s neighbors are experiencing life without jet noise, while tens of thousands of holiday travelers have been stranded.

Hacking geofencing. This incident demonstrates in spades the fragility of critical infrastructure and the challenge posed by emerging technologies. Drone pilots are required to follow rules that should prevent interference with airport operations, and the rules are enforced through the control system software for the drones. Geofencing built into the software should shut down drones that stray into restricted airspace. The geofencing is built into either the application software on a smartphone or laptop external to the drone, or into the firmware internal to the drone – the former being the case for toy or hobby drones and the latter usually being the case for industrial drones used by businesses or government agencies.

However, the mobile or laptop application software is most likely not un-hackable, and regarding industrial drones, former Gartner analyst Jeffrey Vining, who has followed drone technology for over a decade, stated, “The firmware is potentially hackable over the wireless connection from the operator to the drone,” enabling the operator to disable the geofencing.

Drones have proven to be an effective means of disruption. The General Atomics MQ-1 Predator, piloted from remote workstations in Nevada, has wreaked havoc on suspected insurgents throughout the Mideast. In July, Houthi rebels claimed a drone attack against Abu Dhabi airport. A Houthi military source said the armed drone flew 1,500km. That claim of attack has been discredited, but there have been drone attacks by Houthi in Yemen, most recently in April 2018.

There is no question that commercially available drones for hobbyists should have built-in systems that help reduce their ability to interfere with airports, freeways or stadiums, and perhaps avoid power transmission lines.  However, it will always be possible for hackers to circumvent those built-in controls or build their own flying devices with no controls at all.

Fragile infrastructure.  The infrastructure that is the network of airports around the world has proven to be fragile. Any frequent traveler knows that a major backup at a large hub like Dulles, or Heathrow, can have repercussions felt around the world as flights are diverted or delayed. The cause is usually weather, but the specter of a coordinated series of drone attacks that leverage this fragility calls for more robust defenses than regulatory-imposed controls alone. 

Counter-drones and contingencies. Counter-drone systems are already under development. The Silent Archer system from SRC combines drone sensing and targeting capabilities. Most counter-drone systems rely on radio frequency jamming to disable drones. One commercial venture, Apollo Shield, has a handheld device that looks like a futuristic rifle for taking out drones. Counter-drone laser and microwave systems such as those being developed by Raytheon for the U.S. military also offer a solution to interference by drones in restricted airspace. However, intentionally crashing drones could introduce new problems, particularly for large drones where the hazardous materials from batteries or fuel may need to be dealt with following a crash.

It would be easy to criticize Gatwick Airport for not recognizing their vulnerability to rogue drone flybys and investing in counter-drone technology. But, as always, the first victim is the test case for new attacks that illuminate threats. Now would be a good time for the U.K. Home Office and the U.S. Department of Homeland Security to work with air traffic authorities on drone attack contingency plans and start educating airport administrators on the need to invest in counter-drone technology.

Recommendations

  1. Public and private sector operators of airports, railroads, highways, stadiums, and other high traffic infrastructure should develop and practice contingency plans for drone attacks
  2. Governments should accelerate drone air traffic control system projects, and include defenses and drone attack contingency plans in those projects
  3. Commercial drone manufacturers like DJI, Yuneec, GoPro, and the rapidly emerging drone geofencing and analytics software ecology, including vendors like AirMap, PrecisionHawk, senseFly, Airware and others, should develop common standards that support drone air traffic control and non-military counter-drone defenses

When to treat family and friends like acquaintances

Key takeaway

Third party risk management is not just for suppliers, IT vendors and service providers.  In many cases, subsidiaries or other organizations within your enterprise, and even well-known business customers should be brought into the third party management program.

The problems at Deutsche Bank and Danske Bank reminded me of an inquiry I had with a CISO at a large high tech equipment manufacturer. We were discussing best practices in third party risk management. I asked him what types of companies he was monitoring and he told me they were subsidiaries. He was putting these subsidiaries through the same hoops as he would any other third party vendor, classifying them into three risk categories, doing deep dives and continuous monitoring on the higher risk ones, and documenting certification and accreditation on all of them.

The Financial Times today recounted Deutsche’s current regulatory rows: money laundering by a former subsidiary, Regula, that it had acquired in the British Virgin Islands, and Deutsche’s role as a correspondent bank processing over €160 billion in suspicious payments for Danske Bank Estonia. And of course Danske Bank Estonia was a subsidiary acquired by Danske.

Being “in the family,” it is apparent that Regula and Danske Bank Estonia did not get enough scrutiny by their parents.  Had they been treated as high risk third parties, the risks and lack of effective controls to prevent money laundering may have been discovered earlier, avoiding the heavy supervisory presence and regulatory investigations that the parents now enjoy.

Also, Danske Estonia’s use of Deutsche Bank instead of its own parent to transfer money out of Estonia could have helped to bypass parental scrutiny.  Should Deutsche have raised a red flag — like a neighbor who lets the neighbor kid smoke pot in her backyard?  Deutsche didn’t raise a red flag, instead stating they weren’t the ones responsible for validating the source of the funds — that was Danske’s problem. 

Yet, now it’s all come back on Deutsche, and the lesson learned for the rest of us — when a lot of money is on the line, treat your family and your friends as acquaintances.

Recommendations

1 — Bring high risk subsidiaries into your third party risk management program

2 — High risk customers should also be included in your third party risk management program

Originally published on blog.frenchcaldwell.com