6 April 2021
The Dual-Use Conundrum: Game of Drones
Gerard Ward explores the dual-use risk presented by emergent technologies. Recent drone attacks illustrate this dual-use risk, and in particular the challenge confronting Critical Infrastructure (CI), the vital national assets that are cornerstones of the modern economy.
A decade ago, traditional security measures such as electric fences, guards, video surveillance and access control systems formed part of the physical protections designed to keep intruders out of a CI facility. However, the rapid growth of emerging technologies like drones gives rise to a new class of threat. If used maliciously, drones can deliver clandestine airborne payloads that inflict severe damage.
Traditional security measures can no longer control and neutralise threats from malicious drones, also known as Unmanned Aerial Vehicles/Systems (UAVs/UASs). Currently, few facilities around the world are equipped to detect and deter drone-related threats, and therefore to address their level of threat exposure. If CI is targeted by drones effectively, the resulting business interruption, monetary loss and broader economic impacts could be devastating.
Drones as destructive weapons
In September 2019, the Abqaiq oil facility and Khurais oil field in Saudi Arabia were hit by 18 drones and cruise missiles. This was despite the area being protected by air defence systems installed by the Saudi Arabian government with US assistance. These facilities accounted for approximately 5% of global oil production, and closure in the aftermath of the attack sent shock waves through financial markets. Fortunately, disruption was short-lived, but the incident illustrates the threat that drones pose, given their ease of deployment, small size and low cost compared to conventional weapons.
Drones causing disruption
While the 2019 strike demonstrates use of drones as kinetic weapons, they can also create nuisance resulting in loss. A drone traversing Gatwick’s airspace in December 2018 caused the cancellation of over 1,000 flights and direct losses of over £50m. Travel insurers suffered losses as passengers sought recovery of rebooking fees and loss from forfeited flights due to the disruption.
Although the scenarios above describe malicious intent, in reality drones are used daily in a wide range of commercial settings. A recent Bloomberg article describes how Indonesian asset owners use drones in conjunction with AI-driven image analysis to map estates and count trees. But the scenarios above highlight the risks posed by emergent technologies when repurposed for malicious use.
Most cyber-related incidents encountered by Integra result from threat actors deploying technologies originally developed for security testing, but harnessed for malicious purposes. These dual-use technologies pose a growing risk as cyber and emergent technologies become democratised through lower capital investment, greater accessibility and enhanced capability. Off-the-shelf (OTS) drones and custom-home-built (CHB) drones can be equally damaging to CI if threat assessment and countermeasures prove inadequate. However, such countermeasures (see table below) are complex and often costly to maintain.
The examples above are instances of drones being controlled directly by bad actors. But the remote data carrying instructions between operator and drone can be compromised too. A compromised drone can represent a threat just as perilous as the drones that attacked the Abqaiq oil facility. Any drone compromised while inspecting CI could be forced to crash intentionally and cause significant damage.
Drone Detection and Defence Systems
|Electromagnetic perimeter fences||Drone gun (laser)|
|Electro-optical imaging system Visual detection||GPS jammers|
|||High Power Electromagnetic Pulse (HPEW)|
|RF-based detection||Counter-UAV patrol|
|Magnetic detection||Cyber exploitation|
Threat actors can interrupt drone communications, fabricate or modify data and hijack critical networks. In 2011, Iran captured a US military drone by jamming its positioning control signals, then spoofing the GPS data so the UAV landed in north-eastern Iran.
While the use of encrypted communication between US UAVs and military command has prevented a repeat incident, bad actors are continually exploiting new vulnerabilities, often utilising dual-use technologies. Many civilian drones remain vulnerable to data-jamming, interception and manipulation because they rely on unencrypted communication links for transmitting instructional data.
More complexity, more vulnerability
The drone market is tipped to reach US$43 billion by 2025 (Statista, 2020), suggesting widespread deployment and dependency across many industries. While real business benefits exist, the operating landscape for these drones as an emergent technology is set to become more complex. Drones are effectively flying computers, so data is at risk and hacking or malfunction could cause physical damage or, in the worst-case scenario, loss of life. The use of delivery drones by the likes of Uber Eats or FedEx creates data privacy issues and the need to comply with GDPR and the USA’s IoT Cybersecurity Improvement Act of 2020.
Given the complexities of these emergent technologies and the threat drones represent as dual-use technologies, the root cause analysis of accidents has to be exact, as with any data-driven process. Having the right claims management solution that can rapidly and accurately pinpoint root cause relies on specialist skills working within an organisational structure to attribute cause to data or electronic components. Integra has assembled a team of experts who can collectively investigate people, procedures, operations and information systems to accurately determine cause and consider policy response. Identification of the prospects for recovery and betterment forms a key part of this root cause analysis.