October 18, 2019

We’ve talked about the increasing sophistication of cyberattacks at length. But did you realise that a cyberattack could reach your business via a drone?

Dronelife’s Miriam McNabb reports on the DroneDeploy 2019 Conference, where a cybersecurity expert, Rhea Naidoo, warned that hackers are attacking business infrastructure with drones.

A threat of surveillance, data theft, system attacks and even physical damage

Naidoo, co-founder and Director of Automated Solutions at Cambrian Cyber Group, says the attack risk from drones has never been higher and that drones can carry out surveillance, capture data, and even cause damage by colliding with buildings and other infrastructure. Drones are cheap, simple to use, and hard to detect without the right preparation and equipment, which can be expensive.

Drones can be used to approach businesses, power plants, and other infrastructure, carrying a cyber attacker’s technology close enough for direct attacks on an organisation’s network.

Attackers can manipulate or disable systems when in close proximity

Naidoo says cyber attacks which target operational technology (OT) networks are growing and there have been multiple attacks on the US and EU energy sectors. Attackers are able to steal confidential data, manipulate controls or disable alarm systems, and even take systems offline.

Cybercriminals can conduct GPS spoofing from their drones, use Bluetooth to steal data, and scan access or credit cards via RFID. Drones can even be used to set up malicious WiFi networks that imitate, and sit in close proximity to, an organisation’s legitimate network, allowing cybercriminals to monitor WiFi traffic. Or drones can be used more simply, just to crash into their targets.

Malware can be passed from drone to drone

It’s even possible for one drone to pass malware to another during flight. Gartner data estimates that 170,000 commercial drones will be sold in 2019. This is a 58% increase since 2016 and points to the increasing usage of drones in today’s workplaces.

Goldman Sachs also predicts that businesses and the public sector will spend $13 billion on drone technology between 2016 and 2020. Though military use is the greatest today, the commercial and civil sectors will be the biggest growth areas for the technology.

PwC estimates that worldwide, drones could replace $127 billion worth of business operations and labour costs across a range of industries, but especially in infrastructure, agriculture and transportation.

Delivery drones could reach our skies in what could be a matter of months, rather than years. Energy companies themselves already use drones, putting them at even greater risk.

You don’t have to use drones to be at risk

Though the cybersecurity risk from drones is arguably higher if you use the technology within your own business, it’s clear that, as an attack vector, every business with a physical location a drone could approach is theoretically at risk.

Europol’s latest cybercrime report points to a growing boldness of cybercriminals, the threat to data, and the increasing targeting of high-value victims. Cyber criminals are targeting businesses and are not afraid to attack using multiple steps and methods.

Artificial intelligence (AI) is also already being used in attacks. One unsuspecting CEO was tricked out of thousands after cybercriminals used AI to impersonate the voice of his boss and give him instructions over the telephone.

Infrastructure can be protected from drone attacks

Naidoo, according to Dronelife, says there are cybersecurity and technology tools which can protect infrastructure from attack. Organisations, of course, need to assess their threat risk and take action as part of an overall cybersecurity strategy. Geofencing can be used, as well as SoundWave detection, like radar. Existing counter-drone solutions have scanning methods to keep drones away.

For drone owners, the solutions are similar to keeping corporate networks safe. Naidoo says “good security hygiene” is needed. Drone systems should be kept up to date, and the built-in solutions which come with more expensive drones should be utilised.

OT networks should have protection from drones or other proximity attacks if there is likely to be such a risk to a business. Many businesses of size may choose to employ this anyway. McNabb of Dronelife writes that though the idea of drone attacks may seem “farfetched,” Naidoo says it needs to be considered in a good cybersecurity program, adding:

“We’re living in a world where it used to be OK for companies to live with an ostrich approach, and put their heads in the sand.”

Today that’s not possible. Cyberattacks can come in any shape or form. Companies need adequate protection from any realistic risk to their business or industry and must assess this accurately. Cybersecurity is essential not only to protect systems and data and to avoid costly rectification expense: consumers lose trust in businesses that have been attacked, and regulators look increasingly harshly at why and how any cyberattack is successful, especially when it leads to a data breach.

Here at The Defence Works we don’t miss a trick, and neither should you. Start with awareness of every cybersecurity threat your business could face.
