Trust and Security in the world of Drones
Unmanned Aerial Systems (UAS), or drones, are Internet of Things (IoT) devices and present security challenges, including vulnerabilities that can lead to unintended data distribution. Safety is critical for the unmanned aircraft industry, just as it is for the manned aviation industry, as both operate within a digital aviation ecosystem. With rapidly scaling operations and increasing integration between manned and unmanned operations in a sensitive airspace, addressing new and emerging cyber threats is of utmost importance in maintaining operational viability.
The aviation industry is built upon a trust framework that includes the identification of communicating parties and the integrity of the information exchanged among them. Without an onboard pilot to communicate with air traffic services, interoperability has become the foundation of a viable UAS Traffic Management (UTM) framework. This is the same foundation that future systems will be built upon to ensure a trusted stack for increasingly autonomous systems.
In addition to information exchange, data collected by drones can be operational mission data in the form of telemetry, as well as acquired data such as photogrammetry, LiDAR, and live video feeds. This data is secured by enterprise-level data sharing controls, which require sophisticated infrastructure and advanced security measures to combat the growing number of cyberattacks. In this article, we will discuss data security downstream of the mechanism that controls the drone, often known as the Ground Control Station (GCS).
Utilizing a UTM system such as ANRA Technologies' ANRA™ CTR provides built-in internal defenses for protecting data. Our UTM platform, designed with elasticity in mind, minimizes the number of internal and external facing connectivity interfaces. Resilient identification, authentication, authorization, integrity and permissions-based system access are the foundations of a secure UTM platform. We have accepted that the controls and standards applied to this system will have to constantly evolve to meet changing global threats.
The ANRA CTR platform connects to existing and future air traffic control systems. In addition, the platform can exchange data with other UTM systems and airspace participants through application programming interfaces and authorization services. ANRA is constantly looking to make the platforms more secure, agile, scalable, and transparent when it comes to data security. This is true for all participants within the aviation digital ecosystem: as threats evolve, new controls will be needed to ensure that trust framework entities continue to operate within their roles.
The ANRA UTM is hardened against tampering, false data injection, manipulation and repudiation. It also reduces the attack surface and eliminates certain classes of attacks by controlling access to interfaces through authentication and authorization mechanisms. The platform's audit logging capabilities ensure operational transparency from both an internal operational and a regulatory compliance perspective. Hardening the system starts with focusing on creating a secure environment.
Security Focus Areas
We can group the security focus into the following top level areas that warrant review and collaborative solutions with input from the stakeholder community.
- Message security
- Key management
- Denial of service (DoS) protection
- Identity management
Let’s review each security focus area in more detail.
Message Security
The major security objectives in the exchange of operational messages within the UAS Service Supplier (USS) Network include:
- Message integrity
- Message authentication
To achieve these goals, UTM takes the approach of having USSs digitally sign the messages that they send. NASA published a white paper that covers these aspects in considerable depth: UAS Service Supplier Framework for Authentication and Authorization (NASA/TM–2019–22036).
Key Management
Successful key management is critical to the security of a system. It is the more challenging side of cryptography, in the sense that it involves human and organizational aspects such as system policy, user training, organizational and departmental interactions, and coordination between all of these elements, in contrast to purely mathematical operations that can be automated. To create a secure environment, the nodes that participate in this architecture are provisioned with cryptographic material that supports confidential, authenticated and integrity-protected communications among actors and to/through the gateway(s). The underlying cryptographic material and services required depend on the protocols being used (both communication and messaging) and the security objectives of each. In addition to the keys required for communication protocols, messaging protocols (e.g., MQTT, CoAP, DDS) also impose their own requirements for cryptographic algorithms and key material. Although some messaging protocols only support username/password authentication, many provide options for using symmetric keys, key pairs, and certificates to secure communication between devices.
With the introduction of next generation broadband technologies and their evolution to 5G, IoT drone solution developers will be able to redesign their products with broad, direct access to the cloud and new capabilities for peer-to-peer communications. This requires flexible key management capabilities that support a variety of use cases.
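As an added example (not ANRA's code and not the reference implementation of the NASA framework), the following Go program ties the message security goals above to the key lifecycle this section describes: a USS signs an operational message with Ed25519, and the receiver verifies it against a key registry that tracks owner binding, expiry and revocation before it even looks at the signature. The envelope layout, the five-minute acceptance window, and the identifiers uss-a, uss-a-key-1 and op-1234 are assumptions for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"time"
)

// SignedMessage is a constructed envelope for a USS-to-USS operational message (an assumed layout, not a USS Network format).
type SignedMessage struct {
	SenderID  string          `json:"sender_id"` // identity of the sending USS
	KeyID     string          `json:"key_id"`    // which of the sender's keys signed this
	IssuedAt  int64           `json:"issued_at"` // Unix seconds; bounds replay of a captured message
	Payload   json.RawMessage `json:"payload"`
	Signature []byte          `json:"signature"`
}

// KeyRecord is one registry entry; it carries the lifecycle state key management has to track.
type KeyRecord struct {
	Owner   string
	Public  ed25519.PublicKey
	Expires time.Time
	Revoked bool
}

// KeyRegistry maps key IDs to their records (an in-memory stand-in for a real key store).
type KeyRegistry map[string]*KeyRecord

// signingInput is the canonical byte string the signature covers: the envelope with the signature cleared.
func signingInput(m SignedMessage) ([]byte, error) {
	m.Signature = nil
	return json.Marshal(m)
}

// Sign builds an envelope and signs it with the sender's Ed25519 private key.
func Sign(priv ed25519.PrivateKey, sender, keyID string, at time.Time, payload json.RawMessage) (SignedMessage, error) {
	m := SignedMessage{SenderID: sender, KeyID: keyID, IssuedAt: at.Unix(), Payload: payload}
	in, err := signingInput(m)
	if err != nil {
		return SignedMessage{}, err
	}
	m.Signature = ed25519.Sign(priv, in)
	return m, nil
}

// Verify checks key state and freshness before the signature, so a revoked or
// expired key is rejected even when the signature itself is mathematically valid.
func (r KeyRegistry) Verify(m SignedMessage, now time.Time) error {
	rec, ok := r[m.KeyID]
	switch {
	case !ok:
		return errors.New("unknown key id")
	case rec.Owner != m.SenderID:
		return errors.New("key is not bound to the claimed sender")
	case rec.Revoked:
		return errors.New("key has been revoked")
	case now.After(rec.Expires):
		return errors.New("key has expired")
	}
	// Acceptance window is an assumed policy: 5 minutes of clock skew either way.
	if d := now.Sub(time.Unix(m.IssuedAt, 0)); d > 5*time.Minute || d < -5*time.Minute {
		return errors.New("message timestamp outside the acceptance window")
	}
	in, err := signingInput(m)
	if err != nil {
		return err
	}
	if !ed25519.Verify(rec.Public, in, m.Signature) {
		return errors.New("signature does not verify: message altered or wrong key")
	}
	return nil
}

// Scenario runs a constructed exchange and reports whether each check behaved as intended.
func Scenario() (map[string]bool, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	now := time.Date(2024, 1, 1, 12, 0, 0, 0, time.UTC) // constructed clock
	reg := KeyRegistry{"uss-a-key-1": {Owner: "uss-a", Public: pub, Expires: now.Add(24 * time.Hour)}}
	msg, err := Sign(priv, "uss-a", "uss-a-key-1", now, json.RawMessage(`{"operation_id":"op-1234","state":"Activated"}`))
	if err != nil {
		return nil, err
	}
	tampered := msg // same envelope with the payload altered in transit
	tampered.Payload = json.RawMessage(`{"operation_id":"op-1234","state":"Ended"}`)
	out := map[string]bool{
		"genuine_accepted":  reg.Verify(msg, now) == nil,
		"tampered_rejected": reg.Verify(tampered, now) != nil,
		"replay_rejected":   reg.Verify(msg, now.Add(time.Hour)) != nil, // identical bytes, an hour later
	}
	reg["uss-a-key-1"].Revoked = true
	out["revoked_rejected"] = reg.Verify(msg, now) != nil
	return out, nil
}
```

The ordering inside Verify is the point: signature verification proves only that some holder of the private key produced the bytes, so the registry's owner binding, expiry and revocation state, and a freshness window against replay, are what turn a valid signature into an accepted message. Key rotation in this model is provisioning a new KeyID and letting the old record expire or be revoked, which is the lifecycle work the section above calls the hard part.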
Denial of Service Protection
Mission-critical services provided to drones, vehicular networks or industrial systems in particular require highly available, low-latency, and highly reliable communication systems. In the new connected world, the influx of low-cost drones and other IoT solutions has introduced, and will continue to introduce, a large number of devices that are cheaper and less sophisticated than wireless-connected devices such as smartphones. As more devices are connected to wireless broadband networks, the networks will be exposed to denial of service (DoS) threats targeting the limited resources of specific services, much like botnet-driven distributed DoS attacks on the Internet. Drone operations need to account for this possibility and plan for mitigation of such attacks by having redundant interfaces, including extensive fail-safes integrated in the solution.
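One concrete service-side mitigation for the DoS exposure described above, added here as an example and not ANRA's code: a per-identity token bucket that caps how many requests each authenticated device can make, so a device that floods the service (whether compromised or merely faulty) degrades only its own service rather than everyone's. The rates, burst size, identity names (drone-A, drone-B) and the eviction policy are assumptions for the example.

```go
package main

import (
	"math"
	"sync"
	"time"
)

// bucket is the refill state for one caller identity.
type bucket struct {
	tokens float64
	last   time.Time
}

// Limiter is a per-identity token bucket. Each identity may send `burst`
// requests at once and `rate` requests per second sustained; anything beyond
// that is refused instead of being queued, so the service stays responsive.
type Limiter struct {
	mu      sync.Mutex
	rate    float64
	burst   float64
	maxIDs  int // bound on tracked identities so the limiter's own table cannot be exhausted
	buckets map[string]*bucket
}

func NewLimiter(rate, burst float64, maxIDs int) *Limiter {
	return &Limiter{rate: rate, burst: burst, maxIDs: maxIDs, buckets: map[string]*bucket{}}
}

// Allow reports whether identity id may be served at time now.
func (l *Limiter) Allow(id string, now time.Time) bool {
	l.mu.Lock()
	defer l.mu.Unlock()
	b, ok := l.buckets[id]
	if !ok {
		if len(l.buckets) >= l.maxIDs {
			l.evictStalest()
		}
		b = &bucket{tokens: l.burst, last: now}
		l.buckets[id] = b
	}
	// Refill in proportion to elapsed time, capped at the burst size.
	if elapsed := now.Sub(b.last).Seconds(); elapsed > 0 {
		b.tokens = math.Min(l.burst, b.tokens+elapsed*l.rate)
		b.last = now
	}
	if b.tokens < 1 {
		return false
	}
	b.tokens--
	return true
}

// evictStalest drops the identity seen least recently (caller holds mu).
func (l *Limiter) evictStalest() {
	var oldest string
	var oldestAt time.Time
	first := true
	for id, b := range l.buckets {
		if first || b.last.Before(oldestAt) {
			oldest, oldestAt, first = id, b.last, false
		}
	}
	delete(l.buckets, oldest)
}

// Scenario replays a constructed flood and reports how many requests got through.
func Scenario() map[string]int {
	lim := NewLimiter(2, 5, 1000) // assumed policy: 5 requests at once, then 2 per second
	t0 := time.Date(2024, 1, 1, 12, 0, 0, 0, time.UTC)
	res := map[string]int{}
	for i := 0; i < 8; i++ { // eight requests from one device at the same instant
		if lim.Allow("drone-A", t0) {
			res["A_burst_allowed"]++
		} else {
			res["A_burst_denied"]++
		}
	}
	if lim.Allow("drone-B", t0) { // a well-behaved device is unaffected by A's flood
		res["B_allowed_during_A_flood"]++
	}
	for i := 0; i < 3; i++ { // one second later only two tokens have refilled
		if lim.Allow("drone-A", t0.Add(time.Second)) {
			res["A_after_1s_allowed"]++
		} else {
			res["A_after_1s_denied"]++
		}
	}
	return res
}
```

Because the bucket is keyed on the authenticated identity rather than on a source address, it composes with the message authentication discussed earlier: an unauthenticated flood never reaches the limiter, and an authenticated one is attributable to a specific device that can then be throttled or revoked. The maxIDs bound matters for the same reason the passage gives for cheap devices: the limiter itself must not become the resource an attacker exhausts.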
Identity Management
Identification systems for drones need to provide more information than just a few details about the drones. The established identity can be the basis to accomplish further security goals, such as policy-based access control decisions for personnel within that system or recording of actions mapped to their actors to establish an auditable transaction history (e.g., through blockchain-based transaction integrity preservation).
A wide range of identities are involved in a typical commercial drone ecosystem and should not be limited to identification of the drone by itself. Identification needs to exist at every layer of the stack and in every segment of the architecture. For example, drones might need to be identified as hardware trust anchors, while other areas will require identification such as IP endpoints, cloud service instances, network services, virtualized network function instances, subscribers, and administrators and more.
All of those identities need to be defined, provisioned, maintained, validated, revoked, etc., requiring a robust Identity Management solution that captures the entire life cycle of this management task.
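The auditable transaction history mentioned above (and the audit logging capability described earlier for the platform) can be made concrete with a hash-chained audit trail in which every record names the actor, the action and the target and commits to the record before it. This is an added Go example, not ANRA's implementation and not a blockchain; the actors, actions, targets and timestamps are constructed.

```go
package main

import (
	"crypto/sha256"
	"encoding/binary"
	"encoding/hex"
)

// Entry is one audit record: which actor did what to which target, and when.
type Entry struct {
	Seq      uint64
	At       int64 // Unix seconds
	Actor    string
	Action   string
	Target   string
	PrevHash [32]byte // hash of the previous entry (zero for the first)
	Hash     [32]byte // hash over all fields above
}

// digest binds every field; strings are length-prefixed so field boundaries are unambiguous.
func digest(e Entry) [32]byte {
	h := sha256.New()
	var buf [8]byte
	binary.BigEndian.PutUint64(buf[:], e.Seq)
	h.Write(buf[:])
	binary.BigEndian.PutUint64(buf[:], uint64(e.At))
	h.Write(buf[:])
	for _, s := range []string{e.Actor, e.Action, e.Target} {
		binary.BigEndian.PutUint64(buf[:], uint64(len(s)))
		h.Write(buf[:])
		h.Write([]byte(s))
	}
	h.Write(e.PrevHash[:])
	var out [32]byte
	copy(out[:], h.Sum(nil))
	return out
}

// Log is an append-only, hash-chained audit trail.
type Log struct{ entries []Entry }

// Append records an action and links it to the previous entry.
func (l *Log) Append(at int64, actor, action, target string) Entry {
	e := Entry{Seq: uint64(len(l.entries)), At: at, Actor: actor, Action: action, Target: target}
	if n := len(l.entries); n > 0 {
		e.PrevHash = l.entries[n-1].Hash
	}
	e.Hash = digest(e)
	l.entries = append(l.entries, e)
	return e
}

// Verify recomputes the chain and returns the index of the first entry whose
// hash or link does not match, or -1 if the whole chain is intact.
func (l *Log) Verify() int {
	var prev [32]byte
	for i, e := range l.entries {
		if e.Seq != uint64(i) || e.PrevHash != prev || digest(e) != e.Hash {
			return i
		}
		prev = e.Hash
	}
	return -1
}

// Head returns the latest hash, the value to anchor outside the log's own storage.
func (l *Log) Head() string {
	if len(l.entries) == 0 {
		return ""
	}
	return hex.EncodeToString(l.entries[len(l.entries)-1].Hash[:])
}

// Scenario builds a constructed trail, then alters one record in place.
func Scenario() (intactBefore int, firstBadAfter int) {
	var l Log
	l.Append(1704110400, "operator-17", "ACTIVATE", "operation op-1234")
	l.Append(1704110460, "admin-2", "GRANT_ROLE", "operator-17 -> airspace-manager")
	l.Append(1704110520, "operator-17", "END", "operation op-1234")
	intactBefore = l.Verify()
	l.entries[1].Actor = "operator-17" // tampering attempt: re-attribute the role grant
	firstBadAfter = l.Verify()
	return intactBefore, firstBadAfter
}
```

The chain detects any in-place edit to a record, but a party who can rewrite every later hash can simply re-chain the log, so Head() must be anchored where the log writer cannot change it: published periodically, written to write-once storage, or replicated to parties who do not trust each other, which is the role a blockchain-style ledger plays in the passage above. Seq in each record also lets a verifier notice a deleted or truncated tail, not just an altered one.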
International Aviation Trust Framework (IATF)
There are some initiatives already in place that look at these aspects from the aviation industry's point of view. The aim of the International Civil Aviation Organization (ICAO) International Aviation Trust Framework (IATF) is to provide a high-level, globally interoperable architecture to manage the vast number of new aviation entrants – such as drone operators – while helping to protect communication links between UTM and air traffic management (ATM) systems from cyber threats. Below are some highlights of the IATF framework.
- IATF participant identities are trustable:
  - Common IATF Master Trust Framework agreement
  - Common identity policies audited through the IATF
  - Information flowing between IATF participants is attributable to the IATF identity that is the source of the information, by digitally signing the information
- IATF-compliant networks, called Global Resilient Aviation Information Networks (GRAINs), are trustable:
  - Trusted network addressing
  - Trusted Domain Name Services
  - Trusted network operations through IATF-audited Information Security Management Systems (ISO 27000/NIST)
International standards provide a foundation for mutual understanding and can be used as best practices to facilitate performance measurement and reliability. They are one approach to help address drone data security.
ISO/IEC 27001 is an international standard on how to manage information security. It details requirements for establishing, implementing, maintaining and continually improving an information security management system (ISMS), in order to help organizations make their information assets more secure.
Obtaining an ISO/IEC 27001 certification demonstrates that an organization has identified risks, assessed their implications and put in place systemic controls to limit damage to the organization. ISO/IEC 27001 benefits include increased reliability and security of systems and information, as well as improved customer and stakeholder confidence.
Trust and security in the world of drones is a complex, multifaceted problem. We can decompose it by applying security-by-design principles as the ecosystem continues to evolve.
Interoperability and a global trust framework are the basis of secure UAS operations and the foundation for next generation airspace management systems. We at ANRA are working towards global interoperability by participating in various standards organizations, such as ASTM, the ICAO Trust Framework Working Group, and the Global UTM Association (GUTMA), to prevent industry fragmentation and achieve a safe, secure, scalable, interoperable solution for tomorrow's airspace management.