Assessing the Current Drone Threat Landscape
Facility security personnel must be aware of potential threats that come from small unmanned aircraft systems (sUAS). They can rely on experts to bring them up to speed and guide them through the process of ensuring their facility is ready for this threat. Daryle Hernandez is Chief of the Interagency Security Committee within the U.S. Department of Homeland Security (DHS). He is responsible for implementing Presidential Executive Order 12977 to enhance the quality and effectiveness of security in and the protection of buildings and non-military federal facilities in the United States. Sarah Jacob is Program Manager, Small Unmanned Aircraft Systems Security within the Cybersecurity and Infrastructure Security Agency (CISA). She develops and provides resources and capabilities dedicated to mitigating the cyber-physical risks associated with sUAS.
ISC News recently spoke with Hernandez and Jacob to gain an understanding of how facility security personnel can recognize the current sUAS threat landscape and implement basic sUAS countermeasures.
ISC News: How are small Unmanned Aircraft Systems defined?
Sarah Jacob: Small Unmanned Aircraft Systems are a subset of Unmanned Aircraft Systems. They are defined by the FAA as weighing less than 55 pounds and are operated without the possibility of human intervention. When you think about aircraft in totality, sUAS is the most likely type encountered in the U.S. because they are the most available commercially. We consider the threat to and from the aircraft and associated elements such as the ground control station.
ISC News: What are the main threats sUAS pose to facilities or mass gatherings?
Daryle Hernandez: It’s most important to keep in mind that the majority of threats come from careless and clueless non-malicious use. Of those that are malicious there are four categories:
- Hostile Surveillance—these could compromise security or are a precursor to future attacks.
- Smuggling or Contraband Delivery—these bypass security measures and are most often seen around the border and prisons.
- Disruption—these threats come from the sUAS’s presence. For example, they could shut down airport operations or drop flyers.
- Weaponization—these have the intent to cause physical harm to people, assets, or facilities.
ISC News: What should security personnel look for in order to recognize a threat and how can they distinguish a threatening sUAS from a non-threatening sUAS?
Jacobs: There are several layers to recognizing a threat and they involve looking at your airspace in general. First, know your airspace. Having air domain awareness is understanding the pattern of life above your facility. Most sUAS flights are authorized. When it comes to threat discrimination you need to understand whether the sUAS is allowed to be there, so you must establish a baseline of normal to understand what is not normal. Then train security personnel to look into the airspace. If they see a drone, they should report it in order to establish data points. They should note its size, color, frame and how many arms it has. Beyond human visuals, organizations that can invest in technical detection should do so. It is more reliable and adds more details. The CISA website has more information on this topic.
Second, know whether your airspace is restricted in any way. Places like national parks, airports and military installations have restrictions. To know for sure, view the FAA temporary flight restrictions map. A violation of a flight restriction can carry civil and criminal penalties, which incorporates federal authorities into your site security plan. Third, partner with other facilities and local law enforcement to understand what their airspace is like and the activity they see. And fourth, distinguish whether the sUAS is flying according to FAA regulations. If it isn’t, you could be dealing with something suspicious, if not threatening.
ISC News: What preparedness plans should be in place to protect against this type of threat?
Hernandez: We recommend the organization or facility conduct a sUAS-focused vulnerability assessment to develop a response and recovery plan. Then, the response and recovery plan should include the following:
- Take a holistic approach and include all stakeholder perspectives: building owners/lessors, tenants, legal counsel and any other relevant stakeholders.
- Identify a sUAS emergency response team; establish training and allocate resources to be successful.
- Develop actual threat response procedures that would be employed. The procedures should include steps to preserve forensic physical and cyber evidence (sUAS are also flying computers).
Ultimately the plan is only as good as the extent of its distribution and how often it is exercised. Consider what the average person needs to know.
ISC News: Can you describe some basic sUAS countermeasures?
Hernandez: Many protective measures designed to mitigate other risks can help mitigate sUAS risks, so a number of countermeasures already out there can be applied. Existing countermeasures may exist in the following four categories:
- Security administration and countermeasures
- Environmental countermeasures (merv filters, HVAC shutoff)
- Employee awareness and training
- Communications and planning protection activities
After considering what you are already doing, you may consider other mitigation options specific to sUAS using the principles of deter, detect, protect and respond. For example, post no drones signs, publish deterrent communications on websites and social media, conceal and reposition assets to reduce their vulnerability (be aware of sightlines from the air and move cyber assets away from windows) and increase your organization’s ability to identify and respond.
Jacobs: As Daryle mentioned earlier, we encourage organizations to undergo a vulnerability assessment to understand the lay of the land. This will help you identify critical assets and decide where to position the detection equipment. You also want to regularly conduct training exercises. There are several tabletop exercises that test existing security and response plans and identify gaps.
ISC News: What resources are available to security personnel to help them assess the risk to their facilities and establish the right protocols to protect against the threat?
Jacobs: CISA has various resources on security and response strategies. They include best practices and other analytic information. The website, https://www.cisa.gov/uas-critical-infrastructure, has ready-to-use templates and ways to connect with CISA’s regionally-based Protective Security Advisors (PSAs) to coordinate larger scale tabletop exercises. They can also conduct vulnerability assessments that will supplement self-assessments as well as interpret results and offer recommendations. In addition to the publicly available website, and for those with access to the Homeland Security Information Network (HSIN), CISA has a UAS critical infrastructure community of interest to share information that requires more restricted access. Examples include cybersecurity industry alerts related to the beneficial use of UAS and comprehensive studies on the UAS threat to critical infrastructure and trend analysis.