Drones are increasingly making an impact on society and economy. Drones are used by the military for intelligence gathering, anti-aircraft target practice, and also for weapons platforms. They are also used for many civilian roles such as agricultural surveillance, mapping, tracking, search and rescue, traffic monitoring, firefighting, weather monitoring, engineering applications and photography.
In future, drones would be delivering food and goods to doorsteps, hovering around backyards for family fun or over highways for traffic monitoring. An estimated 700,000 unmanned aircraft systems, called UAS, but commonly referred to as drones, are expected to be roaming the sky by the year 2020. Many have questions about how such a big change to the airspace will affect our lives and safety.
Unmanned Aerial Vehicles(UAVs) have become indispensable to modern military for variety of missions; intelligence & reconnaissance missions like signal intelligence, image intelligence, penetration missions like suppression of enemy air defense; communications missions like radio relay; electronic warfare missions like electronic attack and electronic protection, NBC missions like monitoring of nuclear, biological or chemical (NBC) contamination; target acquisition, target designation, weapon attack missions by delivering various lethal and nonlethal payloads, battle damage assessment and target decoys.
With rising employment of commercial and military drones the cyber attacks on drones are also becoming common. In 2011, Iran claimed to have downed a sophisticated American stealth drone, and unveiled what it alleged was a reverse-engineered copy of the futuristic looking RQ-170 Sentinel UAV, produced by defense giant Lockheed Martin.”The drone was brought down by the Iranian Armed Forces’ electronic warfare unit which commandeered the aircraft and safely landed it,” Iran’s Tasnim News Agency announced.
“Many things have computers inside and those computers are networked to talk to other things. Whenever you have that situation, you have the possibility for remote vulnerabilities where somebody can use the network connection to take over and get the device to do what the attacker wants instead of what the owner wants,” according to Fisher.
“A lot of the ways attackers take over programs on machines and the Internet is by exploiting security vulnerabilities, and there are many kinds, such as the buffer overrun vulnerability, to which safe languages are just immune,’’ notes Andrew Appel, professor of computer science at Princeton University, who is considered an expert in the program verification field. Hardware and software technology, standards, and regulations combine to ensure the safety and security of current and future unmanned and autonomous vehicles and systems.
Drones can also be privacy and safety hazards, if there are no proper regulations, drones can be easily used for illegal purposes ranging from surveil-lance and unauthorized tracking to even criminal uses such as targeted assassinations and terrorist attacks.
Unmanned aircraft system (UAS) critical subsytems
Civilian UAV systems consist of three main elements which are the unmanned aircraft, the ground control station (GCS), and the communication data link . Moreover, the aircraft consists of an airframe, a propulsion system, a flight controller, a precision navigation system, and a sense and avoid system. Furthermore, the sub-systems that compose the UAS have specific responsibilities that represent important aspects of the whole system operation, such as:
- Ground Control Station (GCS): represents the control center of the operation. This component enables the operator to conduct the aircraft properly through specific interfaces. A ground control station is an on-land facility that provides the capabilities for human operators to control and/or monitor UAVs during their operations. GCSs vary in size according to the type and mission of the drone. In other words, for recreational mini and micro drones, GCSs are small hand held transmitters used by hobbyist. For tactical and strategic drones, a large self-contained facility with multiple workstations is employed as the GCS. A GCS communicates with the drone
through a wireless link to send commands and receive real-time data, thus creating a virtual cockpit
- The flight controller is the central processing unit of the drone. In addition to stabilizing the drone during its course, it reads the data provided by the sensors, processes it into useful information, and according to the type of control either relays this information to the GCS or feeds the actuator control units directly with the updated state. The flight controller implements the communication interface with the GCS. More precisely, commands from the GCS are processed by the flight controller which in turns affects the deployed actuators. Furthermore, the flight controller has a number of transmitter channels associated with the telemetric signals it can send to
the GCS. The flight controller can have multiple sensors integrated onboard or communicate with an external sensor unit. The UAV system sensors include accelerometer, gyroscope, magnetic orientation sensor, global positioning system (GPS) module, and
electro-optical or infrared camera.
- Payload: is the extra mass the aircraft needs to carry, and is defined depending on the mission purpose. For example, in sensing applications, equipment such as cameras, sensors, and other payloads may be required, and the aircraft needs to operate such that it optimizes the process of gathering the desired data.
- Aerial Vehicle: represents the unmanned aircraft vehicle (UAV). This component is related to the aircraft operation characteristics, such as the speed and altitude at which it operates. The UAV performance may vary widely depending on the mission considered.
- Navigation Systems: this component plays the role of providing an understanding of the position of the UAV, at any moment in time, to the operator, during the flight, and to the UAV, in emergency procedures such as ‘‘return to base’’ capability.
- The Launch, Recovery and Retrieval Equipment: this component acts, with several available systems, in the most crucial phase regarding safety in the aircraft operation: landing and take-off.
- Communications and data links : it is responsible for establishing the communication between the operator and the aircraft. This component is divided into two links: the uplink, which represents the communication between the operator and the aircraft, and the downlink, which deals with the communication between the aircraft and the operator. Data Links. The data link refers to the wireless link used to carry control information between the drone and the GCS. The adopted communication link depends on the UAV operation range. Drone missions are categorized according to their distance from the GCS into Line-of-sight (LOS) missions where control signals can be sent and received via direct radio waves, and Beyond line-of-sight (BLOS) missions where the drone is controlled via satellite communications or a relaying aircraft which can be a drone itself
- Interfaces: define the manner the components of UAS interact with each other. For example, the protocol considered in the communication between the operator and the aircraft must be implemented in both systems in order to establish the data transference .
In terms of weight, UASs can be classified into three categories. Class one represents the small UASs, which have many applications in a smaller environments. Class two represents medium-sized aircraft, varying in weight up to 600kg. Finally, aircraft heavier than 600 kg are classified in class three.
UAS can be divided into two main categories concerning piloting: Remotely Piloted Aircraft Systems (RPAS) and Autonomous Aircraft (AA). RPAS stands for a system with an operator, i.e., the aircraft is not fully autonomous. The Autonomous Aircraft (AA) are piloted by intelligent software, i.e., intelligent algorithms pilot these aircraft instead of human pilots. The piloting process can employ different Artificial Intelligence (AI) techniques, such as Reinforcement Learning (RL). Although there are many advantages of using of this technology in the NAS (e.g., risk reduction and efficiency improvement, its interaction with other modules may lead the system to unsafe states. For example, the misunderstanding of instructions provided by ATCos and the lack of proper communication with other AAs in critical situations.
UAS Cyber threats and Vulnerability
Attacks on the Flight Controller and Ground Control Station. The operation of the flight controller is solely dependent on the information received from the ground control station via the data link and acquired by its sensors from the surrounding environment. Accordingly, attacks on both the flight controller and ground control station that do not involve the data link are possible only if the attacker
can access and manipulate the internal system communication or can fabricate the sensed physical properties in the surrounding environment.
Jamming or Spoofing the GPS Data. Navigation of UAVs depends on the GPS signals received and processed by the onboard GPS receiver. GPS broadcasts are freely accessible unencrypted and unauthenticated signals sent for civilian use. The open nature of the GPS signals enables spoofing attacks where fake signals can be generated and fed to the attacked UAV with the aim of altering the geographical coordinates calculated by UAV’s GPS receiver. Also, GPS signals can be easily jammed, thus cutting the external navigation feed to the UAV which renders the UAV in a disoriented state which can eventually lead it into crashing. GPS spoofing attacks on UAVs have been demonstrated in [Kerns et al. 2014], where a team from the University of Texas utilized a custom made GPS spoofing device located at about
0.3 mile from the UAV to generate a perfect replica of the GPS signals and feed them to the drone. Unable to verify the authenticity of the received signals, the drone started responding to the fake signals and was diving directly in to the ground.
Jamming or Spoofing the UAV Transmissions. It is expected that civilian drones will be equipped with an Automatic Dependent Surveillance-Broadcast (ADS-B)-like system which broadcasts the position and velocity of the aircraft every second to avoid collision with other manned or unmanned aircraft. Similar to GPS signals and because the intended receivers cannot be predetermined, ADS-B signals are unencrypted and unauthenticated. Such signals can be easily jammed or replaced by fake ones, leading the drone into an imminent collision due to the inability to detect or verify the ADS-B warning. Also, spoofing ADS-B signals can be used instead of GPS spoofing to take control of the aircraft. More precisely, an attacker can continuously feed the UAV with malicious ADS-B signals to trick it into diverting its course in order to avoid collisions, and ultimately directing it to the desired territory.
These attacks can be avoided in manned airplanes because a pilot can visually verify, on a radar system, the proximity of other aircraft and whether they are on a collision course. Other UAV signals include the telemetric data and video feeds sent to the ground control station. Spoofing such signals can directly influence the op-erator commands which can possibly result in a drone crash. Verifying the authenticity
of the drone signals by the GCS can be achieved using Message Authentication Code (MAC) schemes. Also, secure distance bounding protocols may be used to determine the proximity of the source of the received signals and compare it to the last known location of the UAV.
Manipulating the Captured Footage. Autonomous low-altitude UAVs rely on the video captured by their cameras for navigation and collision avoidance. Normally, the process starts by the flight controller requesting the captured video from the kernel of the operating system of the flight controller computer by issuing a system call . An attacker who has knowledge of the system parameters and is able to gain access to the flight controller can intercept the system calls issued to the ker-nel and replace the genuine footage with a fabricated one. A direct consequence of this attack is the hijacking of the drone by intentionally landing it at a location other than the originally intended one. This attack can be coupled with a GPS spoofing attack to completely take control of an autonomous or even a human operated drone.
Injecting Falsified Sensor Data. The goal of this attack is to destabilize the UAV by compromising a set of sensors through injecting fabricated readings in the flight controller, thus undermining the secure control of the drone. All externally influenced sensors such as radar, infrared, and electro-optical sensors can be manipulated. As part of the electronic warfare directed energy can be used to control the electromagnetic spectrum which is not limited to radio and radar frequencies but also includes infrared, visible, and ultraviolet signals. A demonstration where an external source of audio energy was used to alter the output of a UAV Microelectromechanical gyroscope by interfering with its resonance frequency was performed in [Son et al. 2015], which led the drone to lose control and crash. Moreover, assuming an attacker with capabilities that enable access to the onboard flight controller procedures, sensors relying on an onboard
reference such as the barometer and gyroscope can also be attacked by altering their reported values when requested through system calls by the onboard flight controller.’
Attacks on the Data Link. An important class of attacks is the one aiming to violate the confidentiality and integrity of the communication between the UAV and the ground control station on the data link. Usually, sophisticated attacks aiming to take control of the drone combine one or more of the presented attacks on both the flight controller and the data link. For example, the Iranian acquisition cyber attack
carried out on the U.S. Lockheed Martin RQ-170 Sentinel drone allegedly started by attacking the communication on the data link and then carried on with an attack on the flight controller by spoofing the GPS signals.
GCS Control Signals Spoofing. Injecting false wireless control commands using the data link can be accomplished by a man in the middle attack. During this attack, the adversary blocks the legitimate communication between the UAV and the ground control station, and begins commanding the drone herself. A covert wireless injection is also possible if the adversary acts in both directions to trick both the drone and the ground control into believing they are communicating with each other. In other words, the attacker intercepts the genuine commands generated by the ground control station, sends her desired instructions to the drone, and then communicates the expected responses to the ground control. Confidentiality, integrity and authentication mechanisms can be used to mitigate such attacks but they are not usually implemented in mini UAVs .
GCS Control Signals Jamming. An adversary who is trying to take control of the drone will first attempt to disable the reception of control signals from the ground control by the drone. The loss of control signals forces the aircraft to go into a lost link state. Drones are often designed to enable their operators to upload a lost link protocol , which once the ground control communication is lost for a spe-cific period of time, the drone is supposed to follow a fail-safe autonomous procedure that can, for example, instruct the UAV to return to its base. However, this fail-safe protocol assumes that the lost link state is the result of a malfunction in the data link and that the drone is able to navigate itself autonomously using GPS signals to return to its base. Usually, this is not the case if the drone is under attack, because the adversary is also likely to jam the GPS signals as well, which leads the UAV to fly aimlessly with no control. A case when the fail-safe protocol did not function as predicted was shown in 2010 when the military Fire Scout unmanned helicopter wondered into the no fly zone of the U.S. capital Washington DC.
Malicious Hardware/Software. Both the flight controller and ground control unit are vulnerable to hardware and software trojans. Such trojans can be either discretely designed in the system or transfered to it. Hardware trojans can be intentionally designed in the UAV’s
chips to disable some security mechanisms and when triggered can have catastrophic consequences. An example of such backdoor is the Actel ProASIC chip [Casals et al. 2013] in the new Boeing 787 passenger jet that was designed to allow the chip to be accessed through the Internet. Such trojans can be mitigated by managing the security of the supply chain to avoid the use of corrupted components which grants financially capable criminal groups or adversarial nations physical access to the hardware used in the drone.
There are many functional systems each having many vulnerable subsystems each of which affects operational and functional capability of UAV differently thus affecting the mission of UAV to varying degree. One of the most critical UAV subsystems is Command Datalink system which links it with Ground Control System for guidance, telemetry and sensor information. The disruption of command links would lead to disruption of the remote control and mission failure. Similarly the disrupted or /damage of UAV Optical/ COMINT payload subsystem / payload links would lead to degradation of Optical Tracking/ COMINT Capability. The disruption of Flight control and Navigation systems will lead to loss of UAV guidance and stabilization, changes in its flight trajectory and thus mission failure. The vulnerability of UAV also depends on the level of autonomy programmed in it. Remote controlled UAVs are more vulnerable to disruption of control link than autonomous UAVs.
Drone Safety and Security Solutions
Researchers are develoing many technologies being applied and developed within the industry to help keep operations safe.
Parachutes have been a part of the aviation world for decades for pilot safety. In the case of a commercial drone, the emphasis switches to the safety of people and structures below, as well as the preservation of valuable payloads. Airobotics announced it had been granted a waiver from the FAA for BVLOS flights over people with the adoption of ParaZero’s safety systems. Indemnis and DJI announced that the Nexus parachute system for the Inspire 2 drone had been validated as compliant with the new international standard for drone parachutes following testing in December 2019.
Geofencing technology has been around for a while. DJI first introduced its system in 2015 and several drone manufacturers have similar software in place. Effectively, geofencing tech creates virtual, location-based barriers that prevent drone flights and take-offs in sensitive areas: usually around airports and one-off locations where crowds will be present, like festivals and sporting events. Applied in conjunction with the capability offered by LAANC service providers, the system is there to reassure authorities in sensitive locations that any drones flying have permission and aren’t up to no good. Remote ID is another technology that requires manufacturers to build-in software that effectively broadcasts identifying information for the drone and its pilot in real time, officials are kept in the loop.
Computer vision and AI has allowed companies like Movidius, DJI, Intel and Skydio to provide drones with the visual awareness required to avoid obstacles and, in some cases, navigate around them completely. some of the major obstacle avoidance systems are DJI Phantom 4 , Yuneec Typhoon H – Intel’s RealSense technology and launch of the Skydio R1.
One often overlooked safety feature for drones is adequate lighting. The standard lights that come with consumer models are rarely bright enough to meet the night flight requirements of national aviation bodies. Lume Cube is one company that offers seriously bright 1,500-lumen lighting attachments; DJI’s new dual, 2,400-lumen M2E Spotlight for the Mavic 2 Enterprise is another great example. Both can be used to improve vision in low-light areas and make drones more conspicuous when operating after dark.
DJI AirSense: In October 2019 DJI announced AirSense, a feature in the DJI Pilot application that displays warnings to Mavic 2 Enterprise or Matrice 200 Series pilots when a signal from a nearby aeroplane or helicopter is detected. irSense alerts drone pilots of Automatic Dependent Surveillance-Broadcast (ADS-B) signals to lower the risk of collisions and disruption, providing an extra level of safety in congested airspace.
Drone Software safety and security
One of the well known problems caused by civilian drones is their interference with aviation systems.With no human pilot onboard, the control software is chiefly responsible for maintaining UAV safety and security. And, with no mandated standards in place to govern the safety and security of UAV systems, the proliferation of drones increases the overall risk to our safety and security. The 2011 crash of a CIA drone in Iran underlines that unless a system can withstand hacking, safety remains at risk. In that incident, local authorities claimed that they had diverted the vehicle by hacking its GPS.
There are two kinds of standards to consider for UAV safety and security. Process standards describe the development processes to be followed to ensure that the finished product is written in a safe manner (DO-178) or a secure manner (ISO 14508). Coding standards describe a high-level programming language subset that ensures the software is written as safely (MISRA C) and securely (CERT C) as possible.
ISO 14508 (also know as the “Common Criteria” with reference to the merged documents from which it was derived) is an international process-oriented standard that defines IT security requirements. These requirements are categorized according to seven Evaluation Testing Assurance Levels (EALs), with EAL 7 representing the most secured system. Security functional requirements include audit, communications, cryptography, data protection, authentication, security management, privacy, and protection of Targets of Evaluation (TOEs). Professor Humphreys’ spoofed GPS signals demonstrated just one resulting vulnerability when these general principles were not applied to UAV communications.
Software developed for use in UAVs falls under the guidelines of DO-178, “Software Considerations in Airborne Systems and Equipment Certification.” Both DO-178B and the recently ratified DO-178C provide detailed guidelines for the production of all software for airborne systems and equipment, whether safety-critical or not. As part of these guidelines, DO-178B/C defines Design Assurance Levels (DALs) with Level A involving the most rigorous safeguard against failure. DO-178 translates these DALs into Software Levels. Each software level has associated objectives that must be satisfied during development.
DO-178 recognizes that software safety must be addressed in a systematic way throughout the development life cycle. To help developers do this, the standard outlines needed processes such as requirements traceability, software design, coding, and the validation and verification that ensure confidence in and the correctness and control of the software. Robust software validation and verification processes enable developers to detect and correct errors introduced during software development.
With respect to software, the overlap between the two standards is considerable, especially with configuration management, software development, quality assurance, verification, and planning. However, DO-178 focuses solely on the safety of the software in the airborne system, while ISO 14508 focuses on system security.
Both standards require that high-level requirements are traceable to design documents, that design documents trace to code, and code traces to test – and back up again, from tests through to requirements to gain “bidirectional requirements traceability.” If requirements could be static and fixed from the outset, then traceability would be relatively straightforward. However, that is rarely the case, and consequently the maintenance of a matrix to show traceability at any particular time becomes a very labor-intensive task.
To help manage this matrix of relationships, requirements-traceability tools link system requirements to software requirements, from the software requirements to design artifacts, and then to source code and the associated test cases. The automated bidirectional tracing of requirements ensures that the developed UAV does exactly what is specified by the final set of requirements – no more, no less, and no matter how often those requirements change