Drones are increasingly being used for commercial purposes but this brings cybersecurity risks as drones can be vulnerable to cyber attacks. The document discusses regulatory compliance requirements for commercial drone use including FAA's Part 107 rules. It also outlines potential drone uses and privacy/data concerns when collecting information. The document provides tips for mitigating cyber risks to drones such as keeping software updated, encrypting communications, and implementing network security practices.
2. Overview
• What is a Drone?
• Drone Uses
• Regulatory Compliance
• Part 107
• FAA Drone Zone
• LAANC (Low Altitude Authorization and Notification Capability)
• Penalties for Violation
• Privacy & Security Implications
• Vulnerability to Cyber Attacks
• Mitigation Tips
• Conclusion
• Questions
3. Introduction
Drones are becoming increasingly important for businesses of
all types and sizes. Many drone applications already exist, but
many more will certainly arise as drone technology continues
to evolve and advance.
Unfortunately, this means that the cyber threats will also
continue to evolve and advance, so we must protect the
transmission and storage of data collected through drones.
4. What is a drone?
• Unmanned aerial systems (UAS), also known as drones:
• Four, six, or eight rotary blades
• More blades, more lift
• Often connected to Wi-Fi and GPS
• Lightweight
• Hand-operated/remote-controlled
• High-resolution cameras and recording devices
• Share information in real-time (better informed decision-making)
• Navigate independently via location intelligence services
5. Drones can collect valuable data and increase
productivity, safety and efficiency across all industries.
Drone Uses
6. Drone Uses (cont’d)
• Law Enforcement
• Search and Rescue
• Traffic Collision Reconstruction
• Investigative Active Shooter/Suspect
• Crime Scene Analysis
• Surveillance
• Crowd Monitoring/Safety
• Filmmaking and Media/News Outlets
7. Drone Uses (cont’d)
• Real Estate/Construction
• Increase Productivity
• Track progress
• Conduct site surveys on job site
• Generate aerial images, maps and 2-D and 3-D models
• Provide construction project managers, general contractors and survey managers with
up-to-date reporting to:
• Track construction progress
• Manage resources
• Reduce downtime
• Keep projects on schedule and under budget
• Reach ‘hard-to-get-to’ locations
• Monitor the site for trespassers/thieves
• Identification of aggregates, materials, equipment, temporary roads and structures
• Calculation of stockpile and excavation volumes
• General employee conduct monitoring
8. Drone Uses (cont’d)
• Healthcare/Medicine
• Deliver medication to rural areas
• Drop contraceptives over sub-Saharan Africa
• Transport blood samples to labs for swifter HIV testing
• Get Google Glass (i.e. telemedicine capabilities) to disaster victims
• Deliver AED for a heart attack victim
• Get medical supplies and/or medications to disaster areas, mass casualty
scenes and even offshore to ships with seriously injured passengers or crew
• Deliver expensive and rarely used drugs, such as anti-venom for snake bites
9. Drone Uses (cont’d)
• Agriculture
• From automated planting to crop management with real-time monitoring,
drones have a vital role to play in the future of farming.
• Precision agriculture is a farming management concept that uses drones to
measure, observe, and respond to variability found in crops.
• Deliver water or fertilizer to large areas
• Determine soil quality, size/status of crops
• Commercial Package Delivery
10. Drone Uses (cont’d)
• Energy/Environmental
• Replace conventional inspection techniques which involved workers climbing
rigs, pylons and cooling towers etc.
• Assess powerlines/repair powerlines and restore power
• Monitor oil rigs
• Keep an eye on energy distribution (by looking for “hot spots”)
• Protect wildlife populations through monitoring
• Monitor erosion or other changes to land over time
• Monitor water supplies and other infrastructure
11. Drone Uses (cont’d)
• Insurance
• Reduce fraud
• Collect valuable data to reduce losses
• Identify high-risk areas for customers (e.g., property at greater risk of flood with
nearby waterways; volcanic eruptions; forest fire)
• Evaluate and monitor risks (that can’t currently be assessed efficiently)
• Personalized premiums
• e.g., whether to insure the contents of an unlocked garage against theft; whether
to cancel a homeowner’s policy with an undisclosed pool
• e.g., confirm the existence of features that make a property less risky to insure,
i.e., storm windows, sloped rooftops or neighborhood gate
• Capture details of a location or building
• Underwriting assessments
12. What are the challenges to
implementing drones into the
National Airspace?
Major Challenge –
REGULATORY COMPLIANCE
13. Laws Up in the Air
• Federal Aviation Administration (FAA) has regulatory authority over
use of drones
• FAA Modernization and Reform Act of 2012
• On April 13, 2018, the U.S. House Transportation and Infrastructure
Committee leadership introduced a five-year FAA reauthorization
bill, FAA Reauthorization Act of 2018 (H.R. 4).
• This bipartisan Act focuses on stabilization of the FAA with
consistent funding instead of efforts to reform the air traffic
control system.
14. Commercial Use of UAS
• Follow the requirements of the Small UAS Rule (Part 107)
• ALL UAS flown for commercial purposes must be registered by the
individual owner ($5 each)—name, address, e-mail address, make,
model and serial number
• Taylor v. FAA – but President Trump’s National Defense Authorization Act of
2018 establishes express authority for the FAA to collect hobbyists’ fees and
information
15. Small UAS Rule (Part 107)
• Became effective August 29, 2016
16. Small UAS Rule (Part 107) (cont’d)
OPERATIONAL LIMITATIONS
• Weigh 55 lbs. or less
• Visual line-of-sight (VLOS) only
• May not fly over any persons not directly participating in the operation
17. Small UAS Rule (Part 107) (cont’d)
• Daylight-only operations
• Must yield right of way to other aircraft
• Maximum groundspeed of 100 mph (87 knots)
• Maximum altitude of 400 feet above ground level or, if higher than
400 feet AGL, remain within 400 feet of a structure
18. Small UAS Rule (Part 107) (cont’d)
• Minimum weather visibility of 3 miles from control station
• Operations in Classes B, C, D, and E airspace are allowed with the required
permission
• Operations in Class G airspace are allowed without permission
• No person may act as a remote pilot in command or VO for more than one
unmanned aircraft operation at one time
• No operations from a moving aircraft
• No operations from a moving vehicle unless the operation is over a sparsely
populated area
• No careless or reckless operations
• No carriage of hazardous materials
19. Small UAS Rule (Part 107) (cont’d)
• Requires preflight inspection by the remote pilot in command
• No operation by person who knows, or has reason to know, of any physical
or mental condition that would interfere with the safe operation of a small
UAS
• External load operations are allowed if the object being carried by the UAS
is securely attached and does not adversely affect the flight characteristics
or controllability of the aircraft
20. Small UAS Rule (Part 107) (cont’d)
• Most of the restrictions are waivable if the applicant demonstrates that his
or her operation can safely be conducted under the terms of a certificate of
waiver (Part 107 Waiver)
21. Small UAS Rule (Part 107) (cont’d)
• To qualify for a remote pilot certificate, a person must:
• Demonstrate aeronautical knowledge by either:
• Passing an initial aeronautical knowledge test at an FAA-approved knowledge testing
center; or
• Hold a part 61 pilot certificate (other than student pilot), complete a flight review within
the previous 24 months, and complete a small UAS online training course provided by the
FAA.
• Be vetted by the Transportation Security Administration.
• Be at least 16 years old.
• Temporary Certification within 10 business days (final certification
granted upon successful TSA vetting)
22. Small UAS Rule (Part 107) (cont’d)
• A remote pilot in command must:
• Make available to the FAA, upon request, the small UAS for inspection or testing and
any associated documents/records required to be kept under the rule.
• Report to the FAA within 10 days of any event that results in at least serious injury,
loss of consciousness, or property damage greater than $500.
• Conduct a preflight inspection, to include specific aircraft and control station systems
checks, to ensure the small UAS is in a condition for safe operation.
• Ensure that the small unmanned aircraft complies with the existing registration
requirements
• A remote pilot in command may deviate from the requirements of this rule
in response to an in-flight emergency
23. Small UAS Rule (Part 107) (cont’d)
Aircraft Requirements
• FAA airworthiness certification is not required. However, the remote
pilot in command must conduct a preflight check of the small UAS to
ensure that it is in a condition for safe operation.
24. Part 107 Waivers
• As of September 14, 2018, the FAA had granted 2,059 Part 107 waivers
• Completed through FAA’s online portal
• Waiver Application asks how you intend to safely conduct your
operation.
25. Part 107 Waivers (cont’d)
• The ‘waivable’ sections of Part 107 are:
• Operations from a moving vehicle or aircraft (§ 107.25)
• Daylight operation (§ 107.29)
• Visual line of sight aircraft operations (§ 107.31)
• Visual observer (§ 107.33)
26. Part 107 Waivers (cont’d)
• Operation of multiple UAS (§ 107.35)
• Yielding right of way (§ 107.37)
• Operation over people (§ 107.39)
• Operation in certain airspace (§ 107.41)
• Operation limitations (i.e., visibility) (§ 107.51)
27. The FAA's DroneZone is a "one-stop shop" for all UAS information and
resources. Within the DroneZone Portal, you can also register a drone,
apply for a Part 107 waiver, request a waiver or authorization, check the
status of a waiver/authorization request, or submit a UAS accident
report.
https://www.faa.gov/Dronezone/
28. LAANC
• What is LAANC?
• The Low Altitude Authorization and Notification Capability
• Gives drone pilots access to controlled airspace near airports below approved
altitudes through near real-time processing of airspace authorizations in controlled
airspace
• Drone pilots can use applications developed by approved UAS Service Suppliers to
access the LAANC capability
• South Central USA — April 30, 2018
• Western North USA — May 24, 2018
• Western South USA — June 21, 2018
• Eastern South USA — July 19, 2018
• Eastern North USA — August 16, 2018
• Central North USA — September 13, 2018
• If you want to fly in controlled airspace near airports not offering LAANC, you can
either use the manual process to apply for an authorization, or wait until the LAANC is
available.
29. Penalties for Violation
• Failure to register violations
• Regulatory and criminal penalties
• Civil penalties up to $27,500
• Criminal penalties up to $250,000 and/or imprisonment for up to 3 years
• Operational violations
• There is no one-size-fits-all enforcement action for violations. All aspects of a
violation will be considered, along with mitigating and aggravating
circumstances surrounding the violation. In general, the FAA will attempt to
educate operators who fail to comply with registration requirements. However,
fines will remain an option when egregious circumstances are present.
30. Privacy + Security Implications
• Although Part 107 does not specifically deal with privacy issues, and
the FAA does not (and has not agreed to) regulate how UAS gathers
data on people or property, the FAA “strongly encourages all UAS pilots
to check local and state laws before gathering information through
remote sensing technology or photography.”
31. Privacy + Security Implications (cont’d)
• Recommended privacy guidelines issued in May 2016
• Privacy groups and industry stakeholders that were participating in the
National Telecommunications & Information Administration (NTIA) Multi-
Stakeholder process released a set of best practices for commercial and private
drone use. Participants included Amazon, AUVSI, Center for Democracy and
Technology, Consumer Technology Association, CTIA, FPF, Intel, X (formerly
Google X), New America’s Open Technology Institute, PrecisionHawk, SIIA,
Small UAV Coalition, and many media organizations
32. Privacy + Security Implications (cont’d)
Voluntary best practices:
1. Inform others of your use of drones (i.e., where reasonable, provide prior notice to
individuals of the general timeframe and area where you may anticipate using a
drone to collect identifiable data);
2. Show care when operating drones or collecting and storing personally identifiable
data (i.e., retain only information that you must retain and de-identify information
when possible);
3. Limit the use and sharing of identifiable data;
4. Secure identifiable data; and
5. Monitor and comply with evolving federal, state and local drone laws and
regulations.
33. Drones are now being looked upon as
an emerging security issue –
both as targets for cyber-attack, and
as potential attack vectors
for malicious actors, themselves.
34. Vulnerability to Cyber Attacks
• According to a Gartner report from 2016, there will be 10 times more
commercial drones than manned aircraft by 2020.
• By 2020, several million commercial drones will be flying missions worldwide.
• Thriving community of ‘drone hackers’ already exists
• Susceptibility to Compromise
• Vulnerable links streaming data to and from a drone via serial port connections and
the ground station interface (whose data could be spoofed, enabling hackers to
assume complete control of the vehicle)
• Protocols implemented on the ground station applications enabling communications
with the drones are insecure, allowing hackers to install malware on the systems
running the ground stations
35. Vulnerability to Cyber Attacks (cont’d)
• Feeds used to monitor drones and facilitate information transfer through
wireless transmission are vulnerable to interception, malicious data
injection and alteration of pre-set flight paths
• Used to stage man-in-the-middle cyber attacks over guest and short-range
WiFi, Bluetooth and other wireless connections
• Threat to sensitive data collected by drones – e.g. critical infrastructure like
electric grid, transmission lines, solar and wind power, oil and gas
transmissions
36. Vulnerability to Cyber-Attacks (cont’d)
• Particularly vulnerable to jamming, interception and manipulation (and
equipment for this is relatively low cost)
• GPS vulnerability/spoofing
• Software changes during maintenance – could corrupt programming or
introduce malware
37. Vulnerability to Cyber-Attacks (cont’d)
• Threats are evolving rapidly
• Aftermarket models pose a threat to security
• Current UAS designs have different threats than future designs
• No set FAA standards for security
• FAA recommends using the NIST (National Institute of Standards and Technology)
framework as a primary standard
• Also look to RTCA (Radio Technical Commission for Aeronautics) for security standards
• NOTE: National Airspace is classified as a national critical infrastructure
• Of course, not all drones are subject to cyberattacks – if the drone only has a
radio link, and is flown manually, no connection to the cyber world exists;
but if the drone is connected to the Internet, then, yes, it is vulnerable
38. Mitigation Tips
• Good software policy
• Keep anti-virus protections up-to-date
• Train employees
• Split your network to limit and isolate sensitive data
• Communications should be encrypted
• Protect the drone against theft
• Protect against physical changes to the system
39. Conclusion
Unfortunately, security usually comes as an afterthought. The drone
industry is part of the aviation industry, which, based on its knowledge,
keeps safety as a number one concern. Part of that safety is having
proper protection for your systems, including
security as a fundamental design principle.