The Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) released important cybersecurity guidance associated with Chinese-manufactured unmanned aircraft systems (UAS).

Chinese-manufactured UAS, commonly known as drones, pose a significant threat to critical infrastructure and U.S. national security, the two government agencies announced. The People’s Republic of China (PRC) has enacted laws that grant the government extensive legal authority to access and control data held by Chinese firms, increasing the potential for data theft and network compromises.

Using Chinese-made UAS requires careful consideration and possible mitigation to minimize risks to networks and sensitive information. CISA and the FBI advise critical infrastructure owners and operators in the U.S. to opt for UAS that adhere to secure-by-design principles, particularly those produced by U.S. companies. Additionally, CISA and the FBI recommend following the principles and cybersecurity suggestions outlined in their guidance for any organization procuring and operating UAS.

The guidance follows the White House’s 2023 National Cybersecurity Strategy and the Annual Threat Assessment from the Office of the Director of National Intelligence, recognizing the PRC as the most advanced, active, and persistent cyber threat to the United States.

UAS Vulnerabilities Overview

The PRC’s potential acquisition of sensitive information and network access through Chinese-manufactured UAS could have severe implications for critical infrastructure security and resilience. Gathering such data or network access can further the PRC’s strategic goals and adversely impact U.S. economic and national security. The document states, “The use of Chinese-manufactured UAS in critical infrastructure operations risks exposing sensitive information to PRC authorities, jeopardizing U.S. national security, economic security, and public health and safety.”

As UAS are information and communication technology (ICT) devices, they can receive and transmit data. Each connection point is a potential target that could be exploited to compromise sensitive information. Potential vulnerability points include:

  • Data Transfer and Collection – UAS are often controlled by smartphones and other internet-connected devices that provide a path for UAS data egress and storage, allowing intelligence-gathering on U.S. critical infrastructure.
  • Patching and Firmware Updates – Data collection capabilities can be introduced to any ICT device without the user’s awareness.
  • Broader Surface for Data Collection – Survey data, sensitive imagery, facility layouts.

UAS Cybersecurity Recommendations

Public and private sector organizations utilizing UAS to collect sensitive or national security information are advised to acquire or transition to systems designed with security in mind. This suggestion is particularly important for the federal government, as outlined in Executive Order 13981 – Protecting the United States from Certain UAS, mandating departments and agencies to formulate plans addressing risks associated with UAS manufactured by foreign adversaries. Organizations can refer to the Department of Defense’s Blue UAS Cleared List to identify UAS that comply with federal cybersecurity policies.

  • Plan/Design – Ensure the secure and comprehensive development of goals, policies, and procedures for the UAS program across the organization.
  • Procure – Identify and choose UAS platforms that align most effectively with the operational and security needs of the organization.
  • Maintain – Conduct routine updates, analysis, and training in adherence to the organization’s plans and procedures.
  • Operate – Ensure proper operational and security policies are followed during operational usage.

For the full guidance provided by the FBI and CISA, please see the attached document below.
