Thursday, January 18, 2024

CISA Publishes UAS Cybersecurity Guidance

Yesterday, CISA and the FBI published a new guidance document for uncrewed aircraft systems (UAS): Cybersecurity Guidance: Chinese-Manufactured Unmanned Aircraft Systems (UAS). According to the release notice, the document was designed “to raise awareness of the threats posed by Chinese-manufactured UAS and to provide critical infrastructure and state, local, tribal, and territorial (SLTT) partners with recommended cybersecurity safeguards to reduce the risk to networks and sensitive information.”

While the guidance document does not point to any known instances of data transfer from Chinese-made UAS to the Chinese government, it does make the point that:

“While ensuring that network-connected devices are up to date with the latest patches and firmware is critical for the secure operation of any ICT device, updates controlled by Chinese entities could introduce unknown data collection and transmission capabilities without the user’s awareness.”

The document goes on to recommend:

“Public and private sector organizations using UAS to collect sensitive or national security information are encouraged to procure, or transition to, secure-by-design systems.”

Commentary

It would be interesting to see which UAS CISA and the FBI consider to be ‘secure-by-design systems’. Using such systems still requires that the inevitable updates and security fixes be uploaded and installed in the drones. The vast majority of organizations are not going to have the expertise to determine whether those updates include changes to the operational software that provide for unapproved transfer of information back to the vendor. Even if the vendor is trustworthy (and Chinese companies have a tough time convincing folks that they are not more beholden to the Chinese government than to their customers), chances remain that a company’s development team could be hacked to allow for easter eggs in software updates.

Just a reminder: no system is completely safe from hacking, so reasonable cybersecurity and operational security controls have to be put in place. Then monitor the systems for unusual communications or behaviors, and figure out what you are going to do when you see indications of a breach.
