What does it mean for a system or network to be “secure”? It’s a simple question with countless answers, especially in the drone industry, where “drone security” can entail specifics related to data encryption or best practices when it comes to password sharing. However, those examples demonstrate the limitations of thinking of “security” as a given tool or process, when it’s really more of an approach and mindset.
![](https://s3.divcom.com/www.commercialuavnews.com/images/fc3a4b9c3b3627a4791e533ab78bc13a.jpg)
That approach and mindset to security is something Kip Gering understands on multiple levels. Starting his career in the US Air Force gave him a unique perspective on communication challenges in space that allowed him to help roll out the first large-scale, million-point wireless networks for utilities in California and Texas for advanced metering infrastructure and other smart city applications. He's helped industrial enterprises to enable remote and local access controls while also protecting operational technology software and devices for a variety of critical infrastructure companies in the utility, oil and gas and defense sectors.
This experience in providing cybersecurity protections in Industrial IoT environments is foundational to his current role as Chief Revenue Officer (CRO) at SpiderOak, where he’s focused on outlining what it means to engineer solutions to address the compliance, security, and usability needs of today’s environments. The company is rooted in a data-centric approach to cybersecurity, which is connected to a more significant shift that Gering has witnessed firsthand over the past few years.
“The way people think about cybersecurity has definitely changed,” said Gering. “Not too long ago, you might say your systems were ‘secure’ if your operational networks weren’t connected to the Internet via a term called air gapping (where your secure computer network is physically isolated from outside networks). The problem is that there are too many other ways to breach the perimeter of these networks, intercept, or interfere with operations whether the communications were transmitted wired or wirelessly. That’s compelled a new way to think about cybersecurity by moving away from a network-centric mindset to an approach that includes both zero trust concepts and secure by design principles, which is our specialty.”
Gering explained zero-trust architecture as a paradigm that shrinks defenses from a network perimeter down to individual digital interactions between resources that should ‘never trust but always verify’. Even when a resource has access to the network, in a zero-trust architecture, that resource must be authenticated and authorized to exchange information with another resource regardless of its location within the network. That is distinct from a resource authenticating to a network, where once inside, access and lateral movement are not well controlled, which results in unfettered access to unprotected resources within the network.
SpiderOak’s zero-trust security at the edge is built on these zero-trust principles, but the approach that Gering mentioned around secure-by-design principles also makes it distinct. It’s an approach that asks companies that build software and hardware to do so in a way that makes them less vulnerable to cyber-attacks. Their adoption of secure-by-design and secure-by-default principles enables the creation of inherently more capable systems that exchange digital interactions with authentication and fine-grained authorization as part of every message without relying on other network security controls. This approach enhances their customers’ and end users’ security position against emerging AI-driven threats and strengthens their defenses against sophisticated attacks targeting network infrastructure vulnerabilities.
In a world where Malware-as-a-Service (MaaS) exists, that concept isn’t one to think about in the abstract but one to prepare for on every level.
Building from that place of capability is where the connection to the drone industry comes in, as this security mindset is one that drone hardware and software manufacturers need to think through. SpiderOak has a development platform that enables technology providers to achieve secure-by-design principles to reduce future vulnerabilities and provide their customers with the security and communication reliability they need in the present and will expect in the near future.
“With drones, you’re going to see more and more malicious actors try to jam communication signals, so there's a real need to operate when those communications are being denied or degraded, or just when you’re dealing with low bandwidth,” Gering said. “That's where we really shine, because we're completely decentralized while also offering guaranteed eventual delivery to increase communication resiliency. That makes us very attractive to companies who build systems operating where you may have intermittent connectivity or the interaction between systems spans multiple networks or requires peer to peer interactions at the austere edge.”
This level of reliable communication is the exact thing needed to ensure a connection is maintained with autonomous swarm applications that have pre-programmed flight paths or adjust to changing conditions. It can also ensure that interactions with crewed aircraft are completely maintained and understood, the stakes of which can’t be higher. Additionally, the capability to improve communication resilience is literally built into their software.
The decentralized nature of their approach is also beneficial when it comes to controlling who gets to see the data associated with a given operation. For specific public safety operations and on certain surveillance projects, data segmentation between the technology operators and the operational data subscribers is critical. Clear data-sharing protocols that specify precisely what information is accessible to whom must be established.
Gering prioritizes establishing cybersecurity details like these from the initial design phase of a project rather than attempting to bolt them onto an existing one. This proactive approach ensures security is a fundamental part of the solution, allowing technology providers to reduce system development costs while their end users require fewer additional security controls for a lower cost of operation and fewer single points of failure. It’s an approach that further helps with challenges related to communication intercepts and spoofing, as their embedded software authenticates and authorizes every message from mission payload delivery to the transmitting of command functions. These fundamental security features set their solution apart and are a key reason why drone technology providers are choosing to partner with them.
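The difference between admitting a resource to a network and authenticating and authorizing every message, as described above, can be shown with a small receiver-side check. This is an added example, not SpiderOak's code or API: the identities, per-identity HMAC keys, command names and policy table are all constructed for illustration, and symmetric HMAC keys stand in for whatever credentials a real system would use.

```python
import hashlib
import hmac
import json

# Constructed per-identity keys and command policy (illustrative assumptions).
KEYS = {"gcs-1": b"k-gcs-1-demo", "payload-op": b"k-payload-demo"}
POLICY = {"gcs-1": {"set_waypoint", "return_home"}, "payload-op": {"camera_on"}}


def _mac(key, sender, counter, command, args):
    # The MAC covers every field, so changing any of them invalidates it.
    body = json.dumps([sender, counter, command, args], sort_keys=True).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()


def make_message(sender, key, counter, command, args):
    return {"sender": sender, "counter": counter, "command": command,
            "args": args, "mac": _mac(key, sender, counter, command, args)}


class Receiver:
    """Judges each message on its own; network location is never consulted."""

    def __init__(self):
        self.last_counter = {}  # highest accepted counter per sender

    def accept(self, msg):
        key = KEYS.get(msg["sender"])
        if key is None:
            return "reject: unknown sender"
        expected = _mac(key, msg["sender"], msg["counter"], msg["command"], msg["args"])
        if not hmac.compare_digest(expected, str(msg["mac"])):
            return "reject: bad authentication"
        if msg["counter"] <= self.last_counter.get(msg["sender"], -1):
            return "reject: replay"
        if msg["command"] not in POLICY.get(msg["sender"], set()):
            return "reject: not authorized"  # authenticated, but not for this command
        self.last_counter[msg["sender"]] = msg["counter"]
        return "accept"


def demo():
    rx = Receiver()
    ok = make_message("gcs-1", KEYS["gcs-1"], 1, "set_waypoint", {"lat": 1.0, "lon": 2.0})
    spoofed = dict(make_message("gcs-1", KEYS["gcs-1"], 2, "set_waypoint", {"lat": 1.0}),
                   args={"lat": 9.0})  # fields altered in transit
    lateral = make_message("payload-op", KEYS["payload-op"], 1, "return_home", {})
    return [rx.accept(ok), rx.accept(ok), rx.accept(spoofed), rx.accept(lateral)]
```

The last case is the one a perimeter model misses: the payload operator is a legitimate, authenticated participant, yet its flight command is still refused because authorization is evaluated per message.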
“With SpiderOak, software developers can focus on writing code for operational functions and features instead of logic to implement network communication protocols, re-try logic and security controls to meet their customer requirements. Our solution automates the creation, application, and implementation needed for secure messaging as part of our platform,” Gering said. “Building that in from the beginning is essential for drone solutions because most depend on network or data link encryption and shared credentials. We can give you an easy button that allows you to check multiple cybersecurity boxes. That allows users to deploy a higher level of security including authentication, access control, data integrity and confidentiality.”
That sort of security offering is one drone companies want to be able to provide to their clients as missions get more and more complex. With security threats evolving alongside the underlying technology, robust data protection and verifiable assurances against unauthorized access or modification will be a critical differentiator for drone companies across the industry.
Such considerations are connected to issues that aren’t specific to the drone industry, and Gering mentioned the importance of not having to make tradeoffs when making these decisions. It will always be easier to go with a simpler cybersecurity option or rely on security measures built into RF or the network technology. However, that approach leaves users vulnerable to incidents like a network breach or spoofing where everything changes.
Preventing data breaches and worse requires more than just a secure system or solution. Staying informed about the evolving threat landscape and emerging attack vectors is equally crucial. That understanding underscores the importance of a holistic approach to security that never really ends, but instead evolves along with the people, technology, and processes that are required to defend against attacks that will continue to advance.
“Cybersecurity is a journey,” Gering said. “It’s always best to practice cyber safe engineering to ensure it’s part of your overall system development process and product lifecycle. It’s also important for technology providers to stay abreast of vulnerabilities and attack techniques and tactics against the types of system you offer. That kind of vigilance is important, because the threat and attack techniques are always evolving.”