Securing our airspace and the devices that pass through it is more critical than ever, with civilian and military drones now part of the mix. Securing piloted and autonomous craft, airspace infrastructure and communications is therefore critical to maintain safety and operational viability.
On the final day of ISC2 Security Congress 2025 in Nashville, Nathan Sweaney, CISSP, cyber innovation advisor at the Oklahoma Cyber Innovation Institute, and his colleague, executive director David Keely, discussed the cybersecurity challenges of an intriguing area of technology: unmanned aerial vehicles (UAVs) – or as they are more commonly known – drones.
The University of Tulsa, where the Institute is based, has something of a reputation for innovation in the field of drones, securing upwards of $91 million in research grants since 2022.
Taking a Drone Out of the Air
Keely began by describing the loss of an RQ-4 drone in Iraq in Afghanistan back in 2011. The important element was that it was not shot down: “They actually intercepted it in flight and landed it on their territory,” he said. As with many so-called modern attacks, this was not even the first example of such an action – just the first well-known one. “That was not the beginning of the problem,” he said, “but that was the beginning of the high profile nature of the problem”.
Sweaney then extended the story outside the world of nation-sponsored military attacks, citing the example of Samy Kamkar. “[Kamkar] demonstrated an attack with consumer hardware. With a consumer drone that he just bought at a store, he was able to spoof a wireless controller and mimic that to take over another drone in flight. So, one drone came over, took over another drone and caused it to land wherever he wanted it to.” Acknowledging that this was cheap tech intercepting cheap – and presumably not very secure – tech, Sweaney then cited a further example of researcher Nils Rodday, who used $40 of equipment to intercept a $40,000 police drone.
Keely made the impact of the threat against commercial drones very clear, noting that these devices are becoming increasingly important in our society and our dependence on them is only going to increase. He noted that the potential cost savings are immense, as are the potential increases in the capability of drones – we are moving to a world of what he termed “advanced air mobility”. Amazon was cited as a well-known example: “[Amazon’s trial drones are] ugly, but they are effective. That system will continue to grow. It lowers the amount of fuel that is burned in delivery trucks. It is not caught up in traffic jams and it's coming straight to the homes and businesses that are getting those deliveries.” “The sky is the new frontier,” proclaimed Keely. Along with commercial logistics, for example, the uses of drones in public services were touched on, too: drones that are launched as first-response vehicles to provide aerial surveillance to improve the quality of the overall response. Military applications have already been touched on, but even human transportation is not beyond belief.
Ensuring Aerial Systems Safety
Control over what happens in the sky is critical. “There's a lot of complexity and a lot of things that have to be figured out,” said Sweaney. “On top of that, there's a lot more automation. There's a lot more instrumentation. Things have to be able to know what's where, what's happening.” He also touched on a related concept, the field of self-driving cars: where people meet machines. “If you have self-driving cars, who gets the right of way? The human driver, the self-driving vehicle, you know, all that kind of stuff in the sky. It's the same type of situation. What happens if a human does something stupid and the automated system is no longer able to do what it was supposed to do?” The point is that the cybersecurity element is not about securing individual devices. As Sweaney put it: “It's all of these systems working in concert. It's a really large ecosystem that has to be considered.”
The answer is an automated approach, because, as Keely noted, “There's just going to be too many objects in the air.” Air Traffic Control (ATC) using people to make decisions is fine for aviation, but simply not enough in air mobility. Speaking of ATC, which is overseen by the Federal Aviation Administration (FAA) in the U.S., the “automated traffic management” systems have to work alongside the traditional ones. Sweaney noted that: “Anytime the FAA or local law enforcement or somebody issues a temporary flight restriction over an area and says, ‘Nobody's allowed to fly here’, all of those systems have to communicate with all of the other [unmanned aerial] systems”.
The Critical Role of Cybersecurity
Amid all this, cybersecurity is, of course, absolutely critical. The duo cited six categories of cybersecurity concept that have to be considered.
First is dealing with interruptions to radio control – interference, spoofing and jamming. What does a device do when hit with a radio attack, or when it loses touch with the control center? Then there’s the supply chain: can we even trust the radio hardware installed in the units if the microchips were manufactured in a country that is regarded as unsavory? Next are artificial intelligence (AI) attacks: the prevalence of AI means that some of it will inevitably be pointed at air mobility. Software flaws are another risk: good old bugs in the software of either the UAV or the ground control unit (or both). Then protocol hijacking: exploiting poor protocols or weak authentication to compromise the device. And finally good old physical interference: if an attacker can access the physical device before it embarks on its journey, an attack is a possibility.
In short, the duo cited a wide selection of applications in which advanced air mobility can and will bring benefits to society, along with an equally long list of threats and risks related to them. So, what do they consider to be the way forward?
First, the FAA is highly conscious of the concepts involved and has drafted rules for what it terms “Beyond Visual Line of Sight (BVLOS)” drones. It was observed that there is a fair amount of overlap between FAA proposed guidelines and established cybersecurity industry concepts from the likes of NIST and NASA, so an output is required in order to bring air mobility into the fold. Next is the need to align UAV management and security frameworks with the standard ones we know, whilst acknowledging that new approaches are needed for autonomous systems. Finally, the challenge of testing has to be addressed. As Sweaney pointed out: “You can give me a device, and I can take it apart, and I can explore the functionality and capabilities, and that's easy to do. But when that device is part of a larger ecosystem that interacts with lots of other production systems, it's a lot harder, because that device is getting input from sources that I can't control.”
Helpfully, the industry is already heading toward an accepted certification which is at least a starting point for commercial and other non-military UAV security evaluation. Learning from the U.S. Department of Defense (DoD) “Blue UAS” standard, which vets and approves commercial Unmanned Aerial Systems (UAS) for government use, the “Green UAS” certification developed by the Association for Uncrewed Vehicle Systems International (AUVSI) looks at each device’s compliance with 100+ specific security requirements, applies penetration testing specific to that type of device and even goes as far as tearing the system apart to check that none of the components comes from an unsuitable (or even sanctioned) source.
Keely and Sweaney gave an intriguing introduction to a cybersecurity topic that most will not have considered, but which will inevitably become increasingly relevant over the next handful of years.
Coming Soon: ISC2 Insights sat down with Nathan Sweaney, CISSP and David Keely to learn more about the challenges posed by the increased use of our skies by technology and autonomous systems. We will update this article when that interview is live.



