CISA, FBI Urge Critical Infrastructure Owners to Bolster UAS Security Measures
The U.S. Cybersecurity and Infrastructure Security Agency is sounding the alarm on the mounting popularity of Chinese-manufactured unmanned aircraft systems, warning that Sino drones could pose serious risks to American critical infrastructure sectors.
The nation’s cyber defense agency published joint guidance Wednesday with the FBI detailing how “the use of Chinese-manufactured UAS in critical infrastructure operations risks exposing sensitive information to PRC authorities.” The guidance highlights that Chinese law compels prominent Chinese-owned UAS manufacturers operating in the United States to collaborate with Beijing’s intelligence services and engage in foreign data collection operations.
Critical infrastructure owners and operators across the country “are increasingly relying on UAS for various missions that ultimately reduce operating costs and improve staff safety,” CISA Executive Assistant Director for Infrastructure Security David Mussington said. Organizations use drones to enhance operations and reduce costs, including by inspecting power lines or inspecting offshore oil rigs without the need for thrusting humans into danger.
Chinese-manufactured or other insecure UAS devices in or near critical infrastructure facilities can potentially provide foreign adversaries with sensitive imagery and a broader surface for data collection, the guidance says. CISA urged organizations using UAS in critical infrastructure settings to transition to secure-by-design systems that have incorporated robust security measures.
“Without mitigations in place, the widespread deployment of Chinese-manufactured UAS in our nation’s key sectors is a national security concern,” Bryan Vorndan, assistant director of the FBI’s cyber division, said in a statement. “It carries the risk of unauthorized access to systems and data.”
UAS platforms and their components should be included in organizational cybersecurity frameworks for internet of things devices, CISA recommended. The guidance also urged organizations to implement a zero trust framework for the UAS fleet and a supply chain risk management program for all information and communications technology devices.
CISA has previously published guidance for critical infrastructure operators, law enforcement and the public on UAS cybersecurity best practices, as well as privacy and data protection guidance for all drone users.