India drafts framework to tackle drone security vulnerabilities amid rising threats

With unmanned aerial systems (UAS) being integrated across hierarchical levels in military operations, the Ministry of Defence (MoD) has drafted a ‘Framework for Testing Security Vulnerabilities in Drones’ as UAS security has become a major area of concern, necessitating a practical and implementable regulatory framework of testing and certification.

“Recent conflicts and global incidents have indicated the significance of drone and counter-drone systems, which are now playing a transformative role in warfare. Insecure drones, however, will pose a significant risk to national security, the framework, a draft of which was released by MoD on March 25, states.

“Drones could have vulnerabilities that enable data theft or facilitate network compromises. Vulnerability identification and mitigation therefore, requires careful consideration to reduce potential risk to operations, networks and sensitive information,” the draft adds. Security concerns have been raised recently over foreign manufactured drones or their components, especially of Chinese origin, being used in India.

As India seeks to strengthen its defence capability, developing a secure drone eco-system is paramount for enhancing the operational capability of the Armed Forces and reducing dependency on foreign suppliers, according to the document.

“The ideal solution lies in procurement of drones that follow ‘secure-by-design’ principles to proactively avoid the vulnerabilities and emerging threats. To ensure secure drone systems which can prevent data theft and adversary to take over the control, the solution lies in design, development and manufacture of critical drone components domestically, wherein all vulnerabilities related to hardware and software aspects of the drone system are addressed in entirety,” the document states.

The ministry has, however, pointed out that since the industrial eco-system in this regard will take time to mature and deliver, during the interim period it is essential that software and hardware testing of critical components of drones by quality assurance/quality control/product evaluation agencies are undertaken to ensure that there are no security vulnerabilities.

Security vulnerability in this context refers to a security flaw, weakness or error within the drone system that can be leveraged by an adversary, thus compromising its operational performance. Such insecure drones are vulnerable to cyber threats and physical risks.

The avenues of potential compromise listed in the document include interception of communication links, GPS jamming and spoofing, control hijacking, data exfiltration and manipulation, and data transfer and collection on the internet.

The critical components that are vulnerable include the electronic speed controller, flight controller, flight control firmware, transmission and reception unit, sensors unit, ground data terminal and ground control station software.

Procuring departments and agencies should have a plan that addresses risk from drones or their components manufactured by a foreign firm. Therefore, comprehensive analysis to understand in detail the component level vulnerabilities and its mitigation measures was undertaken.

The framework defined by the ministry involves assessing system level vulnerabilities and earmarking critical components and identifying avenues for exploitation of drone systems by adversaries.

Correlating the desired capabilities with the present eco-system, involving the required state of the secure drone system and the present indigenous capabilities, followed by hardware component level validation, and vulnerability and penetration testing of software are other elements of the framework.