Mike Gillespie

ST16 Heathrow drones talk

I had the pleasure of speaking at ST16 Heathrow recently on the topic of ‘Drones and the Emerging Security Threat’.

It was well attended and it was gratifying to feel the interest not only in drones, but in cyber aspects to drone use and how this may develop and affect all of us, regardless of our security function or discipline. I wanted to re-visit some of the points from the presentation and underline some of the areas we need to be thinking about.

Drones, or Unmanned Aerial Vehicles (UAVs) as they are sometimes called, are appearing in many areas of life; military, commercial, public and domestic uses have all grown over the last five to ten years. The news and mainstream media have carried many stories of the military use of drones, mainly strikes against remote targets and the elimination of terror threat to the UK from specific targets, as well as bombing campaigns in dangerous regions. But they are also used for surveillance, limiting the risk to human life and resources. Border control and patrol are also military applications for drones, and once again we see this limiting the exposure of humans while carrying out vital work. The need for quality intelligence in warfare will always be high, and finding ways to use technology to limit the number of times you risk people in order to get it is good. They can be used in highly dangerous places, but the loss of equipment is always a risk. For reasons I will come on to shortly, losing a military drone is a serious matter.

The commercial use of drones in the UK has grown considerably and we only have to look at news, natural history, sports and music events to see how widespread and transformational they have been … and will continue to be. The Civil Aviation Authority (CAA) issued 1,684 commercial licences in 2015 and all indications are that 2016 will see a huge rise in use by film-makers, artists, crop-sprayers and internet-based delivery carriers. Amazon, for instance, has been testing drone delivery for some time and, given its move into fresh food delivery, looks likely to widen its drone use. Most people ordering fresh food will know they will be there to receive it when the drone arrives, which should make for a seamless (famous last words) process and limit the opportunity for theft, though this would be a risk that would need addressing by both Amazon and the consumer. Commercial uses for drones, however, go way beyond what they can transport. If you look, for instance, at what Facebook is hoping to do with drones, you start to see the huge applications for these vehicles. Covered with solar panels, Facebook's drone will be the size of a 747 and will effectively orbit the Earth with the intention of delivering internet access to remote areas of the world. This is a massive undertaking and, though privacy watchers will probably have a field day when it comes to picking apart their motivation, Facebook will be providing coverage to places that badly need it.

Public uses for drones or UAVs include policing and traffic control, both traditionally difficult areas, and aerial capability is remarkably useful in increasing the effectiveness of things like pursuit, surveillance and traffic monitoring. There are some incredible uses of drones coming from health, as we see drones being flown into remote or epidemic-ridden areas to provide medical equipment for testing, medical relief or vaccination, while limiting the exposure of health workers to contagion and sickness. It also allows for an accurate assessment to be made of the level of contagion and general health of an area or community, to establish what other needs there may be. Drones are also used in environmental monitoring, for instance in places that are inhospitable or downright dangerous for people, yet still need to be monitored. Think of things like volcanoes: the risk to people is great and yes, we do have accurate scientific information from things like seismic monitoring equipment, but it helps scientists understand even more to be able to couple this quality information with visual feeds from UAVs designed to be flown near these forbidding landscapes. They can also be used in cases of environmental disaster to establish the state of play without risking human life. Think of the risks posed from things like radiation that could be avoided in the event of a disaster.

Domestic drone sales have also taken off, if you’ll forgive the pun, like a rocket. The CAA stated that between January and October 2014, domestic drone numbers were 80pc up. It will be interesting to see the growth rate this year, given that the regulation of the use of domestic drones was rolled out in January, which limited use and placed restrictions on practice for drones. Part of the regulation states that domestic drones with cameras may not use the footage they capture for commercial gain; they would need commercial licences for that. Drones under 7kg do not need to be registered with the CAA. All drones, however, are restricted in terms of how they can be flown. For instance, they must never be ‘out of sight’ of the pilot. In real terms this means 400 metres away or 500 metres up. They must not be flown within 50 metres of people, buildings, vehicles and structures if fitted with a camera (regardless of whether it is filming or not), and any images captured will be subject to the Data Protection Act 1998.

However, we have already had instances of drones being used nefariously, including a man who was fined after he flew and lost control of his drone over a nuclear facility, and another who flew his over the Manchester City stadium during a game against Tottenham. A man also flew his drone over Buckingham Palace, Parliament, HMS Belfast and The Shard; he also frightened horses at a football match, which really was going too far. My favourite so far was the drone that was disguised as The Grim Reaper for Hallowe’en and flown through a graveyard.

Disturbingly, we have also had incidents of offenders hovering drones over children’s play areas and sunbathers, and at least one ‘sexual offence’ incident, no details thankfully. At least one UK domestic drone has been shot at. We know they have been used extensively to drop contraband into prisons; that’s the thing about criminals, they rarely worry about the law or regulations! This brings us to the emerging threat. As you can see, the drone area is vast and the opportunity for criminals is huge.

We have seen weaponisation of domestic drones by enterprising journalists and teens alike: one managed to modify a drone to carry and remotely fire a semi-automatic weapon, another turned one effectively into a flying flame thrower and wrought havoc in a wooded area. The weaponisation of a domestic drone which, if bought under the 7kg limit, might not even be registered is unnerving to say the least. We need to factor this area of threat into our threat assessments. Think about mixed events like festivals. Not only do you have a risk of theft, violence or sexual crimes, you also have a captive audience who are not just a static audience but are resident for three or four days in one place, which is easy to get into and hard to leave in a hurry. A lobster pot, if you will.

We also know that the old headline grabber, hacking, is a possibility. We know that a group of hacktivists attempted to hack a military drone to disable it, and they rarely give up easily. A police drone in the US was hacked from 2km away using a $40 kit bought online. DEF CON 2015 featured a live drone hack, and we also know IS are making concerted efforts in this area too, as they are across the cyber-attack landscape. Hacking a drone that has a perfect right to be in a sensitive area, and so would not immediately raise suspicion, must also be considered as an attack vector.

The rise of the machines looks set to continue and a huge amount of good can be achieved with it. We as security professionals need to be factoring in the threat from drones, both accidental and criminal. We also need to make sure, if we are using them, that they are well protected and licensed properly.

You can access guidance from the CAA via