The Curious Case of Cyber Vulnerability of Drones
Venkatesh is an entrepreneur and technocrat with expertise in technology leadership roles, and is renowned as a thought leader in the Indian Drone ecosystem.
17th September 2024 changed the way electronic devices were perceived forever. A simple, dated communication device like a pager was transformed into a weapon by the Israelis to strike fear into the hearts of the Hezbollah cadres. Thanks to this incident, every electronic device the world over, from the omnipresent mobile phone to TVs and washing machines, started being looked at as a potential security threat.
Hacking was always associated with software or an app on a phone or laptop, and no one really associated it with taking over the device itself and commanding it to explode and kill. The fact that a pager could be remotely detonated has got national security pundits across the world going deeper into understanding why and how it happened. In the case of dual-use technologies like drones, the risk is much higher as drones, unlike pagers, are mobile vehicles capable of carrying significantly larger explosive payloads.
The majority of the connected electronic devices we use today as part of our daily activities are, in fact, Cyber-Physical Systems (CPS).
What is a Cyber-Physical System?
Cyber-physical systems (CPS) are engineered systems that combine physical components with computation, sensing, control, and networking. Hence, it is critical to understand the core elements of a CPS to understand and map the vulnerabilities of the electronics we use daily.
At the very core of every electronic device, connected or otherwise, lies its motherboard, around which its CPS is built. The software/code elements of the CPS are where its vulnerability lies.
All of us, young or old, have heard the term “hacking,” which is essentially an act of modifying existing code, i.e., software, app, OS, or firmware, to achieve an outcome desired by the hacker. Hence, the vulnerability of any CPS lies in its code elements, which execute a range of tasks to achieve the desired outcomes for the bona fide user.
Cyber Threat Analysis of Drones in India
Pagers and drones have the same vulnerable code layers. When the device is hacked, the same code elements that were earlier working for the bona fide user are commanded to execute tasks to achieve the outcome the hacker desires. Hence, denying access to the firmware, normally through UI software or codes in the wireless system, is the first line of defense.
When encrypting the wireless channel and the vulnerable open-source layers within, the use of proprietary codes at every level of the CPS’s software/code elements places multiple small locks at each layer rather than a single large lock.
Drones have been widely used in the Ukraine-Russian Conflict, and their use cases and deployments are closely watched by Military planners and security experts around the world. Thanks to this, the awareness of the need for drone cybersecurity has grown rapidly.
This war has also turned the standard military doctrine on its head by showcasing the huge benefits of using commercial off-the-shelf drones and components to facilitate the mass deployment of application-specific drones at low costs while still maintaining their cyber integrity.
The shock wave of the Hezbollah Pager attack has had a far deeper impact on the Indian security agencies on account of the Hacking and takeover of the Indian Army’s premium tactical drone on multiple occasions in the past, with the most recent being just before the pager attack in August 2024.
The cybersecurity vulnerability caused by Chinese-origin electronics was further compounded by the discovery of rampant use of Chinese components in the so-called “Made-In-India” drones supplied to the Army by leading Indian Drone OEMs. This discovery led to the Army suspending deliveries against all orders and working on a framework to ensure the Cybersecurity of all defense drones.
The Government's urgency in addressing the Cyber vulnerabilities of drones, both in the Civil and Defense domains, is a key requirement from the country's National Security perspective, given the current geopolitical landscape.
These critical initiatives are being seriously hampered by the failure of the Director General of Civil Aviation (DGCA) to effectively implement the Civil drone regulations, coupled with the failure of the Director General of Foreign Trade (DGFT) to impose its own ban on the import of Chinese drones into the country.
Chinese DJI drones, whose import has been banned (DGFT’s notification No. 54/2015-2020 dated 9th February 2022), constitute 23 percent of the drones officially registered with DGCA through the issue of Unique Identification Numbers (UINs); these are banned, i.e., smuggled, Chinese drones.
Additionally, the majority of the 88 OEM Drones Type-Certified by DGCA are assembled using Chinese components, including critical open-source electronics, rendering them vulnerable to Cyber-attacks and takeovers. Further, DGCA does not have a system in place to track and monitor any of the drones for which it has issued Type Certificates.
Hence, every one of the 27728 drones for which it has issued UINs at the time of writing this article has the potential to compromise National Security. Further, it is estimated that India has a population of unregistered drones three times the size of the registered ones.
In light of the above, and from the perspective of the pager attack, which claimed around 40 lives with 3000+ casualties, India’s Chinese drone threat is estimated to be over 50,000 drones spread across the country, which can largely be attributed to DGCA’s failure to implement the Civilian Drone regulations.
In fact, the drone threat today is far more tangible and significant than before the promulgation of the Civilian Drone regulations in August 2018 and the launch of the drone rules in July 2021.
Shockingly, today, we have more unmonitored imported Chinese drones capable of carrying an explosive payload of over 10 kg operating in the country than there were before the promulgation of the drone regulations.
While this will continue to remain a challenge for implementing MeITY’s much-needed initiative, the Government should pursue implementing the cybersecurity policies for both civilian and defense drones quickly. It would be a huge shot in the arm that could potentially shift the drone supply chain a level inward, from assembly of imported components to manufacturing of components and sub-systems in the country. This will go a long way in fast-tracking the national ambition of evolving into a global drone hub by 2030.
In addition to implementing the Cybersecurity policy, the Government should work in parallel to facilitate the on-boarding of domestically developed and manufactured drones into DGCA’s type certification program, which is a huge entry barrier for the indigenization of drones in the country today. DGCA’s rigid type certification rules favor importing components over those manufactured within the country.
In conclusion, the Government, having realized the potential cyber risk associated with drones after the Hezbollah pager attack, is moving fast to address the problem. It also needs to factor in DGCA’s failure to implement the Civilian drone regulations and its potential collateral impact, and initiate steps to address that issue in parallel.