Securing UAS Fleets from Cyber Attacks

Executive Summary

As uncrewed aircraft systems (UAS) continue to proliferate in the National Airspace System (NAS) for commercial and public safety operations, the number of potential cyber vulnerabilities that malicious actors can exploit on these systems has also increased because of their networked communications. Many UAS vulnerabilities can be addressed easily through simple configuration changes, and UAS operators must harden their systems before flying. The “Securing UAS Fleets from Cyber Attacks” project addressed these issues by using the Brute Force Default Identification-Automated Prevention (BFDI-AP) system to prevent brute force attacks by identifying insecure default settings on selected UAS platforms that have been manufactured domestically or cleared by the Department of Defense’s Defense Innovation Unit “Blue List.” This automated solution is designed to secure UAS aircraft and fleets from cyber attacks and improve control protection during UAS operations.

CNA, in collaboration with RIIS, LLC, NUAIR, AX Enterprize, and the New York UAS Test Site, conducted research and analysis focused on improving the safety of the NAS by identifying and mitigating vulnerabilities that can be addressed easily through UAS configuration changes. To secure these aircraft from cyber attacks, an automated solution was developed and validated through a series of live-flight demonstrations focused on public safety and commercial delivery scenarios. These demonstrations confirmed the BFDI-AP system in an operational environment. The BFDI-AP identified default configurations that are risks, mitigated the vulnerabilities through a configuration change, and communicated the change to the UAS operator. The scope of work included a vulnerability assessment, prototype system update, and test and evaluation through flight demonstrations. This project culminated in the successful live demonstration of the BFDI-AP system and the live flights of three commercial UAS platforms.

In addition to the enhanced and validated BFDI-AP security solution for UAS, our research resulted in recommendations to improve broader awareness among the UAS community of cybersecurity threats, vulnerabilities, and mitigations to improve the safety and security of these operations. This report details the approach, results, data, and challenges that resulted in the completion of the live demonstration at the UAS Test Site in Rome, New York, on July 16 and 17, 2024.