
Cybersecurity threats are seen as an increasing risk to critical infrastructure and national security, and unmanned aircraft systems (UAS, or drones) have been identified as a potential area of vulnerability to foreign hacking and data breaches.
The United States Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) recommend the following best practices to reduce risk to networks and sensitive information.
Purchasing
Choose "secure-by-design" UAS. Because laws in some countries compel manufacturers to cooperate with state intelligence agencies and share data with the government, it is recommended that U.S. public and private sector organizations transition to devices manufactured under secure-by-design principles, a set of standards for tech companies that prioritizes security in product development.
Research where UAS are manufactured and the laws under which the company operates as part of any pre-purchase risk assessment.
Review privacy policies, including how and where data collected by the UAS is stored. Look for adherence to secure-by-design standards as part of any company's declaration of privacy practices.
Individuals or departments at Princeton looking for assistance with UAS purchasing can contact Procurement Services in the Office of Finance and Treasury.
Planning
Incorporate UAS and components into an organizational cybersecurity framework. In other words, build in the same level of security for data collected on drones as you would for a laptop, smartphone or any other network-connected device.
Isolate, air gap or segment networks to prevent any malware or breach from spreading. Set up separate networks, such as virtual private networks (VPNs) or virtual local area networks (VLANs), to minimize the potential for a cyberattack to infect the entire network.
Set up continuous verification and authorization procedures, such as two-factor authentication, in order to minimize unauthorized access.
Operations
Verify current software and firmware versions are installed before each use. Ensure firmware patches and updates are obtained exclusively from the UAS manufacturer or a trusted third party.
Delete collected data from the drone after it has been downloaded and stored elsewhere.
Remove and separately store SD cards and other portable storage when drones are not in use.
Do not broadcast or live stream to the internet in real time during drone operations.
Resources
CISA Cybersecurity Guidance: Jan. 2024 (PDF)
The Department of Defense Blue UAS Cleared List includes manufacturers vetted for DoD contracts.
Questions about information security at Princeton can be directed to [email protected]. Questions about procurement should go to [email protected].