Global Drone Security Network Event #2 - David Kovar (URSA Inc)

This is the final post of the GDSN #2 review. If you haven't read our previous reviews, now is a good time to check out the great talks!

Mike Monnik (DroneSec)

Christopher Church (INTERPOL)

Kim James (DroneGuard)

Ulf Barth

Victor Vullard (Parrot)

Lucas Le Bell (CERBAIR)

Evangelos Mantas (Infili)

Jacob Tewes (Kutak Rock)

 

David Kovar (URSA Inc) - UAV Threats to the Oil and Gas Industry

 

Thank you for the opportunity, really appreciate it. I should have the full display up; I'm only running with one monitor. So hopefully, I've got everybody here. Thank everybody who's been here all day, whoever has joined us. I'm speaking on what UAVs may pose as a threat to oil and gas and the energy industry in general. But a lot of what I'm going to cover here really touches on things that you've been hearing all day. To set the stage, as was said, my name is David Kovar, CEO and founder of URSA Incorporated. I had a lot of help from a gentleman named Tim Wright on this. He's a very well-established aerospace journalist. And he has the ability, due to his experience, to dig into places where I don't. So, it was a really good collaboration. All this collaboration also resulted in some interesting stories to tell, maybe over a drink sometime. But different agencies respond better to somebody who is a journalist. And others respond better to somebody who's not a journalist. And so, we didn't always get that right. It's been an interesting journey in that regard. Let me do the too long; didn't read (TL;DR) story here. The threat is real. You've been hearing that from various people throughout the day. Many organizations are underestimating or downplaying the threat. And that's not something that we've been hearing quite as much, but I'll give you some data to support that particular conclusion. The counter UAS community is part of the problem as well as part of the solution. This is a difficult thing to say; I am part of that community. But I think that if we all sort of step back and look at what we're doing and how we're doing it, there is a certain kernel of truth to this particular statement.
And this is a great opportunity. This particular group, DroneSec, and other forums for collaboration, are opportunities for us to have discussions about how we can move what we're doing to be more firmly in the "we're part of the solution" part of that continuum. My conclusion, my belief, and I think you've been hearing it from other people today, is that threat intelligence is important. We need to understand the threat, we need to understand the nature of the actors behind that threat, we need to understand what we're trying to defend against, so we can align what our defences are with the threat. And sharing is and always will be a significant contributor to managing the risks associated with malicious sUAS. That sharing is crucial. This forum is a great opportunity for it. DroneSec has a platform and I'll talk about some other ones later in this presentation as well. But right now, a lot of really important information is stovepiped, or siloed, in various places. Some of that's behind national security concerns, some of it's competitive, you know, I don't want to share with my competitors, some of it is tied up in intellectual property. Some of it's just tied up in non-disclosure agreements. Some of it's just tied up and we don't know whether we can share this stuff or not. But I believe that we're not doing national security any service by sort of keeping all that information about what is or is not going on to ourselves. And that applies. That's not just a US problem. That's a national problem for anybody anywhere in the world. To start off, to frame the overall conversation, this is from Sandia National Labs, a paper that they wrote back in 2007. And it applies to kinetic and cyber-attacks. And by the way, I've got 20 years of doing cybersecurity, about five years of doing incident response, digital forensics, a bunch of things like that. So, I come from more of the cyber community, but I've got some kinetic security experience as well.
So their statement is that to build the right defence (and the right defence means the one that's most effective, it also means that it's cost effective; there are a lot of definitions of what the right defence is), to build the defences capable of withstanding or surviving a cyber kinetic attack, or a drone attack, we must understand the capabilities posed by those threats to the government, to the function or to the system. We've got to understand who the threat actors are, what they're using to create that threat. And only then can we really start building the right defences. This particular conversation is about energy infrastructure; you could be protecting pretty much anything. But I'm using this particular one I'm in. I live in New Hampshire. So, your upper right on this one.

This is just all the power plants in the United States; there's an awful lot of them. And there's a surprising number of nuclear reactors in here, including one that's 20 minutes away from my house, which I often times forget. There are an enormous number of oil and gas refining and processing facilities scattered around the country. You'll notice there's a lot in the Midwest. I used to drive between Washington, DC and New Hampshire all the time. And so, I'd see the ones in New Jersey, a bunch down in Southern California. There's a lot of it down around the Gulf Coast. And we'll get to that in a minute. There's all the natural gas pipelines. Thankfully, a lot of these are buried, but not all. There's also oil pipelines and other transmission systems on the surface that are potentially vulnerable. Crude oil, petroleum, etc. What's left out of these graphics is high transmission lines, which are getting a lot more attention after the fire in Northern California last year that was caused by poorly inspected high transmission lines; those are becoming much more of an area of concern. So, if the energy infrastructure is the thing that we believe is at risk, what is creating that risk? In the context of this conversation, we've been talking about UAVs and so let's get down into some specifics. Any sub $2,000 drone, and I'd even say any sub $1,000 drone, can pose a risk for energy infrastructure. They can be used for intelligence, surveillance, and reconnaissance. All you got to do is get up there and take pictures with it. They can be used as a distraction. Right now, a drone flying over any sensitive facility is going to get some attention. And so, you can use a $200 or $500 FPV racer, or whatever it is you want, to draw the attention of the security forces away from something else that you're doing, or just to see how they're going to react.
And similar to distraction, you can use it for confusion, you can use it to create the perception that something's occurring that's not occurring. Getting down to specifics, DJI Mavics: DJI has somewhere between 75 and 85% of the consumer commercial market. A very popular platform. And they've been really popular with the hacking community, people that want to modify these things to get around no fly zones and to do other things that they were not originally designed to do. In the context of posing a threat, some of the things that are getting done with these are making them fly much longer ranges than they're intended. And so there used to be these hacked battery attachments so you can have two batteries attached. Now people are using 3D printers to have a more professional ability to add a battery to these platforms. A couple years ago, somebody put a Raspberry Pi with a cellular modem on one and used that for flying longer ranges. Now you can do that with off the shelf stuff for non-DJI products. And we've seen coming out of Mexico and presumably other places that they're being used for delivering malicious payloads. There's a photograph of one pound of C4 attached to a DJI Mavic. I think that most of us understand that the motivated threat actors are going to be moving away from commercial off the shelf products and moving towards homebuilt. There are a variety of solutions or reasons for this. On the DJI front, Aeroscope is becoming somewhat prevalent and if you're going to fly a DJI product, there's a good chance that you can be picked up by an Aeroscope. So easy way to avoid that problem: fly something else. There are some concerns about serial numbers. If you use it for malicious purposes and it's captured, serial numbers on the UAV could be used for tracing the person who purchased it back and then showing up at their house. So, home built: there are some really good capabilities that come along with using them.
You can make it fully anonymous using Pixhawk or some other flight controller. You can make it shut off the radio, the RF link. So now, any counter UAS system with a component that is dependent on the RF link is going to be blind to them. It can fly on autonomous flight, it can do certain steps during that flight, take pictures, drop payloads, things like that. And then it can turn that RF link back on if necessary, at certain points during its flight. It's much easier to use a custom data link. There are a variety of counter UAS systems out there that are looking for specific, what I would call, fingerprints on specific types of communication on specific frequencies. If somebody uses a cellular modem, obviously, you're moving your data link from 915 megahertz well up into the spectrum. But there's plenty of other parts of the spectrum that you could use, where somebody wouldn't see it on the RF. So that's certainly an option that comes along with homebuilt. Also, you can control what your radar cross section looks like. If you're using an EPO foam fixed wing, your biggest radar reflector is going to be the battery. So that gives you control over that. More on the commercial side: there are some really powerful platforms out there and we've seen some of them earlier today. The Avartek Boxer Hybrid, this is a gas electric hybrid, commercially available, has a five-kilogram payload and a two-hour flight time. There's a lot you can do with that at a long range. FireFly 6 is made here in New Hampshire. DOI was flying it for wildfire purposes before that fleet was grounded. EPO foam, VTOL, 50 minutes endurance, 1.5-pound payload, $8,000, ready to go. It's also got a really nice sensor that you can say, watch this particular location. And no matter what you're doing with the aircraft, the focus of the EO/IR sensor will be on that location. So really powerful platform.
And again, for $8,000, pretty much any motivated attacker could go acquire one. I mentioned the Syrian home builds just because I get tired of people saying what you're proposing is impossible. Syrian home build attack on the Russian airbase, and I think it was 2018 – balsa plywood, gas engine, they supposedly flew about 50 kilometres, there were no GPS units on them as far as I could tell. So, these things were flying fully autonomously. If there were GPS units on there, there were certainly no radio links, and so, they were not being manually flown from launch all the way to their target. So, if this could be done in 2018, in Syria, what can be done in 2020 in the United States? I mentioned jet turbine fixed wings in here. I think they were mentioned in an earlier presentation as well. These things are amazing, very high speed. There were some components of a jet turbine found in the ISIS drone factory a couple years ago, nothing functional, but you could tell that threat actors were starting to think about this particular platform. If you've got a jet turbine fixed wing coming at you, by the time that your counter UAS system detects it, and makes some sort of decision, even if it's automated in terms of how it's going to respond to that incursion, it is most likely going to be on target. So, the speed is one really interesting characteristic of it. Another characteristic of it is that the explosive payload is the fuel that it is using already. At that speed, if it impacts a solid surface, that fuel is going to aerosolize and then the motor, the impact, is going to detonate that fuel. How big is that explosion? It all depends. Um, Raspberry Pi plus OpenCV plus ISR. So, ISR is intelligence, surveillance and reconnaissance again, OpenCV is an open-source image recognition platform. And we know what Raspberry Pis are. The combination of these three things gives you the opportunity to do all route terminal guidance without a GPS just using optical recognition.
And the reason I mentioned ISR is not just because of that all routes. But if you think about what a petroleum refinery looks like at night, it's got this beautiful colour spectrum and all these lights on and things like that. And I suspect you would find that those are very unique fingerprints. You can, given a certain pattern of light, say, oh I'm coming in from this angle, and I'm this far away, so that's where you get your terminal guidance. And then one of the other things that is creating risk and opportunity is software defined radio (SDR). We're using it on the counter UAS side. But malicious actors are going to use it as well. It gives them the opportunity to change their data links, to encrypt them.

It also gives them the opportunity to use SDR for gathering intelligence about a site. And I'll get to that in a little bit as well. We're familiar with the group one, group two, group three, group four, group five classification for UAVs. US DoD uses this and NATO uses that as well, and some others. It is a good way of thinking about capabilities in terms of size, weight, payload, endurance, and altitude. But as we're trying to really figure out what's creating or posing a threat to us or toward the sites we're trying to protect, I really suggest that you think about a sort of broader range of capabilities. This comes from a NASA paper; I think it was done back in 2010. And it had nothing to do with counter UAS, it was really just thinking about what their capabilities are for UAVs. Some of the interesting ones here are: all weather conditions. So, you know, if you are based out in the Arctic, and you're concerned about UAVs, you're going to need to have something coming at you, it's going to need to be all weather capable. One of the interesting things in here, particularly given swarm technologies, are the monitoring control, multi-ship operation, mother-daughter ship operations. So, it just gives some examples of some things to think about in terms of capabilities that might be brought to bear on you, on your system, on your facility. So, we've talked about what's at risk, and about what creates a risk. Here are the things that those UAVs pose as risks. Well, we talked about ISR: intelligence, surveillance and reconnaissance. A lot of people, when I've talked to them about, you know, why somebody might use drones around a security site, they say, hey, all this imagery is in Google Earth, you can just go do it. Well, first of all, Google Earth, the images are taken when they're taken, you have no control over it. Second of all, all those images are straight down or as close to it as they can get.
That doesn't give you some really valuable information in terms of what the physical layout is, looking at it from all angles. It doesn't give you examples of how the lighting changes when it's sunset, or sunrise. It doesn't give you information about how people are moving around the facility and things like that. So yeah, Google Earth is wonderful for doing remote surveillance and reconnaissance. But at some point in time in your desire to go effect upon this facility, you're going to want to get eyes on, and drones provide a really good eyes on capability. They can also fly some sensors other than optical. LIDAR can be used if you really want to get into looking at how the facility is constructed down to a very, very fine level of detail. And if you're trying to put a precision strike with a small explosive payload on, then having that sort of knowledge could be very helpful. IR gives you information about where heat sources are; obviously, that could be people movement, it could be where generators are, it could be where cooling plants are, all sorts of things. RF collection: this is something that doesn't come up too often, but it's why I mentioned SDR earlier. If you are trying to attack a facility or attack a site, you really want to understand what's going on with the defence. What are they capable of, what's their operational tempo like? What are they doing? And so, RF collection is one of the things that you would want to do again. So what frequencies are they using? What are they using those frequencies for? And can you capture and collect some comms traffic? You may, by capturing that traffic, find out what their shift changes are, if you're not getting it via other means. You may use this for deciding what to jam when you decide you're actually going to take action upon the site, things like that. There are passive risks created we talked about - distraction and intimidation.
Response analysis: and I'll talk about the Palo Verde site in a little bit. But these drones were over the site for two days running. So, the first day drones are over it, you get one sense of what the response looks like; you come by a second time or later, it's like, have they changed their response? And understanding how the defender is going to react to the various moves you're going to make is a really important part of preparing yourself and your team for the action you're about to take. And then there's obviously payload delivery.

So, some examples. Most of these are familiar. We spent a lot of time digging into this. And then we realized that there are more examples than are really necessary. I mentioned Palo Verde; if you've been following The Drive, they've been doing some interesting articles on Palo Verde and some other issues and that's where a lot of our information comes from. To summarize, Palo Verde is the largest nuclear reactor in the United States, in Arizona. On September 29 and 30 of 2019, five or six UAVs, two feet in diameter, were on site for 80 minutes. They were hanging out, they were looking around for 80 minutes, and nothing could be done about them. The NRC ILTAB, their intelligence and liaison threat assessment branch, in the FOIA request recovered documents, told the site operators and the NRC in general, "please stop calling us during off hours." Some people took this to mean some things that are sort of not favourable to this particular group. They're not a response organization; I think it was a fairly reasonable response on their part: hey, you know, there's nothing we can do at 2 o'clock in the morning, we’re asleep so we can do our job when we get up in the morning. But the take home here is that they were probably being called because no one knew who else to call to say, "Hey, we got drones over our facility. What are we supposed to do?" The NRC, the Nuclear Regulatory Commission, does not require a counter UAS at nuclear plants, asserting that small drones could not damage reactors. A small drone might not be able to damage the actual reactor itself. If you look at the picture on the right, there's a lot of other infrastructure around that reactor that makes it function that is potentially at risk. And even if there was no damage that caused the reactor to be shut down.
Simply the knowledge that a US nuclear reactor or nuclear power plant was attacked by some sort of explosive carried by a drone is going to have a financial impact and a terrorist type of impact as well. At this particular site, there were previous UAV overflights on December 21 of 2017. And to an earlier point, there was another overflight in December 2019. And there may have been a counter UAS system deployed on the site at that time. So, somebody may have come back, you know, they figured, okay, we're coming back, you know, two, three months later, has anything changed? To find out whether it did or did not. As part of, you know, the got the information about Palo Verde, there's a reporting system. Turns out that there are 57 new UAV incidents over US nuclear sites, from December 2014 through October 2019. Three are still open, five are closed resolved: "Hey, only we know what was going on." 49 cases are still closed, unresolved. They do not know who was operating over the site. They don't know what was going on. Three were at Palo Verde, five were at Limerick in Pennsylvania, six were at Perry and seven of them were at Diablo Canyon in California. That's a lot of UAV overflights. Eastern Colorado: most of us are familiar with this. In late 2019, there were a lot of observations of UAVs over Eastern Colorado. I'll get through this as quickly as I can. I'm quoting the FAA: multiple highly credible official reports from trained observers. So, people who supposedly understand what they're looking at or not looking at and who are not going to confuse a satellite, for example, with a UAV. These trained observers articulate that there was a unique arrangement in which a large drone seems to have been accompanied by a fleet of smaller ones. The number of UAVs ranged from two to 16, approximately six feet in width. So sizable aircraft, flight time between two and three hours, night-time operations flying grid-like patterns. That's a significant operation. So, who was doing it?
Military? Commercial? The answer, according to the FAA: it was neither military nor commercial. All the military commands that they asked said nope, was not us. And they went through, I presume, all the open waivers, they reached out to all the commercial operators in the region and said, “Hey, was this you?” and according to the FAA, it was not commercial or military. So, we still don't know. But another take home here is that, and I'll get to this in more detail, if you're a malicious actor, there's a lot of sort of noise going on in the environment that you might be able to hide within.

And that gets to what is normal. If you're not keeping up with the sort of evolution of counter UAS, and sorry, the UAS industry in the United States, it's been quietly, excusing the language, taking off. People are getting beyond visual line of sight waivers, people are now effectively, and have been for months, using UAVs for inspecting pipelines, the dirty, dull and dangerous, as well as tracks and all sorts of other things. The literature on the left side of the screen is from a vendor that sells UAVs into this space. They assert that some of these operations are better done at night. And so, there's an excuse for having UAVs over critical infrastructure at night. Their VTOL UAV that they provide can fly up to 40 kilometres beyond visual line of sight and has a flight endurance of 88 minutes. Pretty powerful aircraft. And it operates in a variety of weather conditions. On the right, there's a quote that says “more often than not, operators hire contractors and subcontractors who often hire their own subcontractors.” If you're trying to figure out who's actually flying over a site, and you got to work through all those legal layers of contracts, good luck getting that done in a timely manner. And it may be difficult to do even if you've got more time. Elsewhere: Louisiana, three Spanish males. And so, on the graphic I showed you about where energy infrastructure is, I mentioned there's a density down around Louisiana. Mississippi River drains out there. There's a lot of energy infrastructure in the Gulf itself, a lot of shipping coming in there. There's a lot of density, there's a lot of energy infrastructure down there, including some apparently very rare chemicals coming out of it. After the area was devastated by hurricane, there was a lot of pressure to get certain refineries back up online as quickly as possible because some of the chemicals coming out of that region are apparently incredibly important to national security. And that was the only source of it.
So, looking at what's going on in Louisiana makes a lot of sense if you're trying to get a sense of what's at risk and what's creating that risk. Three Spanish males were arrested for flying a UAV over Valero back in 2018. The second quote is from a detective, who while they were on site at a Dow Chemical facility, observed a small UAV that was remaining stationary and rotating 360. So not just flying through, not a fly away; something was in there intentionally and doing what we would consider a surveillance sort of activity. One of the guys working on a different site had a UAV crash right in front of his truck; could be a fly away. Incident reports don't get beyond the fact that this happened. France, 2014: overflights of seven nuclear reactors. 2018: Greenpeace flew a drone dressed up like Superman into a nuclear reactor. So, demonstrating there's a security problem here. In the United States, there was a Mavic found next to a non-bulk electric substation with some ropes, and then at the end of the ropes was copper wire, presumably could have been used for shorting out transformers and things like that. I've been asking for the picture of this; I have been told by multiple credible sources that it exists. No one's shared the picture of that with me. If you have a copy of it, feel free to send it to me anonymously, or take credit for it one way or another. I'd love to see that one. We talked about Saudi Arabia in previous presentations; you can go look this up. It was the most significant attack on energy infrastructure to date. And I think it's reasonable to assume that it's not going to be the last. So, what's the risk? What's creating the risk? What are the risks? What's going on in the United States? We wanted to sort of categorize, you know, how big is the problem and what are they doing, on the upper right. And this is something that the hobbyists, you know, get all bent out of shape about for good reason: most people are compliant.
The vast majority of people flying in the United States, we believe, are compliant. They're staying below the thresholds. They're flying in the approved locations, they're getting the right waivers, they're registering and things like that.

So, let's just wait. And, unfortunately, there's not a sufficient amount of data to prove any of this. But it says these are all reasonable assumptions, I think. So that's the majority; these people are compliant. Below that there's a small number of people who are just careless. They kind of know what's going on, but they're not paying attention, they go too high, they fly over somebody's property. These people are still not a real big threat. It's just, they're going to create attention. And that's not good for any of us, particularly the people who are being compliant. There's the clueless: these people haven't registered with the FAA, they don't know that there are regulations in place, and they're just going to do whatever they want. The risk, the threat they're creating, is still relatively small; they're not flying with malicious intent. They're just being stupid. Now we're getting down to the people who create some amount of risk. These are the thrill seekers who are continuously pushing the boundaries, intentionally flying in restricted airspace. They don't mean harm, but they don't understand the harm that they can potentially do by what they're doing. But also, the harm they're doing to the entire industry. There are videos of people flying Mavics above the clouds, and the cloud deck at that location was 8000 feet plus. So they are well out of visual line of sight. And it's a beautiful picture. And they keep doing this and they keep pushing the envelope. This sort of activity, we need to clamp down on, unfortunately, and fortunately. But they're still not the people that are going to pose a threat to the energy infrastructure. Now we're talking criminal and terrorist. These are the smallest number of actual operations, but they are posing the greatest threat. You can produce your own threat matrix, and I encourage you to do so if you're responsible for protecting a facility.

Um, one other take home from this threat matrix is, again, the getting lost in the noise. The terrorists and the criminals are going to be the very small number of overall flights. And if those terrorists and criminals can look like a legitimate flight, or just somebody who is clueless and careless, that gives them additional cover that they can use for accomplishing their particular goals.

What are our challenges? Our being the energy infrastructure, energy community, the counter UAS community, the people who are doing UAV forensics research, what are our challenges? What is it that we need to step up and take care of so that we can be better contributors to national security, to site security, to all of the things that are protecting society against malicious UAVs? Senator Cory Gardner, Colorado, January 2020, after the whole Colorado drone problem, publicly stood up and said something that is one of the most important things in this presentation. “There's a significant gap in the understanding personal understanding and the National security's understanding of the threat that drones pose the United States.” If we don't understand the threat these drones pose to us, we cannot even have a rational discussion about how to defend against them, much less actually build those defences. So problem one is understanding the threat. Problem two is downplaying the threat. Kelsey Atherton, I follow on Twitter, I read his articles, he does some great stuff. He understands military, he understands regulatory, he understands politics. Really good writer, I admire the heck out of him. However, in a Forbes article that had to do with nuclear reactor site security, vis-à-vis drones, he concluded that there is no risk posed by small drones until they get the ability to carry larger heavier payloads without losing much flight time. And until those happen, only then should we rethink our infrastructure hardening. I will stand up here or sit here and raise my hand and say those things are already possible. And earlier in this presentation and other presentations, we demonstrated that. If Saudi Arabia, Saudi Aramco, was probably a nation state actor, okay, so maybe not that, but the attack on the Russian airbase was certainly something that demonstrates that you can get heavy payloads over long distances. And so, and that was in 2018.
So, it's beyond time for rethinking infrastructure hardening. And this sort of thinking I feel is downplaying the issue and not focusing time, attention and resources on where the problems are.

Joseph Rivers, this came out of the FOIA release from the Palo Verde incident. He makes two really good points here. Putting regulations in place is not going to stop the motivated actor. So restricted airspace is not going to stop anything. He asserts that detection systems, counter UAS systems, have limited success rates; I would generally agree with him, unfortunately. And there's a low likelihood that law enforcement will arrive quickly enough to go find the operators. His take, I agree: we should focus our attention on getting federal regulations and laws to change to allow sites to defend themselves and get the resources required to identify engineering fixes that would mitigate the adversarial attack. So, if a UAV does get in, how do we mitigate against that? Jacob’s presentation, just prior to mine, is spot on on this. And that is an incredibly important part of the conversation. And we should not walk away from today's wonderful presentations thinking that it's only technical solutions. There are legal solutions, there's information sharing solutions, there's a lot of other things that need to be done in addition to technical solutions. Remote ID and UTM: there's a belief that remote ID, UTM are going to solve a lot of this problem, we just need to wait. Well, first of all, they're probably three years out. Second of all, and most of this comes from my cybersecurity background, these are likely to be federated solutions put together by commercial vendors, who must make a profit, who are then working with government entities who may be under resourced. And they are all working together to collaborate to build these systems. And those systems must have perfect cyber security, or they are going to be part of the problem. Some of the problems are: there's going to be a legitimate backdoor, we have seen this.
In other circumstances, we've seen the FBI asking or demanding that Apple create backdoors in their system. There's not going to be a remote ID system and a UTM system that does not have legitimate backdoors in it for use, but for national security reasons. If there are legitimate backdoors, there's a good chance those backdoors will get compromised and used for non-legitimate purposes. And then there's a pure exploit. So, it's going to be a complex cyber security system, there are going to be problems with it, people will exploit that; they will find ways of manipulating remote ID and UTM for their own purposes. There's also a lot of “valid” reasons not to disclose where drones are operating and why. Amazon's not going to want anybody other than Amazon to have really detailed knowledge of where all their UAVs are going, how much payload they were carrying, what their flight times were. This is all business, intellectual property, it's competitive intelligence. And then there's, you know, national security flights, there are going to be law enforcement flights, there are going to be all these carve-outs where people are going to have some sort of reason to say, hey, wait, I should not be squawking some sort of remote ID and I should not be participating in the UTM system. We're going to have to work through that. And I'll point back to Jacob and say, hey, look, this is going to fall on your court, because it's going to be a legal issue and a regulatory issue. Malicious operators will hide in the gaps in the noise. The gaps may exist simply because of flaws in the system. They may create those gaps themselves; the exploits. I love the FAA. I'm a manned pilot. Through the nature of how the National Airspace has been managed over the decades, it's a remarkably safe space to operate. And they are coming at unmanned vehicles from that same perspective of we're looking for, you know, zero fault airspace. Unfortunately, they've got a really poor track record of enforcing any sort of compliance.
And if someone's not complying with the Remote ID or not complying with UTM, what are the consequences for not complying? We're going to have to work our way through that. Hobbyists, open-source activists, foreign tech imports will likely create a “non-compliant” noise floor to hide in as well. If you are trying to attack or surveil some facility and there's a bunch of hobbyists flying in the area who are intentionally non-compliant, that creates a noise floor for you to operate in. Or you could have some of your “friends” go be non-compliant hobbyists, while you are tangentially working with them and flying inside their noise envelope.

Other people have mentioned this and I'm glad they did. Because I find it incredibly frustrating. There's an enormous number of counter UAS vendors out there. In 2018, there were 230 of them. I'm sure it's increased by now. I've worked in the counter UAS testing evaluation space and still am. So, I've been talking to people in the DoD and the government on the procurement side. They don't know what works and what doesn't. And this is where I think we as an industry need to get our act together. If you are a site operator, and you want to know what counter UAS system works best in your environment, you know, close to an urban area, hot and humid because you're down in Louisiana, no good lines of sight because there are refineries next door to you, which counter UAS systems have been deployed in a similar environment? And what sorts of flight profiles, what sort of threat profiles were flown against those systems? And when were those tests done? We need to have standardized testing of counter UAS systems in multiple types of environments, so that we can do repeatability, we can do compare and contrast. Otherwise, as this counter UAS researcher put it, we have no source of truth. Somehow, we've got to go solve that problem. So, take homes from that one are, we really don't know what systems do or do not work.
And if they work in one environment, we don't know whether they work as well in another environment. And we don't know what threats they work against or don't work against. For example, if somebody changes the RF link, are they going to work against that? Just an example. Threat information is siloed. I'll talk about how we might be able to solve that towards the end of this presentation. But all of us need to be thinking about how we help inform other people in the space of protecting this infrastructure to do a better job of it. And the last one bothers me. Across the board, I see requests for proposals for counter UAS systems or things like that, that are addressing last year's problems, you know, what was ISIS using in 2018? Or what is the cartel using in Mexico in 2020? Drone swarms exist, autonomous drone swarms exist, jet turbine UAVs exist, all of these things are possible. And we as a community, and in collaboration with the governments that we're working with, and in collaboration with the people that we are trying to defend, need to start thinking actively and talking about it, not just thinking about it, but talking about it and saying, okay, what's coming down the pike, and how do we, if not get ahead of that, how do we catch up with it?

So, what can we do? CISA, the Cybersecurity and Infrastructure Security Agency, is a US entity. I was somehow unaware of them before I started on this process. They are focused on cybersecurity infrastructure. They've got a very broad mandate. And I was looking around for federal government agencies that understood that there was a counter UAS threat and were doing something about it. Enter CISA. Everything you see here comes from their website. They've got a lot of really good materials. And in terms of how to talk about it, they've got one-pagers, they've got placards, they've got all sorts of materials for educating different types of people about the nature of the threat, and what actions can you take about it. If you are in the energy industry, and you're not hooked into CISA, I strongly encourage you to do so. They've got representatives scattered throughout the country. And they're very happy to talk about this sort of stuff. They articulate things I've been saying in this presentation. The UAS related threats may include weaponized smuggling payloads. They may include prohibited surveillance and reconnaissance. They may include intellectual property theft, and they may include intentional disruption or harassment. This is a US government agency saying this thing. This is worth paying attention to. What actions can you take? As Jacob and others have said during this presentation, we're somewhat hampered in the United States. So, their first bullet point is research and implement legally approved counter UAS technology.

They also then get into things that don't require buying a counter UAS system. And I apologize to the counter UAS vendors out there. But there's a lot of things you can do without spending hundreds or thousands of dollars on counter UAS systems to help protect your facility. And I'll get into some of them here and on the next slide as well. Know the air domain around the facility and who has authority to take action to enhance security. If you're in with a bunch of other energy facilities, you know, build a community whereby you're getting advance notice while you're doing information sharing within your own community. Contact the FAA to consider UAS restrictions, we're all working on that. Update your emergency incident action plans. This is worth doing. If only so people know what to look for, what data to gather, and this goes to Chris Church’s presentation way in the early part of the day, you know, figure out how to gather information about these incidents in a methodical fashion, and then report it in a consistent fashion. So, we can start understanding the problem. Build federal, state and local partnerships, and report the potential UAS threats to your local law enforcement agency. This is a great slide. If you take nothing else from my slide of my presentation, I would suggest taking this one.

This is an example of some of those CISA recommendations in action. I was doing a presentation at BSides New Orleans, two years ago now, met this gentleman, his contact information is in the appendix. There's another slide down there. This is an example of collaboration between the Coast Guard and InfraGard. And for those not in the United States, the InfraGard is an FBI initiative for sharing information between the private sector and the FBI. And so this is a collaboration between the Coast Guard, the FBI and a lot of the energy infrastructure operators in the New Orleans area, particularly the Port of New Orleans.
They've established this relationship back in 2016 and one of the things they've done is they've got a mandatory requirement for saying, Hey, I'm going to be flying a UAV in the area. So, if you see a UAV over your facility, you can call somebody and say, Hey, I'm seeing a UAV, they look at their list and say, Nope, it shouldn't be there. Now, you know, you got some sort of threat, or now you don't, you can now make a much quicker decision. It's not automated at the moment, well, it may be, but it doesn't have to be automated, it could be as simple as a phone call, and somebody's looking at an Excel spreadsheet, or pulling up a piece of paper. It's simple to get started on this stuff, it costs you very little, it builds relationships and starts giving you a situational awareness of what is and is not going on in your airspace or the airspace that you're sharing. They did automate a fair bit of this and how much of it I do not know, reach out to them. But they are bringing in a lot of information and making them available to all the people participating in this such as safety, exercise and training, and things like that. I'm just making sure I'm not out of time. I'm good.

This is a part of a larger deck from a gentleman; his contact information is later on in it. He was doing red teaming and found that essentially doing red teaming was frustrating. It really wasn't a challenge. He stepped back and started doing adversary modelling. So, threat modelling. And this is one example of one of his tools, where he looks at essentially a very compact kill chain. And for those not familiar with it, a kill chain is basically the steps that an adversary must take to go from start to actually having an effect on the target. In the cybersecurity world, it was exfiltrating the data out of our environment; in this circumstance, it's actually gathering the intelligence or delivering the payload.
The take home from a kill chain is that if you can stop the kill chain at any point before they finish their mission, you have succeeded to some degree. So, this is sort of a very compact UAV kill chain for a threat actor. And he goes through a bunch of the steps that they would have to get through to accomplish their mission. And each one of these steps is an opportunity for you to deny them the ability to accomplish that step and to deny them their overall mission. So, he's got a bunch of tools for helping you do this sort of stuff. One of the easiest ones is helping site operators figure out where somebody might launch a UAV from. You know, why is this interesting? Well, you could just put a game camera out there and have it out there and check it once a day or do it wirelessly. And see if there's somebody launching UAVs from any of these locations that this model demonstrates. If they are, go talk to them, like, why UAVs over my property? You've now, with essentially a little bit of consulting work and a game camera or, you know, a little bit of higher end security camera, started implementing counter UAS without having to worry about hacking into a data link or anything like that. So very much worth considering. This gentleman's great, while there are other people out there; you can do it yourself. Very much worth considering.

If you're in the United States and familiar with ISAC, they are basically a private sector vertical information collaboration for sharing cybersecurity vulnerabilities and responses to it. The FS-ISAC is one I was most involved in, Financial Services ISAC, there are a bunch of others. I proposed AV-ISAC for everybody who had anything to do with autonomous vehicles to join this organization and share information within a well-orchestrated lockdown environment. This is membership driven, there's a bunch of issues with it. I never got it off the ground, I think I was a little bit too early. You know, maybe it's time to revisit it. If you're interested in it, come let me know.

This one is a solution that when I was doing cybersecurity was incredibly impactful. It requires trust, it requires a bunch of people to say, and a bunch of people in their organization to say, yeah, we understand why the needs of the many outweigh essentially our own competitive advantage. What was going on is that we had a very secure mechanism for sharing TTP, tactics, tools and procedures, as well as malware signatures and things like that. And there were people from opposing firms, consulting firms, from security vendors, from malware protection vendors, all that sort of stuff. People that had honest, competitive interest in not collaborating with each other, but they all came together because they understood that within the right model, within the right information sharing model, they could still further their own company's interests, and possibly even benefit their company's interest by getting this information from other companies, and also help protect national security. The reason I think this is important, and the reason I think that threat intelligence sharing and development is important, is this list of bullet points. So, I've said this other slide was most important; this is another one. We're engaged in a futuristic war on.
Things I read as science fiction, even three years ago, are now in the present. We've got to bring everything we can to bear to get caught up and get ahead of the threat actors. If we don't do that, we're going to be under-resourced and behind the curve. And it's going to get very frustrating, which is one of the reasons I exited the cybersecurity space. We're all often asked to fight last year's battles, which I also find particularly frustrating. We need to be thinking ahead so that we have the right solutions in place when the threat actors catch up to us rather than vice versa. Our adversaries are similar to the cybersecurity adversaries: they range from activists, to criminals, to non-state actors, to nation state actors, which means that their motivations and their capabilities and their ability to show up in the country are wide ranging. If it's just one of these groups, it'd be much easier. There's not just one potential threat organization. We have limited resources, the federal government has even more limited resources. And with COVID sucking up a lot of budgets, you know, and increasing the national deficit and things like that, those resources may even be further challenged. We in the United States are hampered by a very challenging regulatory environment. Jacob and others have talked to that. It really hamstrings our ability to respond. So, we need to think creatively, and we need to think collaboratively. If we are working with limited intelligence, it's often due to our own inability or unwillingness to cooperate. We need to find ways of collaborating. My proposal: the organization I was referring to for the cybersecurity stuff operated with two rules. One was the Chatham House rule, and by the way, it’s Chatham House rule, there's only one rule: participants are free to use information received, but neither the identity nor the affiliation of the speakers nor that of any other participant may be revealed. So, don't out anybody.

Don't out their organization; it compromises this whole entire effort. And then the other fundamental tool was the traffic light protocol. If something's tagged TLP red, you are not to disclose it. It's restricted to people in the org, in the conversation only. Amber: limited disclosure, restricted to participants' organizations, so you can take it back to your organization, but they cannot then go use it for public speaking or press releases. TLP green, you know, restricted to the community; and TLP white. So, this is a framework, its potential for how to create this sort of trusted, sharing community among people who might otherwise not be able to collaborate. In the appendix to this presentation, there's a lot more details on it. You can just reach out to me as well. Though another option is the organization that's supporting this presentation. They are in the threat intelligence business; they have tools for doing this.

There are a lot of opportunities for us to support each other and support the community. And I'm deeply thankful to Mike for giving us all this opportunity. And I'm really deeply thankful to all the other presenters for adding context and colour to the whole thing. And finally, I'm very thankful to everybody who was taking the time today to listen to me and the other speakers. Without you, we wouldn't know what we're doing right and what we're doing wrong. And I really encourage everybody who's been in this conversation today to continue joining the conversation, reach out publicly, reach out privately, join one of the organizations or mechanisms for sharing information, tell us what your problems are, and really help us help you. With that, my presentation is over. And I will see if I can get back to normal.


