Secure Your Drone Fleet Best Practices for Commercial Drone Cybersecurity

In anticipation of GSX, we sat down with presenters of upcoming sessions in order to get a better understanding of the topics at hand. This week we are featuring “Secure Your Drone Fleet Best Practices for Commercial Drone Cybersecurity,” presented by Michael Lees, Program Specialist at Cybersecurity and Infrastructure Security Agency (CISA). Read on for what he had to say and don’t forget to register for GSX 2023!

Q: Tell us about your presentation and why should security professionals have this topic on their radar. 

A: As Unmanned Aircraft Systems (UAS), more commonly referred to as drones, are integrated into our everyday lives through technological, legal, and regulatory advancements, security planning must evolve to consider them as a permanent cyber threat vector to the nation’s critical infrastructure. Traditional security practices consider drones as physical systems, only capable of physical tactics. However, drones are connected devices, carrying the same vulnerability to bidirectional risk as laptops, smartphones, smart home systems, etc. Such risks include cyberattacks, information security compromise, and privacy violations. Organizations adopting, or planning to adopt, drones as part of their commercial operations can enhance their security posture and encourage organizational cyber hygiene through understanding vulnerable drone componentry, inherent risks, and security options. 

Q: What advice would you give security professionals interested in this topic? 

A: Organizations must understand that UAS are Information and Communication Technology (ICT) devices, and should be incorporated into risk management frameworks, cybersecurity resilience plans, and security education and training awareness plans accordingly. For further guidance, the Cybersecurity and Infrastructure Security Agency’s (CISA) Cybersecurity Best Practices for Operating Commercial Unmanned Aircraft Systems and Secure Your Drone: Privacy and Data Protection Guidance products can be found on the CISA UAS website – Unmanned Aircraft Systems | Cybersecurity and Infrastructure Security Agency CISA. 

CISA also strongly encourages organizations to consider procuring secure-by-design UAS manufactured, owned, and operated in the United States or by allied nations, due to security concerns regarding UAS manufactured by adversarial foreign powers. The Defense Innovation Unit’s Blue UAS program provides a routinely updated list of DoD approved UAS that are validated as cyber-secure and safe to fly. More information can be found at UAS solutions for the U.S. DoD. (

Q: How do you see this issue evolving in the next 2-5 years? 

A: Due to their versatile nature, the applications for UAS are still being discovered. As UAS continue to proliferate across various industries, the potential for cyber threats will increase. CISA anticipates a growing emphasis on the development of robust security measures to protect UAS from unauthorized access, data breaches, and other malicious activities. Regulatory agencies and industry stakeholders are expecting to continue collaborating to establish comprehensive cybersecurity standards and guidelines to ensure the safe and secure operation of UAS. 

Q: Why do you attend GSX? 

A: Personally, September will be my first attendance at GSX. The purpose of this attendance is to help develop strategies to remain resilient against the evolving cyber and physical threats to UAS. Other goals include building or strengthening professional networks and connections, and to discover the most recent products, technologies, and services in the UAS and cybersecurity arenas.