Protection against drone deployments as part of information security risk management

Information security is a key issue for companies and organizations in Germany and Europe. A new type of threat is the use of drones. The fact that this is a risk that is becoming increasingly important in practice is shown not least by the recently detected drone overflights over the grounds and facilities of the Bundeswehr.

The German Federal Office for Information Security (BSI) has also recognized this and published the guidance "Overview of drone-based cyber threats and aspects of defence" (currently available here). In this article, we shed light on the legal framework, the specific risks posed by drones and the countermeasures to be taken to protect against such threats.

Essential legal framework for information security in Germany and the EU

German and European law provides for a large number of regulations according to which organizations and companies, especially operators of critical infrastructures, must take measures to protect against security incidents and cyber threats. These measures must be implemented as part of risk management. The most important legal requirements in this area include the national BSI law and the two European NIS2 and CER directives.

Both the NIS2 Directive and the CER Directive need to be transposed into national law in Germany. The implementation deadline for this transfer has already expired at the end of 2024. Even if the implementing laws have not yet come into force and also if individual companies and organizations may not have to do so. should not be subject to regulation by the implementing laws, they should nevertheless urgently address the issues of physical security and information security in order to ensure their resilience and thus the protection of their companies and organizations in the best possible way.

Risks from the use of drones

Drones pose a significant threat to IT systems, networks, physical security and the protection of trade secrets of companies and public institutions. Their ability to be served from a certain distance, their small size and maneuverability and thus the possibility of remaining undetected make them a valid reconnaissance and attack instrument.

The following risks in particular are central here:

1. Optical and infrared reconnaissance: Drones can be used to monitor sites, installations, systems, and people. You can capture sensitive information by "shoulder surfing" screens, whiteboards, and documents.
2. Interception and interception of communications: Drones can be used as mobile listening stations to intercept confidential communications from personnel, IT systems and telephones.
3. Hacking and jamming attacks: Drones can be used as relay stations for man-in-the-middle attacks or to disrupt wireless communication systems. They can be used to compromise local networks, manipulate data, and disrupt communications.
4. Physical attacks: Drones can transport weapons, explosives or similar substances and carry out targeted attacks on critical infrastructure.
5. Swarm attacks: Multiple drones can be used at the same time to overload defenses and perform diversionary maneuvers.

Protection against drones as part of risk management

To protect themselves from the risks described, companies and organizations should integrate the use of drones into their risk management. To this end, drone scenarios must be included in existing risk analyses and security concepts and measures must be defined to protect against, detect and respond to the use of drones.

Risk management can include the following aspects, for example:

1. Prevention

• Information and awareness campaigns: Employees should be informed and trained about the threats posed by drones. Internal reporting procedures for drone sightings should be established.
• Reduce visibility: Critical areas and installations should not be visible. Site and building plans as well as information on building supply, such as electricity, water, air conditioning and ventilation, should be avoided.
• Optical shielding: Windows should be fitted with blinds or curtains to prevent visual reconnaissance. Sensitive information and accessible trade secrets should be covered with appropriate safeguards.

2. Recognition

• Technical sensors and effectors: Drone sensors and defense systems should be installed on the perimeters and at highly sensitive targets. Attaching nets can also protect openings and buildings from drone intrusion.
• Regular inspections: Facades, roofs, and other hard-to-reach areas should be regularly checked for unusual objects. Video surveillance, high-resolution binoculars, and thermal imaging cameras can help detect anomalies.

3. Reaction

• Transmitter localization: Portable tools for detecting and locating Wi-Fi networks and jammers should be used regularly to identify unexpected radiation.
• Neighborhood relations: Good relationships with neighbors and their security personnel can help identify and report threats at an early stage.

Conclusion

The use of drones poses a serious threat to information security. Companies and organizations should therefore develop additional and new countermeasures and integrate them into their existing security processes. This includes technical and organizational measures to raise awareness and shield as well as to detect and respond to drone operations.

By integrating drone scenarios into existing risk analyses and implementing the aforementioned measures within the framework of existing security concepts, companies and authorities can significantly improve their information security and arm themselves against the growing threats posed by drone operations. Only through a holistic and proactive approach can the risks posed by drone operations be effectively minimized.