SpiderOak provides zero-trust solutions to protect drone data
By DRONELIFE Features Editor Jim Magill
As the number of UAVs flown for a wide variety of purposes grows, drone fleet operators are becoming increasingly concerned over the need to protect their data from malicious actors who might want to steal it, as well as protecting their fleets from spoofing or jamming attacks.
A U.S.-based data software company, which has developed a zero-trust system to ensure the security of satellite transmissions, now is offering a similar blanket of protection for data sent to and collected by drones.
“We have basically created a developmental platform for people that build software systems for drones or satellites, or really any embedded application or application that you might find in a data center,” Kip Gering, chief revenue officer for SpiderOak, said in an interview.
“This development platform allows the developers to say that for every message that they send out, that digital interaction will be authenticated and authorized by the applications that are receiving them,” he said. This differs from the traditional way of protecting the security of data, by means of relying on network security controls that are typically deployed in IT-based systems.
SpiderOak’s technology is based on the principle of zero trust. “Zero trust is a framework for adopting cybersecurity principles and best practices that fundamentally come down to ‘Never trust, always verify,’” Gering said.
Prior to the introduction of zero trust, most cyber-security principles were based on controlling access to a communications network at the network’s perimeter. “But as more devices get connected, and interactions are happening within those networks, communication may go from one network to the next network,” he said.
The guiding principle of zero trust is, “Always identify yourself, always request access and request permission for any type of interaction to occur,” Gering said. “Then build out the infrastructure to ensure that when things –whether it’s an application, a computer, a device or a sensor — request permission to share information or to communicate with each other, there’s the infrastructure there that is basically ensuring that those digital interactions can be trusted regardless of where they exist on the network.”
For the developers of drone networks used in commercial or defense applications, SpiderOak has created a development platform that “allows the developers to say for every message that they send out, that digital interaction will be authenticated and authorized by the applications that are receiving them.”
Kamrul Hasan, an assistant professor and director of the cybersecurity lab in Tennessee State University, said zero trust is based on a device’s identity as well as on authentication. So, in a case where both drones and a system’s ground station have been identified, “You have to implement a mutual authentication,” before any data transfers can take place, he said.
“The zero-trust security model assumes that no user, device or system is tested by default, even if inside the network perimeter. So, every action requires continuous verification,” said Hasan.
This system of data security protection is particularly useful for military drones, which often operate in hostile and uncontrolled environments, disconnected from radio control signals. Normally such drones are vulnerable to spoofing attacks and command signal hijacking, Hasan said. “So, if you look into those attack patterns and if you want to get solid or concrete, holistic solutions to protect from those types of attack, in that case you have to think about zero trust.”
Gering said zero-trust solutions also are expected to become more important to operators of commercial drone fleets as the FAA gets ready to implement a sweeping BVLOS rule, opening up much of the U.S. airspace to UAV traffic.
“With this ruling around BVLOS, we see an opportunity — just like we see with driverless vehicles and connected vehicles — where, for safety purposes, you may want to share information of a drone that’s in flight with other sensors and other infrastructure that may be in the proximity,” he said.
“We think that that ruling will bring about the need for more edge interactions, or interactions between infrastructure and drones, and maybe even between drones themselves,” Gering said. “And that presents its own challenge, because then you’ve got this peer-to-peer type of interaction where you need to make sure that messages are transmitted securely.”
SpiderOak’s zero-trust architecture allows this type of communication, without relying on the use of a central server, he said. “We provide you with the ability to calculate those policies and enforce the security around those digital interactions locally on board the drones and between drones and infrastructure that may be on the ground for safety or navigation purposes.”
Gering said that employing SpiderOak’s zero-trust system can even ensure that data collected by an operator’s drone will stay under the operator’s control, despite the drone’s country of origin. This potentially could prove to be an important tool for American companies that operate fleets of drones produced by Chinese manufacturers such as DJI or Autel, who nevertheless want to keep their data from traveling outside the country.
“We are a fully owned U.S. company. All of our employees are U.S. citizens, and we’ve done a lot of work with the DOD [U.S. Department of Defense]. So, we’re, we’re pretty solid from that perspective,” he said.
“If I did have a mix of Chinese and U.S. drones, I could have a consistent security architecture across those drones, and I could change what the Chinese drones were allowed to do and allowed to see versus what the U.S.-manufactured drones would be allowed to see,” he said. “So, we’re not dependent on the hardware, which would have been manufactured in China, for the security controls.
Want DRONELIFE news delivered to your inbox every weekday? Sign up here.
Read more:
- Exclusive Interview: DJI Officials Defend Data Security Policies Amid Chinese Drone Ban Concerns
- Controversy Surrounding Data Security of Chinese-made Drones Sparks Intense Debate
- Do Drone Users Really Care About Data Security? What the Survey Numbers Say
Jim Magill is a Houston-based writer with almost a quarter-century of experience covering technical and economic developments in the oil and gas industry. After retiring in December 2019 as a senior editor with S&P Global Platts, Jim began writing about emerging technologies, such as artificial intelligence, robots and drones, and the ways in which they’re contributing to our society. In addition to DroneLife, Jim is a contributor to Forbes.com and his work has appeared in the Houston Chronicle, U.S. News & World Report, and Unmanned Systems, a publication of the Association for Unmanned Vehicle Systems International.
Miriam McNabb is the Editor-in-Chief of DRONELIFE and CEO of JobForDrones, a professional drone services marketplace, and a fascinated observer of the emerging drone industry and the regulatory environment for drones. Miriam has penned over 3,000 articles focused on the commercial drone space and is an international speaker and recognized figure in the industry. Miriam has a degree from the University of Chicago and over 20 years of experience in high tech sales and marketing for new technologies.
For drone industry consulting or writing, Email Miriam.
TWITTER:@spaldingbarker
Subscribe to DroneLife here.
Leave a Reply