Securing Critical Infrastructure - CISA

ACI’S 2ND ANNUAL NATIONAL C-UAS CONGRESS

SECURING CRITICAL INFRASTRUCTURE

DEFEND TODAY, SECURE TOMORROW

CISA | CYBERSECURITY AND INFRASTRUCTURE SECURITY AGENCY 1 2/23/2024 Unclassified

Who is CISA?

CISA’s mission is to lead the national effort to understand, manage, and reduce risk to our cyber and physical infrastructure.

The integration of unmanned aircraft systems into the national airspace system and within critical infrastructure operations has emerged as a particularly concerning physical and cyber threat.

Why are we focused on UAS?

Careless & Clueless

▪ Most common incidents

▪ Intent not required to represent a threat

▪ UAS maintenance and operator training unverifiable leading to recklessness

▪ Unintentionally or unknowingly violate flight restrictions

Non-attack nefarious

▪ Hide in plain sight

▪ Spying to conduct IP theft or Espionage

▪ Pre-operational planning surveillance

▪ Disrupt to distract or delay

▪ Deliver payloads supporting insider criminal acts

Cyber / physical attack

▪ Battle tested

▪ Traditional security measures ineffective (gates/guards)

▪ Close-in blast capable

▪ Expansive cargo array

▪ Payload / drop capable

▪ Sprayers

▪ Cyber-attack platform

▪ Sensors / Cameras

What are the UAS incidents at critical infrastructure sites?

Commercial Facilities Sector incidents include disrupting sporting venues and crashing into amusement rides.

Energy Sector incidents include drones crashing into electricity substations, damaging powerlines, and surveillance on oil & gas facilities.

Transportation Systems Sector incidents include disrupting air operations and suspicious activity around rail facilities and pipelines.

Chemical Sector incidents include conducting surveillance around chemical facilities and drones landing/crashing in secure areas.

Nuclear Reactors, Materials, and Waste Sector incidents include interfering with nuclear facilities and conducting surveillance.

What are the challenges with managing UAS risk?

Majority of critical infrastructure is owned/operated by the private sector

Airspace above most critical infrastructure is generally unrestricted

Limited/no air domain awareness due to legal restrictions/ambiguity when operating detection-only technology

When detection is possible, attribution and accountability are unreliable

Private sector AND their supporting SLTT law enforcement are not authorized to use mitigation technology to counter credible threats

How is the private sector addressing UAS risk?

Modifying risk assessment methodology

Engaging local communities and posting signage

Investing in and operating authorized detection-only technology

Updating incident response plans and partnering with local law enforcement to address suspicious activity

Advocating for federal, state and local laws and regulations

What else needs to be done?

Execute the Domestic C-UAS National Action Plan

Reauthorize and expand existing C-UAS authorities

✓ TSA C-UAS authority

✓ Detection-only for critical infrastructure

✓ SLTT law enforcement C-UAS Pilot

Improve UAS incident reporting

Operationalize Remote ID

Implement Section 2209 of the FAA Extension, Safety and Security Act of 2016

“Establish procedures for applicants to petition the FAA to prohibit or restrict the operation of drones in close proximity to a fixed site facility (critical infrastructure)”

Invest in public awareness and education activities

Are UAS an aircraft or a connected device?

Information and Communications Technology and Services

“hardware, software or other product or service…primarily intended to fulfill or enable the function of information or data processing, storage, retrieval or communication by electronic means”

Why it matters: too often, inexperienced operators view drones as a toy and ignore airspace rules. Similarly, organizations with siloed security functions can overlook drones as a connected device and ignore the cyber hygiene and cybersecurity standards required to protect information and networks.

UAS ICTS National Security considerations?

Chinese UAS market dominance

Chinese Intelligence Law of 2017

Executive Order 13981

Chinese military-civil designations – 1206h

2023 National Cybersecurity Strategy

2023 ODNI Annual Threat Assessment

How can we manage UAS cybersecurity risk?

Invest in tested and verified secure drone technology

Integrate physical security and cybersecurity functions

Establish and maintain secure drone fleets

Train drone operators on cyber hygiene and cybersecurity before, during and after flights

For more information: cisa.gov/uas-critical-infrastructure

Questions? sUAS Security Email: sUASsecurity@cisa.dhs.gov