Daily Archives: January 4, 2016

Got a Drone for Christmas? Don’t forget Registration and Regulation

Whilst trying to contain my disappointment at not getting Millennium Falcon drone in my stocking, I asked Advent IM Security Consultant, Del Brazil, what the implications are for those of us who do have drones, Star Wars based or not…

Civil Aviation Authority (CAA)

Image courtesy of Salvatore Vuono at FreeDigitalPhotos.net


As Christmas has been and gone, many of us will now be the proud owner of a drone in some form or another. The excitement and thrill of being in control of your own flying machine, perhaps coupled with a camera of some description, is matched only by the recent hype around the new Star Wars movie. Some people, the author included, may disagree; others may view the freedom of flying a drone as quite a fun hobby, but we all have our own vices.

The CAA defines a drone as an unmanned aircraft which, unlike the traditional remote controlled model aircraft that enthusiasts have flown for many years, has the potential to pose a greater risk to the general public and to other aircraft. Unlike manned or model aircraft, there are currently no established operating guidelines, so operators may not be aware of the potential dangers or indeed of their responsibility to avoid collisions. Anyone flying a drone, recreationally or commercially, has to take responsibility for doing so safely.

The CAA’s focus is purely safety. The criminal use of drones, including harassment, anti-social behaviour or damage to property, is a police matter. If people have concerns about a drone being flown in public they should call the police, a CAA spokesman says. “Local police can assess the situation in real time and, if there is any evidence of breaching the air navigation order, they will pass on any information on to us.”

It has been reported that the CAA has prosecuted two Unmanned Aerial Vehicle (UAV) operators for safety breaches, with another four investigations pending. The Association of Chief Police Officers was unable to say how many prosecutions the police have made over drones, but there have been a few. During the ongoing House of Lords select committee inquiry on remotely piloted aircraft systems, Chief Inspector Nick Aldworth of the Metropolitan Police said: “We do not have a criminal privacy law in this country, so it is not the concern of the police to try to develop or enforce it.”

Is there any other legislation that drone operators may fall foul of? According to Chief Inspector Aldworth, “The most obvious example to date is the Sexual Offences Act 2003 and the specific offence of voyeurism.”

The number and frequency of incidents being reported around the world is on the increase. These include a Euro 2016 qualifier in Belgrade being stopped after a drone trailing an Albanian flag was flown over the stadium, while in France a number of nuclear power stations were buzzed by drones in a series of mysterious incidents.

Among the associations affiliated with flying and/or airspace, the British Airline Pilots Association (BALPA) is campaigning for drones to be programmed not to enter certain airspace, a technique known as geo-fencing. The Phantom series of drones, sold by manufacturer DJI, already includes geo-fencing: the drone’s GPS firmware is programmed with the co-ordinates of thousands of airports around the world and it cannot enter these areas. If it tries to, it will be forced to land, and within a 2km radius of a major airport its height will be capped at just 10m.

Another step BALPA is calling for is that, just as with a car or television, people purchasing a drone would have to give their personal information to the retailer and that this information should be logged, or that users be required to register their drones with the relevant authority. This has a twofold effect: if a drone is apprehended the owner can be traced so that it is returned to its rightful owner, and the record may also assist in any investigation relating to illegal activity undertaken by the operator.

Another possible solution would be to build in strict height limitations, just like the Phantom 2, which is limited to a height of 400 feet; although this is likely to be easily circumvented with software.
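As an added illustration, not code from DJI or from the original post, the following shows how the tiered geo-fence described above (forced landing near an airport, 10m ceiling within 2km) and the general 400-foot ceiling from the previous paragraph can be expressed as a flight-controller decision. The airport table is constructed sample data, and the 1.5km inner no-fly radius and all function names are assumptions; only the 2km/10m rule and the 400ft limit come from the text.

```python
import math

# Constructed sample of the kind of airport table a geo-fenced drone carries.
# Coordinates are approximate and illustrative, not a manufacturer's database.
AIRPORTS = {
    "LHR": (51.4700, -0.4543),   # London Heathrow
    "BHX": (52.4539, -1.7480),   # Birmingham
}

NO_FLY_RADIUS_M = 1500            # assumed inner zone: entry refused, forced landing
CAPPED_RADIUS_M = 2000            # from the text: within 2 km the ceiling is 10 m
CAPPED_CEILING_M = 10.0
GENERAL_CEILING_M = 400 * 0.3048  # the 400 ft hobbyist limit, in metres (~121.92 m)


def haversine_m(lat1, lon1, lat2, lon2):
    """Great-circle distance in metres between two WGS84 points."""
    r = 6_371_000.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dl = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dl / 2) ** 2
    return 2 * r * math.asin(math.sqrt(a))


def nearest_airport_m(lat, lon):
    """Return (code, distance_m) of the closest airport in the table."""
    return min(((code, haversine_m(lat, lon, *pos)) for code, pos in AIRPORTS.items()),
               key=lambda t: t[1])


def geofence_decision(lat, lon, requested_alt_m):
    """Decide what the flight controller does for a requested position and altitude.

    Returns (action, permitted_alt_m): 'land' inside the assumed no-fly zone,
    otherwise 'fly' with the altitude clamped to whichever ceiling applies.
    """
    code, dist = nearest_airport_m(lat, lon)
    if dist <= NO_FLY_RADIUS_M:
        return "land", 0.0
    ceiling = CAPPED_CEILING_M if dist <= CAPPED_RADIUS_M else GENERAL_CEILING_M
    return "fly", min(requested_alt_m, ceiling)


if __name__ == "__main__":
    # ~1.8 km north of Heathrow: outside the no-fly zone but inside the 2 km cap.
    print(geofence_decision(51.4862, -0.4543, 50.0))   # ('fly', 10.0)
```

The check that matters for the "easily circumvented with software" caveat is that these limits live in firmware the operator controls, which is why the text treats geo-fencing as a safety aid rather than an enforcement mechanism.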

Regulations have just come into force in the United States which require hobbyists to register drones as small unmanned aircraft systems on the Federal Aviation Administration website. The online registration service is active, but it is unclear how many registrations have actually taken place so far.

In Ireland, as of 21st December 2015 it is mandatory for all drone operators to register any drone that weighs more than 1kg, in accordance with the Small Unmanned Aircraft (Drones) and Rockets Order S.I. 563 of 2015. A clear ‘do’s and don’ts’ guide is available on the Irish Aviation Authority (IAA) website.

At present there is no regulation in place within the UK that requires operators to register their drones; however, that is likely to change as more incidents occur that threaten not only life but also privacy. There are plans afoot within the House of Lords EU Committee for a drone register to be created, which would initially capture business and professional operators and eventually ordinary consumers too. There is an Official UK Drone Register, but this is specifically for operators/owners who voluntarily add their details to a public register to help return drones that go astray.

The cyber-buck stops in the boardroom…

Advent IM Security Consultant Del Brazil gives us his view of some of the comments and takeaways that ALL boards need to be aware of, following Dido Harding’s appearance before a parliamentary committee on the TalkTalk breach.

The TalkTalk security breach continues to roll on, with TalkTalk CEO Dido Harding telling a parliamentary committee on 23.12.15 that she was responsible for security when the telecoms firm was hacked in October. Although there was indeed a dedicated security team in place within TalkTalk, it is unrealistic to place the blame solely at the feet of the security team, as security is a responsibility of the whole organisation. It is fair to assume that in the event of a security related issue, as in this case, one person must take overall responsibility and be held to account for the potential lack of technical and procedural measures that may have prevented the breach occurring.

It is also fair to assume that if the security breach can be attributed to a single individual, then that is an internal disciplinary matter for TalkTalk to resolve, unless there is clear criminal intent on the part of the individual concerned.

It is worth noting that although every effort may be taken to implement the latest security techniques or measures, there is always the possibility that a hacker, a like-minded criminal organisation or even a disgruntled member of staff may find a way through or around them.

As long as an organisation can demonstrate that it has taken a positive approach to security, considered a number of possible attacks and taken steps to mitigate them, this may satisfy the ICO that one of the key principles of the DPA has been considered.

Organisations should review their security measures and practices on a regular basis to ensure that they remain suited to the ever changing threat. It is accepted that no organisation will ever be completely safe or un-hackable, but as long as it conducts annual threat assessments and considers those threats in a clearly documented risk assessment, it can sleep at night knowing that it has taken all necessary steps to defeat, deter and/or detect a potential attack.


The TalkTalk security breach has highlighted a number of failings, in the opinion of the author, and although they are deemed to be of a serious nature, praise should go to the TalkTalk team for being open, honest and up front from the outset. This has resulted in quite a lot of bad press, the effects of which TalkTalk are still feeling, although some people say that ‘all publicity is good publicity.’ It is clear that TalkTalk are taking the security breach very seriously and are fully engaged with the relevant investigating bodies whilst making every effort to bolster their current security posture.

It is very easy for board members to assume the role of Director of Security without fully understanding the role or having any degree of training or background knowledge. Any organisation should ensure that it employs or appoints staff with the correct level of knowledge and experience to specific posts, thus facilitating the ‘best person for the best role’ approach. Currently security, and more specifically IT security, is seen as a secondary role that can be managed by a senior person from any area of the business; however, it is finally becoming apparent to organisations that the IT security role warrants its own position within the organisational structure.

Image courtesy of Master isolated images at FreeDigitalPhotos.net

In the author’s opinion it is the organisations that have yet to report security breaches that are of more concern, as no one knows what level of security is in place within them. It is not that the author suspects these organisations have insufficient security in place; it is the fact that they do not report or publicise any cyber security related incidents that is the concern. No organisation is so secure that a breach of cyber security, or at least a cyber related security incident, never occurs. It is far better for organisations to highlight or publish any attempted or successful attacks, not only to assist other organisations in defeating or detecting attacks but also to show a degree of transparency to their customers.