Monday, October 21, 2024

Risk for critical infrastructure over China-manufactured drones


“Drones remain widely unchecked in Australia and a lot of them are used in critical infrastructure for surveillance and making repairs, but they are essentially flying computers,” CSCRC chief executive Rachael Falk told The Australian Financial Review.

“They have increasingly sophisticated sensors, cameras, image processing, and just like a regular computer you would have on your desktop, you need to make them more cyber secure. There is no regulation, or standards, around doing that.”

Diversified portfolio

CSCRC and Omni’s research noted that 70 per cent of the total global share of drones were manufactured by DJI, a Chinese company.

“Whenever you have concentration of manufacturing in one country, in this case it’s China, as it was with solar inverters, you have to consider where you’re buying your essential kit from,” Ms Falk said.

“If your drones are essential to your critical infrastructure, both in how you get from a sensitive information point of view but also commercial advantage, you need to consider whether you need to diversify your portfolio of where your drones come from.”

The report highlights China’s National Intelligence Law from 2017, which requires organisations and citizens to “support, assist and cooperate with the state intelligence work”.

The legislation was a major consideration for the Australian government’s 2018 ban of Chinese telecommunications companies, including Huawei and ZTE, from providing equipment in the rollout of 5G mobile phone networks.

“Under this statute, Chinese-owned companies are bound, or could be compelled, to provide intelligence to the Chinese Communist Party (CCP),” the report said.

Cyber threats

“In the case of UAVs, this could include, for example, injecting spyware or malware, interception of collected data, and the manufacturing of UAVs with ‘back door’ vulnerabilities and the ability to surreptitiously communicate with third parties.”

In May 2023, the Australian Defence Force suspended the use of DJI-manufactured drones. The Department of Home Affairs followed by suspending its use of DJI products, including cameras, and the Australian Federal Police also said it would transition away from their use.

Ms Falk said regulation may not be needed at this time. But formal guidance from government was a must.

Omni general manager Luke Easey said with the explosion in drone use, security should be a top priority.

“Providing clear guidance to critical infrastructure entities about UAV cyber security is an easy way to educate them about potential threats and ultimately mitigate against UAV-related cyber threats, which will benefit all Australians,” he said.

Ms Falk said this would include “things like upgrading firmware, operating system changes, applying patches, using strong passwords at your base station application, anti-virus software, subscribing to a VPN (virtual private network) between your base station and all the things you do in the real world, and limiting the number of devices that can connect to a base station.”
