CISA and FBI issue guidance on Chinese-manufactured UAS for critical infrastructure owners and operators

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) issued on Wednesday a warning to increase awareness of potential threats associated with Chinese-manufactured Unmanned Aircraft Systems (UAS). They also provided recommendations for cybersecurity measures to help protect networks and sensitive data for critical infrastructure entities, as well as state, local, tribal, and territorial (SLTT) partners. 

Titled ‘Cybersecurity Guidance: Chinese-Manufactured UAS,’ the cybersecurity guidance identified that the People’s Republic of China (PRC) has enacted laws that provide the government with expanded legal grounds for accessing and controlling data held by firms in China. The use of Chinese-manufactured UAS in critical infrastructure operations risks exposing sensitive information to PRC authorities.

Additionally, the guidance outlines the potential vulnerabilities to networks and sensitive information when operated without the proper cybersecurity protocols and the potential consequences that could result. The guidance also provides additional resources to augment an organization’s preparedness, response, and resilience.

“Our nation’s critical infrastructure sectors, such as energy, chemical, and communications, are increasingly relying on UAS for various missions that ultimately reduce operating costs and improve staff safety. However, the use of Chinese-manufactured UAS risks exposing sensitive information that jeopardizes U.S. national security, economic security, and public health and safety,” David Mussington, CISA executive assistant director for infrastructure security, said in a Wednesday media statement. “With our FBI partners, CISA continues to call urgent attention to China’s aggressive cyber operations to steal intellectual property and sensitive data from organizations.”  

“Without mitigations in place, the widespread deployment of Chinese-manufactured UAS in our nation’s key sectors is a national security concern, and it carries the risk of unauthorized access to systems and data,” Bryan A. Vorndran, assistant director of the FBI’s Cyber Division, said. “The FBI and our CISA partners have issued UAS guidance in order to help safeguard our critical infrastructure and reduce the risk for all of us.”  

The PRC’s collection of sensitive information and potential network access obtained from Chinese-manufactured UAS may result in significant consequences to critical infrastructure security and resilience. Acquisition of such data or network access has the potential to advance the PRC’s strategic objectives and negatively affect U.S. economic and national security by exposing intellectual property to Chinese companies and jeopardizing an organization’s competitive advantage. 

The consequences also include providing enhanced details of critical infrastructure operations and vulnerabilities, increasing the PRC’s capability to disrupt critical services; compromising cybersecurity and physical security controls, leading to potential physical effects such as theft or sabotage of critical assets; and exposing network access details that enhance the PRC’s capability to conduct cyber-attacks on critical infrastructure.

The CISA-FBI guidance identified that UAS devices controlled by smartphones and other internet-connected devices provide a path for UAS data egress and storage, allowing for intelligence gathering on U.S. critical infrastructure. While ensuring that network-connected devices are up to date with the latest patches and firmware is critical for the secure operation of any ICT device, updates controlled by Chinese entities could introduce unknown data collection and transmission capabilities without the user’s awareness. That data might be accessed by the PRC through legal authorities.

Furthermore, it detailed that as UAS and their peripheral devices such as docking stations are incorporated into a network, the potential for data collection and transmission of a broader type—for example, sensitive imagery, surveying data, and facility layouts—increases. This new type of data collection can allow foreign adversaries like the PRC to access previously inaccessible intelligence. 

The UAS guidance emphasizes the integration of UAS into organizational cybersecurity strategies, including developing secure operational plans for UAS programs, treating UAS components as IoT devices within the cybersecurity framework, and isolating networks to contain breaches, using separate networks or VPNs. It also focuses on adopting a zero trust architecture to verify all network activities; using phishing-resistant multi-factor authentication (MFA) for enhanced security; and unifying cybersecurity and physical security for comprehensive risk management.

The CISA-FBI said that when procuring UAS, organizations should select UAS that meet operational and security needs and are designed with security in mind; understand the manufacturing origins and applicable laws to evaluate security and supply chain risks; and review the UAS privacy policy for data handling practices. They must also implement a Supply Chain Risk Management (SCRM) Program for ICT devices to maintain UAS integrity and reliability. They should also conduct software and hardware bill of materials reviews for critical UAS components to mitigate supply chain risks and enhance ecosystem resilience.

When it comes to UAS maintenance, the guidance identified that organizations should regularly update, analyze, and train personnel as per organizational procedures; manage the UAS within an IT asset framework for effective tracking and risk management; run a vulnerability management program to apply firmware patches and updates promptly; and use a configuration and change management program to ensure security and functionality. They must also obtain firmware updates directly from the manufacturer or a trusted source to avoid compromise; use a sandbox environment for verifying firmware updates before deployment; conduct log analysis and compliance checks to detect unauthorized access; and provide IT security education and training to keep operators informed about threats and best practices.

During UAS operations, the cybersecurity guidance calls upon critical infrastructure owners and operators to ensure adherence to operational and security policies; installation of current software and firmware to reduce threats; strong encryption for data-at-rest and data-in-transit to protect data confidentiality and integrity; and deletion of data from UAS after transfer and secure storage. It also calls for the removal and secure storage of portable storage devices like SD cards, maintenance of a secure connection using VPN or encryption to safeguard communication, and avoidance of broadcasting or live streaming to prevent unauthorized data access.

Last month, the CISA and FBI released a joint Cybersecurity Advisory (CSA) containing updated information on the tactics, techniques, and procedures (TTPs) employed by ALPHV Blackcat affiliates. The advisory also includes indicators of compromise (IOCs) that have been identified through recent FBI investigations, as of Dec. 6, last year.
