With several months of cybersecurity weeks behind us, it can be easy to lose sight of the lessons learned from these efforts, much like how our New Year’s resolutions get a little blurry in March. But safety is key to the success of our industry. It impacts public perception and trust, government contracts, data integrity, national security, and more. Incidents that lead to critical breaches of our data can cast a shadow over whether drones are a reliable technology to be used commercially, whether that is to capture critical infrastructure data, participate in public safety and emergency services, or provide oversight of our assets. At the end-user level, this can lead to the question of whether they can trust personal data. This is why safety is a permanent subject that must be discussed often and kept in the news throughout the year, so that we do not lose sight of this critical aspect.
To fully understand how important cybersecurity is to our industry, Commercial UAV News sat down with Jeff Horne, Skydio’s new security manager, to talk about his new role with the company, what the culture of safety is and its importance, the impact of safety on trust, how governments view and think about security, and more.
Danielle Gagné: What brought you to join Skydio as the new Head of Security?
Jeff Horne: I have been incredibly lucky to have worked on several interesting projects with great teams. I have already worked on securing autonomous vehicles and I am also passionate about FPV drones. When I heard that Skydio was looking for a security chief, I was immediately interested. Safety is a primary concern in the drone industry and is often the deciding factor in which drone customers can use to meet their needs – an exciting chance for a security professional to be critical to the success of the business. As the reach of small camera drones has widened from consumer toys to essential tools for national security, we are seeing a shift in the market from manual drones manufactured by China-based companies to compatible autonomous drones with AI made in the United States.
Skydio is leading this charge, and I knew I wanted to work for a company that had a great, easy-to-use product that could help keep people safe and their jobs more efficient. From my very first meeting with Skydio, it was obvious that the team also had something else that means a lot to me: passion. In addition to being highly skilled and technical, the teams are passionate about their work, dedicated to product improvement, and committed to truly helping our customers deliver on the promise of autonomous drones.
In your opinion, what are some of the biggest physical and cyber security threats facing the drone industry?
Drone safety is somewhat new. Originally, drones were seen as offline devices or simple Internet of Things (IoT) devices that only needed Internet access to download updates. Drones have now evolved into autonomous flying computers supported and operated by cloud services. I think the biggest threat to the drone industry right now is the actual safety and security of the device.
Securing an autonomous flight computer has several facets that openly touch on aspects of confidentiality and security. Skydio is the industry leader in autonomous drones, and I want to make sure that we continue to be the leader in cybersecurity as well.
In your previous interviews, you explained that safety must be at the heart of a company’s culture. Can you tell us what it looks like in concrete terms?
I think making safety a part of a company’s culture starts with instilling the understanding that responsibilities for safety extend to everyone in the company. Beyond general security awareness training, I think it’s important both to educate employees on the common attacks businesses face every day and to encourage reporting any potential security issues. I believe social compliance with poor safety practices is a major issue in many organizations and educating employees and making them ask why or report a potential risk is one way to break this cycle.
In practice, this means training employees on a regular basis and being transparent about the risks your business faces, as well as the details of incidents and security issues the organization has experienced. However, I think it is also important that all employees become safety stewards and hold accountable and inspire people to raise potential safety concerns. Sunlight is the best disinfectant.
When looking to build your security infrastructure, a good place to start is the fundamentals: single sign-on, multi-factor authentication, enforcing encryption at rest and in transit, regular update rate, vulnerability discovery and remediation, and security awareness safety training. All of these are absolutely necessary to both pass common security compliance (e.g. SOC 2 Type II) and thwart basic attacks.
In addition to protecting your organization, you can continue to protect your customers by injecting a culture of safety into your product culture. Our Skydio X2 is designed to deliver enterprise-grade cybersecurity, offering signed and encrypted vehicle firmware, encrypted storage and data link encryption.
What can happen if safety is not part of the corporate culture?
If security is not part of the corporate culture, there is an increased risk of simple security issues not being discovered in time and leading to a breach. If you look at the history of security vulnerabilities, you will find that the vast majority were not complicated hacks with 0day exploits found in vulnerable code. Instead, most of the breaches were apparently basic security oversights like compromised passwords on external services, private key leaks in source code, social engineering workers and misconfigured databases on the internet, etc.
Last year, the supply chain attack on a US IT company, which was attributed to Russian nation-state actors with advanced capabilities who were nonetheless able to access the target’s network through a file server connected to the Internet whose password had been leaked on the Internet months earlier, is a good example. To make matters worse, this breach had been reported to the company months before the attack by an outside security engineer and was never corrected. A culture of urgency around cybersecurity would have preempted this basic vulnerability using basic information security techniques.
Beyond the safety culture of a sole proprietorship, there is a lot of back and forth between various government agencies regarding safety that is impacting this industry right now. What are the main concerns of these agencies?
My main concern for US government agencies is their ability to keep up with new technologies and adopt the appropriate controls to use those technologies safely. I have a lot of experience with various government agencies and a ton of respect for the men and women who work in those agencies, but I’m concerned that the bureaucracy will slow down their time to adapt to new technologies and the security best practices associated with these new technologies, and instead they are implementing the same outdated security controls that prevent them from innovating in the private sector.
How do we navigate, deal with and plan for these government security issues as an industry?
I believe the private sector needs to quickly implement the security controls mentioned in the newly proposed security frameworks and regulations (e.g. CMMC, Cybersecurity Maturity Model Certification, NIST 800-161 Draft) and other safety laws well ahead of deadlines. The private sector has historically sat and watched government cybersecurity proposals come and go and waited for the dust to settle before planning to meet the implementation deadline that sometimes is years away. Personally, I think the significant risks are clearly defined today for areas such as the software supply chain and I would like more companies to be proactive in addressing these gaps in a thoughtful manner.
A major topic that enters conversations about the adoption of drone technology is trust. What is the relationship between security and trust in the drone industry?
I firmly believe that confidence in the drone industry is based on safety and security. An organization won’t trust a UAS company if its system is visibly unsafe and insecure, or if the manufacturer is beholden to governments that don’t care about the privacy of end-customer data. Much of the cybersecurity work done on trust involves managing supply chain risk. Code used on UAS is not always uniquely developed by the UAS company and may include dependencies on other code or other third-party applications. I think safety on board is paramount and something that we take very seriously at Skydio.
What are your final thoughts or takeaways on cybersecurity in the drone industry?
The only way to trust a connected device is to trust the manufacturer and the legal framework in which they operate. Skydio products have won the trust of the world’s most demanding customers. The US Department of Defense has concluded that Skydio’s defense and corporate products meet the supply chain security requirements required by Congress in the National Defense Authorization Act (NDAA). For these reasons, Skydio X2 has been selected as a trusted drone platform for the US Department of Defense as part of the Defense Innovation Unit’s Blue sUAS program.