The Department of Homeland Security’s top cyber office is warning energy companies about threats posed by drones built in China, according to a document issued yesterday and reviewed by E&E News.
The alert to industry on "Chinese Manufactured Unmanned Aircraft Systems" does not single out specific companies or share concrete examples of past data theft by Chinese drone providers. Instead, it warns that China-based companies "could be persuaded or compelled" to access sensitive data collected from U.S. sites, given Beijing’s "unusually stringent obligations" on its citizens and domestic companies.
"Organizations that conduct operations impacting national security or the nation’s critical functions must remain especially vigilant as they may be at greater risk of espionage and theft of proprietary information," the alert states.
DHS’s Cybersecurity and Infrastructure Security Agency included tips for mitigating risks posed by Chinese-built drones, such as disabling the devices’ internet connections and wiping data contained on memory cards after every flight.
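The two mitigations CISA lists, cutting the aircraft's internet link and wiping the memory card after each flight, are operational controls rather than settings on the drone itself, but the wipe step can be scripted and verified on the ground-station side. The shell routine below is an added example written for this page; it is not from the DHS alert, DJI or any vendor tooling. It assumes the card has been unmounted and is addressed as a raw device node (or, for testing, as an image file), that the usual coreutils `head`, `dd` and `cmp` are present, and that `blockdev(8)` is available when the target is a real device.

```shell
#!/bin/sh
# Post-flight memory-card wipe with read-back verification.
# Added example, not the alert's or any vendor's code. Assumes the card is
# unmounted and $1 names the raw card: a block device such as /dev/sdb, or an
# image file when testing. Needs coreutils (head, dd, cmp); blockdev(8) is
# used only for real devices.

# Size of the target in bytes: blockdev for a device node, wc for a file.
card_size() {
    if [ -b "$1" ]; then
        blockdev --getsize64 "$1"
    else
        wc -c < "$1" | tr -d ' '
    fi
}

# Overwrite every byte of the card with zeros. conv=notrunc writes in place,
# so the same command works for a device node and for an image file.
wipe_card() {
    target="$1"
    [ -e "$target" ] || { echo "wipe_card: no such target: $target" >&2; return 1; }
    size=$(card_size "$target")
    [ "$size" -gt 0 ] || { echo "wipe_card: empty target: $target" >&2; return 1; }
    head -c "$size" /dev/zero | dd of="$target" conv=notrunc 2>/dev/null
    sync
}

# Read the card back and confirm it is all zeros. cmp -n bounds the comparison
# to the card's size because /dev/zero never ends. Exit status 0 means clean.
card_is_clean() {
    size=$(card_size "$1")
    cmp -n "$size" "$1" /dev/zero >/dev/null 2>&1
}

# Full post-flight routine: wipe, verify, append an audit record.
# Non-zero exit means verification failed and the card must not go back
# into the aircraft until it has been dealt with.
post_flight_wipe() {
    target="$1"
    log="${2:-/dev/null}"          # audit log path; hypothetical default
    wipe_card "$target" || return 1
    stamp=$(date -u +%Y-%m-%dT%H:%M:%SZ)
    if card_is_clean "$target"; then
        printf '%s WIPED %s (%s bytes)\n' "$stamp" "$target" "$(card_size "$target")" >> "$log"
        return 0
    fi
    printf '%s WIPE-FAILED %s\n' "$stamp" "$target" >> "$log"
    return 1
}
```

On a real card, run `post_flight_wipe /dev/sdX /var/log/drone-wipes.log` as root after unmounting the card (paths are illustrative). One caveat the alert does not spell out: on flash media the card's controller does wear levelling, so stale copies of footage can survive in blocks a host-side overwrite never reaches. A zero-fill plus read-back is therefore a sound operational check, not a forensic guarantee; pairing it with the aircraft's own format function, or encrypting the card where the platform supports it, is the stronger practice.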
The warning comes as U.S. energy firms have increasingly turned to drones for inspecting infrastructure and scouting hard-to-access terrain. Foreign electric utilities, for example, have used drones for things such as burning away trash from power lines. Recently, there also have been heightened tensions between the United States and China over trade and technology.
The Trump administration has drawn attention to potential security flaws in Chinese products, from telecommunications equipment to the large power transformers that form the backbone of the U.S. power grid (Energywire, April 25). American intelligence officials worry their Chinese counterparts could bake back doors for spying or sabotage into such sensitive devices, though cybersecurity experts remain divided about the severity of the risk.
SZ DJI Technology Co. Ltd., one of the biggest U.S. commercial drone suppliers, has vehemently denied past DHS allegations that its products could redirect data to Chinese spies. DJI’s headquarters are in Shenzhen, China, and it has offices in Los Angeles; Tokyo; and Frankfurt, Germany, among other cities.
"We give customers full and complete control over how their data is collected, stored, and transmitted," DJI spokesman Adam Lisberg said in a statement yesterday on the DHS alert. "For government and critical infrastructure customers that require additional assurances, we provide drones that do not transfer data to DJI or via the internet, and our customers can enable all the precautions DHS recommends."
DJI’s assurances, paired with independent testing, have enabled the company to snag several high-profile customers in sensitive industries, including the New York Police Department. NYPD officials recently unveiled a drone program for mapping, search, rescue and tactical operations featuring 14 DJI models. Police officials did not respond to requests for comment on the risks highlighted by DHS.
Still, the Department of Defense bans use of DJI products over Army, Navy and Air Force installations, according to multiple sources. Yuneec International, another major Chinese drone manufacturer, is similarly disfavored in certain U.S. markets.
"If you’re just a hobbyist and you’re taking wedding pictures or something of that nature, you’re likely fine," said Lanier Watkins, senior cyber research scientist at Johns Hopkins University’s Information Security Institute. "But if you’re in a location that’s sensitive — like near some military facility — I wouldn’t use any of the Chinese drones. You wouldn’t know where your information could wind up."
Watkins has researched technical vulnerabilities in several commercial drones, including DJI’s popular Phantom 4 model from 2016. Although he found several flaws that hackers could exploit, Watkins noted that DJI has a "bug bounty" program aimed at fixing cybersecurity weaknesses, and he credited the company for keeping pace with peers like Yuneec and France-based Parrot SA.
"From a functionality perspective, they make some really good drones," he said of DJI. Watkins added that the company offered his team $1,000 for the three vulnerabilities it uncovered in the Phantom 4 more than two years ago. "We didn’t take the money," he said.
‘A growing risk’
Along with inspecting terrain, drones are being tapped for a variety of uses in the energy sector.
DJI advertises rugged models for use over solar power arrays or to add eyes in the sky above oil and gas facilities.
Drones that "perform inspections, pipeline right of way work, and surveillance keep our industry on the cutting edge — and save companies time, effort, and the risks of working at height," refining industry trade group American Fuel and Petrochemical Manufacturers said in a tweet yesterday. AFPM member companies received the DHS warning, which was marked "For Official Use Only" but shared widely with critical infrastructure companies.
Several large U.S. railroads and electricity companies have used DJI drones in the past, including Columbus, Ohio-based American Electric Power Co. AEP spokeswoman Tammy Ridout said the company "does own a few DJI drones that we use for very limited purposes."
"We have been aware of the concerns about DJI drones since the information was made public a couple years ago and have taken steps to minimize any potential risk associated with drone use on our system," she said in an email response to questions, noting that AEP provides guidance to drone pilots on connectivity of drones and downloading of imagery.
Along with assessing power lines and other equipment, drones at AEP may take footage for the company’s promotional materials, she said. "Footage taken by drones is downloaded to a stand-alone computer. Drones are not connected to the AEP network."
In its alert, DHS acknowledges that unmanned aircraft systems "can serve as a beneficial tool for businesses" but warns companies to "be cautious" when buying technology from Chinese manufacturers.
A Cybersecurity and Infrastructure Security Agency spokesperson said the agency "recently released an industry alert providing organizations with information related to the inherent risks associated with using [unmanned aircraft system] technology manufactured in China and measures to reduce such risk."
The North American Electric Reliability Corp., which sets and enforces cyber and physical security standards for large U.S. utilities, got the word out about the DHS alert through the Electricity Information Sharing and Analysis Center, according to a spokesperson.
The nonprofit grid overseer said in a statement that "the threat of drones is a growing risk that has been recognized by industry for years," adding that the electric power industry has incorporated drones in a biennial security exercise dating back to 2013. "By sharing previously classified information on adversary activity, this DHS report helps further our knowledge, information sharing with industry, and mitigation techniques," NERC said.
A trade ‘battleground’
The last major U.S. drone manufacturer, 3D Robotics, shifted its operations away from building unmanned aircraft systems toward providing software for optimizing drone fleets.
Two years ago, the company announced a partnership with DJI, merging its Site Scan software platform with the Chinese manufacturer’s products to make the two compatible. "With this integration, now our customers can get the best of both worlds: DJI’s drones, and 3DR’s software for managing and analyzing the data that these drones collect," the company said.
3DR didn’t respond to requests for comment on DJI’s security or the latest DHS alert. But the company’s shift has left U.S. companies that want to buy American-made drones with scant options.
So does the promise of Chinese drones outweigh their peril?
"The C-suites for any utility — water, gas or pipeline — they’ll really want to consider this and take pause," said Harry Wingo, former chairman of the cybersecurity department at National Defense University’s College of Information and Cyberspace. "If you’re a CEO or [chief information security officer], you should be prepared to understand the full range of risks, technical, legal and political, that come from relying on equipment, software and networks created and maintained in China — a nation with a known track record of espionage and intellectual property theft."
Wingo said he personally has not bought DJI drones, and he described the ongoing debate over their security as a "battleground for what will happen between the U.S. and China" on other trade fronts, like U.S. government bans on telecommunications equipment from Huawei Technologies Co. Ltd. and ZTE Corp.
John Villasenor, a UCLA professor and nonresident senior fellow at the Brookings Institution, pointed out in an email that where a drone is manufactured "is often less of a concern than how and by whom it might be used." He added that a capable nation-state interested in mapping out U.S. grid or gas networks "could presumably do so using advanced reconnaissance satellite technology instead of a drone."
"While country of manufacture may in certain circumstances be an issue of concern in relation to drones, that concern is one of many in relation to imagery of sensitive U.S. infrastructure," he said in an email.