Regulating the “Internet of Flying Things” - ‘Security by design’ and the deployment of IoT connected drones in smart cities

Drones are increasingly present in our skies, and although it is not yet common to connect them to the Internet of Things (IoT), visions of connected drones are already part of many plans for near-future cities. For example, consider the speculative visions of a “Drone Aviary” produced by design consultancy Superflux.
Extending beyond their initial applications for military purposes, drones are currently used for policing; disaster relief, journalism; conservation, activism, and a range of commercial activities such as advertising, construction, mining, agriculture, and delivery of goods.

Drones rely on various connected mechanisms to operate, such as avionics, ground control, and GPS for spatial referencing. Some now have on-board processors. As such, they can be understood as connected objects: ‘things’ that are controllable through Internet connected systems with data collected being sent to the ‘cloud’. Growing debates suggest that drone technology holds significant benefits for both government and commercial uses in smart city spaces. However, our preliminary research findings show they also come at a significant cost. Having more of them in our skies certainly raises questions of privacy, data protection, and safety. What has emerged as the most striking insight, however, is the lack of engagement with security by design, presenting a challenge for IoT developers regarding both drone use and connected ‘things’ more broadly.
Security by design is a major concern underpinning the development of future connected communication systems.

In the case of drones, this covers:
- the design of the ‘smart systems’ that drones are connected to;
- the emerging regulatory space for drone systems;
- ethical considerations for connected systems

The drone case raises further implications for the design and regulation of a range of connected systems.

Drones in ‘smart systems’
Drones can be part of broader ‘smart systems’ in cities or elsewhere: carrying equipment ranging from video cameras, including passively reflected thermal and infrared radiation and emitted thermal radiation sensing devices, to audio monitoring devices, speakers, liquid sprayers, to GPS, light emitters, and accelerometers. The commercial sector generally deploys drones in two ways: as sensor platforms and delivery systems. Most ‘smart’ systems (e.g. smart city systems) anticipate using drones in these ways, but they can also provide an innovative solution to expanding network relay connectivity; as well as surveying and mapping functions, especially in disaster assessment and recovery scenarios.

Connected drones are also able to offer cybersecurity advantages such as the ability to identify rogue signals, monitor sensing operations, locate jammed signals, and support incident response for other connected systems. One research participant noted that there are many existing benefits which will eventually grow given the right regulatory circumstances. But these regulatory frameworks are emerging slowly and with difficulty, at least in the UK.

Smart regulation?
In 2014, the European Union declared that key stakeholders must create a roadmap for robust drone regulation; however, in the UK such implementations have been measured. A crash between a consumer drone and a British Airways jet over Heathrow Airport as well as a series of near-misses have reinvigorated calls for strong regulatory frameworks.
That said, the rules governing drone use are at least evolving. For example, representatives of the National Aviation Authorities of the UK, Finland, and France joined with European Aviation Safety Agency (EASA) experts to form a Task Force to investigate the risks to manned aircraft from the operation of drones and to consider how to manage such risks. A proposal for an EU-wide regulatory framework for civil use of drones was recently agreed upon by the European Parliament. This framework addresses issues of safety, security, and personal data protection. The provisional agreement must now be approved by the Council of Ministers (EU governments) and the European Parliament, which is anticipated to occur this year.

In the UK context, Civil Aviation Authority (CAA) regulations have been put in place to prohibit unmanned aircraft from flying within 50m of any vessel, vehicle or structure that is not in the control of the individual in charge of the machine. It is only legal to fly a drone that weighs more than 20kg in certified "danger areas”. Individuals using drones that weigh less than 20kg for commercial purposes must demonstrate to the CAA that they are “sufficiently competent”.
Furthermore, CAA permission is required for all flights conducted for commercial work. The Information Commissioner’s Office (ICO) and the Surveillance Camera Commissioner have also established rules governing use of drones equipped with cameras in a way that is respectful of the privacy of others, and complies with the provisions of the Data Protection Act 1998 (DPA).
NATS (National Air Traffic Services), the UK’s main air traffic control provider, has developed, a website to help users understand how to fly their drones safely.

Additionally, the incoming General Data Protection Regulation (GDPR) introduces requirements for manufacturers and operators to incorporate privacy-by-design dimensions or conduct data protection impact assessments as essential features of drone activities that collect personal information.

Despite these moves to regulate, actions taken have tended to be reactive more often than proactive, thus illustrating Crovitz’s point: “Innovation first, regulation later is how technology takes flight.” Furthermore, these regulatory moves do not explicitly address the issue of drone security in IoT contexts and their implications for ‘smart systems’, such as the higher risk of malicious attacks which can be debilitating to smart city infrastructures.

Hacking machines
The smart city depends on interconnected devices that can generate dynamic data used to improve services. These smart environments rely on accurate data in order to function properly. This kind of digital ecosystem combines an array of hardware and software components in a multilayer stack of IoT technologies. The rise of IoT connected objects has prompted commentators to suggest that smart cities have the potential to be a security nightmare. Simply, the more we connect the more we expand the smart city attack surface to hackers. Tampering with infrastructure data can cause significant disruption to operations and citizens’ lives, if not their overall well-being.

With the addition of drone technologies to smart city systems, hackers have the capacity to access drones to disrupt WiFI, Bluetooth, and other wireless connections; intercept corporate communications, personal data, and geospatial analytics. By exploiting a weak encryption between a drone and its controller module known as a “telemetry box,” a hacker can potentially reverse engineer flight software to block commands from the drone’s legitimate operator, an attack that can result in rendering the machine unresponsive, vulnerable to theft, and worse, crashing it into a vehicle, aircraft, building, or any other populated space.

Informational disruptions can also become mobile, spreading like a virus from one infrastructure backbone to the next. As is the case with how autonomous cars can be compromised, hackers have the capacity to hijack or jam a drone operating in smart cities and program it to carry malicious code to other urban networks.

The consequences here are similar to the process of accidental seed spreading, where a moving vehicle can create a wind-tunnel effect, collecting seeds and depositing them in new locations, thereby disrupting the local ecosystem. But instead of seeds, the drone would be spreading malware across smart city landscapes. All told, as drones are being considered as smart city solutions, it is now more important than ever to focus existing debates on responsible regulations for IoT connected commercial drones, especially in terms of developing robust regulations for security by design. Drones facilitate a range of possibilities for connected systems; however, can these machines be properly secured? What can be done to combat the security risks that drones create?

Security by design
When drones are used commercially, a range of social and ethical implications begin to emerge. Growth in civil use has generated public concern and debate mostly around issues of safety, privacy, and security of information. These are often addressed through the possibility of security by design, which can be a solution in domains such as health and automation where regulatory controls are quite strictly enforced given the potential risks of harm toward a human being. However, in other domains where risks are less well defined, designers can struggle to address these issues.

As mentioned previously, a recurring observation made during our field work is the lack of ethical thinking and action around commercial drone development specific to security by design. Some of this may be due to the fact that doing ethics seems to be grounded on different moral principles depending on context: principles that govern an individual’s or culture’s behaviour can vary from context to context.

Our research strongly suggests that security measures should not be optional add-ons; rather, they should be considered at the point of design and throughout the lifecycle of IoT applications. This point has been raised by other commentators interested in exploring the relationship between drones and the IoT. However, research participants identified that security, which is related to data protection for both consumers and corporations, is not something that all companies can afford to do, especially not start-ups and SMEs with limited financial resources. The argument from start-ups/SMEs tends to be that embedding security into a device at the point of design is costly, so they are willing to risk bypassing this layer of security. Larger companies, however, have the financial means to take security by design seriously which potentially gives them an advantage over smaller companies when it comes to obtaining public trust. Whether or not larger companies are engaging in this process is variable.

A significant concern, then, is that companies are lagging with regards to security by design, which is especially worrisome with the potential deployment of connected drones into smart systems.

Concluding thoughts: Regulating harm
Commercial drone use is still in its nascent stages, and laws and regulations are not sufficiently well established to substantively address various social and ethical challenges, such as issues around security specific to connected systems. While larger companies have the capacity to incorporate security mechanisms into machines at the point of design, start-ups and SMEs are unable and/or unwilling to do so given the prohibitive costs involved.

These gaps in security measures give rise to important ethical questions around harm. For instance, as drones replace some human tasks in smart cities, we are faced with an ethical question about responsibility regarding when and how these units ought to be deployed: When a commercial drone is hacked, fails, or behaves in a way that generates negative consequences, who is accountable, how, and to whom?

It is clear that the use of drones in IoT rich environments comes with the risk of negative social impacts, specific – but not restricted to – issues of security. It makes sense, then, for drone use to be more tightly regulated in accordance with the principles of responsible innovation. However, one significant issue that emerged in our research is the concern that if rules and regulations become too proscriptive they will restrict or stop innovation. As such, companies have preferred under-regulation to stricter regulatory frameworks.

Regulatory action is challenging given technical limitations, such as variability in drone size and capability, so it becomes difficult to implement over-arching regulatory frameworks. Furthermore, when regulations are put in place, they are sometimes inconsistent across jurisdictions and often change rapidly.

Despite these challenges, our research shows that it is necessary to develop meaningful governance structures that encourage responsible design and use of commercial drones. As others have pointed out, regulatory frameworks must comprise mechanisms that mitigate operational risks and [ideally] harmonise legislation across the EU.

Discussion and communication with the public is necessary to clarify the social impact of IoT connected drones, and to facilitate involvement in regulatory actions that guide research and innovation.
Furthermore, action must be taken to create a market that provides start-ups and SMEs with incentives to incorporate security by design into their IoT products. Governing bodies need to ensure that companies benefit from the use of IoT connected drones while also upholding the need for public safety, privacy, and security.

IoT Ethics, privacy, Security