June 11, 2019; 1200 EDT
UASs provide innovative solutions for tasks that are dangerous, time consuming, and costly. Critical
infrastructure operators, law enforcement, and all levels of government are increasingly incorporating UASs
into their operational functions and will likely continue to do so. Although UASs offer benefits to their operators,
they can also pose cybersecurity risks, and operators should exercise caution when using them.
To help UAS users protect their networks, information, and personnel, the Department of Homeland Security
(DHS)/Cybersecurity and Infrastructure Security Agency (CISA) identified cybersecurity best practices for UASs.
This product, a companion piece to CISA’s Foreign Manufactured UASs Industry Alert, can assist in standing up
a new UAS program or securing an existing UAS program, and is intended for information technology managers
and personnel involved in UAS operations. Similar to other cybersecurity guidelines and best practices, the
identified best practices can aid critical infrastructure operators to lower the cybersecurity risks associated
with the use of UAS, but do not eliminate all risk.
Installation and Use of UAS Software and Firmware
An important part of managing risk when employing UASs is to understand the steps involved and potential
vulnerabilities introduced during the installation and use of UAS software and firmware. UAS operators should
strongly consider and evaluate the following cybersecurity best practices when dealing with software and
firmware associated with UAS:
Ensure that the devices used for the download and installation of UAS software and firmware do not
access the enterprise network.
Properly verify and securely conduct all interactions with UAS vendor and third party websites. Take
extra precaution to download software from properly authenticated and secured websites, and ensure
app store hosts verify mobile applications.
o Access these websites or app stores from a computer not associated with, or at least not
connected to, the enterprise network or architecture.
o Ensure the management of security for mobile devices that will be directly or wirelessly connected
to the UAS.
Review additional information for enhancing security on mobile devices.
Ensure file integrity monitoring processes are in place before downloading or installing files. Check to
see if individual downloads or installation files have a hash value or checksum.
After downloading an
installation file, compare the hash value or checksum of the installation file against the value listed on
the vendor’s download page to ensure they match.
For more information on UAS cybersecurity risks, see: DHS Office of Cyber and Infrastructure Analysis. (2018). “Cybersecurity Risks Posed
by Unmanned Aircraft Systems.” PDM17252. Additional information can be found in: DHS Cybersecurity and Infrastructure Security
Agency. (2019). “Unmanned Aircraft Systems Industry Alert.”
For more information, see: National Institute of Standards and Technology (NIST). (2013). “Guidelines for Managing the Security of
Mobile Devices in the Enterprise.” Accessed May 16,
For mobile security guidance from Apple, visit
For mobile security guidance from Android, visit
A checksum is a value derived from a segment of computer data calculated before and after transmission to assure data is free from
tampering and errors. A hash value is a fixed-length numeric value that results from the calculation of a hashing algorithm. A hash value
uniquely identifies data and is often used for verifying data integrity.
Run all downloaded files through an up-to-date antivirus platform before installation and ensure the
platform remains enabled throughout installation.
Verify a firewall on the computer or mobile device is enabled to check for potentially malicious inbound
and outbound traffic caused by the recently installed software. External network communications
could be part of the installation process, and could potentially expose your system to unknown data
privacy risks.
During installation, do not follow “default” install options. Instead, go through each screen manually
and consider installing software on a removable device (external HDD or USB drive).
o Deselect any additional features or freeware bundled into the default install package.
o Disable automatic software updates. Necessary updates should follow the same process outlined
for download and installation.
o Thoroughly review any license agreements prior to approval. Consider involving a legal team in the
process to ensure organizations do not unknowingly agree to unsafe or hazardous practices on
the part of the vendor.
Securing UAS Operations
An important part of operating UASs is to ensure that communications are secure during all aspects of usage.
There are multiple publicly accessible sites that indicate and detail how to intercept UAS communications and
hijack UASs during flight operations. UAS operators should consider and evaluate the following cybersecurity
best practices when conducting UAS operations:
If a UAS data link is through Wi-Fi connections between the UAS and the controller.
o Ensure the data link supports an encryption algorithm for securing Wi-Fi communications.
Use WPA2-AES security standards or the most secure encryption standards available.
Use highly complicated encryption keys that are changed on a frequent basis. Ensure that
encryption keys are not easily guessable, and do not identify the make or model of the UAS or
the operating organization.
o Use complicated Service Set Identifiers (SSIDs) that do not identify UAS operations on the
network. Avoid using the specific make or model of the UAS or the operating organization in the
o Set the UAS to not broadcast the SSID or network name of the connection.
o Change encryption keys in a secure location to avoid eavesdropping either visually or from
wireless monitoring.
If the UAS supports the Transport Layer Security (TLS) protocol, ensure that it is enabled to the highest
standard that the UAS supports.
Have the data links for UAS control, telemetry, payload transmission, video transmission, and audio
transmission encrypted with different keys. Make sure the UAS is able to encrypt the data stored
Use standalone UAS-associated mobile devices with no external connections or disable all
connections between the Internet and the UAS and UAS-associated mobile devices during operations.
Consider running wireless traffic analyzers during selected UAS operations to understand and monitor
UAS communications traffic while in use.
For more information on securing a wireless network, see: DHS Cybersecurity Engineering. (2017). “A Guide to Securing Networks for Wi-
Fi (IEEE 802.11 Family).” Accessed March
18, 2019.
Run mobile device applications in a secure virtual sand-box configuration that allows operation while
securely protecting the device and the operating system.
Data Storage and Transfer
Ensuring the security and privacy of UAS data, while at rest or in transit, is essential to managing UAS
cybersecurity risks. UAS operators should consider and evaluate the following cybersecurity best practices for
UAS data storage and transfer:
When connecting the UAS or UAS-associated removable storage device to a computer:
o Use a standalone computer to connect to the UAS or removable storage device to ensure no
access to the Internet or enterprise network.
o Verify a firewall on the computer or mobile device is enabled to check for potentially malicious
inbound and outbound traffic caused from the connection of the UAS or removable storage
device. Verify and ensure that the computer has up-to-date antivirus installed.
Data should be encrypted both at rest and in transit to ensure confidentiality and integrity.
Authentication mechanisms should be in place for UASs with access to private or confidential data.
Use Multi-Factor Authentication (MFA) whenever possible for accounts associated with UAS
Follow data management policies for data at rest, data in transit, and any sensitive data.
Erase all data from the UAS and any removable storage devices after each use.
Information Sharing and Vulnerability Reporting
By participating in information-sharing programs and reporting non-public, newly-identified vulnerabilities,
users will have access to timely information to mitigate cybersecurity threats. These programs can also serve
as a forum for UAS operators to share security vulnerabilities that could potentially impact the Nation’s critical
infrastructure, or pose a threat to public health and safety. The following are three information sharing
Cyber Information Sharing and Collaboration Program (CISCP):
o CISCP enables actionable, relevant, and timely information exchange through trusted, public-
private partnerships across all critical infrastructure (CI) sectors by leveraging the depth and
breadth of DHS cybersecurity capabilities within a focused, operational context.
o For more information on the CISCP program, visit or email
Automated Indicator Sharing (AIS) Program:
o The AIS program enables the quick exchange of cyber threat indicators between the Federal
Government and the private sector through CISA’s National Cybersecurity and Communications
Integration Center (NCCIC). Companies that share indicators through AIS are granted liability
protection and other protections through the Cybersecurity Information Sharing Act of 2015.
o For more information on NCCIC 24/7 services, call 1-888-282-0870 or email For more information on AIS and how to join, go to
For more information on encrypting stored data, see: National Institute of Standards and Technology (NIST). (2007). “Guide to Storage
Encryption Technologies for End User Devices.” NIST Special Publication 800-111. Accessed March 15, 2019.
For more information on security controls, see: National Institute of Standards and Technology (NIST). (2013). “Security and Privacy
Controls for Federal Information Systems and Organizations.” NIST Special Publication 800-53, Revision 4. Accessed March 15, 2019.
Information Sharing and Analysis Centers (ISACs):
o Information Sharing and Analysis Centers (ISACs) are non-profit, member-driven organizations
formed by critical infrastructure owners and operators to share information between government
and industry. CISA, through the NCCIC, works in close coordination with all of the ISACs.
o For more information about ISACs, go to
If an organization discovers a UAS software or hardware vulnerability, or a suspicious or confirmed UAS
cybersecurity incident occurs, CISA recommends reporting the vulnerability or incident through the following
o Email or call 1-888-282-0870. When sending sensitive
information to DHS CISA via email, we recommend encryption of messages. For more information,
CERT Coordination Center:
o To report a vulnerability, go to
The UAS Cybersecurity Best Practices document is a collaborative product written by CISA's National Risk Management
Center and Cybersecurity Division. This product was coordinated with the DHS/CISA/Infrastructure Security Division,
DHS/Federal Protective Service, U.S. Army/Combat Capabilities Development Command, and Federal Bureau of
Investigation/Cyber Division.
The National Risk Management Center (NRMC) provides a simple and single point of access to the full range of
government activities to mitigate a range of risks, including cybersecurity, across sectors. All NRMC products are visible
to authorized users at HSIN-CI and Intelink. For more information, contact or visit
OMB Control No.: 1670-0027
Expiration Date: 01/31/2021
Please rate your satisfaction with each of the following:
Satisfied (5)
Satisfied (4)
Dissatisfied (2)
Dissatisfied (1)
Relevance of product
To help us understand more about your organization so we can better tailor future products, please provide (OPTIONAL):
Contact Number:
Partner Type:
Privacy Act Statement
Paperwork Reduction Act Compliance Statement
REV: 14 July 2016
Other uses (please specify)
Do you have questions that this product didn't answer?
6. Would you like to see more on this topic?
Product Title:
Timeliness of product
How could this product be improved?
Are there other topics or questions you would like to see addressed by CISA?
(Please specify)
(Please specify)
Neither Satisfied
Nor Dissatisfied (3)
Yes No
Integrated into one of my own organization's information or analytic products
If so, which products?
Used contents to improve my own organization's security or resiliency efforts or plans
If so, which efforts?
Shared contents with government, private sector, or other partners
If so, which partners?
Customer Feedback Survey
Cybersecurity and Infrastructure Security Agency
National Risk Management Center
Cybersecurity Best Practices for Operating Commercial Unmanned Aircraft Systems
Select One
Select One
Select One