CYBERSECURITY AND INFRASTRUCTURE SECURITY AGENCY
June 11, 2019; 1200 EDT
CYBERSECURITY BEST PRACTICES FOR OPERATING COMMERCIAL UNMANNED AIRCRAFT SYSTEMS (UASs)
UASs provide innovative solutions for tasks that are dangerous, time consuming, and costly. Critical
infrastructure operators, law enforcement, and all levels of government are increasingly incorporating UASs
into their operational functions and will likely continue to do so. Although UASs offer benefits to their operators,
they can also pose cybersecurity risks, and operators should exercise caution when using them.[1]
To help UAS users protect their networks, information, and personnel, the Department of Homeland Security
(DHS)/Cybersecurity and Infrastructure Security Agency (CISA) identified cybersecurity best practices for UASs.
This product, a companion piece to CISA’s Foreign Manufactured UASs Industry Alert, can assist in standing up
a new UAS program or securing an existing UAS program, and is intended for information technology managers
and personnel involved in UAS operations. Similar to other cybersecurity guidelines and best practices, the
identified best practices can help critical infrastructure operators lower the cybersecurity risks associated
with the use of UASs, but they do not eliminate all risk.
Installation and Use of UAS Software and Firmware
An important part of managing risk when employing UASs is to understand the steps involved and potential
vulnerabilities introduced during the installation and use of UAS software and firmware. UAS operators should
strongly consider and evaluate the following cybersecurity best practices when dealing with software and
firmware associated with UAS:
• Ensure that the devices used for the download and installation of UAS software and firmware do not
  access the enterprise network.
• Properly verify and securely conduct all interactions with UAS vendor and third party websites. Take
  extra precaution to download software from properly authenticated and secured websites, and ensure
  app store hosts verify mobile applications.
  o Access these websites or app stores from a computer not associated with, or at least not
    connected to, the enterprise network or architecture.
  o Ensure the management of security for mobile devices that will be directly or wirelessly connected
    to the UAS.[2] Review additional information for enhancing security on mobile devices.[3,4]
• Ensure file integrity monitoring processes are in place before downloading or installing files. Check to
  see if individual downloads or installation files have a hash value or checksum.[5] After downloading an
  installation file, compare the hash value or checksum of the installation file against the value listed on
  the vendor’s download page to ensure they match.
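The comparison described in the last item can be scripted so it is done the same way for every download. The following is an added example, not part of the CISA document; it assumes the vendor publishes a SHA-2 digest in hexadecimal, and the file name and contents in demo() are constructed sample data.

```python
import hashlib
import hmac
import os
import tempfile

# Hex digest length -> algorithm. MD5 and SHA-1 lengths are left out on
# purpose (assumption of this example: the vendor publishes SHA-2).
ALGO_BY_HEX_LEN = {64: "sha256", 96: "sha384", 128: "sha512"}

def parse_published(value):
    """Accept a bare digest or a 'digest  filename' line; return (algo, hex)."""
    fields = value.strip().split()
    if not fields:
        raise ValueError("no digest supplied")
    digest = fields[0].lower()
    if any(c not in "0123456789abcdef" for c in digest):
        raise ValueError("published value is not hexadecimal")
    algo = ALGO_BY_HEX_LEN.get(len(digest))
    if algo is None:
        raise ValueError("unsupported digest length: %d" % len(digest))
    return algo, digest

def file_digest(path, algo, chunk_size=1 << 20):
    """Hash in chunks so a large firmware image is never read into memory whole."""
    h = hashlib.new(algo)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()

def verify_download(path, published):
    """True only if the file's digest equals the value from the download page."""
    algo, expected = parse_published(published)
    return hmac.compare_digest(file_digest(path, algo), expected)

def demo():
    """Constructed sample: check a stand-in installer, then alter one byte."""
    data = b"constructed firmware image\n" * 1000
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "uas_firmware_sample.bin")
        with open(path, "wb") as fh:
            fh.write(data)
        published = hashlib.sha256(data).hexdigest().upper()
        intact = verify_download(path, published + "  uas_firmware_sample.bin")
        with open(path, "ab") as fh:
            fh.write(b"\x00")  # a single appended byte must fail the check
        return intact, verify_download(path, published)

if __name__ == "__main__":
    print(demo())
```

A match only shows that the file is the one the download page describes, so the published value should be read from the vendor's authenticated and secured page rather than from the same location as a mirrored file.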
[1] For more information on UAS cybersecurity risks, see: DHS Office of Cyber and Infrastructure Analysis. (2018). “Cybersecurity Risks Posed
by Unmanned Aircraft Systems.” PDM17252. Additional information can be found in: DHS Cybersecurity and Infrastructure Security
Agency. (2019). “Unmanned Aircraft Systems Industry Alert.”
[2] For more information, see: National Institute of Standards and Technology (NIST). (2013). “Guidelines for Managing the Security of
Mobile Devices in the Enterprise.” https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-124r1.pdf. Accessed May 16,
2019.
[3] For mobile security guidance from Apple, visit www.apple.com/privacy/manage-your-privacy.
[4] For mobile security guidance from Android, visit www.android.com/play-protect.
[5] A checksum is a value derived from a segment of computer data calculated before and after transmission to assure data is free from
tampering and errors. A hash value is a fixed-length numeric value that results from the calculation of a hashing algorithm. A hash value
uniquely identifies data and is often used for verifying data integrity.