The uses of drones—or unmanned aerial systems (UAS)—seem endless. Insurers are employing drones to conduct site surveys of large properties, such as farms or vineyards, for less money. Utilities can use drones to inspect long stretches of power lines. Amateur pilots participate in competitions for the best drone-captured videos. And malicious actors use those same commercially available drones to smuggle drugs into prisons, spy on business competitors to steal intellectual property, or inflict physical damage.

In 2017, a man was charged for violating airspace regulations by flying a drone over two National Football League (NFL) games in California that dropped political leaflets on attendees. Between 19 and 21 December 2018, hundreds of flights were cancelled and approximately 140,000 passengers were affected at Gatwick Airport near London following reports of drone sightings near the runway. On 4 August 2018, two commercial drones detonated explosives at a National Guard parade in Caracas, Venezuela, in an apparent attempt to assassinate Venezuelan President Nicolás Maduro. In 2019, multiple attacks in the Middle East—including in Yemen and Iraq—were carried out with drones laden with explosives.

“Drone risks and threats appear to be getting significantly more sophisticated with time, depending on the locale,” says Max Klein, chief technology officer with SCI Technology. “In the beginning, it was primarily hobbyist or toy-level drones being used, mainly by nonmalicious actors who did not realize what they were doing was illegal or dangerous, and they were causing inadvertent hazards. Now, that’s been brought forward over the past three to five years by criminal organizations with more smuggling. And recently, organized, large terrorist organizations outside of ISIS have been using these weaponized drones for attacks.”

“The ability to attack is getting both larger in payload capacity and more sophisticated in control and intent,” he adds.

While most countries have their own UAS restrictions and policies, in the United States, drones are considered aircraft and are given similar protections as commercial or passenger aircraft—interfering with one without legal permission or an immediate risk to life or property is prohibited. The U.S. Federal Aviation Administration (FAA)—part of the Department of Transportation—has authorization to set no-fly zones in the United States. Depending on the facility, operation, or mission, public authorities such as the U.S. Departments of Energy, Defense, Homeland Security (DHS), and Justice may be granted counterdrone authority to interfere with UAS that violate these airspace restrictions.

At the 2019 NFL Super Bowl in Atlanta, there were 54 drone incursions—despite the FAA’s declaration that the area around the stadium was a “No Drone Zone.” While federal law enforcement at the event could address those risks and confiscate intruding drones, private organizations are significantly more limited.

U.S. law prohibits private organizations or individuals from interfering with drones in flight, including signal jamming—which could potentially interfere with nearby medical devices or other aircraft.

For high-value events or high-threat targets, organizations can request assistance from the FBI or DHS, but if that help is unavailable, experts say the best option is to observe and report: monitor the drone’s activity, attempt to locate and communicate with the operator, and report the incident to both local law enforcement and the FAA.

While many organizations are considering legitimate uses for drone-based systems—including deliveries, site surveys, and emergency rescue reconnaissance—the technology has evolved faster than regulations, says James Acevedo, CPP, president of security consultancy Star River Inc.

“Other countries are advancing faster than in North America,” he says. “They have allowed for much more to happen within their airspace…. Drones are delivering life-saving medications in Africa. You have drones that are doing mail deliveries to remote locations in The Netherlands. China is just blowing the drone market up in terms of integrating them into its airspace; they have allowed for so much.”

Meanwhile, regulatory changes around drones in the United States remain conservative. In late 2019, UPS was approved for a pilot program using drones to deliver packages on campus settings. But many programs that would operate drones out of the operator’s line of sight or over heavily populated areas are still evaluated on a case-by-case basis. Even so, there are numerous drones in operation today, and regulations around legal threat responses to them are slow in coming.

Regarding drone threat response, the United States and most of Europe are struggling with the same challenge: finding the balance between freedom and security, says Michael Rozin of Rozin Security Consulting and former security director for the Mall of America. In the Middle East and Asia, however, mitigation limitations are less stringent, and many countries allow private organizations to jam signals, shoot down UAS, or capture them, he adds.

“To the FAA, safety and security across the totality of aviation are two sides of the same coin,” says Angela Stubblefield, FAA chief of staff. “You have to have safety and security to have a stable, reliable national airspace. There are times when mitigation for a safety risk may introduce a security concern or vice versa.”

These side effects mean interagency cooperation when crafting regulations is essential, she adds. But collaboration inevitably slows down regulations as the FAA works closely with other departments and stakeholders to tailor or waive requirements in order to avoid unintended consequences.

For example, enabling remote ident­ification of drones could allow operators and observers to know where other UAS and their operators are, especially when the devices are flying beyond the operator’s line of sight. If DHS is trying to operate a UAS undercover as part of a law enforcement operation, however, sharing this identifying information could jeopardize the mission.

Detecting Drones

Overall, current counter-UAS capabilities fall into two categories: detection and mitigation.

Good mitigation requires good detection, Stubblefield says. “Identification helps you know something about that UAS: where the operator is located, cross-referencing it with the FAA’s UAS registry so you might be able to know if it’s owned by Amazon or Google. Or if it’s owned by a private citizen, you now have a name you could run against various databases like law enforcement runs a license plate.”

Identifying drone operators and their intentions also gives organizations a better picture of their risk levels, Stubblefield adds.

For example, if a UAS is identified as an Amazon delivery drone, one can more reasonably assume it is operating on legitimate business. Alternately, an incursion of drones flying near a remote utility substation could signal a threat or represent the presence of a new aviation club in town that has not been educated well enough about where not to fly. Connecting with the operators of those drones will let security professionals make more informed decisions about the path forward.

As of May 2019, there were approximately 1.25 million personal drones in the United States, as well as an additional 277,000 commercial drones. The FAA predicts that there will be 1.4 million personal drones and 835,000 commercial drones by 2023, especially as more businesses adopt UAS-based programs for deliveries, inspections, and other uses. With so many drones in the air, primarily for legitimate purposes, organizations will need a more nuanced security response.

“Drones are not going away,” Rozin says. “You cannot plan on responding to every drone on the horizon. It’s an overreaction to legitimate users and wastes security resources, especially in urban environments.”

Instead, detection and assessing intent should be security professionals’ top priority, he adds.

“Detection is a great place to start,” Stubblefield says. “Ninety-nine percent of the time, it’s just somebody who didn’t know better or they might have known better but they have no malicious intent,” Stubblefield says. “If you just mitigate without having that information, you don’t get to have information of what the real threat was.”

The biggest hurdle to drone response now is being able to identify drones that are supposed to be in the airspace, Acevedo says, because as soon as one system is introduced, malicious actors will find a way to circumvent it.

“We need to move forward in a creative manner,” he adds. “We need to think so far outside the box on building a detection system that anybody would be silly to try to defeat it—it will need to be a multitude of integrated systems that all work together to create a safer airspace.”

There are major technology options available, including radar, LiDAR, optical tracking with surveillance or thermal cameras, acoustic detection, and radio frequency (RF) detection, which looks for command and control links between the operator and the drone.

However, each option has tradeoffs. Radar has a very good range for detecting drones from a distance and can tell how far away something is, but it falls short on detecting how elevated the object is and whether it is to the left or right of the sensor, Klein says. Optical detection has less range than radar but provides good data on elevation and location. Pairing complementary systems gives organizations a better picture of the threat’s actual location and behavior.

“The coupling of technologies is nontrivial,” Klein notes, adding that not all standalone systems can be integrated for this purpose, and often specialized integration is required. Nuances of the radar signal can verify an alert is a drone and not a bird, and an optical camera can help confirm that for a more reliable, unified alarm.

Apart from some RF-based tools that interfere with the connection between controller and drone, many detection tools do not require legislative relief and can be used by private organizations, Stubblefield says.

When it comes to detection, this sort of layered approach is essential, Klein says. “There is no silver bullet for detection, and there is no silver bullet for neutralization,” he adds.

Because drone security events are usually short—20 seconds to detect, respond, and neutralize, Klein says—accuracy and quick detection are key. Pushing the perimeter of detection out further can help, but not much, because some drones can fly up to 100 miles per hour. The goal in developing an accurate program is to achieve a high probability of detection with a low false alarm rate, he notes, and no one technology can do it all.

Early detection means the organization can assess the risk posed by the UAS faster—determining the speed, size, payload capacity, and control method of the device—and measure that against the environment, including the risk for collateral damage to people or property. From there, security personnel can begin mitigation.

Mitigation Rules

If a drone intrudes on or near an organization’s facility, having a policy in place on how to respond quickly is essential. Acevedo notes that the first course of action is to call law enforcement immediately, then try to use lights to blind any cameras on the UAS from spying on sensitive areas of the facility—without interfering with the device’s flight path—and attempt to find the operator.

“There is no way to respond to a rogue system or rogue drone other than trying to find the pilot,” says Acevedo.

Signal jamming is illegal within the United States, outside of authorized federal agencies, Klein says, and shooting down a drone is barred as well.

“There are situations in which mitigation is necessary,” Stubblefield says. “The concern from the FAA on the current state of mitigation is a lot of those systems, which were built on military technology, can have collateral impacts that are concerning.”

For example, jamming can affect emergency and first responder communications, interfere with GPS tools onboard manned aircraft, or disrupt legitimate unmanned aircraft nearby. Depending on how certain UAS react to these technologies, they can go into uncontrolled flight, causing a safety hazard from a falling or uncontrolled drone.

“The technology is not mature enough technically to be very precise about how it takes down a potentially threatening drone,” Stubblefield adds.

“In general, it is not illegal to fly over your private property from a federal perspective,” Klein notes. “It might be a nuisance, but it may be legal in your jurisdiction.”

However, some U.S. states and cities are creating their own regulations on drone use in addition to the FAA regulations at the federal level. For example, New York City banned drone use outside of parks. More hyperlocal restrictions like these may be coming, Klein says.

While many mitigation concepts are not permitted, private organizations can still chart a course forward. Stubblefield recommends promoting drone education in the local area to inform users about which regions are “No Drone Zones” and which are appropriate for hobbyist use. There are kits available online through the FAA with “No Drone Zone” signage and other materials.

One of the most essential responses is to report incidents to both law enforcement and the FAA, Stubblefield says. While law enforcement will pursue any applicable criminal charges, the FAA can take civil action against an unsafe or intruding UAS operator.

“The FAA can’t follow up on incidents if it does not know about them,” she adds. “It’s really key to report any sightings you have—any concerns—to law enforcement so they can respond, and to the FAA as well. That helps us work with law enforcement to get information that may allow us to conduct civil action—anything from an education letter, a warning letter, or up to suspension of their license, depending on how egregious the situation is. And then there can also potentially be companion criminal charges as well.”

Beyond that, if organizations wish to request expanded authority to respond to or mitigate drone threats, the FAA will need this comprehensive record of risks to justify the case, Stubblefield says.

“It also helps when anyone is trying to go forward with getting expanded authorities. The first thing Congress asks is ‘How many UAS incidents do you have? What are the threats, the risks you’re trying to counter?’ And if you don’t report that information, then it’s very hard to characterize what that risk is,” she says.

Claire Meyer is managing editor at Security Management. Connect with her on LinkedIn or at [email protected].