The war in Ukraine has shown what is possible with commercial unmanned aircraft system (UAS) technology in modern warfare. Although this is not the first conflict where the use of off-the-shelf technology has played a role in conflict, it is an example of infinitely expanded employment of the tactic. It is also the first time a government has publicly asked for private citizens to deploy their recreational UAS, also known as drones, in support of a country’s defense. There is no limit to creativity and innovation concerning this tool.

Commercial UAS give undermatched forces a sense of parity when it comes to intelligence, reconnaissance, surveillance, and kinetic targeting. The war in Ukraine has quickly become the latest testing ground for commercial drone use in combat, but more importantly, it has shown what is possible with simple modifications, limited training, and a drive to use these platforms outside of a recreational purpose.

The ability for experimentation by both sides grows astronomically every day the war continues, and, as in the 2014 conflict in Ukraine over Russia’s annexation of Crimea, this new battleground has shown what these tools can do. Some of the most recent reporting shows private unmanned systems being used to identify targets for ground forces, generate information and intelligence, and set conditions for either an attack from the air or coordinated maneuvering of ground forces. Other uses include airborne improvised explosive devices (IEDs) as well as weapon delivery platforms outfitted to drop Molotov cocktails.

Tactical operations centers (TOCs) are standing up across the country to give Ukrainian forces situational awareness and an ability to command and control from ad hoc locations. In addition, this private UAS air force gives the world clear video and real-time updates of the front lines, which in many ways has brought the war into the living rooms around the world, raising awareness and support for the people of Ukraine. In an age of instant communication where social media and the digital domain continue to change the landscape of war, this particular use of commercial UAS has become a powerful strategic communications enabler and may someday be credited with once again changing the way countries go to war.

So why is this important for private sector security and safety professionals? Simply put, security professionals across the globe should be taking note of the creative uses of recreational UAS because nefarious actors certainly are.

The war in Ukraine has given security professionals an unprecedented and important view into what is possible from a product that you can buy quickly online. More importantly, it is another wake-up call for comprehensive, layered, and integrated security program development that includes consideration for the likelihood of cyberattack. Building programs that consider the convergence of physical and cyber security threats should be a norm within security planning.

So, what should security and safety professionals do?

Start by establishing a security program framework:

1. Conduct a threat, vulnerability, and risk assessment (TVRA). The TVRA is the foundation of all security work. A security program will have a hard time getting off the ground if a TVRA is bypassed because this assessment identifies threats, critical assets, vulnerabilities, and risk mitigation options. There is no way to proceed into effective security programming and planning without a TVRA.
2. Perform a technology audit. If a system of technology solutions exists, there should be a review and audit of the capability. A good way to look at technology is to create a roadmap that sunsets equipment when the end of life is reached. This will also help with programming and budgeting so that large capital investment purchases are no surprise.
3. Consider your capital investment. Purchase or upgrade a technology package that answers the problems found in the TVRA.
4. Design a security operations center (SOC).
5. Develop security policies and procedures.
6. Develop an emergency operations plan.
7. Plan for business continuity and mutual aid agreements.
8. Determine the staff needed.
9. Build standard operating procedures (SOPs).
10. Plan, train, rehearse, and exercise SOPs.
11. Conduct relevant security tabletop exercises twice a year.
12. Conduct a full exercise with all security stakeholders once a year.

A security program designed to deal with the threats posed by UAS would look something like the following.

First it’s important to understand the threats, vulnerabilities, and risks that UAS pose to your assets. The experience in Ukraine and in other cases can inform your threat and vulnerability assessments. First, conduct surveillance of your airspace using a UAS detection and monitoring capability. This will determine the true activity of UAS over the business and provide a pattern of life analysis to determine critical times, all of which will add to your risk assessment.

There are a variety of technology approaches to address the threats posed by UAS. Security professionals should look at drone detection and monitoring options. Currently, there are many options that offer radio frequency (RF) detection capabilities, but this is a shortsighted attempt at gaining an understanding of the problem. The best solution, and one that tends to evade the market from an affordability perspective, is a layered solution that brings RF, radar, optical, and audio functions to the consumer in a package. This is a more precise way to use technology to your advantage. It's time for this approach to become readily available for any business that hosts public events.

Next, your UAS security program needs to be integrated into your overall existing security program. You need to understand how it will fit in your security operations center, or consider creating a SOC if one does not currently exist. You will need to understand what kind of capital and human resource investments will be needed for the program.

You will need to develop policies and procedures. For example, you will need a policy that establishes a UAS detection and monitoring approach. Policy sets the foundation for operational procedures, and it addresses the need for follow on action. This should be added to your overall security program framework and no longer be an afterthought.

Once the people, technology, and procedural parts of the plan are done, you need to develop training and ongoing exercise programs. Training and exercise programs turn your policy and procedures into action and form the basis of operational SOPs. In simple terms, you are developing a training calendar for your staff and stakeholder community to come together to work on specific scenarios that might happen or take shape during a public event.

A great place to start is to have a third-party security professional facilitate a tabletop exercise that challenges the entire team to address a hypothetical scenario where a drone enters the airspace within the venue during a live event. This type of tabletop will produce a clear thought process and action checklist that helps you meet your duty of care for patrons of the event.

The war in Ukraine has shown us in a very short time how a single technology can and will have an impact on security programs. It is important to remain relevant and demonstrate recent activity around current plans and procedures. Updating the TVRA annually is a prudent step. Additionally, conduct a technology audit every three years, and update the technology roadmap based on the end-of-life determination for all critical security technology components. It is a security leader’s job to customize and execute the program to protect the people and critical assets associated with the business, especially as new threat vectors emerge.

Bill Edwards, CPP, PCI, PSP, CPD, CIMP, is the president of Calibre Engineering and a retired U.S. Army Colonel with more than 34 years of experience as a security, safety, and intelligence professional.