Cyber Risk Assessment and Scoring Model for Small Unmanned Aerial Vehicles

Based on lessons learned from similar domains of aircraft operation, information technologies, cyber-physical systems, and cyber insurance, a cyber risk assessment methodology tailored for small UAVs is developed.

The desire of man to fly is almost as old as time itself. Since the dawn of flight, aircraft have evolved to meet new demands and innovations, through the 20th century and into the 21st. While UAVs have been around since the earliest days of aircraft, technology in the last two decades has allowed an explosion of options that allow for militaries and commercial organizations alike to consider the aerial automation of missions like never before. In particular, small UAVs provide a lower cost of entry and less overhead, with much of the same aerial advantages as larger vehicles.

As with all computer devices, small UAVs come with risks associated with their missions, both physical and cyber related. The physical risks of collisions and damage to structures or people is reflected in United States government regulations and licensing through the Federal Aviation Administration (FAA). In contrast, the cyber risks accepted by organizations and individuals has received very little attention and over-sight by regulators. Most organizations do incorporate some sort of cyber risk framework to manage risks, but these frameworks are reliant on lackluster risk assessments for small UAVs.

Components of Typical UAV

In some sense, manufacturers currently control small UAVs’ cyber security standards by setting their own levels of protection, which may not be acceptable with consumers. Organizations have little measurement or insight into the risks accepted with purchasing and operating these vehicles as there is no formal method of comparison, as may be seen with other vehicle safety. Additionally, while manufacturers may have a vested interest in protecting their devices from outside compromise, the cost of cyber security efforts and overhead of components and software compete with financial and physical constraints.

This research defines a new cyber risk assessment for small UAVs using the lessons learned from assessments in related systems and then tests and analyzes this new scoring system by presenting case studies that represent the breadth of models and mission scenarios for small UAVs. The research objectives of this work are as follows:

  • Assess whether any cyber or physical risk assessments of similar domains accurately quantify the cyber risk of small UAVs.

  • Determine the success criteria a small UAV cyber risk assessment should meet, based on similar domain assessments.

  • Define a new small UAV cyber risk assessment tool (assuming none exists).

  • Establish the objectives a hardware-in-the-loop simulation of a small UAV should meet to best bring awareness to potential vulnerabilities.

The hypothesis of this research is that no cyber risk assessment tool currently exists and no similar domain assessment accurately portrays the risk of small UAVs to its operators/owners. If none exist, a new tool will need to be built using the lessons learned and scoring models of similar domains that have seen success.

The approach consists of first analyzing and comparing many of the similar domains’ risk assessments for applicability to small UAVs and defining the best set of objectives for a new risk assessment based on the unique characteristics. Utilizing the closest risk assessment to the required need, a new cyber risk assessment specific to small UAVs will be defined with as little deviance from the scoring model as possible to maximize the value of the chosen tool’s lessons learned. The new tool will then be analyzed against a multitude of case studies to verify its ability to easily and accurately quantify associated risk of the vehicles to mission scenarios. Lastly, from the analysis of the case studies, a proposal for objectives that a hardware-in-the-loop simulation for small UAVs must meet will be presented.

The analysis of similar domains’ risk assessments assumes that all practical assessments have been discovered. It is expected that there are many risk assessments that are not public domain or unclassified that may relate to this research. This research also assumes that all publicly available specifications and configurations of utilized small UAVs (under 55 pounds per FAA regulations) are correct. This research is limited to risk assessments for only small UAV platforms due to the unique characteristics, though there may be benefits or applicability of the new tool to larger UAVs.

This work was done by Dillon M. Pettit for the Air Force Institute of Technology. For more information, download the Technical Support Package below. AFIT-0001



This Brief includes a Technical Support Package (TSP).
Document cover
Cyber Risk Assessment and Scoring Model for Small Unmanned Aerial Vehicles

(reference AFIT-0001) is currently available for download from the TSP library.

Don't have an account? Sign up here.