News & Events > FAA Lacks Sufficient Security Controls and Contingency Planning for its DroneZone System

FAA Lacks Sufficient Security Controls and Contingency Planning for its DroneZone System

  • Apr 22, 2020
  • Categories: Counter Drone News

The Office of the Inspector General of the US Department of Transport has just published the report of its performance audit to assess the effectiveness of FAA’s UAS registration system security controls, including controls to protect PII, and to determine whether FAA’s contingency planning limits the effects caused by the loss of DroneZone during disruptions of service.

EXECUTIVE SUMMARY

What We Looked At
In 2012, Congress directed the Federal Aviation Administration (FAA) to develop a plan for the safe integration of unmanned aircraft systems (UAS)—also known as drones—into the National Airspace System. As part of its integration and oversight of UAS, FAA compiles data in its UAS registration service—known as FAA DroneZone—as well as in its Low Altitude Authorization and Notification Capability (LAANC), an automated system that authorizes registered UAS users to fly their drones near airports. Both DroneZone and LAANC are cloud-based systems that contain sensitive data provided by the general public, including personally identifiable information (PII). We initiated this audit to determine whether FAA’s UAS registration system has the proper security controls and recovery procedures in place. Our audit objectives were to (1) assess the effectiveness of FAA’s UAS registration system security controls, including controls to protect PII, and (2) determine whether FAA’s contingency planning limits the effects caused by the loss of DroneZone during disruptions of service.

What We Found
FAA has not effectively ensured that DroneZone and LAANC have adequate security—including
privacy—controls. For example, FAA has continued to authorize DroneZone operations without
conducting a comprehensive assessment of its security controls since it first began to operate the system in 2015. In addition, FAA’s inadequate monitoring of security controls and use of unauthorized cloud systems increases the risk of the systems being compromised. Furthermore, FAA could not demonstrate that 24 of 26 privacy controls were assessed to protect 1.5 million DroneZone users’ PII.

We also found that FAA’s contingency planning does not adequately limit the effects caused by a
potential disruption of services. Finally, FAA does not have sufficient controls for handling backups and off-site storage to ensure continuous operations and maintain data availability.

Our Recommendations
FAA concurred with all 13 of our recommendations to improve the security of the DroneZone and
LAANC systems and privacy of user information.

Source: UAS VISION

Related Posts

  • FAA Evaluates Drone Detection Systems Around Denver

      November 16– Unmanned Aircraft Systems (UAS) that enter the protected airspace around airports can pose serious threats to safety. The FAA is coordinating with our government and industry partners to evaluate technologies that can be used safely to detect drones near airports. This week, the FAA and the Department of Homeland Security (DHS) are […]

  • Implementing Combat Lessons with C-UAV Capabilities

    Determined to meet the challenge of hostile Unmanned Aerial Systems (UAS), the US Army acquired a number of countermeasures able to defeat such threats using electronic warfare. The Islamic State in Iraq and Syria pioneered the use of commercially available micro drones armed for attack or suicide missions. These weapons were used on a large […]

  • ORBITAL ATK CREATES INTEGRATED, COUNTER UAS CAPABILITY

    At DSEI, Orbital ATK showcases Tactical-Robotic Exterminator (T-REX), a mounted and integrated version of the combat-proven Liteye AUDS non-lethal Electronic Attack (EA) capability combined with the lethal defeat capability of the Orbital ATK XM914 30mm BUSMASTER Chain Gun. This new mounted system integrated with tactical radar detection and electro-optical infrared (EO/IR) sensors, provides great Unmanned Aerial System (UAS) identification […]

This website uses cookies to ensure you get the best experience on our website. Visit our Privacy & Terms of Use here.