The Story Plot
It’s a Sunday morning at 7AM. A 2018 Ford F150 parks along the side of the perimeter fence protecting the hydropower plant. The parked truck seems innocuous as it’s along the road passing the power plant, the same road 15,000 people travel on each day. In fact, no one seems to notice, as most people are still catching up on their sleep from the long work week.
The driver walks around the back of the truck and opens the tailgate. In the bed is a small consumer size drone purchased online for under $200. He then proceeds to take out an iPad, powers on the drone, and pairs it with the iPad. Sitting in the trunk bed, the driver (now drone pilot) flies the drone over the fence and around the back of the facility. A line of sight is not necessary as the pilot can view through the video camera as if he was sitting in the cockpit of the drone.
The drone approaches a sensitive portion of the facility where delivery containers are stored, as well as the emergency backup generators used in the event of a major plant failure. The power generated by this facility powers over 50,000 homes in the area, as well as a CDC remote facility, nearby Water Treatment Plant, a state prison, and local law enforcement.
As the pilot flies the drone closer, he obtains a close-up view of what he was looking for, the precise location of the power distribution bus and transformers, contained within a secondary fence. He additionally notes the manufacturer, model numbers, and other characteristics of this portion of the facility, including the perimeter cameras. Physical security doesn’t notice the activity, as the security cameras are pointed horizontally and downward towards the ground looking for unauthorized personnel or anything else nefarious. No one sees the drone flying overhead.
The driver flies the drone back to his truck, packs it up, and heads off in the morning sunrise, completely unnoticed and undetected by the physical security, video security, or network security. With this intel, he and his team can plan to drop a small bomb at a later time to take the facility offline. This follow-up attack will also go unnoticed or undetected, and allow the attackers to move onto their next target, while the staff at the current target are still trying to determine what happened, and by whom…
Detection of Radio Anomalies (Drones)
The capabilities exist today for your average person to conduct this exact type of spy mission. But what capabilities exist to detect such activity?
Drones such as this emit RF (Radio Frequency), commonly WiFi, but certainly other types of RF can be used to control the drone as well. In this scenario the drone is being controlled by an iPad. When the drone is powered on, it advertises an SSID, just like a regular access point. The iPad can then be paired with the drone to allow not only control, but viewing and recording of audio and video. As a result, characteristics about this drone can be detected using RF surveillance.
802 Secure’s AirShield can detect such activity by fundamentally detecting the RF transmissions to and from the drone. This is typical of some other solutions in the industry. But when performing detection or post-mortem forensics customers want as much information as possible to identify the perpetrator. The AirShield sees more than just the drone transmissions, it also identifies the specific make and model of the drone, the iPad used to control the drone as well as the relevant MAC address(es). This provides important forensic information. While the drone might be detected in the vicinity of the building, the iPad can be detected along the perimeter fence line. Correlating this to video feeds or physical security observations, the power facility can get a view of the perpetrator as well.
In this fictitious story we also described a 2018 Ford F150. This truck as well as many other new vehicles include built-in WiFi and/or Bluetooth. AirShield also identifies these transmissions as well, even if they’re just broadcasting but not paired to anything. Furthermore, AirShield sees more than just a MAC address, it identifies the type of vehicle. Another very important piece of forensic information. In the broader picture, perhaps a video feed caught a glimpse of the truck on the side of the fence or as it passed by the rest of the facility, maybe even the license plate.
Detection, monitoring, and forensics encompass the analysis of the broader picture, by correlating and understanding the who, what, when, where, and how. The more information the better, especially when protecting critical infrastructure such as a power facility on which so many people rely upon.