← All insights
Strategy

What Is the Future of Commercial Drone Security?

Commercial drone programmes in the UK are being accelerated by the restrictions of the Coronavirus lockdown: medical PPE drops from mainland UK to the Isle of Wight, essential medicines delivered to doorsteps in Northern Ireland. These trials are early indicators of what could be possible commercially, at scale. But when innovation moves too fast and gets ahead of legislation, the risk and potential for misuse climb just as fast.

Drones have also proven, many times over, how effective they are for malicious use: smuggling drugs into prisons, grounding flights, even bringing an international airport to a standstill for days, as happened at Gatwick in December 2018.

Between innovative programs and ongoing malicious use, commercial drones will become attractive targets in their own right: for their payloads, and for the drones themselves, which will only gain capability over time.

This raises the question of ‘what is the future of commercial drone security?‘

The Threat Model

First, we need to look at some of the potential threats and who the would-be attackers are. Below is a high-level attack tree outlining possible steps attackers could take to compromise a drone.

Hijacking control communications could allow an attacker to take unauthorised control of the drone

Another well documented incident happened in 2011 when an American Lockheed Martin RQ-170 (UAV) was captured by Iranian forces near the city of Kashmar in north eastern Iran purportedly brought down by the Iranian cyberwarfare unit. The Iranians then reverse engineered the drone to build copycat drones one of which was shot down and captured by the Israelis in 2018.

If this can happen to military organisations where security is of the highest level, then the implications for commercial ventures cannot be ignored.

Attacks on communications such as those used to control drones are also a valid target where compromise could result in a catastrophic outcome. By jamming the communications, the drone could lose control and crash. Hijacking control communications could allow an attacker to take unauthorised control of the drone perhaps crashing it into a target, stealing it or its cargo, or using it to cause disruption.

Location communications such as GPS are also a consideration. Imagine if an attacker could manipulate GPS data to send a delivery drone to the wrong location.

This model primarily considers attacks on the control and communications of drones, but we should also consider the risk posed by supply chain attacks or attacks targeting operating systems or software. Many long-range drones are controlled remotely from base stations by human operators. It might prove difficult to break into the buildings and take over the drones, but if attackers target the control software and remote hack into the systems then they could bypass the human operators.

We can look at car manufacturers that issue vehicle software updates over the air to see the potential of this as an attack vector. In 2017 a Chinese white hat hacker group, managed to remotely hack the Tesla Model S through a malicious Wi-Fi hotspot and take over various controls including the braking system.

Commercial drone enterprises will likely rely on similar systems to manage a fleet from control bases. Most hobbyist drones run on inexpensive IoT control boards and off-the-shelf software that is notoriously insecure. To keep costs down, many commercial offerings will use the same software and components, inheriting the same vulnerabilities, and if those aren’t thoroughly tested or secured they become security weaknesses.

With state and terrorist cyber-attacks on essential infrastructure well documented. It is not a far leap to see the attraction to threat actors of taking over a flock of drones for miscreant purposes.

This leads to two questions:

  1. How do we ensure proper security testing and auditing of drone technology in the commercial space?
  2. How do you measure and insure the cyber risk of the commercial drone market without such testing?

In regards to the first question, the CAA has regulations contained within the Air Navigation Order 2016 (ANO 2016) with specific additional steps that must be taken if a drone is being flown for commercial operations. This is good but simply puts the onus onto the company operating the drone to comply with a set of regulations in relation to the flying and operating of the drones, and does not tackle the underlying subject of security testing and resilience against attacks targeting commercial drones or their reliant infrastructure.

What is needed is a proper set of security standards that all commercial drone operators adhere to pertaining to stringent security testing and threat mitigation. Until then the space will be a wild west of varying security standards and safety with potentially life-threatening outcomes.

For question number 2, the answer is that without proper security testing and auditing you cannot. Without that there is no way to reliably measure or mitigate the risk. The cyber insurance markets already grapple with technology moving at ever increasing pace with new threats and attack vectors uncovered on an almost daily basis, drone technologies are only going to complicate matters.

For now the responsibility falls on each commercial drone enterprise to ensure full and proper security testing and risk assessment of the entire pipeline: the components used to build the drones, the control systems, the software and operating systems, and the procedures used to fly and manage the fleet. This isn’t just good practice. It makes long-term financial sense, because when a drone-related incident happens, someone will be asked who was liable.

If you are operating in the commercial drone space and would like to discuss security testing or how our services would help your organisation, then please visit www.osec.com or contact us at: info@osec.com

More in Strategy
Nobody Gives a S##t About Cybersecurity: A Postcard from the Edge of the IndustryMar 23, 2026 · 11 minThe Day Zero Trust DiedMar 9, 2026 · 8 minThe $10M Distraction: Why 50,000 CVEs Don't Matter (But 3 Attack Paths Do)Feb 16, 2026 · 3 min
Talk to an expert