Protecting Water Utilities from Drone Threats: Understanding the Steps of a Drone Security Methodology that Support the J100 framework

The small uncrewed aerial system (sUAS) ecosystem can seem overwhelmingly complex, but it doesn’t have to be that way. The wars in the Middle East, Nagorno Karabakh, Ukraine, and now Gaza have proven that we need to pay attention to the threat that drone technology poses to our critical infrastructure. The use cases of this evolution are abound on social media and events in the United States continue to show that it’s not a matter of “if” but “when” an event occurs. 

Ukraine is the most prominent example of this evolution as we continue to see that drone technology is moving from battlefield application to critical infrastructure targets. This should concern the security professionals responsible for securing all of our key life systems to include our water supply. For example, the event last September where a drone operator modified a commercial off-the-shelf platform to drop chemicals into swimming pools, turning the water yellow and green highlighted the simplicity of the event but also the implications it brings. 

Although this may seem harmless it does exhibit capability and did terrorize the residents of that township. Just think if this was a critical water supply and the act was not a harmless dye. Additionally, in Pennsylvania in July of 2020, a drone was used to disrupt an electrical substation. These two examples and many others in the United States indicate a trend and an awareness by nefarious actors that they have a new tool to use, but it also shows how far behind we are in developing our “ground game” to best address the coming “air domain” event. 

All too often the easy button for a security problem is to add technology. This is an extremely shortsighted approach and often a costly mistake. We, as consumers, are being inundated with a myriad of technological solutions that claim to detect, monitor, track, locate, and even mitigate the sUAS platform in real time with precision and accuracy. This may be the case in ideal environmental conditions but trying to do all these operations simultaneously with an aerial platform that is relatively small and flies very fast is hard to do. 

Additionally, security, safety, and emergency preparedness professionals are struggling with the concept of changing or updating their security programs. This is due to a stagnant playbook of physical security solutions and emergency response plans that haven’t evolved with the evolution of drone technology’s rapid maturity. Essentially, we are collectively trying to play catch up with a potential threat that has proven to be very capable, dangerous, and readily available. So, what is missing?  

As General Eisenhower once said, “Plans are worthless, but planning is everything.” This statement has lasted the test of time and resonates well and directly with the gap we are seeing with this new security challenge. It would seem intuitive at this point to take a step back and make a sound attempt to understand what is happening and how your facility and ERP development will benefit from making a concerted effort to educate, assess and train. 

The first goal is to gain a higher level of situational awareness before jumping into a capital investment regarding a technical solution that may not meet the requirements of current law. The second is to build your level of education around the ecosystem so that informed decisions can be made. So what does that look like?  

There has been considerable thought put into a drone preparedness and training methodology that is easily adaptable to all environments, but is particularly relevant and a sound addition to the J100 framework and Safe Drinking Water Act (SDWA) Section 1433 compliance requirements. This methodology is made up of five key steps/frameworks and is inclusive of the three main tenets of the thought process presented here —educate, assess, and train. 

Step 1:  Drone Vulnerability and Risk Assessment (DVRA) 

The DVRA framework is designed to impart fundamental knowledge in carrying out a drone study that provides essential information to make future informed decisions. Skipping this step is not negotiable within the security program’s structure. The DVRA provides a foundational approach to drone assessment and introduces basic concepts to kickstart your ability to include it in your security program.

The DVRA is beneficial for private sector and government operators responsible for detection and counter-uncrewed system understanding and any business looking to incorporate the “air domain” into their security protocols. The DVRA is designed to lay a solid foundation upon which you can further build risk and resilience into the program. It will serve as the bedrock for your comprehensive drone risk mitigation strategy and seamlessly integrate with your existing business security program. The framework consists of 11 steps that are tailored to technology operating in any environment.

Step 2:  Support DVRA findings with Short-Term Technology Deployment 

With DVRA findings in hand, the next step is to implement detection technology for a set period to get a better understanding of the real-time drone events over the business. Ideally, a 14-30-day deployment of a non-permanent asset will give the business additional data to support an informed decision about capital investment. 

This effort—combined with the DVRA—is the foundation of the next three major considerations for the air domain program. It is also a way to demonstrate the potential for geo-location of a drone operator that allows for a proactive response while staying within the boundaries of current mitigation laws. The DVRA and technical airspace reconnaissance combine as the bedrock for understanding the drone threat. This is a comprehensive step that affords informed decision-making. 

Step 3: Develop a Drone Emergency Response Plan (DERP) 

With the DVRA and short-term technology data defined, the next step is to develop a DERP. It will serve as the anchor for your comprehensive drone risk mitigation strategy and seamlessly integrate with your existing business security program, ERP components, and strengthen SDWA 1433 compliance. 

Water facilities thinking about this threat and technology will be far ahead of their peers as the J100 matures and technology continues to evolve. Additionally, the DERP will establish a framework for “response” and “action” during a drone event. The DERP is the beginning of operationalizing against drone-related risks, it will provide you with the essential tools to enhance your security protocols in the evolving “air domain.” 

Step 4: Left of Drone Launch (LoDL) Concept

The LoDL is the natural follow-on concept following the formalization of the DERPas it builds on the DVRA and DERP and operationalizes the analysis to support a proactive security posture as it pertains to the “air domain.” It also provides additional framework components that support an active documented standard operating procedure (SOP) concerning a drone event at any facility. 

At this point in the process, staff will work to define the environmental and technical analysis of the operating environment. By bringing together internal and external stakeholders, staff can put the focus on facilities as well as determine the best proactive actions toward their overal security program development. The LoDL step in the process will assist with the process of preparing, detecting, locating, and identifying potential left-of-launch locations as well as determine the proactive actions that need to be taken during or for any scenario. 

The goal is to create an executable plan that puts security in action and creates this proactive posture for the security team. The LoDL removes the potential for being purely reactive and gives security operations a mechanism in a restrictive mitigation environment to act if an event is identified through the air domain.In essence, the LoDL is the action arm of the security program as it pertains to sUAS events. 

Step 5: Develop an Exercise Program

The fifth step in the process is the development of an exercise program that includes training, rehearsals, and programmed exercise events that follow a crawl, walk, and run format. As you are aware, exercises keep a security posture strong even if staff turnover occurs—and it keeps the security program and your ERP up to date as threats evolve, stakeholders change and technology matures. 

This step cannot be under-emphasized. A staff that goes through a thoughtful repetitive training process based on analysis, assessment results, environmental conditions and SOP training will be a ready and resilient facility. 

Lastly, there is also a sub-task associated with this methodology and that is fundamental knowledge needed to understand Counter Uncrewed Aerial Systems (CUAS), including current United States law and legislation. This technological ecosystem consists of detection and mitigation options that—while not overly complicated—requires a deeper knowledge base. The sub-task is peppered throughout each of the major frameworks, but experience has shown that understanding this provides a great start for drone inclusion as a component of the ERP. 

Taking the time to gain a better understanding of the fast-paced evolution of commercial drones and how to begin implementation of the “air domain” in your security approach and program should be considered in every environment, especially those life systems that are critical to the daily needs of the people they serve. 

In the end, educate, assess, and train as you build your ERP and meet the SDWA 1433 compliance requirements. Simply purchasing technology to solve a problem that isn’t understood is a poor course of action. 

About Bill Edwards:

Bill Edwards is the Executive Vice President of Security Services at PMY Group. He leads the National Institute of Drone Security Standards and Training (NIDSST) and is a retired U.S. Army Colonel and Veteran of the Iraq War.