Remotely Piloted Aircraft Systems in Contested Environments
A Vulnerability Analysis
In contrast to ground and manned aviation operations, recent RPAS missions have been conducted in a permissive air environment only, where Allied forces did not anticipate vigorous enemy Air Defence assets. Based on the assumption that in the future, NATO will be forced to deal with something other than an inferior or outgunned enemy, adversaries will have the capability and intent to oppose or disrupt NATO air operations and will represent a serious threat to Allied RPAS assets.
Therefore, this study provides a detailed assessment of current RPAS components’ limitations and vulnerabilities, addressing operational, technical and legal questions. It outlines a vision of possible future conflict scenarios and compares these predicted threats with current capabilities. The study focuses on Medium Altitude Long Endurance (MALE) and High Altitude Long Endurance (HALE) RPAS. However, the identified risks and threats, as well as the given recommendations, may apply to other classes of RPAS as well.
Purpose of the Study
Over the past two decades, Remotely Piloted Aircraft System(s) (RPAS) have been fielded in increasing numbers across many nations and military services. RPAS provide distinctive capabilities for the Joint Force Commander (JFC) with reduced risk and extensive time on station in comparison to manned systems. In contrast to ground and manned aviation operations, current RPAS missions are conducted in a permissive environment only, where Allied forces do not anticipate a robust enemy Air Defence network. This study provides a detailed assessment of current RPAS limitations and vulnerabilities. It addresses operational and technical, as well as legal questions, outlines a vision of possible future conflict scenarios and compares these predicted threats with current capabilities. The study focuses on Medium Altitude Long Endurance (MALE) and High Altitude Long Endurance (HALE) RPAS. However, the identified risks, threats and recommendations may apply to other classes of RPAS also.
This study is based on the assumption that future North Atlantic Treaty Organization (NATO) operations will be forced to deal with something other than an inferior or outgunned enemy. It is assumed that future adversaries have the capability and intent to oppose or disrupt NATO air operations. It is also assumed that they are on a similar technological level and represent a serious threat to Allied forces.
The study provides assessments of possible scenarios for future conflict derived from recent strategic studies. Based on these assessments, individual threats to RPAS were identified and analysed in more detail. As RPAS typically consist of several individual system elements, a matrix was set up to identify which threat affected a given RPAS element. Once this was completed, the vulnerabilities of the individual RPAS elements were outlined in detail with reference to the matrix. To assess the individual RPAS element’s vulnerabilities, the ‘Survivability-Kill-Chain’ methodology was used. This methodology was adopted from Prof. Robert E. Ball’s book, ‘The Fundamentals of Aircraft Combat Survivability Analysis and Design’. Each identified threat and vulnerability was rated as either ‘low’, ‘moderate’ or ‘high’ and used the common ‘traffic lights‘ colour system. All individual ratings of the identified threats and their respective RPAS element vulnerabilities were correlated and consolidated in a final ‘criticality assessment matrix‘. Recommendations were outlined following the ‘Survivability-Kill-Chain’ structure used in the vulnerability analysis chapter. As the study lists more than one hundred detailed recommendations, a quick reference was added as an annex. Finally, the study concludes with a strategic vision for future RPAS operations in NATO.
RPAS have been used in support of NATO operations since 1995-96, when the first unarmed RPAS were deployed in support of Allied operations during the Bosnian War. The real turning point for RPAS came after 9/11 when the United States initiated Operation Enduring Freedom (OEF). Unmanned Intelligence, Surveillance and Reconnaissance (ISR) capabilities became critical in the global fight on terrorism. These operations were almost uniformly characterized by a permissive air environment. It must be noted this permissive air environment may have negatively influenced the most recent developments in RPAS technology. This may have resulted in exploitable vulnerabilities in newly fielded or soon to be fielded RPAS.
Possible Future Conflict Scenarios
It is difficult to predict future security threats. If NATO decides to intervene in interstate conflicts, it can be assumed that state actors are capable of confronting us with similar capabilities. Furthermore, the escalating number of actors gaining access to advanced and dual-use technologies increases the potential for asymmetric attacks against the Alliance by those who are unable to match Western military technology. It can also be assumed that an adversary will probably avoid NATO’s strengths and gravitate towards areas of perceived weaknesses. Therefore, it is likely an adversary will avoid conventional military operations and attack in an irregular or asymmetric manner.
The identified threat dimensions for RPAS can be subdivided into symmetric, asymmetric and systemic. A symmetric threat is commonly defined as an attack on a comparable military level (i.e. force on force) which abides by the Laws of Armed Conflict (LoAC). The most probable adversary that can deliver a symmetric attack is a state actor. In the NATO Glossary of Terms and Definitions (Allied Administrative Publication 06, AAP-06), an asymmetric threat is defined as a ‘threat emanating from the potential use of dissimilar means or methods to circumvent or negate an opponent‘s strengths while exploiting their weaknesses to obtain a disproportionate result.’ Lastly, there are systemic limitations that may have an impact on future RPAS operations as well, e.g. the public perception of RPAS is influenced by the legal and moral aspects of their use.
In addition to the aircraft itself, all RPAS consist of several common components, which are the payload, human element, control element, data links and support element. RPAS share many of the same limitations manned aircraft have and have additional unique vulnerabilities. This study analyses the vulnerabilities of each individual RPAS component listed above.
Remotely Piloted Aircraft and Payload
The vulnerabilities of Remotely Piloted Aircraft (RPA) and their attached payload are quite similar to those of manned aircraft. The highest risk to airborne RPA will come from enemy Air Defence (AD) systems and combat aircraft as they are designed to detect and engage aircraft at long ranges. However, even Rocket-Propelled Grenades (RPGs) or sniper rifles could cause catastrophic damage to the airframe and payload if an adversary were within range. Each RPA is one of many nodes in the overall RPAS network, each of which is vulnerable to cyber-attacks and the corruption of microelectronics supply chains.
Human Element and Support Element
Attacking personnel rather than the RPA may be a favourable option for an adversary. Depending on the mission, RPAS personnel may be working at different locations. Within the Area of Operations (AOO), adversaries may engage RPAS personnel with any available weapons, e.g. combat aircraft, artillery or infantry. The vulnerability of RPAS personnel is equal to that of any other military personnel deployed to the AOO. RPAS remote split operations offer different opportunities for an adversary to conduct covert attacks. Special Operations Forces (SOF) assets or other means of asymmetric force can be employed on mission critical RPAS personnel in non-secure (civilian) environments. This study could not identify protective measures currently in place for off-duty and/or non-deployed personnel, but countless references were found revealing the names and identities of RPAS personnel during interviews and other press-related activities, indicating there is ample information to support such attacks.
The Control Element consists of physical infrastructure (external hardware), computer systems (internal hardware) and non-physical software. All may be subject to different types of attack. The physical hardware may be attacked by kinetic weapons while the non-physical software may be subject to attack through cyber-warfare. Due to their unique size and shape, the hardware components may be positively identified as RPAS components to an alert adversary. Their persistent radio transmissions may also reveal their location to enemy electronic reconnaissance.
The Control Element’s computer systems often include Commercial-off-the-Shelf (COTS) components. Identifying the multiple layers of contractors, subcontractors and suppliers contributing to the design or fabrication of a specific chip is difficult; tracing all of the contributors for a complete integrated circuit is even more difficult. This widely dispersed supply chain may provide an adversary with opportunities to manipulate those components or penetrate the distribution chain with counterfeit products.
The software components necessary to operate an RPAS are not limited to the Ground Control Station (GCS), but also include the aircraft, satellites and ground stations if applicable, as well as support systems for logistics, maintenance or Processing, Exploitation and Dissemination (PED). This variety provides an adversary with a broad spectrum of possible entry points into the RPAS network. Although current protective measures are thought to ensure an adequate level of cyber-security, they cannot guarantee absolute security.
Data links connect RPA with the GCS and enable the operators to remotely control the RPA and receive transmissions. Possible Electronic Warfare (EW) targets for the adversary include the GCS, RPA, satellites and satellite ground segments. From the enemy’s perspective, the satellite’s receiving antenna and the RPA’s Global Positioning System (GPS) antenna appear to be the most promising targets for EW engagements. Regarding the exploitation of transmitted RPAS signals, multiple discoveries of pirated RPA video feeds have proven that militant groups have adapted their tactics and have regularly intercepted Full-Motion Video (FMV) feeds. Shortly after these security issues were revealed, encryption of FMV streams was designated as a high priority. However, even today, not all currently fielded RPAS are capable of transmitting encrypted video feeds.
Consolidated Criticality Assessment Matrix
To determine the most critical effects on RPAS operations, the respective ratings of the threat and vulnerability summary are correlated. The individual ratings are displayed according to the standard ‘traffic light colour system’. (cf. Table 1) Red indicates a highly critical issue which affects current RPAS operations and should be addressed as a high priority. Yellow indicates a moderately critical issue which is not yet highly critical, but may become so as technology evolves. Green indicates a less critical issue, meaning the RPAS could sustain attacks from threats listed in this category or they are not expected to face these threats.
This study identified more than one hundred individual recommendations throughout the entire scope of RPAS. They include measures in the air, ground and cyber-domains. However, there is no single solution that is suitable for all types of remotely piloted systems currently in use by NATO nations. Some recommendations may be easily and quickly adopted whereas others are expected to take years of development and integration. The annexes provide tables with an overview of all recommendations sorted by RPAS elements, threat types, application areas and expected implementation timeframes. They also provide the reader with a reference to the respective chapter number of the individual recommendation for further details.
Remotely Piloted Aircraft
It is very unlikely there will be a ‘one-size-fits-all’ solution for RPAS operations in a contested environment. In addition to Reconnaissance RPAS, which are expected to be upgraded and continue the role of current MALE/HALE systems, this study envisions the following categories of future RPAS which are optimized for specific purposes:
Deep Penetration RPAS – designed for full electromagnetic stealth, designated to conduct reconnaissance and air strikes deep inside enemy territory;
Combat RPAS – designed for high G-forces and manoeuvrability, designated to conduct air-to-air and air-to-ground combat in non-permissive and hostile air environments;
Swarm RPAS – designed for expendability and operating in large numbers, forming a swarm;
Carrier RPAS – designed to carry an immense stock of long-range, precision-guided air-to-air and air-toground munitions, designated to project military power like naval aircraft carriers.
Ground-Based RPAS Elements and Personnel
To improve the survivability of deployed RPAS ground components, users should employ established and proven measures such as camouflage and dispersion of equipment, reducing radio transmissions or increasing mobility to facilitate leapfrog operations. However, the best way to protect RPAS ground elements would be to not deploy them at all. Therefore, the range of RPA must be significantly improved so they can be launched and recovered from inside NATO territory. This study did not identify protective measures currently in place for off-duty personnel. Pre-emptively deterring threats for home-based RPAS infrastructure and personnel must not be considered a military-only task. Military Force Protection Conditions (FPCON) should be complemented with additional protective measures provided by local civilian authorities. Comprehensive and joint civil and military force protection measures should also encompass the domestic environment to include families of RPAS personnel.
Command, Control, Communications and Computers
Improvement of RPAS Command, Control, Communications, and Computer (C4) security must be comprehensive and should encompass the physical components required for RPAS communication, the computer systems (to include their software packages), the electromagnetic spectrum they operate in, and any personnel with access to the RPAS. They may be all subject to different types of attacks and require different levels of protection. Physical components should follow the same principles of camouflage, dispersion and mobility like any other ground-based element aiming to avoid detection. COTS computer hardware should be thoroughly balanced against the inherently superior security of proprietary systems. If COTS systems are preferred, trustworthy supply chains for these hardware components and their sub-components must be ensured. Capable, trustworthy and updated security software suites are essential in defending computer networks. In addition to these defensive measures, offensive and pre-emptive cyber-operations should be conducted to eliminate threats in advance. Future RPAS development should focus on reducing radio communications dependency by introducing new means of data transmissions and increasing RPA automation. To prevent corruption, adversary recruitment or blackmail attempts which may lead to a breach of security, RPAS personnel should receive mandatory training to raise awareness of those issues. Computer system access policies (both for software and hardware) should be as restrictive as necessary to defend against intrusion attempts or exploitation of human carelessness.
Automation and Human Interaction
Achieving higher levels of automation is a prerequisite in enabling many of the recommendations made in this study; however, what is technically possible is not necessarily desirable. The automated release of lethal weapons should be considered very judiciously with respect to legal, moral and ethical questions. This study recommends two fundamental types of lethal weapons release, i.e. deliberate attack and automated defence. For any target that requires approval by the Joint Targeting Process, a deliberate human decision for weapon release must be enforced. Conversely, automated weapon release should be approved for any target that is actively engaging the RPA. The threshold of what is considered an active attack should follow the same principles as for manned combat aircraft. This study refrains from recommending an ‘Automated Attack’ mode for RPAS. Such an automated attack mode would entail a multitude of legal, moral and ethical questions.