Global Drone Incidents
A Day in the Life of a cUAS Security Operator
In a LinkedIn Live session, David Lewin, Regional Sales Manager at Echodyne, interviews Zev Nadler, who consults in the cUAS space with a specialty in the use of OSINT (Open-Source Intelligence) to counter nefarious UAS (unmanned aerial system) threat actors. Nadler began working with drones in 2015 by generating videos for firearms manufacturers as well as for RECOIL TV. He is now the Director of Strategic Sales for Drone Security Operations, Inc. (DSO), the authorized agent in the Americas for DroneSec’s NOTIFY Global UAS Threat Intel platform.
Lewin and Nadler discuss current observed cUAS activity and how security operators stay ahead of the threats:
- Examine incident maps showing global impacts of drone incursions.
- Review a weekly threat intel report of recent global incidents.
- Discuss 3 drone incident reports for critical infrastructure sites.
- Understanding threat actors and their TTPs to apply to my facility, today.
- Staying current on training, dynamic versus static.
In this 10-minute read, discover more about a "day in the life" of a cUAS security operator and how they can leverage threat intelligence information and dynamic training to optimize security preparation, planning, and systems. Or watch the session today to hear the conversation and view examples of DroneSec’s NOTIFY.
The Interview
David Lewin:
Welcome everybody. And I'm sure that folks will be coming in over time here as we get started. I'm really excited to have a discussion today about the global drone incidents that are real incidents that are happening with drones all over the globe, different countries including the US, and really bring some awareness and education around that. And help provide tools that inform a cUAS operator, who has a job daily to stay in front of this emerging threat. And so, I'm really excited to talk with Zev Nadler and highlight some of the education resources, global threat intelligence, that the DroneSec NOTIFY Global UAS Threat Intel platform brings. And as we talk, I really want to invite you guys to post questions, comments. We can see them come through live and we'll highlight them and try to answer as many as we possibly can here live. So, as we share and get into different nuances and examples of real threats, we're going to look at actual threat intelligence reports and real incidents with some photos, some details. You know I imagine, as we do that, there's going to be questions that come up and application questions, et cetera. So please feel free to do that. Let's make this interactive. With that said, as I mentioned and I'll kind of start from the top again, as folks are coming in, we are going to be talking about global drone incidents and threat intelligence reports. And we're going to look at a day in the life of a cUAS operator. Zev, I'll give a brief bio, and then I'll hand it to you.
Zev Nadler consults in the cUAS space with a specialty in the use of Open Source Intelligence or OSINT to counter these nefarious UAS actors. Zev, I'll just give it to you because I really want to hear your story. I think folks will be intrigued by what led you to this path, what got you into this whole drone threats cUAS world. You were sharing that with me earlier and I thought that would be a really interesting place to start. And then we can kind of dive in from there.
Zev Nadler:
Thank you, David. So first, I appreciate you having me on. It was wonderful meeting you at the Drone Responders Conference in Virginia, that was a hoot, I appreciate that. Sharing some stories and getting to know each other was great.
David Lewin:
Absolutely.
Zev Nadler:
So basically at 20 years old, I was working in a slaughterhouse [laughs] and I was taking IT courses. This is back in probably 1981 or so, and I thought it was a natural transition to go from the Slaughterhouse to IT. If you've ever worked with computers or in IT you can get that.
Fast forward, I saw the programmers were making more money than the hardware technicians, which is what I went in as. And because I speak a couple of different languages, learning the syntax of programming was pretty quick and the next thing I knew I was an EDS employee on a General Motors account because General Motors bought EDS.
I'd gone into GM as a consultant, and fast forward from there 20 years later or so I was a senior manager at a large consulting firm, McGladrey & Pullen, and kind of semi-retired in 2000 here in Scottsdale. I made a couple of bad high tech stock moves which had me go back to work and I opened another IT firm here. We were able to get the Arizona State e-procurement system. Then from there, I got a little bit tired of IT, and scope creep and all the good stuff that goes with being in the IT world.
And I had this dream of teaching people how to drive correctly and shoot correctly in the desert, here in Arizona. We have a lot of open desert land and people go driving in there and you know, don't necessarily take care of the land, the way it is, and it was my purpose to teach them how to do that. So instead of being in the back of a Hummer or a Jeep, we had 15 formerly IDF Special Forces Vehicles which are like golf carts on steroids, and I mostly hired former Marines as my guides. There was a guide in front of the guy in the back because these guys really have been trained to make sure everything comes back intact and to keep people safe.
From there I sold that back in '13 and went into the firearms industry around 2015. The company I was working for said, "You know, Zev, I think drones would be great at a firing range because you could be five feet above and five feet in front of the shooter without risking the camera down range at the targets." And so, I got myself a Phantom and the next thing I knew I was in commercials for firearms companies and did some work for RECOIL TV. By 2020, I was performing business development for some US and international drone entities. And by April of '22 I became a specialist. I'm by no means a subject matter expert. That's reserved for guys like Jimmy McMahon who have trained 12,000 people, worked on 120 different types of SHORAD and air defense systems. But I became a specialist in OSINT to help our country and NATO be able to defend against nefarious drones. So that's what I’m doing now and it's been a lot of fun.
David Lewin:
That's great. Well, that's the fun story. I mean it's really interesting to hear everybody's paths. I'm glad that you know you weren't making those investments when this whole SVB bank and all those things that... [laughs] They've failed on a bunch of people. So, there's probably going to be more startups coming from people who thought that they were nice and retired and now may need to shift gears right?
Zev Nadler:
Now, a lot of the companies that have been using the periscope as their basis for their RF detection, are going to have to find a new way of doing that as well, right?
David Lewin:
Yeah totally. There’s opportunity for innovation for sure. So that leads us right to the meat of the conversation.
I wanted to get into the global drone incidents and talk about the map. We can pull that up here in a second. When you signed up for this LinkedIn live, you probably saw the snapshot of global incidents with drones. We’ll take a look at the map and all the underlying data and threat intelligence reports. But just the map showing the level of activity is enlightening.
It's difficult for a lot of critical infrastructure security teams to actually make the business case internally to their leadership to prove that drones and the emerging potential threat of drones is worth prioritizing over other risks and threats.
And so, you know we certainly want to make good decisions based on data and not hype. There's actual real data here that not everyone knows is available and it helps to have real life data to make a true business case and put a higher priority on implementing full technology for drone detection. Even if it's just putting resources into training and creating a counter drone program and response plan so that folks at least know what to do if they do happen to see a drone, right? So, across the board it is very helpful if there's a good strong business case based on data. And with that, I'll share the screen of that map.
Zev Nadler:
It is important to know how we maintain the intel constantly to be ahead of the threat. I'm going to take on the persona of an operator in an electrical power plant - let's call it a gas fire energy power plant. And I'm right on the Arizona border and I've got cartels to the south of me, and various actors all over and we see some bad critical infrastructure strikes. So, the first thing I'm going to do is show you what I do when I first come to work in the morning.
Zev Nadler:
You're looking at the dashboard that a typical operator would pull up every morning and they would see what's going on in the world. So, on the top here we can see a bunch of blinking items. This is usually things that have happened in the past 30 days.
We're seeing overall incident info, overall artifact info. Why are artifacts important? Because at the core of what we're looking at here of our global threat UAS tool is OSINT, our Open Source Intelligence, and that's gleaned through scraping the internet and being really good at doing it; we've been doing it for about four years or so. I would have to say that the other 20% is our analysts having burrowed deep into the various actors’ layers, like the dark web, certain groups they're in, having known the groups or certain personas that allow them to get information when these folks brag about their feats that they've accomplished.
So, when we look at the artifact categories, where do they come from? Counter drone systems, UTM systems, various regulations will come out, drone news and so on. We also take a look at the incident categories.
And then the last thing we have are instant results of the incidents that occurred, how many were seized and how many were not seized.
Okay, so we're going to go into the incident map now. So, when you see something with cannabis in the gun, it's going to be a prison drop. Prisons are a critical infrastructure with regard to the risk chain due to potential impact of escapees or increased criminal activity (like drones dropping drugs or weapons in the yard, or prison release or escapees) in neighboring communities.
David Lewin:
If we take these concerns and concepts and apply them to a day in the life as the cUAS operator at an electric utility, data is a powerful tool for creating a business case and solution before a site has a very bad day as a consequence of drone activity. Looking at global activity will inform US based security and safety responses, longer term and as drone use expands – both as tools and intentional threat carriers.
Zev Nadler:
Yes. What's happening around the globe is going to happen in a theater near you soon. So, it's something that you want to look at, you want to see things that are going on across the globe and then you might want to look into you know your area and see what's happening that is notable?
Now, if we go back into the incident map, we could see basic intrusions - two arrested for going over a Dow Chemical plant, for example. Now, when I open up critical infrastructure, we can see an oil tank, we can see educational facilities and power grids – all critical infrastructure. You see how COTS (commercial off the shelf) drones are being used.
David Lewin:
And Zev, I got a comment here. I'm going to highlight this from Christopher Schaffer, "Arizona prisons have been experiencing large uptake in drops. You know, we just had some with Arizona law enforcement." And I thought that was interesting if you want to comment on that and you know, and maybe highlight you know something on the map.
Zev Nadler:
I was showing the system to an administrator of this prison, and he asked me to do a search on anything in Mississippi and he said, "Yep, that was mine, I was there, and that was in that cam that caught that Phantom 3." And as we go through it, you know, he sees his desk, he sees his chair, he sees his drone, and he sees the contraband, and this is the beauty of OSINT. Then we do an analysis. We talked about what happened and our analysts tell you what the TTPs of these threat actors are and what could have been done.
David Lewin:
Here’s a question related to something we were talking about right before we started, and there was kind of an interesting reaction from the prison when they saw their own photos on there, right? "How are the OSINT reports confirmed and what steps are taken to avoid false reports, duplicates or other potential inaccuracies?"
Zev Nadler:
Yeah, so it's a great question and the answer is that we vet every single item that you see in our system from three different sources when possible, and that's most of the time. So, anything you see in here, any link to an artifact has been verified.
David Lewin:
Adam, thanks for your comment. He agrees with Chris, "At Arizona and many other DOCs across the US are experiencing an influx of drone-borne contraband." As are other critical infrastructure sites. That's a big deal, right?
Zev Nadler:
Absolutely. Here's an electrical grid threat that I brought up, I think we're all familiar with - the drone that came to the copper wire to intentionally disrupt power. And in here (within the data system), this is where we give a summary. We give a picture of the drone taken by someone at the scene. And the interesting thing about this one, where we all can learn from again, is that they did everything they could to thwart any forensics. So, they actually had its camera, internal memory card, and any identifying markings removed. So that goes far beyond, you know, just taping over the navigational lights with duct tape. They're actually doing more, they're getting smarter, and they know how to cover their tracks, which is why when we looked at the dashboard, we see there are those pilots who have been apprehended and those who have not. So yeah, great point, Adam. It's nice to see you on here. I know we chat sometime, see each other's posts on LinkedIn. It's good to see you as well, Christopher.
David Lewin:
So maybe you were going here already, Zev. But I would be really interested in looking at that weekly threat intelligence report because we’re all trying to stay in front of this curve. You need to, right? You need tools, resources, education, so that you're not just deploying a system, setting it and forgetting it. That does not work.
With that said, it's important to be able to have some sort of summary almost like you know, reading the Wall Street Journal if you're working on Wall Street you need to stay up to date and current, and have those resources. And so, these Global UAS threat intelligence reports - how would someone use something like that you know, real world to just very quickly drill in and get some highlights on things they should be concerned about, they should bring to their team et cetera?
Zev Nadler:
Absolutely, this goes hand-in-hand with one of the value propositions you mentioned today which is how can you have something to bring to your boss for budgetary and procurement purposes, in addition to doing your job, so the juice is really worth the squeeze. Okay, so a private intelligence report is delivered weekly into my inbox; subscribers see featured advisories, you'll see counter drone systems, drone technologies, conflict news and so on. So, they actually give you a picture of it, and then analysis. Also, we'll talk about what kind of contraband is being dropped and what's dropping it. This is all critical information for you to understand what people are doing, what is happening. You see here are some pistols and ammunition.
David Lewin:
Well, and from a consultant standpoint or a hardware manufacturer, anyone who's helping advise a critical infrastructure client on what type of technology stack that they need to have that awareness, that detection capability. This is really fascinating, right? To see how people operate, what their tactics are, where they're taking off from, where they're landing, what types of drones, what size, what kinds of payload, you know? We talked a lot about layer technology - whether it's radar, cameras, RF, acoustics - and you see real world examples of threats and get actual data points on how bad actors are actually operating.
Zev Nadler:
And that's why we call it, “the art of counter ‘insert exponents’ here,” UAS. It's a cat and mouse game that's going to continue. Before we were able to do things with GPS and RF spoofing and now we can't because they're figuring out how to subvert that counter-measure - they're using on-board waypoints or on-craft map with AI. By the way, what you guys are doing is incredible because you've extended the reach of detection by putting your radar panels on EasyAerial craft that can fly and observe 10, 15 miles away and then send it back via repeater and receiver so we know what might be coming.
I know we talked about the map, and I want to show that to you. So, I'm going to get out of this for one moment.
David Lewin:
And I will say Zev, we have about 18 minutes left. I do want to make sure you're able to show some of the video clips and other things. And keeping that in mind as you're transitioning, I want to highlight a question by Charles Mason: "How does a live report to local police get handled when many local police aren't trained to handle these types of situations and it may end with it being an FAA rule of law." So, I mean, as we know, the regulations are very prohibitive right now of anyone, but those very select few two or three, more federal agencies that are allowed to actually directly interdict a drone that's in flight.
Zev Nadler:
That is a great point and a good segue, but I want to show the global map first. Let me come back to this question because I have a pretty robust answer. We want to get this on screen because a lot of people came to see this.
David Lewin:
Yeah okay, got you.
Zev Nadler:
So, we produce a map every month, global, European, US, and so on. This is a drone incident summary that folks will get for the month of February, showing what and where key outstanding issues occur. You can then find more about these in our knowledge base along with a legend of what was high priority, what was medium priority - crashes, military drones, collisions, contraband and so on. This map can be shared as part of a weekly threat assessment report to the brass. At the same token, this gives you an idea of what's going on, on an ongoing basis.
Zev Nadler:
Going back to our questions about live reports, the way it works right now is we do not receive feeds from any one particular agency.
Now, you had alluded to, and that's very important to talk about, the National Action Plan in which number five of the priorities is having a dashboard that everybody can look at and pump information up to and get information down from the federal level to the state level. For the 18,000 SLTTs, tribal territorial and local agencies, that doesn't exist at the moment.
Further, the FAA can log reports, but they cannot use information from those reports to help law enforcement, at this time. The stuff that they capture is not going to have RIDs that they can disseminate. That's an important process that the guys are working through. And I know that everybody wants to see that sped up and I've been reading some LinkedIn posts about how, hey, you know, the laws aren't keeping up with the tech. And we all want UTM (Unmanned Aircraft System Traffic Management), we all want AAM (advanced air mobility) but until the point that we know that detection and mitigation isn't going to mess with the volume of delivery within the UTM airspace we have to be careful, and we have to make sure that something bad doesn't happen.
We can detect right now, but we're not allowed to mitigate. So, what else can we do? Well, we can identify where our possible threats might come from to our facility.
As part of my job as an operator, my boss came to me and said "Zev, I need you to put together a survey, as to where the threats might be coming from, so that we can have our security guys know where our problem points are." I'm going to share audio for this for a couple of minutes so that you get an idea of what's going on.
Video audio from Zev's screen: This is a zoomed-out vision of our target point and that is on the side of the road there, it's roughly up to about 600 meters of mapping, and they're not interested in further than that. Now, in Photoshop, we've left the color grade, 100% for the middle circle, which we'll call Alpha eventually, the second circle there, which we call Bravo...
I'm zooming ahead now just so that you see how we identify launch points and how one would begin to identify likely launch points. I didn't know how to do this until I took this training so that's part of what DroneSec does - they have a training portal that allows you to get the coveted DSOC drone security operation certificate which has become somewhat of an industry standard.
So, in this particular case, I'm just going to zoom ahead. We've been able to show what are low-risk locations, medium-risk, and high-risk, where might they be launching from.
I know we have about 12 minutes left, and I thought perhaps that could be a good time to take some more questions.
David Lewin:
Sure, yeah, I really appreciate that. With regard to that overall question of “what can we do now?,” there are concrete actions that teams can take today - we can assess our sites, do a risk assessment, create a plan, and try to get ahead of potential launch points, so that we know where to look for the pilot potentially. And then have response plans in place.
We work with electric utilities, for example, that have policies where they're able to reroute power at certain critical substations if they detect a drone incursion and that way they can manage and get ahead of any sort of potential cascading effects. They can shoot it down out of the sky, but they can take a proactive stance on how they will respond.
David Lewin:
I want to say briefly here, Eleanor, thanks for the question, you said, "So, in terms of the business case for cUAS systems, there should be a huge global market," is that correct? There's a challenge with the laws around mitigating and folks aren't even sure what to do. But that has I think you know, slowed the proliferation of cUAS systems and there is a pent-up global market for the technology. Also to clarify, when you say cUAS counter UAS often that's referring to an actual mitigation system that can take down a drone or cause it to land or fly away. And that is not legal to date, for anyone except a chosen - DOJ, DOE, and a few others.
However, detection using radar, cameras, RF, acoustics is within legal boundaries, almost always for almost all security entities.
Zev Nadler:
Would you mind sharing my screen again? Because there's two other items that I think are important. In addition to the knowledge base, we have a threat glossary with additional information including a description of their motivation goals or TTPs record a contrabands and crimes, and what type of crafts they're using. And this is constantly updated.
For example, with regard to Border Security, most people think of the Sinaloa cartel as being a priority threat. So, we look and see that based on catalogues and verified activity and incidents, Jalisco New Generation is of high concern. They're already in Yuma and El Paso. I have a bunch of saved searches to see what it is that they're doing. Users of the database can do the same for their regional priorities.
Then the other thing we have is a drone database. This is where I can go into consumer and hobbyist drones, I can go into enterprise and commercial drones, and I can get some information on drone capabilities.
And then lastly, we have stolen drones, which helps you identify whether you're dealing with Friend or Foe right away. So, this is an up-to-date list of every stolen drone that's been reported that's fed into the system: the drone serial number, the flight control serial number, this does have the remote-control serial number, and so on. As well, who to contact if it does show up.
David Lewin:
That's great. Another question, "What can radars do against autonomous drones inside the metropolitan area on close ground level flights? How can you prevent them in time for when, they are programmed to an attack at Embassy, for example?"
I mean, brilliant question. Whenever you set up a detection technology, whether it's radar or others that we've been mentioning, it’s important to consider system design and layout and to be thoughtful looking at your risk assessment, and additional data including those reports of potential launch points and making sure you strategically place a radar in the right place where you can have line of sight to the path that you think that a nefarious actor might actually leverage. With that said, there's limitations on how they can be mounted in urban environments on buildings, right? Where there may be obstructions to the path including flying low to the ground.
Some intruders with the right level of intelligence may be able to bypass certain radar systems if they're permanent installations without line of sight to the exact approach path. With that said, what we do see national security entities doing is leveraging mobile setups of radar on tripods and trailers, such that they can position those real time. This provides flexibility to negotiate those locations to make sure that they have line of sight based on their assessment of where those paths might be and what they are observing in real time.
It's being strategic and leveraging the technology in the right way to mitigate against a particular threat that you're concerned about. Radar will detect an autonomous drone; the radar picking up the autonomous drone because it's just an object moving through space. Whereas some of the other technologies may or may not pick up on the drone if they're not in a preset catalog. Radar is a little bit different in that it sees anything that's moving and you can tune it, which further leverages machine learning to clarify exactly what you're looking at.
So, with that, it is time to wrap up. Zev, do you have any other comments?
Zev Nadler:
I think two comments as follow-on to the conversation we just had. A placement plan is the key and you need to decide what your defensive area is and allowable reaction time to avert negative consequence.
David Lewin:
Absolutely well, we're right up against the hour. Follow up on LinkedIn. Let's keep the conversation going, and let's make this collaborative effort.
Zev and I represent different manufacturers and want to invest the time with you to educate and bring awareness, and then be a resource as you have questions.
I didn’t give a formal introduction at the beginning, but I represent Echodyne radar. If you do want to dive a little bit deeper into that space and what radar is capable of and what the right applications are for it, then feel free to reach out to me as well. Add me on LinkedIn. So I guess with that we'll sign out. Thanks everybody.
Zev Nadler:
Thank you, David. This is great. Thank you.
Note: Minor edits have been made to the transcribed dialogue for clarity only.