Full Report
The Center for Cybersecurity Policy and Law (CCPL) has released a new report that examines the rise of malicious drone activity and potential gaps in the United States’ current counter-uncrewed aerial system (C-UAS) authorities, resources and preparedness. Based on a three-hour, multi-agency security exercise hosted by Grand Sky in Grand Forks, North Dakota, in October 2025,…
Analysis Summary
# Incident Report: Simulated Multi-Vector Drone Swarm Attack
## Executive Summary
In October 2025, a simulated, three-hour, multi-agency security exercise was conducted in Grand Forks, North Dakota, to test C-UAS preparedness against coordinated malicious drone activity. The multi-vector attack successfully overwhelmed local, state, and federal response capabilities by simultaneously targeting a public gathering, the local electric grid, and a nearby air base, resulting in simulated casualties and widespread power outages. The exercise highlighted significant gaps in baseline airspace awareness, detection technologies, and legal authority for advanced C-UAS engagement.
## Incident Details
- **Discovery Date:** Pre-incident (Exercise Briefing)
- **Incident Date:** October 2025 (Duration: Three hours)
- **Affected Organization:** Multiple simulated targets (University event attendees, local electric grid, air base)
- **Sector:** Critical Infrastructure, Government, Public Safety
- **Geography:** Grand Forks, North Dakota
## Timeline of Events
### Initial Access
- **Date/Time:** October 2025 (Start of 3-hour Exercise Window)
- **Vector:** Physical insertion of commercial drones into controlled airspace.
- **Details:** Three separate swarms of small commercial drones, laden with explosives, were deployed simultaneously or sequentially against distinct high-value targets.
### Lateral Movement
- **Date/Time:** Progression throughout the 3-hour exercise
- **Vector:** Coordinated aerial approach and saturation of the operational environment.
- **Details:** Attacks were phased, moving from a kinetic impact on personnel to infrastructure disruption (power grid), and finally impacting a military installation (air base).
### Data Exfiltration/Impact
- **Date/Time:** Throughout the exercise
- **Vector:** Kinetic/Physical Payload Delivery.
- **Details:** Simulated significant loss of life and injuries at the public event; widespread power outage across the town and surrounding area; considerable damage to the nearby air base.
### Detection & Response
- **Date/Time:** Throughout the exercise (Response teams reacted to inchoate warnings, active attacks, and follow-on possibilities)
- **Vector:** Detection measures (limited by regulatory/resource constraints) and multi-agency response protocols.
- **Details:** Initial detection was hindered by a lack of baseline mapping of ordinary airspace activity. Response teams struggled to confirm if sightings were malicious and faced legal confusion regarding permitted detection measures (especially those interacting with drone communication signals).
## Attack Methodology
This was a real-world simulation designed to stress C-UAS systems, not a traditional cyber intrusion. The methodology focuses on physical security threat vectors:
- **Initial Access:** Deploying commercial drone hardware into target airspace.
- **Persistence:** Sustained aerial presence and coordinated engagement across multiple locations.
- **Privilege Escalation:** Not applicable (physical threat).
- **Defense Evasion:** Utilizing small commercial platforms that may be difficult to distinguish from legitimate air traffic without specialized baseline mapping.
- **Credential Access:** Not applicable.
- **Discovery:** Not applicable, though the *human* element received inchoate warnings requiring initial assessment.
- **Lateral Movement:** Geographic spread of the drone swarms targeting distinct critical assets simultaneously.
- **Collection:** Not applicable (Kinetic payload focused).
- **Exfiltration:** Not applicable.
- **Impact:** Kinetic damage via explosives, operational failure (power loss), and personnel casualties.
## Impact Assessment
- **Financial:** Not specified (Exercise focus was preparedness, not final cost).
- **Data Breach:** None (Physical/Kinetic incident).
- **Operational:** Complete loss of power to the town and surrounding area; disruption to public gathering; damage to military air base operations.
- **Reputational:** High potential for reputational damage from a mass-casualty event and infrastructure failure, had this been a real incident rather than an exercise.
## Indicators of Compromise
*Note: As this was a simulated physical threat exercise, traditional cyber IoCs are not applicable. Indicators relate to airspace activity.*
- **Network indicators:** (N/A)
- **File indicators:** (N/A)
- **Behavioral indicators:** Unrecognized, coordinated swarm activity in low-altitude airspace; multiple simultaneous alerts across disparate critical assets.
## Response Actions
Response actions were tested based on a scenario involving initial warnings, active attack, and post-attack recovery:
- **Containment measures:** Teams were tasked with engaging the threats, though engagement was limited by legal restrictions on advanced detection/mitigation methods.
- **Eradication steps:** Not fully achieved for all targets within the exercise timeframe due to demonstrated gaps.
- **Recovery actions:** Teams engaged in full recovery actions while anticipating follow-on attacks.
## Lessons Learned
The exercise demonstrated that effective C-UAS defense is critically dependent on:
1. **Effective Detection:** Without baseline mapping of normal airspace activity, distinguishing malicious drones from benign ones is extremely difficult.
2. **Resource Constraints:** Current resources are insufficient to handle a coordinated, high-volume attack across multiple infrastructure points.
3. **Legal Clarity:** Confusion exists regarding the precise legal authorities for employing certain advanced detection measures, particularly those that interact with drone communications signals.
## Recommendations
1. **Establish Airspace Baselines:** Prioritize defining and continuously monitoring "normal" low-altitude airspace activity in critical areas to create a reliable baseline for anomaly detection.
2. **Review and Clarify Legal Frameworks:** Update C-UAS authorities to provide clear legal guidelines for employing advanced detection and non-kinetic mitigation technologies during confirmed hostile events.
3. **Enhance Multi-Agency Coordination:** Improve protocols for rapid information sharing and coordinated tactical response across local, state, and federal agencies when faced with simultaneous, dispersed threats.
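The behavioral indicators and the first recommendation both rest on one idea: record what "normal" low-altitude activity looks like per monitored asset, then flag departures from it and correlate alerts that fire across several assets in the same window. The following Python sketch, an added example that is not part of the CCPL report or the exercise tooling, shows that logic on constructed data. The zone names, the per-minute UAS track counts, the z-score threshold and the five-minute correlation window are all assumptions chosen for illustration; a zone with no recorded baseline is surfaced separately, which mirrors the exercise finding that sightings could not be judged where no baseline existed.

```python
"""Airspace baseline and multi-site alert correlation (added example, constructed data)."""
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class Sample:
    t: int          # minute index within the observation period
    zone: str       # monitored asset (assumed names: event, substation, airbase)
    uas_count: int  # small UAS tracks seen in the zone during that minute


def build_baseline(history, min_std=0.5):
    """Per-zone (mean, std) of track counts; std is floored so a flat history still scores."""
    per_zone = defaultdict(list)
    for s in history:
        per_zone[s.zone].append(s.uas_count)
    return {z: (mean(v), max(pstdev(v), min_std)) for z, v in per_zone.items()}


def score(baseline, observations, z_threshold=3.0):
    """Return (t, zone, count, z) alerts; z is None when the zone has no baseline at all."""
    alerts = []
    for s in observations:
        if s.zone not in baseline:
            # No baseline mapping for this zone: cannot say benign or malicious, so escalate as-is.
            alerts.append((s.t, s.zone, s.uas_count, None))
            continue
        mu, sigma = baseline[s.zone]
        z = (s.uas_count - mu) / sigma
        if z > z_threshold:
            alerts.append((s.t, s.zone, s.uas_count, round(z, 2)))
    return alerts


def correlate(alerts, window_min=5, min_zones=2):
    """Group alerts into fixed time windows; report windows where several distinct zones alert."""
    buckets = defaultdict(set)
    for t, zone, _, _ in alerts:
        buckets[(t // window_min) * window_min].add(zone)
    return sorted((start, sorted(zones)) for start, zones in buckets.items()
                  if len(zones) >= min_zones)


# Constructed baseline history: 60 minutes of quiet activity per zone on a prior day.
HISTORY = (
    [Sample(i, "event", i % 3) for i in range(60)]        # 0..2 tracks, mean 1.0
    + [Sample(i, "substation", i % 2) for i in range(60)]  # 0..1 tracks, mean 0.5
    + [Sample(i, "airbase", 1) for i in range(60)]         # constant 1 track
)

# Constructed exercise-day observations: three surges a few minutes apart, one unmapped zone, two quiet minutes.
OBSERVATIONS = [
    Sample(10, "event", 12),
    Sample(12, "substation", 9),
    Sample(14, "airbase", 15),
    Sample(20, "campus_north", 3),   # zone never baselined
    Sample(30, "event", 1),
    Sample(45, "substation", 1),
]

BASELINE = build_baseline(HISTORY)


def run_demo():
    """Score the observations against the baseline and correlate the resulting alerts."""
    alerts = score(BASELINE, OBSERVATIONS)
    return alerts, correlate(alerts)


if __name__ == "__main__":
    alerts, groups = run_demo()
    for a in alerts:
        print("alert:", a)
    for start, zones in groups:
        print(f"correlated surge at t={start}: {zones}")
```

With this data the three surges land in the same five-minute window and are reported as one correlated multi-site event, while the quiet minutes score below threshold and the unmapped zone is flagged without a score. The floor on the standard deviation matters: a zone whose history is perfectly flat would otherwise divide by zero, and the threshold choice governs the trade-off between missing a small swarm and alerting on ordinary hobbyist traffic.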