The US Cybersecurity and Infrastructure Security Agency (CISA) has issued new guidance warning critical infrastructure operators to brace for rising drone threats and urging them to treat low-altitude airspace as an active attack surface.

CISA’s message is clear: UAS threats are no longer hypothetical. The agency describes drone activity as a growing component of the physical-security landscape for critical infrastructure sectors, including military bases, which it says are “subject and frequent, and often unidentified, UAS incursions.” The agency emphasises that its new guidance is intended to help operators “be air aware” by building a continuous posture of situational awareness around facility airspace, rather than treating drones as an occasional or peripheral concern.

CISA’s guidance outlines a structured, vendor-neutral process for selecting and deploying UAS-awareness systems. It stresses that detection tools are legally and operationally distinct from counter-UAS equipment: the document covers only capabilities that can detect, track or identify drones, and excludes any technologies that would disrupt, take control of or otherwise interfere with an aircraft.

CISA makes a point of noting that organisations considering systems capable of monitoring communications between drones and their operators should seek legal advice, underlining the regulatory constraints around intercepting radio-frequency signals.

The guidance sets out three major steps for critical infrastructure organisations. First, operators should establish their detection-technology requirements by analysing the facility’s location, layout, exposure and operating environment, and by assessing the types of UAS threats most relevant to their sector. Second, they should determine which technologies – such as radar, radio-frequency sensing, electro-optical cameras or acoustic systems – best fit the site’s threat profile and physical characteristics. Third, operators are urged to integrate any chosen detection capabilities into existing security plans, treating them as part of a layered and interconnected security architecture rather than a standalone system.

CISA argues that integration is the key to operational value: UAS alerts should flow into established incident-response processes, perimeter-security workflows, access-control systems, and local emergency co-ordination arrangements. The guidance encourages facilities to conduct exercises and drills that include UAS events and to build relationships with local law enforcement and regulators to ensure that any incidents can be escalated appropriately.

A second document on suspicious UAS activity moves the focus from technology selection to investigative behaviour. It highlights the need for operators to distinguish between known, authorised or expected UAS flights – such as law-enforcement operations or utility inspections – and anomalous or suspicious activity.

CISA outlines behavioural indicators that may warrant attention, from repeated overflights at unusual hours to drones hovering near sensitive assets. Where a drone crashes or lands within facility boundaries, the guidance stresses the importance of safe handling procedures and secure storage, recognising that downed devices may contain hazardous materials, improvised modifications or valuable forensic data.

The agency also encourages operators to share information with appropriate federal, state and local agencies, reinforcing the role of cross-sector reporting in building a national picture of UAS threats.

CISA’s wider “Be Air Aware” initiative aims to embed UAS risk into the same planning culture that governs cybersecurity, insider threat and physical-security disciplines. The agency describes the new guidance as the “latest addition” to the campaign, and says operators must consider how drones could be used for reconnaissance, disruption or pre-attack staging.

The timing reflects growing concerns across Western security communities about the proliferation of small UAS platforms and their increasing sophistication. Commercial systems now offer long-range communications and high-resolution sensors that can be exploited by hostile actors.

The move also reflects a legal and regulatory reality: most US critical infrastructure operators cannot deploy kinetic or electronic counter-UAS measures without explicit federal authority. Detection, therefore, becomes the practical baseline for building resilience.

Although the guidance is US-focused, much of it aligns with international thinking on critical infrastructure protection. The same operational challenges, from assessing low-altitude risk to integrating UAS awareness into security governance are shared across allied nations. As drone incidents involving airports, energy sites and manufacturing facilities continue to rise globally, the principles presented in CISA’s documents will look increasingly familiar to regulators and operators beyond US borders.

For now, CISA’s message lands squarely on the need for operators to modernise their threat models. Low-altitude airspace is becoming busy, contested and strategically important, and critical infrastructure owners must adapt quickly.