How Cyber-Resilient Are Unmanned Aircraft Systems? A Systematic Meta-Review

Abstract

Unmanned Aircraft Systems (UASs) offer a promising future for aviation operations, even though it suffers larger cyber-related challenges. As such, cyber-resilience becomes a core property for drones’ operations. This paper presents a systematic meta-review of the scientific literature on Unmanned Aircraft Systems cyber-resilience, starting from 28 literature reviews and surveys in the field. This study examines three areas: the typologies of cyber threats being investigated, the cyber-resilience aspects and functions, and how proposed mitigation strategies align with and support these resilience functions. Overall, 69 cyber threats were identified, where Global Positioning System (GPS) spoofing and jamming were the most frequent ones, underscoring the vulnerability of GPS-based navigation systems in UAS. In terms of cyber-resilience functions, the largest focus remains on the identification, protection, and detection of cyber threats, while limited attention emerges to incident handling and post-event recovery. This is confirmed by the higher frequency of preventive, rather than recovery-oriented, mitigation strategies. Overall, the findings point towards a still limited cyber-resilience implementation for Unmanned Aircraft Systems, witnessing the need for more systemic efforts to guarantee truly resilient UAS operations.

1. Introduction

The increasing digitalization and autonomy of airborne systems are radically reshaping the aviation landscape through the emergence of Unmanned Aircraft Systems (UAS). These systems constitute the technological and operational foundation of Advanced Air Mobility (AAM), intended as the set of innovative transport services carried out with electric air systems aimed at improving the accessibility and mobility of cities, metropolitan areas, and territories, as well as the overall quality of the environment, life, and citizens’ safety. As such, UAS operations promise to deliver innovative mobility solutions for both urban and non-urban environments [1]. The transition from UAS operations to the broader AAM complex system introduces significant technical complexities. For example, the three-dimensional airspace integration poses novel systemic risks due to the high complexity of innovative propulsion and automated flight systems [2]. Nonetheless, this evolution brings growing and complex cybersecurity challenges since these systems become more interconnected, relying on satellite navigation, wireless communication, and AI-driven decision-making. Under this light, UAS exposure to cyber threats intensifies, and developing countermeasures able to prevent, detect, and react to cyberattacks is momentous [3]. In parallel, the concept of cyber-resilience has gained prominence as a broader and more adaptive perspective, inspired by the longer-standing field of resilience management [4]. Cybersecurity is formally defined as the preservation of confidentiality, integrity, and availability of information in cyberspace [5]. It is primarily a proactive and defensive discipline that focuses on ‘hardening’ the system to prevent unauthorized access and minimize vulnerabilities [6].

While cybersecurity traditionally emphasizes protection and prevention, cyber-resilience represents a broader paradigm focusing on a system’s capacity to prepare (or anticipate), absorb (or withstand), recover, and adapt to adverse cyber events. This evolution reflects a transition from static defense models to a dynamic assurance of mission essential functions even under compromise. According to Kott & Linkov [7], resilience is a systemic property that enables the continued delivery of intended outcomes despite the presence of adversarial threats.

This conceptual shift is formalized by the National Institute of Standards and Technology (NIST) [8], which defines cyber resilience as the ability of a system to maintain its operations through four fundamental cyber resiliency goals:

• Anticipate: maintaining a state of informed preparedness to forestall or prepare for the compromise of mission functions.
• Withstand: continuing to support essential mission functions despite successful attacks or compromises.
• Recover: restoring mission functions to the maximum extent possible subsequent to a successful attack.
• Adapt: modifying mission functions and supporting capabilities to predict, prevent, withstand, and recover more effectively from future attacks.

In the context of Unmanned Aircraft Systems, the Recover goal is particularly critical. It encompasses more than simple data restoration; it requires a strategic orchestration of resiliency engineering techniques such as Redundancy (using multiple resources to avoid single points of failure) and Diversity (employing different technologies to reduce common-mode failures. Efficient recovery in the aeronautical domain is driven by factors such as the speed and scale of restoration, often achieved through automation and architectures based on non-persistence, which enable the system to remove attack footprints by periodically resetting to a known secure state. Integrating these adaptive feedback loops is essential for ensuring that young and rapidly expanding technologies like UAS can evolve into resilient operational ecosystems. To this end, the NIST Cybersecurity Framework (CSF) 2.0 offers a structured reference model, organizing a taxonomy of high-level resilience-related outcomes [9].

The literature on UAS cybersecurity has seen an exponential growth in primary studies, but this proliferation has led to a fragmented research landscape. Existing reviews often focus on narrow technical domains, such as specific communication protocols or sensor-level vulnerabilities, without providing a larger resilience-oriented perspective. To address this gap, this work proposes a systematic meta-review, aiming to evaluate how cyber-resilience is investigated in the current body of scientific literature and how it maps onto the NIST CSF taxonomy, synthesizing this diverse body of secondary evidence and shifting the focus from individual technical threats to a systemic evaluation of cyber-resilience.

This manuscript is guided by the following research question:

This is further operationalized through three specific objectives:

• To categorize the landscape of reported cyber-attacks into a unified macro-taxonomy;
• To measure the alignment of existing literature with the technical functions of the NIST CSF 2.0, identifying blind spots in the cyber-resilience of the domain;
• To evaluate whether proposed mitigation strategies provide a balanced coverage between preventive and restorative resilience capabilities.

In this regard, this study contributes to the field by synthesizing the current threat landscape into a unified taxonomy and evaluating the alignment of existing literature with technical resilience functions. The findings highlight critical research gaps in incident response and recovery, while the citation analysis confirms a fragmented research environment.

The remainder of this paper is organized as follows. Section 2 outlines the systematic methodology adopted for the meta-review, including the search strategy and the mapping criteria against the NIST CSF 2.0 framework. Section 3 presents the results of the bibliometric analysis, the unified threat taxonomy, and the evaluation of mitigation strategies. Section 4 provides a detailed discussion of the findings, highlighting current research gaps and the alignment of literature with resilience functions. Finally, Section 5 concludes the manuscript and suggests future research directions.

2. Methodology

The methodological approach adopted in this study is structured into five dimensions, each addressed in a dedicated subsection. Section 2.1 outlines the meta-review process. Section 2.2 presents the bibliometric analysis of the selected literature. Section 2.3 categorizes the cyber threats discussed across the reviewed papers. Section 2.4 introduces the mapping of the literature against the Functions and categories of the NIST CSF. Finally, Section 2.5 evaluates the alignment of mitigation strategies proposed in the literature with the NIST resilience Functions.

2.1. Systematic Literature Review

This meta-review adopts a systematic approach guided by the PRISMA framework, widely recognized as a methodology for ensuring transparency and replicability in literature reviews [10]. The PRISMA checklist is included in the Supplementary Materials. The literature search strategy is sketched in Figure 1.

The first phase of the review involves the identification of relevant sources and the formulation of a comprehensive search strategy. Scopus has been identified as the reference database for the literature search for two main reasons: (i) with over 7000 publishers and more than 102.6 million records [11], it represents the largest database of peer-reviewed literature, ensuring extensive coverage of engineering, computer science, and aviation; (ii) it allows for a well-structured metadata export through its APIs or manageable export files (e.g., .ris, .csv), which was essential for the systematic citation analysis performed. A dedicated query was developed to capture all relevant literature related to cybersecurity threats and cyber-resilience in the domains of UAS. The Scopus search string (TITLE-ABS-KEY) combined an aviation/UAS block (e.g., aviation, airport, vertiport, drone, UAV*, UAS, RPAS, eVTOL/VTOL) with a cyber block (e.g., cyber*, malware, phishing, jamming, spoofing, eavesdropping). The use of the “cyber*” wildcard and specific attack taxonomies was intentionally preferred over functional keywords (like “recovery” or “fault handling”) to ensure the retrieval of the broadest possible set of literature. Such an inclusive approach allowed us to manually identify and categorize resilience-related mechanisms during the eligibility phase, ensuring that papers discussing recovery strategies under different nomenclatures were not excluded. The complete query is reported verbatim in

Table A1. Search strategy.

Database	Scopus
Search date	19 May 2025
Time window	1985–now
Language	English
Full Scopus query (verbatim)	(TITLE-ABS-KEY(“aviation*” OR “advanced air mobility” OR “air mobility” OR “AAM” OR “ATC” OR “air traffic control” OR “air operation*” OR “flight operation*” OR “airport*” OR “vertiport*” OR “drone*” OR “UAV*” OR “UAS” OR “unmanned aircraft*” OR “unmanned aerial*” OR “RPAS” OR “remotely piloted aircraft*” OR “VTOL” OR “eVTOL” OR “vertical take-off and landing*”)) AND (TITLE-ABS-KEY(“cyber*” OR “penetration test*” OR “data breach*” OR “malware” OR “phishing” OR “ransom*” OR “DDOS” OR “DOS” OR “denial of service” OR “crack*” OR “hack*” OR “leak*” OR “evil twin” OR “defac*” OR “jamming” OR “spoofing” OR “Man-in-the-Middle” OR “MITM” OR “SQL injection” OR “injection attack” OR “eavesdropping”))

. A temporal filter was applied to include publications from 1985 onwards, ensuring a comprehensive historical coverage of the topic. Additionally, a language filter was applied to include only publications written in English.

The initial query returned 736 publications. To ensure higher content quality and methodological rigor, only documents from journals, trade journals, or books were considered. As a result, 31 conference proceedings that did not meet the required source type were excluded. The remaining 705 documents were manually screened based on title and abstract. Among these, 456 papers were excluded as out of scope, grouped into the following five categories:

• (n = 211) focused on cybersecurity protocols, communications, blockchain, and network resilience in aviation or UAS, without discussing cyber-resilience;
• (n = 64) related to monitoring, inspection, or assessment tasks in Unmanned Aircraft Systems’ operations, in domains such as agriculture, infrastructure, and wildlife. These papers were excluded due to little to no focus on cyber resilience aspects, making them irrelevant to the aim of this manuscript;
• (n = 143) concerning UAS positioning, communications, flight mechanics, or sensor integration, with no link to cybersecurity or cyber-resilience;
• (n = 20) technical articles exploring AI, machine learning, neural networks, or blockchain applied to UAS, but lacking focus on cyber-resilience;
• (n = 18) other irrelevant topics unrelated to UAS or cybersecurity.
• As a result, the eligibility phase focused on 249 relevant papers, which were categorized into three groups:
• (n = 152) articles about cyber-attacks in the UAS domain addressing examples, methods, or scenarios, often providing introductory context on cyber-threats;
• (n = 67) papers which include taxonomies, mitigation strategies, safety frameworks, and resilience concepts;
• (n = 30) literature reviews and surveys focusing specifically on the state of the art in cybersecurity and cyber-resilience within drone contexts.

At this point, the analysis was narrowed to the 30 screened literature reviews and survey papers, in line with the meta-review objective of this study. The inclusion of surveys in addition to reviews is motivated by the fact that, in the UAS cybersecurity domain, surveys often function as secondary evidence syntheses, providing systematic cataloguing and taxonomic organization of attack vectors, datasets, and mitigation approaches that are central to threat and mitigation mapping. Conversely, restricting the corpus to reviews only would have excluded a substantial portion of synthesis-oriented contributions that structure the field through taxonomies and comparative classifications, thereby reducing the completeness of the meta-review. During the full-text analysis of these 30 candidates, two articles were excluded because their content, while categorized as a review, provided insufficient technical depth regarding UAS-specific cyber-resilience or was found to be out of scope upon closer inspection.

Then, the eligibility step returned 28 literature reviews and surveys to be included and analyzed in the meta-review, as listed in

Table A2. List of included literature reviews and surveys.

ID	Reference	Type
1	Alquwayzani & Albuali (2024) [19]	Review
2	Adel & Jan (2024) [20]	Review
3	Ajakwe & Kim (2024) [21]	Review
4	Marchetti et al. (2024) [22]	Review
5	Al-lQubaydhi et al. (2024) [23]	Review
6	Alabidy et al. (2024) [24]	Survey
7	Abdulrahman Debas et al. (2024) [25]	Survey
8	Warnakulasooriya & Segev (2024) [26]	Review
9	Rajiv Gandhi et al. (2024) [14]	Review
10	Sarumathi & Latha (2023) [27]	Survey
11	Shueb & Che (2023) [28]	Review
12	AL-Dosari & Fetais (2023) [29]	Review
13	Hadi et al. (2023) [30]	Survey
14	Minhas (2023) [31]	Review
15	Alexandre et al. (2023) [32]	Review
16	Bhattacharya et al. (2023) [33]	Review
17	Kiesewetter et al. (2023) [34]	Review
18	Shafik et al. (2023) [35]	Review
19	Sharma & Mehra (2023) [36]	Survey
20	Khan et al. (2021) [37]	Survey
21	Abro et al. (2022) [38]	Review
22	Rugo et al. (2022) [39]	Review
23	Altaweel et al. (2023) [15]	Review
24	Jameii et al. (2022) [40]	Review
25	Ly & Ly (2021) [41]	Review
26	Chamola et al. (2021) [42]	Review
27	Lykou et al. (2020) [43]	Survey
28	Šimon & Götthans (2022) [44]	Survey

in Appendix A.

2.2. Bibliometric Analysis

A bibliometric profiling of each review was conducted. Specifically, for each of the 28 papers, the following attributes were extracted and recorded: whether a systematic review methodology was explicitly adopted and reported; the time span of the primary studies considered in the review; the number of studies initially retrieved and those ultimately included after screening; the operational domain addressed (civil, military, or both); and whether the article presented real or simulated attack scenarios.

Then, to evaluate the degree of overlap among the 28 included literature reviews and surveys, the Corrected Covered Area (CCA) metric was calculated, following the guidelines by Hennessy and Johnson [12]. This metric was operationalized by building a citation matrix where the rows represent the total pool of unique primary studies (r = 2378), and the columns represent the 28 included reviews (c = 28). With a total of N = 2533 citations identified across the corpus, the CCA was derived as a diagnostic measure of the independence of the evidence base. In practice, this metric identifies whether the meta-review draws from a concentrated or diverse pool of literature, where a low CCA indicates high complementarity and a lack of consolidation in the field.

2.3. Cyber Threats Categorization

An analysis of the 28 included literature reviews and surveys revealed a broad spectrum of cyber-attacks discussed across the sources. A cyber threat refers to any event or condition that could compromise the systems by exploiting vulnerabilities, leading to unauthorized access, disruption, or damage [13]. To identify thematic concentrations in the literature, the authors conducted a three-step inductive thematic analysis to identify and categorize these threats:

• Raw extraction: each full text was systematically scrutinized to catalogue every mentioned cyber-attack, vulnerability, or exploit.
• Semantic normalization: to ensure consistency and avoid redundancy, the tagging was consolidated under standardized labels. Terms describing the same operational impact but using different nomenclature were merged. For example, different malware and trojans, or synonyms of the same type of attack names, were consolidated into a single entry. This step resulted in the identification of 69 distinct cyber-attacks.
• Inductive categorization: these 69 threats were organized into nine macro-categories. This process was conducted ad hoc and grounded directly in the characteristics of the threats, grouping them based on the specific attack vector exploited or the targeted service or functionality.

For each unique threat, the frequency of its occurrence (i.e., the number of reviews in which it was discussed) was recorded to assess its prominence in the academic landscape. The full list of identified cyber-attacks and their mapping to macro-categories is provided in

Table A3. Full list of identified cyber threats and their mapping to macro-categories.

Cyber Attack	Citation Frequency	Macro Category
GPS Spoofing	27	Communication attacks
GPS Jamming/RF Jamming/Sensor Jamming	25	Hybrid or Multi-vector attacks
Malware/Trojan/Ransomware/Reverse shell payloads/Spyware/Intrusions	20	Communication attacks
Drone hijacking/Unauthorized control/Unauthorized navigation/Unauthorized surveillance	19	Authentication and Access control attacks
Denial of Service (DoS/DDoS)	17	Hybrid or Multi-vector attacks
Eavesdropping/Interception	17	Network-based attacks
Replay attacks	17	Authentication and Access control attacks
Unauthorized access	13	Hybrid or Multi-vector attacks
Firmware hacking/Firmware injection/Firmware hijacking/Firmware manipulation	12	Data security and Privacy attacks
Code injection attacks/SQL injection/Data injection/Message injection/Sensor data injection	11	Software and Firmware vulnerabilities
Data breach/Signal breach/Data theft/Media access	11	Communication attacks
Man-in-the-Middle (MITM)	11	Hybrid or Multi-vector attacks
WiFi exploits/WiFi penetration/Wireless channel disruption/Wireless network interception/WiFi or Bluetooth cracking/Network hijack	11	Communication attacks
De-authentication attacks	10	Communication attacks
Over-the-Air Hijack/Unencrypted control channel	9	Miscellanea
Authentication bypass/Authentication hijacking/Credential theft	7	Authentication and Access control attacks
Onboard sensor attack/Sensor blinding/Sensor disruption/Sensor failure/Sensor interference/Sensor tampering	7	Physical attacks
Telnet exploitation	7	Hybrid or Multi-vector attacks
Physical tampering/Component hacks	6	Data security and Privacy attacks
Traffic injection/Signal manipulation	6	Authentication and Access control attacks
Supply chain attacks	5	Malware and Exploits
Meaconing	5	Data security and Privacy attacks
Open ports exploitation	5	Data security and Privacy attacks
AI-based/Adversarial ML attacks	4	Physical attacks
Brute Force attacks/Password attacks	4	Network-based attacks
Buffer overflow attacks	4	Data security and Privacy attacks
Zero-Day attacks	4	Miscellanea
Black hole/Grey hole attacks	3	Software and Firmware vulnerabilities
Impersonation/Sybil attacks	3	Communication attacks
Maldrone exploitation	3	Communication attacks
Protocol exploitation/Protocol misuse/Protocol spoofing	3	Malware and Exploits
Wormhole/Flooding/Forwarding attacks	3	Software and Firmware vulnerabilities
Cache poisoning	2	Authentication and Access control attacks
Communication poisoning (e.g., ARP, DHCP)	2	Miscellanea
Insider threats	2	Hybrid or Multi-vector attacks
Message deletion attack	2	Malware and Exploits
Port scanning	2	Malware and Exploits
Privilege escalation/Elevation of privilege	2	Malware and Exploits
Sinkhole attack	2	Network-based attacks
Video hijacking	2	Communication attacks
ADS-B spoofing	1	Communication attacks
Airport ATC spoofing or jamming	1	Hybrid or Multi-vector attacks
Blockchain integrity attacks	1	Communication attacks
Botnet	1	Hybrid or Multi-vector attacks
Command forging	1	Malware and Exploits
Compromised URL	1	Communication attacks
Crack code attack	1	Physical attacks
Crash/Forced Landing attacks	1	Authentication and Access control attacks
Cross-Layer attacks	1	Network-based attacks
Distortion	1	Authentication and Access control attacks
Drone-borne payload threats (CRBNE)	1	Hybrid or Multi-vector attacks
Drone-in-the-Middle (DiTM)	1	Communication attacks
Evil Twin Attack	1	Network-based attacks
Hardware DoS (Battery DoS, NIC overflow, CPU congestion)	1	Network-based attacks
Backdoors	1	Malware and Exploits
Jam-Then-Spoof attack	1	Physical attacks
Keyloggers/Keystroke logging	1	Communication attacks
Multiprotocol attacks	1	Network-based attacks
RF spoofing	1	Communication attacks
Piggybacking	1	Malware and Exploits
Routing control attack	1	Malware and Exploits
Rushing attack	1	Malware and Exploits
SYN flood attack	1	Authentication and Access control attacks
Side-Channel attacks	1	Miscellanea
Signal-to-Noise ratio manipulation	1	Data security and Privacy attacks
Software-Defined Radio (SDR)-based spoofing	1	Miscellanea
Subroutine exploit	1	Network-based attacks
Visual Intrusion/Remote filming	1	Network-based attacks
War flying	1	Software and Firmware vulnerabilities

.

2.4. NIST CSF Thematic Analysis

For each of the 28 included literature reviews and surveys, the authors assessed the extent to which the studies addressed the Functions and specific categories defined in the NIST CSF 2.0. This taxonomy was adopted as it provides a structured framework for assessing cybersecurity outcomes across the full incident lifecycle, i.e., from risk identification to post-incident recovery. The analysis focused exclusively on the five technical Functions i.e., Identify (ID), Protect (PR), Detect (DE), Respond (RS), and Recover (RC), and their respective 16 categories, listed in

Table A4. CSF 2.0 Core Function and category names and identifiers, from [9].

Function	Category	Category Identifier
Govern (GV)	Organizational Context	GV.OC
Govern (GV)	Risk Management Strategy	GV.RM
Govern (GV)	Roles, Responsibilities, and Authorities	GV.RR
Govern (GV)	Policy	GV.PO
Govern (GV)	Oversight	GV.OV
Govern (GV)	Cybersecurity Supply Chain Risk Management	GV.SC
Identify (ID)	Asset Management	ID.AM
Identify (ID)	Risk Assessment	ID.RA
Identify (ID)	Improvement	ID.IM
Protect (PR)	Identity Management, Authentication, and Access Control	PR.AA
Protect (PR)	Awareness and Training	PR.AT
Protect (PR)	Data Security	PR.DS
Protect (PR)	Platform Security	PR.PS
Protect (PR)	Technology Infrastructure Resilience	PR.IR
Detect (DE)	Continuous Monitoring	DE.CM
Detect (DE)	Adverse Event Analysis	DE.AE
Respond (RS)	Incident Management	RS.MA
Respond (RS)	Incident Analysis	RS.AN
Respond (RS)	Incident Response Reporting and Communication	RS.CO
Respond (RS)	Incident Mitigation	RS.MI
Recover (RC)	Incident Recovery Plan Execution	RC.RP
Recover (RC)	Incident Recovery Communication	RC.CO

. Moreover, due to its high-level nature, the NIST CSF 2.0 allows for the integration of a wide array of specifics of cyber resilience and cyber recovery functions for UAS, such as backup solutions, disaster recovery orchestration, endpoint detection and response, and threat intelligence platforms. The Govern (GV) Function was excluded from consideration, as it primarily addresses organizational and policy-level activities that fall outside the scope of typical scientific publications. Given that the NIST CSF is designed for assessing cybersecurity systems and organizational practices rather than for classifying scientific literature, the interpretation of Functions, categories, and Subcategories was adapted to fit the context of academic review papers. This approach required a degree of flexibility in mapping research content to the CSF’s intended outcomes, recognizing that scientific literature may indirectly address some cybersecurity outcomes through broader conceptual or technical discussions. The investigation has been conducted via a thematic analysis, through deductive semantic reasoning. Given the challenges described, rather than treating the NIST as a reference codebook, a more reflexive approach has been undertaken. As an example of how reflexive mapping was performed, in [14], the authors’ “system aspects” framing was interpreted as ID.RA (Risk Assessment) because it links vulnerabilities (e.g., “weak GPS authentication”) to impacts (e.g., “drone navigates based on spoofed signals), potentially leading to crashes, unintended landings, or hijacking. The same paper also provides a direct rationale for PR.AA (Identity Management, Authentication, and Access Control) by stating that the “lack of authentication mechanisms allows attackers to transmit fake GPS signals”, proposing mitigation strategies that involve implementing a secure authentication mechanism. Another example is given by [15], which redesigns a taxonomy of GPS spoofing defenses and explicitly defines one objective class as “mitigation mechanisms”, which help the UAS to recover from the effects of the attack. This recovery-oriented framing has been reflexively mapped to RC.RP (Incident Recovery Plan Execution), because it emphasizes post-incident recovery actions to restore operational capability, noting that the paper does not prescribe organizational recovery plans, but classifies technical mechanisms by recovery intent.

2.5. Mitigations

To further assess how the NIST CSF Functions are addressed in the literature, the mitigation approaches and robustness aspects discussed across the 28 literature reviews and surveys have been systematically catalogued. This process resulted in the identification of 14 distinct mitigation items, representing key strategies and technologies aimed at enhancing cybersecurity and cyber-resilience. For each item, the frequency of citation across the reviewed literature was recorded, providing insights into the prevalence and emphasis of different mitigation strategies within the scientific scene. Subsequently, each mitigation item was mapped to the corresponding NIST CSF Functions it supports, thereby establishing a linkage between the identified approaches and the cybersecurity outcomes outlined in the CSF 2.0. The identification and grouping of mitigation strategies were conducted through inductive thematic analysis.

3. Results

The bibliometric analysis of the 28 selected papers reveals the following distribution across operational domains: 1 (3.6%) paper focuses exclusively on the military domain, 10 (35.7%) papers address the civil domain, and 17 (60.7%) papers cover both civil and military contexts. Regarding the type of review conducted, 20 (71.4%) papers are classified as literature reviews, while 8 (28.6%) are surveys. In this manuscript, literature reviews have been interpreted as a synthesis of the existing body of research, highlighting trends, gaps, and conceptual developments. In contrast, surveys generally catalog, compare, and organize methods, tools, and datasets, employing taxonomies or classification schemes. Furthermore, 19 out of 28 (67.9%) papers include descriptions of real or simulated attack scenarios. Given the meta-analytical nature of this study, the primary evidence base synthesized by the reviewed papers is diverse, and the level of technical detail varies across the secondary sources. Nevertheless, these 19 publications typically present historical incident analysis derived from official reports, or experimental validation through field tests, or simulations performed in virtual environments. The remaining 32.1% of the reviews focus on conceptual taxonomies or theoretical frameworks without detailing specific experimental scenarios.

As outlined in the methodology, a citation matrix was constructed to map the primary studies referenced across the 28 selected literature reviews and surveys. The CCA was calculated to quantify the degree of overlap among the included reviews, resulting in a CCA value of 0.241%, indicating an extremely low level of overlap.

Figure 2 presents the temporal coverage density of the primary studies considered across the 28 included reviews and surveys. The identified covered time span goes from 1995 to 2024. For each year in the time window, the graph illustrates how many of the selected reviews included that specific year within their original search scope, revealing a significant concentration of research interest in the last decade.

A total of 69 distinct cyber threats were identified within the included papers. To facilitate a higher-level understanding of the threat landscape, these threats were grouped into nine macro-categories based on their attack vector or the targeted service or functionality. These categories were developed ad hoc by the authors through the inductive process, grounded in the characteristics and terminology of the threats as described across the reviewed papers. Table 1 reports the identified macro-categories with the number of unique cyber threats within each macro-category and the total frequency of their citations across the 28 included papers. Specifically, the identified macro categories are as follows:

• Hybrid or Multi-vector attacks: complex attack strategies integrating multiple technical vectors or sequential phases (e.g., cross-layer and multi-stage attacks) to bypass layered security protocols and disrupt mission integrity;
• Communication attacks: vectors targeting the availability, integrity, or confidentiality of command and control (C2) links and navigation signals, with a specific focus on GNSS interference (jamming/spoofing) and wireless signal manipulation;
• Authentication and Access control attacks: exploits aimed at bypassing identity verification protocols and authorization mechanisms to gain unauthorized control over the UAS or the Ground Control Station;
• Malware and Exploits; dissemination of malicious software or targeted code (e.g., trojans, ransomware, logic bombs) designed to infect onboard systems, enabling data exfiltration or remote disruption of flight functions;
• Data security and Privacy attacks: unauthorized interception, access, or manipulation of sensitive data, including telemetry, mission payload information, and metadata, compromising operational confidentiality;
• Network-based attacks: exploitation of network protocol vulnerabilities (e.g., MitM attacks, replay attacks, DoS/DDoS saturation) to intercept traffic or saturate communication channels;
• Software and Firmware vulnerabilities: attacks leveraging defects in software design, unpatched firmware, or improper input handling (e.g., buffer overflows) within the operating system or flight control applications;
• Miscellanea: a heterogeneous set of threats encompassing non-traditional vectors such as social engineering, supply chain compromises, and physical-digital side-channel attacks;
• Physical attacks: direct kinetic or hardware interferences, ranging from sensor disruption to unauthorized physical tampering or modification of aircraft components.

Table 1. Macro-categories of cyber threats.

Macro Category	Cyber-Threats	Frequency
Hybrid or Multi-vector attacks	9	78
Communication attacks	13	73
Authentication and Access control attacks	8	54
Malware and Exploits	11	39
Data security and Privacy attacks	6	33
Network-based attacks	9	29
Software and Firmware vulnerabilities	4	18
Miscellanea	5	17
Physical attacks	4	13

Table 1. Macro-categories of cyber threats.

Macro Category	Cyber-Threats	Frequency
Hybrid or Multi-vector attacks	9	78
Communication attacks	13	73
Authentication and Access control attacks	8	54
Malware and Exploits	11	39
Data security and Privacy attacks	6	33
Network-based attacks	9	29
Software and Firmware vulnerabilities	4	18
Miscellanea	5	17
Physical attacks	4	13

Figure 3 illustrates the percentage of papers (out of the 28 included in the meta-review) that address each category of the NIST CSF 2.0 across the five technical Functions. The results reveal that the most frequently addressed categories are Continuous Monitoring (DE.CM) at 92.9%, Risk Assessment (ID.RA) at 89.3%, and Data Security (PR.DS) at 75.0%. Moderate coverage is observed in categories such as Management, Authentication, and Access Control (PR.AA) at 46.4%, and Incident Analysis (RS.AN) at 50.0%. Several categories, including Awareness and Training (PR.AT), Improvement (ID.IM), and Incident Response Reporting and Communication (RS.CO), show no coverage across the reviewed papers. Recovery-related categories, such as Incident Recovery Plan Execution (RC.RP) and Incident Recovery Communication (RC.CO), are addressed in 10.7% and 0.0% of the papers, respectively.

Table 2. Coverage of NIST CSF Functions by number of categories addressed.

Functions	Categories Addressed (%)
	≥1	≥2	≥3	≥4	≥5
ID	96.43	35.71	0.00	NA	NA
PR	82.41	57.14	21.43	10.71	0.00
DE	92.86	17.86	NA	NA	NA
RS	53.57	32.14	3.57	0.00	NA
RC	10.71	0.00	NA	NA	NA

displays the proportion of papers addressing each category within the NIST CSF Functions.

Within the ID Function, 96.4% of papers address at least one category, while none of the included papers covered all three ID categories. The PR Function exhibits varied coverage, with at least one category addressed by 82.1% of papers. The DE Function shows high engagement for at least one category at 92.9%, dropping to 17.9% for both of them. The RS Function has moderate overall coverage, with one category addressed by 53.6% of papers, and subsequent categories less frequently. The RC Function is the least represented, with only 10.7% coverage for one category and none for both.

Following the systematic cataloguing described in the methodology, 14 distinct mitigation approaches were identified.

Table 3. Frequency of mitigation approaches.

Mitigation Approach	Frequency
AI and data-driven techniques	26
Intrusion Detection Systems (IDSs)/Threat detection	23
Network and infrastructure security	22
Cryptography	20
Secure communication (WiFi, IoT-based, Framework, Firmware)	19
Access and identity management	12
Drone forensics	10
Privacy and data management	6
Threat modeling	5
Physical and kinetic countermeasures	5
Security governance and risk management	4
Game theory-based models	2
Fail-Safe system design	2
Testing and Validation	1

reports the relative frequency of citation for each mitigation item within the reviewed literature. To clarify the technical scope of the identified categories, each primary study was analyzed to map specific mitigation implementations into broader approaches. For instance, AI and Data-Driven Techniques encompass various Deep Learning architectures, such as Neural Networks tailored for jamming detection or the identification of temporal patterns in spoofing attacks. The Intrusion Detection Systems (IDSs) category aggregates hybrid schemes that integrate physical-layer anomaly detection; examples include multi-sensor consistency checks between GNSS data and inertial or visual navigation systems to detect signal manipulations. Regarding Cryptography, the literature focuses on the study of specific technical methodologies, such as leader-follower encryption and blockchain-based integrity checks. In contrast, Access and Identity Management serves as a broader category for approaches that target system confidentiality and controlled access, notably through the implementation of robust authentication protocols. Furthermore, Secure Communication highlights the adoption of hardened IoT-oriented protocols (e.g., MQTT), while Fail Safe measures emphasize operational resilience through mechanisms such as redundant control systems, autonomous return-to-home triggers, and emergency landing protocols for GPS-denied environments. Privacy and Data Management addresses the protection of sensitive telemetry through techniques exemplified by data masking and secure cloud-based storage. Moreover, strategic analysis is represented by Threat Modeling frameworks (e.g., STRIDE) and Game Theory Models (e.g., Stackelberg games), while Drone Forensics targets post-incident data recovery and forensic log analysis to reconstruct attack sequences. Network and Infrastructure Security encompasses the deployment of secure architectures, such as 5G/6G integration and edge computing, alongside terrestrial sensing systems like ground-based radars and acoustic detectors for airspace monitoring. Physical and Kinetic Countermeasures involve hardware-level protection, such as RF shielding and anti-tampering measures, as well as active defense mechanisms, including kinetic interception or targeted signal jamming to neutralize rogue platforms. The Security Governance and Risk Management mitigation approach aggregates research on standardized risk assessment methodologies and compliance with international regulatory frameworks. Lastly, Testing and Validation focuses on the systematic evaluation of security resilience through penetration testing, fuzzing, and simulation-based validation of UAS security properties.

Among the most frequently cited approaches are AI and data-driven techniques (26, i.e., 92.9%), Intrusion Detection Systems (IDS) and threat detection (23), Network and infrastructure security (22, i.e., 78.6%), and Cryptography (20, i.e., 71.4%). Less frequently addressed approaches include Fail-Safe system design (2, i.e., 7.1%), Game theory-based models (2, i.e., 7.1%), and Testing and Validation (1, i.e., 3.6%).

Each mitigation item was further mapped to the specific NIST CSF Functions it supports, providing insight into how these strategies contribute to different aspects of cyber resilience. Figure 4 illustrates this mapping by showing both the raw and citation-weighted coverage of mitigation approaches across the five NIST Functions. Raw coverage captures breadth, i.e., the share of distinct mitigation items associated with each Function. Citation-weighted coverage captures emphasis, as the same mapping is weighted by how frequently each mitigation item is cited across the reviewed literature, so mitigations appearing more often contribute more strongly than rarely cited ones. Raw data indicate that most mitigation strategies support the PR Function (78.6%), followed by ID at 64.3% and DE at 42.9%. The RS Function is moderately covered (21.4%), while the RC Function is not addressed by any of the mitigation approaches cited in literature. Citation-weighted results reveal a similar pattern, reinforcing the predominance of PR and DE-related strategies, while suggesting a lower representation of mitigation efforts targeting ID Functions.

Overall, the evaluation of the literature also considered the maturity of the proposed solutions against the NIST CSF Tiers. Most reviewed papers propose technical measures that align with Tier 2 (Risk-Informed) or Tier 3 (Repeatable) behaviors. However, the Tier 4 (Adaptive) level, defined by the ability of a system to proactively adapt its practices based on previous activities and predictive indicators, is virtually absent in the current corpus. This means that UAS cyber-resilience is being addressed at a functional level (e.g., Detect or Protect), but the capability for autonomous, self-evolving adaptation is not yet a mature topic in the current body of literature reviews.

The main results of the analytical mapping and the full dataset supporting the findings presented in this section are available for consultation in the dedicated project repository [16].

4. Discussion

The analysis of the meta-review reflects a growing interest in the literature regarding cybersecurity and cyber-resilience, as evidenced by the increasing number of literature reviews published over the past decade (cf. Figure 2) covering both civil and military domains, with a predominance of literature addressing dual-use scenarios. The CCA value of 0.241% falls well within the 0–5% range, which represents a ‘slight’ overlap according to the benchmarks established in [12], indicating that there is virtually no redundancy among the 28 reviews analyzed. However, it also underscores the fragmented nature of the field, with limited consolidation of findings on core threats and countermeasures. Such a fragmented landscape justifies the role of this meta-review in bridging disconnected research efforts to provide a first holistic overview of UAS cyber-resilience.

The identification of 69 distinct cyber threats demonstrates the complex and multi-vector nature of cyber threats in UAS environments, always evolving. The analysis reveals that the literature’s interest lies mainly in Communication attacks, Hybrid attacks, and Authentication and Access control attacks. In particular, the major scientific focus is on GPS spoofing and jamming, appearing in 96.4% of reviewed papers, as the dependence of drone operations on GNSS is widely recognized as a critical vulnerability both for drone operations and in the broader aviation sector. An example which further reinforces this research priority is given by [17], which emphasizes that securing communication channels and control architectures remains the foremost challenge for ensuring the operational integrity of UAS. The synthesis of these threats into a unified taxonomy reveals that GNSS vulnerabilities are well-documented, but the cascading operational impacts of such attacks remain under-investigated. Furthermore, malware-related threats are addressed in 71.4%, although there appears to be limited differentiation or technical depth concerning specific malware types or propagation mechanisms. Moreover, the vulnerabilities linked to privacy and authentication, such as unauthorized control (67.9%), eavesdropping and data interception (60.7%), are also widely addressed in the literature review. These threats are viewed not only as technical challenges in the UAS domain but also as critical concerns with social and regulatory implications. Conversely, less attention is given to software integrity violations, appearing in only 39.3% of the papers, suggesting a lower prioritization in current research efforts. Additionally, the limited number of Physical attacks identified is likely attributable to the specificity of the initial search query, rather than a reflection of scientific irrelevance.

To clarify the interpretation of the threat prioritization, the use of citation frequency as a metric is directly aligned with the main research question: evaluating the coverage of cyber-resilience within the current body of scientific literature. Consequently, the high frequency of certain threats, such as GNSS-related attacks, reflects a high level of academic concern and research intensity rather than a statistical measure of real-world occurrence or operational likelihood. Despite this, the meta-review identifies significant thematic clusters in the research; the authors acknowledge that scientific interest may not always mirror the immediate priorities of civil aviation authorities or industry incident reports.

The mapping of literature content to the NIST CSF 2.0 technical Functions reveals an unbalanced coverage across the five Functions of the taxonomy (cf. Figure 3). The ID, PR, and DE Functions are relatively well represented, particularly through categories like Continuous Monitoring (DE.CM), Risk Assessment (ID.RA), and Data Security (PR.DS), reflecting a strong research effort on assessing cybersecurity risks, implementing protective safeguards, and detecting potential threats and compromises. In contrast, the RS and RC Functions receive overall less attention. This minor coverage of the Functions related to the incident is not unexpected and may be partially attributed to the emerging nature of UAS operations since those systems are relatively new and limited to certain specific domains, while air taxi operations remain largely in the conceptual or early prototyping stages. However, the minor coverage of Respond and Recover Function, specifically the Incident Mitigation (RS.MI), and Incident Recovery Plan Execution (RC.RP), highlights a significant blind spot in the current research landscape about incident response planning and post-attack resilience. It is also important to note that certain categories, such as Improvement (ID.IM), Awareness and Training (PR.AT), Incident Response Reporting and Communication (RS.CO), and Incident Recovery Communication (RC.CO), were not matched in any of the reviewed papers. This absence is due to the structural difference between the NIST CSF and academic literature: the former is designed to evaluate organizational cybersecurity practices, whereas academic papers tend to focus on technical innovations or theoretical frameworks. As such, while methodological adaptation was implemented to enable this mapping, some categories inherently lack analogs in the scientific domain.

The analysis of mitigation strategies shows that most papers propose technical solutions aligned with the Protect (78.6%), Identify (64.3%), and Detect (42.9%) Functions (cf. Figure 4). Specifically, techniques strictly tied to PR and DE Functions, such as AI-driven threat detection, intrusion detection systems (IDSs), and cryptography mechanisms, are the most frequently cited. This aligns with more recent studies; for example, Alsadie [18] highlights how the integration of artificial intelligence is becoming fundamental for developing proactive detection capabilities and real-time automated response systems, effectively addressing the limitations of traditional static defense models. Additionally, since most mitigation approaches and techniques are linked to multiple NIST Functions, and given that the ID Function pertains to understanding and assessing current cybersecurity risks, it consequently exhibits the second-highest level of raw coverage among all Functions. Mitigation strategies related to response coordination and recovery planning are notably scarce across the reviewed literature. Among the limited approaches associated with the Respond Function are several AI-based techniques, which may contribute to incident response capabilities in specific contexts, as well as drone forensics and physical and kinetic countermeasures. However, no mitigation strategy identified is explicitly linked to the Recover Function. Even a fail-safe system design, while conceptually related to resilience, does not imply the execution of restorative actions following a cybersecurity incident, and therefore was not mapped to the Recover Function.

It is important to emphasize that Figure 3 and Figure 4 present complementary but distinct perspectives on NIST Function coverage. The former illustrates the overall extent to which the five NIST Functions are addressed across the 28 reviewed papers, encompassing both conceptual discussions and technical contributions. Conversely, the latter focuses specifically on the subset of content related to mitigation strategies, showing how those approaches map to the Functions. While PR, ID, and DE emerge as the most frequently covered Functions in the overall literature (cf. Figure 3), the mitigation strategies identified are primarily associated with the Protect and Detect Functions in the citation-weighted results, whereas raw frequencies emphasized Protect and Identify (cf. Figure 4). The apparent discrepancy lies in the fact that mitigation-focused content within the papers does not fully reflect the broader discussion of the Detect Function. In other words, although many papers explore aspects of the detection conceptually, few propose concrete mitigation strategies that directly support DE-related outcomes.

5. Conclusions

This meta-review synthesized 28 survey studies on cybersecurity and resilience in advanced air mobility, revealing 69 threats across nine categories dominated by communication, hybrid, and authentication attacks that exploit GNSS dependence. Bibliometrics show research clusters around NIST CSF Identify, Protect, and Detect Functions, while Respond and Recover remain underexplored. Overall, the findings point towards a still limited cyber-resilience implementation for Unmanned Aircraft Systems, witnessing the need for more systemic efforts to guarantee truly resilient UAS operations. Future research must shift the focus from ‘prevention-only’ to restorative resilience. Based on the identified gaps, subsequent research should prioritize developing fail-safe designs that do not merely ground the drone but actively execute restorative actions to maintain operational continuity. This involves integrating technical mitigations specifically linked to the NIST CSF Functions to ensure that Respond and Recover capabilities reach the same maturity level as the currently dominant Identify and Protect functions. As a further direction for future work, it would be valuable to compare these cyber-resilience findings with similar studies conducted in more mature industrial domains, both within traditional aviation and in other cyber-physical sectors such as maritime, railway, or critical infrastructure. Such a comparison would identify whether the observed lack of focus on response and recovery is a distinctive characteristic of the UAS research landscape or a broader, systemic gap across sectors.

Despite these structured results, a limitation of the proposed methodology lies in the interpretative mapping of scientific papers to the NIST CSF, as the framework was originally designed to manage cybersecurity risks within systems and organizations rather than assessing cyber-resilience within academic publications. The lack of a dedicated taxonomy backs our findings of a limited fragment field.

Another limitation of this systematic meta-review stems from the specific focus of the retrieved literature, which exhibits a predominant attention to UAS with less emphasis on the broader AAM framework. Consequently, the meta-review intends to map the threat landscape for Unmanned Aircraft Systems, but it only partially accounts for the future aviation landscape where UAS and eVTOLs will share low-altitude airspace with other manned aircraft, particularly in dense urban scenarios. Although falling outside the primary scope of this article, the integration of these heterogeneous systems into a shared environment, such as the U-space framework, would entail further cyber-physical safety implications that were partially addressed in the reviewed studies. Factors such as cross-platform communication integrity and coordinated traffic management represent critical variables that may significantly influence the overall cyber-resilience of these interconnected systems.

The lack of emphasis on ‘Adapt’ functions suggests that UAS research is still focused on defending against known threats rather than evolving with the technological landscape. Achieving a Tier 4 (Adaptive) posture requires a shift from static security snapshots to ‘dynamic imaging’. In this paradigm, UAS operations must incorporate iterative feedback loops where ‘lessons learned’ from previous incidents and flight test failures are used to proactively interrupt potential failure paths and to defend from cyber-threats. Although UAS are still relatively young technologies and their applications are rapidly expanding, the results discussed highlight the need for greater attention to response and recovery planning to ensure the development of resilient drone systems and operations.