LNG Terminal Drone Detection: Meeting CER Directive Requirements for Energy Sector

Context and challenge

A large LNG terminal on a busy coastline faced a fast-changing security reality: drones had become cheap, capable, and easy to operate from outside the perimeter. The terminal’s risk profile made this more than a nuisance. A small aircraft with a camera could map tank layouts and patrol patterns. A drone with payload capability could attempt sabotage, disrupt operations, or trigger safety incidents near critical process areas.

At the same time, the regulatory landscape tightened. The Critical Entities Resilience (CER) Directive set expectations for operational resilience, including risk assessment, protective measures, incident handling, and demonstrable preparedness. For an LNG terminal, that meant moving beyond ad hoc “spotter” methods and toward a repeatable, auditable detection and response capability that could be tested by independent evaluators.

The operational constraints were significant:

• High electromagnetic noise and reflective structures from industrial equipment, metal pipe racks, and ship-to-shore interfaces
• Variable line-of-sight across berths, storage areas, and perimeter zones
• Mixed airspace conditions, including nearby public areas, maritime traffic, and legitimate aviation activity
• A need for 24/7 coverage with minimal operational disruption
• A requirement to support incident documentation suitable for auditors and certification processes
• A need to prove effectiveness against realistic adversary behavior, not just compliant paperwork

The terminal’s existing controls—CCTV, perimeter intrusion detection, and guard patrols—were strong for ground threats but struggled to provide early warning and classification for aerial threats, especially when drones were launched from beyond the fence line.

Approach and solution

To meet resilience obligations and close the detection gap, the terminal implemented a full AISAR ecosystem designed specifically for drone detection, classification, and response workflow:

1. Passive RF mesh for wide-area detection
2. A CAPS unit to coordinate sensing and response actions
3. A Fusion Dashboard to unify signals, alerts, and operational procedures

This architecture was selected for two reasons: it supported layered resilience (multiple sensors and decision aids) and it produced the kind of audit-ready evidence that compliance certification requires.

1) Passive RF mesh: detection without emissions

The foundation was a passive radio-frequency mesh deployed across key parts of the site, including berth approaches, tank farm edges, and perimeter-adjacent “shadow zones” where line-of-sight is poor.

Passive RF sensing brought practical advantages for an LNG environment:

• Non-emitting detection, avoiding interference risks and minimizing operational impact
• Early warning by picking up drone control links and telemetry where available
• Distributed coverage, enabling triangulation and improved localization despite reflections and structures
• Resilience-by-design, since a mesh reduces the single-point-of-failure risk of a lone sensor

During deployment, the terminal prioritized placement based on a combined analysis of:

• likely launch points outside the perimeter
• high-consequence asset zones
• historical nuisance sightings
• structural occlusion areas created by tanks and gantries

The RF mesh was tuned to reduce nuisance alerts, with thresholds adjusted to account for industrial RF “background” while preserving sensitivity to low-power drone signals.

2) CAPS unit: coordinated detection-to-response control

To move from “detection” to “operational capability,” the system incorporated a CAPS unit as the control layer coordinating sensor inputs and response steps.

In practice, this component enabled:

• Automated correlation of signals that might otherwise appear as isolated anomalies
• Event creation and prioritization, ensuring the security team saw a clear incident object rather than a stream of raw hits
• Policy-aligned alerting, mapping detection confidence and proximity into a response level consistent with site procedures
• Operator guidance, prompting next actions such as camera slewing, escalation, or airside safety notifications

The emphasis was not only on technology but on decision-making under pressure. The terminal’s security leadership wanted a system that reduced ambiguity for operators and created consistent responses across shifts.

3) Fusion Dashboard: a single operational picture with audit-ready evidence

The final element was the Fusion Dashboard, used as the operator interface and the compliance evidence layer. Rather than relying on multiple screens and manual cross-checking, the dashboard provided:

• a unified view of RF detections, location estimates, and confidence levels
• incident timelines showing what was detected, when, and how it was handled
• workflow steps aligned with internal response plans (e.g., verify, assess, escalate, document)
• structured reporting to support reviews, audits, and post-incident learning

This was critical for CER Directive-aligned resilience because it supported more than real-time monitoring. It also supported:

• repeatable procedures
• training and drills
• lessons learned and continuous improvement
• demonstrable oversight via incident records

Implementation method: from baseline to validated readiness

The rollout followed a staged process designed to minimize disruption and maximize adoption:

1. Baseline risk assessment and detection gap mapping
   Key assets, threat scenarios, and operational constraints were translated into detection coverage requirements and response objectives.

2. Pilot deployment in the highest-risk zone
   Initial sensors were placed to prove performance in the most complex RF and structural environment before expanding site-wide.

3. Operational integration and training
   Security operators were trained not only on using the dashboard but on decision thresholds, escalation triggers, and documentation expectations.

4. Procedural alignment with resilience requirements
   Incident handling steps, recordkeeping, and review cycles were aligned with broader resilience governance, ensuring the system supported compliance rather than sitting outside it.

5. Validation through adversary-style testing
   Effectiveness was proven with a third-party red team exercise designed to replicate realistic drone behaviors.

Results

Compliance certification achieved

With the AISAR ecosystem fully deployed and integrated into security operations, the LNG terminal achieved compliance certification aligned with CER Directive expectations. The certification process focused on demonstrable capability: risk-informed controls, documented procedures, operator readiness, and evidence of testing.

The system helped translate regulatory requirements into operational reality by providing:

• consistent detection coverage and alerting logic
• structured incident handling workflows
• records suitable for oversight and audit review

Successful third-party red team exercise

A critical milestone was passing a third-party red team exercise designed to test real-world performance, not just system specifications. The exercise included attempts to exploit common weaknesses such as:

• approaching from non-obvious directions (e.g., maritime side)
• using brief exposure windows to minimize detection time
• leveraging cluttered RF environments near industrial equipment
• inducing operator overload through ambiguous signals

The combined RF mesh, control layer, and fused interface provided earlier recognition, clearer classification cues, and faster coordination of verification steps. Just as important, the terminal could demonstrate how decisions were made and what actions were taken, which matters as much as detection in resilience evaluations.

Operational improvements beyond compliance

In day-to-day operations, the system produced benefits that extended past certification goals:

• Reduced reliance on chance visual spotting
• Improved shift-to-shift consistency through guided workflows
• More efficient incident review and training using replayable timelines
• Better coordination between security, operations, and safety teams during aerial anomalies

No specific performance metrics are included here; however, stakeholders reported that the largest improvement was the move from “awareness after the fact” to actionable early warning with consistent documentation.

Key takeaways

• CER Directive readiness demands proof, not promises. Resilience compliance is strengthened by systems that create audit-ready incident records and show tested procedures.

• Passive RF meshes suit complex industrial environments. Non-emitting detection can reduce operational friction while improving coverage across obstructed zones.

• Detection alone is insufficient without coordination and workflow. A control layer and unified dashboard help translate sensor data into consistent, defensible actions.

• Red team validation changes the conversation. Independent adversary-style testing provides credible evidence of real-world readiness and exposes gaps before regulators—or incidents—do.

• Integration with people and process determines success. Training, escalation rules, and documentation practices must be designed alongside the technology to achieve reliable outcomes.