A one time pad is a a data file ...
I was being facetious--if you knew the origins of the concept of a one time pad I thought that would have been immediately obvious. The main problem with what you are suggesting, aside from lack of message authenticity, is that it would tie one terminal to one drone. You could obviously address this by having a central system responsible for forwarding interactions between operators and the drones but this reduces the effectiveness of the suggested crypto and introduces the point of failure that this article is actually talking about; the drone control terminal.
You have yet to solve this particular problem but don't let practicality get in the way of a good hardware engineers response. Lets not even talk about the cost and difficulty involved of expanding/replacing the key list over time (because eventually key reuse would pose a problem as many of these drones are years old). Realistically a modern key negotiation protocol and cryptosystem would be more than sufficient for this... but again, this is not the actual problem or the situation posed in the article. Someone plugged an infected thumb drive in to the operator terminal; the encrypted control channel used by the drones remains protected.
2. If the control system is run on read-only media, and the part that handles uploads of data to external drives is a separate computer system without a 2 way communication link to the control system, then uploading a virus is by definition impossible as there is no path for such an upload to take.
This is yet another suggestion that throws cost and practicality to the wayside. How do you suggest that mapping data gets to the drone or the operator terminal (since I suspect you didn't actually bother reading the article, uploading of mapping data is the suspected attack vector)? I suppose the operator terminal could run a read only operating system and be replaced with newer versions of the ROM when the mapping data needs updating and even if we ignore the cost of replacing a ROM on potentially hundreds of operator terminals in tens of locations worldwide then we still have a central location to insert a virus: the mapping data server.
3. A hardware filter is a microcontroller or small embedded computer running a separate OS from the main computer that inspects each data packet coming and and leaving and ensures that it meets certain criteria. (such as no strings longer than the allowed buffer size, etc valid checksums, etc)
Yes, I understand the concept, but this is purely an engineers pipe dream and not something you will realistically see in practise in large scale systems like this. The criteria would need to be immensely relaxed to allow for the possibility of software and capability upgrades without physically replacing a device on all several thousand drones they may have in operation.
I'm not saying that your ideas aren't technically feasible but they are very much disconnected from the reality. You may as well have posted and told them to keep them on the ground in a safe suspended above a volcano--they would have about the same use and capability as with the 'upgrades' you have suggested (and still have not addresses the problem of a keylogger on an operator terminal that reveals: W W W A A S D W A S D W)