Industrial organizations spend a lot of time and money on high-tech walls designed to keep out malware. But lately hackers have been deploying a simple tool to breach those walls: the humble USB drive.
Data from the 2022 Honeywell Industrial Cybersecurity USB Threat Report shows that an eye-opening 52 percent of malware is now designed specifically to piggyback its way inside targets on USB devices and other removable media. This is up from the 32 percent found by the previous year’s report and up significantly from 19 percent in 2020.
Cybercriminals are always evolving and finding new attack vectors. Clearly, they have learned that removable media are an effective way to bypass external defenses and gain access to their targets.
It is critical that organizations recognize this threat because malware that rides on USB devices like thumb drives—which are still used in industrial networks every day—is one of the few attack methods that can bypass air-gapped OT (operational technology) environments.
USB Attacks Can Penetrate Air Gaps and Cause Serious Trouble
As more companies have come to appreciate the value of air-gapping to improve security for their industrial/OT environments, hackers have been looking for workarounds. One of the workarounds they’ve found is USB-borne malware, which is now leveraged often in cyberattack campaigns. Removable media is an easy and effective way to penetrate the air gaps that many facilities rely on to defend their data.
By planting malware on USB devices, hackers can do serious damage. They can access networks and set up remote connectivity, steal data, and establish command and control. The USB is their landing craft and, once they’ve set up a beachhead inside a facility, there will be trouble. This is why industrial organizations must develop strategic plans to improve their security against USB infiltration and further limit the risks of damage to their operations.
Industrial cyber threats continue to grow in number and power. Along with USB attacks, the 2022 Honeywell report found that Trojans make up 76 percent of malware detected. The report warned that Trojans are of particular concern due to their ability to inflict serious disruption on industrial operations and infrastructure.
The report also revealed that malware designed to establish remote access was constant from the previous year, at 51 percent, while malware designed specifically to attack industrial control systems was up from 30 percent to 32 percent, year over year. As for potency, the report found that malware is now better able to cause disruption to control systems.
Cybercriminals have been thwarted by air gaps in recent years and they’re ramping up their efforts to circumvent those defenses. To protect themselves, industrial organizations must respond. Here’s how they can do it.
1: Establish a clear USB policy and communicate it to employees.
The policy should include technical measures and enforcement steps to improve protections against the risks that USB media and peripherals contain malware. For example, employees should be required to keep personal and work-related USB devices separate. Workers should not be downloading Internet videos to work-related USB sticks.
2: Shorten the mean time to remediation (MTTR).
Data shows that new malware is being developed in greater volume and more quickly. Much of this malware is purpose-built to ride on USB devices and target industry. To combat this threat, industrial organizations should reevaluate their current controls and revisit their patch cycles to shorten the MTTR. They should consider external controls to gain real-time detection and improved protection of their primary systems. They should also consider integrated monitoring and incident response.
3: Give heightened attention to digital content, including files and documents.
Industrial organizations should also establish detection- and protection-based controls. It's vital that these be applied to the vectors into and among important industrial facilities (vectors like removable devices and network connections) in order to improve protections against the introduction and spread of content-based malware.
4: Place tight controls on outbound connectivity from process-control networks.
These controls should be enforced by network switches, firewalls, and routers. This is essential because malware on USBs can bridge air gaps and establish a foothold in industrial systems, create backdoors and set up remote access to deliver further payloads, and establish command and control remotely.
5: Reemphasize security upkeep.
Update antivirus software in process-control facilities not monthly or weekly but daily. On top of that, establish a layered system of threat detection that includes OT-specific threat intelligence. Due to the volume of threats now aimed at OT environments—threats that can evade detection by traditional anti-malware tools—it’s vital that anti-malware software is kept up to date in real time.
6: Patch and harden end nodes.
This is necessary given the number of threats out there that can establish persistence and covert remote access to air-gapped systems. The hardening of OT systems is also vital to improving incident MTTR.
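As an added example (not from the Honeywell report or this article), the following Python sketch shows how the technical side of steps 1 and 5 can be enforced: a removable-media allowlist is checked against device-connection events from a hypothetical endpoint agent, with an extra check for a stick that moves from an internet-connected (IT) host to an air-gapped (OT) host, which is the path USB-borne malware takes across an air gap. The device IDs, hostnames, zones and events are all constructed.

```python
"""Constructed example: enforce a removable-media allowlist and flag USB
devices that bridge the IT/OT air gap, based on host agent events."""
from dataclasses import dataclass

# Hypothetical inventory of authorized work USB devices (constructed).
# Key is vendor:product:serial; value is the set of zones it may be used in.
ALLOWLIST = {
    "0781:5581:4C530001230512101234": {"OT"},  # engineering transfer stick
    "0951:1666:E0D55EA5733A0C9E1B7C": {"IT"},  # office-only drive
}


@dataclass(frozen=True)
class UsbEvent:
    host: str
    zone: str       # "IT" (internet-connected) or "OT" (air-gapped)
    device_id: str  # vendor:product:serial as reported by the agent


def evaluate(events):
    """Return policy alerts for a chronological list of UsbEvent records.

    unauthorized: device is not in the allowlist (e.g. a personal stick)
    wrong_zone:   allowlisted device plugged into a zone it is not approved for
    bridging:     device previously seen in IT now appears on an OT host
    """
    alerts = []
    seen_zones = {}  # device_id -> zones where it has already been connected
    for ev in events:
        allowed = ALLOWLIST.get(ev.device_id)
        if allowed is None:
            alerts.append(("unauthorized", ev.host, ev.device_id))
        elif ev.zone not in allowed:
            alerts.append(("wrong_zone", ev.host, ev.device_id))
        prior = seen_zones.setdefault(ev.device_id, set())
        if ev.zone == "OT" and "IT" in prior:
            alerts.append(("bridging", ev.host, ev.device_id))
        prior.add(ev.zone)
    return alerts


# Constructed sample events in the order the agent reported them.
SAMPLE_EVENTS = [
    UsbEvent("eng-ws-01", "OT", "0781:5581:4C530001230512101234"),
    UsbEvent("office-pc-07", "IT", "0951:1666:E0D55EA5733A0C9E1B7C"),
    UsbEvent("hmi-02", "OT", "0951:1666:E0D55EA5733A0C9E1B7C"),  # office stick on an HMI
    UsbEvent("plc-eng-03", "OT", "abcd:1234:PERSONAL0001"),      # unknown personal stick
]

if __name__ == "__main__":
    for alert in evaluate(SAMPLE_EVENTS):
        print(*alert)
```

Feeding the same allowlist to a host-side block rule (rather than only alerting) is how the "technical measures and enforcement steps" of step 1 turn from policy into control.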
Final Takeaway to Combat Malware Threats
Threats targeting industrial/OT environments are rapidly growing in sophistication and frequency. They pose a dire risk to industrial operations everywhere. In response, industrial operators must take new action to better defend themselves. They must continually survey the threat landscape and know the weapons—like USB drives—that hackers are deploying. If they don’t, they risk serious damage from a cyberattack.
ISA/IEC 62443, for example, is a great place for industrial operators to start. The ISA/IEC 62443 cybersecurity standards were crafted by leaders in the IT/OT space from across the globe through the formation of the Global Cybersecurity Alliance under the International Society of Automation (ISA). ISA/IEC 62443 can help you manage risks consistently, setting a foundation for your company’s success at the industrial level. To learn more about ISA/IEC 62443, visit https://isaautomation.isa.org/cybersecurity-alliance/.