The Security Threat in Disguise
Whether you call them USBs, flash drives, or pen drives, it’s almost certain your teams are carrying these devices around – and that’s putting your industrial organization at risk.
Security-related news reports might lead you to conclude that bad guys are breaking in using only web vulnerabilities and database hacks. But don’t be fooled by the wolf in sheep’s clothing: seemingly benign USB devices. Based on Honeywell research examining real-world data, USB devices remain a major threat vector for industrial operators.
Our researchers analyzed USB usage data from live production sites in process control industries worldwide. The results demonstrate how often true security threats (almost) enter industrial sites, and how they can impact operations. By understanding the dangers, you can make informed decisions to keep staff productive while mitigating security risks.
Malice in a Pocket
In our age of instant connectivity, you may even find it hard to believe that USBs are still in use. Yet based on Honeywell estimates, anywhere from a dozen to 150 maintenance personnel may work at an industrial site on any given day – and that could just be at one building. For critical legacy equipment, USBs are often the only option maintenance workers have for updating systems too old to accept centralized software pushes.
Even though cloud-based data sharing is commonplace in IT environments, many in operations (OT) still keep their networks and machines segmented for security reasons. USBs continue to fill a technical need to effectively reach particular systems. They are portable, durable, and easy to use.
And they’re still dangerous.
All it takes to create disruption in an industrial plant is a rogue employee or an innocent contractor with a malicious USB. The device might carry a payload, or it might be programmed to take over the machine. As soon as it’s plugged in, it bypasses all the basic system security running on today’s off-the-shelf computer systems.
Worse than costly and disruptive viruses on USBs are deliberate efforts to bring down a company’s infrastructure. It is entirely too easy for someone to purchase malicious USB devices crafted specifically to attack computers via the USB interface. BadUSB, for example, can turn everyday USB devices like fans and charging cables into potential attack vectors. And there are many more variants of malicious USB device attacks. The threat is not static.
Think your staff knows better than to plug in any old USB? When it comes to human behavior, it’s hard to say. As a 2016 study at the University of Illinois, Urbana-Champaign, “Users Really Do Plug in USB Drives They Find” [1], discovered, dropping a drive in a parking lot is as effective as leaving it in a protected conference room. In a controlled experiment, the researchers dropped 297 USB keys on a large university campus. “We find that the attack is effective with an estimated success rate of 45–98 percent and expeditious with the first drive connected in less than six minutes,” they wrote. Despite awareness and training, many of your employees or contractors might be tempted by the simple notion of a free USB device.
Bottom line: Portable USB drives are one of the top threat vectors impacting industrial control systems (Source: BSI, 2016).
A New View into USB Threat Realities
In the past it has been hard to distinguish between security hype and real danger, but with data derived from real-world USB usage, better security decisions are now possible. In fact, it was a quest for better data to inform our future product design that led to our recent USB Threat Report findings.
As part of rigorous self-evaluation, our internal teams assessed the state of USB threats and potential solutions. Data from our globally deployed Secure Media Exchange (SMX) solution offered a rare window into day-to-day USB activities. As part of its regular process, SMX analyzes files against the latest threat intelligence when users “check in” their USBs at an SMX Intelligence Gateway, before the devices are approved for use in the industrial facility. That analysis, in aggregate, provides an illuminating collection of wisdom about USB threats in the real world.
Our security experts evaluated data extracted from SMX across industrial facilities worldwide; the samples were gathered from 50 locations including the U.S., South America, Europe, and the Middle East. The industries represented include oil and gas; energy; chemical manufacturing; pulp and paper; and other industrial manufacturing facilities. This sample set represents files actively carried into process control network environments via USB removable storage devices during normal day-to-day operations.
The SMX data collected is anonymous with no personally identifiable information (PII). To further preserve data anonymity, our analysis presented here does not look in detail at region or industry.
Plug In These USB Threat Takeaways
The report data yields fascinating – if sadly unsurprising – insights:
- In the 50 industrial locations studied, at least one malicious or suspicious file was detected (and blocked!) at 44 percent of locations.
- One in four of the blocked threats could have caused a major disruption to an industrial control environment, including loss of view or loss of control.
- A notable 15 percent of the total threats detected and blocked were high-profile, well-known threats, including Mirai (6 percent), Stuxnet (2 percent), TRITON (2 percent), and WannaCry (1 percent). While these threats have been in the wild for some time, the takeaway is that they were attempting to enter industrial control facilities via removable storage devices.
- General malware is bad enough, but 16 percent were targeted specifically against Industrial Control System (ICS) or Internet of Things (IoT) systems. While the volume of malware discovered in this research was small relative to the total sample size, the malware potency was significant.
You Won’t Quit Using USB Keys. Just Use Them Safely.
The data analysis might inspire you to issue a corporate policy saying that no one may use a USB device for any reason. Perhaps you think in terms of turning off access to all the USB ports so nobody can read one of these drives. But that’s not feasible.
In industrial control networks, USBs are common, easy ways to maintain systems and ensure everything operates correctly. Convincing people to stop using USBs might also stop plant productivity.
Digital transformation is driving more and more connectivity between and across your assets, not to mention across your multiple sites. People want to – and need to – share data and keep key equipment updated. But we want to stay safe – and don’t want to put employees and partners in a position where they have to “cheat” in order to get their work done.
You can, however, ensure USBs are used safely. It’s important to institute defense-in-depth measures, including technical controls designed especially to work in operational settings. When you layer in technology, process, and people-related initiatives, you can more safely use USBs and more tightly control them.