Industrial organizations face security threats not only on their networks but across their factories and facilities. A successful cyberattack can compromise hardware and software used for critical operations. Though most attacks are launched via a network or individual computer, some are staged via storage devices. A report published Tuesday by Honeywell looks at how malware on USB devices can threaten industrial facilities.
For its 2022 Industrial Cybersecurity USB Threat Report, Honeywell noted that USB storage drives can be used to carry files into or out of industrial facilities. These drives are enlisted to infect systems with malware or to compromise sensitive information. Since the first such report was published four years ago, the threats faced by operational technology (OT) environments have become more ubiquitous and more dangerous.
USB-based threats on the rise
To devise its report, Honeywell’s Cybersecurity Global Analysis, Research and Defense team analyzed USB-based threats detected and blocked by its security engine. The devices examined were actively used in industrial facilities. As the results were limited to malware that was blocked, there were likely additional threats not detected or recorded by the report.
Among all the security threats seen by Honeywell, 32% were specific to industrial facilities. Those designed to propagate using USB devices or to exploit USB drives to install malware rose to 52% this year from 37% the previous year.
Threats aimed at establishing remote access into the compromised system held level at 51%. Over the same period, high-impact security threats able to trigger a loss of control or loss of visibility into an industrial device increased to 81% from 79% of all the visible threats.
This year’s results are an improvement over previous years, when some of the threats doubled in activity. The more moderate increases seen this year are a sign that the level of threats against this sector may have reached a plateau, though they remain at extremely high levels.
“USB-borne malware is clearly being leveraged as part of larger cyberattack campaigns against industrial targets,” Honeywell said in the report. “Adaptations have occurred to take advantage of leveraging the ability of USB removable media to circumvent network defenses and bypass the air gaps upon which many of these facilities depend for protection.
“Continued diligence is necessary to defend against the growing USB threat, and strong USB security controls are highly recommended.”
Honeywell’s advice for protecting against USB-based malware
For industrial organizations seeking to protect their facilities and operational technology from compromise via USB, Honeywell offers the following recommendations.
Establish a clear USB security policy
USB removable media can easily be used as an initial attack method into industrial control and operational technology environments. For that reason, establish and enforce policies to better secure USB media and peripherals.
Reduce the time it takes to remediate a threat
New types of threat variants are surfacing more quickly, specifically using USB devices to target individuals. To combat these threats, examine existing security controls and patch cycles to shorten the time required to eliminate a threat. Also, look at any external controls used to provide real-time detection of threats.
Secure your files, documents, and other digital content
Make sure to inspect the primary routes into and between industrial facilities, including removable media and network connections. The goal is to improve the ability to prevent the introduction and propagation of content-based malware.
Control outbound network connectivity from process control networks
This type of access must be tightly controlled and enforced by network switches, routers and firewalls. Security threats that cross the air gap via USB can sneak into industrial systems, setting up backdoors to install additional payloads and creating remote command-and-control processes.
Keep your security up to date
Be sure to regularly update antivirus and security software used in process control facilities. But beyond traditional anti-malware defenses, a more layered approach to threat detection with threat intelligence that covers operational technology is strongly recommended.
Patch and harden all end nodes
Security threats can set up persistence and covert remote access to otherwise air-gapped end nodes and other systems. As such, be sure to patch and protect the end nodes in your industrial facilities. By hardening your operational technology systems, you also reduce the time required to mitigate a threat.
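One concrete way to act on the first two recommendations above (a clear USB security policy, backed by real-time detection) is to audit what the operating system records when removable media is plugged in. The following is an added example, not code from the Honeywell report or from TechRepublic: a small Python audit that reads Linux kernel (dmesg-style) USB enumeration messages, identifies which insertions were mass-storage devices, and checks each one against a site allowlist of (idVendor, idProduct, SerialNumber) triples. The allowlist, the vendor and product IDs, the serial numbers, and the log lines are all constructed for this example.

```python
import re
from dataclasses import dataclass

# Hypothetical site allowlist: (idVendor, idProduct, SerialNumber) triples that
# the USB policy approves. All values are constructed for this example.
APPROVED_DEVICES = {
    ("abcd", "1234", "SITE-A-0001"),
}

# Constructed sample of Linux kernel USB messages: one approved stick,
# one unknown stick, and a keyboard (which is not mass storage).
SAMPLE_LOG = """\
[  101.210] usb 1-1: new high-speed USB device number 3 using xhci_hcd
[  101.360] usb 1-1: New USB device found, idVendor=abcd, idProduct=1234, bcdDevice= 1.00
[  101.361] usb 1-1: Product: SiteApprovedStick
[  101.362] usb 1-1: Manufacturer: ExampleCorp
[  101.363] usb 1-1: SerialNumber: SITE-A-0001
[  101.700] usb-storage 1-1:1.0: USB Mass Storage device detected
[  250.010] usb 2-3: new high-speed USB device number 4 using xhci_hcd
[  250.160] usb 2-3: New USB device found, idVendor=dead, idProduct=beef, bcdDevice= 2.00
[  250.161] usb 2-3: Product: UnknownDrive
[  250.162] usb 2-3: Manufacturer: NoName
[  250.163] usb 2-3: SerialNumber: 000000000000
[  250.500] usb-storage 2-3:1.0: USB Mass Storage device detected
[  300.000] usb 2-4: New USB device found, idVendor=1111, idProduct=2222, bcdDevice= 1.00
[  300.001] usb 2-4: Product: USB Keyboard
[  300.002] usb 2-4: Manufacturer: KeyCo
"""

# Regexes for the three message shapes the audit cares about.
NEW_DEVICE_RE = re.compile(
    r"\[\s*[\d.]+\]\s+usb (\S+): New USB device found, "
    r"idVendor=([0-9a-fA-F]{4}), idProduct=([0-9a-fA-F]{4})"
)
PROPERTY_RE = re.compile(
    r"\[\s*[\d.]+\]\s+usb (\S+): (Product|Manufacturer|SerialNumber): (.+)$"
)
STORAGE_RE = re.compile(
    r"\[\s*[\d.]+\]\s+usb-storage (\S+): USB Mass Storage device detected"
)


@dataclass
class UsbDevice:
    port: str
    vendor: str
    product_id: str
    product: str = ""
    manufacturer: str = ""
    serial: str = ""
    mass_storage: bool = False


@dataclass
class Finding:
    port: str
    vendor: str
    product_id: str
    serial: str
    verdict: str  # "allowed" or "blocked"


def parse_usb_events(log_text):
    """Group kernel USB messages by port path (e.g. '1-1') into UsbDevice records."""
    devices = {}
    for line in log_text.splitlines():
        m = NEW_DEVICE_RE.match(line)
        if m:
            port, vendor, product_id = m.groups()
            devices[port] = UsbDevice(port, vendor.lower(), product_id.lower())
            continue
        m = PROPERTY_RE.match(line)
        if m and m.group(1) in devices:
            port, key, value = m.groups()
            setattr(devices[port], key.lower() if key != "SerialNumber" else "serial", value.strip())
            continue
        m = STORAGE_RE.match(line)
        if m:
            # usb-storage reports the interface ('1-1:1.0'); strip to the port.
            port = m.group(1).split(":")[0]
            if port not in devices:
                # Storage detected for a device we never saw enumerate: record it
                # with unknown IDs so it still fails the allowlist check.
                devices[port] = UsbDevice(port, "unknown", "unknown")
            devices[port].mass_storage = True
    return devices


def audit_usb_log(log_text, approved=APPROVED_DEVICES):
    """Return one Finding per mass-storage insertion, allowed or blocked by policy."""
    findings = []
    for port, dev in parse_usb_events(log_text).items():
        if not dev.mass_storage:
            continue  # keyboards, etc. are outside a removable-storage policy
        verdict = "allowed" if (dev.vendor, dev.product_id, dev.serial) in approved else "blocked"
        findings.append(Finding(port, dev.vendor, dev.product_id, dev.serial, verdict))
    return findings


if __name__ == "__main__":
    for f in audit_usb_log(SAMPLE_LOG):
        print(f"port {f.port}: {f.vendor}:{f.product_id} serial={f.serial} -> {f.verdict}")
```

In practice the audit would read from the kernel log or a udev event stream rather than an embedded string, and a "blocked" finding would feed an alert and, where the policy allows, an automated unbind of the device. Matching on serial number as well as vendor and product ID is deliberate: a VID/PID pair alone identifies only a model, so an allowlist keyed on it would admit any stick of the same make. Even the triple is reported by the device's own firmware, so this audit is a detection layer that supports the policy, not a substitute for controls such as disabling mass-storage drivers on nodes that never need removable media.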