August 16, 2022:
USB-borne malware can infect your industrial equipment unless you take the proper precautions, says Honeywell.
Industrial organizations face security threats not only on their networks but across their factories and facilities. A successful cyberattack can compromise hardware and software used for critical operations. Though most attacks are launched via a network or individual computer, some are staged via storage devices. A report published Tuesday by Honeywell looks at how malware on USB devices can threaten industrial facilities.
For its 2022 Industrial Cybersecurity USB Threat Report, Honeywell noted that USB storage drives are routinely used to carry files into and out of industrial facilities, and that the same drives can be used to infect systems with malware or to exfiltrate sensitive information. Since the first such report was published four years ago, the threats faced by operational technology (OT) environments have become both more widespread and more dangerous.
To compile the report, Honeywell's Cybersecurity Global Analysis, Research and Defense team analyzed USB-based threats detected and blocked by its security engine on devices actively used in industrial facilities. Because the data set covers only malware that was detected and blocked, the figures are a lower bound: threats that evaded detection are not counted.
Among all the security threats seen by Honeywell, 32% were specific to industrial facilities. Threats designed to propagate over USB devices, or to use USB drives to install malware, rose to 52% this year from 37% the previous year.
Threats aimed at establishing remote access into the compromised system held steady at 51%. Over the same period, high-impact threats capable of causing a loss of control over, or a loss of visibility into, an industrial device increased to 81% from 79% of all observed threats.
This year's results are an improvement over previous years, when some threat categories doubled in activity. The more moderate increases seen this year suggest that the level of threats against this sector may have reached a plateau, though they remain at extremely high levels.
“USB-borne malware is clearly being leveraged as part of larger cyberattack campaigns against industrial targets,” Honeywell said in the report. “Adaptations have occurred to take advantage of leveraging the ability of USB removable media to circumvent network defenses and bypass the air gaps upon which many of these facilities depend for protection.
“Continued diligence is necessary to defend against the growing USB threat, and strong USB security controls are highly recommended.”
For industrial organizations seeking to protect their facilities and operational technology from compromise via USB, Honeywell offers the following recommendations.
USB removable media is an easy initial access vector into industrial control and operational technology environments. For that reason, establish policies for USB media and peripherals and enforce them technically, rather than relying on user compliance alone.
New threat variants are surfacing more quickly, and many specifically use USB devices to target individual operators and engineers. To counter them, review existing security controls and patch cycles to shorten the time needed to eliminate a threat once it is known, and review any external controls that provide real-time detection of threats.
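The two recommendations above, enforcing a USB media policy and detecting violations in real time, come down to one mechanical question: when a removable device enumerates, is it one the site approved? The following is an added example written for this article, not code from Honeywell or its report. It assumes a Linux host where the kernel's USB enumeration messages are available (the `dmesg` line formats below are the ones current kernels emit; the device values, serials and allowlist entries are constructed). It correlates the interleaved log lines into one record per port, then flags any mass-storage device whose (idVendor, idProduct, serial) tuple is not on the allowlist.

```python
"""Allowlist check for USB mass storage driven by Linux kernel log lines.
Added example, not from the Honeywell report. Detection only: enforcement
would be done with USBGuard or the kernel's per-device 'authorized' attribute."""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed sample in the format the Linux kernel logs during enumeration:
# an approved drive on 1-1, an unknown drive on 1-2, and a keyboard on 1-3.
SAMPLE_DMESG = """\
[ 1201.402] usb 1-1: new high-speed USB device number 4 using xhci_hcd
[ 1201.551] usb 1-1: New USB device found, idVendor=0781, idProduct=5581, bcdDevice= 1.00
[ 1201.552] usb 1-1: Product: Ultra
[ 1201.554] usb 1-1: SerialNumber: 4C530000011223344556
[ 1201.560] usb-storage 1-1:1.0: USB Mass Storage device detected
[ 1330.018] usb 1-2: new high-speed USB device number 5 using xhci_hcd
[ 1330.170] usb 1-2: New USB device found, idVendor=abcd, idProduct=1234, bcdDevice= 1.00
[ 1330.171] usb 1-2: Product: Mass Storage
[ 1330.172] usb 1-2: SerialNumber: 000000000006
[ 1330.180] usb-storage 1-2:1.0: USB Mass Storage device detected
[ 1402.900] usb 1-3: new low-speed USB device number 6 using xhci_hcd
[ 1402.990] usb 1-3: New USB device found, idVendor=046d, idProduct=c31c, bcdDevice=64.00
[ 1402.991] usb 1-3: Product: USB Keyboard
"""

# Hypothetical site allowlist of exact (idVendor, idProduct, serial) tuples.
# The serial is mandatory: a cloned VID:PID alone must never be enough to pass.
ALLOWLIST = {("0781", "5581", "4C530000011223344556")}

NEW_DEVICE = re.compile(r"usb (\S+): new .*USB device number (\d+)")
IDS = re.compile(r"usb (\S+): New USB device found, idVendor=([0-9a-f]{4}), idProduct=([0-9a-f]{4})")
ATTR = re.compile(r"usb (\S+): (Product|SerialNumber): (.+)$")
STORAGE = re.compile(r"usb-storage ([0-9.-]+):\d+\.\d+: USB Mass Storage device detected")

@dataclass
class UsbDevice:
    path: str                 # port path such as "1-2", the key the kernel reuses
    devnum: str = ""
    vendor: str = ""
    product: str = ""
    name: str = ""
    serial: str = ""
    mass_storage: bool = False

def parse_dmesg(text: str) -> Dict[str, UsbDevice]:
    """Build one record per port path from the interleaved kernel lines."""
    devices: Dict[str, UsbDevice] = {}
    for line in text.splitlines():
        m = NEW_DEVICE.search(line)
        if m:
            # A fresh enumeration on a port replaces any stale record, so a drive
            # swapped onto the same port cannot inherit the previous verdict.
            devices[m.group(1)] = UsbDevice(path=m.group(1), devnum=m.group(2))
            continue
        m = IDS.search(line)
        if m:
            dev = devices.setdefault(m.group(1), UsbDevice(path=m.group(1)))
            dev.vendor, dev.product = m.group(2), m.group(3)
            continue
        m = ATTR.search(line)
        if m:
            dev = devices.setdefault(m.group(1), UsbDevice(path=m.group(1)))
            if m.group(2) == "Product":
                dev.name = m.group(3).strip()
            else:
                dev.serial = m.group(3).strip()
            continue
        m = STORAGE.search(line)
        if m:
            devices.setdefault(m.group(1), UsbDevice(path=m.group(1))).mass_storage = True
    return devices

def evaluate(devices: Dict[str, UsbDevice], allowlist) -> List[Tuple[str, str, str]]:
    """Return (port, verdict, detail) per device: BLOCK for storage not on the
    allowlist, ALLOW for approved storage, INFO for non-storage devices."""
    findings = []
    for dev in devices.values():
        detail = f"{dev.vendor}:{dev.product} serial={dev.serial or '-'} {dev.name}".strip()
        if not dev.mass_storage:
            verdict = "INFO"
        elif dev.serial and (dev.vendor, dev.product, dev.serial) in allowlist:
            verdict = "ALLOW"
        else:
            verdict = "BLOCK"   # unknown storage, or storage with no serial at all
        findings.append((dev.path, verdict, detail))
    return findings

def unauthorized_storage(text: str, allowlist) -> List[str]:
    """Port paths carrying removable storage that is not approved."""
    return sorted(p for p, v, _ in evaluate(parse_dmesg(text), allowlist) if v == "BLOCK")

if __name__ == "__main__":
    for port, verdict, detail in evaluate(parse_dmesg(SAMPLE_DMESG), ALLOWLIST):
        print(f"{verdict:5} usb {port}: {detail}")
```

Run against the sample, the approved drive on port 1-1 is allowed, the unknown drive on 1-2 is flagged, and the keyboard on 1-3 is recorded but not blocked. Two design points carry over to any real deployment: key the allowlist on the serial as well as the vendor and product IDs, because VID:PID values are trivially cloned, and reset a port's record on every new enumeration so that a device swapped onto an already approved port is re-evaluated from scratch. In production this logic would sit behind `dmesg -w` or a journald reader and feed an enforcement layer; on its own it only produces the alert.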
Inspect the primary routes into and between industrial facilities, including removable media and network connections, with the goal of preventing the introduction and propagation of content-based malware.
Access along those routes must be tightly controlled and enforced by network switches, routers and firewalls. Threats that cross the air gap via USB can slip into industrial systems, establish backdoors for additional payloads, and set up remote command-and-control channels.
Be sure to regularly update antivirus and security software used in process control facilities. But beyond traditional anti-malware defenses, a more layered approach to threat detection with threat intelligence that covers operational technology is strongly recommended.
Security threats can set up persistence and covert remote access to otherwise air-gapped end nodes and other systems. As such, be sure to patch and protect the end nodes in your industrial facilities. By hardening your operational technology systems, you also reduce the time required to mitigate a threat.