With increased threats posed by the apparently innocuous USB removable media, security must include technical controls and enforcement, instead of merely relying on policy updates or staff training to prevent increased threats to industrial systems, according to a Tripwire post.
“USB drivers are usually vectors of initial infection for the attackers to establish remote access and download additional payloads,” wrote cybersecurity expert Anastasios Arampatzis in a Tripwire blog post. To prevent this pivot, egress network traffic should be tightly controlled and should be enforced by network controls such as segmentation and firewalls. The patching and hardening of end nodes is a necessity despite the challenges of patching production systems, while working towards keeping the infrastructure current to mitigate known threats and help security teams respond to sophisticated and targeted attacks, he added.
The USB (universal serial bus) removable media is emerging as a significant security threat for industrial environments. A two-fold increase in the frequency and the impact of USB-borne security threats for critical infrastructure operators has been identified, while the removable media remains one of the top vectors for cybersecurity threats, according to a Honeywell whitepaper.
The USB-borne malware that had the potential to cause a major disruption in an industrial control system increased more than two-fold, from 26 percent to 59 percent, according to the ‘Honeywell Industrial Cybersecurity USB Threat Report 2020” whitepaper. The trend is increasingly troubling for critical infrastructure operators in manufacturing, aerospace, energy, shipping, chemical, oil and gas, pulp and paper, water and wastewater, and building automation, as removable media remains one of the top vectors for cybersecurity threats.
Early indications that USB removable media are being used as a deliberate attack vector into operational technology (OT) have been reinforced by an increased detection rate of USB-specific malware, as well as continued detection of malware that specifically targets industrial control/OT organizations. A rise in attacks that specifically target OT along with increased publicity given to such attacks has contributed to the role played by USB devices in targeted attacks.
“It is almost inevitable that, over time, some threat will find its way onto USB removable media,” according to the whitepaper. “While this may seem obvious, it is important to keep this in mind when considering the types of threats detected, and the potential impact that they could have on industrial facilitates and critical infrastructure,” it added.
Honeywell collected data from over 60 countries across North America, South America, Europe, the Middle East, and Asia. The sample-set represents only files actively carried into production control facilities using USB removable storage devices, during normal day-to-day operations. The data represents those files that were detected and blocked.
USB removable media usage and behavioral data were analyzed by the Cybersecurity GARD Threat team, using a proprietary and highly cultivated threat detection and analysis engine – the GARD Threat Engine. Honeywell’s Global Analysis, Research, and Defense team (GARD) is dedicated to OT-focused cybersecurity research, innovation and integration. It operates as part of Honeywell Forge Cybersecurity, using data curated from seven Honeywell cybersecurity research centers, and from over 5,000 deployments in over 65 countries – to provide OT threat analysis and threat detection.
“Being able to quantify actual threats seen over a very specific vector proves what everyone already suspected – that USB-borne malware continues to be a major risk for industrial operators,” said Eric Knapp, director of cybersecurity research and engineering fellow at Honeywell Connected Enterprise. “What’s surprising is that we’re seeing a much higher density of significant threats that are more targeted and more dangerous. This isn’t a case of accidental exposure to viruses over USB, this is a trend of using removable media as part of more deliberate and coordinated attacks.”
In 2018, 14 percent of total threats detected were known to have been developed specifically to target industrial systems, leveraging a specific vulnerability in industrial devices or protocols, which dropped slightly to 11 percent, Honeywell said.
However, a staggering 59 percent of total threats in the latest study had the ability to impact industrial control and process automation systems, up from 26 percent, according to the Honeywell GARD team. This includes malware capable of creating a denial of service type attack to devices connected within automation networks, loss of view to operations management networks, or the destruction or disruption of any key assets.
An increasing number of threats found on USBs had removable media in mind. Of the sample analyzed, 19 percent specifically used USB removable media for infection or propagation. This is more than twice as many as discovered in the initial USB Threat Report, which found that about 9 percent of threats were specifically crafted to leverage USB.
“Traditionally, this was because process control and critical networks are typically well-isolated, with strong physical and logical access controls in place; as such, attacks relying on network penetration and intrusion can be more difficult,” Honeywell said. The remaining ‘low hanging fruit’ for attackers is the need for file transfers into and among industrial automation and control systems, it added.