USB removable media still acts as an initial attack vector in OT environments

Honeywell reported the continuation of a trend identified in last year’s report: hackers are leveraging USB removable media as an initial attack vector, after which they attempt to establish remote connectivity to download additional payloads, exfiltrate data, and establish command and control.

The latest research detected that 79 percent of threats originating from USB devices have the potential to cause a major disruption in an industrial control environment, leading to critical business disruptions. For the third year in a row, the threats seen attempting to enter industrial/OT environments have continued to increase in sophistication, frequency, and the potential risk to operations, Honeywell said.

The global pandemic influenced how most operational technology (OT) organizations functioned day-to-day to accommodate new health and safety guidelines, according to data released in Honeywell Industrial Cybersecurity USB Threat Report 2021. Attempts to minimize the physical proximity of staff where possible led to an increased need for the movement of digital data. As a result, the two primary communication paths into OT – removable media and network connectivity – were under increased strain, and operators faced new operational challenges as a consequence. 

Based on Honeywell’s findings, 2020 saw an increase in the use of USB media by 30 percent over 2019. Through analysis of data specific to this vector and specific to industrial control/OT environments, the report attempts to shed new light on the industrial cybersecurity threats associated with USB removable media.

The Honeywell data also indicated that USB removable media are deliberately used to circumvent the “air gap” that protects industrial environments. Analysis of the contents of removable media inbound to OT environments gives strong indications that hackers are deliberately leveraging USB removable media for this purpose.

Threats capable of propagating over USB, or specifically exploiting USB media for initial infection, rose from 19 percent in 2019 to over 37 percent in 2020 – the second consecutive year of significant growth in this area, Honeywell said. Of the threats seen, Trojans dominated again by comprising three-fourths of the malware detected. In addition, more threats in 2020 were wormable, and 52 percent (up from 34 percent) were able to provide remote access or remote control, thereby illustrating the continuation of a trend identified in last year’s report.

A corresponding increase in threats targeting industrials, from 28 percent to 30 percent, supports the theory that USB removable media are being used to penetrate the air-gapped environments found in many industrial and OT environments.

Of the threats blocked, Honeywell identified that malware has risen to 79 percent from 59 percent, demonstrating that such intrusions are more capable of causing a disruption to industrial control systems. This is true despite a slight decline in ransomware, which was a significant contributor in 2019. 

The rising threat severity can be connected to the increase in multi-functional malware. This includes malware that directly impacts target systems (20 percent), malware that downloads stage-2 payloads (9 percent), and malware with other functions such as opening backdoors, establishing direct remote access, and command and control (52 percent).

A new trend that Honeywell identified in 2020 was a significant number of threats that specifically leveraged altered or infected documents. There was a continued increase in Trojans (malware disguised as legitimate software), with a seeming shift from the impersonation of executable files and archives to document files.

Malware samples were also more sophisticated than expected, with the ability to propagate to other systems and establish backdoor access, download and install other components, and provide remote command and control. The concentration of this type of malware among samples specifically entering ICS/OT on removable media is simply too high to be coincidental. 

In addition, an increasing number of threats, about 30 percent, were known to have been designed specifically for industrial use or associated with industrial cyber-attack campaigns. A similar proportion had qualities associated with early-stage attacks that are likely part of a larger campaign.

USB-borne malware is clearly being leveraged as part of larger cyber-attack campaigns against industrial targets. Honeywell recommends continued diligence to defend against the growing USB threat, and strong USB security controls are highly recommended.
