According to the 2019 SANS State of ICS Cybersecurity Survey, direct physical access is the top threat vector in operational technology and industrial control system security incidents. In 56 percent of incidents, SANS found the initial attack platform involved a USB stick or other direct access to equipment.
USB attack platforms are evolving. At the 2020 Industrial Control Systems Cyber Security Conference, held virtually this week, Eric Knapp, Chief Engineer & Global Director of Solutions & Technology at Honeywell, examined the capabilities of these new attack platforms, and the security implications they introduce to ICS/OT environments.
While malicious USBs aren’t new, Knapp said there’s been a progression from malware and firmware-based attacks, to plug and deploy, remote access, and penetration testing toolkits that are either on USB devices or a device that can be connected by USB.
“The trend is pretty obvious,” Knapp said. “The severity is getting much higher as time progresses and this trend is only going to continue.”
To understand how USB attacks are evolving, Knapp said it’s important to understand how USBs work.
“Every time you plug a USB device into the computer, there’s a USB controller on the device itself and there’s a USB host controller on the computer and those two controllers talk to each other using a USB standard,” Knapp said. “The first thing that happens is the device identifies itself. So we already have an example where we have the device telling the computer what it is and there’s an inherent trust there which can and has been and will continue to be manipulated until the standard evolves to accommodate that.”
Traditional USB attack platforms look like a USB device, but use device descriptor functions to carry out other actions. For example, a device would look like a thumb drive but act as a keyboard. Knapp said these kinds of USB attack platforms are just the tip of the iceberg.
“One of the USB device types that a USB product can emulate is a networking device. So the physical device can create a traditional network,” Knapp said. “Then the devices themselves communicate to whatever host they’re attached to or potentially to other USB devices using essentially an entirely separate networking structure that we are not monitoring or even thinking about.
“And there could be many of these on any individual USB interface and there could be many USB interfaces on our computers. I think you’d be hard pressed to find a computer, even in OT where we have legacy equipment, that doesn’t have USB ports. So we get into this situation where we have this cyber threat and we realize there’s an awful lot of them potentially and we don’t really know where they’re coming from or what they’re doing. This is a problem.”
According to Knapp, hackers can legally purchase things like remote human interface device (HID) attacks, flexible USB device emulation, and full remote command and control for less than $100, making USB attack platforms widely accessible.
“HID devices have remote access and connect to command and control centralized management capabilities. So payloads can be loaded dynamically. Multiple payloads can be preloaded…” Knapp said. “And when you combine this with other capabilities of some of these tools, like keylogging and screen capture, there’s an awful lot these devices can do. You have a pretty powerful weapon in your pocket.”
Knapp said USB attack protocols are getting smaller, smarter and stronger. He said these devices are easy to hide and can avoid detection in metal detectors. They include chips small enough to fit inside a USB cable.
The technology exists, hackers only need to get these devices in.
“The trick with one of these UAP is it has to get into your infrastructure in order to cause any mischief so we need to consider how an adversary might actually try to plant the implant,” Knapp said. “We can create malicious devices in any way, shape, or form that we might want to do. And because of that, it’s easy to trick someone into doing the implanting for you. Most people won’t pick up a thumbdrive in a parking lot anymore, but anyone who has an Apple device and has had to buy a replacement cable knows how expensive they are. If you found one, you might not pick it up, but you might.”
Knapp said serious threats like nation state actors can target an organization’s supply chain. They operate by learning the exact make and model of the IT equipment an organization uses and where it is purchased. They then create counterfeits, using the exact same VID, PID, and serial number structure and send a counterfeit package full of equipment to a soft target in IT or receiving. Then they sit back and wait as the equipment is slowly distributed throughout the organization.
In order to protect against these kinds of attacks, Knapp recommended maintaining a secure supply chain policy, knowing your sources and vendors, and validating firmware.
All these protections are normal security things but they’re not things we think of in OT because we’re needing to protect around our infrastructure and not protecting our infrastructure directly,” Knapp said. “That’s what it’s going to take. It’s refocusing and applying the same best practices but in a slightly different way. It all comes down to awareness and diligence.”