Industrial firms aren’t sanitizing USB sticks used for ICS updates: Report


For security reasons, many companies make sure their industrial control systems (ICS) aren’t connected to the Internet. Usually that means USB sticks are used for transferring information, files, patches and updates.

But according to a recently released report from Honeywell Int’l, which makes ICS products, companies aren’t making enough of an effort to sanitize USB sticks before they touch production equipment.

Of the locations studied, nearly half (44 per cent) detected at least one malicious or suspicious file that represented a security issue, says the report.

“This high-level finding confirms that USB remains a significant vector specifically for industrial threats. The data also indicates that risk of industrial facility exposure to threats via USB is consistent and statistically relevant. This data finding is consistent with other third-party reports that cite USB as a major threat vector.”

While the volume of malware discovered in this research was small relative to the total sample size, the potency of what was detected was significant. Of the threats blocked, 26 per cent had the potential to cause a major disruption to an industrial control environment, including loss of view or loss of control. Sixteen per cent were targeted specifically against ICS or Internet of Things (IoT) systems.

The data came from a sample of anonymized USB usage and behavioral data collected from 50 Honeywell customers using its Secure Media Exchange platform. The company said the sample set represents files actively carried into production control facilities via USB removable storage devices, during normal day-to-day operations.

Fifteen per cent of the total threats detected and blocked were well-known threats such as Stuxnet (believed to have caused Iranian nuclear centrifuges to spin out of control in 2010), code to link to the Mirai botnet, the Triton ICS malware and the WannaCry ransomware.

Some malware could also have attacked the USB interface itself, including common Human Interface Device (HID) attacks, which trick the USB host controller into thinking there is a keyboard attached, allowing the malware to type commands and manipulate applications.

Others ranged from adware to ransomware. Remote Access Toolkits (RATs) were in the mix, as were droppers designed to download and install additional malware.

The report urges infosec pros to adhere to industrial cyber security best practices. “USB security must include technical controls and enforcement,” the report says. “Relying on policy updates or people training alone will not suffice for scalable threat prevention. Despite the widespread belief that USB drives are dangerous, and despite the prevalence of corporate USB usage policies, the data provides ample evidence that USB hygiene is generally poor.”

Also, outbound network connectivity from process control networks should be tightly controlled, and such restrictions should be enforced by network switches, routers and firewalls.

Read the full report here. Registration required.

Howard Solomon
Currently a freelance writer, I'm the former editor of ITWorldCanada.com and Computing Canada. An IT journalist since 1997, I've written for several of ITWC's sister publications including ITBusiness.ca and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times. I can be reached at hsolomon [@] soloreporter.com
