For security reasons many companies make sure their industrial control systems (ICS) aren’t connected to the Internet. Usually that means USB sticks are used for transferring information, files, patches and updates.
But according to a recently released report from Honeywell Int’l, which makes ICS products, companies aren’t making enough of an effort to sanitize USB sticks before they touch production equipment.
Of the locations studied, nearly half (44 per cent) detected at least one malicious or suspicious file that represented a security issue, says the report.
“This high-level finding confirms that USB remains a significant vector specifically for industrial threats. The data also indicates that risk of industrial facility exposure to threats via USB is consistent and statistically relevant. This data finding is consistent with other third-party reports that cite USB as a major threat vector.”
While the volume of malware discovered in this research was small relative to the total sample size, the potency of what was detected was significant. Of the threats blocked, 26 per cent had the potential to cause a major disruption to an industrial control environment, including loss of view or loss of control. Sixteen per cent were targeted specifically against ICS or Internet of Things (IoT) systems.
The data came from a sample of anonymized USB usage and behavioral data collected from 50 Honeywell customers using its Secure Media Exchange platform. The company said the sample set represents files actively carried into production control facilities via USB removable storage devices, during normal day-to-day operations.
Fifteen per cent of the total threats detected and blocked were well-known threats such as Stuxnet (believed to have caused Iranian nuclear centrifuges to spin out of control in 2010), code to link to the Mirai botnet, the Triton ICS malware and the WannaCry ransomware.
Some malware also could have attacked a USB interface itself, including common Human Interface Device (HID) attacks, which trick the USB host controller into thinking there is a keyboard attached, allowing the malware to type commands and manipulate applications.
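A technical control against the keyboard-impersonation behaviour described above can be built on the interface classes a device declares when it enumerates. The following is an added example, not taken from the Honeywell report or its product: the policy, the device records and the approved-keyboard list are constructed assumptions, and only the class codes (0x03 for HID, 0x08 for mass storage) come from the USB specification.

```python
# Added example: vet a USB device by the interface classes it declares.
# The policy and all sample records are constructed for illustration.
from dataclasses import dataclass

HID_CLASS = 0x03            # USB-IF class code: Human Interface Device
MASS_STORAGE_CLASS = 0x08   # USB-IF class code: Mass Storage
BOOT_KEYBOARD = (0x03, 0x01, 0x01)  # HID, boot subclass, keyboard protocol


@dataclass(frozen=True)
class Device:
    vid_pid: str        # constructed placeholder identifier
    interfaces: tuple   # (class, subclass, protocol) per declared interface


def assess(dev, approved_hid):
    """Return 'allow', 'review' or 'block' under the assumed policy."""
    classes = {cls for cls, _sub, _proto in dev.interfaces}
    has_hid = HID_CLASS in classes
    if has_hid and MASS_STORAGE_CLASS in classes:
        # A storage stick has no reason to be able to inject input as well.
        return "block"
    if has_hid and dev.vid_pid not in approved_hid:
        # Input devices are only trusted when explicitly inventoried.
        return "review"
    return "allow"


def declares_keyboard(dev):
    """True when any interface is a boot-protocol keyboard."""
    return BOOT_KEYBOARD in dev.interfaces


# Constructed sample devices (identifiers are placeholders, not real products).
APPROVED_HID = {"0000:0002"}
SAMPLES = [
    Device("0000:0001", ((0x08, 0x06, 0x50),)),                      # plain flash drive
    Device("0000:0002", ((0x03, 0x01, 0x01),)),                      # inventoried keyboard
    Device("0000:0003", ((0x08, 0x06, 0x50), (0x03, 0x01, 0x01))),   # storage + keyboard
    Device("0000:0004", ((0x03, 0x01, 0x01),)),                      # unknown keyboard
]

if __name__ == "__main__":
    for d in SAMPLES:
        print(d.vid_pid, assess(d, APPROVED_HID), "keyboard" if declares_keyboard(d) else "")
```

The check is only as good as the point where it is enforced: it belongs in whatever component authorizes a device before the operating system binds a driver to it, not in a script run after the fact.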
Others ranged from adware to ransomware. Remote Access Toolkits (RATs) were in the mix, as were droppers designed to download and install additional malware.
The report urges infosec pros to adhere to industrial cyber security best practices. “USB security must include technical controls and enforcement,” the report says. “Relying on policy updates or people training alone will not suffice for scalable threat prevention. Despite the widespread belief that USB drives are dangerous, and despite the prevalence of corporate USB usage policies, the data provides ample evidence that USB hygiene is generally poor.”
Also, outbound network connectivity from process control networks should be tightly controlled, and such restrictions should be enforced by network switches, routers and firewalls.