Researchers find Stuxnet, Mirai, WannaCry lurking in industrial USB drives

The malware strains have all been found in industrial settings due to removable media.
Written by Charlie Osborne, Contributing Writer

Removable storage and USB thumb drives are a serious security incident waiting to happen, new research suggests.

When we consider threats to our industrial systems, specifically crafted malware, such as the Industroyer strain which cut off the power to the city of Kiev in Ukraine for an hour, often comes to mind.

Industrial players have a problem. Many of the operating systems, controls, and equipment used to power these facilities have legacy components which were never designed for over-the-air (OTA) updates or cybersecurity at all -- and due to memory, size, and hardware limitations may not be suitable for direct protection.

A way to mitigate these risks is to implement strong perimeter defense, but if a USB key is directly connected to an industrial system, these protections can easily be circumvented.

On Thursday, industrial and engineering conglomerate Honeywell released a new report exploring the potential risks USB drives pose and found current protective practices wanting.

According to the firm, USB drives pose a "significant and intentional" cybersecurity threat to industrial systems and could be weaponized to disrupt organizations and potentially go so far as to interrupt core services, such as those offered by water and energy utilities.

After scanning 50 customer locations across the US, South America, Europe, and the Middle East, Honeywell found that 44 percent of USB devices present at these industrial facilities contained at least one file with a security issue.

In total, 26 percent of these threats had the potential to cause operational problems, including the loss of visibility or control by operators.

Industries affected included oil & gas, energy, chemical manufacturing, pulp & paper, and other manufacturing entities.

In the report, the researchers document a variety of attack attempts at these facilities which intentionally utilized USB devices loaded with malware. One out of six of these attacks targeted industrial control systems or Internet of Things (IoT) devices.

Trojans were the most common forms of malware on USB drives detected, some strains of which are able to create backdoors, steal sensitive information, and deliver additional malicious payloads via command-and-control (C2) servers.

Botnets, droppers, hacking tools, and potentially unwanted programs (PUPs) were also discovered.

In total, 15 percent of the threats recognized included Triton (2 percent), a malware strain which has previously been connected to attacks against Schneider Electric's Triconex Safety Instrumented System (SIS) controllers; Mirai (six percent), an IoT botnet; Stuxnet (two percent), the famous worm which disrupted Iranian nuclear facilities in 2010; and WannaCry (one percent), the malware at the heart of a recent global ransomware outbreak.

"The data showed much more serious threats than we expected and taken together, the results indicate that a number of these threats were targeted and intentional," said Eric Knapp, director of strategic innovation at Honeywell Industrial Cyber Security. "This research confirms what we have suspected for years -- USB threats are real for industrial operators. What is surprising is the scope and severity of the threats, many of which can lead to serious and dangerous situations at sites that handle industrial processes."

This is not the first time in recent months that we've heard of USB drives becoming a risk to security. In September, Schneider Electric warned customers that USB media shipped with its products may have been "contaminated" with malware during the manufacturing process.

In 2017, IBM was forced to issue a similar warning to customers after the tech giant uncovered potential malware infections in USBs supplied with Storwize storage systems.
