USB threat vector trends and implications for industrial operators

New WAF attack timelines show the start and end of a threat.
No more logs. See how →

In an attempt to make industrial control systems less accessible to attackers, industrial players are limiting network access and increasingly using USB media devices to transfer patches, updates and files to those systems.

But that choice is not devoid of all risk.

Researchers from Honeywell’s Industrial Cyber Security team have analyzed USB media usage and behavioral data from 50 of its customers’ live production sites across the US, Europe, South America and the Middle East, and have found that, in 44 percent of locations, its security solution detected and blocked at least one file with a security issue.

The findings

The threats targeted a wide variety of industrial sites, including refineries, chemical plants and pulp-and-paper manufacturers.

Trojans were the most pervasive – 55% of all the malware detected – followed by bots (11%), hacktools (6%) and Potentially Unwanted Applications (5%).

Industrial USB threats

15 percent of the threats detected and blocked were well-known threats such as Mirai (6%), Stuxnet (2%), TRITON (2%), and WannaCry (1%).

26 percent of the detected threats were capable of significant disruption by causing operators to lose visibility or control of their operations, and and 16% were targeted specifically against Industrial Control System (ICS) or Internet of Things (IoT) systems.

9% of the threats was designed to directly exploit USB protocol or interface weaknesses, and some were able to attack the USB interface itself.

“2% were associated with common Human Interface Device (HID) attacks, which trick the USB host controller into thinking there is a keyboard attached, allowing the malware to type commands and manipulate applications. This supports earlier Honeywell findings that confirmed HID attacks such as BadUSB as realistic threats to industrial operators,” the researchers pointed out.

Advice for industrial administrators

Their advice to companies that run ICSes is to:

  • Regularly update systems, AVs and other security solutions in use
  • Improve USB security
  • Tightly control outbound network connectivity (“The attack types here reveal a tendency for hackers to establish remote access, and to download additional payloads as needed.”)
  • Patch and harden end nodes.
  • Preempt loss due to ransomware by maintaining regular backups and having a tested recovery process in place.
Are you protecting your users and sensitive O365 data from being leaked? Learn how Specops Authentication for O365 can help.