Industrial facilities’ cybersecurity is very critical for the national security of every state, and comes once more into focus following the recent Honeywell’s Industrial USB Threat Report.
With increasing pressure to limit network access to industrial control systems, industrial plant dependence upon USB removable media to transfer information, files, patches and updates has been greater than ever. At the same time, past research into USB threats has shown that portable USB drives are one of the top threat vectors impacting industrial control systems.
USB represents an even greater threat than spreading malware: a USB device can be used to attack systems directly, using the USB interface as a powerful attack vector. Ever since the Stuxnet attack used a USB flash drive to obliterate any semblance of an air gap in an Iranian nuclear facility, the industry has been well aware of the vulnerability that USB devices can introduce to their operations.
When we consider threats to industrial systems, specifically crafted malware – such as the Industroyer strain which cut off the power to the city of Kiev in Ukraine for an hour – often comes to mind. Many of the operating systems, controls and equipment used to power industrial facilities have legacy components which were never designed for over-the-air (OTA) updates or cybersecurity at all and due to memory, size, and hardware limitations may not be suitable for direct protection.
A way to mitigate these risks is to implement strong perimeter defense, but if a USB key is directly connected to an industrial system, these protections can easily be circumvented. In 2017, Honeywell introduced its Secure Media Exchange technology that is designed to manage USB security by giving users a place to plug in and check devices for approved use. Through this capability, Honeywell has been able to gather the data derived from scanning and controlling USB devices at 50 customer locations.
What the research shows is that almost half of those customers (44 percent) have detected and blocked at least one file with a security issue. In addition, 26 percent of the detected threats were capable of significant disruption to the operations, including loss of view or loss of control.
“The data showed much more serious threats than we expected,” said Eric Knapp, director of strategic innovation for Honeywell Industrial Cyber Security. “And taken together, the results indicate that a number of these threats were targeted and intentional” while “Many of which can lead to serious and dangerous situations at sites that handle industrial processes.”
The threats targeted a range of industrial sites, including refineries, chemical plants and pulp and paper facilities around the world. About one in six of the threats specifically targeted industrial control systems (ICSs) or Internet of Things (IoT) devices.
Among the threats detected, 15 percent were high-profile, including well-known issues such as Triton, Mirai and WannaCry as well as variants of Stuxnet. Though these threats have been known to be in the wild, what the Honeywell Industry Cyber Security team considered worrisome was the fact that these threats were trying to get into industrial control facilities through removable storage devices in a relatively high density.
In comparative tests, up to 11 percent of the threats discovered were not reliably detected by more traditional anti-malware technology. Although the type and behavior of the malware detected varied considerably, trojans, which can be spread very effectively through USB devices, accounted for 55 percent of the malicious files. Other malware types discovered included bots (11 percent), hacktools (6 percent) and potentially unwanted applications (5 percent).
“Customers already know these threats exist, but many believe they aren’t the targets of these high-profile attacks,” Knapp said. “This data shows otherwise and underscores the need for advanced systems to detect these threats.”
Implications for Industrial Facilities Operators
The report findings clearly illustrate the importance of adopting and adhering to common industrial cybersecurity best practices since “the data provides ample evidence that USB hygiene is generally poor.” The report provides some practical guidelines on how to enhance USB hygiene.
For a start, USB security must include technical controls and enforcement. Relying on policy updates or people training alone will not suffice for scalable threat prevention.
Second, outbound network connectivity from process control networks should be tightly controlled, and such restrictions should be enforced by network switches, routers and firewalls. It is vital that anti-virus software deployed in process control facilities be updated daily to be at all effective. In addition, patching and hardening of end nodes is necessary despite the challenges of patching production systems.
Last but not least, additional cybersecurity education is required for proper handling and use of removable storage. This can and should be addressed through employee and partner awareness programs, operational personnel cybersecurity training and sound security policy development.
In the years since Stuxnet, regulators have looked to address the risk of using portable media. In April, for example, the Federal Energy Regulatory Commission ordered the revision of power reliability standards “to mitigate the risk of malicious code” stemming from such devices. But this report has also highlighted that it is important to deliver security solutions that are not either completely unusable or productivity stoppers.
“When you make things painful, people are going to find a way around it,” as Seth Carpenter, cybersecurity technologist for Honeywell, commented during an interview at the most recent Honeywell Users Group (HUG) meeting in San Antonio.
For information on how Tripwire’s solutions use these methods and other techniques to defend organization’s ICS systems, click here.