The latest Honeywell USB Threat Report 2020 indicates that the number of threats specifically targeting Operational Technology systems has nearly doubled from 16% to 28%, while the number of threats capable of disrupting those systems rose from 26% to 59% over the same period.
Let’s face it. Critical infrastructure operators in manufacturing, aerospace, energy, shipping, chemical, oil and gas, pulp and paper, water and wastewater, and building automation are heavily relying on USB devices. The reason is simple - process control and critical networks are typically well-isolated, with strong physical and logical access controls in place.
It is, therefore, no surprise that removable media remains one of the top vectors for cybersecurity threats. Since the established access controls make network penetration and intrusion more difficult, adversaries are targeting the “low hanging fruit” of required file transfers between industrial automation and control systems.
Overall, we are witnessing an increase in attacks targeting Operational Technology (OT). But, at the same time, we can see an increased awareness of the consequences of such attacks due to broad news coverage of Industroyer, TRITON, Havex, Ekans, USBCulprit, and more. USB devices continue to play an important role in these types of targeted attacks, since they are the second most prevalent attack vector into industrial control and automation systems behind network-based threats.
To compile the report, researchers from Honeywell’s Industrial Cybersecurity Global Analysis, Research, and Defense (GARD) team analyzed USB usage and behavioral data collected from production sites.
According to the report findings, 45% of production sites have blocked at least one threat. This reaffirms that USB remains a significant vector for OT threats. It is almost inevitable that, over time, some threat will find its way onto USB removable media.
Despite the fact that the volume of malware discovered on USB removable media was a small fraction of the total sample size, the impact of the malware found increased significantly since the first report in 2018 even if the overall concentration of malware remained steady. A staggering 59% of total discovered threats had the ability to impact industrial control and process automation systems, up from just 26% in 2018. This includes malware capable of creating denial of service attacks to devices connected within automation networks, loss of view to operations management networks, or the destruction or disruption of key assets.
The researchers believe that this finding directly correlates to the increase in ransomware, which was up from 7% to 17%. Although ransomware is not considered an “OT specific” threat, the increased numbers seen in OT environments indicate that industrial corporations are being targeted by ransomware variants. Therefore, the rate of threats targeting OT nearly doubles from 16% to 28%.
The report also shows that 1 in 5 of all threats (19%) was designed specifically to leverage USB removable media as an attack vector, and more than half the threats were designed to open backdoors, establish persistent remote access or download additional malicious payloads. These findings are indicative of more coordinated attacks, likely attempting to target air-gapped systems used in most industrial control environments and critical infrastructure.
"USB-borne malware continues to be a major risk for industrial operators," said Eric Knapp, director of Cybersecurity Research and engineering fellow, Honeywell Connected Enterprise, Cybersecurity. "What's surprising is that we're seeing a much higher density of significant threats that are more targeted and more dangerous. This isn't a case of accidental exposure to viruses through USB – it's a trend of using removable media as part of more deliberate and coordinated attacks."
What is worrying, though, is that 20% of the threats analyzed went undetected, up from 11% in the 2018 report. This is concerning especially with the high prevalence of newer threats and the clear indications of high-impact, targeted threats against industrials originating from USB removable media. The key problem is that many industrial organizations update their anti-virus signatures less frequently, due to the limited availability of maintenance windows where such updates can occur.
Implications for industrial operators
The findings of the report are useful for the industries to enhance their cybersecurity posture.
The evidence demonstrated in the Honeywell report indicates that new threat variants are being introduced more quickly through USB devices, specifically targeting industrials. Hence, industries should revisit their established controls and patch cycles to remediate these threats. Real-time detection of risks and threats, and integrated monitoring and incident response procedures should be part of every operator’s playbook.
Considering the increased threat that USB drives pose, USB security must include technical controls and enforcement. Relying solely on policy updates or staff training is not adequate to prevent increased threats to industrial systems.
USB drivers are usually vectors of initial infection for the attackers to establish remote access and download additional payloads. To prevent this pivot, egress network traffic should be tightly controlled and should be enforced by network controls such as segmentation and firewalls.
Finally, patching and hardening of end nodes is a necessity despite the challenges of patching production systems (you can read more about that topic, here). Keeping the infrastructure current is the best way to mitigate known threats and help security teams respond to sophisticated and targeted attacks.
Industries are already taking steps to address USB threats. For example, the Federal Energy Regulatory Commission has ordered the revision of power reliability standards “to mitigate the risk of malicious code” stemming from such devices. This report has also highlighted that it is important to deliver security solutions that are not either completely unusable or productivity stoppers.
Tripwire offers a wide ranges of security solutions to help industries address threats against ICS systems. You can learn more here.
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.