Honeywell’s fourth annual industrial cybersecurity report has been released. Its main focus is the USB threats detected by the company’s specialized security devices on USB sticks carried into the industrial facilities of its customers. Honeywell’s data analysis shows that the share of USB threats specifically targeting the industrial sector skyrocketed from 11% in the 2020 report to 32% in the 2021 report. Compared with 2021, the number of USB threats created in 2022 that were either intended to spread via USB or to deliberately exploit USB for infection increased by a staggering 52%.
Taking a close look at one particular vector in industrial automation environments gives a rare opportunity to examine the actual malware threats industrial enterprises face. This matters because there are only a handful of real entry points into OT (Operational Technology) environments: the supply chain, through which hardware and software enter a mill, plant, refinery or other industrial automation facility; the network, which is restricted to specific information conduits between operational and business networks; and physical access.
Removable media falls under two of these categories: physical access (physically carrying thumb drives and other media into a facility) and the supply chain. This research focuses on malware found on USB storage devices that are used to transport files into, out of and between industrial facilities. The Honeywell Industrial Cybersecurity USB Threat Report is based on malware discovered and stopped by Honeywell technologies deployed internationally. All data is anonymized, so no conclusions can be drawn about particular businesses, sectors or geographical regions. All of it comes from real OT facilities, which gives a unique view of the kinds of malware threats industrial environments face via USB portable media.
USB Threat: The Problem
The threat report already demonstrates a clear trend: these threats will only grow stronger and more visible.
- Threats that expressly target USB for infection or are designed to spread over USB increased from 37% to 52%.
- At 51%, threats intended to create remote access capabilities remained stable.
- Threats that could result in loss of control or loss of view rose from 79% to 81%.
Many indicators grew more slowly this year than in previous editions of this study, which frequently showed enormous increases or even doublings. These more gradual increases suggest that the number of threats using this vector may have peaked, although they persist at extremely high levels.
Types of USB Threats
According to the Company, “this confirms our belief that adversaries are actively using USB removable devices as a first attack vector, at which point they will attempt to establish remote access to download more payloads, exfiltrate data, and establish command and control.”
The use of USB-borne malware in broader cyberattack campaigns against industrial targets is evident. Malware has been adapted to take advantage of USB portable media’s ability to bypass network security controls and cross the air gaps that many of these facilities rely on for protection. Honeywell strongly advises robust USB security controls to protect against the expanding USB threat.
What does the report conclude?
Honeywell’s Global Analysis, Research, and Defense (GARD) team used the GARD Threat Engine, a highly developed proprietary threat detection and analysis technology, to evaluate USB usage and behavioral data. Although the GARD Threat Engine is used by a variety of Honeywell Industrial Cybersecurity products and services, the data for this study consisted only of threats detected by Honeywell’s USB security platform, Honeywell Secure Media Exchange (SMX). Honeywell SMX examines USB devices as they are actively used in industrial facilities, which gives it a highly focused view of industrial USB activity.
What are the main factors behind the USB threat?
The threat posed by USB-borne malware remains a major concern overall. Threats that can spread over USB or specifically use USB media for initial infection rose from 19% in 2019 to slightly more than 37% in 2020 and to 52% in 2021, reflecting the pattern of slowing (but still alarming) growth seen across other metrics.
Trojans continued to dominate the threats observed, making up over 76% of the malware found. The percentage of malware that could grant remote access or control remained constant at 51%. This confirms the report’s view that adversaries are deliberately using USB removable devices as an initial attack vector: from there, they try to establish remote access in order to download further payloads, exfiltrate data and establish command and control. Correlated with the rise in threats specifically targeting industrials (from 30% to 32%), this further supports the hypothesis that USB portable media are being used to breach the air-gapped environments found in many industrial/OT systems.
What are the best security practices for USB Threats?
- A clear USB security policy is necessary. Evidence suggests that USB portable media is an initial attack vector in OT and industrial control environments, so technical controls and enforcement must be developed to increase the security of USB media and peripherals.
- Reduce the Mean Time to Repair (MTTR). Evidence suggests that new threat variants are emerging more quickly, particularly via USB and with a focus on industrials. To reduce MTTR, existing controls should be reviewed and patch cycles reassessed. Integrated monitoring and incident response processes, as well as external controls that offer real-time detection and protection of critical systems, should be considered.
- Files, documents and other digital content deserve more attention. Controls that rely on inspection and detection are required at the main entry points into and between protected industrial facilities (such as removable media and network connections) in order to improve the ability to stop content-based malware from being introduced and spreading.
- Network switches, routers and firewalls must strictly regulate and enforce outbound network connectivity from process control networks. Threats that enter industrial systems via USB are used to open backdoors and gain remote access in order to install additional payloads and establish remote command and control.
- Security maintenance remains crucial. Antivirus software installed in process control facilities requires daily updates. Even so, for maximum effectiveness, a multi-layered approach to threat detection that incorporates OT-specific threat intelligence is strongly advised. Because a high percentage of the threats observed in OT environments evaded detection by conventional anti-malware software, anti-malware controls must be kept up to date to be effective.
- The number of threats that can establish persistence and covert remote access to otherwise air-gapped systems makes patching and hardening of end nodes necessary. Hardening OT systems is another important factor in reducing incident MTTR.
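The inspection-based control recommended above for removable media, shown as an added example that is not part of the report or of Honeywell’s SMX product: a small Python checkpoint that walks a mounted USB drive, applies an extension allowlist, flags autorun files and double extensions, checks file content for a PE header regardless of the file name, and compares SHA-256 digests against a blocklist. The policy values, the blocklist entry (the hash of an empty file) and the sample drive contents are constructed for the demonstration.

```python
import hashlib
import tempfile
from pathlib import Path

# Constructed policy values (assumptions, not Honeywell SMX rules); the blocklist holds the SHA-256 of an empty file as a stand-in for a threat-intel feed.
ALLOWED_EXTENSIONS = {".pdf", ".csv", ".txt", ".xlsx"}
EXECUTABLE_EXTENSIONS = {".exe", ".dll", ".scr", ".bat", ".cmd", ".ps1", ".vbs", ".js", ".lnk", ".hta"}
BLOCKED_NAMES = {"autorun.inf"}
KNOWN_BAD_SHA256 = {"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"}

def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def inspect_media(root: str) -> list:
    """Walk a mounted drive and return one finding per file that violates the policy."""
    findings = []
    for path in sorted(p for p in Path(root).rglob("*") if p.is_file()):
        suffixes = [s.lower() for s in path.suffixes]
        ext = suffixes[-1] if suffixes else ""
        reasons = []
        if path.name.lower() in BLOCKED_NAMES:
            reasons.append("autorun-style file")
        if ext in EXECUTABLE_EXTENSIONS:
            reasons.append("executable extension" + (", disguised by a double extension" if len(suffixes) > 1 else ""))
        elif ext not in ALLOWED_EXTENSIONS:
            reasons.append(f"extension {ext or '(none)'} not on allowlist")
        if path.read_bytes()[:2] == b"MZ" and ext not in EXECUTABLE_EXTENSIONS:
            reasons.append("PE header inside a non-executable extension")  # content check, not just the name
        digest = sha256_of(path)
        if digest in KNOWN_BAD_SHA256:
            reasons.append("SHA-256 on blocklist")
        if reasons:
            findings.append({"file": path.relative_to(root).as_posix(), "sha256": digest, "reasons": reasons})
    return findings

def build_sample_media() -> str:
    """Constructed USB-stick contents in a temp directory (sample data, not real captures)."""
    root = Path(tempfile.mkdtemp(prefix="usb_"))
    (root / "shift_report.pdf").write_bytes(b"%PDF-1.4 clean document")    # allowed type, passes
    (root / "invoice.pdf.exe").write_bytes(b"MZ" + b"\x90" * 64)             # double extension + executable
    (root / "autorun.inf").write_text("[autorun]\nopen=invoice.pdf.exe\n")  # autorun file, .inf not allowed
    (root / "vendor").mkdir()
    (root / "vendor" / "tool.dat").write_bytes(b"MZ" + b"\x00" * 64)         # renamed PE under a bland extension
    (root / "empty.csv").write_bytes(b"")                                    # allowed type, but hash on blocklist
    return str(root)
```

Calling `inspect_media(build_sample_media())` returns four findings; the clean PDF is the only file that passes.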
For the fourth year in a row, the sophistication, frequency and potential operational risk of the threats seen attempting to enter industrial/OT environments have all increased. It is evident that malware transmitted via USB is used in broader cyberattack campaigns against industrial targets. Malware has been modified to take advantage of USB removable media’s ability to bypass network security and cross the air gaps that many of these facilities rely on for protection. Strong USB security procedures are highly advised, and ongoing diligence is required to guard against the rising USB threat.