USB Attacks: The Threat Putting Critical Infrastructure At Risk

Uploaded on 2024-11-15 in TECHNOLOGY--Resilience, FREE TO VIEW, BUSINESS-Services-IT & Telecoms

The use of removable media remains crucial across many sectors, including critical national infrastructure (CNI) operators, for vital tasks such as software updates. 

However, as removable media plays such an important role in organisational operations, it naturally becomes a target for cybercriminals. 

Which Sectors Rely On Removable Media?

Removable media, such as USB drives, are essential in key sectors that handle sensitive information and rely heavily on physical data transfer, particularly in manufacturing, transportation, healthcare, and finance.

Operational technology (OT) environments rely on removable media for managing data transfer within air-gapped critical assets. USB drives play a crucial role in updating isolated systems, performing regular maintenance, and applying firmware patches.

For instance, in the energy sector, many industrial control systems (ICS), Supervisory Control and Data Acquisition (SCADA) systems, and programmable logic controllers (PLCs) are deployed on air-gapped networks or segmented into demilitarised zones (DMZ). The only way to update security agents, apply patches, and export logged system events is through USB drives and other types of removable media, such as external hard drives.

Some of the world’s largest companies continue to rely on USB drives, making them a prime target for threat actors. For example, in 2023, the Sogu malware attack—a cyber campaign that used infected USB drives to distribute malware—targeted the USB drives of multinational companies in the US and EU.

Why Is Removable Media A Primary Vector For Attackers?

Malware hosted on USB drives can bypass traditional network-based security measures and move laterally between IT and OT systems, leading to potential financial losses, operational downtime, and public safety risks.

Many air-gapped environments were not designed to detect IT malware, leaving them highly vulnerable when compromised via removable media. Once inside these environments, attackers often employ “living-off-the-land” tactics - using legitimate tools and services within the target's infrastructure to collect and exfiltrate data, evade detection, and escalate privileges.

Attacks on isolated networks in critical infrastructure have grown increasingly sophisticated. A notable trend in removable media attacks involves keystroke injection methods, such as the “Rubber Ducky” technique, where a malicious USB device emulates a keyboard to execute covert commands on the host system.

A recent ESET report indicated a significant rise in USB-based malware capable of infiltrating secure environments. The compromise of air-gapped European government systems and subsequent data theft highlight the urgent need for stronger security measures.

What Are The Challenges In securing Rremovable Media?

Securing removable media is challenging, as it includes any portable storage device that can be easily removed from a computer system - ranging from USB drives to CDs, DVDs, and memory cards.

Many organisations lack a unified security policy for removable media and do not account for the unique security requirements of different environments. For instance, suitable media types and architectures may vary between facilities due to their specific needs and expectations.

Consequently, security teams often have limited visibility into the devices connecting to their organisation's systems and the flow of data transfers. This opens a pathway for malware-infected USB drives, leading to data exfiltration and the encryption of critical systems.

Despite this risk, many organisations still overlook removable media security as an essential part of their overall cybersecurity strategy. Implementing the right technologies is crucial for securing these devices to safeguard data and critical systems.

How Can Organisations Ssecure Removable Media?

To secure removable media, organisations need a multi-layered strategy to mitigate risks.

  • First, organisations should implement a scanning policy that monitors all incoming traffic from removable devices before it reaches critical network assets.

Scanning policies must be enforced at every entry point and combined with other defences, such as firewalls, endpoint protection, and managed file transfers.

  • All files should be cleaned of malicious content using Content Disarm and Reconstruction (CDR) techniques and stored in secure, isolated data vaults. Only data from these vaults that has been sanitised and validated is allowed into OT networks.
  • In addition to scanning policies, teams should perform regular audits of removable media to detect suspicious activities or policy violations. Implementing strict access controls limits the use of external devices to authorised personnel, with authentication and authorisation required before accessing or transferring data.
  • Access policies should ensure that all USB drives are thoroughly scanned and sanitised before data is permitted within the organisation. This process can be efficiently managed at scale using dedicated scanning kiosks integrated with secure file storage and managed file transfer capabilities.

These steps dramatically reduce the risk of introducing malicious code into secure network environments.

Beyond preventive technologies, an effective security strategy should include measures to minimise the impact of a potential breach. All sensitive data transferred to removable media should be encrypted to remain protected even if the device is compromised.

Employees also play a critical role in securing removable media. Organisations must invest in comprehensive training and awareness programmes to educate employees and third-party providers about the risks associated with removable media.

James Neilson is SVP International at OPSWAT

Image: Bru-nO

You Might Also Read: 

Is The British Government Doing Enough To Combat Cyberattacks Against Critical Infrastructure?:

If you like this website and use the comprehensive 7,000-plus service supplier Directory, you can get unrestricted access, including the exclusive in-depth Directors Report series, by signing up for a Premium Subscription.

  • Individual £5 per month or £50 per year. Sign Up
  • Multi-User, Corporate & Library Accounts Available on Request

Cyber Security Intelligence: Captured Organised & Accessible

 

« Hacker Sentenced For Bitcoin Theft
Virtual iPhones: A Game Changer For Mobile App Development Security »

CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

CSI Consulting Services

CSI Consulting Services

Get Advice From The Experts: * Training * Penetration Testing * Data Governance * GDPR Compliance. Connecting you to the best in the business.

ZenGRC

ZenGRC

ZenGRC (formerly Reciprocity) is a leader in the GRC SaaS landscape, offering robust and intuitive products designed to make compliance straightforward and efficient.

ManageEngine

ManageEngine

As the IT management division of Zoho Corporation, ManageEngine prioritizes flexible solutions that work for all businesses, regardless of size or budget.

North Infosec Testing (North IT)

North Infosec Testing (North IT)

North IT (North Infosec Testing) are an award-winning provider of web, software, and application penetration testing.

BackupVault

BackupVault

BackupVault is a leading provider of automatic cloud backup and critical data protection against ransomware, insider attacks and hackers for businesses and organisations worldwide.

King & Spalding

King & Spalding

King & Spalding is an international law firm with offices in the United States, Europe and the Middle East. Practice areas include Data, Privacy & Security.

S21sec

S21sec

S21sec is a leading European pure play cybersecurity consultancy, services and solutions provider.

DG Technology

DG Technology

DG Technology is a customer-centric technology expert and business consultant that delivers services and products to minimize your information security, compliance, and business risks.

CyberProof

CyberProof

CyberProof aims to give clarity and confidence to businesses worldwide using a new risk-based approach to cyber security services.

Farsight Security

Farsight Security

Farsight Security provides the world’s largest real-time actionable threat intelligence on how the Internet is changing.

Sopher Networks

Sopher Networks

Sopher is a secure communication and collaboration platform for business and personal use.

Apozy

Apozy

Apozy replaces a secure web gateway to nullify phishing, malware and impersonation attacks.

IntelligInts

IntelligInts

IntelligInts provide 24×7 threat monitoring, hunting, alerting, and mitigation in our world class Security Operations Center.

David Hayes-Export Controls

David Hayes-Export Controls

David Hayes-Export Controls provides assistance to companies affected by export controls or who are considering entering the market but are unsure of the commercial and regulatory implications.

NodeSource

NodeSource

NodeSource helps organizations run production-ready Node.js applications with greater visibility into resource usage and enhanced awareness around application performance and security.

Cyber Security Operations Consulting (CyberSecOp)

Cyber Security Operations Consulting (CyberSecOp)

CyberSecOp is an ISO 27001 Certified Organization which provides cyber security operations services and risk management consulting.

SessionGuardian

SessionGuardian

SessionGuardian (formerly SecureReview) is the world's first and only technology which ensures second-by-second biometric identity verification of your remote user, from log on to log off.

nsKnox

nsKnox

nsKnox is a fintech-security company, enabling corporations and banks to prevent fraud and ensure compliance in B2B Payments.

Panther Labs

Panther Labs

Panther’s mission is to make security monitoring fast, flexible and scalable for all security teams.

Aunalytics

Aunalytics

Aunalytics is a data platform company that delivers insights as a service to answer your most important IT and business questions.

Swick Technologies (SWICKtech)

Swick Technologies (SWICKtech)

SWICKtech offer IT managed services to increase IT security, stability, and performance for your organization.