USB Attacks: The Threat Putting Critical Infrastructure At Risk

The use of removable media remains crucial across many sectors, including critical national infrastructure (CNI) operators, for vital tasks such as software updates. 

However, as removable media plays such an important role in organisational operations, it naturally becomes a target for cybercriminals. 

Which Sectors Rely On Removable Media?

Removable media, such as USB drives, are essential in key sectors that handle sensitive information and rely heavily on physical data transfer, particularly in manufacturing, transportation, healthcare, and finance.

Operational technology (OT) environments rely on removable media for managing data transfer within air-gapped critical assets. USB drives play a crucial role in updating isolated systems, performing regular maintenance, and applying firmware patches.

For instance, in the energy sector, many industrial control systems (ICS), Supervisory Control and Data Acquisition (SCADA) systems, and programmable logic controllers (PLCs) are deployed on air-gapped networks or segmented into demilitarised zones (DMZ). The only way to update security agents, apply patches, and export logged system events is through USB drives and other types of removable media, such as external hard drives.

Some of the world’s largest companies continue to rely on USB drives, making them a prime target for threat actors. For example, in 2023, the Sogu malware attack—a cyber campaign that used infected USB drives to distribute malware—targeted the USB drives of multinational companies in the US and EU.

Why Is Removable Media A Primary Vector For Attackers?

Malware hosted on USB drives can bypass traditional network-based security measures and move laterally between IT and OT systems, leading to potential financial losses, operational downtime, and public safety risks.

Many air-gapped environments were not designed to detect IT malware, leaving them highly vulnerable when compromised via removable media. Once inside these environments, attackers often employ “living-off-the-land” tactics - using legitimate tools and services within the target's infrastructure to collect and exfiltrate data, evade detection, and escalate privileges.

Attacks on isolated networks in critical infrastructure have grown increasingly sophisticated. A notable trend in removable media attacks involves keystroke injection methods, such as the “Rubber Ducky” technique, where a malicious USB device emulates a keyboard to execute covert commands on the host system.

A recent ESET report indicated a significant rise in USB-based malware capable of infiltrating secure environments. The compromise of air-gapped European government systems and subsequent data theft highlight the urgent need for stronger security measures.

What Are The Challenges In securing Rremovable Media?

Securing removable media is challenging, as it includes any portable storage device that can be easily removed from a computer system - ranging from USB drives to CDs, DVDs, and memory cards.

Many organisations lack a unified security policy for removable media and do not account for the unique security requirements of different environments. For instance, suitable media types and architectures may vary between facilities due to their specific needs and expectations.

Consequently, security teams often have limited visibility into the devices connecting to their organisation's systems and the flow of data transfers. This opens a pathway for malware-infected USB drives, leading to data exfiltration and the encryption of critical systems.

Despite this risk, many organisations still overlook removable media security as an essential part of their overall cybersecurity strategy. Implementing the right technologies is crucial for securing these devices to safeguard data and critical systems.

How Can Organisations Ssecure Removable Media?

To secure removable media, organisations need a multi-layered strategy to mitigate risks.

  • First, organisations should implement a scanning policy that monitors all incoming traffic from removable devices before it reaches critical network assets.

Scanning policies must be enforced at every entry point and combined with other defences, such as firewalls, endpoint protection, and managed file transfers.

  • All files should be cleaned of malicious content using Content Disarm and Reconstruction (CDR) techniques and stored in secure, isolated data vaults. Only data from these vaults that has been sanitised and validated is allowed into OT networks.
  • In addition to scanning policies, teams should perform regular audits of removable media to detect suspicious activities or policy violations. Implementing strict access controls limits the use of external devices to authorised personnel, with authentication and authorisation required before accessing or transferring data.
  • Access policies should ensure that all USB drives are thoroughly scanned and sanitised before data is permitted within the organisation. This process can be efficiently managed at scale using dedicated scanning kiosks integrated with secure file storage and managed file transfer capabilities.

These steps dramatically reduce the risk of introducing malicious code into secure network environments.

Beyond preventive technologies, an effective security strategy should include measures to minimise the impact of a potential breach. All sensitive data transferred to removable media should be encrypted to remain protected even if the device is compromised.

Employees also play a critical role in securing removable media. Organisations must invest in comprehensive training and awareness programmes to educate employees and third-party providers about the risks associated with removable media.

James Neilson is SVP International at OPSWAT

Image: Bru-nO

You Might Also Read: 

Is The British Government Doing Enough To Combat Cyberattacks Against Critical Infrastructure?:


If you like this website and use the comprehensive 7,000-plus service supplier Directory, you can get unrestricted access, including the exclusive in-depth Directors Report series, by signing up for a Premium Subscription.

  • Individual £5 per month or £50 per year. Sign Up
  • Multi-User, Corporate & Library Accounts Available on Request

Cyber Security Intelligence: Captured Organised & Accessible


 

« Hacker Sentenced For Bitcoin Theft
Virtual iPhones: A Game Changer For Mobile App Development Security »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

Authentic8

Authentic8

Authentic8 transforms how organizations secure and control the use of the web with Silo, its patented cloud browser.

MIRACL

MIRACL

MIRACL provides the world’s only single step Multi-Factor Authentication (MFA) which can replace passwords on 100% of mobiles, desktops or even Smart TVs.

XYPRO Technology

XYPRO Technology

XYPRO is the market leader in HPE Non-Stop Security, Risk Management and Compliance.

Practice Labs

Practice Labs

Practice Labs is an IT competency hub, where live-lab environments give access to real equipment for hands-on practice of essential cybersecurity skills.

DigitalStakeout

DigitalStakeout

DigitalStakeout enables cyber security professionals to reduce cyber risk to their organization with proactive security solutions, providing immediate improvement in security posture and ROI.

CLUSIF

CLUSIF

Clusif is the reference association for digital security in France. Its mission is to promote the exchange of ideas and feedback through working groups, conferences and publications.

NetGuardians

NetGuardians

NetGuardians is a leading Fintech company recognized for its unique approach to fraud and risk assurance solutions.

CSIRT-IE

CSIRT-IE

CSIRT-IE is the body within the NCSC that provides assistance to constituents in responding to cyber security incidents at a national level for Ireland.

CTM360

CTM360

CTM360 is a unified external security platform offering 24x7x365 Cyber Threat Management for detecting and responding to cyber threats.

CryptoCurrency Certification Consortium (C4)

CryptoCurrency Certification Consortium (C4)

The CryptoCurrency Certification Consortium is a non-profit organization that provides certifications to professionals who perform cryptocurrency-related services.

Elysium Analytics

Elysium Analytics

Elysium Cognitive Security Analytics delivers the latest and most flexible security system to reduce cost and complexity while providing unmatched scalability.

Nubeva Technologies

Nubeva Technologies

Nubeva provide a breakthrough TLS Decrypt solution with Symmetric Key Intercept to gain the visibility needed to monitor and secure network traffic.

FortifyData

FortifyData

FortifyData is the next generation of cyber risk management–a comprehensive platform that continuously evaluates your third-party, internal and people risks.

Whistic

Whistic

Whistic is a cloud-based platform that uses a unique approach to address the challenges of third-party risk management.

YorCyberSec

YorCyberSec

YorCyberSec act as a trusted Cyber and Information Security broker and procurement specialist. We help companies to Reduce Risk, Increase Assurance and Improve Performance.

VCG Group

VCG Group

VCG provides everything you need for the design, implementation and management of data centres, cyber-secure enterprise networks, cloud and connectivity services.

Mandiant

Mandiant

Mandiant deliver dynamic cyber defense solutions powered by industry-leading expertise, intelligence and innovative technology.

Supra ITS

Supra ITS

Supra ITS is a leading full-service technology partner offering IT Consulting, Cloud Services, 24x7 Managed IT & Cybersecurity Services, and IT Project Support.

Netsurit

Netsurit

Managed IT, Cloud, and Security Services. Netsurit is Your IT Innovation and Digital Transformation Accelerator.

Intertec Systems

Intertec Systems

Intertec Systems is an award-winning, global IT solutions and services provider that specializes in digital transformation, cybersecurity, sustainability, and cloud services.

SalvageData Recovery Services

SalvageData Recovery Services

Since 2003, SalvageData has been providing high-quality data recovery with the certifications needed to work with any storage media manufacturer.