USB Attacks: The Threat Putting Critical Infrastructure At Risk

The use of removable media remains crucial across many sectors, including critical national infrastructure (CNI) operators, for vital tasks such as software updates. 

However, as removable media plays such an important role in organisational operations, it naturally becomes a target for cybercriminals. 

Which Sectors Rely On Removable Media?

Removable media, such as USB drives, are essential in key sectors that handle sensitive information and rely heavily on physical data transfer, particularly in manufacturing, transportation, healthcare, and finance.

Operational technology (OT) environments rely on removable media for managing data transfer within air-gapped critical assets. USB drives play a crucial role in updating isolated systems, performing regular maintenance, and applying firmware patches.

For instance, in the energy sector, many industrial control systems (ICS), Supervisory Control and Data Acquisition (SCADA) systems, and programmable logic controllers (PLCs) are deployed on air-gapped networks or segmented behind demilitarised zones (DMZs). Often the only practical way to update security agents, apply patches, and export logged system events is via USB drives and other removable media, such as external hard drives.

Some of the world’s largest companies continue to rely on USB drives, making them a prime target for threat actors. For example, in 2023, the Sogu malware attack—a cyber campaign that used infected USB drives to distribute malware—targeted the USB drives of multinational companies in the US and EU.

Why Is Removable Media A Primary Vector For Attackers?

Malware hosted on USB drives can bypass traditional network-based security measures and move laterally between IT and OT systems, leading to potential financial losses, operational downtime, and public safety risks.

Many air-gapped environments were not designed to detect IT malware, leaving them highly vulnerable when compromised via removable media. Once inside these environments, attackers often employ “living-off-the-land” tactics - using legitimate tools and services within the target's infrastructure to collect and exfiltrate data, evade detection, and escalate privileges.

Attacks on isolated networks in critical infrastructure have grown increasingly sophisticated. A notable trend in removable media attacks is keystroke injection, such as the “Rubber Ducky” technique, where a malicious USB device enumerates as a keyboard and types commands into the host at machine speed. Because such a device presents no filesystem, file scanning never sees it; only controls that restrict which device classes and which specific devices may connect will catch it.
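The device-level check this implies, as an added example that is not code from the original article or from OPSWAT: parse Linux kernel attach messages, rebuild each device from its port path, and apply a policy that pins approved storage by serial number, pins approved keyboards by vendor/product ID, and blocks any device that exposes both a mass-storage and a keyboard interface (the BadUSB / keystroke-injection pattern). The log lines, vendor/product IDs, serials and allowlists are constructed and illustrative only.

```python
"""Audit USB attach events from Linux kernel log lines against a device policy.

Added example, not code from the original article or from OPSWAT. The log
lines are constructed to look like dmesg output; vendor/product IDs, serials
and the allowlists are illustrative, not a real site's policy.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Hypothetical allowlists. Storage is pinned by serial so a look-alike drive
# with the same vendor/product IDs is still rejected; HID devices rarely
# expose serials, so they are pinned by vendor/product only.
APPROVED_STORAGE = {("0951", "1666", "0C9D92B1E0F1")}
APPROVED_HID = {("046d", "c31c")}

RE_NEW = re.compile(r"usb (?P<port>\d+-[\d.]+): New USB device found, "
                    r"idVendor=(?P<vid>[0-9a-f]{4}), idProduct=(?P<pid>[0-9a-f]{4})")
RE_SERIAL = re.compile(r"usb (?P<port>\d+-[\d.]+): SerialNumber: (?P<serial>\S+)")
RE_STORAGE = re.compile(r"usb-storage (?P<port>\d+-[\d.]+):\d+\.\d+: USB Mass Storage")
RE_INPUT = re.compile(r"input: .* as \S*/(?P<port>\d+-[\d.]+):\d+\.\d+/")


@dataclass
class UsbDevice:
    port: str
    vid: str = "?"
    pid: str = "?"
    serial: str = ""
    storage: bool = False   # exposed a mass-storage interface
    hid: bool = False       # exposed a keyboard/mouse (HID) interface


def parse_kernel_log(text: str) -> dict[str, UsbDevice]:
    """Group kernel messages by USB port path (e.g. '1-2') into device records."""
    devices: dict[str, UsbDevice] = {}
    for line in text.splitlines():
        if m := RE_NEW.search(line):
            dev = devices.setdefault(m["port"], UsbDevice(m["port"]))
            dev.vid, dev.pid = m["vid"], m["pid"]
        elif m := RE_SERIAL.search(line):
            devices.setdefault(m["port"], UsbDevice(m["port"])).serial = m["serial"]
        elif m := RE_STORAGE.search(line):
            devices.setdefault(m["port"], UsbDevice(m["port"])).storage = True
        elif m := RE_INPUT.search(line):
            devices.setdefault(m["port"], UsbDevice(m["port"])).hid = True
    return devices


def classify(dev: UsbDevice) -> tuple[str, str]:
    """Return (action, reason) for one device under the policy above."""
    if dev.storage and dev.hid:
        # A 'flash drive' that also types is the BadUSB / keystroke-injection pattern.
        return "BLOCK", "composite mass-storage + HID device"
    if dev.hid:
        if (dev.vid, dev.pid) in APPROVED_HID:
            return "ALLOW", "approved HID device"
        return "ALERT", "unapproved HID device (possible keystroke injector)"
    if dev.storage:
        if (dev.vid, dev.pid, dev.serial) in APPROVED_STORAGE:
            return "ALLOW", "approved storage device"
        return "BLOCK", "unapproved mass storage (serial not on allowlist)"
    return "REVIEW", "no recognised interface class"


def audit(text: str) -> dict[str, tuple[str, str]]:
    """Map every port seen in the log to its policy verdict."""
    return {port: classify(dev) for port, dev in parse_kernel_log(text).items()}


# Constructed sample log: five attach events on ports 1-1 .. 1-5.
SAMPLE_LOG = """\
[  101.20] usb 1-1: New USB device found, idVendor=0951, idProduct=1666, bcdDevice= 1.10
[  101.20] usb 1-1: SerialNumber: 0C9D92B1E0F1
[  101.31] usb-storage 1-1:1.0: USB Mass Storage device detected
[  140.02] usb 1-2: New USB device found, idVendor=03eb, idProduct=2401, bcdDevice= 1.00
[  140.10] input: USB Keyboard as /devices/pci0000:00/0000:00:14.0/usb1/1-2/1-2:1.0/0003:03EB:2401.0004/input/input12
[  180.55] usb 1-3: New USB device found, idVendor=0951, idProduct=1666, bcdDevice= 1.10
[  180.55] usb 1-3: SerialNumber: 7A7A7A7A7A7A
[  180.60] usb-storage 1-3:1.0: USB Mass Storage device detected
[  180.61] input: Composite Keyboard as /devices/pci0000:00/0000:00:14.0/usb1/1-3/1-3:1.1/0003:0951:1666.0005/input/input13
[  200.00] usb 1-4: New USB device found, idVendor=046d, idProduct=c31c, bcdDevice=64.00
[  200.05] input: USB Keyboard as /devices/pci0000:00/0000:00:14.0/usb1/1-4/1-4:1.0/0003:046D:C31C.0006/input/input14
[  260.00] usb 1-5: New USB device found, idVendor=0951, idProduct=1666, bcdDevice= 1.10
[  260.00] usb 1-5: SerialNumber: DEADBEEF0001
[  260.10] usb-storage 1-5:1.0: USB Mass Storage device detected
"""

if __name__ == "__main__":
    for port, (action, reason) in audit(SAMPLE_LOG).items():
        print(f"{port}: {action:6} {reason}")
```

Port 1-5 is the case worth noting: it carries the same vendor and product IDs as the approved drive on 1-1 but a different serial, so an allowlist keyed on IDs alone would have let it through. On a real host the same rules belong in a device-control tool that can enforce them at enumeration time rather than in an after-the-fact log audit.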

A recent ESET report indicated a significant rise in USB-based malware capable of infiltrating secure environments. The compromise of air-gapped European government systems and subsequent data theft highlight the urgent need for stronger security measures.

What Are The Challenges In Securing Removable Media?

Securing removable media is challenging, as it includes any portable storage device that can be easily removed from a computer system - ranging from USB drives to CDs, DVDs, and memory cards.

Many organisations lack a unified security policy for removable media and do not account for the unique security requirements of different environments. For instance, suitable media types and architectures may vary between facilities due to their specific needs and expectations.

Consequently, security teams often have limited visibility into which devices connect to their organisation's systems and what data moves across them. This opens a pathway for malware-infected USB drives, leading to data exfiltration and, in ransomware cases, the encryption of critical systems.

Despite this risk, many organisations still overlook removable media security as an essential part of their overall cybersecurity strategy. Implementing the right technologies is crucial for securing these devices to safeguard data and critical systems.

How Can Organisations Secure Removable Media?

To secure removable media, organisations need a multi-layered strategy to mitigate risks.

  • First, organisations should implement a scanning policy that inspects all content arriving on removable devices before it reaches critical network assets. Scanning policies must be enforced at every entry point and combined with other defences, such as firewalls, endpoint protection, and managed file transfers.
  • All files should be cleaned of potentially malicious content using Content Disarm and Reconstruction (CDR) techniques and stored in secure, isolated data vaults. Only data from these vaults that has been sanitised and validated is allowed into OT networks.
  • In addition to scanning policies, teams should perform regular audits of removable media use to detect suspicious activity or policy violations. Strict access controls should limit the use of external devices to authorised personnel, with authentication and authorisation required before data can be accessed or transferred.
  • Access policies should ensure that every USB drive is scanned and sanitised before its data is permitted into the organisation. This process can be managed at scale using dedicated scanning kiosks integrated with secure file storage and managed file transfer capabilities.
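The intake stage of such a kiosk, as an added example that is not code from the original article or from any vendor's product: before CDR rebuilds a file, the kiosk decides whether the file is even a candidate. Here the declared extension must be on an allowlist and match the file's magic bytes, anything that starts with a PE header is refused whatever it is called, Office containers that carry a VBA project or would decompress past a size limit are refused, and every accepted file is recorded by SHA-256 so the vault can later confirm that only inspected bytes were released. CDR itself is not shown. The allowlist, size limit and sample files are constructed assumptions.

```python
"""Kiosk-style intake check for files arriving on removable media.

Added example, not code from the original article or any vendor's product.
It implements the allowlist / type-validation stage that sits in front of
CDR; it does not rebuild files. All sample files are constructed in memory.
"""
from __future__ import annotations

import hashlib
import io
import zipfile

# Hypothetical allowlist: extension -> required leading bytes (None = text, checked separately).
ALLOWED_TYPES: dict[str, bytes | None] = {
    "pdf": b"%PDF-",
    "png": b"\x89PNG\r\n\x1a\n",
    "docx": b"PK\x03\x04",
    "csv": None,
}
MAX_UNPACKED = 50 * 1024 * 1024  # refuse OOXML containers that would expand beyond 50 MiB


def inspect_file(name: str, data: bytes) -> str | None:
    """Return None if the file may enter the vault, otherwise a short rejection reason."""
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    if data.startswith(b"MZ"):
        return "executable"            # PE/DOS image, whatever the extension claims
    if ext not in ALLOWED_TYPES:
        return "not-permitted"
    magic = ALLOWED_TYPES[ext]
    if magic is not None and not data.startswith(magic):
        return "type-mismatch"         # e.g. a PDF extension on non-PDF content
    if ext == "docx":
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as archive:
                infos = archive.infolist()
        except zipfile.BadZipFile:
            return "type-mismatch"
        if sum(i.file_size for i in infos) > MAX_UNPACKED:
            return "too-large"         # decompression-bomb guard
        if any(i.filename.lower().endswith("vbaproject.bin") for i in infos):
            return "macro"             # macro-enabled document disguised as .docx
    if ext == "csv":
        try:
            text = data.decode("utf-8")
        except UnicodeDecodeError:
            return "bad-text"
        if "\x00" in text:
            return "bad-text"
    return None


def process_device(files: dict[str, bytes]) -> tuple[dict[str, str], dict[str, str]]:
    """Split a device's files into accepted {name: sha256} and rejected {name: reason}."""
    accepted: dict[str, str] = {}
    rejected: dict[str, str] = {}
    for name, data in files.items():
        reason = inspect_file(name, data)
        if reason is None:
            accepted[name] = hashlib.sha256(data).hexdigest()
        else:
            rejected[name] = reason
    return accepted, rejected


def _ooxml(*members: str) -> bytes:
    """Build a minimal OOXML-like zip container with the given member names (constructed)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as archive:
        for member in members:
            archive.writestr(member, b"<placeholder/>")
    return buf.getvalue()


# Constructed sample 'drive': what a kiosk might find on an inserted device.
SAMPLE_DEVICE: dict[str, bytes] = {
    "report.pdf": b"%PDF-1.7\n%constructed sample\n",
    "update.exe": b"MZ\x90\x00\x03\x00\x00\x00" + b"\x00" * 32,
    "invoice.pdf": b"MZ\x90\x00" + b"\x00" * 32,               # executable renamed to .pdf
    "memo.docx": _ooxml("[Content_Types].xml", "word/document.xml"),
    "quarterly.docx": _ooxml("[Content_Types].xml", "word/document.xml", "word/vbaProject.bin"),
    "readings.csv": b"timestamp,value\n2024-01-01T00:00:00Z,42\n",
    "firmware.bin": b"\x7fELF" + b"\x00" * 32,                  # type not on the allowlist
}

if __name__ == "__main__":
    ok, bad = process_device(SAMPLE_DEVICE)
    for name, digest in ok.items():
        print(f"ACCEPT {name:16} sha256={digest}")
    for name, reason in bad.items():
        print(f"REJECT {name:16} {reason}")
```

The ordering of the checks matters: the executable test runs before the extension test so that a renamed binary is reported as what it is, not as a type mismatch, and the container is opened only after its magic bytes have been confirmed. Every rejection reason is a fixed token so the kiosk's audit trail can be aggregated rather than free-text.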

These steps dramatically reduce the risk of introducing malicious code into secure network environments.

Beyond preventive technologies, an effective security strategy should include measures to minimise the impact of a breach. All sensitive data transferred to removable media should be encrypted so that it remains protected even if the device is lost or compromised, with the decryption key held by the authorised recipient rather than stored alongside the data on the media.

Employees also play a critical role in securing removable media. Organisations must invest in comprehensive training and awareness programmes to educate employees and third-party providers about the risks associated with removable media.

James Neilson is SVP International at OPSWAT

Image: Bru-nO
