USB Attacks: The Threat Putting Critical Infrastructure At Risk

The use of removable media remains crucial across many sectors, including critical national infrastructure (CNI) operators, for vital tasks such as software updates. 

However, as removable media plays such an important role in organisational operations, it naturally becomes a target for cybercriminals. 

Which Sectors Rely On Removable Media?

Removable media, such as USB drives, are essential in key sectors that handle sensitive information and rely heavily on physical data transfer, particularly in manufacturing, transportation, healthcare, and finance.

Operational technology (OT) environments rely on removable media for managing data transfer within air-gapped critical assets. USB drives play a crucial role in updating isolated systems, performing regular maintenance, and applying firmware patches.

For instance, in the energy sector, many industrial control systems (ICS), Supervisory Control and Data Acquisition (SCADA) systems, and programmable logic controllers (PLCs) are deployed on air-gapped networks or segmented into demilitarised zones (DMZ). The only way to update security agents, apply patches, and export logged system events is through USB drives and other types of removable media, such as external hard drives.

Some of the world’s largest companies continue to rely on USB drives, making them a prime target for threat actors. For example, in 2023, the Sogu malware attack—a cyber campaign that used infected USB drives to distribute malware—targeted the USB drives of multinational companies in the US and EU.

Why Is Removable Media A Primary Vector For Attackers?

Malware hosted on USB drives can bypass traditional network-based security measures and move laterally between IT and OT systems, leading to potential financial losses, operational downtime, and public safety risks.

Many air-gapped environments were not designed to detect IT malware, leaving them highly vulnerable when compromised via removable media. Once inside these environments, attackers often employ “living-off-the-land” tactics - using legitimate tools and services within the target's infrastructure to collect and exfiltrate data, evade detection, and escalate privileges.

Attacks on isolated networks in critical infrastructure have grown increasingly sophisticated. A notable trend in removable media attacks involves keystroke injection methods, such as the “Rubber Ducky” technique, where a malicious USB device emulates a keyboard to execute covert commands on the host system.

A recent ESET report indicated a significant rise in USB-based malware capable of infiltrating secure environments. The compromise of air-gapped European government systems and subsequent data theft highlight the urgent need for stronger security measures.

What Are The Challenges In securing Rremovable Media?

Securing removable media is challenging, as it includes any portable storage device that can be easily removed from a computer system - ranging from USB drives to CDs, DVDs, and memory cards.

Many organisations lack a unified security policy for removable media and do not account for the unique security requirements of different environments. For instance, suitable media types and architectures may vary between facilities due to their specific needs and expectations.

Consequently, security teams often have limited visibility into the devices connecting to their organisation's systems and the flow of data transfers. This opens a pathway for malware-infected USB drives, leading to data exfiltration and the encryption of critical systems.

Despite this risk, many organisations still overlook removable media security as an essential part of their overall cybersecurity strategy. Implementing the right technologies is crucial for securing these devices to safeguard data and critical systems.

How Can Organisations Ssecure Removable Media?

To secure removable media, organisations need a multi-layered strategy to mitigate risks.

  • First, organisations should implement a scanning policy that monitors all incoming traffic from removable devices before it reaches critical network assets.

Scanning policies must be enforced at every entry point and combined with other defences, such as firewalls, endpoint protection, and managed file transfers.

  • All files should be cleaned of malicious content using Content Disarm and Reconstruction (CDR) techniques and stored in secure, isolated data vaults. Only data from these vaults that has been sanitised and validated is allowed into OT networks.
  • In addition to scanning policies, teams should perform regular audits of removable media to detect suspicious activities or policy violations. Implementing strict access controls limits the use of external devices to authorised personnel, with authentication and authorisation required before accessing or transferring data.
  • Access policies should ensure that all USB drives are thoroughly scanned and sanitised before data is permitted within the organisation. This process can be efficiently managed at scale using dedicated scanning kiosks integrated with secure file storage and managed file transfer capabilities.

These steps dramatically reduce the risk of introducing malicious code into secure network environments.

Beyond preventive technologies, an effective security strategy should include measures to minimise the impact of a potential breach. All sensitive data transferred to removable media should be encrypted to remain protected even if the device is compromised.

Employees also play a critical role in securing removable media. Organisations must invest in comprehensive training and awareness programmes to educate employees and third-party providers about the risks associated with removable media.

James Neilson is SVP International at OPSWAT

Image: Bru-nO

You Might Also Read: 

Is The British Government Doing Enough To Combat Cyberattacks Against Critical Infrastructure?:


If you like this website and use the comprehensive 7,000-plus service supplier Directory, you can get unrestricted access, including the exclusive in-depth Directors Report series, by signing up for a Premium Subscription.

  • Individual £5 per month or £50 per year. Sign Up
  • Multi-User, Corporate & Library Accounts Available on Request

Cyber Security Intelligence: Captured Organised & Accessible


 

« Hacker Sentenced For Bitcoin Theft
Virtual iPhones: A Game Changer For Mobile App Development Security »

ManageEngine
CyberSecurity Jobsite
Check Point

Directory of Suppliers

TÜV SÜD Academy UK

TÜV SÜD Academy UK

TÜV SÜD offers expert-led cybersecurity training to help organisations safeguard their operations and data.

DigitalStakeout

DigitalStakeout

DigitalStakeout enables cyber security professionals to reduce cyber risk to their organization with proactive security solutions, providing immediate improvement in security posture and ROI.

The PC Support Group

The PC Support Group

A partnership with The PC Support Group delivers improved productivity, reduced costs and protects your business through exceptional IT, telecoms and cybersecurity services.

Tines

Tines

The Tines security automation platform helps security teams automate manual tasks, making them more effective and efficient.

Clayden Law

Clayden Law

Clayden Law advise global businesses that buy and sell technology products and services. We are experts in information technology, data privacy and cybersecurity law.

CDW

CDW

CDW is a leading multi-brand provider of information technology solutions to business, government, education and healthcare customers in the United States, the United Kingdom and Canada.

IASME Consortium

IASME Consortium

IASME is one of five companies appointed as Accreditation Bodies for assessing and certifying against the UK Government's Cyber Essentials Scheme.

Information Security Group (ISG) - Royal Holloway

Information Security Group (ISG) - Royal Holloway

The Information Security Group, Royal Holloway, University of London, is an Academic Centres of Excellence in Cyber Security Research.

Engage Black

Engage Black

Engage Black provides solutions for securing and protecting cryptographic keys, data at rest, and data in motion.

MaxMind

MaxMind

MaxMind is an industry-leading provider of IP intelligence and online fraud detection tools.

ObserveIT

ObserveIT

ObserveIT helps companies identify & eliminate insider threats. Visually monitor & quickly investigate with our easy-deploy user activity monitoring solution.

Sphonic

Sphonic

Sphonic provides regulated institutions of any size a powerful compliance & risk platform to quickly and securely onboard new customers and manage ongoing AML and Fraud & Risk trends.

Risk Based Security (RBS)

Risk Based Security (RBS)

Risk Based Security provide the most comprehensive and timely vulnerability intelligence, breach data and risk ratings.

Coveware

Coveware

Coveware helps businesses remediate ransomware. We help companies recover after files have been encrypted, and our analytic, monitoring and alerting tools help companies prevent ransomware incidents.

Exterro

Exterro

Exterro is a leading provider of e-discovery and information governance software specifically designed for in-house legal, privacy and IT teams at Global 2000 and Am Law 200 organizations.

Spyderbat

Spyderbat

Spyderbat ATI closes the manual investigation gap between detection and response by instantly presenting causally connected threat activity to security analysts at the onset of an investigation.

Brightsolid

Brightsolid

Brightsolid are experts in Hybrid Cloud. We design, build and manage secure, scalable cloud environments that meet customers’ business ambitions.

Contextal

Contextal

Contextal develops cutting-edge open-source cybersecurity solutions, designed to connect the dots and detect complex threats, which slip through the existing protections.

AKIPS

AKIPS

AKIPS develops the world's most scalable network and infrastructure monitoring software, delivered as a turn-key software appliance.

Telenor Cyberdefence

Telenor Cyberdefence

Telenor Cyberdefence is a newly established (2024) cloud-born Managed Security Service Provider focused on the Nordic markets.

aiComply

aiComply

aiComply's AI-driven platform offers automated intelligence for an efficient cybersecurity compliance workflow, eliminating onerous manual and time-consuming paperwork.