USB Attacks: The Threat Putting Critical Infrastructure At Risk

Uploaded on 2024-11-15 in TECHNOLOGY--Resilience, FREE TO VIEW, BUSINESS-Services-IT & Telecoms

The use of removable media remains crucial across many sectors, including critical national infrastructure (CNI) operators, for vital tasks such as software updates. 

However, as removable media plays such an important role in organisational operations, it naturally becomes a target for cybercriminals. 

Which Sectors Rely On Removable Media?

Removable media, such as USB drives, are essential in key sectors that handle sensitive information and rely heavily on physical data transfer, particularly in manufacturing, transportation, healthcare, and finance.

Operational technology (OT) environments rely on removable media for managing data transfer within air-gapped critical assets. USB drives play a crucial role in updating isolated systems, performing regular maintenance, and applying firmware patches.

For instance, in the energy sector, many industrial control systems (ICS), Supervisory Control and Data Acquisition (SCADA) systems, and programmable logic controllers (PLCs) are deployed on air-gapped networks or segmented into demilitarised zones (DMZ). The only way to update security agents, apply patches, and export logged system events is through USB drives and other types of removable media, such as external hard drives.

Some of the world’s largest companies continue to rely on USB drives, making them a prime target for threat actors. For example, in 2023, the Sogu malware attack—a cyber campaign that used infected USB drives to distribute malware—targeted the USB drives of multinational companies in the US and EU.

Why Is Removable Media A Primary Vector For Attackers?

Malware hosted on USB drives can bypass traditional network-based security measures and move laterally between IT and OT systems, leading to potential financial losses, operational downtime, and public safety risks.

Many air-gapped environments were not designed to detect IT malware, leaving them highly vulnerable when compromised via removable media. Once inside these environments, attackers often employ “living-off-the-land” tactics - using legitimate tools and services within the target's infrastructure to collect and exfiltrate data, evade detection, and escalate privileges.

Attacks on isolated networks in critical infrastructure have grown increasingly sophisticated. A notable trend in removable media attacks involves keystroke injection methods, such as the “Rubber Ducky” technique, where a malicious USB device emulates a keyboard to execute covert commands on the host system.

A recent ESET report indicated a significant rise in USB-based malware capable of infiltrating secure environments. The compromise of air-gapped European government systems and subsequent data theft highlight the urgent need for stronger security measures.

What Are The Challenges In securing Rremovable Media?

Securing removable media is challenging, as it includes any portable storage device that can be easily removed from a computer system - ranging from USB drives to CDs, DVDs, and memory cards.

Many organisations lack a unified security policy for removable media and do not account for the unique security requirements of different environments. For instance, suitable media types and architectures may vary between facilities due to their specific needs and expectations.

Consequently, security teams often have limited visibility into the devices connecting to their organisation's systems and the flow of data transfers. This opens a pathway for malware-infected USB drives, leading to data exfiltration and the encryption of critical systems.

Despite this risk, many organisations still overlook removable media security as an essential part of their overall cybersecurity strategy. Implementing the right technologies is crucial for securing these devices to safeguard data and critical systems.

How Can Organisations Ssecure Removable Media?

To secure removable media, organisations need a multi-layered strategy to mitigate risks.

  • First, organisations should implement a scanning policy that monitors all incoming traffic from removable devices before it reaches critical network assets.

Scanning policies must be enforced at every entry point and combined with other defences, such as firewalls, endpoint protection, and managed file transfers.

  • All files should be cleaned of malicious content using Content Disarm and Reconstruction (CDR) techniques and stored in secure, isolated data vaults. Only data from these vaults that has been sanitised and validated is allowed into OT networks.
  • In addition to scanning policies, teams should perform regular audits of removable media to detect suspicious activities or policy violations. Implementing strict access controls limits the use of external devices to authorised personnel, with authentication and authorisation required before accessing or transferring data.
  • Access policies should ensure that all USB drives are thoroughly scanned and sanitised before data is permitted within the organisation. This process can be efficiently managed at scale using dedicated scanning kiosks integrated with secure file storage and managed file transfer capabilities.

These steps dramatically reduce the risk of introducing malicious code into secure network environments.

Beyond preventive technologies, an effective security strategy should include measures to minimise the impact of a potential breach. All sensitive data transferred to removable media should be encrypted to remain protected even if the device is compromised.

Employees also play a critical role in securing removable media. Organisations must invest in comprehensive training and awareness programmes to educate employees and third-party providers about the risks associated with removable media.

James Neilson is SVP International at OPSWAT

Image: Bru-nO

You Might Also Read: 

Is The British Government Doing Enough To Combat Cyberattacks Against Critical Infrastructure?:

If you like this website and use the comprehensive 7,000-plus service supplier Directory, you can get unrestricted access, including the exclusive in-depth Directors Report series, by signing up for a Premium Subscription.

  • Individual £5 per month or £50 per year. Sign Up
  • Multi-User, Corporate & Library Accounts Available on Request

Cyber Security Intelligence: Captured Organised & Accessible

 

« Hacker Sentenced For Bitcoin Theft
Virtual iPhones: A Game Changer For Mobile App Development Security »

Infosecurity Europe
CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

Syxsense

Syxsense

Syxsense brings together endpoint management and security for greater efficiency and collaboration between IT management and security teams.

XYPRO Technology

XYPRO Technology

XYPRO is the market leader in HPE Non-Stop Security, Risk Management and Compliance.

DigitalStakeout

DigitalStakeout

DigitalStakeout enables cyber security professionals to reduce cyber risk to their organization with proactive security solutions, providing immediate improvement in security posture and ROI.

ZenGRC

ZenGRC

ZenGRC (formerly Reciprocity) is a leader in the GRC SaaS landscape, offering robust and intuitive products designed to make compliance straightforward and efficient.

Clayden Law

Clayden Law

Clayden Law advise global businesses that buy and sell technology products and services. We are experts in information technology, data privacy and cybersecurity law.

Acunetix

Acunetix

Acunetix is a leading web vulnerability scanner, widely acclaimed to include the most advanced SQL injection and XSS black box scanning technology.

AA Certification (AAC)

AA Certification (AAC)

AAC provide ISO Quality Management System certification services including ISO 27001.

mnemonic

mnemonic

mnemonic helps businesses manage their security risks, protect their data and defend against cyber threats.

EverC

EverC

EverC (formerly EverCompliant) is a leading provider of cyber intelligence that allows acquiring banks and payment service providers (PSP) to manage cyber risk.

Awake Security

Awake Security

Awake Security offer a security solution built on an AI platform that acts like the human brain to sense, detect, and respond to threats you may not even know exist.

Shieldfy

Shieldfy

Shieldfy is a cloud-based security shield for your website to protect it from cyber attacks and malwares.

ISMS Accreditation Center (ISMS-AC)

ISMS Accreditation Center (ISMS-AC)

ISMS-AC is the national accreditation body for Japan. The directory of members provides details of organisations offering certification services for ISO 27001.

Innova

Innova

Innova is Turkey's leading IT solutions company, providing platform independent solutions to organizations in telecommunication, finance, production, public and service sectors.

ArmorText

ArmorText

ArmorText offers a seamless channel for communication and collaboration for organizations concerned with keeping communication data private and secure.

WidePoint

WidePoint

WidePoint Corporation is an innovative provider of Trusted Mobility Management (TM2) solutions.

Hadrian

Hadrian

Hadrian is modernizing offensive security practices with automation, making them faster and more scalable. Equipped with the hacker’s perspective, companies can now know what their critical risks are.

Paubox

Paubox

Paubox offers secure, HIPAA compliant email and marketing solutions to fit the needs of modern healthcare organizations of every size.

JanBask Training

JanBask Training

JanBask Training is a dynamic, highly professional, global online training provider committed to propelling the next generation of technology learners with a whole new way of training experience.

GovSky

GovSky

GovSky streamlines CMMC compliance, saving time and significantly reducing cost.

Orca Fraud

Orca Fraud

Orca is an AI-driven fraud orchestration platform. We empower fraud fighters to outpace fraud using our custom ML models.

Black Cipher Security

Black Cipher Security

Black Cipher is a New Jersey-based cybersecurity and incident response consulting firm.