New Research Details the Serious Cybersecurity Threat From USB Devices

Nov. 9, 2018
Studying 50 industrial locations using its Secure Media Exchange technology, Honeywell found that nearly half of its customers faced threats from USB devices, more than a quarter of which had the potential to cause major plant disruptions.

Ever since the 2010 Stuxnet attack used a USB flash drive to obliterate any semblance of an air gap in an Iranian nuclear facility, industry has been well aware of the vulnerability that USB devices can introduce to its operations. A question remains, though, as to how much any given industrial company thinks it might be at risk, and how much it’s willing to forgo the conveniences of highly portable memory to protect its operations.

But now Honeywell has direct information in hand that shows just how significant a threat those handy flash drives present. Since the automation supplier introduced its Secure Media Exchange (SMX) technology more than a year ago, it’s been able to gather the data derived from scanning and controlling USB devices at 50 customer locations. And what the research shows is that almost half of those customers (44 percent) have detected and blocked at least one file with a security issue. Further, 26 percent of the detected threats were capable of significant disruption to the operations, including loss of view or loss of control.

Honeywell began talking up its SMX technology at its North American user group meeting in 2016, when removable media like flash drives were already a top pathway for attackers to gain access to a network. SMX, launched officially last year, is designed to manage USB security by giving users a place to plug in and check devices for approved use. The SMX Intelligence Gateway is used to analyze files in conjunction with the Advanced Threat Intelligence Exchange (ATIX), Honeywell’s threat intelligence cloud.

This is a more effective approach to USB management than, say, stopping up ports with epoxy and disabling any kind of USB use. With that approach, a once-easy way to exchange information with contractors or download patches not only becomes completely unusable, but also becomes a productivity stopper, which is a dangerous proposition. “When you make things painful, people are going to find a way around it,” commented Seth Carpenter, cybersecurity technologist for Honeywell, during an interview at the most recent Honeywell Users Group (HUG) meeting in San Antonio.

Not only has SMX made USB use safer, but Honeywell has gained access to a treasure trove of information about the kinds of attacks being attempted through these devices.

“The data showed much more serious threats than we expected,” said Eric Knapp, director of strategic innovation for Honeywell Industrial Cyber Security. “And taken together, the results indicate that a number of these threats were targeted and intentional.”

Though Honeywell has long suspected the very real USB threats for industrial operators, the data confirmed a surprising scope and severity of threats, Knapp said, adding, “many of which can lead to serious and dangerous situations at sites that handle industrial processes.”

The threats targeted a range of industrial sites, including refineries, chemical plants and pulp and paper facilities around the world. About one in six of the threats specifically targeted industrial control systems (ICSs) or Internet of Things (IoT) devices.

Among the threats detected, 15 percent were high-profile, well-known issues such as Triton, Mirai and WannaCry, as well as variants of Stuxnet. Though these threats have been known to be in the wild, what the Honeywell Industrial Cyber Security team considered worrisome was the fact that these threats were trying to get into industrial control facilities through removable storage devices in a relatively high density.

“That high-potency threats were at all prevalent on USB drives bound for industrial control facility use is the first concern. As ICS security experts are well aware, it only takes one instance of malware bypassing security defenses to rapidly execute a successful, widespread attack,” Honeywell’s report noted. “Second, the findings also confirm that such threats do exist in the wild, as the high-potency malware was detected among day-to-day routine traffic, not pure research labs or test environments. Finally, as historical trends have shown, newly emerging threat techniques such as Triton, which target safety instrumented systems, can provoke copycat attackers. Although more difficult and sophisticated to accomplish, such newer threat approaches can indicate the beginnings of a new wave of derivative or copycat attacks.”

In comparative tests, up to 11 percent of the threats discovered were not reliably detected by more traditional anti-malware technology. Although the type and behavior of the malware detected varied considerably, trojans—which can be spread very effectively through USB devices—accounted for 55 percent of the malicious files. Other malware types discovered included bots (11 percent), hacktools (6 percent) and potentially unwanted applications (5 percent).

“Customers already know these threats exist, but many believe they aren’t the targets of these high-profile attacks,” Knapp said. “This data shows otherwise and underscores the need for advanced systems to detect these threats.”

Through its Industrial USB Threat Report, Honeywell recommends that operators combine people training, process changes and technical controls to reduce the risk of USB threats across industrial facilities. Read the full report and recommendations here.

About the Author

Aaron Hand | Editor-in-Chief, ProFood World

Aaron Hand has three decades of experience in B-to-B publishing with a particular focus on technology. He has been with PMMI Media Group since 2013, much of that time as Executive Editor for Automation World, where he focused on continuous process industries. Prior to joining ProFood World full time in late 2020, Aaron worked as Editor at Large for PMMI Media Group, reporting for all publications on a wide variety of industry developments, including advancements in packaging for consumer products and pharmaceuticals, food and beverage processing, and industrial automation. He took over as Editor-in-Chief of ProFood World in 2021. Aaron holds a B.A. in Journalism from Indiana University and an M.S. in Journalism from the University of Illinois.
