Though we’ve been hearing plenty about digital twins in manufacturing these days, we’ve heard a little less about evil twins. With the latest release of its Secure Media Exchange (SMX), a system developed to protect industrial operations against USB-based cyber threats, Honeywell’s focus is on doppelganger USB devices—those malicious USBs that might look like storage devices but act like something else entirely.
With its SMX technology out in the field for close to two years, Honeywell has been able to gather significant evidence about the types of attacks on industrial facilities through USB devices. Releasing an Industrial USB Threat Report late last year, Honeywell reported that almost half of its customers (44 percent) faced threats from USB devices, more than a quarter of which had the potential to cause major plant disruptions.
With the latest SMX release, not only has Honeywell enhanced the malware detection, but it is also reacting to trends it’s seeing in the threat landscape—in which attacks are shifting away from malware to how the USB devices themselves behave. SMX can now protect against a broad range of malicious USB device attacks that disrupt operations through misuse of legitimate USB functions or unauthorized device actions.
“Just because something looks like a USB device doesn’t mean it can be trusted as such,” said Sam Wilson, global product marketing manager for Honeywell Industrial Cybersecurity, at a press briefing during the ARC Industry Forum earlier this month in Orlando, Florida. “The attacks we’re seeing go beyond malware. You need to protect against the devices themselves that can behave in ways not expected.”
Such malicious devices—a sampling of which is shown above—look just like any other USB device, but don’t act like them. A USB device known as a Rubber Ducky, for example, acts like a keyboard. “They don’t take very sophisticated programming to turn them into something that can cause very sophisticated damage,” Wilson said.
A Bash Bunny has an embedded microcomputer that can emulate a variety of USB types in order to inject payloads onto a target computer. A USBHarpoon looks like a standard USB charging cable but has a custom firmware chip on the end that can launch attacks.
Categorically, these malicious USB device attacks represent 75 percent of today’s known USB attack types, a clear indication of the shift toward new attack methodologies. To fight against this trend, new SMX protection includes Trusted Response User Substantiation Technology (TRUST), which introduces a human validation and authentication step to ensure that USB devices are what they claim to be.
“It prompts the user and says, ‘This device says it’s a keyboard. Is that what you expected?’” Wilson explained. “It’s intercepting an automated process that we all take for granted and makes sure a human qualifies it.”
Additional layers of advanced malware detection technology are also used to further protect against malware, including artificial intelligence (AI) and machine learning to improve detection of increasingly complex malware, including zero days and evasive malware.
Other new features of the latest SMX release include centralized management, which provides increased visibility of USB devices entering industrial control environments and centralized threat management across all SMX sites; and ICS Shield integration, which closes the loop between centralized management services and distributed protections inside the industrial control system (ICS). Honeywell obtained the ICS Shield technology a couple years ago with its acquisition of Nextnine.
A new model, the SMX ST, is a more portable version of the original SMX apparatus. Some customers did not need the fully ruggedized SMX, Wilson noted, and were looking for a version that could be carried from one location to another. It also comes in at a lower price point, he added.
Honeywell will demonstrate malicious USB device attacks at the RSA Conference next month in San Francisco. Eric Knapp, chief engineer of cybersecurity solutions and technology for Honeywell, will present a talk on Thursday morning at the conference, March 7, called “Malicious, Misbehaving or Misunderstood? Making Bad USBs Good Again.”
