Ever since the 2010 Stuxnet attack used a USB flash drive to obliterate any semblance of an air gap in an Iranian nuclear facility, industry has been well aware of the vulnerability that USB devices can introduce to their operations. A question remains, though, as to how much any given industrial company thinks it might be at risk, and how much it’s willing to forego the conveniences of highly portable memory to protect their operations.
But now Honeywell has direct information in hand that shows just how significant of a threat those handy flash drives present. Since the automation supplier introduced its Secure Media Exchange (SMX) technology more than a year ago, it’s been able to gather the data derived from scanning and controlling USB devices at 50 customer locations. And what the research shows is that almost half of those customers (44 percent) have detected and blocked at least one file with a security issue. Further, 26 percent of the detected threats were capable of significant disruption to the operations, including loss of view or loss of control.
Honeywell began talking up its SMX technology at its North American user group meeting in 2016, when removable media like flash drives were already a top pathway for attackers to gain access to a network. SMX, launched officially last year, is designed to manage USB security by giving users a place to plug in and check devices for approved use. The SMX Intelligence Gateway is used to analyze files in conjunction with the Advanced Threat Intelligence Exchange (ATIX), Honeywell’s threat intelligence cloud.
This is a more effective approach to USB management than, say, stopping up ports with epoxy and disabling any kind of USB use. A once easy way to exchange information with contractors or download patches not only becomes completely unusable, but also becomes a productivity stopper—a dangerous proposition. “When you make things painful, people are going to find a way around it,” commented Seth Carpenter, cybersecurity technologist for Honeywell, during an interview at the most recent Honeywell Users Group (HUG) meeting in San Antonio.
Not only has SMX made USB use safer, but Honeywell has gained access to a treasure trove of information about the kinds of attacks being attempted through these devices.
“The data showed much more serious threats than we expected,” said Eric Knapp, director of strategic innovation for Honeywell Industrial Cyber Security. “And taken together, the results indicate that a number of these threats were targeted and intentional.”
Though Honeywell has long suspected the very real USB threats for industrial operators, the data confirmed a surprising scope and severity of threats, Knapp said, adding. “Many of which can lead to serious and dangerous situations at sites that handle industrial processes.”
The threats targeted a range of industrial sites, including refineries, chemical plants and pulp and paper facilities around the world. About one in six of the threats specifically targeted industrial control systems (ICSs) or Internet of Things (IoT) devices.
Among the threats detected, 15 percent were high-profile, well-known issues such as Triton, Mirai and WannaCry, as well as variants of Stuxnet. Though these threats have been known to be in the wild, what the Honeywell Industry Cyber Security team considered worrisome was the fact that these threats were trying to get into industrial control facilities through removable storage devices in a relatively high density.
“That high-potency threats were at all prevalent on USB drives bound for industrial control facility use is the first concern. As ICS security experts are well aware, it only takes one instance of malware bypassing security defenses to rapidly execute a successful, widespread attack,” Honeywell’s report noted. “Second, the findings also confirm that such threats do exist in the wild, as the high-potency malware was detected among day-to-day routine traffic, not pure research labs or test environments. Finally, as historical trends have shown, newly emerging threat techniques such as Triton, which target safety instrumented systems, can provoke copycat attackers. Although more difficult and sophisticated to accomplish, such newer threat approaches can indicate the beginnings of a new wave of derivative or copycat attacks.”
In comparative tests, up to 11 percent of the threats discovered were not reliably detected by more traditional anti-malware technology. Although the type and behavior of the malware detected varied considerably, trojans—which can be spread very effectively through USB devices—accounted for 55 percent of the malicious files. Other malware types discovered included bots (11 percent), hacktools (6 percent) and potentially unwanted applications (5 percent).
“Customers already know these threats exist, but many believe they aren’t the targets of these high-profile attacks,” Knapp said. “This data shows otherwise and underscores the need for advanced systems to detect these threats.”
Through its Industrial USB Threat Report, Honeywell recommends that operators combine people training, process changes and technical controls to reduce the risk of USB threats across industrial facilities. Read the full report and recommendations here.
