By Gregory Hale
Memory sticks, thumb drives, flash drives, or just plain USB; whatever you call them, they all provide a valuable service, and like it or not, just about everyone in the manufacturing automation sector uses them.
The catch is, while they remain a valuable tool, manufacturers are in a constant battle to eliminate them from the plant floor – and with good reason.
“USB threats are shifting away from malware to how USB devices behave,” said Sam Wilson, global product marketing manager for Honeywell Cyber Security, during a talk at the ARC Industry Forum 2019 in Orlando, FL, earlier this month. “There are USBs when you plug it in acts like a keyboard. It is no longer safe to assume when something looks like a USB storage device, it is a USB. It may not be safe to use.”
That is one reason why Honeywell unveiled its latest version of Secure Media Exchange (SMX) during the industry forum. SMX is a device that can protect industrial operators against new and emerging USB threats. SMX includes capabilities to protect against a broad range of malicious USB device attacks, which disrupt operations through misuse of legitimate USB functions or unauthorized device actions.
In short, the user can plug their USB into the SMX device and it will be able to tell if there is any malicious software on the device. Once SMX clears the device, it is then OK to use out on the plant floor.
In the latest release there are advanced protections to complement additional SMX enhancements to malware detection, utilizing machine learning and artificial intelligence (AI) to improve detection by up to 40 percent above traditional anti-virus solutions, according to a Honeywell study. Together, these updates to the SMX platform deliver enterprise-wide USB protection, visibility and control.
USB devices include flash drives and charging cables, as well as many other USB-attached devices. They represent a primary attack vector into industrial control system (ICS) environments, and existing security controls typically focus on the detection of malware on these USBs.
New research by Ben-Gurion University shows there are new categories of USB threats that manipulate the capabilities of the device standard to circumvent traditional security controls and directly attack ICS.
Since manufacturing automation professionals use USB devices more often than not, these USB assaults represent 75 percent of today’s known USB attacks. These attacks can weaponize common USB peripherals like keyboards, speakers.
‘Dirty Little Secret’
“There is a dirty little secret out there, we need to start protecting against actual devices itself,” Wilson said. “The weak link sinks the ship. Three quarters of attacks can attack through the device itself and not through malware on the device.”
Wilson gave examples of named USB attacks like “USB Harpoon, which is storage device that ends up connected and attackers can gain information.” BashBunny which is a USB looking device that contains a mini computer. RubberDucky, which contains a keyboard.
Part of using the SMX, Wilson said, allows for good security basics:
1. Enforce technical controls
2. Monitor and manage network traffic
3. Regular, rapid AV updates
4. Patch and Harden end nodes
5. Consider restricting personal USB devices
6. Deploy (and test) back and recovery
The latest SMX technology release includes:
• Centralized Management which provides visibility of USB devices entering industrial control environments and centralized threat management across all SMX sites
• ICS Shield Integration which provides additional visibility into USB activity on protected end nodes, closing the loop between centralized management services and distributed protections inside the ICS
• Expanded SMX offering provides multiple form factors to meet specific industrial needs, including portable SMX ST models for busy operational staff, and fully ruggedized models that meet industrial use cases including hazardous environments
SMX has been out for a few years and last year Honeywell released a report about what ICS attacks they have found since manufacturers started using the device.
In the anonymized report, 16 percent of malware blocked by SMX was targeted specifically against ICS or Internet of Things (IoT) systems, according to the report.
On top of that, 1 in 4 (26 percent) had the potential to cause a major disruption to an industrial control environment, including loss of view or loss of control, the report found.
ICS Attack Malware
“It is not the fact there are threats on USB drives, everybody understands USB drives are the way for malware to move around,” Eric Knapp, chief engineer, cyber security solutions and technology at Honeywell Industrial Cyber Security said when the report released back in October. “I was surprised of the malware we did find, there was a lot of it that was potent. We have 16 percent specifically targeted for industrial control systems or IoT. Fifteen percent of the total malware found was big name stuff. We found Stuxnet, we found Triton, we found Mirai and a bunch of others. A surprising amount of it was capable of causing some sort of disruption.”
Even though manufacturers understand the inherent dangers of using USB drives, there is more pressure to limit network access to industrial control systems, so dependence upon removable media to transfer information, files, patches and updates has been greater than ever.
USB represents an even greater threat than spreading malware since a USB device can be used to attack systems directly, using the USB interface as a powerful attack vector. As mentioned earlier, the USB device does not need to have malware on it to attack. BadUSB, a technique that turns USB devices such as fans and charging cables into potential attack vectors, is starting to become weaponized, according to the report.
The report findings illustrate the importance of adopting and adhering to cyber security best practices, including:
• USB security must include technical controls and enforcement. Relying on policy updates or people training alone will not suffice for scalable threat prevention. Despite the widespread belief that USB drives are dangerous, and despite the prevalence of corporate USB usage policies, the data provides ample evidence USB security is poor.
• Outbound network connectivity from process control networks should be tightly controlled, and such restrictions should be enforced by network switches, routers and firewalls.
• Security upkeep is important: Antivirus software deployed in process control facilities needs to be updated daily to be at all effective.
• Patching and hardening of end nodes is necessary, despite the challenges of patching production systems.
• USB security is poor. Additional cyber security education is required for proper handling and use of removable storage. This is supported by the presence of video game cheat engines, password crackers, and known hack tools found among the samples analyzed. This can and should be addressed through employee and partner awareness programs.
• Ransomware is a serious threat to industrial facilities. The financial losses of ransomware is easily thwarted by maintaining regular backups and having a tested recovery process in place.