Not long ago, workers at an energy company identified a piece of malware on a memory stick that another staffer had mistakenly left in the USB port of a human-machine interface (HMI) computer.
In this case, the Hamweq virus could not perform its tasks because it depended on the operating system’s auto-run function, which the user had disabled on all devices, according to a report with ICS-CERT.
Had the auto-run feature been enabled, the threat could have injected malicious code and created a backdoor that attackers could use to steal sensitive information.
The industry hears all the time about huge state-sponsored attacks like Stuxnet, Duqu and Flame, among others, but other attacks occur quietly, and industry security practitioners do not necessarily hear about them. But rest assured, attacks happen.
They happen all the time, and users need to stay aware and prepare a solid defense-in-depth platform.
To avoid incidents like the one at the energy company, organizations should always properly mark removable media. They should also disable auto-run functions where possible, according to ICS-CERT.
Other recommendations include the use of dedicated media for the same types of systems, and the separation of malfunctioning or potentially infected drives from ones that are acceptable, according to ICS-CERT.
In addition, employees who operate industrial control systems should never connect removable media drives of unknown origin to a system without properly checking them first. They should also avoid using personally owned devices for work-related tasks.
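
One way to check a drive before it is connected to a control system, as an added example that is not from the original article or from ICS-CERT: the script reads the drive's `autorun.inf` on a separate inspection machine and lists the entries that would start a program if auto-run were enabled. The sample content and file names are constructed, and the set of keys flagged (`open`, `shellexecute`, `shell\<verb>\command`) is this example's assumption.

```python
import re
import sys
from pathlib import Path

# Assumption of this example: these [autorun] keys are the ones that start a program.
LAUNCH_KEY = re.compile(r"^(open|shellexecute|shell\\[^\\]+\\command)$", re.IGNORECASE)

# Constructed sample content, not taken from a real device.
SAMPLE = ("; constructed sample\n[AutoRun]\nicon=folder.ico\nOpen=hidden\\app.exe\n"
          "shell\\explore\\command=hidden\\app.exe\nlabel=Backup\n")

def launch_directives(inf_text):
    """Return (key, command) pairs in the [autorun] section that launch a program."""
    section, found = None, []
    for raw in inf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "autorun" or "=" not in line:
            continue  # junk lines and other sections are ignored
        key, _, value = line.partition("=")
        if LAUNCH_KEY.match(key.strip()):
            found.append((key.strip().lower(), value.strip()))
    return found

def scan_media(root):
    """Inspect the top level of a mounted drive; the file name match is case-insensitive."""
    hits = []
    for entry in Path(root).iterdir():
        if entry.is_file() and entry.name.lower() == "autorun.inf":
            data = entry.read_bytes()
            # Some files are UTF-16 with a byte-order mark; otherwise map bytes one-to-one.
            bom = data[:2] in (b"\xff\xfe", b"\xfe\xff")
            text = data.decode("utf-16") if bom else data.decode("latin-1")
            hits.extend(launch_directives(text))
    return hits

if __name__ == "__main__":
    # With a path argument, scan that drive; without one, run on the constructed sample.
    results = scan_media(sys.argv[1]) if len(sys.argv) > 1 else launch_directives(SAMPLE)
    for key, command in results:
        print(f"launch directive: {key} -> {command}")
    sys.exit(1 if results else 0)
```

A non-zero exit status means the drive carries at least one launch entry and should be set aside with the potentially infected media rather than used.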