By Gregory Hale
There was a drive against using Universal Serial Bus (USB) drives in systems across the manufacturing automation industry, but they still pose a big threat against industrial control systems (ICS).
In fact, 16 percent of malware blocked by Honeywell’s USB security platform, Secure Media Exchange (SMX), was targeted specifically against ICS or Internet of Things (IoT) systems, according to a report released by Honeywell.
On top of that, 1 in 4 (26 percent) had the potential to cause a major disruption to an industrial control environment, including loss of view or loss of control, the report found.
“It is not the fact there are threats on USB drives, everybody understands USB drives are the way for malware to move around,” said Eric Knapp, chief engineer, cyber security solutions and technology at Honeywell Industrial Cyber Security. “I was surprised of the malware we did find, there was a lot of it that was potent. We have 16 percent specifically targeted for industrial control systems or IoT. Fifteen percent of the total malware found was big name stuff. We found Stuxnet, we found Triton, we found Mirai and a bunch of others. A surprising amount of it was capable of causing some sort of disruption.”
Even though manufacturers understand the inherent dangers of using USB drives, there is more pressure these days to limit network access to industrial control systems, so dependence upon removable media to transfer information, files, patches and updates has been greater than ever.
USB represents an even greater threat than spreading malware since a USB device can be used to attack systems directly, using the USB interface as a powerful attack vector. BadUSB, a technique that turns USB devices such as fans and charging cables into potential attack vectors, is starting to become weaponized, according to the report.
In context of these USB security concerns and ongoing threat vector changes, researchers from Honeywell’s Industrial Cyber Security team analyzed USB usage and behavioral data from live production sites globally. This report shares findings from these research activities and presents USB threat trends.
USB usage and behavioral data was extracted from the SMX platform. SMX can track, control, log, and secure USB device usage, and since it analyzes USB device data, it can offer a snapshot into industrial USB activity.
Only a sample set of all SMX data was analyzed. As such, findings represent consolidated views into the collective data set, and sample set findings are interpreted in light of impact upon the larger sample set. Industries represented include oil and gas, energy, chemical manufacturing, pulp and paper, and other industrial manufacturing facilities.
The sample set consisted of 50 locations where SMX is deployed in live production environments.
Of the locations studied, nearly half (44 percent) detected and blocked at least one file that represented a security issue. This high-level finding confirms USB remains a significant vector specifically for industrial threats.
Of the 26 percent that had the potential to cause a major disruption, 15 percent of the total threats detected and blocked were high-profile, well-known threats, including Stuxnet (2 percent), Mirai (6 percent), Triton (2 percent), and WannaCry (1 percent), according to the report.
“I think there is a predisposition to assume USB drives can get malware on them, but it is just going to be adware or spyware and accidental infections of more typical viruses, and there was certainly a share of that, but there are some targeting industrials, ones capable of causing damage, ones that were specifically leveraging USB weaknesses to move and link vulnerabilities,” Knapp said. “When you look at them all together, it really does point to the fact there are targeted attacks aimed at industrials coming in on USBs.”
Of the total files known to be malicious, the type and behavior of the malware varied considerably. The most pervasive malware category was Trojans, representing 55 percent of all malware detected, the report said. Other malware types discovered through this research included bots (11 percent), hacktools (6 percent) and potentially unwanted applications (5 percent).
Of the malware discovered, 9 percent was designed to directly exploit USB protocol or interface weaknesses, making USB delivery even more effective, especially on older or poorly configured computers that are more susceptible to USB exploits, according to the report. Some went further, attacking the USB interface itself. Two percent were associated with common human interface device (HID) attacks, which trick the USB host controller into thinking there is a keyboard attached, allowing the malware to type commands and manipulate applications. This supports earlier Honeywell findings that confirmed HID attacks such as BadUSB as realistic threats to industrial operators.
“If you look at the fact 16 percent of the malware we did find was malware specifically designed to hit industrial or IoT and all of the USB drives were USB drives entering industrial facilities. This isn’t an academic exercise, this is taking data from USB drives actually in use going into industrial control facilities. Sixteen percent is a pretty high number. We don’t know for sure, but it seems too high to be accidental. Either way, it is still concerning. If it is not targeted, these frameworks are so prevalent out there they are just accidently entering industrial control facilities and that is almost worse.”
The malware discovered was analyzed to reveal over a dozen functionality types, from adware to ransomware. Remote access toolkits (RATs) were the most notable functionality used (32 percent), as well as droppers (12 percent) designed to download and install additional malware, according to the report.
With RATs being the top type of malware found, it is interesting because industrial control environments should tightly control outbound connectivity.
“Whether the malware gets in a facility or not, it depends on its ability to connect back to the outside networks,” Knapp said. “Everybody focuses on protecting the networks against the outside world, they don’t think to protect the outside world from the control system. If there is a firewall in place it is important to say you are controlling what is going out as well as what is going in.
The report findings illustrate the importance of adopting and adhering to cyber security best practices, including:
• USB security must include technical controls and enforcement. Relying on policy updates or people training alone will not suffice for scalable threat prevention. Despite the widespread belief that USB drives are dangerous, and despite the prevalence of corporate USB usage policies, the data provides ample evidence USB security is poor.
• Outbound network connectivity from process control networks should be tightly controlled, and such restrictions should be enforced by network switches, routers and firewalls.
• Security upkeep is important: Antivirus software deployed in process control facilities needs to be updated daily to be at all effective.
• Patching and hardening of end nodes is necessary, despite the challenges of patching production systems.
• USB security is poor. Additional cyber security education is required for proper handling and use of removable storage. This is supported by the presence of video game cheat engines, password crackers, and known hack tools found among the samples analyzed. This can and should be addressed through employee and partner awareness programs.
• Ransomware is a serious threat to industrial facilities. The financial losses of ransomware is easily thwarted by maintaining regular backups and having a tested recovery process in place.
“It goes to show that while we are aware of the fact USBs can be dangerous, and most companies realize that, the primary way people are addressing it is through policy,” Knapp said. “And there haven’t been any really good technical controls to enforce it. No one has really known how bad the threat really is and there has been no way to quantifying or protecting against it. There is a lack of education among everyday users the fact that they are carrying around drives that have infections in them and they don’t know it.”