USB-based malware is a growing concern for industrial firms, new Honeywell findings show

The hacking tools could be bad news for industrial systems.
Honeywell products control systems similar to this wastewater treatment apparatus. (Wikimedia)

The number of cyber threats designed to use USB sticks and other external media devices as launching pads doubled in 2021, according to new research from Honeywell, the industrial automation giant. 

Of those threats, 79% could be used to disrupt operational technology systems, researchers found. The report was based on cybersecurity threat data collected from hundreds of industrial facilities over a 12-month period. 

“USB-borne malware was a serious and expanding business risk in 2020, with clear indications that removable media has become part of the playbook used by organized and targeted attacks, including ransomware,” Eric Knapp, director of cybersecurity research at Honeywell Connected Enterprise, said in a statement.

Since many industrial systems are cut off from the internet, external devices like USB drives can provide hackers with a foothold into sensitive networks. USB drives have been known to carry infamous malware strains including Stuxnet and WannaCry. 


The new report noted similar trends. Strains observed by Honeywell included “industrial malware classics” such as Stuxnet, Triton and Industroyer. Researchers also spotted Agent Tesla and some early Dridex variants.

“Because there are so many strains, individually they look small,” Knapp said. “However, when we looked at malware capabilities a clear trend emerged: significant numbers of the threats were capable of crossing an air gap, establishing remote access, and disrupting operations.”

More than 20 industrial sites located around the world detected malicious files from USB storage devices, according to 2018 findings from Honeywell. A financially motivated hacking group also aimed to infect targets by sending them USB devices in the mail, researchers learned in 2020.

Dragos, a firm specializing in industrial cybersecurity, hasn’t noticed any uptick in attacks using USB devices, according to senior intelligence analyst Anna Skelton.

Such attacks are often driven by opportunity and may not indicate that a system was intentionally targeted, she noted. Recent industrial attacks, such as those on water suppliers in San Francisco and Florida, exploited remote management software using employee credentials.


Researchers have also noted a rise in ransomware attacks against industrial targets such as manufacturing and energy providers during the coronavirus pandemic. Honeywell was the victim of such an attack earlier this year.

The Honeywell report advises companies to adopt security policies for removable media.

The problem of poor security practices when it comes to external devices extends beyond industry. Last year a Department of Energy watchdog called out multiple government research labs for failing to instill safeguards around USB sticks and other removable media.

Written by Tonya Riley

Tonya Riley covers privacy, surveillance and cryptocurrency for CyberScoop News. She previously wrote the Cybersecurity 202 newsletter for The Washington Post and before that worked as a fellow at Mother Jones magazine. Her work has appeared in Wired, CNBC, Esquire and other outlets. She received a BA in history from Brown University. You can reach Tonya with sensitive tips on Signal at 202-643-0931. PR pitches to Signal will be ignored and should be sent via email.
