With their ability to carry malware into sensitive environments, USB drives have long been a red flag for industrial facilities. A new study puts hard data behind those concerns and shows how the drives can propagate advanced threats like Stuxnet and Trisis.
Of the 50 industrial sites on four continents where Honeywell International analyzed USB usage, 44 percent of sites detected and blocked at least one malicious file. These weren’t just run-of-the-mill files: 15 percent of the threats detected and blocked were infamous malware packages like Stuxnet and Trisis (2 percent each), Mirai (6 percent) and WannaCry (1 percent). About a quarter of the threats blocked could cause “a major disruption to an industrial control environment,” according to Honeywell, an industrial automation giant.
The overall volume of USB-based malware found by Honeywell researchers was relatively small, but the types of threats detected were more serious than researchers had anticipated.
“It’s not the presence of these threats that is concerning; on the contrary, these and other threats have been in the wild for some time,” the research states. “Rather, it’s that these threats were attempting to enter industrial control facilities via removable storage devices, in a relatively high density, that is significant.”
The study also highlights how attackers have customized USB devices to suit their needs.
“Malicious USB devices crafted specifically to attack computers via the USB interface have become readily available for purchase online, while BadUSB – a technique that turns USB devices such as fans and charging cables into potential attack vectors – has increasingly been weaponized,” the authors concluded.
Stuxnet, a computer worm reportedly developed by the U.S. and Israel, hammered home the threat posed by such portable media to industrial control systems. The attackers used portable media to reach an “air-gapped” system at a uranium enrichment facility in Iran in 2009.
In the years since Stuxnet, regulators have looked to address the risk of using portable media. In April, for example, the Federal Energy Regulatory Commission ordered the revision of power reliability standards “to mitigate the risk of malicious code” stemming from such devices.
Meanwhile, there have been periodic reminders of the potentially insidious nature of USB drives. In August, energy-management software supplier Schneider Electric alerted customers that they may have received malware-laced USB drives in shipments of some of the company’s products. The drives contained documentation and “non-essential” software, the company said, but the incident still served as a cautionary tale.
Roughly 10 percent of the malware variants found by the Honeywell researchers were less than a week old when detected, underscoring the importance of using updated anti-virus signatures.
“For facilities relying on anti-virus solutions that are out of date, such newer malware variants are completely undetectable,” the report states.
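The signature-freshness point above, that a variant catalogued only days ago passes an out-of-date scanner, can be made concrete with a small removable-media scanner. What follows is an added example written for this article, not code from Honeywell or from the report: it hashes every file in a directory standing in for a mounted USB drive, blocks files whose SHA-256 matches a signature, and shows the same "new variant" file passing until the signature set is refreshed. The payloads, digests, detection names, file names and the seven-day staleness threshold are all constructed for the example.

```python
import hashlib
import os
import tempfile
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional

# Constructed sample payloads standing in for files found on a removable drive.
# They are plain text, not malware; their SHA-256 digests play the role of
# anti-virus signatures in this example.
KNOWN_BAD_PAYLOAD = b"CONSTRUCTED SAMPLE: file covered by an existing signature\n"
NEW_VARIANT_PAYLOAD = b"CONSTRUCTED SAMPLE: variant first seen this week\n"
BENIGN_PAYLOAD = b"CONSTRUCTED SAMPLE: product documentation\n"

# Threshold chosen for the example (assumption): a signature set not refreshed
# within this window is reported as stale.
MAX_SIGNATURE_AGE = timedelta(days=7)


def sha256_file(path: str) -> str:
    """Hash a file in chunks so large files on the drive are not read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def signatures_are_stale(last_update: datetime, now: Optional[datetime] = None) -> bool:
    """True when the signature set has not been refreshed within MAX_SIGNATURE_AGE."""
    now = now or datetime.now(timezone.utc)
    return now - last_update > MAX_SIGNATURE_AGE


def scan_removable_media(mount_point: str, signatures: Dict[str, str]) -> dict:
    """Walk a mounted drive, hash every file and split them into blocked/allowed.

    `signatures` maps a SHA-256 hex digest to a detection name. Anything not in
    the map is allowed: hash-based matching has no opinion on unknown files,
    which is why a signature set that lags new variants lets them through.
    """
    results = {"blocked": {}, "allowed": []}
    for root, _dirs, files in os.walk(mount_point):
        for name in files:
            path = os.path.join(root, name)
            rel = os.path.relpath(path, mount_point)
            digest = sha256_file(path)
            if digest in signatures:
                results["blocked"][rel] = signatures[digest]
            else:
                results["allowed"].append(rel)
    results["allowed"].sort()  # os.walk order is not guaranteed; make output deterministic
    return results


def build_sample_media() -> str:
    """Create a temporary directory standing in for a mounted USB drive (constructed sample)."""
    mount = tempfile.mkdtemp(prefix="usb_sample_")
    for name, payload in (
        ("setup.exe", KNOWN_BAD_PAYLOAD),
        ("firmware_update.bin", NEW_VARIANT_PAYLOAD),
        ("README.txt", BENIGN_PAYLOAD),
    ):
        with open(os.path.join(mount, name), "wb") as fh:
            fh.write(payload)
    return mount


def demo() -> dict:
    """Scan once with a ten-day-old signature set, then again after an update."""
    mount = build_sample_media()
    now = datetime.now(timezone.utc)

    # Signature set as it stood before the new variant was catalogued.
    old_sigs = {sha256_bytes(KNOWN_BAD_PAYLOAD): "Constructed.KnownBad.A"}
    old_sigs_updated = now - timedelta(days=10)
    before = scan_removable_media(mount, old_sigs)

    # Refreshed signature set that also covers the new variant.
    fresh_sigs = dict(old_sigs)
    fresh_sigs[sha256_bytes(NEW_VARIANT_PAYLOAD)] = "Constructed.NewVariant.B"
    fresh_sigs_updated = now - timedelta(days=2)
    after = scan_removable_media(mount, fresh_sigs)

    return {
        "old_set_stale": signatures_are_stale(old_sigs_updated, now),
        "fresh_set_stale": signatures_are_stale(fresh_sigs_updated, now),
        "before": before,
        "after": after,
    }


if __name__ == "__main__":
    out = demo()
    print("old signature set stale:", out["old_set_stale"])
    print("before update:", out["before"])
    print("after update:", out["after"])
```

The first scan blocks only `setup.exe` and waves `firmware_update.bin` through, and the staleness check is what flags that the verdict should not be trusted; after the refresh the same drive yields a second block. Whole-file hashing is the simplest possible matcher, chosen here to keep the freshness point visible; it also shows why a scan performed at a checkpoint before a drive reaches a control network should itself be fed signature updates on a short cadence.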