Honeywell Cyber Security team analyzes flash drive threats

I generally try to keep the cybersecurity talk to Joe Weiss and his Unfettered blog, but a recent report from Honeywell titled “Honeywell Industrial USB Threat Report” caught my interest, and let’s be honest, cybersecurity is essential for everyone in every industry.

The report focuses on research by Honeywell’s Industrial Cyber Security team, which analyzed USB data from its globally deployed security platform, Secure Media Exchange (SMX). Overall, the team found that although the amount of malware detected was relatively small, the types of threats discovered on inbound USB devices were serious.

Among the team’s key findings was that USB devices remain a top threat, with 44% of SMX locations detecting and blocking at least one suspicious file, according to the report.

“This high-level finding confirms that USB remains a significant vector specifically for industrial threats,” the report states. “The data also indicates that risk of industrial facility exposure to threats via USB is consistent and statistically relevant.”

Additionally, it identified USB-borne malware as a high-potency threat. “While the volume of malware discovered in this research was small relative to the total sample size volume, the malware potency was significant,” the report states. “Of those threats blocked by SMX, one in four (26%) had the potential to cause a major disruption to an industrial control environment, including loss of view or loss of control, and 16% were targeted specifically against Industrial Control System (ICS) or Internet of Things (IoT) systems.”

The report adds that 15% of the threats detected and blocked were well-known: Stuxnet (2%), Mirai (6%), TRITON (2%) and WannaCry (1%).

“It’s not the presence of these threats that is concerning; on the contrary, these and other threats have been in the wild for some time,” the report explains. “Rather, it’s that these threats were attempting to enter industrial control facilities via removable storage devices in a relatively high density that is significant.”

Additionally, the team notes in the report that both old and new threats can be brought into a plant via USB devices. Among the attacks detected was the Conficker worm, which was first discovered more than 10 years ago and can cause serious network disruptions, the report explains. Yet TRITON, a relatively new threat, was also detected.

Taking it further, the report outlines the security implications for operators, offering some key takeaways:

  • USB security must include technical controls and enforcement.
  • Outbound network connectivity from process control networks should be tightly controlled, and such restrictions should be enforced by network switches, routers and firewalls.
  • Security upkeep is important: Anti-virus software deployed in process control facilities needs to be updated daily to be effective.
  • Patching and hardening of end nodes is necessary, despite the challenges of patching production systems.
  • Additional cybersecurity education is required for proper handling and use of removable storage.
  • Ransomware is a serious threat to industrial facilities.

You can get your copy of the report here to find out more.