To Damage OT Systems, Hackers Tap USBs, Old Bugs & Malware

USBs have something the newest, hottest attack techniques lack: the ability to bridge air gaps.

DARKReading


Industrial cyberattackers are increasingly using removable media to penetrate operational technology (OT) networks, then leveraging the same old malware and vulnerabilities to make their mark.

For whatever reason, USB devices are a la mode again with some of the world’s premier threat actors. Nowhere is this more evident than in the OT space where, according to Honeywell’s “2024 USB Threat Report,” attackers are “clearly” turning to USBs to get a foothold in industrial networks.

With that foothold, Honeywell reports, attackers are forgoing sophisticated exploitation techniques, zero-day vulnerabilities, or novel malware. Instead, they’re leveraging old tools and bugs, plus the built-in capabilities of OT control systems to achieve their end goals.

Why USBs?

USBs have something that none of the newest, hottest attack techniques do: the ability to bridge air gaps.

True air gaps are physical separations between OT and IT networks designed to let no malicious attacks pass through. Some also use the term to describe other kinds of setups that distinguish IT and OT systems using access controls, segmentation, and the like. Air gaps are most often used in high-risk industries — think nuclear, military, financial services, etc. — where other means of demarcating IT and OT networks won’t cut it.

“A lot of operational facilities are entirely air gapped,” explains Matt Wiseman, director of OT product marketing at OPSWAT. “Those more modern approaches like email-based attack — something over the network — aren’t really as effective when [the OT systems] are disconnected from the broader Internet. You need to be more creative, think outside the box. USBs and removable media are very interesting because they’re the only threat you can pick up in your pocket and carry beyond that air gap.”

Interestingly, the trend seems to have been born during COVID. In 2019, only 9% of USB-carried cyber threats to industry were actually designed for USBs. By 2022 — and consistently ever since — that number exceeded 50%.

Having crossed that air gap with a USB, attackers are opting for living-off-the-land tactics to perform data collection and exfiltration (observed in 36% of Honeywell’s detected USB attacks), defense evasion (29%), and privilege escalation (18%), ultimately achieving persistence in the operational network.

Clearly, novel and powerful malware and vulnerabilities are not the focus: brand-name tools of yesteryear such as BlackEnergy and Industroyer (aka CrashOverride) are still making the rounds. The most commonly exploited vulnerabilities in such attacks — such as CVE-2010-2883 and CVE-2017-11882 — are equally dated. All of the most common CVEs listed in Honeywell’s report have been known since at least 2018.

In most cases, the goal of these attacks is disruption or destruction. Around 80% of USB-based threats every year now are capable of causing disruptions to OT systems, including loss of visibility or control, or worse (ransomware, wipers, etc.).

Defending Against USB Threats

The good news for defenders is that, against such antiquated threat vectors, fancy and expensive products aren’t necessarily the answer. “You can always go with the fundamentals,” Wiseman says, meaning strict USB policies and procedures.

At many organizations, he says, “You go back a number of years, there was an honor system. ‘Hey, did you scan that?’ Now you have technology that can check to make sure. If you plug something in, it’s not going to work unless it has been scanned and checked by some type of formal security solution.”

This technology often takes the form of a kiosk or “sanitation station” for scanning removable media, placed strategically at the perimeter of a sensitive site to make sure no malicious files make their way through. Sometimes those stations are paired with file transfer systems so that no outside device ever actually has to cross the threshold of an industrial control floor.

“We’re seeing more mature conversations now. What’s our mobile program? What’s the process for employees? What’s the process for guests? How do we manage these devices? How do we view the activity that’s occurring? And how do we ensure that we’re ahead of it going forward?” he says. “There’s definitely a massive realization of the threat that these devices can pose.”

About the Author(s)

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes “Malicious Life” – an award-winning Top 20 tech podcast on Apple and Spotify – and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts “The Industrial Security Podcast,” the most popular show in its field.
