USB drives are primary vector for destructive threats to industrial facilities

USB removable storage devices are the main vector for malware attacks against industrial facilities, states Honeywell report.

According to a report published on by Honeywell, malware-based attacks against industrial facilities mostly leverage USB removable storage devices

Experts from Honeywell analyzed data collected with the Secure Media Exchange (SMX), a product it has launched in 2017 and that was designed to protect industrial facilities from USB-borne threats.

The experts analyzed attacks against energy, oil and gas, chemical manufacturing, pulp and paper, and other sectors, they collected data from 50 locations in four continents.

In 44% of the analyzed locations, the SMX product had blocked at least one suspicious file, experts pointed out that of the neutralized threats, 26% could have caused major disruptions to ICS systems.

“While the volume of malware discovered in this research was small relative to the total sample size volume, the malware potency was significant.” states the report.

“Of those threats blocked by SMX, 1 in 4 (26%) had the potential to cause a major disruption to an industrial control environment, including loss of view or loss of control, and 16% were targeted specifically against Industrial Control System (ICS) or Internet of Things (IoT) systems.”

16% of the malware detected by the product was specifically designed to target ICS or IoT systems, and 15% of the samples belonged to high profile families such as Mirai(6%), Stuxnet (2%), Triton (2%), and WannaCry (1%).

“These findings are worrisome for several reasons. That high-potency threats were at all prevalent on USB drives bound for industrial control facility use is the first concern. As ICS security experts are well aware, it only takes one instance of malware bypassing security defenses to rapidly execute a successful, widespread attack,” continuesthe report.

“Second, the findings also confirm that such threats do exist in the wild, as the high-potency malware was detected among day-to-day routine traffic, not pure research labs or test environments. Finally, as historical trends have shown, newly emerging threat techniques such as TRITON, which targetSafety Instrumented Systems, can provoke copycat attackers.”

The report shows that most of the attacks involved not targeted threats, most of the malware detected by the Honeywell product were Trojans (55%), followed by bots (11%), hacking tools (6%), and potentially unwanted applications (5%).

The analysis of malware functionalities revealed that 32% of malicious code implemented RAT features, 12% dropper capabilities and 10% DDoS abilities.

Of the malware discovered, 9% was designed to directly exploit flaws in the USB protocol or interface.

“Of the malware discovered, 9% was designed to directly exploit USB protocol or interface weaknesses, making USB delivery even more effective — especially on older or poorly configured computers that are more susceptible to USB exploits.” continues the report.

“Some went further, attacking the USB interface itself. 2% were associated with common Human Interface Device (HID) attacks, which trick the USB host controller into thinking there is a keyboard attached, allowing the malware to type commands and manipulate applications. This supports earlier Honeywell findings that confirmed HID attacks such as BadUSB as realisticthreats to industrial operators,” 

Pierluigi Paganini

FAIR USE NOTICE: Under the "fair use" act, another author may make limited use of the original author's work without asking permission. Pursuant to 17 U.S. Code § 107, certain uses of copyrighted material "for purposes such as criticism, comment, news reporting, teaching (including multiple copies for classroom use), scholarship, or research, is not an infringement of copyright." As a matter of policy, fair use is based on the belief that the public is entitled to freely use portions of copyrighted materials for purposes of commentary and criticism. The fair use privilege is perhaps the most significant limitation on a copyright owner's exclusive rights. Cyber Defense Media Group is a news reporting company, reporting cyber news, events, information and much more at no charge at our website Cyber Defense Magazine. All images and reporting are done exclusively under the Fair Use of the US copyright act.

Global InfoSec Awards 2022

We are in our 10th year, and these awards are incredibly well received – helping build buzz, customer awareness, sales and marketing growth opportunities, investment opportunities and so much more.


10th Anniversary Exclusive Top 100 CISO Conference & Innovators Showcase