The latest Honeywell USB Threat Report 2020 indicates that the share of threats explicitly targeting operational technology (OT) systems has almost doubled, from 16% to 28%. The share of threats capable of disrupting those systems rose from 26% to 59% over the same period.
Let’s face it: critical infrastructure operators in manufacturing, energy, chemical, pulp and paper, aerospace, shipping, oil and gas, building automation, and water and wastewater rely heavily on USB devices. The reason is simple. Control and process networks are typically well isolated, with strict logical and physical access controls in place, so removable media is often the only practical way to move files in and out of them.
It is therefore no surprise that removable media is considered one of the top vectors for cybersecurity threats. As network penetration and intrusion have become harder, adversaries target the low-hanging fruit: file transfers into and out of control and industrial automation systems.
Overall, attacks targeting Operational Technology (OT) are increasing. At the same time, awareness of their consequences has grown thanks to broad news coverage of Industroyer, TRITON, Ekans, Havex, USBCulprit, and others. USB devices continue to play an essential role in these targeted attacks: they are the second most common attack vector into industrial control and automation systems, behind only network-based threats.
Researchers from Honeywell’s Industrial Cybersecurity GARD (Global Analysis, Research, and Defense) team compiled the report from USB usage and behavioral data collected at production sites.
According to the report, 45% of production sites blocked at least one threat, reaffirming that USB remains a significant vector for OT threats. Given enough time, it is almost certain that some threat will find its way onto USB removable media at any given site.
Even though malware detected on USB removable media was a small fraction of the total files examined, its potential impact has increased significantly since the first report in 2018, even as the overall volume of malware remained steady. A staggering 59% of discovered threats could impact industrial control and process automation systems, up from just 26% in 2018. This includes malware capable of causing denial-of-service conditions on devices connected within automation networks, loss of view in operations management networks, or the disruption or destruction of critical assets.
The researchers believe this finding corresponds directly to the increase in ransomware, up from 7% to 17%. Although ransomware is not viewed as an “OT-specific” threat, its growing share in OT environments indicates that ransomware variants are targeting industrial organizations. Accordingly, the share of threats targeting OT nearly doubled, from 16% to 28%.
The report also finds that 1 in 5 threats (19%) were specifically designed to leverage USB devices as an attack vector, and that more than half of the threats were designed to open backdoors, establish persistent remote access, or download additional malicious payloads. These findings point to more coordinated attacks, likely aimed at the air-gapped systems found in most industrial control environments and critical infrastructure.
“USB-borne malware continues to be a major risk for industrial operators,” said Eric Knapp, director of Cybersecurity Research and Engineering fellow, Honeywell Connected Enterprise, Cybersecurity. “What’s surprising is that targeted and more dangerous. It isn’t a case of accidental exposure to the virus through USB – it’s a trend of using removable media as part of more deliberate and coordinated attacks.”
More worrying still, 20% of the threats analyzed went undetected, up from 11% in the 2018 report. This is concerning given the high prevalence of newer threats and the clear indications of high-impact, targeted threats against industrial operators originating from USB removable media. A key contributing factor is that many organizations update their anti-virus signatures less often than they should, because the maintenance windows in which such updates usually occur are limited.