Defend Your Industrial Assets: How to Safely Use Removable Media in ICS

Industrial Control Systems (ICS) form the backbone of essential infrastructures across various industries today, including power generation, water treatment, and oil and gas production. And because these systems monitor and control industrial processes, they are becoming an increasingly popular target for cyber attackers. Among the possible entry points for these threats, security experts have identified removable media as an area of critical concern. The best way to prevent the chaos ensuing from a successful attack on industrial assets is to understand how a malicious actor might approach such an attack and how security leaders can increase the security of these systems.

The Attacker’s Playbook

The first step for a malicious actor is to gather data. To identify vulnerable ICS, an attacker might scan for open ports and services, identify devices and protocols within the ICS networks, and exploit publicly known and potentially as-yet-unknown vulnerabilities in ICS software or protocols to gain access. One key aspect of an attacker’s strategy is likely to be delivering malicious payloads via removable media, such as USB drives and bring-your-own-device (BYOD) hardware, which are required to apply important upgrades or patches in isolated or air-gapped environments.

Once connected to an ICS, these compromised removable media devices can release malware, exploiting vulnerabilities to establish command and control (C2) channels. Attackers use these channels to remotely manage compromised devices and systems during a cyberattack, issue commands, receive stolen data, and maintain control over the attack infrastructure.

Ramifications for Targeted ICS Environments

Once a C2 channel is open, it increases the effectiveness of an attack, allowing attackers to perform automated tasks, launch coordinated attacks, and maintain persistence in the environment. C2 channels in traditional IT environments rely on internet connectivity for remote control, but isolated or air-gapped networks provide limited to no external access, which can make malicious activity more difficult to detect. In ICS, C2 channels are likely to leverage specialized industrial protocols, such as Modbus and supervisory control and data acquisition (SCADA), and interact with programmable logic controllers (PLCs), distributed control systems (DCS), and other industrial devices. Through C2 channels, an attacker could manipulate physical processes, resulting in equipment damage, production stoppages, and safety hazards.

Beyond the attacks within the ICS itself, attackers could manipulate settings or processes and thereby damage equipment, impact functionality, and potentially cause explosions or fires. In water treatment plants or power grids, infiltration could result in environmental contamination. Disrupting operations could cause a wide variety of problems, including economic losses and shortages of essential goods and services, while service outages could impact millions of people when power grids, transportation systems, and communication networks are disrupted. In some cases, a malicious actor attacking critical infrastructure could cause catastrophic accidents and loss of life.

Securing Industrial Assets

As the ICS threat landscape grows, industrial assets are at increasing risk worldwide. So how can security teams ensure minimal downtime and disruption of industrial assets? In any industrial control system, data must be transferred between devices and systems. Those transfers rely on transient cyber assets, diagnostic tools, portable storage devices, or temporary maintenance connections, and they travel over data transfer channels such as wired networks, wireless connections, and physical media (USB drives, floppy disks, SD cards, flash drives, and more). These data transfer channels require end-to-end protective measures to address the myriad challenges organizations face when securing critical environments.

By addressing the potential threats posed by portable media, organizations can significantly reduce their cyber risk. Due to the diverse, unusual, and often rugged environments prevalent in critical infrastructure, it’s important to choose portable media scanning solutions that:
● Leverage multiple engines when scanning for potential threats and vulnerabilities
● Provide equipment that is accessible, portable when needed, and compatible with the various required media interfaces
● Include a built-in battery to enable peripheral media protection for different use cases
● Provide a lockable key to enable more secure scans
● Offer a sandbox environment to enable adaptive threat analysis technology for zero-day malware detection without requiring software installation on critical assets
● Provide a firewall that enables policy enforcement with a no-touch solution and zero endpoint installation

Organizations must ensure that peripheral media undergo essential security checks prior to entering a critical environment, both to protect themselves from malicious actors and to align with global regulations and certifications. By adopting robust, advanced peripheral media protection best practices, organizations can defend against the sophisticated and mounting cyber threats to industrial assets.

About the author

This article was written by Matt Wiseman, Director of Product Marketing at OPSWAT, who manages the OT product line. Matt’s focus is on product, engineering, product marketing and cybersecurity strategy. Matt has experience working in large industrial organizations and has worked to provide comprehensive cybersecurity solutions for all key critical infrastructure industries. Prior to joining OPSWAT, Matt served in various cybersecurity strategy and global marketing leadership roles at Honeywell.