TRITON, Mirai, Stuxnet all identified: “The data showed much more serious threats than we expected”
Research by industrial conglomerate Honeywell has found that nearly half (44 percent) of USB devices scanned across 50 industrial sites held files containing malware.
The threats identified (55 percent of which were trojans) targeted a range of industrial sites, including refineries, chemical plants and pulp-and-paper manufacturers.
Some 26 percent of the detected threats were capable of “significant disruption by causing operators to lose visibility or control of their operations”, Honeywell said.
The research marks the first commercial report to focus exclusively on USB security in industrial control environments.
USB Malware Risk: Many Companies Ban Use
The report comes as many companies, including IBM, have banned the use of portable storage devices like USB sticks owing to security risks.
In an advisory to employees in May 2018, for example, IBM’s global CISO Shamla Naidoo said the company “is expanding the practice of prohibiting data transfer to all removable portable storage devices (eg: USB, SD card, flash drive).”
Such steps come as both penetration testers and black hats have rapidly leaped on techniques revealed as a result of Edward Snowden’s 2013 leak of the National Security Agency’s so-called “ANT Catalogue”.
The catalogue revealed the NSA’s use of covert USB-based channels that can support software modification, along with data infiltration and exfiltration, and it heightened enterprise awareness of the risks of USB use.
“More Serious Threats than we Expected”
“The data showed much more serious threats than we expected, and taken together, the results indicate that a number of these threats were targeted and intentional,” said Eric Knapp, director of strategic innovation, Honeywell Industrial Cyber Security.
He added: “This research confirms what we have suspected for years – USB threats are real for industrial operators. What is surprising is the scope and severity of the threats.”
The report examined data collected from Honeywell’s Secure Media Exchange (SMX) technology, which is designed to scan and control removable media.
Among the threats detected (55 percent of which were Trojans) were high-profile, well-known issues such as TRITON and Mirai, as well as variants of Stuxnet, an attack type previously leveraged by nation-states to disrupt industrial operations.
Of the malware discovered, nine percent was designed to directly exploit USB protocol or interface weaknesses, making USB delivery even more effective — especially on older or poorly configured computers that are more susceptible to USB exploits.
Some went further, attacking the USB interface itself: two percent were associated with common Human Interface Device (HID) attacks, which trick the USB host controller into thinking there is a keyboard attached, allowing the malware to type commands and manipulate applications.
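As an added illustration (not taken from Honeywell’s report or its SMX product), the check below walks a USB configuration descriptor and flags a device handed over as removable storage if it also announces a Human Interface Device interface. The function names and both sample descriptors are constructed for this example, and it assumes the raw descriptor bytes have already been read from the device by a scanning station.

```python
"""Flag removable media whose USB descriptors also expose a HID interface."""

DT_INTERFACE = 0x04           # standard USB interface descriptor type
CLASS_HID = 0x03              # USB-IF class code: Human Interface Device
CLASS_MASS_STORAGE = 0x08     # USB-IF class code: Mass Storage
HID_PROTOCOL_KEYBOARD = 0x01  # bInterfaceProtocol announced by boot keyboards

# Constructed sample: a plain memory stick (one mass-storage interface, two bulk endpoints).
PLAIN_STICK = bytes.fromhex(
    "09 02 20 00 01 01 00 80 32"
    "09 04 00 00 02 08 06 50 00"
    "07 05 81 02 00 02 00" "07 05 02 02 00 02 00")

# Constructed sample: same storage interface plus a second interface declaring a keyboard.
COMPOSITE = bytes.fromhex(
    "09 02 39 00 02 01 00 80 32"
    "09 04 00 00 02 08 06 50 00"
    "07 05 81 02 00 02 00" "07 05 02 02 00 02 00"
    "09 04 01 00 01 03 01 01 00"
    "09 21 11 01 00 01 22 3f 00"
    "07 05 83 03 08 00 0a")


def parse_interfaces(config: bytes):
    """Return (class, subclass, protocol) for every interface descriptor found."""
    found, offset = [], 0
    while offset + 2 <= len(config):
        length, dtype = config[offset], config[offset + 1]
        if length < 2 or offset + length > len(config):
            raise ValueError(f"malformed descriptor at offset {offset}")
        if dtype == DT_INTERFACE and length >= 9:
            found.append(tuple(config[offset + 5:offset + 8]))
        offset += length
    return found


def assess(config: bytes) -> str:
    """Classify a device that was presented to the operator as removable storage."""
    interfaces = parse_interfaces(config)
    has_storage = any(c == CLASS_MASS_STORAGE for c, _, _ in interfaces)
    # Any HID interface is suspect here: keyboards without boot support report protocol 0.
    hid = [p for c, _, p in interfaces if c == CLASS_HID]
    if hid:
        kind = "keyboard" if HID_PROTOCOL_KEYBOARD in hid else "HID"
        return f"block: {kind} interface on a storage device"
    return "allow: storage only" if has_storage else "review: no storage interface"
```
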
In comparative tests, up to 11 percent of the threats discovered were not reliably detected by more traditional anti-malware technology, Honeywell claimed.