Rise in USB-Based Cyberattacks on Operational Technology Systems

April 30, 2024

Cyberattackers are increasingly using removable media, USB drives in particular, to get into operational technology (OT) networks, and once inside they rely on old malware and long-patched vulnerabilities to do damage. The resurgence of USB as a delivery vector is especially evident in the OT space, according to Honeywell's '2024 USB Threat Report'. The report finds that attackers are turning to USB devices to gain a foothold in industrial networks and, having got in, are not deploying sophisticated exploitation techniques or novel malware but leveraging well-known tools and vulnerabilities.

USB devices have one advantage over network-borne attack techniques: they can bridge air gaps. An air gap is the physical separation of an OT network from IT networks and the internet, meant to leave remote attackers no network path to the control systems. Air gaps are common in high-consequence industries such as nuclear, military, and financial services. Matt Wiseman, director of OT product marketing at OPSWAT, explains that many operational facilities are completely air-gapped, so traditional network-based attacks are far less effective there. Removable media is the attacker's workaround: a USB drive can be physically carried across the gap by the people who legitimately move files in and out of the facility, and the infected host does the rest.

The sharp rise in USB-borne attacks appears to date from the COVID-19 pandemic. In 2019, only 9% of the threats Honeywell found on USB media were specifically designed to spread or execute via USB; by 2022 that share exceeded 50%. Once across the air gap, attackers rely on 'living-off-the-land' tactics, abusing the administrative tools and scripting engines already present on the host rather than dropping new binaries, to collect and exfiltrate data, evade defenses, and escalate privileges, ultimately establishing persistence in the operational network.

Notably, the focus is not on new or particularly powerful malware and vulnerabilities. Well-known tooling from past ICS attacks is still in circulation, including BlackEnergy, used in the December 2015 attack on Ukraine's power grid, and Industroyer (also known as CrashOverride), used against a Kyiv substation in December 2016. The most commonly exploited vulnerabilities are equally dated: CVE-2010-2883, a stack-based buffer overflow in the CoolType font library of Adobe Reader and Acrobat, and CVE-2017-11882, a memory corruption flaw in the Microsoft Office Equation Editor. Both have had vendor patches for years, and both are triggered by opening a malicious document, exactly the kind of file that travels on removable media.

The primary goal of these attacks is disruption or destruction. Approximately 80% of USB-borne threats are now capable of disrupting OT systems, ranging from loss of visibility or control up to ransomware and wipers. The silver lining for defenders is that because the payloads are old and well understood, expensive new tooling is not necessarily required. Wiseman recommends strict USB policies and procedures, backed by technology that ensures any device plugged into an OT host has first been scanned and checked by a formal security solution. In practice that means a dedicated scanning station at the facility boundary, combined with host-side controls that refuse unapproved removable storage, since a signature scan only catches malware that is already known and does nothing about a drive that is swapped or rewritten after it was cleared.
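To make that recommendation concrete, the following is an added example (not code from the article, Honeywell, or OPSWAT) of the host-side decision a 'scan before use' policy boils down to: a USB mass-storage device is admitted only if its identity is on a maintained allowlist and a scanning station has cleared that exact device recently. The device records, allowlist, and scan log are constructed sample data, and the field names (`UsbDevice`, `ScanRecord`, `evaluate`) are this example's own rather than any real product's schema.

```python
"""Removable-media policy gate for an OT host (added example, constructed data)."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

USB_CLASS_MASS_STORAGE = 0x08          # bInterfaceClass value for mass storage
USB_CLASS_HID = 0x03                   # keyboards, mice, and keystroke injectors
SCAN_VALIDITY = timedelta(hours=24)    # a clean verdict older than this is stale


@dataclass(frozen=True)
class UsbDevice:
    vendor_id: int
    product_id: int
    serial: Optional[str]              # many cheap drives report no serial at all
    interface_class: int


@dataclass(frozen=True)
class ScanRecord:
    vendor_id: int
    product_id: int
    serial: str
    verdict: str                       # "clean" or "infected"
    scanned_at: datetime


def device_key(vendor_id: int, product_id: int, serial: str):
    return (vendor_id, product_id, serial)


def evaluate(dev: UsbDevice, allowlist: set, scans: list, now: datetime):
    """Decide whether the host may mount `dev`. Returns (decision, reason)."""
    if dev.interface_class != USB_CLASS_MASS_STORAGE:
        # This gate governs storage only. A device that enumerates as a keyboard
        # can still inject keystrokes, so HID needs its own allowlist.
        return "out_of_scope", "not a mass-storage interface"
    if not dev.serial:
        # Without a serial the drive is indistinguishable from any other unit of
        # the same model, so allowlisting and scan tracking cannot pin it down.
        return "deny", "device reports no serial number"
    key = device_key(dev.vendor_id, dev.product_id, dev.serial)
    if key not in allowlist:
        return "deny", "device not on allowlist"
    history = [s for s in scans
               if device_key(s.vendor_id, s.product_id, s.serial) == key]
    if not history:
        return "deny", "no scan record for this device"
    latest = max(history, key=lambda s: s.scanned_at)   # newest verdict wins
    if latest.verdict != "clean":
        return "deny", f"last scan verdict was '{latest.verdict}'"
    if now - latest.scanned_at > SCAN_VALIDITY:
        return "deny", "clean verdict is stale; rescan required"
    return "allow", "allowlisted and recently scanned clean"


# Constructed sample data: vendor/product IDs and serials are illustrative.
NOW = datetime(2024, 4, 30, 12, 0, tzinfo=timezone.utc)
ALLOWLIST = {
    device_key(0x0781, 0x5583, "4C530001234567890123"),
    device_key(0x0951, 0x1666, "E0D55E6C7A1B"),
    device_key(0x13FE, 0x4300, "070B6F2A9C11"),
}
SCANS = [
    ScanRecord(0x0781, 0x5583, "4C530001234567890123", "clean", NOW - timedelta(hours=2)),
    ScanRecord(0x0951, 0x1666, "E0D55E6C7A1B", "clean", NOW - timedelta(days=3)),
    ScanRecord(0x13FE, 0x4300, "070B6F2A9C11", "clean", NOW - timedelta(days=5)),
    ScanRecord(0x13FE, 0x4300, "070B6F2A9C11", "infected", NOW - timedelta(hours=1)),
]
DEVICES = {
    "fresh_clean": UsbDevice(0x0781, 0x5583, "4C530001234567890123", USB_CLASS_MASS_STORAGE),
    "stale_scan": UsbDevice(0x0951, 0x1666, "E0D55E6C7A1B", USB_CLASS_MASS_STORAGE),
    "flagged_infected": UsbDevice(0x13FE, 0x4300, "070B6F2A9C11", USB_CLASS_MASS_STORAGE),
    "same_model_unlisted": UsbDevice(0x0781, 0x5583, "4C53FFFFFFFFFFFFFFFF", USB_CLASS_MASS_STORAGE),
    "no_serial": UsbDevice(0x0781, 0x5583, None, USB_CLASS_MASS_STORAGE),
    "keyboard": UsbDevice(0x046D, 0xC31C, "K001", USB_CLASS_HID),
}


def run_examples():
    """Evaluate every sample device and return {name: decision}."""
    return {name: evaluate(dev, ALLOWLIST, SCANS, NOW)[0] for name, dev in DEVICES.items()}


if __name__ == "__main__":
    for name, dev in DEVICES.items():
        decision, reason = evaluate(dev, ALLOWLIST, SCANS, NOW)
        print(f"{name:22s} {decision:13s} {reason}")
```

Two design points matter more than the code itself. First, the verdict is tied to the device identity, not to the media contents, so a drive rewritten after it was cleared would still pass; a stronger scanning station records a hash of the media or copies the approved files onto a freshly wiped, organization-owned drive instead of handing the original back. Second, a decision function like this only has teeth when something enforces it before the filesystem mounts: a udev rule or USBGuard policy on Linux, or the removable-storage restrictions in Group Policy on Windows, with the allowlist and scan log fed from the boundary station.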
