

USB Cyber Threats Are on the Rise. Here’s What You Can Do to Stop Them

The year 2020 was an unprecedented one on many levels. Alongside the devastating health impact of COVID-19, the pandemic unleashed a wave of new cybersecurity challenges as many businesses shifted to a work-from-home model. One of those challenges was rising USB threats that can cause serious and costly business disruptions. These threats rose dramatically during a year in which the usage of removable media and network connectivity skyrocketed as more and more employees worked remotely.

Indeed, the work-from-home revolution led to a growing dependence on removable media. That's likely one of the reasons the use of USB media climbed by 30 percent in 2020 compared to the previous year, according to the 2021 Honeywell Industrial USB Threat Report. The report, based on anonymized cybersecurity threat data collected, aggregated, and analyzed from hundreds of industrial facilities globally, also found that 37 percent of cyber threats in 2020 were specifically designed to utilize removable media, almost double the 19 percent seen in 2019.

The research highlights the growing and pernicious nature of USB-borne threats. In fact, 79 percent of cyber threats found on USBs in 2020 were capable of causing critical disruptions in operational technology (OT) environments, up from 59 percent the previous year. Along with USB attacks, the report reveals a growing range of cyber threats associated with USB removable media, including remote access, Trojans, and content-based malware, all of which can severely cripple industrial infrastructure.

Sneaking Through the Back Door

Even though many industrial and OT systems are air-gapped or otherwise cut off from the Internet to shield them from cyber threats, adversaries are using removable media and USB devices as an initial attack vector to penetrate those networks and open them up to major attacks. Once such a back door is open, and if the compromised host has any path to an outside network, cybercriminals can establish remote connectivity to download additional payloads, exfiltrate data, and establish command and control.


Another notable trend in 2020 is the growing number of threats delivered through altered or infected documents: 12 percent of the total threats detected leveraged native document structures with embedded scripts and macros. This rise in content-based malware likely corresponds to the shift toward remote work in 2020 and underscores the fact that cybercriminals were savvy enough to adjust their tactics to take advantage of these organizational changes.
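As an added example (not code from the article, and not from Honeywell's products), the following Python script shows what "native document structures with embedded scripts and macros" looks like from the detection side. Modern Office files (docx, xlsx, pptx) are zip containers, so the inspector opens the container with the standard library only and flags a VBA project part, a macro part hidden behind a non-macro-enabled extension, embedded OLE objects and, going a step beyond the text, relationship parts such as an attached template that point at a remote host. The two sample documents, the host 198.51.100.7 and all function names are constructed for the example.

```python
import io
import re
import zipfile
from typing import Dict, List, Union

VBA_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"
_EXTERNAL_REL = re.compile(r'<Relationship\b[^>]*TargetMode="External"[^>]*>', re.I)
_RELS_NS = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"


def _attr(tag: str, name: str) -> str:
    """Read one attribute value out of a single XML tag (enough for .rels parts)."""
    m = re.search(rf'\b{name}="([^"]*)"', tag)
    return m.group(1) if m else ""


def build_ooxml(parts: Dict[str, Union[str, bytes]]) -> bytes:
    """Pack part names and bodies into an OOXML zip; used here only to construct samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, body in parts.items():
            zf.writestr(name, body)
    return buf.getvalue()


def inspect_ooxml(data: bytes, filename: str = "") -> Dict[str, object]:
    """Return the active-content indicators found inside an OOXML container."""
    findings: List[str] = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        ctypes = zf.read("[Content_Types].xml").decode("utf-8", "replace") if "[Content_Types].xml" in names else ""
        # 1. A VBA project part, or a content type declaring one, means macros.
        vba_parts = [n for n in names if n.lower().endswith("vbaproject.bin")]
        if vba_parts or VBA_CONTENT_TYPE in ctypes:
            findings.append("vba-macros: " + ", ".join(vba_parts or ["declared in [Content_Types].xml only"]))
        # 2. Macros inside a .docx/.xlsx/.pptx name: the extension does not advertise them.
        if vba_parts and filename.lower().endswith((".docx", ".xlsx", ".pptx")):
            findings.append("extension-mismatch: macro part inside a non-macro-enabled extension")
        # 3. Embedded OLE objects (packaged executables, scripts, nested documents).
        ole = [n for n in names if "/embeddings/" in n.lower()]
        if ole:
            findings.append("embedded-objects: " + ", ".join(ole))
        # 4. Relationship parts that make the application fetch something from a remote host.
        for n in names:
            if not n.lower().endswith(".rels"):
                continue
            for rel in _EXTERNAL_REL.findall(zf.read(n).decode("utf-8", "replace")):
                rtype, target = _attr(rel, "Type"), _attr(rel, "Target")
                if rtype.endswith("/hyperlink"):
                    continue  # ordinary hyperlinks are external too; they are not fetched on open
                if target.lower().startswith(("http://", "https://", "file:", "\\\\")):
                    findings.append(f"remote-part: {n} -> {target} ({rtype.rsplit('/', 1)[-1]})")
    return {"suspicious": bool(findings), "findings": findings}


# Constructed sample: a benign document that merely contains a hyperlink.
CLEAN_DOC = build_ooxml({
    "[Content_Types].xml": '<Types><Override PartName="/word/document.xml" '
        'ContentType="application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"/></Types>',
    "word/document.xml": "<w:document/>",
    "word/_rels/document.xml.rels": f'<Relationships><Relationship Id="rId1" Type="{_RELS_NS}/hyperlink" '
        'Target="https://example.com/" TargetMode="External"/></Relationships>',
})

# Constructed sample: a VBA project behind a .docx name plus a template pulled from a remote host.
MACRO_DOC = build_ooxml({
    "[Content_Types].xml": '<Types><Override PartName="/word/document.xml" '
        'ContentType="application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"/>'
        f'<Override PartName="/word/vbaProject.bin" ContentType="{VBA_CONTENT_TYPE}"/></Types>',
    "word/document.xml": "<w:document/>",
    "word/vbaProject.bin": b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 8,  # OLE compound-file magic, no real code
    "word/_rels/settings.xml.rels": f'<Relationships><Relationship Id="rId1" Type="{_RELS_NS}/attachedTemplate" '
        'Target="http://198.51.100.7/t.dotm" TargetMode="External"/></Relationships>',
})

if __name__ == "__main__":
    for label, doc, name in (("clean", CLEAN_DOC, "memo.docx"), ("macro", MACRO_DOC, "invoice.docx")):
        print(label, inspect_ooxml(doc, name))
```

The hyperlink exclusion is the caveat worth remembering: almost every real document has external hyperlink relationships, so a rule that flags every TargetMode="External" drowns in noise, while the attachedTemplate, oleObject and similar relationship types are the ones the application resolves when the file is opened. Legacy binary formats (.doc, .xls, .ppt) are OLE2 compound files rather than zips and need a different parser, such as the oletools project, which this stdlib-only example does not cover.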

Several factors clearly indicate that the bad guys are deliberately targeting USBs to circumvent the air gap that protects industrial environments. The first indication is the use of malware specifically designed to propagate via USB media. Combined with a high concentration of malware that seemed to target OT, and an even higher concentration of malware designed to establish persistent remote access, it’s easy to infer the intent. Clearly, adversaries see USBs as an initial penetration vector and are leveraging removable media as part of a larger cyber-attack campaign on industrial operators.

Improving Detection

So, what can be done in the face of USB-borne cyber intrusions that are growing in strength and volume? Well, organizations must adopt a formal security program to protect against intrusions and avoid potentially costly downtime.

To combat USB-related threats, organizations need several layers of OT cybersecurity that deliver advanced threat detection for critical infrastructure by monitoring, protecting, and logging the use of removable media throughout industrial facilities. This includes the ability to monitor for weaknesses such as open ports or missing USB security controls, to strengthen endpoint and network security, and to ensure better cybersecurity compliance.
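As an added example (not from the article and not Honeywell's product code), the Python script below shows the monitoring-and-logging layer in its simplest form: it parses kernel USB attach messages from a syslog feed, reconstructs each device's vendor ID, product ID and serial number, and raises an alert for any mass-storage device that is not on an allowlist of issued media. The log lines, the hostname hmi01, the allowlist contents and the function names are all constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Constructed syslog-style kernel messages (not from any real host): an approved stick,
# then a keyboard, then a second stick of the same model but with a different serial.
SAMPLE_LOG = """\
Mar  3 09:12:01 hmi01 kernel: usb 1-1: new high-speed USB device number 4 using xhci_hcd
Mar  3 09:12:01 hmi01 kernel: usb 1-1: New USB device found, idVendor=0781, idProduct=5583, bcdDevice= 1.00
Mar  3 09:12:01 hmi01 kernel: usb 1-1: Product: Ultra Fit
Mar  3 09:12:01 hmi01 kernel: usb 1-1: SerialNumber: 4C530001230412345678
Mar  3 09:12:01 hmi01 kernel: usb-storage 1-1:1.0: USB Mass Storage device detected
Mar  3 09:40:17 hmi01 kernel: usb 1-2: New USB device found, idVendor=046d, idProduct=c31c, bcdDevice=64.00
Mar  3 09:40:17 hmi01 kernel: usb 1-2: Product: USB Keyboard
Mar  3 11:05:44 hmi01 kernel: usb 1-1: USB disconnect, device number 4
Mar  3 13:22:09 hmi01 kernel: usb 1-1: New USB device found, idVendor=0781, idProduct=5583, bcdDevice= 1.00
Mar  3 13:22:09 hmi01 kernel: usb 1-1: Product: Ultra Fit
Mar  3 13:22:09 hmi01 kernel: usb 1-1: SerialNumber: 4C53DEADBEEF00000001
Mar  3 13:22:09 hmi01 kernel: usb-storage 1-1:1.0: USB Mass Storage device detected
"""

# Hypothetical allowlist of issued media: (idVendor, idProduct, serial number).
APPROVED_MEDIA: Set[Tuple[str, str, str]] = {("0781", "5583", "4C530001230412345678")}

_NEW = re.compile(r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) kernel: usb (?P<port>[\d.-]+): "
                  r"New USB device found, idVendor=(?P<vid>[0-9a-fA-F]{4}), idProduct=(?P<pid>[0-9a-fA-F]{4})")
_SERIAL = re.compile(r"kernel: usb (?P<port>[\d.-]+): SerialNumber: (?P<serial>\S+)")
_STORAGE = re.compile(r"kernel: usb-storage (?P<port>[\d.-]+):\d+\.\d+: USB Mass Storage device detected")
_DISCONNECT = re.compile(r"kernel: usb (?P<port>[\d.-]+): USB disconnect")


@dataclass
class UsbDevice:
    ts: str
    host: str
    port: str
    vid: str
    pid: str
    serial: Optional[str] = None
    mass_storage: bool = False


def parse_usb_events(lines) -> List[UsbDevice]:
    """Stitch the per-port kernel messages back into one record per attached device."""
    open_devices: Dict[str, UsbDevice] = {}
    finished: List[UsbDevice] = []
    for line in lines:
        m = _NEW.search(line)
        if m:
            if m["port"] in open_devices:  # missed disconnect: close the stale record first
                finished.append(open_devices.pop(m["port"]))
            open_devices[m["port"]] = UsbDevice(m["ts"], m["host"], m["port"], m["vid"].lower(), m["pid"].lower())
            continue
        m = _SERIAL.search(line)
        if m and m["port"] in open_devices:
            open_devices[m["port"]].serial = m["serial"]
            continue
        m = _STORAGE.search(line)
        if m and m["port"] in open_devices:
            open_devices[m["port"]].mass_storage = True
            continue
        m = _DISCONNECT.search(line)
        if m and m["port"] in open_devices:
            finished.append(open_devices.pop(m["port"]))
    finished.extend(open_devices.values())  # devices still attached at end of log
    return finished


def check_mass_storage(devices: List[UsbDevice], allowlist: Set[Tuple[str, str, str]]) -> List[dict]:
    """Alert on every mass-storage device that is not an issued (vendor, product, serial) triple."""
    known_models = {(vid, pid) for vid, pid, _ in allowlist}
    alerts = []
    for d in devices:
        if not d.mass_storage or (d.vid, d.pid, d.serial) in allowlist:
            continue  # keyboards etc. are logged but not alerted; approved media passes
        if (d.vid, d.pid) in known_models:
            reason = "serial not on allowlist: same model as issued media, possible clone or unregistered unit"
        else:
            reason = "unregistered mass storage device"
        alerts.append({"ts": d.ts, "host": d.host, "port": d.port, "vid": d.vid,
                       "pid": d.pid, "serial": d.serial, "reason": reason})
    return alerts


if __name__ == "__main__":
    for alert in check_mass_storage(parse_usb_events(SAMPLE_LOG.splitlines()), APPROVED_MEDIA):
        print(alert)
```

Matching on the serial number as well as the vendor and product IDs is the point of the sample: the second stick is the same model as an approved one, so an allowlist keyed only on vendor/product would wave it through. The same logic applies to Windows device-install events with a different parser in front of it; what matters is that attach events from every OT endpoint reach a central log where this comparison can run and the alert can be acted on.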

Detecting malware is more complex than ever and, unfortunately, no single malware detection tool or technology will ever be completely effective. This is especially true as new malware variants come on the scene at alarming rates—as many as 220 million per year. The sheer volume of threats in existence makes it ever-more difficult to maintain strong detection efficacy.

However, organizations can improve detection by using a layered detection and response strategy: leveraging the specific strengths of particular techniques against specific classes or families of malware. One such approach is to use a tool that proactively combines and correlates the latest security research to identify emerging threats as early as possible in a malware's lifecycle. Doing so gives organizations visibility into early-stage threats that many commercial anti-malware solutions might not catch, simply because of the growing volume of sophisticated malware capable of evasive behaviors.

The bottom line is that more threats are attempting to enter industrial environments, and these threats are more sophisticated than ever, resulting in a clear and present danger to operations. USBs are a prime target because they provide an easy entry point that can then be exploited by the bad guys to wage larger cyber campaigns against industrial targets. Organizations are advised to be aware of these attacks and to show continued diligence in defending against the growing USB threat.

Paul Griswold is the chief product officer, cybersecurity, for Honeywell Connected Enterprise (HCE). In this role, Griswold is responsible for the strategy of HCE's cybersecurity software, managed services, and consulting services portfolios. Prior to joining Honeywell, Griswold spent seven years with IBM Security, most recently as the executive director of strategy and offering management for IBM's X-Force threat intelligence and threat protection offerings. Griswold holds both an MBA and a BS in Computer Science from Georgia Tech.
