These are interesting times for Universal Serial Bus (USB) security. With increasing pressure to limit network access to industrial control systems, industrial plant dependence upon USB removable media to transfer information, files, patches and updates has been greater than ever. At the same time, past research into USB threats has shown that portable USB drives are one of the top threat vectors impacting industrial control systems.
While this is notable enough on its own, USB represents a greater threat than the spread of malware alone: a USB device can be used to attack a host directly, with the USB interface itself serving as the attack vector. Malicious USB devices built specifically to attack computers through the USB interface are readily available for purchase online, while BadUSB – a technique that reprograms the firmware of ordinary USB devices such as fans and charging cables so that they present themselves to the host as a keyboard or other trusted device – has increasingly been weaponized.
In the context of these USB security concerns and the ongoing changes in the threat landscape, researchers from Honeywell’s Industrial Cyber Security team analyzed USB usage and behavioral data from live production sites globally.
This report shares Honeywell USB security research findings to advance industry dialogue and threat prevention collaboration, in hopes of lowering cyber attack risk to industrial operations worldwide.
USB usage and behavioral data was extracted from a proprietary, globally deployed Honeywell security platform, Secure Media Exchange (SMX). Since SMX analyzes USB devices used in industrial facilities, it provides a highly relevant snapshot into industrial USB activity.
Data collected from SMX is anonymous and contains no personally identifiable information (PII), and only a sample of all SMX data was analyzed. Findings therefore represent consolidated views of the sample set, and are interpreted in light of their likely impact across the larger collected data set.
Industries represented include Oil & Gas, Energy, Chemical Manufacturing, Pulp & Paper, and other industrial manufacturing facilities. No detailed correlation to region, nor detail by industry, has been provided here, in an effort to further preserve data anonymity.
The sample set consisted of 50 locations where SMX is deployed in live production environments. Data was collected from across the U.S., South America, Europe and the Middle East. This sample set represents files actively carried into production control facilities via USB removable storage devices, during normal day-to-day operations.
USB Remains a Top Threat Vector
Of the locations studied, nearly half (44%) detected and blocked at least one malicious or suspicious file that represented a security issue. This high-level finding confirms that USB remains a significant vector for industrial threats specifically, and that the exposure of industrial facilities to threats via USB is consistent across sites rather than isolated. It is also consistent with third-party reports that cite USB as a major threat vector.
USB-Borne Malware: A High-Potency Threat
While the volume of malware discovered in this research was small relative to the total number of files sampled, its potency was significant. Of the threats blocked by SMX, 1 in 4 (26%) had the potential to cause a major disruption to an industrial control environment, including loss of view or loss of control, and 16% were targeted specifically against Industrial Control System (ICS) or Internet of Things (IoT) systems.
A notable 15% of the total threats detected and blocked were high-profile, well-known threats, including Stuxnet (2%), Mirai (6%), TRITON (2%), and WannaCry (1%). It’s not the presence of these threats that is concerning; on the contrary, these and other threats have been in the wild for some time. Rather, it’s that these threats were attempting to enter industrial control facilities via removable storage devices, in a relatively high density, that is significant.
These findings are worrisome for several reasons. The first is that high-potency threats were present at all on USB drives bound for industrial control facilities: as ICS security experts are well aware, a single instance of malware bypassing defenses is enough to launch a rapid and widespread attack. Second, the findings confirm that such threats exist in the wild, since the high-potency malware was detected in day-to-day routine traffic rather than in research labs or test environments. Finally, as historical trends have shown, newly emerging techniques such as TRITON, which targets Safety Instrumented Systems, can provoke copycat attackers. Although more difficult and sophisticated to accomplish, such newer approaches can mark the beginning of a wave of derivative or copycat attacks.
Accidental Infections or Targeted Attacks?
Of the files known to be malicious, the type and behavior of the malware varied considerably. The most pervasive category by far was Trojans, at 55% of all malware detected. This makes sense for USB-borne malware: a Trojan relies on a user running a file that appears legitimate, and files carried in on removable media are precisely the files users intend to open.
Other malware types discovered through this research included bots (11%), hacktools (6%) and Potentially Unwanted Applications (5%).
Of the malware discovered, 9% was designed to directly exploit USB protocol or interface weaknesses, which makes USB delivery even more effective, especially on older or poorly configured computers that are more susceptible to such exploits. A further 2% were associated with common Human Interface Device (HID) attacks, in which the device presents itself to the host's USB stack as a keyboard so that it can type commands and manipulate applications without any file on the drive ever being opened. This supports earlier Honeywell findings that HID attacks such as BadUSB are realistic threats to industrial operators.
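The HID pattern described above leaves a visible trace on the host: a device that was plugged in as storage (or as a fan or cable) enumerates a keyboard interface. The following Python script is an added example, not code from the Honeywell report or from SMX; it parses the Linux kernel's USB enumeration messages and flags two BadUSB indicators: a single device exposing both a mass-storage and a keyboard interface, and any keyboard whose vendor/product ID is not on a site allowlist. The log lines and the allowlist are constructed for the example, and the regular expressions assume the message formats of the Linux `usb`, `usb-storage` and `hid-generic` drivers.

```python
import re

# Constructed Linux kernel log excerpt (not captured from a real host). Three devices
# enumerate: a flash drive that also registers a keyboard interface, a known keyboard,
# and a "desk fan" that registers nothing but a keyboard interface.
SAMPLE_DMESG = """\
[  120.250] usb 1-1: New USB device found, idVendor=0781, idProduct=5567, bcdDevice= 1.00
[  120.252] usb 1-1: Product: Cruzer Blade
[  120.253] usb 1-1: Manufacturer: SanDisk
[  120.301] usb-storage 1-1:1.0: USB Mass Storage device detected
[  120.355] input: SanDisk Cruzer Blade as /devices/pci0000:00/0000:00:14.0/usb1/1-1/1-1:1.1/0003:0781:5567.0004/input/input12
[  120.356] hid-generic 0003:0781:5567.0004: input,hidraw1: USB HID v1.11 Keyboard [SanDisk Cruzer Blade] on usb-0000:00:14.0-1/input1
[  300.120] usb 1-2: New USB device found, idVendor=046d, idProduct=c31c, bcdDevice=64.00
[  300.121] usb 1-2: Product: USB Keyboard
[  300.200] hid-generic 0003:046D:C31C.0005: input,hidraw2: USB HID v1.10 Keyboard [Logitech USB Keyboard] on usb-0000:00:14.0-2/input0
[  480.120] usb 1-3: New USB device found, idVendor=1a2c, idProduct=0b25, bcdDevice= 1.00
[  480.121] usb 1-3: Product: Desk Fan
[  480.200] hid-generic 0003:1A2C:0B25.0006: input,hidraw3: USB HID v1.11 Keyboard [Desk Fan] on usb-0000:00:14.0-3/input0
"""

# Hypothetical allowlist: the keyboards expected on this workstation, as (idVendor, idProduct).
KNOWN_KEYBOARDS = {("046d", "c31c")}

# Message formats of the Linux usb core, usb-storage and hid-generic drivers.
NEW_DEV = re.compile(r"usb (?P<path>[\d.-]+): New USB device found, idVendor=(?P<vid>[0-9a-f]{4}), idProduct=(?P<pid>[0-9a-f]{4})")
PRODUCT = re.compile(r"usb (?P<path>[\d.-]+): Product: (?P<name>.+)$")
STORAGE = re.compile(r"usb-storage (?P<path>[\d.-]+):\d+\.\d+: USB Mass Storage device detected")
HID = re.compile(r"hid-generic 0003:(?P<vid>[0-9A-Fa-f]{4}):(?P<pid>[0-9A-Fa-f]{4})\.\d+: .*USB HID v[\d.]+ (?P<kind>Keyboard|Mouse|Device)")


def parse_devices(log_text):
    """Build one record per USB port path: IDs, product string and the interface kinds it registered."""
    devices = {}  # insertion order = enumeration order
    for line in log_text.splitlines():
        m = NEW_DEV.search(line)
        if m:
            devices[m["path"]] = {"vid": m["vid"], "pid": m["pid"], "product": "", "interfaces": set()}
            continue
        m = PRODUCT.search(line)
        if m and m["path"] in devices:
            devices[m["path"]]["product"] = m["name"].strip()
            continue
        m = STORAGE.search(line)
        if m and m["path"] in devices:
            devices[m["path"]]["interfaces"].add("storage")
            continue
        m = HID.search(line)
        if m:
            # hid-generic lines carry the vendor/product ID rather than the port path, so
            # attribute the interface to the most recently enumerated device with that ID.
            ident = (m["vid"].lower(), m["pid"].lower())
            for path in reversed(list(devices)):
                if (devices[path]["vid"], devices[path]["pid"]) == ident:
                    devices[path]["interfaces"].add(m["kind"].lower())
                    break
    return devices


def audit(log_text, known_keyboards=KNOWN_KEYBOARDS):
    """Return [(port_path, reason)] for devices showing a HID/BadUSB pattern."""
    findings = []
    for path, d in parse_devices(log_text).items():
        if "keyboard" in d["interfaces"] and "storage" in d["interfaces"]:
            findings.append((path, f"storage device '{d['product']}' also enumerated a keyboard interface (BadUSB/HID pattern)"))
        elif "keyboard" in d["interfaces"] and (d["vid"], d["pid"]) not in known_keyboards:
            findings.append((path, f"unexpected keyboard {d['vid']}:{d['pid']} '{d['product']}' not on allowlist"))
    return findings


if __name__ == "__main__":
    for path, reason in audit(SAMPLE_DMESG):
        print(f"usb {path}: {reason}")
```

On a real host the same logic can be fed from `dmesg` or the journal; the allowlist is the part that needs site-specific maintenance, and a keyboard appearing at runtime on an engineering workstation that has not been physically touched is itself worth an alert even before the ID is checked.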
Looking at the specific malware families found, a small-but-significant degree of deliberate, targeted behavior was discovered, including such prominent industrial threats as Stuxnet, TRITON and others. As also mentioned earlier, 26% of the threats discovered had the potential to impact industrial control environments, and 16% were specifically targeted against the same environments.
A Diversity of Malware Functionality, Led by RATs and Droppers
The malware discovered was analyzed to reveal many diverse functionality types, from adware to ransomware. Notably, Remote Access Trojans (RATs) were the most common functionality (32%), followed by Droppers (12%) designed to download and install additional malware. This is interesting because best practice dictates that industrial control environments tightly control outbound connectivity from the control site to the Internet; a properly segmented process control network would block all such unauthorized connections, rendering most RATs and Droppers useless. It implies that the majority of the threats analyzed rely upon, and expect, poorly designed networks.
Fifteen percent were classified as “attacks”: malware designed to exploit a specific system or application, damage files or endpoints, or otherwise cause immediate harm. Petya and WannaCry were both detected, though relatively uncommonly (1% each); overall, a notable 7% of all threats detected and blocked by SMX were ransomware.
Also discovered through the analysis was an abundance of Potentially Unwanted Applications (PUAs), worms and viruses that were of medium or low severity. Interestingly, these included a relatively high proportion of password cracking tools, illicit browsers, installers, game crackers, registry editors and other software tools that, while not malicious themselves, are capable of being used maliciously. The relative prevalence of these types of tools is notable considering that, especially in critical industries, these unwanted applications are often prohibited by policy.
While it is difficult to associate any specific malicious file with a broader campaign, our best estimate is that over 50% of the malicious files analyzed had persistence capabilities typical of an Advanced Persistent Threat (APT). The prevalence of evasion and enumeration techniques, combined with remote access and the installation of additional packages, suggests that many of the threats found were intended to gain a remote foothold.
The relatively high percentage of threats that targeted ICS, that were capable of impacting ICS, and that exhibited persistence validates current best practices of deploying strong network defenses and perimeters around critical areas. In this study, such attempts were blocked; however, any organization that allowed such threats to enter the process control network, and allowed outbound network connectivity, would face dangerous consequences from them. The findings also illustrate how an attacker, faced with an obstacle, will attempt to find another path – in this case, USB removable storage as an alternative to direct network attacks.
USBs Carry Old and New Threats into the Plant
Both old malware and new threat types were detected in the sample data. For example, the Conficker worm, first discovered over 10 years ago, was detected and blocked. Conficker is capable of causing serious disruption to networks, and it limits recoverability by disabling backup-related services and deleting restore points. Its presence shows the need to keep checking for known malware of any age, rather than assuming that the lessons of past incidents have been applied.
The presence of Conficker on USB storage media is itself unsurprising: the worm uses an autorun.inf file on removable media as one of its infection and propagation methods, so that a host with AutoRun enabled launches the worm when the drive is inserted. It does, however, provide further evidence that such threats exist in day-to-day control system USB usage, outside of intentional malware testing facilities.
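The autorun.inf propagation route can be checked before a drive is trusted, because the file is plain text that Windows parses leniently. The following Python script is an added example, not code from the Honeywell report or from SMX: it parses an autorun.inf the way AutoRun does (case-insensitive keys, comment and junk lines ignored) and reports the indicators Conficker-style files combine: an `open`/`shellexecute`/`shell\...\command` directive, `rundll32` loading a file with a disguised extension, code under a RECYCLER folder, Explorer's folder icon and "Open folder to view files" text, and heavy junk padding. Both sample files are constructed; the path, file name and export name in the malicious one are made up and are not Conficker's real values.

```python
import re

# Constructed autorun.inf, shaped like the junk-padded file Conficker wrote to removable
# drives: the Explorer folder icon and "open folder" action make its AutoPlay entry look like
# the built-in one, while shellexecute has rundll32 load a DLL carrying a non-DLL extension
# from a RECYCLER folder. Path, file name and export name are invented for this example.
CONFICKER_STYLE = b"\r\n".join([
    b"[AutoRun]",
    b";\x8f\x01\xfd\x10\x9b garbage",
    b"Action=Open folder to view files",
    b";\x02\x9c\x7f\x1b\x8a junk",
    b"Icon=%systemroot%\\system32\\shell32.dll,4",
    b";\x8e\x03\x11",
    b"shellexecute=RuNdLl32.EXE .\\RECYCLER\\S-1-5-21-0000\\payload.vmx,export",
    b";\x05\x8d\x19",
    b"UseAutoPlay=1",
    b";\x0e\x81",
    b";\x96\x04\x12",
])

# Constructed benign autorun.inf of the kind a vendor patch disc might carry.
BENIGN = b"[autorun]\r\nlabel=Vendor Patch Disc\r\nicon=setup.exe,0\r\n"

EXEC_KEYS = {"open", "shellexecute"}
SHELL_CMD = re.compile(r"^shell\\[^\\]+\\command$")
RUNDLL_TARGET = re.compile(r"rundll32(?:\.exe)?\s+([^,]+)")


def parse_autorun(data):
    """Return (directives, junk_line_count). Keys are lowercased because AutoRun is case-insensitive."""
    directives, junk = {}, 0
    for raw in data.decode("latin-1").split("\n"):
        line = raw.strip()
        if not line or line.startswith("["):
            continue
        if line.startswith(";"):          # comment; binary garbage here is padding, not a comment
            if not line.isprintable():
                junk += 1
            continue
        key, sep, value = line.partition("=")
        key = key.strip().lower()
        if not sep or not key.isprintable():
            junk += 1                     # not a key=value line at all
            continue
        directives[key] = value.strip()
    return directives, junk


def assess_autorun(data):
    """Score one autorun.inf; 'reasons' lists every indicator found."""
    directives, junk = parse_autorun(data)
    launches = {k: v for k, v in directives.items() if k in EXEC_KEYS or SHELL_CMD.match(k)}
    reasons = []
    for key, cmd in launches.items():
        reasons.append(f"{key} runs a command on insertion: {cmd}")
        low = cmd.lower()
        m = RUNDLL_TARGET.search(low)
        if m and not m.group(1).strip().endswith(".dll"):
            reasons.append(f"rundll32 loads a file with a disguised extension: {m.group(1).strip()}")
        if "recycler" in low or "recycled" in low:
            reasons.append("command runs code from a RECYCLER/RECYCLED folder")
    if launches and "shell32.dll" in directives.get("icon", "").lower():
        reasons.append("borrows the Explorer folder icon while launching code")
    if launches and directives.get("action", "").lower().startswith("open folder"):
        reasons.append("mimics Explorer's 'Open folder to view files' AutoPlay entry")
    if junk >= 5:
        reasons.append(f"{junk} junk-padded lines (padding used to defeat naive signature matching)")
    return {"directives": directives, "junk_lines": junk, "reasons": reasons, "suspicious": bool(reasons)}


def check_file(path):
    """Assess an autorun.inf on disk, e.g. the root of a mounted removable drive."""
    with open(path, "rb") as fh:
        return assess_autorun(fh.read())


if __name__ == "__main__":
    for name, data in (("conficker-style", CONFICKER_STYLE), ("benign", BENIGN)):
        result = assess_autorun(data)
        print(f"{name}: suspicious={result['suspicious']}")
        for reason in result["reasons"]:
            print(f"  - {reason}")
```

Any `open` or `shellexecute` directive on removable media is worth a finding on its own in a control environment; the remaining indicators distinguish a vendor disc that launches its installer from a file built to hide a worm.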
As noted in previous sections, relatively new threats such as TRITON were also identified and blocked. While data was inconclusive, researchers estimate that approximately 10% of malware variants were less than one week old.
Catching Missed Malware
To determine the efficacy of SMX, the threats uncovered by this study were also analyzed using other commercial security tools. Despite the fact that many of these threats have been known for some time, 5% of the total threats discovered by SMX were completely undetected by all commercial anti-malware solutions tested (and remained undetected at the time this report was written). A further 11% of the malware variants were detected only erratically, and only by a few anti-virus engines. In addition, the estimate that 10% of malware variants were less than a week old at the time of detection is a concern within industrial facilities, where many organizations update anti-virus signatures less frequently. For facilities relying on anti-virus solutions that are out of date, such newer malware variants are completely undetectable.
SMX improves detection performance using a variety of advanced threat detection and threat intelligence technologies, and performs continuous efficacy tests to ensure that SMX is using the best techniques available. While these report findings indicate that SMX is performing well, the severity of the threats discovered warrants the use of additional security measures for true defense-in-depth.
Security Implications for Operators
These report findings clearly illustrate the importance of adopting and adhering to common industrial cyber security best practices:
- USB security must include technical controls and enforcement. Relying on policy updates or people training alone will not suffice for scalable threat prevention. Despite the widespread belief that USB drives are dangerous, and despite the prevalence of corporate USB usage policies, the data provides ample evidence that USB hygiene is generally poor.
- Outbound network connectivity from process control networks should be tightly controlled, and the restrictions should be enforced by network switches, routers and firewalls. While USB drives are useful vectors of initial infection, the attack types seen here reveal a tendency for attackers to establish remote access and to download additional payloads as needed.
- Security upkeep is important: anti-virus software deployed in process control facilities must be updated daily to be effective at all. Even then, additional protection is recommended, given the poor detection rates of common AV products against the threats analyzed here.
- Patching and hardening of end nodes is necessary, despite the challenges of patching production systems. While sophisticated and targeted attacks were detected, many old threats were identified and could be easily mitigated by simply keeping the infrastructure current.
- USB security hygiene is poor. Additional cyber security education is required for proper handling and use of removable storage. This is supported by the presence of video game cheat engines, password crackers, and known hack tools found among the samples analyzed. This can and should be addressed through employee and partner awareness programs, operational personnel cyber security training, and sound security policy development.
- Ransomware is a serious threat to industrial facilities. Its financial impact is largely mitigated by maintaining regular backups and a tested recovery process. Paying a ransom is never ideal: restoration of systems is not guaranteed, and payment encourages further ransomware campaigns against industrial systems if they are seen as a viable market. For further advice, as well as many ransomware identification and decryption tools, visit https://www.nomoreransom.org
Conclusion: Is the Sky Falling?
While the types of threats discovered on inbound USB removable storage were more serious than the research team anticipated, the overall amount of malware was relatively small. The most important findings point to the inevitability of USB threat exposure, with nearly half of the SMX gateways analyzed blocking at least one malicious file.
When so many of the threats discovered are targeting ICS and potentially disruptive, every threat needs to be prevented. This report shares Honeywell USB security research findings to advance industry dialogue and threat prevention collaboration, in hopes of lowering cyber attack risk to industrial operations worldwide.
For the complete report, with a glossary of terms, click here
To learn more about Honeywell’s Industrial Cyber Security Solutions, visit www.becybersecure.com or contact your Honeywell account manager.