USB removable media - The danger from within

The digital transformation brings many advantages - but also dangers. Increasing networking also increases the risk of malware and cybercriminals. However, one of the greatest dangers comes from within.

USB removable media are considered a security risk for companies. © Shutterstock / Gorodenkoff

As automation in industrial companies grows, so do certain challenges. While digital transformation can offer numerous competitive advantages, it also opens up new ways for a company to be attacked. Industrial cyber security is therefore one of the biggest technical challenges of our time. As a rule, many companies and plant operators across industries do not expect to be the target of a sophisticated cyberattack. This is a misconception with potentially serious consequences. Another aspect is often underestimated or barely considered: the danger can also come from the inside. The Honeywell Industrial USB Threat Report, which examined 50 facilities worldwide in industrial sectors such as oil/gas, energy, chemicals and pulp and paper manufacturing, recently showed that USB removable storage devices in particular are a significant source of threats to industrial companies.

The high damage potential of the malware found is one of the main findings of the study. One in four infected USB removable storage devices had the potential to cause significant disruption in the industrial control environment. Of these, 16 percent of the malware found was specifically designed to disrupt industrial control systems (ICS) or IoT systems. Furthermore, 15 percent of the malware identified was well-known malware such as Mirai, TRITON, WannaCry or a variant of Stuxnet, which was specifically placed on USB removable media intended for industrial plant systems. Plant operators know that it only takes one vulnerability to cause costly damage to operations.


The dependence on removable media

Even if companies do not use USB media internally, external service providers largely rely on USB-based data exchange when implementing frequent updates in customer systems. It is currently almost impossible to operate industrial systems without removable media, because USB is still one of the most common methods for data transport and exchange in automation. 90 percent of employees and service providers use removable media to transfer their data. One example: if there are 259 open USB interfaces in an oil refinery and a further 28 external employees are active every day in addition to the numerous in-house employees, the potential danger posed by supposedly inconspicuous USB storage media can quickly be extrapolated.

Companies that cannot do without the advantages of USB media in automation systems (SCADA/DCS) must protect themselves against USB-based attacks with dedicated solutions.

Traditional IT products for USB protection still face the following challenges, among others:

- USB-related policies are not enforced, because USB scanning can be bypassed or files can be added and modified after the initial scan.
- USB security mechanisms are usually weak, because anti-virus programs only scan files for threats at the USB storage level, not at the USB firmware level. As a result, polymorphic malware remains undetected, and more recent threats such as BadUSB and Rubber Ducky would not be detected either.
- A great deal of manpower and manual effort is required to update the malware signatures.
- New vulnerabilities are added with a delay and depending on staff availability. Protection mechanisms are therefore never really up to date. These delayed system updates pose a risk to corporate security.

On top of this, conventional USB protection solutions are connected to the control and automation networks. All these factors increase the attack surface for cyberattacks on company networks and can have devastating consequences.

Check USB removable media

Traditional USB scanners ultimately do not solve the security problem of removable media in industrial sites, as they require continuous updating of the antivirus software. In addition, they are only designed to detect IT-related threats. Honeywell's answer to the USB storage device as a potential malware smuggler is "Secure Media Exchange" (SMX), a holistic solution against USB-based attacks on the IT and OT network. SMX consistently enforces security policies by only allowing access to the USB device after check-in. It also offers tamper protection and digitally marks clean files.

USB data carriers that are to be used in the company are inserted into a compact, robust hardware-software box (SMX Gateway), checked and, after verification, encrypted with a unique certificate. At the same time, the SMX Driver is installed on each device to be protected, which can then only recognize and read verified and encrypted media. This prevents unverified USB devices from using the USB ports; the SMX Driver only keeps the interface open for verified USB devices. Checked-in, encrypted USB media are no longer recognizable to other computers, which prevents malware from being transferred afterwards to a USB medium that has already been checked in. The automation security policies are thus enforced consistently and without exception.
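The file-integrity part of such a check-in scheme, as an added example that is not taken from the article and is not Honeywell's SMX implementation: a scanning station seals the scanned file set, and a protected host rejects media whose files were added or modified after the scan. The HMAC key, the function names and the sample files are assumptions constructed for illustration; the article only says that a certificate is used.

```python
import hashlib
import hmac
import json

# Constructed demo key (assumption). A real deployment would use an asymmetric
# signature so that protected hosts never hold the signing secret.
STATION_KEY = b"constructed-demo-key"


def _digests(files):
    """Map each path on the medium to the SHA-256 of its content."""
    return {path: hashlib.sha256(data).hexdigest() for path, data in files.items()}


def check_in(files, key=STATION_KEY):
    """Scanning station, after the scan has passed: seal the exact file set."""
    body = json.dumps(_digests(files), sort_keys=True).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest()
    return {"body": body.decode(), "tag": tag}


def verify(files, manifest, key=STATION_KEY):
    """Protected host: return a list of findings, empty if the medium is unchanged."""
    body = manifest["body"].encode()
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, manifest["tag"]):
        return ["manifest: seal invalid, reject medium"]
    sealed = json.loads(body)
    current = _digests(files)
    findings = []
    for path in sorted(set(sealed) | set(current)):
        if path not in sealed:
            findings.append(f"{path}: added after check-in")
        elif path not in current:
            findings.append(f"{path}: removed after check-in")
        elif sealed[path] != current[path]:
            findings.append(f"{path}: modified after check-in")
    return findings


# Constructed sample medium: path -> file content.
MEDIUM = {"update/fw_v2.bin": b"\x7fFIRMWARE", "readme.txt": b"install notes"}
MANIFEST = check_in(MEDIUM)

if __name__ == "__main__":
    tampered = dict(MEDIUM, **{"autorun.inf": b"[autorun]"})
    tampered["readme.txt"] = b"install notes (edited)"
    print(verify(MEDIUM, MANIFEST))
    print(verify(tampered, MANIFEST))
```

A manifest like this only covers file content; it says nothing about the device firmware, so it does not address BadUSB-style devices.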

The SMX Gateway is not connected to the system network and carries out the check process for unknown USB removable media in isolation. © Honeywell

The SMX Gateway is also not connected to the system network and carries out the checking process for unknown USB removable media in isolation. SMX is therefore not a target. The SMX Gateway communicates directly and permanently, via LTE or Ethernet, with Honeywell's hybrid service subscription Advanced Threat Intelligence Exchange (ATIX). ATIX provides always up-to-date threat information with self-learning functions and automation. This limits the time window for attacks on system operation.

SMX also means lower maintenance costs, as it does not require manual maintenance. It is a fully managed solution and can therefore contribute to cost savings through personnel efficiency and integrated threat detection. SMX updates its protection independently and continuously, informing the system about industrial and control technology threat sources that go far beyond standard antivirus software. Globally detected threats are thus automatically added to the threat sources, which are constantly expanded.

SMX scans not only the files but also the USB firmware, and protects against threats such as BadUSB or Rubber Ducky. In addition to antivirus scans, SMX offers advanced reputation and file code analysis and thus also protection against polymorphic malware.

In addition, Honeywell offers a range of services for recording and assessing the respective threat situation, creating a cyber security profile for the company in question, integrating technology and training the relevant personnel. Even the outsourcing of certain measures, such as automatic patching or regular monitoring and notification in the event of an alarm, is now possible with corresponding managed services packages.
