How To Manage The Risks Of Removable Media In Your OT Network

Written by Joe Buck

 INTRODUCTION

I was walking into the office recently when I spotted a USB flash drive on my desk that wasn’t mine. It wasn’t there yesterday when I left, and it didn’t have a name on it. The first thing I wanted to do was plug it into my laptop, find out who owned it, and get it off my desk – I imagine that’s the first thing anyone would want to do – but my cyber security head stopped me and said: “This is a really bad idea”. Eventually, someone claimed the drive as theirs and there was no problem, but what if it wasn’t? By absent-mindedly connecting that drive to my device I just might have assisted in a cyber-attack.

What would you do if you, a colleague, or an employee found an unknown removable device? After reading this article, you’ll be better equipped to answer that question.

October 2022 is Cybersecurity Awareness Month with this year’s theme being ‘See yourself in Cyber’.

Even with all the techy language and complexity, cybersecurity is all about people. Keeping a computer safe usually boils down to how people use it – or misuse it. With this in mind, I’m going to talk about removable media, highlighting the importance of controlling how people use it, and how that can make or break the security of your network.


WHAT IS REMOVABLE MEDIA

Any device that can be removed from a computer while it is running counts as removable media. People deal with removable media every day: if you’re looking at a USB flash drive, an external hard drive, an optical disk, or even a smartphone you’re looking at something that can quickly connect, transfer data to a computer, and just as quickly disconnect. They’re super easy to use, super convenient and super portable, but it’s the portability that makes them easy to lose track of in a business environment. Effective use of removable media devices is possible, but the risks that arise scale very quickly the more reliant on them you are.

Private data suddenly becomes public as a result of the loss or theft of a flash drive. Any information about the configuration of your OT environment could give attackers an advantage and make you more of a target. If security logs are being stored on removable media, then any shadow data – sensitive data such as credentials sitting in raw text inside the logs, for example – could reveal account details if the device left the organisation. Because removable media is so portable, it is very easy for a disgruntled employee to exfiltrate data whilst remaining almost untraceable compared to other means. This compromise of data could spell financial and reputational damage, plus further impact on site operations due to attention from outside attackers.
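The shadow-data point above is concrete enough to show in code. The following is an added example, not code from the original article or any vendor: a small redaction pass that you could run over security logs before they are ever written to removable media, masking the credential-like values that commonly leak into raw text. The sample log lines and the key names (`password=`, `token=`, `Authorization: Basic`) are constructed assumptions about typical log formats, so extend the patterns to match what your own systems actually emit.

```python
import re

# Constructed sample log lines (not from any real system). They show "shadow data":
# credentials that have ended up in plain text inside otherwise routine log entries.
SAMPLE_LOG = """\
2022-10-03 08:12:01 INFO  hmi01 login user=operator password=Summer2022! result=ok
2022-10-03 08:12:05 DEBUG hist01 http GET /api/tags Authorization: Basic b3BlcmF0b3I6U3VtbWVyMjAyMiE=
2022-10-03 08:13:44 INFO  plc-gw session opened for operator from 10.0.5.12
2022-10-03 08:15:10 WARN  hist01 connect failed token=eyJhbGciOiJIUzI1NiJ9.abc.def retry=1
"""

# (regex, replacement) pairs. The key names are assumptions about common log formats.
SECRET_PATTERNS = [
    # key=value secrets: password=..., passwd=..., pwd=..., token=..., secret=..., api_key=...
    (re.compile(r'(?i)\b(password|passwd|pwd|token|secret|api[_-]?key)=\S+'),
     r'\1=<REDACTED>'),
    # HTTP Authorization headers (Basic or Bearer) followed by the credential itself
    (re.compile(r'(?i)\b(Authorization:\s*(?:Basic|Bearer))\s+\S+'),
     r'\1 <REDACTED>'),
]


def redact_line(line: str) -> tuple[str, int]:
    """Mask every secret value in one line. Returns (cleaned line, number of masks applied)."""
    total = 0
    for pattern, replacement in SECRET_PATTERNS:
        line, n = pattern.subn(replacement, line)
        total += n
    return line, total


def redact_log(text: str) -> tuple[str, list[tuple[int, int]]]:
    """Redact a whole log. Returns the cleaned text plus a list of
    (line number, masks applied) for every line that had to be changed,
    so you can see which sources are writing secrets into logs at all."""
    cleaned = []
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        new_line, n = redact_line(line)
        cleaned.append(new_line)
        if n:
            findings.append((line_no, n))
    return "\n".join(cleaned) + "\n", findings


if __name__ == "__main__":
    cleaned_text, hits = redact_log(SAMPLE_LOG)
    print(cleaned_text)
    for line_no, n in hits:
        print(f"line {line_no}: {n} secret value(s) masked")
```

Redaction on export is a stop-gap: the findings list is the more useful output, because each hit identifies a system that is logging credentials in clear text and should be fixed at source.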


There is a massive risk of data leaving the boundary of an organisation via removable media. The issue of traceability of these devices becomes apparent when nobody in the organisation knows who has access to removable media, what is allowed to be stored on it, or which removable devices are actually in use. These questions need to be answered to get a hold on how people are currently using removable media on your site. Only with this understanding can you start looking at controlling data being improperly exfiltrated. While a sensitive removable device leaving your boundary sounds like a massive headache to manage, there could be just as many problems for you if one comes in.
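The three questions above (who has access, what may be stored, which devices are in use) are what a removable-media asset register answers, and once you have one you can check real device activity against it. The following is an added example, not code from the original article: it audits a constructed set of USB connection events against a constructed register of approved drives, and flags devices that are not registered at all, registered devices used by someone other than their owner, and registered devices connected to a host they are not approved for. The event fields (host, user, vendor ID, product ID, serial) are an assumption about what a host-based agent or operating-system device-install event typically records; the serials and hostnames are made up.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class UsbEvent:
    """One removable-device connection event as a host agent might record it."""
    timestamp: str
    host: str
    user: str
    vid: str      # USB vendor ID (hex string)
    pid: str      # USB product ID (hex string)
    serial: str   # serial number reported by the device


# Constructed sample events (not real data).
SAMPLE_EVENTS = [
    UsbEvent("2022-10-03T07:58:10", "eng-ws-01", "jsmith",      "0781", "5581", "4C530001230412345678"),
    UsbEvent("2022-10-03T09:21:33", "hmi-02",    "operator",    "0951", "1666", "E0D55EA5C7B1F2A0A0B1"),
    UsbEvent("2022-10-03T11:04:52", "eng-ws-01", "contractor7", "0781", "5581", "4C530001230412345678"),
    UsbEvent("2022-10-03T13:40:05", "hist-01",   "jsmith",      "abcd", "1234", "NOSERIAL"),
]

# Constructed removable-media register: serial -> owner and the hosts it may be used on.
# In practice this is the asset register the article says you need to build.
DEVICE_REGISTER = {
    "4C530001230412345678": {"owner": "jsmith",   "hosts": {"eng-ws-01", "eng-ws-02"}},
    "E0D55EA5C7B1F2A0A0B1": {"owner": "operator", "hosts": {"hmi-02"}},
}

VERDICT_OK = "ok"
VERDICT_UNREGISTERED = "unregistered-device"
VERDICT_WRONG_USER = "wrong-user"
VERDICT_WRONG_HOST = "wrong-host"


def classify(event: UsbEvent, register: dict) -> str:
    """Compare one event with the register and return a verdict string."""
    entry = register.get(event.serial)
    if entry is None:
        return VERDICT_UNREGISTERED          # nobody knows this drive: investigate
    if event.user != entry["owner"]:
        return VERDICT_WRONG_USER            # known drive, but not in its owner's hands
    if event.host not in entry["hosts"]:
        return VERDICT_WRONG_HOST            # known drive on a machine it was never approved for
    return VERDICT_OK


def audit_usb_events(events, register) -> list[tuple[UsbEvent, str]]:
    """Classify every event; returns (event, verdict) pairs in input order."""
    return [(ev, classify(ev, register)) for ev in events]


def summarise(results) -> dict[str, int]:
    """Count verdicts so the register's coverage can be tracked over time."""
    counts: dict[str, int] = {}
    for _, verdict in results:
        counts[verdict] = counts.get(verdict, 0) + 1
    return counts


if __name__ == "__main__":
    results = audit_usb_events(SAMPLE_EVENTS, DEVICE_REGISTER)
    for ev, verdict in results:
        if verdict != VERDICT_OK:
            print(f"{ev.timestamp} {ev.host} user={ev.user} serial={ev.serial}: {verdict}")
    print(summarise(results))
```

The verdicts are ordered from most to least serious on purpose: an unregistered serial is the case the article is most concerned with, because it is a device the organisation cannot trace at all. A serial of `NOSERIAL` (or a blank one) is worth treating as unregistered in its own right, since cheap drives often report no unique serial and therefore cannot be put on a register reliably.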

REMOVABLE MEDIA & THE HUMAN FACTOR

Defence in depth (DiD) is a security model whereby a system is kept secure through many different layers of defences. It is much less likely for a malicious actor to penetrate an environment if they cannot find an easy way in, right? If your endpoint protection is maximised, your firewall configuration is on the money, and your security logs are spotless, you’ve got far less to worry about. But when an employee waltzes through all of the locked doors and plugs in a flash drive they found lying around outside the building to see what it might have on it, what’s to say they didn’t just bypass all of those defences and serve your control systems on a silver platter?

In a report on the current state of operational technology and cybersecurity by Fortinet [1], they show that 29% of all organisations from their global survey experienced intrusions associated with removable media. Fewer intrusions due to insider threats, malware and phishing were experienced by organisations with higher security maturity levels. But alarmingly, intrusions due to removable media at organisations with the highest level of maturity increased by 50% compared to others. This isn’t a recommendation from Fortinet (or me) to quickly think of ways to reduce your security maturity so you are less likely to get attacked. This is them showing that even if your DiD is top of the range, you can still be vulnerable to attacks due to your mismanagement – or your employees’ mismanagement – of removable media.

The reason the figures for higher maturity levels are so steep is because of the human factor involved in this kind of attack. While security awareness training goes a long way to helping people make the right decisions, humans are not programmable and will make mistakes that lead to attacks like this happening.

According to Cybint [2] – a cyber security education and training company – 95% of cyber incidents are caused by human error. The majority of this statistic is eaten up by the huge number of phishing attacks that occur every day. But thinking about it further, there is no real difference between introducing a malicious actor via clicking a dodgy link in an email and connecting a dodgy flash drive to your internal network. Both methods result in an attacker getting what they want, and both exploit our naturally curious nature. Both are examples of social engineering, a tool in a threat actor’s belt that exploits computer systems via the people who work with them.

I’ve worked with a lot of our customers and met people who are ultimately responsible for the cybersecurity of very large industrial systems. From what I’ve seen, I know that even though you can’t exactly record them in an asset register, the people who access your internal network every day are your most important, and most vulnerable assets. For a threat actor to bypass any countermeasure, they just need to exploit someone who is already inside.

This might involve using social engineering techniques to stalk a single target or a small team, planting an infected device and tricking them into connecting it to their network – sniping out an individual. In contrast, it could also mean creating dozens of infected flash drives, pasting the target company’s logo onto them, and planting them all over the place in the hope that someone picks one up and plugs it in – carpet bombing the whole company. Flash drives are a very versatile device because they are so cheap and easily replicated – that’s why they’re so useful in a workplace after all – but this inexpensiveness and expendability is also why they’re such a popular tool for cyber-attacks.

MALWARE IN YOUR POCKET

When someone says “don’t plug that drive in, it might be infected” they mean that something on that device contains a virus or malware. Those with some security knowledge may have heard terms such as worms or trojans that do different things or initiate in different ways, but ultimately, a computer virus infecting a device is going to lead to unwanted things happening on a machine in one way or another. If malware contained on a device propagates through the whole network, then the whole network is now infected. The key to stopping propagation is segregation, the most extreme form being fully disconnecting and isolating infected systems. For an IT network, segregating infected systems, or even entire networks, could be a painful and disruptive procedure resulting in downtime while systems are restored. Disconnecting a whole OT network might not even be possible, due to the massive impact it could have.

Any downtime of critical national infrastructure (CNI) such as oil refineries, gas pipelines and chemical processing plants affects much more than just the company that owns the site. An imbalance between supply and demand affects the wider national economy. Some organisations operate under the HSE’s Control of Major Accident Hazards Regulations – classed as COMAH sites – meaning their safety instrumented systems (SIS) need to be operating with immaculate health. What if a virus introduced on a controller workstation propagates into one of your SIS zones?

Disaster could strike if the plant needs to shut down and finds that it can’t do so safely.

The point is, any breach in an OT network leads to management, operators and maybe even you reading this now having to make difficult decisions. So, the elimination of removable media as a potential attack vector wouldn’t just make your IACS environment safer, it would make your life a lot easier too.

There are dozens of different things you can modify or add to a USB flash drive that make it dangerous to plug into any computer. The drive can contain a keylogger, a type of spyware that runs on the machine and logs all input to the device – this data can be sent to attackers to analyse passwords and account details being typed into that machine. It could contain ransomware, an increasingly prominent threat to OT: entire systems are encrypted and threatened with being completely wiped unless a ransom is paid to the attackers. It could even be entirely destructive malware, where an attacker’s objective is not to exfiltrate data, but to destroy it.

Probably the most prolific malware disseminated by USB devices is Stuxnet, a worm that utilised four zero-day exploits in Windows systems to stifle Iran’s nuclear program as it was nearing operational status.

The Stuxnet worm, initially introduced by a flash drive to the Iranian uranium enrichment facility, worked its way through the operational network and over time, issued commands to various PLCs that caused the nuclear centrifuges to literally tear themselves apart while reporting normal operational conditions. While this was a gigantic, government-funded attack originating from a very politically charged agenda, the fact remains that no damage would have been done if the human element was managed, and a flash drive wasn’t plugged in.

A lot of malici