
USB attacks: Big threats to ICS from small devices

USB devices can carry malware that can wreak havoc on industrial control systems. Expert Ernie Hayden explores the history of USB attacks and possible mitigations.

It's amazing that a device as small as a USB drive could be a serious threat to critical infrastructure systems. Although a USB drive is simply a chip on a stick, when used maliciously, it can deliver malware, steal critical data and enable other attacks.

Unfortunately, USB attacks have been used over the years to target systems with harmful results. The mother of all USB-delivered attacks on industrial control systems (ICS) was the Stuxnet worm in 2009.

Honeywell USB threat report

In November 2018, researchers at Honeywell International Inc. released a report entitled "Honeywell Industrial USB Threat Report." The Honeywell report offered some security research findings based on accumulated data from its proprietary Secure Media Exchange (SMX) platform. The industries represented in the data include industrial manufacturing and other enterprises, such as oil and gas, chemical, and pulp and paper.

The key finding in the report was that the USB device "... remains a significant vector specifically for industrial threats." Also, the report observed that USB-borne malware is significant. It noted that approximately a quarter of all threats blocked by SMX "... had the potential to cause a major disruption to an industrial control environment."

The mother of USB attacks

The Honeywell report validates the threat posed by infected USB drives to industrial environments. However, this threat vector was already in the spotlight following the 2009 Stuxnet attack on the Natanz uranium enrichment plant operated by the Iranian government.

According to reports, the June 2009 attack was launched when a worker inserted an infected USB drive into the Natanz control system. This drive was allegedly smuggled on site by an Iranian double agent working for Israel. The net result was substantial damage to many uranium centrifuges at the site and a temporary delay of the Iranian nuclear program.

The small, simple, unobtrusive USB drive delivered the first known malware attack that resulted in the physical destruction of equipment. This was a substantial wake-up call for the world -- especially industrial controls security experts who thought their systems were not of interest to any attackers.

Forms of USB attacks

USB drives pose two challenges to security professionals. First, detecting and preventing data leakage can be difficult due to their small size, ease of concealment and ubiquity. The second, which the Honeywell report documents, is the difficulty of preventing a system compromise from malware, viruses and spyware carried on the USB drive itself.

An interesting and disturbing list of 29 different types of USB attacks was compiled by researchers at Ben Gurion University of the Negev in Israel. They sorted the attacks into four separate categories:

  • reprogrammable microcontroller USB attacks;
  • maliciously reprogrammed USB peripheral firmware attacks;
  • attacks based on unprogrammed USB devices; and
  • electrical attacks caused by USB killers, which permanently destroy equipment when a USB triggers a rapid electrical charge/discharge cycle.

USBs can also be used in social engineering attacks, including attacks on industrial control systems. Researchers at Carnegie Mellon University analyzed the social engineering aspects of USB attacks.

For instance, there have been tests performed where infected USB drives have been tossed onto the pavement of parking lots where unsuspecting individuals might pick up the drive, and, out of curiosity, insert it into their computer to see what it contains.

Other USB network attacks include the following, outlined by ICS-CERT:

  • USB Switchblade. In this attack, the aggressor uses a USB device to illegally obtain user website credentials cached in the victim's browser or a victim's domain credentials. This can be used to bypass workstation screensaver authentication controls.
  • For this mode of attack, the U3 USB drive LaunchPad application is infected with malware. The malware then infects the LaunchPad application in the USB drive and uses the Autorun feature of Microsoft Windows as a means to copy itself to the victim's workstation and to other targeted machines. This attack vector is one primary reason why, in 2011, Microsoft recommended that Autorun be disabled.
  • USB Drive Infection. In this attack, a previously infected computer downloads malware onto a USB drive inserted into the machine. This is an example of jumping the air gap, where a newly infected USB drive is then used to transfer files to a separate ICS computer.

USB attacks and cases

Besides the Stuxnet attack, there have been other examples where USB drives were either maliciously used to inject malware into a system or were used accidentally, resulting in equipment shutdown, infection, etc.

Mariposa botnet (2008)

The Mariposa botnet is an attack methodology using cyberscamming and denial-of-service attacks. The botnet included 12.7 million unique IP addresses. One U.S. company affected by the Mariposa botnet discovered that the initial attack vector may have been a USB drive shared at an industry conference.

According to a 2010 U.S. Department of Homeland Security advisory, an instructor at an industry conference shared a USB drive with students at a training event. A utility employee attending the training inserted the infected USB drive into their laptop and subsequently brought the infected laptop back to the utility, thus spreading the Mariposa botnet into multiple business systems.

U.S. Department of Defense bans USB drives (2008)

In 2008, U.S. CERT issued a warning that malicious code was being spread via USB drives. Around the same time, the U.S. Department of Defense temporarily banned the use of USB drives and other removable storage devices because of the potential spread of malware.

Operation Copperfield (2017)

In an article that reads like the opening of a suspense thriller, the Industrial Safety and Security Source described how an employee used a USB drive to download and view a movie on a critical infrastructure computer in the Middle East. The operator did not realize that his actions released a piece of malware known as Copperfield that could result in data leakage, remote control of an ICS workstation and network scanning.

The Copperfield malware is very potent and can:

  • send information about the machine -- including the antivirus products installed -- to the attacker;
  • update itself;
  • upload any file from the machine to the attacker's server;
  • run any command on the machine;
  • download and run any added executable, such as malware, keystroke loggers, screen scrapers and audio recorders; and
  • infect a USB drive to spread the infection to other devices.

Mitigating the threat

A key approach to mitigating the threat of infected USB drives is focusing on the human aspect. There are multiple documents that offer guidance to ICS security managers to help them reduce the threat.

For instance, ICS-CERT -- now referred to as the National Cybersecurity and Communications Integration Center -- offers the following guidance for using USB drives:

  • establish strict policies for the use of USB drives on all enterprise and ICS networks; and
  • caution users about the USB drive attack vector and remind them that USBs of unknown or questionable origin should never be plugged into a business, personal or ICS computer.

The U.K. National Cyber Security Centre has also offered some guidance regarding USB drive hygiene. Their guidance suggests that you:

  • control how USB drives can be used;
  • block access to physical ports for most users;
  • use antivirus tools; and
  • only allow approved USB drives within your organization.
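
One way to check the "only allow approved USB drives" control on a Windows workstation, as an added example that is not from the original article or from the NCSC guidance. It assumes device instance IDs exported from the workstation's USBSTOR registry key; the allowlist, the sample IDs and the function names are constructed for illustration.

```python
import re

# Constructed allowlist of approved drives: (vendor, product, serial). Not real devices.
APPROVED = {
    ("SANDISK", "ULTRA_FIT", "4C530001230101117392"),
    ("KINGSTON", "DATATRAVELER_3.0", "E0D55EA574F1F6A0A8F10C2B"),
}

# Windows device instance ID layout for USB mass storage:
#   USBSTOR\Disk&Ven_<vendor>&Prod_<product>&Rev_<rev>\<serial>&<lun>
INSTANCE_RE = re.compile(
    r"^USBSTOR\\[^&\\]+&Ven_(?P<ven>[^&\\]*)&Prod_(?P<prod>[^&\\]*)"
    r"&Rev_[^&\\]*\\(?P<inst>.+)$",
    re.IGNORECASE,
)

def classify(instance_id):
    """Return (verdict, detail) for one USBSTOR device instance ID."""
    m = INSTANCE_RE.match(instance_id.strip())
    if not m:
        return ("unparsed", instance_id)
    inst = m.group("inst")
    # When a drive reports no unique serial, Windows generates the ID itself and
    # its second character is '&'; such a drive cannot be pinned by serial.
    if len(inst) > 1 and inst[1] == "&":
        return ("no-unique-serial", inst)
    serial = inst.rsplit("&", 1)[0].upper()
    key = (m.group("ven").upper(), m.group("prod").upper(), serial)
    return ("approved", serial) if key in APPROVED else ("unapproved", serial)

def audit(instance_ids):
    """Return (verdict, detail) for every ID that is not an approved drive."""
    results = (classify(iid) for iid in instance_ids)
    return [r for r in results if r[0] != "approved"]

# Constructed sample inventory, e.g. as exported from a workstation's USBSTOR key.
SAMPLE = [
    r"USBSTOR\Disk&Ven_SanDisk&Prod_Ultra_Fit&Rev_1.00\4C530001230101117392&0",
    r"USBSTOR\Disk&Ven_Generic&Prod_Flash_Disk&Rev_8.07\7&1c2f3a9b&0",
    r"USBSTOR\Disk&Ven_Kingston&Prod_DataTraveler_3.0&Rev_PMAP\AA00000000000489&0",
]

if __name__ == "__main__":
    for verdict, detail in audit(SAMPLE):
        print(verdict, detail)
```

A serial-number allowlist is an inventory control: it shows which drives have been connected, but a device with reprogrammed firmware can report any serial it likes, so it complements scanning and port blocking rather than replacing them.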

A newer way to check USB drives for malware before they are used at a physical plant is the USB virus check kiosk.

One vendor, Olea, offers a portable media cybersecurity kiosk to safeguard networks and ICS systems against malware threats caused by removable media brought in by contractors, vendors, employees or anyone else. The kiosk can scan USB drives and other portable media using up-to-date antivirus systems. For instance, the kiosk can be placed at the entrance to a production floor or factory building to specifically ensure that USB drives are clean before they cross the plant threshold.

Implementing policies and procedures to prohibit the use of unknown USB drives is a great start, but they require training and enforcement. Your technical barrier should include antivirus and possibly physically blocking USB ports. As Stuxnet and Copperfield demonstrated, the USB delivery vector can be a substantial risk, and it can result in cyber and physical damage to your plant.
