Prosoft
USB drive gateway
Industrial machines and the systems connected to them are usually equipped with the omnipresent USB interface. However, this connection is not only very popular with users, but also with cyber criminals.
OT networks are often fully or partially separated from the IT network to prevent online threats from reaching these areas. Many security standards and certifications, such as ISO 27001, require that the separation between IT and OT networks is managed in a controlled manner. OT networks contain ICS (Industrial Control Systems), which are usually structured as a SCADA (Supervisory Control And Data Acquisition) system or a DCS (Distributed Control System). These in turn contain robots, programmable logic controllers (PLCs) and IIoT devices that may need to receive or output data via a USB mass storage interface.
The standard USB mass storage interface itself offers very limited options for ensuring security. A USB device that identifies itself according to the USB standard generally gains full access to the parts of the host system dictated by the type of device, be it a mass storage device or a keyboard.
Malicious hardware and electrical attacks
The main culprit that has undermined trust in the USB protocol is known as BadUSB. BadUSB devices are, in short, "impostors": they masquerade as trustworthy drives but actually carry out an attack, often in the form of keystroke injection. The poster child for this type of attack is the USB Rubber Ducky produced by Hak5. In theory, even a security token such as a YubiKey could be programmed to deliver malicious content. These are by no means the only candidates, as general-purpose computing platforms such as Arduino or Raspberry Pi can also be used to mount the same attack. The know-how and budget required by the attacker are very low, as ready-made attack devices can be obtained for little money.
The lack of overvoltage protection is a further reason to distrust USB interfaces, as they simply supply power to everything that is connected. This behavior has made the so-called USB killer possible: the device uses the energy provided by the interface to charge capacitors and then discharges the accumulated charge back into the host via the USB port. This causes an overvoltage and often a complete electrical failure of the host computer. The USB killer is similar to a wrench thrown into a moving machine, except that it uses the USB port and leaves fewer traces. The end result is a broken robot with no clearly identifiable cause.
USB Jumping Malware
How can you maliciously affect an offline network? For the developers of the Stuxnet malware, the answer was simple: infect as many USB drives as possible, eventually the malware will find its industrial target system. Stuxnet waited patiently until one day a suitable target was reached: the workstation PC of an engineer with access to the PLC devices in the Iranian uranium enrichment plant in Natanz. An estimated 1,000 centrifuges were destroyed in the attack. The Stuxnet attack and the technology used in it gave rise to other ICS-specific threats, such as Trisis. Trisis, also known as Triton or Hatman, is capable of forcing a malfunction in the Triconex Safety Instrumented System (SIS), a commonly used logic controller from Schneider Electric. These controllers are primarily used to manage equipment in nuclear power, oil and gas production plants and paper mills. These attacks can have extraordinary consequences, as reported in MIT's Technology Review in 2019: "The malware can disable safety systems designed to prevent catastrophic industrial accidents. It was discovered in the Middle East, but the hackers responsible are now targeting companies in North America and other parts of the world." This prompted MIT Technology Review to call it "the world's most murderous malware". The reason for this is a high-profile attack that TechCrunch summarized as an attempt to "blow up a Saudi petrochemical factory."
The common weakness of PLCs that is exploited in these attacks is the lack of verification based on cryptographic signatures, as the devices more or less process what is delivered to them - assuming the format is correct. In this context, it should be noted that all normal desktop computers in OT networks can of course be infected with standard malware attacks. One example is the Spora ransomware discovered in early 2020, which can spread via generic USB drives.
USB security solutions
Datalocker offers a secure USB hardware solution with the Sentry K350, which has been available since November 2021.
© Prosoft
Dealing with security in an ICS environment generally requires a multi-layered approach, as recommended by NIST (National Institute of Standards and Technology) in the Guide to Industrial Control Systems (ICS) Security. USB protection measures are only one part of a complex protection concept. The ICS-CERT, the National Cybersecurity and Communications Integration Center, has published a guide specifically for the use of USB drives: it recommends creating strict guidelines for corporate and ICS networks. How these are designed depends on the respective organization.
The physical layout of plant and OT networks can vary greatly, from a single industrial plant to the widely distributed network of a power grid operator.
Below are suggested solutions that meet the required criteria.
Standardized USB devices in the OT network
Physical security controls should ensure that only selected, trusted, managed and secure USB devices are allowed for use on the OT network. This eliminates the threat of malicious hardware attacks and especially an electrical attack. Some OT networks are more difficult to control in terms of which devices are allowed physical access, so this approach often requires supporting measures to be effective.
One example of how to better secure OT networks is USB sticks with an alphanumeric keypad. These keypad devices can be fully managed and monitored. If they are connected to client PCs, they can also be used as removable media with controlled, independent authentication. The ability to unlock independently of the host is crucial for PLC and IoT devices to read and write data. The devices also offer the ability to purge the media using cryptographic erasure, which is essential for moving media between networks with different requirements. Cryptographic erasure can also be part of a legal requirement to ensure that confidential data is destroyed after a project is completed.
Set up area protection boundaries
Kiosk systems or removable media locks are another protective measure. The purpose of these systems, also known as white stations, is to implement access control between the IT and OT networks. This allows a defined level of security to be achieved for all data that is brought into the OT network. The white station should be designed as the gatekeeper and the only device at which external data is admitted. There are a variety of ways to set up a desktop computer as a white station. In general, the device should have an up-to-date anti-malware engine and a regular maintenance schedule for operating system updates. The standard hardware can also be supplemented with an ESD (Electrostatic Discharge) protected USB hub to prevent overvoltage. It is also recommended to allow only one HID keyboard, which immediately eliminates most BadUSB hazards.
Optional policies to restrict file types
By combining different technologies, it is possible to set up one or more white stations depending on the policy. The USB stick can be configured so that integrated malware protection stops malware introduced via USB immediately. When managing the stick, a file restriction policy can specify which file types are permitted for the OT network. If the device is combined with USB port control software on the desktop, further protection can be achieved: the software can then be configured so that only read operations from devices on the white station are permitted.
Check USB ports at any time
Where possible, access to USB ports on PLCs and computers that cannot run USB port control software should also be restricted by lockable cabinets or physical USB port locks. Port control software should be installed on every standard operating system. The logic behind this protection is quite simple: by restricting access to the USB port, the threat of unauthorized USB devices is eliminated. USB port control software should be installed on all compatible computers in the OT and IT network to ensure that only authorized devices can be used as USB mass storage devices.
Data cleansing of storage devices
Regularly sanitizing used storage media is another sensible measure to prevent the spread of malware. This ensures clean handover points in operation and can also be part of regulatory compliance, proving that sensitive data is never stored indefinitely on removable media. Normal USB drives can be described as data hoarding devices, as their wear leveling is designed to maximize device life. This means that data sectors are only overwritten when absolutely necessary, regardless of whether the file allocation table (FAT) indicates a "clean" device. With a regular USB drive, the user feels safe, but the data can easily be recovered by anyone.
Hardware-encrypted drives solve the complicated cleanup problem by using a method called "cryptographic erasure". This involves destroying the previous key and generating a new AES key. This process ensures that the media is clean and meets the NIST SP 800-88 guidelines for media sanitization. Most countries have similar standards, as complete cryptographic erasure is the fastest and most effective form of erasure.
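The difference between "deleting" a file on an ordinary drive and cryptographic erasure on a hardware-encrypted drive is easier to see in code. The following is an added example, not code from Prosoft or Datalocker: it models a tiny flash drive with an allocation table and sectors, and a second drive that encrypts every sector before it reaches flash. The per-sector keystream is a constructed SHA-256 counter construction standing in for the AES mode a real drive uses; the sector size, file names and contents are constructed for the demo.

```python
import hashlib
import secrets

SECTOR = 16  # constructed: tiny sector size so the raw dump stays readable


def keystream(key: bytes, sector_no: int, length: int) -> bytes:
    """Constructed stand-in for AES in a sector-tweaked mode: derive a keystream
    from SHA-256(key || sector number || block counter). Illustration only."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(
            key + sector_no.to_bytes(8, "big") + counter.to_bytes(4, "big")
        ).digest()
        counter += 1
    return out[:length]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class PlainDrive:
    """Ordinary flash drive: deleting a file only clears its allocation entry;
    the sectors keep their contents until wear leveling reuses them."""

    def __init__(self, sectors: int = 8):
        self.flash = [bytes(SECTOR)] * sectors
        self.fat = {}  # filename -> list of sector numbers

    def _store(self, sector_no: int, chunk: bytes) -> None:
        self.flash[sector_no] = chunk

    def _load(self, sector_no: int) -> bytes:
        return self.flash[sector_no]

    def write(self, name: str, data: bytes) -> None:
        chunks = [data[i:i + SECTOR].ljust(SECTOR, b"\0") for i in range(0, len(data), SECTOR)]
        in_use = {s for used in self.fat.values() for s in used}
        free = [s for s in range(len(self.flash)) if s not in in_use]
        if len(chunks) > len(free):
            raise OSError("drive full")
        self.fat[name] = free[:len(chunks)]
        for s, chunk in zip(self.fat[name], chunks):
            self._store(s, chunk)

    def read(self, name: str) -> bytes:
        return b"".join(self._load(s) for s in self.fat[name]).rstrip(b"\0")

    def delete(self, name: str) -> None:
        del self.fat[name]  # what a normal "delete" does: FAT entry gone, data stays

    def raw_dump(self) -> bytes:
        """What a forensic tool sees when it reads the flash chips directly."""
        return b"".join(self.flash)

    def recoverable(self, needle: bytes) -> bool:
        return needle in self.raw_dump()


class EncryptedDrive(PlainDrive):
    """Hardware-encrypted drive: flash only ever holds ciphertext under the
    current key; cryptographic erasure discards that key and generates a new one."""

    def __init__(self, sectors: int = 8):
        super().__init__(sectors)
        self.key = secrets.token_bytes(32)  # stands in for the drive's AES key

    def _store(self, sector_no: int, chunk: bytes) -> None:
        self.flash[sector_no] = xor(chunk, keystream(self.key, sector_no, SECTOR))

    def _load(self, sector_no: int) -> bytes:
        return xor(self.flash[sector_no], keystream(self.key, sector_no, SECTOR))

    def crypto_erase(self) -> None:
        self.fat.clear()
        self.key = secrets.token_bytes(32)  # old ciphertext is now unrecoverable

    def decrypt_everything(self) -> bytes:
        """Best effort an attacker with the (new) key could make after erasure."""
        return b"".join(self._load(s) for s in range(len(self.flash)))


if __name__ == "__main__":
    recipe = b"SECRET PLC PARAMETERS"  # constructed sample content
    plain = PlainDrive()
    plain.write("recipe.txt", recipe)
    plain.delete("recipe.txt")
    print("plain drive, after delete, raw dump still holds data:", plain.recoverable(b"SECRET"))
    enc = EncryptedDrive()
    enc.write("recipe.txt", recipe)
    print("encrypted drive, read through controller:", enc.read("recipe.txt"))
    enc.crypto_erase()
    print("encrypted drive, after crypto erase, recoverable:", enc.recoverable(b"SECRET"))
```

Run it and the plain drive still yields the deleted content from its raw dump, while the encrypted drive never exposes plaintext in flash at all, and after `crypto_erase()` even the controller with its fresh key cannot turn the old sectors back into the recipe. That is the property NIST SP 800-88 relies on when it accepts cryptographic erase as a purge method.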
Anti-malware and data authenticity
The white stations and all compatible endpoints in the OT network should be equipped with at least one malware protection layer, especially to combat malware that spreads via USB. In addition, all data destined for PLCs or machines should be verified in advance on the white stations. This can be done by checking cryptographic signatures or hash values provided by the software manufacturer. This step ensures that the transferred data is an exact copy of the data originally supplied by the software developer.
A USB stick with both integrated malware protection and file type restrictions is therefore recommended. This allows an administrator to check the MD5 hash value of all data stored on the device to ensure that only the correct data is transferred to the PLC.
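The file type policy and the hash check described in the two preceding sections can be combined into one transfer gate on the white station. The following is an added example, not Prosoft's or Datalocker's code: it takes the files staged on the stick together with a manufacturer manifest, rejects anything whose type is not on the allowlist, anything the manifest does not list, and anything whose digest does not match. The manifest format (`<algorithm> <hexdigest> <filename>` per line), the allowed extensions and the sample files are all constructed assumptions. MD5 is supported because the text mentions it, but the gate also accepts SHA-256, which is what a manufacturer should publish today since MD5 is no longer collision resistant.

```python
import hashlib
import hmac
import os

# Constructed policy: the only file types the OT side will accept from a white station.
ALLOWED_EXTENSIONS = {".bin", ".hex", ".csv"}
SUPPORTED_HASHES = {"md5", "sha256"}


def build_manifest(files: dict, algo: str = "sha256") -> str:
    """Simulates what the software manufacturer publishes with a release:
    one line per file in the form '<algo> <hexdigest> <filename>' (assumed format)."""
    return "\n".join(
        f"{algo} {hashlib.new(algo, data).hexdigest()} {name}" for name, data in files.items()
    )


def parse_manifest(text: str) -> dict:
    """Returns {filename: (algo, hexdigest)}; refuses malformed or unknown-hash lines
    rather than silently skipping them."""
    entries = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(maxsplit=2)
        if len(parts) != 3:
            raise ValueError(f"malformed manifest line: {line!r}")
        algo, digest, name = parts
        if algo not in SUPPORTED_HASHES:
            raise ValueError(f"unsupported hash algorithm {algo!r} for {name}")
        entries[name] = (algo, digest.lower())
    return entries


def check_transfer(files: dict, manifest_text: str) -> dict:
    """Decide per file whether it may leave the white station for the PLC side.
    files: {filename: content bytes} as read from the stick."""
    expected = parse_manifest(manifest_text)
    verdicts = {}
    for name, data in files.items():
        ext = os.path.splitext(name)[1].lower()
        if ext not in ALLOWED_EXTENSIONS:
            verdicts[name] = "rejected: file type not permitted"
            continue
        if name not in expected:
            verdicts[name] = "rejected: not listed in manufacturer manifest"
            continue
        algo, digest = expected[name]
        actual = hashlib.new(algo, data).hexdigest()
        # compare_digest avoids timing side channels; functionally the same as ==
        if not hmac.compare_digest(actual, digest):
            verdicts[name] = f"rejected: {algo} mismatch"
            continue
        verdicts[name] = "allowed"
    return verdicts


if __name__ == "__main__":
    # Constructed release and manifest, as the manufacturer would ship them.
    release = {"plc_program.bin": b"constructed PLC logic v1", "recipe.csv": b"temp,120\nspeed,40\n"}
    manifest = build_manifest(release, "md5")
    # What actually turns up on the stick: one file altered, two not part of the release.
    staged = dict(release)
    staged["recipe.csv"] = b"temp,999\nspeed,40\n"
    staged["tool.exe"] = b"MZ constructed executable"
    staged["notes.csv"] = b"unlisted file"
    for name, verdict in check_transfer(staged, manifest).items():
        print(f"{name:16} {verdict}")
```

Only `plc_program.bin` passes; the tampered recipe fails its hash, the executable fails the type policy before any hash is computed, and the unlisted CSV is refused because a hash check can only vouch for files the manufacturer actually listed. Checking the manifest itself against a signature from the manufacturer is the natural next step and is what makes the hash values trustworthy in the first place.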