How To Manage The Risks Of Removable Media In Your OT Network
Written by Joe Buck
INTRODUCTION
I was walking into the office recently when I spotted a USB flash drive on my desk that wasn’t mine. It wasn’t there yesterday when I left, it didn’t have a name on it. The first thing I wanted to do was plug it into my laptop, find out who owned it, and get it off my desk – I imagine that’s the first thing anyone would want to do – but my cyber security head stopped me and said: “This is a really bad idea”. Eventually, someone claimed the drive as theirs and there was no problem, but what if it wasn’t? By absent-mindedly connecting that drive to my device I just might have assisted in a cyber-attack.
What would you do if, you, a colleague, or an employee finds an unknown removable device? After reading this article, you’ll be better equipped to answer that question.
October 2022 is Cybersecurity Awareness Month with this year’s theme being ‘See yourself in Cyber’.
Even with all the techy language and complexity, cybersecurity is all about people. Keeping a computer safe usually boils down to how people use it – or misuse it. With this in mind, I’m going to talk about removable media, highlighting the importance of controlling how people use it, and how that can make or break the security of your network.
WHAT IS REMOVABLE MEDIA
Any device that can be removed from a computer while it is running counts as removable media. People deal with removable media every day: if you’re looking at a USB flash drive, an external hard drive, an optical disk, or even a smartphone you’re looking at something that can quickly connect, transfer data to a computer, and just as quickly disconnect. They’re super easy to use, super convenient and super portable, but it’s the portability that makes them easy to lose track of in a business environment. Effective use of removable media devices is possible, but the risks that arise scale very quickly the more reliant on them you are.
Private data suddenly becomes public as a result of the loss or theft of a flash drive. Any information about the configuration of your OT environment could give attackers an advantage and make you more of a target. If any security logs are being stored in removable media, then any shadow data – sensitive data in the form of raw text hidden in logs for example – could reveal account credentials if the device left the organisation. Because removable media is so portable, it makes it very easy for a disgruntled employee to exfiltrate data whilst being almost untraceable compared to other means. This compromise of data could spell financial and reputational damage, plus further impact site operations due to attention from outside attackers.
There seems to be a massive risk of data leaving the boundary of an organisation via removable media. The issue of traceability of these devices becomes apparent when nobody in the organisation knows: who has access to removable media, what is allowed to be stored, or what removable devices are actually used by the organisation. These questions need to be answered to get a hold on how people are currently using removable media on your site. Only with this understanding can you start looking at controlling data being improperly exfiltrated. While a sensitive removable device leaving your boundary sounds like a massive headache to manage, there could be just as many problems for you if one enters in.
REMOVEABLE MEDIA & THE HUMAN FACTOR
Defence in depth (DiD) is a security model whereby a system is kept secure through many different layers of defences. It is much less likely for a malicious actor to penetrate an environment if they cannot find an easy way in, right? If your endpoint protection is maximised, your firewall configuration is on the money, and your security logs are spotless you’ve got far less to worry about. But, when an employee waltzes through all of the locked doors and plugs in a flash drive, they found lying around outside of the building to see what it might have on it, what’s to say they didn’t just bypass all of those defences and serve your control systems on a silver platter?
In a report on the current state of operational technology and cybersecurity by Fortinet1, they show that 29% of all organisations from their global survey experienced intrusions associated with removable media. Less intrusions due to insider threats, malware and phishing were experienced by organisations with higher security maturity levels. But alarmingly, intrusions due to removable media from organisations with the highest level of maturity increased by 50% compared to others. This isn’t a recommendation from Fortinet (or me) to quickly think of ways to reduce your security maturity, so you are less likely to get attacked. This is them showing that even if your DiD is top of the range, you can still be vulnerable to attacks due to your mismanagement – or your employees’ mismanagement – of removable media.
The reason the figures for higher maturity levels are so steep is because of the human factor involved in this kind of attack. While security awareness training goes a long way to helping people make the right decisions, humans are not programmable and will make mistakes that lead to attacks like this happening.
According to Cybint2 – a cyber security education and training company – 95% of cyber incidents are caused by human error. The majority of this statistic is eaten up by the huge amount of phishing attacks that occur every day. But thinking about it further, there is no real difference between introducing a malicious actor via clicking a dodgy link in an email and connecting a dodgy flash drive to your internal network. Both methods result in an attacker getting what they want, and both exploit our default curious nature. Both are examples of social engineering, a tool in a threat actors’ belt that exploits computer systems via the people that work with them.
I’ve worked with a lot of our customers and met people who are ultimately responsible for the cybersecurity of very large industrial systems. From what I’ve seen, I know that even though you can’t exactly record them in an asset register, the people who access your internal network every day are your most important, and most vulnerable assets. For a threat actor to bypass any countermeasure, they just need to exploit someone who is already inside.
This might involve using social engineering techniques to stalk a single target or a small team, planting an infected device and tricking them into connecting it to their network– sniping out an individual. In contrast, this could also be creating dozens of infected flash drives, pasting the target company logo onto them, and planting them all over the place in hopes that someone picks one up and plugs it in – carpet bombing the whole company. Flash drives are a very versatile device because they are so cheap and replicable like this – that’s why they’re so useful in a workplace after all – but this inexpensiveness and expendability is also why they’re such a popular tool for cyber-attacks.
MALWARE IN YOUR POCKET
When someone says “don’t plug that drive in, it might be infected’ they mean that something on that device contains a virus or malware. Those with some security knowledge may have heard terms such as worms or trojans that do different things or initiate in different ways, but ultimately, a computer virus infecting a device is going to lead to unwanted things happening on a machine in one way or another. If malware contained in a device propagates through the whole network, then the whole network is now infected. The key to stopping propagation is segregation, the most extreme type being fully disconnecting and isolating infected systems. For an IT network, segregating infected systems, or even entire networks could be a painful and disruptive procedure resulting in downtime while systems are restored. Disconnecting a whole OT network, that might not even be possible, due to the massive impact it could have.
Any downtime of critical national infrastructure (CNI) such as oil refineries, gas pipelines and chemical processing plants affects much more than just the company that owns the site. An imbalance between supply and demand affects the wider national economy. Some organisations operate under the HSE’s control of major accident hazards regulations – classed as COMAH sites – meaning their safety instrumented systems (SIS) need to be operating with immaculate health. What if by introducing a virus into a controller workstation, it propagates into one of your SIS zones?
Disaster could strike if the plant needs to shut down and finds that it can’t do so safely.
The point is, any breach in an OT network leads to management, operators and maybe even you reading this now having to make difficult decisions. So, the elimination of removable media as a potential attack vector wouldn’t just make your IACS environment safer, it would make your life a lot easier too.
There are dozens of different things you can modify or add to a USB flash drive that makes it dangerous to plug into any computer. The USB can contain a keylogger, a type of spyware that runs on the machine and logs all input to the device – this data can be sent to attackers to analyse passwords and account details being typed into that machine. It could contain ransomware, an increasingly prominent threat to OT: entire systems are encrypted and threatened to be completely wiped unless a ransom is paid to the attackers. It could even be an entirely destructive malware, where an attacker’s objective is not to exfiltrate data, but destroy it.
Probably the most prolific malware disseminated by USB devices is that of Stuxnet, a worm that utilised four zero-day exploits in Windows systems to stifle Iran’s nuclear pro- gram as it was nearing operational status.
The Stuxnet worm, initially introduced by a flash drive to the Iranian uranium enrichment facility, worked its way through the operational network and over time, issued commands to various PLCs that caused the nuclear centrifuges to literally tear themselves apart while reporting normal operational conditions. While this was a gigantic, government-funded attack originating from a very politically charged agenda, the fact remains that no damage would have been done if the human element was managed, and a flash drive wasn’t plugged in.
A lot of malicious files and code contained in removable media utilise something called the autorun feature. This was developed initially to automatically launch programs on CD-ROMs when inserted into a computer with a Windows operating system, but any removable media can easily imitate this re-action and run whatever they want as soon as they are connected to a device. While an attacker has ways of tricking you into running malicious programs from a flash drive, they don’t even need to do that if autorun is enabled on a device.
When it comes down to it, there are two ways removable media can harm you as a company, either: media is removed from the organisational boundary when it shouldn’t be or, media is brought into the boundary and then introduced to the network when it shouldn’t be. You might not always look at it in this context, but it can be useful to think about your security from a high level.
In the next section, I’ll tell you why you don’t have to be so worried if you have the right tools, the right countermeasures and the right management.
REDUCING YOUR RELIABILITY ON RM
Removing the risks posed by removable media in the workplace is easy, right? If everyone just stops using it – If your policies and staff awareness surrounding these policies specifically ban the use of any removable media – then there’s nothing to worry about. The only risk then would be controlling what people in the workplace do if they see rogue media hovering around. Two core things that should be focused on to mitigate these risks are: reducing your reliability on removable media as an organisation and controlling that ever-important human factor.
If cutting down your dependence on it were as easy, then there wouldn’t be a need for this article. Regardless of what OT environment you’re working in, it is unlikely you can cut removable media out of your systems in one fell swoop. A drastic shift in the way the business is run is unlikely to succeed, so it is important to look at alternate solutions for different areas where removable media may cause problems.
For example, what if during a site survey I came across two software license dongles plugged into a control room PC? Are these secured effectively? Are they even necessary? My immediate thoughts would be that if the software vendor can supply an alternate solution to provide licensing, then that would be ideal – it would remove the risks associated with having to open USB ports in the back of a machine that supports essential functions. If this is the only solution, then you need to think about how to mitigate these risks.
Mitigation might include adding addition- al layers of physical security such as card access control for the control room door, or a locked cage around the PC in question so that it becomes much harder for unauthorised tampering. Port security techniques such as restricting MAC addresses connect- ing to an interface would also prevent un- known devices – like an undetected 4G dongle – from being used to replace the license dongles on those ports.
Port blockers should be inserted into any interface that doesn’t already have something connected to it. Preferably you’d want the kind of blocker that requires a specific key to remove, rather than one that just ‘plugs the hole’. If this is an impractical idea for your environment – you might have hundreds if not thousands of ports to block – then logically disabling the interfaces that aren’t in use works as an extra layer of defence.
Ideally, both of these techniques should be utilised. To add security controls to multiple devices it is quite easy to define a group policy that disables removable media ac- cess across a whole domain. Planning for the worst, you should make sure all antivirus software is kept up to date just in case malware does get in. Endpoint protection is your last layer of defence and should always be there if an attacker manages to introduce malware to the network. By keeping it on the most recent patch, you’re keeping this defence reliable. Quick fixes like these are some of the first things to think about implementing across your OT environment.
So, what if you actually need to connect a flash drive of genuine or dubious origin, either to transfer data between network layers or because you need to know what is on the drive? You’ll need what’s called a ‘sheep-dip’ solution, where you can safely connect removable media, scan it using antivirus software and even run it in an environment that is completely isolated. This could be as simple as plugging the media into a network-segregated pc and watching what happens, or as bespoke as a dedicated device that replicates your entire network so you can see exactly how it would react to an attack from any malware on the device.
Tekgem has built a solution called Shield3, it is our dedicated hardware appliance designed as an all-in-one sheep-dip and secure file transfer solution. It maintains network segregation from the second it detects a removable media connection by disabling the network adapter and only enables it again when the device has been scanned and deemed safe. Shield also aims to reduce the organisational reliability of removable media by acting as a secure file transfer system. Modern sheep-dip solutions are one of the most sophisticated methods of keeping USB security locked down. They remove a level of uncertainty when there is an unknown device lying around: people now know exactly where to plug it in. More importantly, they give an insight into what happens if someone did make the mistake of connecting an infected device to the network. They offer a unique aspect of control. Control over your network, and how people use it, is a very powerful thing.
RISKS CONTROLS & POLICIES
The risk of letting unknown devices connect and interact with your environment is not so much because you don’t know them, but because they aren’t controlled. Ideally, your DiD should contain control measures for any device, foreign to the network or otherwise.
This ensures that the overseer of the whole OT environment should be confident in introducing unknown devices to the network because they are not inherently trusted. If you’re interested in the concept of zero trust and how it applies to OT specifically, you can find some good information here.
Some of the most uncontrolled devices that enter the OT network will be ones that you invite yourself. Any third party that comes and works on your systems likely brings their own laptop with them; for security purposes that laptop is just a really fancy – and really powerful – USB flash drive. Ideally, any time an engineer performs maintenance like routine patching or device upgrades they should be using devices controlled by you. Having dedicated maintenance laptops when you don’t know where they are, who is using them or what software they’re allowed to run is essentially allowing any third-party engineer to swoop in, compromise the network and leave without a trace. I’m not going to talk about control measures for your own laptops here, but just know that if they’re not physically and logically secure and their activity is traceable then they are not an effective, secure solution.
This section has been about reliability on removable media, and you can’t really rely on every single third-party engineer to come in and work with your own laptops. Sometimes, they’re going to need to bring their own device to access your systems. They might connect remotely, which still counts as a form of removable media connecting to a device in your network.
Regardless, you can implement as much DiD as you like, but you cannot fully control third-party devices. This is where an acceptable use policy would come into the picture: defining exactly what can be done and what can’t be done when people introduce their own devices to the network. Your DiD controls are what protect you if things go wrong, but it’s your policies more than ever that protect you from that all-important human factor.
You can (and should) compensate for misuse, but it all comes back to controlling how people use and interact with the network. You do that through your policies, and they don’t mean anything without your procedures.
A policy tells you about something – the guidelines, principles and controls that are in place that should be considered when you’re doing a certain task. A procedure is built from that policy and should describe step by step, no details left out, no stone unturned, how to perform a task. Without the policy, you have no idea why you’re doing what the procedure tells you to do. Without the procedure, the policy doesn’t have any context and provides little value.
A secure removable media policy should state why every security measure in your network should be followed, with media handling procedures detailing things like finding, scanning, and secure disposal of removable media.
If written in a way that people can understand and relate to, an IACS-specific removable media policy can go a long way to making sure people don’t just plug in random flash drives they find on desks. Importantly, it can also improve the cybersecurity culture of the workplace by making people more aware of the risks, and more aware of the security measures you’ve put in place to control them.
WRAP UP
Hopefully, I’ve given an insight into the risks associated with removable media, and why you should care about protecting your OT environment from them. I also hope I’ve made you aware that these risks are not unmanageable if you take care of the network and the people that use it. ‘See yourself in Cyber’ is the theme for this year’s awareness month and I think no matter your position, while you’re reading this, you’ll have really thought about how you as a person use removable media in your workplace. At the end of the day, everybody has a USB flash drive in their bag or on their desk at home or maybe even in their pocket. But now, everybody should have the knowledge to control them.