Honeywell has published a report showing that malware is being delivered to industrial facilities through USB removable storage devices, and that some of these threats can cause notable interruptions.
The industrial giant launched Secure Media Exchange (SMX) last year, a product designed to protect facilities from USB-borne threats, and the company is also using it to determine the risk that USB drives pose to such organizations.
Honeywell has analyzed data collected from 50 locations across the United States, South America, Europe and the Middle East. The enterprises whose systems were part of the study represented the energy, oil and gas, chemical manufacturing, pulp and paper, and other sectors.
The company claims that it was able to block at least one suspicious file in 44% of the analyzed locations. Of the neutralized threats, 26% could have caused major disruptions to industrial control systems (ICS), including loss of control or loss of view. 16% of the detected malware samples were specifically designed to target ICS or IoT systems, and 15% of the samples belonged to high-profile families such as Mirai (6%), Stuxnet (2%), Triton (2%), and WannaCry (1%).
These high-potency threats were widespread on USB drives bound for use in industrial control facilities. It only takes one instance of malware bypassing security defenses to rapidly execute a successful, widespread attack. The findings reveal that such threats exist in the wild, because this high-potency malware was detected in day-to-day routine traffic rather than in laboratory experiments. Newly emerging threat techniques such as TRITON, which target Safety Instrumented Systems, can provoke copycat attackers.
It is common for malware to get into industrial networks, but in most cases these are non-targeted threats. However, there are few incidents involving malware specifically targeted at industrial systems.
More than half of the threats found by Honeywell were Trojans (55%); others were bots (11%), hacking tools (6%), and potentially unwanted applications (5%). One-third of samples had RAT functionality, and 12% were capable of dropping other malware onto the compromised system. Seven percent of malicious files were hiding ransomware, and 9% of malware was designed to directly exploit flaws in the USB protocol or interface.
Some of the threats attacked the USB interface itself. 2% were associated with common Human Interface Device (HID) attacks, which fool the USB host controller into thinking that a keyboard is attached, permitting the malware to type commands and manipulate applications.