Hackers Are Jumping the Air Gap to Target Operational Technology

A new report finds industrial control systems are increasingly targeted by cyberattacks using removable media and offers tactics to stop them.

The risk of cyberattacks against industrial control systems and operational technology (OT) in manufacturing is on the rise, and hackers are specifically designing malware to jump the air gap that many manufacturers count on to protect their systems.

According to the 2022 Honeywell Industrial Cybersecurity USB Threat Report, removable media such as USB drives and memory cards constituted 52 percent of threats, up from 32 percent in 2021 and more than double the 19 percent reported in 2020.

“This year’s report indicates that adversaries are deliberately leveraging removable media as an initial attack vector to establish remote connectivity, exfiltrate data and establish command and control,” Jeff Zindel, vice-president and general manager, Honeywell Connected Enterprise Cybersecurity, said in a press release. “It’s now painfully clear that USB removable media are being used to penetrate industrial/OT environments, and that organizations must adopt formal programs to defend against this type of threat to avoid costly disruptions.”

Honeywell says its report shows cybersecurity threats continue to be more prominent and potent, with the number of threats designed specifically to target industrial control systems increasing slightly year-over-year from 30 percent to 32 percent. The report also indicates malware was more capable of disrupting industrial control systems, climbing to 81 percent from 79 percent the previous year.

Additionally, attempts to compromise industrial/OT environments continue to increase in sophistication and frequency, with USB-borne malware used to initially circumvent network defenses and bypass air gaps as part of larger cyberattack campaigns.

Honeywell recommends continued diligence and strong USB controls to defend against the growing removable media threat. The report outlines a number of steps engineers can take to harden their systems against damaging attacks:

· Establish a clear USB security policy: Technical controls and enforcement must be established to better secure USB media and peripherals.

· Shorten the Mean Time to Remediation (MTTR): Existing controls should be re-examined and patch cycles re-evaluated to reduce the MTTR. External controls that provide real-time detection and protection of key systems should be considered, along with integrated monitoring and incident response procedures.

· Be vigilant with files, documents and digital content: Inspection and detection-based controls are necessary on the primary vectors into and between protected industrial facilities to prevent the introduction and propagation of content-based malware.

· Place tight controls on outbound network connectivity from process control networks: Threats crossing the air gap via USB are used to gain a toehold in industrial systems, establishing backdoors and remote access to install additional payloads and remote command-and-control.

· Be diligent with security updates: Anti-virus software deployed in process control facilities needs to be updated daily. Even then, a layered approach to threat detection that includes OT-specific threat intelligence is strongly recommended.

· Patch end nodes: Many threats can establish persistence and covert remote access to otherwise air-gapped systems. Hardening OT systems also improves incident MTTR.

The report was based on aggregated cybersecurity threat data from hundreds of industrial facilities around the world gathered by Honeywell during a 12-month period.
