The proliferation of BYOD and portable media devices is increasing the cybercrime attack surface exponentially. TechAdvisory.org reports that 25 percent of malware is spread today through USB devices alone. Transient cyber assets — devices that are not connected to the network all the time, which includes USB devices — are proving to be an acute vulnerability for both information technology (IT) and operational technology (OT) environments.
Once someone plugs a USB device into a networked machine, any number of problems can follow. The devices can carry both media-based and file-based threats and, in doing so, bypass an organization’s security layers. Malware can mean disaster for any corporation, but an attack in an OT environment, where hardware and software run industrial control systems, can be among the worst of all. The risk is heightened with portable media, which is often the only way to introduce files into air-gapped OT networks. According to a new report from Fortinet, 77 percent of organizations with OT networks have experienced an IT security incident in the past year, and 78 percent have only partial centralized visibility into the cybersecurity of their OT environments.
Knocking out the production of critical materials or infrastructure can grind a company to a complete standstill. Just this year, the Norwegian aluminum manufacturer Norsk Hydro lost more than $40 million in the weeks that followed a ransomware attack. The attack forced the company to stop its operational production and switch to a manual operation. Imagine the damage that just one infected portable device in an OT environment could do when it pertains to critical infrastructure.
The very same week that Norsk Hydro was dealing with this attack, a woman was arrested by the Secret Service at President Trump’s Mar-a-Lago resort. After managing to bluff her way into the resort, she was caught carrying passports, cellphones, a laptop, an external hard drive, and a USB thumb drive that, according to the criminal complaint, contained malware. This near-disaster was a little too close for comfort, and the fact that a Secret Service agent plugged the USB drive into a laptop without testing it first is alarming.
We can learn from failures and breaches, but also from success stories. One of the world’s largest specialists in energy management and automation, Schneider Electric, is entirely on top of cybersecurity at every step of every process and every part of its supply chain. In 2017, its Triconex safety product line was under a targeted attack named “Triton” (or “Trisis”), attempting to sabotage safety instrumented systems (SIS) in the Middle East. Schneider successfully mitigated the attack with a comprehensive approach, ensuring the safety of all customers. Company Global CISO Christophe Blassiau said in a blog post that “the potential cyber attack surface is large and can be used at any step of the kill chain. We, therefore, adopt a layered approach to cybersecurity that tracks to the NIST framework with its five concurrent and continuous functions: identify, protect, detect, respond and recover.”
In the energy sector, the North American Electric Reliability Corporation (NERC) is paying attention and has come forward with new standards, such as CIP-010 R4, to manage the use of removable media and other devices. NERC CIP-003-7 requires that, by January 1, 2020, operators protect low-impact (less critical) BES Cyber Systems. Additionally, US-CERT (the United States Computer Emergency Readiness Team) has issued many warnings about the threat of USB devices.
Portable media cybersecurity kiosks are an effective measure to prevent attacks, gain visibility, and demonstrate regulatory compliance. According to Oren Dvoskin, a former Israeli Air Force IT expert and the current marketing director at Sasa Software, the Israeli cyber command recommends portable media kiosks with content disarm and reconstruction (CDR) as a fundamental security layer for the protection of critical infrastructure. The kiosk design prevents media-based attacks, and the built-in CDR technology prevents advanced and otherwise undetectable file-based attacks by rebuilding files rather than trying to recognize malicious content in them. The effectiveness of CDR and cybersecurity kiosks in regulated sectors has led to widespread commercial adoption in Israel.
In Singapore, IT security authorities have adopted these recommendations as they look to Israel for cybersecurity best practices. In the United States, commercial organizations are following US-CERT’s recommendations and energy sector regulatory standards with strict lock-down policies, such as IBM’s ban of USB drives.
With targeted cyber-attacks against OT networks on the rise, it is time for CISOs to have a solid plan for protecting OT environments from compromised transient cyber assets. These plans should cover devices such as USB drives, optical discs, SD cards, legacy floppy disks, and even entire laptops brought into the OT environment by vendors. Transient devices are essential for the day-to-day activities and maintenance of isolated and air-gapped networks, and they must be processed by a cybersecurity kiosk using CDR technology before they are introduced into the network.
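The CDR step such a kiosk applies, shown here as an added example that is not the article’s or any vendor’s code: a minimal disarm-and-rebuild for PNG files. Instead of scanning for known-bad content, it parses the image, keeps only the chunk types needed to render it, drops every other chunk and any data trailing the IEND marker, and re-serializes the result with fresh CRCs. The sample PNG is constructed inline.

```python
import struct
import zlib

# Chunk types a PNG needs to render. Everything else (tEXt, iCCP, eXIf, ...)
# is dropped and the file is rebuilt from the kept chunks with fresh CRCs.
CRITICAL = {b"IHDR", b"PLTE", b"IDAT", b"IEND"}
PNG_SIG = b"\x89PNG\r\n\x1a\n"

def parse_chunks(data):
    """Yield (type, payload) for each chunk, validating lengths and CRCs."""
    if not data.startswith(PNG_SIG):
        raise ValueError("not a PNG")
    pos = len(PNG_SIG)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        payload = data[pos + 8:pos + 8 + length]
        crc_bytes = data[pos + 8 + length:pos + 12 + length]
        if len(payload) != length or len(crc_bytes) != 4:
            raise ValueError("truncated chunk %r" % ctype)
        if zlib.crc32(ctype + payload) != struct.unpack(">I", crc_bytes)[0]:
            raise ValueError("bad CRC on chunk %r" % ctype)
        yield ctype, payload
        pos += 12 + length
        if ctype == b"IEND":
            return  # anything after IEND is not image data and is left behind

def disarm_png(data):
    """Rebuild a PNG from its critical chunks only; returns (clean_bytes, dropped_types)."""
    kept, dropped = [], []
    for ctype, payload in parse_chunks(data):
        (kept if ctype in CRITICAL else dropped).append(ctype + payload if ctype in CRITICAL else ctype)
    if not kept or kept[0][:4] != b"IHDR" or kept[-1][:4] != b"IEND":
        raise ValueError("missing IHDR or IEND")
    out = bytearray(PNG_SIG)
    for chunk in kept:  # chunk = type + payload; length and CRC are recomputed
        out += struct.pack(">I", len(chunk) - 4) + chunk + struct.pack(">I", zlib.crc32(chunk))
    return bytes(out), dropped

def build_sample_png():
    """Constructed 1x1 red PNG with a tEXt chunk and junk appended after IEND."""
    def chunk(ctype, payload):
        return struct.pack(">I", len(payload)) + ctype + payload + struct.pack(">I", zlib.crc32(ctype + payload))
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)  # 1x1, 8-bit RGB
    idat = zlib.compress(b"\x00\xff\x00\x00")            # filter byte + one pixel
    return (PNG_SIG + chunk(b"IHDR", ihdr) + chunk(b"tEXt", b"Comment\x00dropped")
            + chunk(b"IDAT", idat) + chunk(b"IEND", b"") + b"TRAILING-JUNK")
```

A production CDR engine applies the same idea to far richer formats (Office documents, PDFs), where the rebuilt file keeps text, layout and images but not macros, embedded objects or scripts.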
There is no doubt that CISOs and CIOs are looking to add multiple, compliant security levels to OT environments to protect the companies and infrastructure under their purview. Cybersecurity professionals can learn from Nir Eitan, manager of offshore IT security operations at Noble Energy. He said, “We found the usage of portable (USB) media in our OT networks to be a key concern, including at off-shore sites. Employees and vendors are required to bring in files, and we found AV scans to be insufficient against advanced malware and media-based attacks. The use of cybersecurity kiosks enables us to transfer files securely from the media into our OT networks while enabling policy enforcement, visibility and full control using a central management and reporting system.”
Robert Bigman retired in 2012 from the Central Intelligence Agency (CIA) after a distinguished thirty-year career, the last 15 years of it as the CISO. A pioneer in the field of classified information protection, Bigman developed technical measures and procedures to manage the nation’s most sensitive secrets. He is now an independent cybersecurity consultant and president of 2BSecure LLC in Bethesda, Md.