NIST Publishes Guide for Protecting ICS Against USB-Borne Threats


NIST has published a new guide designed to help organizations reduce cybersecurity risks associated with the use of removable media devices in operational technology (OT) environments.

NIST Special Publication (SP) 1334 was authored by the National Cybersecurity Center of Excellence (NCCoE). It focuses on USB flash drives, but also mentions other types of removable media, such as external hard drives and CD/DVD drives.

USB flash drives are often used in OT environments to conduct firmware updates or to retrieve data for diagnostic purposes, but such devices are also often a source of malware infections.

While the cybersecurity industry has long warned organizations about the security risks, the use of USB drives in OT environments still poses a significant threat to industrial control systems (ICS). Recent research has shown that while such drives typically carry commodity malware, threats are becoming increasingly sophisticated and targeted at OT.

“If a USB device is infected with malware, it can spread to the industrial control system and cause problems, such as disrupting operations or compromising safety,” NIST warned.

NIST SP 1334 condenses all relevant information on protecting ICS against USB-borne threats into a two-page document. 

The guide covers four aspects: procedural controls, physical controls, technical controls, and transportation and sanitization.

In terms of procedural controls, the guide advises organizations to develop policies for purchasing, authorizing and managing devices they own, and to consider all other devices as untrusted. The acquired devices should adhere to modern security standards and their use should be limited to specific personnel and purposes.


As for physical controls, devices should be stored in a physically secure location, and they should be inventoried and labeled. 

The section of NIST’s guide on technical controls recommends disabling unnecessary ports to prevent unauthorized use, scanning devices for malware before and after use, disabling autorun, encrypting data stored on portable storage media, and enabling write-protection when possible.

The agency also recommends having procedures in place for transporting devices within and between organizations, and performing data sanitization prior to the disposal of the device. 

Companies such as Honeywell have been offering dedicated cybersecurity solutions designed to protect industrial facilities from USB-borne threats.


About Cybernoz

Security researcher and threat analyst with expertise in malware analysis and incident response.