Honeywell USB Threat Report PDF
(SMX). Since SMX analyzes USB devices used in industrial facilities, it
provides a highly relevant snapshot into industrial USB activity.
KEY FINDINGS
[Callout: 44% of SMX locations detected and blocked at least one suspicious file]
USB Remains a Top Threat Vector
Of the locations studied, nearly half (44%) detected and blocked at least one malicious or
suspicious file that represented a security issue. This high-level finding confirms that USB
remains a significant vector specifically for industrial threats. The data also indicates that the
risk of industrial facility exposure to threats via USB is consistent and statistically relevant.
This finding is consistent with other third-party reports that cite USB as a major threat vector.
These findings are worrisome for several reasons. That high-potency threats were at all prevalent
on USB drives bound for industrial control facility use is the first concern. As ICS security experts
are well aware, it only takes one instance of malware bypassing security defenses to rapidly
execute a successful, widespread attack. Second, the findings also confirm that such threats do
exist in the wild, as the high-potency malware was detected among day-to-day routine traffic, not
pure research labs or test environments. Finally, as historical trends have shown, newly emerging
threat techniques such as TRITON, which target Safety Instrumented Systems, can provoke
copycat attackers. Although more difficult and sophisticated to accomplish, such newer threat
approaches can indicate the beginnings of a new wave of derivative or copycat attacks.
Of the threats blocked:
• 26% had the potential to cause major disruption to ICS (e.g. loss of view or loss of control)
• 16% targeted ICS or IoT
• 15% were well-known threats (e.g. Mirai, Stuxnet, TRITON, WannaCry)
• 9% were designed to exploit USB
Accidental Infections or Targeted Attacks?
Of the total files known to be malicious, the type and behavior of the malware varied considerably.
The most pervasive malware category by far was Trojans, representing 55% of all malware
detected. This makes sense in the context of USB-borne malware, where Trojans can be very
effective.
Other malware types discovered through this research included bots (11%), hacktools (6%) and
Potentially Unwanted Applications (5%).
Of the malware discovered, 9% was designed to directly exploit USB protocol or interface
weaknesses, making USB delivery even more effective — especially on older or poorly configured
computers that are more susceptible to USB exploits. Some went further, attacking the USB
interface itself. 2% were associated with common Human Interface Device (HID) attacks, which
trick the USB host controller into thinking there is a keyboard attached, allowing the malware
to type commands and manipulate applications. This supports earlier Honeywell findings that
confirmed HID attacks such as BadUSB as realistic threats to industrial operators.
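The two USB-delivered patterns described above (unapproved storage, and HID devices that present themselves as keyboards) are exactly what a technical control at the device-admission layer has to distinguish. The following is an added example for this report, not Honeywell or SMX code: a small policy check that applies a storage allowlist and flags composite storage-plus-HID devices and unexpected additional keyboards. The class codes are the USB-IF interface class values (0x03 HID, 0x08 mass storage); the allowlist entries, serial numbers and sample devices are constructed for illustration.

```python
"""USB device admission check (added example; not code from the report).

Applies three rules a removable-media control could enforce before a device
is allowed to enumerate: deny storage+HID composites, deny storage that is
not on the allowlist, and hold a second keyboard for operator review.
Device records and allowlist entries are constructed for illustration.
"""
from dataclasses import dataclass
from typing import List, Tuple

USB_CLASS_HID = 0x03           # keyboards, mice (USB-IF interface class code)
USB_CLASS_MASS_STORAGE = 0x08  # flash drives, card readers


@dataclass
class UsbDevice:
    vendor_id: int
    product_id: int
    serial: str
    interface_classes: List[int]  # class code of each interface the device presents


# Constructed allowlist: the only removable-storage devices approved for this host.
ALLOWED_STORAGE = {
    (0x0781, 0x5583, "SDCZ-0001"),
    (0x0951, 0x1666, "DTK-7733"),
}


def evaluate(dev: UsbDevice, keyboard_present: bool) -> Tuple[str, str]:
    """Return (verdict, reason); verdict is 'allow', 'deny' or 'review'."""
    classes = set(dev.interface_classes)
    is_storage = USB_CLASS_MASS_STORAGE in classes
    is_hid = USB_CLASS_HID in classes

    # A device that is both storage and keyboard matches the HID-attack pattern
    # the report describes, so it is denied regardless of the allowlist.
    if is_storage and is_hid:
        return "deny", "composite mass-storage + HID device"
    if is_storage and (dev.vendor_id, dev.product_id, dev.serial) not in ALLOWED_STORAGE:
        return "deny", "removable storage not on allowlist"
    # A second keyboard appearing on an operator station is unusual enough to
    # hold for confirmation rather than let it enumerate silently.
    if is_hid and keyboard_present:
        return "review", "additional HID device while a keyboard is already attached"
    return "allow", "policy checks passed"


def triage(devices: List[UsbDevice], keyboard_present: bool = True) -> List[Tuple[str, str, str]]:
    """Evaluate each device and return (serial, verdict, reason) per device."""
    return [(d.serial, *evaluate(d, keyboard_present)) for d in devices]


# Constructed sample devices: an approved stick, an unknown stick of the same
# model, a storage+HID composite, and a plain keyboard.
SAMPLE_DEVICES = [
    UsbDevice(0x0781, 0x5583, "SDCZ-0001", [USB_CLASS_MASS_STORAGE]),
    UsbDevice(0x0781, 0x5583, "SDCZ-9999", [USB_CLASS_MASS_STORAGE]),
    UsbDevice(0x1234, 0x0001, "XYZ-0042", [USB_CLASS_MASS_STORAGE, USB_CLASS_HID]),
    UsbDevice(0x046D, 0xC31C, "KB-1", [USB_CLASS_HID]),
]

if __name__ == "__main__":
    for serial, verdict, reason in triage(SAMPLE_DEVICES):
        print(f"{serial:10} {verdict:6} {reason}")
```

The allowlist is keyed on vendor, product and serial together because vendor and product IDs alone are shared by every unit of a model; the "review" verdict exists so that a legitimate replacement keyboard is not silently blocked but still leaves an audit trail.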
Malware breakdown: 55% Trojans, 11% Bots, 6% Hacktools, 5% PUAs, 3% Viruses
15% were classified as “attacks”, designed to exploit a specific system or application, damage
files or end stations, or perform other actions designed to cause immediate harm. While Petya
and WannaCry were detected, occurrences were relatively less common (1% each). However, a
notable 7% of all threats detected and blocked by SMX were ransomware.
Also discovered through the analysis was an abundance of Potentially Unwanted Applications
(PUAs), worms and viruses that were of medium or low severity. Interestingly, these included a
relatively high proportion of password cracking tools, illicit browsers, installers, game crackers,
registry editors and other software tools that, while not malicious
themselves, are capable of being used maliciously. The relative
prevalence of these types of tools is notable considering that, especially
in critical industries, these unwanted applications are often prohibited
by policy.
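The statistics in this section (share of locations with at least one block, malware category breakdown, prevalence of policy-prohibited tools) are straightforward to derive from gateway detection logs. The following is an added example, not code from the report or from SMX: it computes those three figures from constructed log lines in a made-up key=value format. The site names, file names, categories and the fleet size of 10 monitored locations are all constructed; the PUA subtypes treated as prohibited are the ones the report lists (password crackers, game crackers, registry editors, illicit browsers).

```python
"""Summarising removable-media gateway detections (added example; not
Honeywell or SMX code). Log format, sites, files and fleet size are
constructed for illustration."""
from collections import Counter
from typing import Dict, List, Tuple

MONITORED_LOCATIONS = 10  # constructed fleet: sites A..J are monitored, not all saw blocks

# Constructed detection records, one blocked file per line.
SAMPLE_LOG = """\
2018-09-03T08:12:44Z site=A file=update.exe class=trojan severity=high
2018-09-03T09:01:10Z site=A file=keygen.exe class=pua subtype=cracker severity=low
2018-09-04T11:20:05Z site=C file=loader.scr class=bot severity=high
2018-09-05T14:02:31Z site=D file=cheat_engine.exe class=pua subtype=game-cracker severity=low
2018-09-06T07:45:12Z site=D file=invoice.pdf.exe class=trojan severity=high
2018-09-07T16:30:00Z site=F file=locker.exe class=ransomware severity=critical
2018-09-08T10:05:55Z site=F file=setup_helper.exe class=trojan severity=medium
2018-09-09T13:14:15Z site=F file=svchost32.exe class=trojan severity=high
"""

# PUA subtypes the report notes are usually prohibited by policy in critical industries.
PROHIBITED_SUBTYPES = {"cracker", "game-cracker", "registry-editor", "illicit-browser"}


def parse_log(text: str) -> List[Dict[str, str]]:
    """Parse '<timestamp> key=value ...' lines into dicts (constructed format)."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        timestamp, *tokens = line.split()
        rec = dict(tok.split("=", 1) for tok in tokens)
        rec["timestamp"] = timestamp
        records.append(rec)
    return records


def location_exposure(records: List[Dict[str, str]], monitored: int) -> float:
    """Fraction of monitored locations that blocked at least one file."""
    return len({r["site"] for r in records}) / monitored


def category_share(records: List[Dict[str, str]]) -> Dict[str, float]:
    """Percentage of blocked files per malware class, rounded to one decimal."""
    counts = Counter(r["class"] for r in records)
    total = sum(counts.values())
    return {cls: round(100.0 * n / total, 1) for cls, n in counts.items()}


def policy_violations(records: List[Dict[str, str]]) -> List[Tuple[str, str]]:
    """(site, file) pairs for PUAs that policy prohibits even though they are not malware."""
    return [
        (r["site"], r["file"])
        for r in records
        if r["class"] == "pua" and r.get("subtype") in PROHIBITED_SUBTYPES
    ]


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print(f"locations with >=1 block: {location_exposure(recs, MONITORED_LOCATIONS):.0%}")
    for cls, pct in sorted(category_share(recs).items(), key=lambda kv: -kv[1]):
        print(f"  {cls:12} {pct:5.1f}%")
    print("policy-prohibited tools:", policy_violations(recs))
```

Note that the exposure figure is counted per location, not per file: a single site that blocks many files still contributes one to the numerator, which is why the report's 44% is a statement about how widespread the risk is rather than how much malware was seen.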
SMX improves detection performance using a variety of advanced threat detection and threat
intelligence technologies, and performs continuous efficacy tests to ensure that SMX is using
the best techniques available. While these report findings indicate that SMX is performing well,
the severity of the threats discovered warrants the use of additional security measures for true
defense-in-depth.
[Callout: How effective was AV? SMX high detection rate: up to 11% of threats discovered by SMX
were undetectable by traditional AV]
Security Implications for Operators
These report findings clearly illustrate the importance of adopting and adhering to common
industrial cyber security best practices:
• USB security must include technical controls and enforcement. Relying on policy updates or
people training alone will not suffice for scalable threat prevention. Despite the widespread
belief that USB drives are dangerous, and despite the prevalence of corporate USB usage
policies, the data provides ample evidence that USB hygiene is generally poor.
• Outbound network connectivity from process control networks should be tightly controlled,
and such restrictions should be enforced by network switches, routers and firewalls. While USB
drives are useful vectors of initial infection, the attack types here reveal a tendency for hackers to
establish remote access, and to download additional payloads as needed.
• Security upkeep is important: Anti-virus software deployed in process control facilities needs to
be updated daily to be at all effective. Even then, additional protection is recommended, based
on the poor detection rates of common AV products when analyzing the threats here.
• Patching and hardening of end nodes is necessary, despite the challenges of patching
production systems. While sophisticated and targeted attacks were detected, many old threats
were identified and could be easily mitigated by simply keeping the infrastructure current.
• USB security hygiene is poor. Additional cyber security education is required for proper handling
and use of removable storage. This is supported by the presence of video game cheat engines,
password crackers, and known hack tools found among the samples analyzed. This can and
should be addressed through employee and partner awareness programs, operational personnel
cyber security training, and sound security policy development.
• Ransomware is a serious threat to industrial facilities. The financial losses from ransomware
can be largely avoided by maintaining regular backups and having a tested recovery process in
place. It is never ideal to pay a ransom if infected: it is not guaranteed that systems will be
restored, and it will encourage further ransomware campaigns to target industrial systems if
they are seen as a viable market. For further advice, as well as many ransomware identification
and decryption tools, visit https://www.nomoreransom.org
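The second recommendation above, that outbound connectivity from process control networks be tightly controlled and enforced by network equipment, is one that can be verified from firewall logs: a PCN host reaching outside the internal address space is a finding whether the firewall allowed it (the control is not enforced) or denied it (something on the PCN tried to reach out). The following is an added example, not from the report: it parses a constructed firewall log in a made-up key=value format and reports such egress. The PCN subnet (10.20.1.0/24), the internal ranges and all addresses are constructed; the external destinations use the documentation address blocks.

```python
"""Spotting process-control-network egress in firewall logs (added example;
not from the Honeywell report). Log format, subnets and addresses are
constructed for illustration."""
import ipaddress
from typing import Dict, List

PCN = ipaddress.ip_network("10.20.1.0/24")  # constructed process control subnet
# Address space treated as internal; anything else is "outside". Listed explicitly
# rather than via ip_address.is_private, which also covers documentation ranges.
INTERNAL = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed firewall log: Modbus to a local PLC, an allowed HTTPS session
# from a PCN host to the outside, a denied HTTP attempt from another PCN host,
# internal DNS, and a business-network host (not PCN) going out.
FW_LOG = """\
2018-09-03T08:12:44Z action=allow src=10.20.1.15 dst=10.20.1.5 dport=502 proto=tcp
2018-09-03T08:13:02Z action=allow src=10.20.1.15 dst=203.0.113.9 dport=443 proto=tcp
2018-09-03T08:13:05Z action=deny src=10.20.1.22 dst=198.51.100.4 dport=80 proto=tcp
2018-09-03T08:14:17Z action=allow src=10.20.1.22 dst=10.20.0.10 dport=53 proto=udp
2018-09-03T08:15:40Z action=allow src=192.168.50.7 dst=203.0.113.9 dport=443 proto=tcp
"""


def parse_fw_log(text: str) -> List[Dict[str, str]]:
    """Parse '<timestamp> key=value ...' lines into dicts (constructed format)."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        timestamp, *tokens = line.split()
        rec = dict(tok.split("=", 1) for tok in tokens)
        rec["timestamp"] = timestamp
        records.append(rec)
    return records


def is_internal(ip: ipaddress.IPv4Address) -> bool:
    return any(ip in net for net in INTERNAL)


def find_egress(records: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Return one finding per connection from a PCN host to a non-internal address."""
    findings = []
    for r in records:
        src = ipaddress.ip_address(r["src"])
        dst = ipaddress.ip_address(r["dst"])
        if src not in PCN or is_internal(dst):
            continue
        findings.append({
            "timestamp": r["timestamp"],
            "src": str(src),
            "dst": str(dst),
            "dport": int(r["dport"]),
            # allowed: the egress restriction is not enforced for this host
            # blocked: the control held, but the attempt itself needs investigation
            "finding": "egress-allowed" if r["action"] == "allow" else "egress-blocked",
        })
    return findings


def hosts_with_allowed_egress(findings: List[Dict[str, object]]) -> List[str]:
    """PCN hosts for which at least one outside connection was permitted."""
    return sorted({f["src"] for f in findings if f["finding"] == "egress-allowed"})


if __name__ == "__main__":
    found = find_egress(parse_fw_log(FW_LOG))
    for f in found:
        print(f"{f['timestamp']} {f['finding']:15} {f['src']} -> {f['dst']}:{f['dport']}")
    print("hosts with allowed egress:", hosts_with_allowed_egress(found))
```

Running this as a scheduled check against real firewall exports turns the recommendation into a measurable control: the list returned by hosts_with_allowed_egress should be empty, and any "egress-blocked" finding is a lead for the incident process rather than noise.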
Conclusion: Is the Sky Falling?
While the types of threats discovered on inbound USB removable storage were more serious
than the research team anticipated, the overall amount of malware was relatively small. The most
important findings point to the inevitability of USB threat exposure, with nearly half of the SMX
gateways analyzed blocking at least one malicious file. When so many of the threats discovered
are targeting ICS and potentially disruptive, every threat needs to be prevented. This report shares
Honeywell USB security research findings to advance industry dialogue and threat prevention
collaboration, in hopes of lowering cyber attack risk to industrial operations worldwide.
Glossary:
Adware
Adware is malware that is designed to display unwanted advertising material, often in banners or pop-ups. Adware is often considered a
nuisance, although the interruptions caused by adware can become serious, especially if the infection is on a critical system, by making it
difficult to interact with the computer in a normal manner.
Attacks
Malware classified as “Attacks” as opposed to threats refer to malicious programs that attempt to cause real harm by damaging, modifying or
destroying data, computer systems, or networks.
Backdoors
Backdoors provide unauthorized access to computer files, systems, or networks. Backdoors that provide access over a network are often
referred to as Remote Access Toolkits or RATs, although backdoors may also be specific to local systems or applications.
BadUSB
An exploitation of certain USB devices allowing the firmware to be overwritten by a hacker, to modify how that device operates. Typically used to
alter commercially available USB devices, so that they can be used as a cyber attack tool.
Bots
Bots are malicious programs that act autonomously. When bots are distributed across a network (referred to as a botnet), they are capable of
carrying out distributed, coordinated actions such as Distributed Denial of Service (DDoS) attacks.
Crackers
Applications designed to bypass passwords or application security measures, either as benign password recovery tools, penetration testing
tools, or as attempts to bypass software licensing.
Droppers
A Dropper is a malicious program designed to download and install other malicious programs. Droppers typically don’t cause harm directly but
are designed to ‘drop’ one or more malware payloads onto a target machine.
Enumerators
Enumeration is the process of identifying valid identities of devices and users in a network; typically as an initial step in a network attack
process. Enumerators are applications that attempt to identify valid systems and/or accounts that can then be targeted for exploitation or
compromise.
Flooders
Flooders are malicious programs designed to flood a network, typically to consume bandwidth as part of a Denial of Service attack.
Hacktools
Hacktools are applications used by penetration testers and hackers to perform tasks typically associated with hacking.
Mirai
Mirai is malware designed to infect networked Linux devices, turning them into remotely controlled “bots” that can then be used as part of a
botnet in large-scale network attacks. Mirai is notable because it targeted IP cameras and home routers, in what is largely recognized as the
first large-scale IoT botnet. Mirai was able to create a DDoS botnet of sufficient size and capacity to take down the “Krebs on Security” website,
GitHub, Twitter, Reddit, Netflix and others, as well as several Internet Domain Name Servers, taking several ISPs offline.
Petya
Petya is a family of ransomware that infects the master boot record, preventing Windows from booting, and also the Master File Table (MFT),
making the computer’s file system unreadable and extremely difficult to recover. The encryption of the MFT earned Petya notoriety for being the
“next step” in the evolution of ransomware. A later variant of Petya, NotPetya, is known for widespread damage to targets, including the Ukraine
energy sector. Unlike Petya, NotPetya is self-replicating and easily spread without human interaction. NotPetya is named because, while derived
from Petya, it is not ransomware: while it encrypts systems like Petya, it does so to cause damage with no intention of recoverability.
Ransomware
A type of malware designed to block users from accessing or using a computer system until a ransom is paid. Most ransomware functions by
encrypting specific files, the master boot sector, and/or the master file table of a computer. When the ransom is paid, the decryption keys may be
provided to allow the restoration of the infected computer. For advice on prevention and remediation of ransomware visit
https://www.nomoreransom.org
Stuxnet
An advanced cyber attack against an industrial control system, consisting of multiple zero-day exploits used for the delivery of malware that
then targeted and infected specific industrial controls for the purposes of sabotaging an automated process. Stuxnet is widely regarded as
the first cyber attack to specifically target an industrial control system. Stuxnet is also significant in its complexity, as it represented a massive
advancement in capability over any previously known malware at the time.
TRITON
TRITON is an industrial control system attack framework capable of writing new application memory to susceptible Safety Instrumented System
(SIS) controllers. TRITON allows an attacker to modify SIS behavior under certain conditions. TRITON is considered a critical threat because
SIS systems are responsible for independently monitoring an industrial process and initiating a safe shutdown in advance of a hazardous state.
TRITON could be used to trigger a shutdown, taking an industrial process offline, or it could potentially be used to prevent a shutdown even
when a hazardous state has been reached. In coordination with other ICS attacks, TRITON could increase the chances of causing physical
damage via a cyber attack.
Trojan
A Trojan is malware that masquerades as a legitimate application, in order to trick a user into executing it. The term is derived from the Trojan
Horse, which tricked the defenders of Troy into carrying hidden Greek troops within the city walls. Unlike computer viruses and worms, Trojans
generally do not operate autonomously, instead relying on a user for execution.
Viruses
A computer virus refers to malicious software that is capable of “infecting” other computer programs by inserting its own code to modify them.
WannaCry
A ransomware campaign that leveraged the EternalBlue exploit, a nation-state level Windows exploit that was stolen and leaked by a group
known as the Shadow Brokers. WannaCry is significant in the scale of its initial infection, which encrypted more than 200,000 computers
across 150 countries. Because WannaCry is able to spread and infect other computers across the Internet as well as laterally across a local
network, it is classified as a worm.
Worms
A computer worm is a standalone malware computer program that is able to self-replicate by spreading to and infecting other computers.
About Honeywell
Industrial Cyber Security
Honeywell is the leading provider of cyber
security solutions that protect industrial
assets, operations and people from
digital-age threats.
With more than 15 years of industrial cyber security
expertise and more than 50 years of industrial domain
expertise, Honeywell combines proven cyber security
technology and industrial know-how to maximize
productivity, reliability and safety. We provide innovative
cyber security software, services and solutions to
protect assets, operations and people at industrial and
critical infrastructure facilities around the world. Our
state-of-the-art Cyber Security Centers of Excellence
allow customers to safely simulate, validate and
accelerate their industrial cyber security initiatives.