WatchGuard Blog

Pendrives are still a major threat vector

Over the past year, pendrive use in industrial organizations has grown by 30%. Cyber attackers noticed this trend and promptly doubled the number of threats designed to be deployed from these devices, 79% of which could affect facilities and machinery. These are the main conclusions of a recent study published by an industry specialist.

Pandemic as cause

The report pointed to the pandemic as the reason behind the increase in these risks. Remote working has also put pressure on organizations’ cybersecurity, as we have blogged about before, but there are differences from service sector companies: many "Operational Technology" (OT) systems (i.e. industrial machinery and plants) are air gapped, meaning that their network is isolated from Internet connectivity and from other networks that are considered insecure. This has led employees who have to work from home to resort much more frequently to connecting external memory sticks to workplace equipment so they can store their data and take it home to work on.

Hackers took note of this: of all the malware detected, 76% consisted of Trojans with remote control capabilities. The report also observed changes in the techniques used compared to previous years: a large share of the malware was delivered in infected documents (mostly Excel) that contained malicious code embedded in scripts and macros.
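As an added illustration of the macro-laden documents described above (this is example code, not from WatchGuard or the cited report), the following check flags Office Open XML files that carry a VBA project. A .xlsm or .docm file is a ZIP container, and Office stores the macro code in a part named vbaProject.bin (xl/vbaProject.bin for Excel, word/vbaProject.bin for Word), so its presence identifies a macro-enabled document regardless of the file extension it was given. The sample workbooks are constructed in memory so the script runs offline.

```python
"""Added example: detect macro-enabled OOXML documents by looking for the
vbaProject.bin part inside the ZIP container. Sample files are constructed."""
import io
import zipfile

MACRO_PART_SUFFIX = "vbaProject.bin"


def has_vba_project(data: bytes) -> bool:
    """Return True if the OOXML container holds a VBA project part."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(name.endswith(MACRO_PART_SUFFIX) for name in zf.namelist())
    except zipfile.BadZipFile:
        # Not a ZIP container: a legacy OLE2 .xls/.doc or something else entirely.
        # This check only covers OOXML, so report "no OOXML macro part found".
        return False


def build_sample(with_macro: bool) -> bytes:
    """Construct a minimal workbook-shaped ZIP (a constructed stand-in, not a
    real Excel file) with or without a macro part."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("xl/workbook.xml", "<workbook/>")
        if with_macro:
            zf.writestr("xl/vbaProject.bin", b"\x00constructed-macro-blob")
    return buf.getvalue()


def triage(files: dict) -> list:
    """Return the names of files that should be held for review because
    they contain a VBA project, sorted for stable output."""
    return sorted(name for name, data in files.items() if has_vba_project(data))


if __name__ == "__main__":
    # Constructed sample set, e.g. the contents of a pendrive brought in from home.
    samples = {
        "report.xlsx": build_sample(False),
        "invoice.xlsm": build_sample(True),
        # A macro-enabled file given a harmless-looking extension is still caught.
        "renamed.xlsx": build_sample(True),
    }
    print(triage(samples))  # -> ['invoice.xlsm', 'renamed.xlsx']
```

The check deliberately keys on the container part rather than on the extension, since an attacker controls the file name but not the structure Office needs in order to load the macros.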

Worrying trends

Nonetheless, all these trends highlighted in the report are worrying for several reasons:

Firstly, because some of the organizations with industrial facilities are considered critical infrastructure: they provide essential services to society, such as energy supply, and disrupting their operations can have direct consequences for the population. The latest serious incident was at the Oldsmar water plant in Florida, where the cybercriminal managed to alter the sodium levels in the supply remotely.

Secondly, because it reminds us that some of the most damaging industrial cyber attacks in the past involved pendrives, such as Stuxnet, which paralyzed operations at a nuclear plant in Iran when a worker, recruited as an insider by an intelligence agency, introduced the malware via a USB connection.

And thirdly, because malware via pendrives had declined due to the lower frequency of use, but the pandemic reversed this trend. While use is increasingly sporadic elsewhere, as these devices are being replaced by cloud storage, in industrial organizations USB sticks have remained more prevalent because of the air-gapped premises mentioned above.

Usage policies and full endpoint protection

The first step to minimizing the risk of threats is to have a strict policy with guidelines for pendrive use in the organization. These guidelines should specify which industrial equipment the devices may be connected to, set role levels and permissions based on employee profiles, allow only devices provided and verified by the organization's IT team or MSP, and require that those devices are used only on company-provided and properly secured laptops.
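To show what such a policy looks like when it is enforced rather than merely written down, here is an added example (not WatchGuard code) that evaluates USB connection events against three rules drawn from the paragraph above: only IT-issued devices are accepted, roles decide which equipment class a person may use removable media on, and some equipment classes never accept removable media at all. The device identifiers, hosts, roles and log lines are all constructed for the example, and the log format is a hypothetical key=value one chosen for readability.

```python
"""Added example: evaluate constructed USB-connection events against a
removable-media policy (device allowlist, role permissions, forbidden
equipment classes). All identifiers and log lines are constructed."""
from dataclasses import dataclass

# Devices issued and verified by IT, keyed by vendor:product:serial (constructed values).
APPROVED_DEVICES = {
    "0951:1666:A1B2C3D4": "IT-issued stick #1",
    "0951:1666:E5F6A7B8": "IT-issued stick #2",
}

# Which role may use removable media on which class of equipment.
ROLE_PERMISSIONS = {
    "maintenance": {"corp-laptop", "hmi"},
    "operator": {"corp-laptop"},
    "contractor": set(),
}

# Equipment classes that must never accept removable media.
NO_USB_EQUIPMENT = {"plc"}


@dataclass
class Event:
    host: str
    host_class: str
    user: str
    role: str
    device_id: str


def parse_event(line: str) -> Event:
    """Parse one constructed log line of the form
    'host=.. class=.. user=.. role=.. dev=..'."""
    fields = dict(part.split("=", 1) for part in line.split())
    return Event(fields["host"], fields["class"], fields["user"], fields["role"], fields["dev"])


def evaluate(ev: Event) -> tuple:
    """Return (verdict, reason); verdict is 'allow' or 'block'.
    Rules are checked from most to least restrictive so the reason
    names the first policy line the event violates."""
    if ev.host_class in NO_USB_EQUIPMENT:
        return "block", f"removable media not permitted on {ev.host_class}"
    if ev.device_id not in APPROVED_DEVICES:
        return "block", "device not issued/verified by IT"
    if ev.host_class not in ROLE_PERMISSIONS.get(ev.role, set()):
        return "block", f"role {ev.role!r} may not use USB on {ev.host_class}"
    return "allow", APPROVED_DEVICES[ev.device_id]


def audit(lines: list) -> list:
    """Evaluate every log line; returns (host, verdict, reason) per event."""
    return [(ev.host, *evaluate(ev)) for ev in map(parse_event, lines)]


# Constructed sample events.
SAMPLE_LOG = [
    "host=LAP-01 class=corp-laptop user=jdoe role=operator dev=0951:1666:A1B2C3D4",
    "host=LAP-02 class=corp-laptop user=bob role=operator dev=0781:5567:DEADBEEF",
    "host=HMI-03 class=hmi user=jdoe role=operator dev=0951:1666:E5F6A7B8",
    "host=PLC-07 class=plc user=mike role=maintenance dev=0951:1666:E5F6A7B8",
    "host=HMI-03 class=hmi user=mike role=maintenance dev=0951:1666:E5F6A7B8",
]

if __name__ == "__main__":
    for host, verdict, reason in audit(SAMPLE_LOG):
        print(f"{host:8} {verdict:5} {reason}")
```

The second event is the case the policy is mainly written for: a personal stick on a company laptop, blocked because its identity is not on the issued-device list. The third and fifth events show the same approved stick being accepted or refused purely on the basis of the user's role.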

However, these guidelines may not be sufficient in the face of dangerous threats: if the facilities are critical infrastructure, they may be a target for state-linked APT groups employing highly sophisticated tools and malware that are capable of circumventing them. In this context, organizations need to have the most advanced endpoint security possible and full visibility of their activity, including USB connectivity.

WatchGuard Endpoint Security (now available on WatchGuard Cloud) addresses this need: its Zero-Trust Application Service in its WatchGuard EDR and WatchGuard EPDR solutions first classifies processes as either malware or trusted, and then allows only trusted processes to run on each endpoint. This greatly reduces the chances that malware on a pendrive will go undetected and infiltrate a machine. As a result, cybercriminals will have far fewer options when targeting industrial plants.