INDUSTRIAL CYBERSECURITY USB THREAT REPORT 2021 - USB usage increased by 30%. 79% of threats capable of disrupting OT.
Research Report
OVERVIEW
2020 proved to be an interesting year in almost every context, and USB cybersecurity was no exception. The global pandemic influenced how most operational technology or “OT” organizations functioned day-to-day to accommodate new health and safety guidelines. Attempts to minimize the physical proximity of staff where possible led to an increased need for the movement of digital data. As a result, the two primary communication paths into OT – removable media and network connectivity – were under increased strain, and operators faced new operational challenges as a result. Based on our findings, 2020 saw an increase in the use of USB media by 30% over 2019.

Through analysis of data specific to this vector and specific to industrial control/OT environments, this report attempts to shed new light on the industrial cybersecurity threats associated with USB removable media.
TRENDS
- USB removable media usage is up by 30%
- Our ability to detect threats is up by 14%
- Content-based malware is up by 110% [1]

THREATS
- 79% of threats are capable of disrupting OT
- 37% are designed for USB
- 30% are targeting OT
- 51% establish remote access
- Trojans remain the dominant category
Note: This report includes a glossary of terms for the
convenience of the reader. Terms that can be found
in the glossary are initially printed in bold.
[1] McAfee Labs Threat Report, November 2020.
METHODOLOGY

USB usage and behavioral data was analyzed by the Cybersecurity Global Analysis, Research, and Defense (GARD) team, using a proprietary and highly cultivated threat detection and analysis system: the GARD Engine. While the GARD Engine is used across multiple Honeywell Industrial Cybersecurity products and services, the data for this report was limited to those threats detected by Honeywell’s USB security solution, Honeywell Forge Secure Media Exchange (SMX). Forge SMX analyzes USB devices as they are actively used in industrial facilities, providing a highly focused view of industrial USB activity.
[Figure: data flow into this report. Files from vendors and integrators, files to/from legacy systems, files from employees, and unwanted content from phones and other devices arrive from the internet on USB drives; SMX separates bad files (malware) from good files, and deeper analysis of the bad files feeds this report.]
This report is based on aggregated data from SMX and is anonymized. A sample set of this aggregated SMX data was analyzed. As such, findings represent consolidated views into the collective data set, and sample set findings are interpreted in light of impact upon the larger sample set.

Industries represented include Oil and Gas, Energy, Chemical Manufacturing, Pulp and Paper, Water, Buildings, Aerospace and other industrial manufacturing facilities from over 60 countries across North America, South America, Europe, the Middle East, and Asia. The data represents those threats that were detected and blocked. While the efficacy rate of Forge SMX and the GARD Engine is exceptionally high (see “Improving Detection Efficacy” later in this report), no threat detection technology is 100% effective. It is therefore possible that additional threats were not detected, and as a result not included in this report. Also of note, this report focuses exclusively on USB-borne malware and does not discuss other USB based attacks such as BadUSB or USB Attack Platforms. For more information on USB Attack Platforms, please reference “[BadUSB report title]” at honeywellprocess.com
KEY FINDINGS

Overall, the threat of USB-borne malware continues to be a serious and growing concern. Threats capable of propagating over USB, or specifically exploiting USB media for initial infection, rose from 19% in 2019 to just over 37% in 2020–the second consecutive year of significant growth in this area. Of the threats seen, Trojans dominated again by comprising 76% of the malware detected. In addition, more threats in 2020 were wormable, and 52% (up from 34%) were able to provide remote access or remote control. This illustrates the continuation of a trend identified in last year’s report: adversaries are leveraging USB removable media as an initial attack vector, at which point they will attempt to establish remote connectivity to download additional payloads, exfiltrate data, and establish command and control. Combined with a corresponding increase in threats targeting industrials (from 28% to 30%), this supports the theory that USB removable media are being used to penetrate the air-gapped environments found in many industrial and OT environments.

THREATS CONTINUE TO GET MORE SEVERE

Of the threats blocked, another trend continued from 2019: the malware was more capable of causing a disruption to industrial control systems, up to 79% from 59%. This is true despite a slight decline in ransomware, which was a significant contributor in 2019. The increased severity of threat comes from increasingly multi-functional malware, which is capable of directly impacting target systems (20%), downloading stage-2 payloads (9%), or opening backdoors, establishing direct remote access, and command and control (52%).

CONTENT-BASED MALWARE AS AN INITIAL VECTOR INTO OT

A new trend identified in 2020 showed that a significant number of threats specifically leveraged altered or infected documents. There was a continued increase in trojans (malware disguised as legitimate software), with a seeming shift from the impersonation of executable files and archives (.exe, .zip, etc.) to document files (Office documents, PowerShell scripts, .PDF files, etc.). In addition to the high number (76%) of trojans overall, 12% of the total threats detected leveraged native document structures with embedded scripts and macros. This rise in content-based malware seems to correspond to more subjective shifts in how many organizations operated during 2020 and would indicate that adversaries were attempting to take advantage of these changes. Because there is no pre-existing data concerning file metadata, it is impossible to draw a conclusion here, although it is something that will be observed in the future.

Similar findings were also published by McAfee Labs, who saw a 103% increase in office malware and a 117% increase in PowerShell malware. [2]
[2] McAfee Labs Threat Report, November 2020.
ATTACKERS ARE USING USB TO BYPASS THE AIR GAP

As mentioned above, several factors indicate that USB removable media are deliberately used to circumvent the “Air Gap” that protects industrial environments. In most modern systems, true air gaps have been replaced with strongly segmented and protected networks–either way, penetrating this layer of defense can be a daunting task for an attacker. An alternative approach is to circumvent the network completely, and physically carry an attack across the air gap, using USB removable media, or even specialized USB attack platforms (see “Honeywell Cybersecurity Report: USB Hardware Attack Platforms”, www.honeywellprocess.com).

Looking at the contents of removable media inbound to OT environments, there are strong indications that cyber adversaries are deliberately leveraging USB removable media for this purpose. First, there was a rise in sophisticated content-based malware, designed to impersonate legitimate files that operators interact with regularly. Second, malware samples were more sophisticated than expected, with the ability to propagate to other systems and establish backdoor access, download and install other components, and provide remote command and control. The concentration of this type of malware among samples specifically entering ICS/OT on removable media is simply too high to be coincidental.

In addition, an increasing number of threats (30%) were known to have been designed specifically for industrial use or associated with industrial cyber-attack campaigns. A similar proportion (34%) had qualities associated with early-stage attacks that are likely part of a larger campaign. While many (9%) had the sole purpose of installing additional payloads, over half (52%) were designed to establish a permanent backdoor or remote access, and were capable of downloading and installing additional payloads, and providing command and control functions.

We saw the first indications of this behavior in 2019, and the consistent increase across all of these factors strongly indicates that the patterns are intentional: adversaries targeting industrial operators are specifically leveraging USB removable media as an initial penetration vector, as part of a larger cyber-attack campaign.
IMPROVING DETECTION EFFICACY

Malware detection is complex, and no single malware detection tool or technology will ever be 100% effective. Using a layered detection and response strategy can improve detection, by leveraging the specific strengths of certain techniques against specific classes or families of malware. However, new malware variants are developed at an alarming rate–as many as 419 new threats per minute or over 220 million per year–and the sheer volume of threats in existence makes it difficult to maintain strong detection efficacy. [2]

To help improve detection, GARD implemented Early Threat Detection (ETD) in 2020. ETD combines proactive security research to identify the newest and emerging threats as early as possible in a malware’s lifecycle. Doing so allows GARD to provide improved detection of these “early day” threats, when commercial detection signatures and threat intelligence feeds are not yet available. This strategy focuses on the challenge of OT-relevant threats, and on why some AV engines might not catch certain threats.

CYBER THREATS CAN AVOID DETECTION
- 46% of known OT cyber threats are poorly detected or not detected at all
- 11% completely avoid detection
- 35% are poorly detected by most engines

As in previous reports, we cross-checked the base detection results of GARD against a variety of commercial anti-malware software solutions. The results show an increasing number of threats that were able to avoid detection by the commercial anti-malware engines tested. 11% completely avoided detection by all tested engines, while 35% were classified as having “poor detection rates”, able to avoid detection by the majority of engines tested. Focusing our results only on those threats that are known to specifically target OT, as many as 46% of the threats analyzed fell into this category. There could be several reasons for this poor detection rate: for example, an increase in more sophisticated threats that are capable of evasive behaviors, or the use of newer and target-specific variants.
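The cross-check described above, as an added example that is not the report's or Honeywell's code: it classifies multi-engine scan verdicts into the report's categories (completely undetected, poor detection rate, detected), computes the shares overall and for samples tagged as targeting OT, and lists per-engine miss rates on the OT subset. The engine names, sample ids and verdicts are all constructed.

```python
"""Detection-efficacy cross-check over per-engine verdicts (constructed data)."""
from collections import Counter
from typing import Dict, FrozenSet, NamedTuple

# Hypothetical engine names; no real product is meant.
ENGINES = ("AV-A", "AV-B", "AV-C", "AV-D", "AV-E", "AV-F")


class Sample(NamedTuple):
    targets_ot: bool            # analyst tag: known to target OT
    flagged_by: FrozenSet[str]  # engines that reported the sample as malicious


# Constructed scan results: sample id -> verdicts. Not real detections.
SCAN_RESULTS: Dict[str, Sample] = {
    "s01": Sample(False, frozenset(ENGINES)),
    "s02": Sample(False, frozenset(ENGINES[:5])),
    "s03": Sample(False, frozenset()),
    "s04": Sample(False, frozenset({"AV-A", "AV-B"})),
    "s05": Sample(False, frozenset({"AV-A", "AV-B", "AV-C", "AV-D"})),
    "s06": Sample(False, frozenset({"AV-A", "AV-B", "AV-C"})),
    "s07": Sample(True, frozenset()),
    "s08": Sample(True, frozenset({"AV-F"})),
    "s09": Sample(True, frozenset({"AV-A", "AV-C", "AV-E", "AV-F"})),
    "s10": Sample(True, frozenset({"AV-B", "AV-D"})),
}


def classify(flagged_by: FrozenSet[str], engines=ENGINES) -> str:
    """'undetected' if no engine flagged it, 'poor' if it avoided the
    majority of engines (flagged by fewer than half), else 'detected'."""
    hits = len(flagged_by & frozenset(engines))
    if hits == 0:
        return "undetected"
    if hits * 2 < len(engines):
        return "poor"
    return "detected"


def _scope(results, only_ot):
    subset = [s for s in results.values() if s.targets_ot or not only_ot]
    if not subset:
        raise ValueError("no samples in scope")
    return subset


def efficacy_summary(results=SCAN_RESULTS, only_ot=False) -> Dict[str, float]:
    """Percentage of samples per class, plus the combined 'poor or undetected'
    share the report reports as 46% for OT-targeting threats."""
    subset = _scope(results, only_ot)
    counts = Counter(classify(s.flagged_by) for s in subset)
    pct = {c: 100.0 * counts[c] / len(subset) for c in ("undetected", "poor", "detected")}
    pct["poor_or_undetected"] = pct["undetected"] + pct["poor"]
    return pct


def engine_miss_rates(results=SCAN_RESULTS, only_ot=True) -> Dict[str, float]:
    """Per-engine percentage of in-scope samples it missed; highlights engines
    with weak coverage of the OT-targeting subset."""
    subset = _scope(results, only_ot)
    return {e: 100.0 * sum(1 for s in subset if e not in s.flagged_by) / len(subset)
            for e in ENGINES}


if __name__ == "__main__":
    print("all samples:", efficacy_summary())
    print("OT-targeting:", efficacy_summary(only_ot=True))
    print("miss rate on OT samples:", engine_miss_rates())
```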
While the implementation of ETD did impact the efficacy gap, it alone does not
account for the delta. Of the threats detected, 7% were the direct result of ETD.
Therefore, it is more likely that the threats detected and analyzed in this report were
simply more specialized and difficult to detect using traditional means–a likely
scenario considering the highly focused nature of this report, which looks at threats
exclusively from a specific vector (USB) into a specific environment (OT). This
hypothesis also supports previous findings of the types of threats detected, and
their highly targeted qualities, presented earlier in this report.
While the exact cause of poor detection rates is unknown, it remains a concern.
Many industrial organizations rely on legacy anti-virus systems as a sole-source for
protection against malware. In addition, these anti-virus systems are typically
updated less frequently on OT assets due to the limited availability of maintenance
windows where such updates can occur. This further increases the risk of
depending solely on commercial AV scanning.
SECURITY IMPLICATIONS FOR OPERATORS

New evidence indicates that USB removable media is intentionally used as an initial attack vector into industrial control and OT environments. As such, a clear USB security policy must be established, and technical controls and enforcement must be established to better secure USB media and peripherals.

Threats crossing the air gap via USB are used to establish a toehold into industrial systems, establishing backdoors and remote access to install additional payloads and establish remote command-and-control. Outbound network connectivity from process control networks must be tightly controlled and be enforced by network switches, routers and firewalls.

Evidence continues to indicate that new threat variants are being introduced more quickly, specifically via USB, and specifically targeting industrials. To this end, existing controls should be re-examined, and patch cycles should be re-evaluated in an attempt to close the Mean Time to Remediation (MTTR). External controls to provide real-time detection and protection of key systems should be considered, as well as integrated monitoring and incident response procedures. For more information on closing the MTTR gap in OT environments, please refer to https://www.sans.org/webcasts/114525

Security upkeep remains important. It is critical that anti-malware controls are kept current in order to be effective. Anti-virus software deployed in process control facilities needs to be updated daily. Even then, a layered approach to threat detection that includes OT-specific threat intelligence is strongly recommended for maximum efficacy.

As workplaces adapt to a global pandemic, additional scrutiny should be placed on files, documents, and other digital content. Inspection and detection-based controls are necessary for the primary vectors into and between protected industrial facilities (e.g., removable media, network connections), to prevent the introduction and propagation of content-based malware.

Due to the extent of threats that are capable of establishing persistence and covert remote access to otherwise air-gapped systems, patching and hardening of end nodes is necessary. Hardening of OT systems is also a key contribution to improving incident MTTR.
CONCLUSION: ACTIVE USB CYBERSECURITY CONTROLS ARE REQUIRED

For the third year in a row, the threats seen attempting to enter industrial/OT environments have continued to increase in sophistication, frequency, and the potential risk to operations. USB-borne malware is clearly being leveraged as part of larger cyber-attack campaigns against industrial targets and has adapted to take advantage of the ability of USB removable media to circumvent network defenses and bypass the air gaps upon which many of these facilities depend for protection. Continued diligence is necessary to defend against the growing USB threat, and strong USB security controls are highly recommended.
GLOSSARY

AIR GAP
An air gap refers to the purposeful absence of digital connectivity between a computing environment and any outside or untrusted network, such as the internet. In industrial controls, there is typically an approximation of an air gap that separates operational and automation systems (“OT”) from business systems (“IT”). While absolute air gaps are rare due to the increasing need for digital communications between business and operational systems, the term is still widely used to refer to the layer of strict network access policies, logical segmentation, and security controls around OT environments.

ATTACK VECTOR
An attack vector is any potential path by which a cyber adversary might attempt to gain access to a computer network or system.

BACKDOOR
Backdoors provide unauthorized access to computer files, systems, or networks. Backdoors that provide access over a network are often referred to as Remote Access Toolkits or RATs, although backdoors may also be specific to local systems or applications.

BADUSB
An exploitation of certain USB devices allowing the firmware to be overwritten by a hacker, to modify how that device operates. Typically used to alter commercially available USB devices, so that they can be used as a cyber-attack tool.

COMMAND AND CONTROL, C2
Command and Control typically refers to servers used by cyber adversaries that provide the attacker with the ability to communicate with and send commands to a compromised system, providing control over that system.

CYBER ATTACK CAMPAIGNS
A set of coordinated cyber activities carried out by a cyber adversary, towards a common objective, is often referred to as a cyber-attack campaign. Campaigns typically utilize multiple attack techniques over time. Campaigns are coordinated efforts, and sometimes implicate threat actors from nation states, crime syndicates or other organized cyber adversaries.

EARLY THREAT DETECTION, EARLY-DAY THREAT, ETD
Early Threat Detection is a service offered as part of Honeywell’s GARD threat detection offerings. Early Threat Detection refers to the curation of threat and incident information from Honeywell as well as public- and private-sector partners, with the intent of providing detection of newly emerging threats as quickly as possible.

GARD ENGINE
GARD refers to the Honeywell Global Analysis Research and Defense threat detection service, which provides advanced threat detection and response capabilities to supported Honeywell cybersecurity products.

INDUSTRIAL CONTROL SYSTEMS, ICS, INDUSTRIAL CONTROL AND AUTOMATION SYSTEMS
Industrial Control Systems refer to the systems, devices, networks, and controls used to operate and/or automate an industrial process.

MEAN TIME TO REMEDIATION, MTTR
Mean Time to Remediate refers to the amount of time required for an organization to react and recover from an identified cyber threat or incident. In OT, MTTR typically extends beyond simple computer system and network recovery, to fully operational.

OPERATIONAL TECHNOLOGY, OT
Operational Technology (OT) is analogous to Information Technology (IT), referring to the underlying technology used in ICS environments. While many of the general computing platforms used in ICS share common hardware, operating systems, and networking technology, OT systems are used in fundamentally different ways to support industrial automation and control, and therefore represent a unique challenge in terms of cybersecurity.

PAYLOAD
In general computing a “payload” refers to the part of a digital communication that is the actual content or message. A malicious payload, or the payload delivered by a cybersecurity threat, refers to software that performs a malicious activity. Newer and more sophisticated malware will typically operate in a modular fashion, where specific payloads can be used to execute specific tasks in a cyber-attack campaign.

REMOTE ACCESS, RAT
Remote access refers to the connectivity to a computer system or network from a remote location. In the context of cyber threats, remote access typically refers to backdoors or RATs (Remote Access Trojans or Remote Access Toolkits), which are designed to establish unintended network access for a cyber adversary.

SECURE MEDIA EXCHANGE
Secure Media Exchange (SMX) is a commercial industrial cybersecurity technical solution developed by Honeywell to lower the risk of USB-borne threats. For more information, visit https://www.hwll.co/SMX

TROJAN
A “trojan” is any malware designed to trick a user into executing it. Typically this is done by masquerading as legitimate software, or by embedding malicious code or scripts into everyday documents.

USB/UNIVERSAL SERIAL BUS
The USB protocol defines how many device types can interconnect to a single computer interface, designed to replace many custom computer peripherals with a single, common interface. The term “USB” could refer to any specific USB device, such as a mouse, keyboard, removable storage, network adapter, et al.; a USB host, such as a computer or other digital system with a USB interface; or the USB protocol itself.

USB ATTACK PLATFORMS, UAPS
Specialized USB hardware devices used as cyber-attack tools. USB Attack Platforms are out of scope for this report; see “Honeywell Cybersecurity Report: USB Hardware Attack Platforms” at honeywellprocess.com.

USB-BORNE MALWARE
Malware that propagates over USB removable media or specifically exploits USB media for initial infection. USB-borne malware detected by SMX is the exclusive focus of this report.

USB REMOVABLE MEDIA
USB removable media typically refers to data storage devices that connect using the USB standard. Often referred to as flash drives, thumb drives, USB sticks, et al., the most common form of USB removable media utilizes solid state storage (i.e., “flash”) and connects to USB type-A interfaces using the USB standard “USBStor” device classification. However, the USB standard is diverse and other storage device types are available, and non-flash USBStor devices also exist.

WORM, WORMABLE
A computer worm is a standalone malware computer program that is able to self-replicate by spreading to and infecting other computers. As malware continues to evolve, it becomes harder to strictly classify a particular malware into a single category. For example, a trojan might also be able to self-replicate.
ABOUT HONEYWELL’S GLOBAL ANALYSIS, RESEARCH AND DEFENSE TEAM FOR OT CYBERSECURITY

Honeywell’s Global Analysis, Research, and Defense team (GARD Team) is dedicated to OT-focused cybersecurity research, innovation, and integration. As part of Honeywell Forge Cybersecurity, GARD leverages data curated from 7 Honeywell cybersecurity research centers, and from over 5,000 deployments in over 65 countries–to provide OT threat analysis and threat detection. Proactive threat research, mining, hunting and other techniques can help ensure that targeted OT threats are detected early.

Honeywell Forge Cybersecurity better protects industrial assets, operations and people from digital-age threats. With more than 15 years of OT cybersecurity expertise and more than 50 years of industrial domain expertise, Honeywell combines proven cybersecurity technology and industrial know-how to maximize productivity, improve reliability and increase safety. We provide innovative cybersecurity software, services and solutions to better protect assets, operations and people at industrial and critical infrastructure facilities around the world. Our state-of-the-art Cybersecurity Centers of Excellence allow customers to safely simulate, validate and accelerate their industrial cybersecurity initiatives.

Honeywell Connected Enterprise, 715 Peachtree Street NE, Atlanta, Georgia 30308
Industrial Cybersecurity USB Threat Report 2021 | Rev 1 | 6/2021
www.honeywell.com
©2021 Honeywell International Inc.