USBs Still a Major OT Infection Vector

Removable media represents the second greatest threat to operational technology (OT) systems so far this year, according to new data from IBM X-Force.

The vendor analyzed its incident response and managed security services (MSS) data in light of the ongoing threat from Russia and a fast-expanding digital attack surface for many OT asset owners and operators.

It revealed that phishing was the number one initial access vector for attackers in 2021, and was present in 78% of incidents analyzed over January-June 2022. However, tying for second place were scanning and exploitation of vulnerabilities and use of removable media (both 11%).

IBM said that use of personal laptops by workers in the field often leads to infected USBs, which are then plugged into operator workstations.

“Ideally, USB flash drives should be prohibited when possible,” the vendor argued. “If absolutely necessary, strictly control the number of portable devices approved for use in your environment and disable autorun features for any removable media.”
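The recommendation above can be turned into a repeatable check on Windows operator workstations. The following PowerShell audit script is an added example, not IBM's or the article's own code; it reads the standard Windows policy registry values that govern AutoRun/AutoPlay and USB mass-storage, reports which ones deviate from a removable-media-prohibited baseline, and optionally enforces them.

```powershell
# Added example (not from IBM X-Force or the article): audit, and optionally
# enforce, the removable-media hardening the article recommends on a Windows
# operator workstation. Run from an elevated PowerShell session.
# All paths and value names are standard Windows policy registry locations.

$Checks = @(
    @{ Name      = 'AutoPlay off for all drive types'
       Path      = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
       ValueName = 'NoDriveTypeAutoRun'; Expected = 0xFF },
    @{ Name      = 'AutoRun commands never executed'
       Path      = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
       ValueName = 'NoAutorun'; Expected = 1 },
    @{ Name      = 'USB mass-storage driver disabled'
       Path      = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'
       ValueName = 'Start'; Expected = 4 },
    @{ Name      = 'Removable device installation denied'
       Path      = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions'
       ValueName = 'DenyRemovableDevices'; Expected = 1 }
)

function Test-RemovableMediaHardening {
    param([switch]$Enforce)   # with -Enforce, write the expected values
    foreach ($c in $Checks) {
        # Read the current value; $null when the key or value is absent
        $current = (Get-ItemProperty -Path $c.Path -Name $c.ValueName `
                    -ErrorAction SilentlyContinue).($c.ValueName)
        $ok = ($null -ne $current) -and ($current -eq $c.Expected)
        if (-not $ok -and $Enforce) {
            if (-not (Test-Path $c.Path)) { New-Item -Path $c.Path -Force | Out-Null }
            Set-ItemProperty -Path $c.Path -Name $c.ValueName -Value $c.Expected -Type DWord
            $ok = $true
        }
        [pscustomobject]@{
            Check     = $c.Name
            Current   = if ($null -eq $current) { 'not set' } else { $current }
            Expected  = $c.Expected
            Compliant = $ok
        }
    }
}

# Audit only; add -Enforce on workstations where removable media is prohibited.
Test-RemovableMediaHardening | Format-Table -AutoSize
```

The first two checks implement the "disable autorun" advice and suit every workstation; the last two block USB storage outright, so on hosts where a small set of approved devices must remain usable, drop them and rely on device-installation allow-listing instead.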

The research highlighted other threats to OT environments. For organizations with OT monitoring tools installed, 57% of alerts concerned the continued use of the outdated and insecure TLS 1.0 encryption method.

An additional 42% of OT alerts related to attempted and successful brute force attacks. The remaining 1% was accounted for by a variety of “enumeration alerts” including Modbus function code, illegal parameters and things like weak/default passwords on devices.

Manufacturing was the most attacked sector in terms of OT threats in 2021, and it remains so this year, accounting for 23% of total incident response cases and 65% among OT industries in the first half of 2022, IBM said.

Malicious spam (malspam) was flagged as the biggest OT threat so far this year, appearing in 44% of IBM engagements, with the majority of emails attempting to deliver the notorious Emotet Trojan.

Remote access trojans (RATs) came in second at 19%, followed by ransomware (13%), business email compromise (BEC) and server access attacks (6% each).