ICS : Infiltration of Malware via Removable Media and External Hardware

Summary

Removable media such as USB flash drives are widely used. Company employees often use them both in the office and ICS networks. Also, they take them home frequently to continue working there or copy the latest music on it for work. In addition, external personnel often carry their own notebook computers with external data and maintenance software, which is used likely at different companies. Regarding the history of ICS, security awareness is mainly limited to the aspects of availability and physical security such as safety, access restrictions and protection from external influences. As a result, employees are often unaware of the effects caused by malware.

Thanks to CSI publications on cyber security[1].

Technical Details

Potential threat scenarios

1. USB flash drives may have been infected in the office network or in private environment. In that way, malware can find its way directly into ICS networks.

2. Notebook computers used for maintenance may have been infected when accessing the Internet, office networks or in the infrastructure of the respective service provider. As soon as they are operated in the ICS network, systems and components become infected with malicious code.

3. Project files or executable applications can contain malicious code leading to an infection or data leakage.

Mitigations

The containment strategy (Remediation / Stop the spread) can be based on following best recommended practices

1. Introduction of strict organisational policies and technical controls with regard to removable media:
   • Taking inventory and whitelisting of approved removable media.
   • Security perimeter for removable media (virus protection and file whitelisting, provided on a computer using a different operating system than the maintenance computers).
   • Exclusive use of in-house, possibly personalised removable media.
   • Exclusive use in the ICS network.
   • Physical barriers preventing (unauthorised) connection of USB devices using resin, USB locks or desoldering from circuit boards.
   • Full encryption of data media.
2. Introduction of strict organisational policies and technical controls with regard to external notebook computers used for maintenance :
   • Exchange of data only via removable media subject to the controls stated above.
   • Introduction of quarantine networks for access of external service providers.
   • Virus Scan of external notebooks before accessing the actual system.
   • Full encryption of maintenance notebook computers are kept by the asset owner.

Analysis

Identification & Scoping of incident is key.

Tips

Know whom to call. Please first ensure you are able to quickly mobilize all the help required and the right contacts have been reached out to. You may need to start on several parallel investigation trails. General actions to Recover If Impacted– Don’t Let a Bad Day Get Worse.

• Work with an experienced advisor to help recover from a cyber attack
• Isolate the infected systems and phase your return to operations
• Apply business impact assessment findings to prioritize recovery
• Fact – how the attackers got access – will likely take time to determine. So have parallel tracks running for immediate containment and investigative/forensic works.