USB you have been pinged

 In ITC's Threat of the Week

Way, way back in the last century, the Under Sea Boat (Unterseeboot), now commonly known in English as the submarine, was sneakily introduced to naval warfare with the primary aim of disrupting commerce, supply lines and military activity.

The premise is genius. Everyone knows you are there, they probably can’t find you and you pop up and take out the enemy when they least expect it.

What a (slightly tortured) coincidence then that we all have USB ports on our devices, this one standing for Universal Serial Bus.

If you are an attacker attempting to compromise machines unreachable over any network (air gapped), USB or straight down the line physical infiltration are amongst your best options.

If one recalls the Stuxnet worm, which was apparently purpose built to infect the SCADA control systems of nuclear enrichment centrifuges, USB was used to bridge the air gap.

Perimeter control is absolutely no use if an infected USB device is connected to a system on the inside of your network. “AHA”, we hear you say in the manner of the master of guile that is Wile E. Coyote, “we have all this covered by our super next generation endpoint protection with machine learning (yawn) and artificial intelligence (reaches for the service revolver)”.

Well perhaps not if you are running manufacturing machines and supporting infrastructure which is operating on legacy operating systems and communicating using SCADA. Imagine, perish the thought, that these systems had a route to your internal network with no firewall or access control. What could possibly go wrong?

Very interestingly, this week IBM (no less) announced that it has banned all staff from using USB devices. How they are planning to police this remains a question; however, where there is smoke there is fire, and we think this may be an outlier for USB-sourced infections over the next few months.

With the forthcoming enforcement of GDPR on 25/05/2018, policy might speak louder than operating reality, at least in the eyes of the regulator. The exposure and subsequent risk to your business due to legacy devices, especially SCADA and Internet of Ting Tings, is a massive attack vector, which might be about to be exploited in a big way.

As they say, nobody got fired for buying IBM, which is fairly reasonable in our view. They pretty much designed the post/pull interface with LU6.2. They may well be onto something.

Behavioural analysis vendors such as Darktrace identified monitoring and securing the OT environment as an essential activity in the manufacturing sector some time ago. With systems that are hard or impossible to patch, deployment of these technologies is becoming increasingly necessary.

ITC has a combination of advisors, processes, technologies and managed services, which can help to define and manage your exposure to these new threats. Contact us on enquiries@itcsecure.com or call 020 7517 3900 for more information.

Author: Kevin Whelan
