USB Removable Media Security in ICS Networks - Threats and Controls
USB threats in OT environments - malware, sabotage, data exfiltration. IEC 62443 controls, security kiosk, and policies.
Jozef Sulwinski
December 11, 2017, at 1:21 AM, a night-shift worker at an industrial facility in the Middle East plugged a USB drive into a shared workstation. He wanted to watch the movie “La La Land”, which he had downloaded onto the drive earlier. He did not know that, along with the movie, the drive delivered malware to the workstation, starting what was later named Operation Copperfield. The malware, a variant of the H-Worm (Houdini) remote access trojan, spread across the facility’s network, collecting configuration data and conducting reconnaissance of critical infrastructure.
This incident was not an exception. Removable media remain one of the most frequently exploited attack vectors targeting OT systems - from Stuxnet in 2010, through Agent.BTZ in US Department of Defense networks, to contemporary campaigns targeting energy and water infrastructure. In this article, we discuss current data on USB threats, normative requirements, and practical controls that help mitigate the risk.
Why USB still poses a threat in OT
OT networks have a specific characteristic that makes them vulnerable to attacks via removable media: many of them are isolated from the internet (air-gapped). Paradoxically, this very isolation makes USB the primary data transfer channel - for firmware updates, configuration files, diagnostic logs, and service software.
Employees and external contractors regularly bring to OT networks:
- USB drives with software updates for PLC controllers and SCADA systems
- Service laptops with diagnostic tools
- External drives with configuration backups
- Media with technical documentation and schematics
Each of these media may previously have been in a corporate network, a home network, or another client’s network. If a medium is infected, it carries the malware straight across the air gap, past the firewalls, IDS sensors, and network segmentation that only protect the perimeter.
Scale of the problem - data from Honeywell reports
Honeywell has published reports on USB-borne threats in industrial environments for several years, based on data from the Secure Media Exchange (SMX) system, which scans removable media at facilities worldwide.
- 51% of detected malware designed to spread via USB (6x increase since 2019)
- 82% of that USB malware capable of disrupting OT processes
- 1 in 4 Honeywell incident response engagements linked to USB
- 31 million files scanned by SMX (2025)
Source: Honeywell USB Threat Report 2024, Honeywell Cyber Threat Report 2025
Data for 2024 shows that 51% of detected malware was deliberately designed to spread via USB media - a sixfold increase compared to 9% in 2019. More importantly, 82% of this malware is capable of disrupting industrial processes - through loss of view or loss of control.
In the first quarter of 2025, the SMX system detected 1,826 unique USB threats, including 124 never-before-seen variants. One in four incidents handled by the Honeywell Incident Response team involved a USB plug-and-play event.
Three removable media attack scenarios
The following scenarios are worth discussing during training for employees and external contractors servicing OT installations.
Scenario 1: Infected media from a corporate or home network
An employee copies a presentation to a USB drive from a work laptop, then uses the same drive on a personal computer at home. The media becomes infected. The next day, the employee brings it to the facility and plugs it into an engineering workstation on the OT network. The malware crosses the air gap boundary.
This is exactly how Stuxnet spread - via infected USB media and Step 7 project files, carried by companies servicing the Natanz installation. Simply viewing the media contents in Windows Explorer was enough to trigger code exploiting a .LNK file handling vulnerability.
Scenario 2: External contractor’s service laptop
An automation system integrator arrives with a laptop containing service software, configuration files, and diagnostic tools. The same laptop has been used at other clients and connected to various networks. If it is infected, it carries the malware to every subsequent installation it connects to.
Scenario 3: Tampered project files or updates
Attackers modify PLC controller project files or firmware update packages, embedding malicious code. When a technician loads such a file onto a controller, the malware gains direct access to the process control layer.
WARNING
USB media are not just USB drives. Threats also include keyboards with hidden payloads (BadUSB), USB cameras with embedded code, network adapters creating unauthorized connections, and external hard drives. Every device connected through a USB port is a potential attack vector.
Normative requirements
IEC 62443
The IEC 62443 standard directly addresses threats related to removable media. Key requirements include:
| Requirement | Description | Reference |
|---|---|---|
| Physical port control | Restricting access to USB ports on devices in critical zones | IEC 62443-2-1, IEC 62443-3-3 |
| Media scanning | Mandatory scanning of media before connecting to OT networks | IEC 62443-2-4 |
| Device whitelisting | Allowing only registered removable media | IEC 62443-3-3 SR 2.3 |
| File type control | Restricting permitted file formats on media | IEC 62443-3-3 |
| Principle of least privilege | Minimum permissions for operations with removable media | IEC 62443-3-3 SR 2.1 |
| Logging and auditing | Recording all operations with removable media | IEC 62443-2-1 |
These requirements should be implemented in the context of zones and conduits - segmentation details are discussed in our article on Defense in Depth in DCS systems.
NIST SP 800-82 Rev. 3 and NIST SP 1334
NIST SP 800-82 Rev. 3 (Guide to Operational Technology Security, September 2023) includes a security control overlay (OT overlay) based on SP 800-53r5, incorporating specific requirements for removable media in OT environments.
In 2025, NIST additionally published SP 1334 “Reducing the Cybersecurity Risks of Portable Storage Media in OT Environments” - a document dedicated exclusively to the security of portable storage media. It covers four areas of controls:
- Procedural controls - authorization policies, training, media handling procedures
- Physical controls - secure storage, labeling, media inventory
- Technical controls - malware scanning, port blocking, hardware encryption (FIPS 140-validated devices)
- Transport and sanitization - integrity verification (hash/checksum), secure data wiping
TIP
When transferring files between an integrator and a facility operator, verify them with a cryptographic hash (for example SHA-256) rather than a plain checksum: a CRC catches accidental corruption in transport, but not a deliberately substituted file. Send the expected hashes over a separate channel (e-mail, service ticket, phone), because a hash list stored on the same drive can be rewritten together with the files. This is a simple safeguard that significantly complicates supply chain attacks.
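A worked version of this check, added here as an example rather than code from the article or from any product it mentions: the integrator builds a SHA-256 manifest of everything going onto the drive and keys it with a short secret agreed out of band (so a rewritten manifest is detected as well, not only rewritten files); the operator verifies the drive before any file reaches an engineering workstation. The directory layout, file names and the shared secret are constructed for illustration.

```python
"""Tamper-evident file manifest for a removable medium (added example).

Sender side: build_manifest() on the directory that goes onto the drive, then
pass the manifest to the receiver over a separate channel. Receiver side:
verify_manifest() on the mounted drive before any file is opened.
The pre-shared key is an assumption: something agreed by phone or in the
service contract, never stored on the drive itself.
"""
import hashlib
import hmac
import json
import tempfile
from pathlib import Path

CHUNK = 1 << 20  # read in 1 MiB pieces so large firmware images are not loaded whole


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def _canonical(files: dict) -> bytes:
    # Fixed key order and no whitespace, so sender and receiver MAC identical bytes.
    return json.dumps(files, sort_keys=True, separators=(",", ":")).encode()


def build_manifest(root: Path, key: bytes) -> dict:
    """Hash every regular file under root and MAC the resulting list."""
    files = {p.relative_to(root).as_posix(): sha256_file(p)
             for p in sorted(root.rglob("*")) if p.is_file()}
    tag = hmac.new(key, _canonical(files), hashlib.sha256).hexdigest()
    return {"files": files, "hmac": tag}


def verify_manifest(root: Path, manifest: dict, key: bytes) -> dict:
    """Compare the drive against the manifest; report every discrepancy."""
    expected = hmac.new(key, _canonical(manifest["files"]), hashlib.sha256).hexdigest()
    result = {
        "hmac_ok": hmac.compare_digest(expected, manifest["hmac"]),
        "modified": [], "missing": [], "extra": [],
    }
    present = {p.relative_to(root).as_posix(): p for p in root.rglob("*") if p.is_file()}
    for name, digest in manifest["files"].items():
        if name not in present:
            result["missing"].append(name)
        elif sha256_file(present[name]) != digest:
            result["modified"].append(name)
    result["extra"] = sorted(set(present) - set(manifest["files"]))  # files nobody declared
    return result


def demo() -> dict:
    """Constructed scenario: a clean hand-over, then two kinds of tampering."""
    key = b"agreed-by-phone-not-on-the-drive"  # assumption, see module docstring
    with tempfile.TemporaryDirectory() as tmp:
        drive = Path(tmp)
        (drive / "plc").mkdir()
        (drive / "plc" / "line3_project.bin").write_bytes(b"constructed PLC project")
        (drive / "fw").mkdir()
        fw = drive / "fw" / "controller_v2.9.2.bin"
        fw.write_bytes(b"constructed firmware image")
        manifest = build_manifest(drive, key)
        clean = verify_manifest(drive, manifest, key)

        # Tampering 1: firmware swapped and an autorun.inf dropped, manifest untouched.
        fw.write_bytes(b"constructed backdoored firmware image")
        (drive / "autorun.inf").write_bytes(b"[autorun]\r\nopen=setup.exe\r\n")
        files_tampered = verify_manifest(drive, manifest, key)

        # Tampering 2: the attacker also rewrites the manifest entry to match the new firmware.
        forged = {"files": dict(manifest["files"]), "hmac": manifest["hmac"]}
        forged["files"]["fw/controller_v2.9.2.bin"] = sha256_file(fw)
        manifest_forged = verify_manifest(drive, forged, key)

    return {"clean": clean, "files_tampered": files_tampered, "manifest_forged": manifest_forged}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Without the key, the second tampering case would pass: a manifest that travels on the drive is only as trustworthy as the drive. The key adds nothing against a dishonest integrator, but it does stop a third party who can rewrite the medium in transit; for that threat a signature from the integrator's key would be the stronger form of the same check.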
Practical USB security controls
Security kiosk (scanning kiosk)
A security kiosk is a physical station where removable media are scanned before being admitted to the OT network. It acts as a “checkpoint” - every media device must pass scanning before being used in the production zone.
Solutions such as Honeywell Secure Media Exchange (SMX) consist of four components:
- SMX Gateway - physical kiosk for scanning media
- Cyber Threat Engine - threat detection engine
- Enterprise Threat Management Portal - threat management portal
- SMX Client - agent enforcing policies on endpoints
In the first quarter of 2025, the SMX system blocked nearly 5,000 threats, including almost 700 instances of the Ramnit worm.
Checklist: implementing USB controls in an OT environment
The following list covers controls worth implementing as a priority:
- Conduct an inventory of all USB ports on the OT network (more on asset inventory)
- Implement media whitelisting - only registered USB devices permitted for use
- Install a security kiosk for scanning media before entry to the OT zone
- Physically block unused USB ports (caps, locks, or BIOS deactivation)
- Label media with a color code: separate media for OT, corporate, and private networks
- Implement hardware encryption on all media approved for use in OT
- Require external contractors to scan laptops and media before entering the facility
- Implement network quarantine mechanisms for external service provider connections
- Log and audit all USB media connection operations on the OT network
- Conduct regular training for employees and contractors covering USB attack scenarios
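The two checklist items that produce data, whitelisting and logging, can be tied together. Windows records every newly recognised device as Security event 6416 once the "Audit PNP Activity" subcategory is enabled, and the DeviceId of the USB enumeration node carries the vendor ID, product ID and serial number that a media register needs. The script below is an added example, not code from the article or from Honeywell SMX: it reads a constructed JSON-lines export of such events and reports drives that are not registered, registered media appearing on a host outside its assigned station, and devices that present no unique serial and therefore cannot be allowlisted at all (Windows substitutes an instance path containing '&' for those). The allowlist, host names and events are constructed.

```python
"""USB audit over Windows Security event 6416 exports (added example).

Each input line is one event serialised as JSON, the way a log forwarder would
ship it; the field names DeviceId and ClassName are the ones Windows uses in
the event's EventData. Hosts, serials and the register are constructed.
"""
import json
import re

# USB enumeration node: USB\VID_xxxx&PID_xxxx[&MI_xx]\<serial or Windows instance id>
USB_ID = re.compile(r"^USB\\VID_([0-9A-Fa-f]{4})&PID_([0-9A-Fa-f]{4})(?:&[^\\]*)?\\(.+)$")

# Register of media approved for the OT zone (constructed): owner and permitted hosts.
ALLOWLIST = {
    ("0951", "1666", "0019E06B0E8ABC7155A2001B"): {"owner": "I&C team",
                                                    "hosts": {"ENG-WS-03", "ENG-WS-04"}},
}


def parse_device_id(device_id: str):
    """Return (vid, pid, serial) for a USB parent node, None for anything else
    (PCI devices, USBSTOR/disk/volume child nodes of the same drive)."""
    m = USB_ID.match(device_id)
    if not m:
        return None
    vid, pid, serial = m.groups()
    return vid.upper(), pid.upper(), serial


def audit(lines, allowlist=ALLOWLIST):
    """Classify every 6416 event; returns one finding per USB device seen."""
    findings = []
    for line in lines:
        ev = json.loads(line)
        if ev.get("event_id") != 6416:  # 6419/6420/... are enable/disable requests, not arrivals
            continue
        parsed = parse_device_id(ev.get("DeviceId", ""))
        if parsed is None:
            continue
        vid, pid, serial = parsed
        host = ev["host"]
        finding = {"time": ev["timestamp"], "host": host,
                   "device": f"{vid}:{pid}/{serial}", "class": ev.get("ClassName")}
        if "&" in serial:
            # Windows builds an instance path with '&' when the device reports no serial:
            # this unit cannot be told apart from any other of the same model.
            finding.update(verdict="no-serial",
                           note="device has no unique serial and cannot be allowlisted")
        else:
            entry = allowlist.get((vid, pid, serial))
            if entry is None:
                finding.update(verdict="unregistered")
            elif host not in entry["hosts"]:
                finding.update(verdict="wrong-host",
                               note=f"registered to {entry['owner']} for {sorted(entry['hosts'])}")
            else:
                finding.update(verdict="allowed")
        findings.append(finding)
    return findings


# Constructed events: a registered drive on its own station, the same drive on an HMI it is
# not registered for, an unknown drive, a keyboard without a serial, and two events the audit
# must ignore (the USBSTOR child node of the first drive and a 6419 disable request).
SAMPLE_EVENTS = [
    {"timestamp": "2025-03-04T06:12:41Z", "host": "ENG-WS-03", "event_id": 6416,
     "DeviceId": "USB\\VID_0951&PID_1666\\0019E06B0E8ABC7155A2001B", "ClassName": "USBDevice"},
    {"timestamp": "2025-03-04T06:12:42Z", "host": "ENG-WS-03", "event_id": 6416,
     "DeviceId": "USBSTOR\\Disk&Ven_Kingston&Prod_DataTraveler_3.0&Rev_PMAP\\0019E06B0E8ABC7155A2001B&0",
     "ClassName": "DiskDrive"},
    {"timestamp": "2025-03-04T22:40:05Z", "host": "HMI-02", "event_id": 6416,
     "DeviceId": "USB\\VID_0951&PID_1666\\0019E06B0E8ABC7155A2001B", "ClassName": "USBDevice"},
    {"timestamp": "2025-03-05T01:21:00Z", "host": "ENG-WS-03", "event_id": 6416,
     "DeviceId": "USB\\VID_0781&PID_5581\\4C530001230812345678", "ClassName": "USBDevice"},
    {"timestamp": "2025-03-05T01:25:13Z", "host": "ENG-WS-04", "event_id": 6416,
     "DeviceId": "USB\\VID_046D&PID_C31C\\5&1A2B3C4D&0&3", "ClassName": "HIDClass"},
    {"timestamp": "2025-03-05T01:25:14Z", "host": "ENG-WS-04", "event_id": 6419,
     "DeviceId": "USB\\VID_046D&PID_C31C\\5&1A2B3C4D&0&3", "ClassName": "HIDClass"},
]
SAMPLE_LINES = [json.dumps(e) for e in SAMPLE_EVENTS]


if __name__ == "__main__":
    for f in audit(SAMPLE_LINES):
        if f["verdict"] != "allowed":
            print(f["time"], f["host"], f["device"], f["verdict"], f.get("note", ""))
```

The "no-serial" verdict is the one worth a policy decision: a media register keyed by serial cannot admit such devices, so either they are blocked outright or the station's device-installation restrictions must fall back to vendor/product IDs, which any BadUSB device can spoof. A HID-class arrival on a workstation registered only for storage media is also the signature of the BadUSB case in the warning above and deserves an alert even when the port itself is not blocked.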
Comparison of protection methods
| Method | Effectiveness | Implementation cost | Operational impact | Application |
|---|---|---|---|---|
| Physical port blocking | High | Low | High (hinders legitimate use) | Stations without USB needs |
| Media whitelisting | High | Medium | Medium | All stations with USB |
| Scanning kiosk | Very high | High | Low (checkpoint) | Entrances to OT zones |
| Media encryption | Medium (protects data, not against malware) | Medium | Low | Media with sensitive data |
| USB deactivation in BIOS | Very high | Low | Very high | Systems not requiring USB |
| Endpoint agent (SMX Client) | High | High | Low | OT workstations |
Cases of USB attacks on OT infrastructure
| Year | Incident | USB vector | Impact |
|---|---|---|---|
| 2008 | Agent.BTZ | Infected USB drive in a military base parking lot | Compromise of US Department of Defense networks |
| 2010 | Stuxnet | USB media and Step 7 files through the supply chain | Destruction of ~1,000 centrifuges at Natanz |
| 2017 | Operation Copperfield | USB drive with the movie “La La Land” | Reconnaissance of critical infrastructure in the Middle East |
| 2019 | Kudankulam nuclear power plant attack (India) | Infected media | Compromise of the plant’s administrative network |
| 2024 | Ramnit campaign | USB media in industrial facilities | 3,000% increase in infections in Q4 2024 per Honeywell |
Removable media security policy
Effective protection requires not only technical solutions, but above all a coherent organizational policy. Key elements below:
For employees:
- Prohibition of personal USB media use on the OT network
- Mandatory scanning of every media device before use
- Unique labeling of media designated exclusively for the OT network
- Reporting every instance of connecting an unknown device
For external contractors:
- Data exchange exclusively through approved control mechanisms
- Mandatory antivirus scanning of laptops and media before entering the facility
- Full disk encryption on portable computers used for servicing purposes
- Network quarantine for contractor device connections
NOTE
USB control implementation should be linked to a broader OT security program. USB port inventory is a natural element of ICS asset inventory, and media control policies should be consistent with the OT network segmentation policy and the zones and conduits model.
Summary
Removable media remain one of the most serious attack vectors targeting OT networks. Honeywell data from 2024-2025 confirms that the threat is not diminishing - it is growing, both in terms of malware volume and its ability to disrupt industrial processes.
Protection against USB threats requires a multi-layered approach: organizational policies, physical controls, technical solutions, and regular training. The IEC 62443 standards and NIST SP 1334 guidelines provide frameworks within which an effective removable media control program can be built.
We help industrial organizations assess risks related to removable media, design USB security policies compliant with IEC 62443, and implement technical solutions - from scanning kiosks to whitelisting and port monitoring systems.
Sources
- Honeywell USB Threat Report 2024 - data on 51% malware designed for USB and 82% capable of disrupting OT operations
- Honeywell 2025 Cyber Threat Report - 1,826 USB threats in Q1 2025, 31M scanned files
- NIST SP 1334: Reducing the Cybersecurity Risks of Portable Storage Media in OT Environments - NIST guidelines for portable storage media in OT
- NIST SP 800-82 Rev. 3: Guide to Operational Technology (OT) Security - NIST guide to OT security
- IEC 62443 Compliance and Removable Media (Honeywell) - IEC 62443 requirements for removable media
- Nyotron - Operation Copperfield - details of the Operation Copperfield attack
- NIST Publishes Guide for Protecting ICS Against USB-Borne Threats (SecurityWeek) - overview of NIST SP 1334