Removable media decontamination tools – success factors for effective security gain and successful deployment
Because of their accessibility and ease of use, USB sticks and other USB storage devices are widespread and commonly used. In this article, all these devices will be referred to as ‘removable media’.
Industrial networks, also called ‘OT’ (Operational Technology) networks or ‘production networks’, include production networks in factories, test benches, research laboratories, and embedded networks in technological products such as trains, cars and planes.
USB flash drives, the Swiss army knives of industrial IT, are proving to be formidable vectors for cyber attacks
Particularly vulnerable industrial networks
Industrial systems have long service lifecycles, often lasting several decades. These lifecycles are much longer than those of traditional IT and regularly outlast the support period of the hardware and software involved. Once suppliers stop publishing security updates for these legacy systems, keeping them secure becomes complex or even impossible.
Even when updates are published, applying them is not straightforward. They require a maintenance window, which has an operational impact, and in some cases the system must be requalified or put through technical and functional testing before it is restarted.
In addition, standardisation on commercial off-the-shelf components has become the norm. Windows or Linux operating systems are commonly found in industrial systems, usually with fewer security patches applied than in the office network, so they can be exploited by the same commodity malware that targets ordinary PCs.
The obsolescence of industrial systems, the difficulty of keeping them in a secure state and their standardisation make them increasingly vulnerable to cyber threats. Exploiting these vulnerabilities still requires access to the industrial network, however, and these networks have historically been much less exposed.
These vulnerabilities are regularly exploited using removable media as a vector
Removable media is often used as a bridge between the internal office network or an external network and the industrial network. For example:
- USB storage devices can be used to deploy configurations or patches on disconnected systems. These configuration files or patches come from workstations that have an internet connection via the company network. These workstations are exposed to cyber threats, and as a result so are the USB storage devices, and through them, the disconnected systems.
- Many service providers operating on the industrial network use USB sticks to deliver configuration files, debugging tools and other software. The multitude of subcontractors means there are many data exchanges from uncontrolled networks to industrial networks, each potentially representing a threat vector that can be exploited.
These exchanges expose the industrial network to several types of threats:
- Many viruses are designed to exploit Windows vulnerabilities and spread through removable media. One of the best-known is Conficker, which abused the Windows AutoRun mechanism (the autorun.inf file on the media) so that its payload was launched automatically when the media was connected. Once a computer is infected, the worm spreads to other hosts over the network, in Conficker's case by exploiting the vulnerability patched in MS08-067.
- The intended function of a storage device can also be maliciously altered; this class of attack is called “BadUSB”. The Rubber Ducky is an example: it looks like a USB key but presents itself to the host as an input device such as a keyboard, and then types and runs commands as soon as it is connected. Because the host sees a keyboard rather than a disk, antivirus scanning of the media contents does nothing against it.
- USB killers look like ordinary USB sticks but contain capacitors that charge from the USB port until they reach a high voltage, then discharge that energy back into the host computer to destroy its physical components.
However, the use of these removable media devices is difficult to avoid
Removable media has several common uses such as data storage, backup, transfer or information sharing.
These use cases have emerged gradually, often on users' own initiative and without any real supervision from the IT department or the business. When we study these scenarios, we can classify them into two categories:
- Those that can easily be removed by offering either a more secure alternative or an improved way of working. For example, when two industrial networks are connected to each other, a file sharing space on the network can replace a direct exchange by removable media.
- Those that could only be eliminated with major investment, or that are very difficult to remove in the short term. For example, installing a new computer on an isolated network by deploying a master image from USB is hard to replace.
It is difficult to do without removable media entirely, but their use remains problematic. Faced with these threats, solutions are beginning to emerge.
Multiple technical solutions exist but provide only a partial solution
A myriad of increasingly available technical solutions
There are different technical solutions for controlling the content or use of removable media. They can be categorised into several families of solutions:
- Decontamination terminals or boxes, using one or more antivirus engines, scan the content of the USB key and, where necessary, quarantine or delete files judged malicious or (re)format the key. Several manufacturers offer this type of solution, including KUB, HOGO, Orange and SOTERIA.
- More complex ones issue a certificate to the key after it has passed through the decontamination terminal. This certificate attests to the host that the key has been scanned, and requires an agent deployed on every workstation to verify it before the key is accepted. OPSWAT and FACTORY Systems are among the manufacturers; KUB, mentioned above, also offers this more complex option on its boxes.
- Lastly, there are USB filters, small devices that act as security airlocks between the host and the removable media: they plug directly into a USB port of the host on one side and accept the USB key on the other. They work by white-list filtering (for example allowing only mass-storage devices, which also blocks BadUSB keyboards) and/or by blocking writes from the workstation to the removable media. SECLAB is an example of a manufacturer of this type of solution.
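The certificate mechanism described above can be modelled in a few dozen lines. The following is an added example written for this article, not the code of any of the products named: a terminal-side function scans a media directory against a white-list (and flags an autorun.inf), then writes an HMAC-signed manifest of file hashes to the key; a host-agent-side function accepts the key only if the manifest is authentic, fresh, and still matches the files on the key, so a file added after the scan is detected. The manifest name, the white-list, the validity window and the shared key are assumptions chosen for the example; the sample key contents are constructed in a temporary directory.

```python
"""Added example (not any vendor's code): a minimal model of a
decontamination terminal that scans removable media against a
white-list and writes a signed 'scan certificate' that a host agent
verifies. The manifest name, white-list, validity window and shared
HMAC key are assumptions chosen for the example."""
import hashlib
import hmac
import json
import os
import tempfile
import time

MANIFEST = ".scan-attestation.json"                     # assumed certificate file name
ALLOWED_EXT = {".txt", ".csv", ".pdf", ".cfg", ".xml"}  # assumed white-list
BLOCKED_NAMES = {"autorun.inf"}                         # AutoRun file abused by Conficker-style malware
MAX_AGE_S = 3600                                        # assumed validity window of a scan


def _sha256(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def inventory(media_root):
    """Hash every regular file on the media, except the manifest itself."""
    files = {}
    for dirpath, _, names in os.walk(media_root):
        for name in names:
            if name == MANIFEST:
                continue
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, media_root).replace(os.sep, "/")
            files[rel] = _sha256(full)
    return files


def scan(media_root):
    """Return (clean, findings): white-list verdict for each file."""
    findings = []
    for rel in inventory(media_root):
        base = os.path.basename(rel).lower()
        ext = os.path.splitext(base)[1]
        if base in BLOCKED_NAMES:
            findings.append((rel, "blocked file name"))
        elif ext not in ALLOWED_EXT:
            findings.append((rel, f"extension {ext or '(none)'} not whitelisted"))
    return (not findings), findings


def issue_certificate(media_root, key, now=None):
    """Terminal side: scan, then write an HMAC-signed manifest on the media."""
    clean, findings = scan(media_root)
    if not clean:
        return False, findings
    body = {"issued": int(now if now is not None else time.time()),
            "files": inventory(media_root)}
    payload = json.dumps(body, sort_keys=True).encode()
    cert = {"body": body, "mac": hmac.new(key, payload, hashlib.sha256).hexdigest()}
    with open(os.path.join(media_root, MANIFEST), "w") as f:
        json.dump(cert, f)
    return True, []


def verify_certificate(media_root, key, now=None):
    """Host-agent side: accept the media only if the certificate is authentic,
    fresh, and the content still matches what the terminal hashed."""
    path = os.path.join(media_root, MANIFEST)
    if not os.path.exists(path):
        return False, "no scan certificate"
    with open(path) as f:
        cert = json.load(f)
    payload = json.dumps(cert["body"], sort_keys=True).encode()
    expected = hmac.new(key, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, cert.get("mac", "")):
        return False, "certificate MAC invalid"
    now = now if now is not None else time.time()
    if now - cert["body"]["issued"] > MAX_AGE_S:
        return False, "certificate expired"
    if inventory(media_root) != cert["body"]["files"]:
        return False, "media modified after scan"
    return True, "ok"


def demo():
    """Constructed sample media: a clean key, then the same key tampered after scanning."""
    key = b"terminal-and-agents-shared-secret"   # assumption: provisioned out of band
    results = {}
    with tempfile.TemporaryDirectory() as media:
        with open(os.path.join(media, "plc_config.xml"), "w") as f:
            f.write("<config/>")
        results["first_scan"] = issue_certificate(media, key, now=1000)[0]
        results["verify_clean"] = verify_certificate(media, key, now=1500)[1]
        results["verify_expired"] = verify_certificate(media, key, now=1000 + MAX_AGE_S + 1)[1]
        with open(os.path.join(media, "tool.exe"), "wb") as f:   # added after the scan
            f.write(b"MZ")
        results["verify_tampered"] = verify_certificate(media, key, now=1500)[1]
        results["rescan_findings"] = [r for _, r in issue_certificate(media, key, now=2000)[1]]
    return results


if __name__ == "__main__":
    print(demo())
```

Two design points matter in practice: the manifest must bind the file hashes, not just a "scanned" flag, otherwise anything copied onto the key after the terminal is trusted by the host; and the MAC key lives on the terminal and in the agents, so the agent cannot simply trust any manifest a user writes with a text editor.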
Since all solution offers have different characteristics, it is necessary to identify the one that best meets the security requirements and constraints of the user.
These technical solutions create additional steps and require time, which may hinder their adoption
Depending on the technical solution, cleansing removable media can be a time-consuming step. If the key contains a large number of small files, each of which must be checked, processing time increases; it also depends heavily on the read speed of the media being scanned.
Sizing the terminal becomes a problem when removable media is used to carry several large updates (Microsoft updates, for example) or even a complete WSUS (Windows Server Update Services) database between two networks, which can reach 100 GB of data. If this time is not controlled and limited, users of removable media will steer clear of the technology.
Difficult access also discourages users. In the industrial sector there are many constraints depending on where users are located: a change of area may require a change of protective equipment or clothing, or special controls. Too few terminals leads to the same accessibility problem.
The equipment must be placed at the points users cannot avoid (reception, security office), and the right compromise found between the possible deployment models, for example a centralised solution (terminal) versus a distributed one (box or filter).
These technical solutions require maintenance in operational condition (MOC) and maintenance in secure condition (MSC), which must not be neglected
To function properly, these solutions must be maintained: the solution itself must be updated, as must its antivirus signature databases when it embeds an antivirus engine, its filtering rules, and the certificate database for the more complex systems. It is also useful for the tool to issue reports and alerts when it supports this.
For this purpose, decontamination terminals require several types of access:
- to the antivirus signature update servers;
- to the operating system update servers for the terminal's own OS;
- to the supervision network for issuing reports and alerts;
- sometimes to a dedicated server that manages the certificate database and centralises administration.
These terminals are therefore integrated into a more or less complex architecture, depending on requirements.
Decontamination terminals are equipped with an operating system and often standard applications, hence the importance of hardening their configurations so they themselves are not the victim of an attack.
It is necessary to study the possible technical solutions, weighing the reliability, usefulness, efficiency and cost of each option. It is just as essential to define the governance of this equipment, which sits at the crossroads between the corporate IT system and the industrial information system. This avoids underestimating the effort of implementation and stops users turning away from the chosen solution.
The protection of industrial systems against USB-related threats requires a careful choice of technical solution and availability for users. Without this and without awareness of the cybersecurity issues, systems are exposed, and the impacts of an attack can be significant.
These tools must be the subject of a full project: from the analysis of use cases to change management
The use cases must be known to decide between the different solutions or even eliminate the use of the removable media
Before proposing a technical solution, the first question to ask yourself is why do we need to use the removable media? To answer this question, you must list all the different use cases.
In each case, it must be determined whether the use is appropriate and whether a more effective and/or safer alternative exists. Here are some commonly encountered situations for which alternative solutions exist:
- If a USB key is used as storage for configuration files, a centralised solution, or at least storage on suitable equipment, can be used instead.
- If media is used to move data between two devices that are both connected to a network, an exchange server using a secure protocol such as SFTP can be considered.
- For maintenance teams working on connected systems who use removable media to update configuration files, an MFT (Managed File Transfer) exchange gateway with antivirus control can be used. Such a gateway checks a file from an external source before making it available internally. Another option is to provide staff or maintenance teams with company-controlled removable media that can only be written from designated workstations.
In the remaining cases, an appropriate solution should be considered. The solution should be presented to users and its interest explained. For better adoption, it should have as little influence as possible on the pre-existing business process, and as a minimum, it should not lead to an excessive workload or time commitment.
In addition to being integrated with the business use case, the technical solution must meet the intended security objectives
Two selection criteria must be taken into account when deploying a removable media security solution: the business use case and the security objectives targeted.
The security objectives are usually the same: check that a storage device genuinely is a storage device (i.e. not a “BadUSB”), and check that it does not contain a virus or viral payload. Both objectives are covered by most solutions on the market.
It is therefore the business use case that will influence the ergonomics of the chosen solution:
- A fixed monobloc terminal integrates well into the entrance of an area reserved for operations such as a laboratory or workshop. On the other hand, a tablet will be much more mobile and can be used in several situations.
- A certificate-based solution, which requires an agent on every workstation, is straightforward on standard workstations with no specific qualification requirements, but can be problematic in qualified environments or on already obsolete systems where installing an agent is restricted or impossible.
- Mobile equipment still needs a control at the point of use; an inline filter can cover this case.
Once the type of solution has been chosen, the possibilities of integrating the solution into the existing ecosystem with proposed security measures will make it easier to select the most appropriate one.
The chosen solution must integrate administration and incident reporting functions while guaranteeing an appropriate level of security
The chosen tool must be easily manageable and have a centralised administration function if there is a significant number of facilities being planned. It is also necessary that the following elements of the solution can be updated: the operating system, the embedded applications, antivirus applications, and the signature databases.
These features mean that the solution will need a connection to the administration network and an external connection to retrieve these updates. These connections must be secured and restricted to an explicitly identified update server.
In addition, it is necessary to take precautions to ensure that the solution has been hardened and that only the useful functions are available, especially at the operating system level. It would be pointless if the key decontamination tool itself was the vector of key contamination!
Finally, it is preferable that the generated reports and event logs can be sent in a standard Syslog format, centralised and also analysed by an existing SIEM to detect and track any suspicious activities.
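What a SIEM can do with those events is best shown on sample data. The following is an added example written for this article, not output from any product named here: it parses constructed syslog-style lines from a terminal (scan verdicts) and from workstation agents (mount events), correlates them by media serial number, and raises an alert when media is mounted without a prior clean scan, when its last verdict was not clean, or when the clean scan is older than an assumed validity window. The line format, application names and field names are assumptions; the log lines are constructed for the example.

```python
"""Added example, not part of the original article or any vendor's product:
detection logic a SIEM could apply to syslog events from decontamination
terminals and workstation agents. The log format, application names and
field names are assumptions constructed for the example."""
import re
from datetime import datetime, timedelta

# Assumed RFC 3164-style line: <PRI>Mon dd hh:mm:ss host app[pid]: key=value ...
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d+)>(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<app>[\w-]+)\[\d+\]: (?P<msg>.*)$")
SCAN_VALIDITY = timedelta(hours=2)   # assumed: a clean verdict is valid for 2 h

# Constructed sample events from a terminal (usbscan) and host agents (usbagent).
SAMPLE_LOG = """\
<14>Mar  3 05:00:10 decontam-01 usbscan[221]: event=scan_done serial=AA110099 verdict=clean files=3
<14>Mar  3 08:01:12 decontam-01 usbscan[221]: event=scan_done serial=4C530001 verdict=clean files=12
<14>Mar  3 08:02:40 ws-line3 usbagent[415]: event=mount serial=4C530001 user=maint07
<12>Mar  3 08:05:02 decontam-01 usbscan[221]: event=scan_done serial=0CF2A9B7 verdict=infected threat=Conficker
<14>Mar  3 08:06:30 ws-line5 usbagent[418]: event=mount serial=0CF2A9B7 user=ext_vendor
<14>Mar  3 08:15:00 ws-line2 usbagent[410]: event=mount serial=B8E10042 user=maint02
this line is not syslog and must be skipped
<14>Mar  3 08:20:45 ws-line1 usbagent[402]: event=mount serial=AA110099 user=maint02
"""


def parse_line(line, year=2024):
    """Parse one syslog line into (timestamp, host, fields), or None if unparseable."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {' '.join(m['ts'].split())}", "%Y %b %d %H:%M:%S")
    fields = dict(kv.split("=", 1) for kv in m["msg"].split() if "=" in kv)
    return ts, m["host"], fields


def detect(log_text):
    """Correlate scan verdicts with mounts by media serial number.
    Returns a list of alerts as (timestamp, host, serial, reason)."""
    events = [e for e in (parse_line(l) for l in log_text.splitlines()) if e]
    events.sort(key=lambda e: e[0])    # the SIEM may receive events out of order
    last_clean = {}                    # serial -> time of the last clean verdict
    last_verdict = {}                  # serial -> (verdict, threat) of the last scan
    alerts = []
    for ts, host, f in events:
        serial = f.get("serial")
        if not serial:
            continue
        if f.get("event") == "scan_done":
            last_verdict[serial] = (f.get("verdict"), f.get("threat"))
            if f.get("verdict") == "clean":
                last_clean[serial] = ts
        elif f.get("event") == "mount":
            verdict, threat = last_verdict.get(serial, (None, None))
            if verdict is not None and verdict != "clean":
                reason = f"infected media mounted ({threat or 'unknown threat'})"
            elif serial not in last_clean:
                reason = "mounted without prior clean scan"
            elif ts - last_clean[serial] > SCAN_VALIDITY:
                reason = "clean scan expired"
            else:
                continue               # scanned clean recently: normal use
            alerts.append((ts, host, serial, reason))
    return alerts


if __name__ == "__main__":
    for ts, host, serial, reason in detect(SAMPLE_LOG):
        print(f"{ts:%H:%M:%S} {host} serial={serial}: {reason}")
```

The mount of 4C530001 on ws-line3 produces no alert because a clean verdict precedes it within the window; the three other mounts each trigger one of the three rules. Keying on the media serial number assumes the agent and the terminal report the same identifier, which is worth verifying with the chosen product before building such rules.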
In conclusion, the implementation must be approved by the people who will actually use the terminal every day
There are many technical solutions that, by analysing and decontaminating these devices, can reduce the exposure of industrial networks to removable media. There are two success factors for a good implementation:
- A solution designed around the business use cases, with end users in mind; and
- A solution whose administration, update process and security aspects have been considered upstream.
To these must be added a third success factor: change management, which ensures the new tool is properly integrated into existing processes, with appropriate communication to end users.
It is necessary to formalise a procedure in case there is a virus or any other abnormality. Detecting is ultimately only the first step towards an appropriate response.