Sertan Selcuk, VP for METAP and CIS, OPSWAT, answers our questions about the cybersecurity risks posed by peripheral devices and removable media, and how organisations can mitigate these threats while maintaining critical infrastructure operations.
What are the security risks associated with peripheral devices and removable media, and why can’t they be fully eliminated in certain sectors?
As attack vectors, peripheral devices and removable media present some tricky challenges for security professionals. According to research, crucial parties are writing more code for USB drop attacks, and the consequences for the victims can be catastrophic, especially if they operate critical infrastructure.
Depending on the business, defenders will have to cover anything from vendor laptops, USB sticks and printers to Bluetooth-connected devices such as headphones and keyboards. Where power exchange or data transport occurs, threat actors are ready to invade. However, removable media cannot be fully eliminated, as multiple sectors, such as nuclear, energy and manufacturing, must use it for updates and maintenance of critical systems residing in air-gapped environments.
How can critical infrastructure be protected from the cybersecurity risks posed by peripheral devices and removable media?
Even a quick glance at the industries named here should invoke visions of cataclysm should a USB-drop attack succeed, with financial losses at one end of the spectrum and compromised health and safety at the other. While USB drives can be easily leveraged for attacks, other devices still come with opportunities for compromise at various points along the supply chain.
If they are connected to the corporate environment without rigorous screening, then infiltration has already occurred. The devices we take for granted can be homes for malware and other threats. It is only by implementing multilayered protection measures that we can keep critical infrastructure safe.
At the very least, each device should be thoroughly inspected before it can join a network. This should be done regardless of its history. Even a device that has previously been given the all-clear can be compromised between user sessions. When picturing critical infrastructure, we often visualise machinery humming away, keeping the lights on or the water running. But such systems also rely on data, some of which is sensitive.
The UAE government takes a strong position on this kind of information in its Personal Data Protection Law (PDPL), and fines for non-compliance can reach AED one million. Indeed, UAE enterprises are bound by a range of national, regional and international regulatory frameworks. Cyber-compliance in these frameworks now routinely includes a sensitivity towards peripheral and removable media and the risks they pose.
The ongoing merger between IT and OT has expanded the attack surface considerably, and all stakeholders recognise the potential harm that can emerge from failing to address vulnerabilities.
But when operating critical infrastructure, the major focus must be on operational continuity. Quite apart from other issues, a critical infrastructure organisation’s operational continuity has direct impact on many other organisations’ ability to continue business operations. Depending on the infrastructure in question, one wrong move with a peripheral device could mean a standstill on a national scale.
What policies and protocols should organisations implement to mitigate the cybersecurity risks associated with peripheral devices and removable media?
The concerns are real. The governance put in place to mitigate or block these vectors must live up to the threat they represent. First, formulate protocols for scanning any media that joins the network. These rules must include determinations of what media is allowed and what users are allowed to connect to them.
Then, uncompromisingly enforce those policies. Some modern scanning solutions can detect known and unknown threats on removable media. These solutions can be supplemented with additional layers of defence such as media firewalls, endpoint protection and managed file transfers.
Scanning at connection time is vital but so is visibility of the environment. ‘Out of sight, out of mind’ is relevant to cybersecurity teams. Half the battle is finding a vulnerable asset. The other half is keeping it in sight so that targeted threats can be identified and neutralised. Regular audits of peripherals and their interaction with the environment will allow defenders to pinpoint protocol violations. Dashboards keep this information current, which is useful for compliance and audits.
Other considerations include the encryption of sensitive data on removable media and on network-permanent storage, and the training of staff and third-party vendors about the risks of peripherals and company protocols on using them. As these governance frameworks continue to shape the industry, all parties should comply with best practice as a matter of muscle memory.
Even when precautions become second nature, security and business leaders should always remember that as the threat landscape evolves, so must the protocols employed to keep it in check. It is worth remembering that exploitation of removable media is one of the oldest methods of cyberattack. In an age of laser weapons, threat actors will not hesitate to go to extreme measures to win, and that goes for the state-backed groups most often found to be behind attacks on critical infrastructure.
To overcome the challenges of protecting critical assets, organisations and OT security operators must look to defence-in-depth strategies that mix optimal technologies with open-eyed policies. The first step in fixing anything is acknowledging the problem. Here, we recognise that peripheral devices and removable media are a threat, and the subsequent steps are up to us.
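The interview above describes the controls in policy terms: an allowlist of permitted media, a list of users permitted to connect each device, a scan at every connection (not just the first), and regular audits that surface protocol violations. The following is an added example, not code from OPSWAT or from the interviewee, showing what such a policy check looks like when run over connection events. The log format, device identifiers (VID, PID, serial), host names, user names and the `ALLOWLIST` and `OT_HOSTS` tables are all constructed for illustration; a real deployment would feed it from the endpoint agent or OS device-event log and keep the allowlist in a managed store.

```python
"""Removable-media policy audit over USB connection events.

Added example (not OPSWAT's product or code). Every identifier, host, user and
log line below is constructed for illustration.
"""
import re
from dataclasses import dataclass, field

# Hypothetical allowlist: the only physical devices that may ever be connected,
# and the users permitted to connect each one. Keyed on vendor ID, product ID
# and serial so that a look-alike drive with the same VID:PID but a different
# serial is rejected as an unknown device.
ALLOWLIST = {
    ("0781", "5583", "SN-A1B2C3"): {"operator1", "operator2"},  # maintenance drive
    ("0951", "1666", "SN-Z9Y8X7"): {"vendor-acme"},             # vendor update media
}

# Hosts in the OT segment where only scanned, encrypted, allowlisted media may be used.
OT_HOSTS = {"hmi-01", "plc-eng-02"}

# Constructed log format: one key=value event per line; scan/encrypted are optional.
EVENT_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) action=(?P<action>\S+) "
    r"vid=(?P<vid>[0-9a-fA-F]{4}) pid=(?P<pid>[0-9a-fA-F]{4}) serial=(?P<serial>\S+)"
    r"(?: scan=(?P<scan>\S+))?(?: encrypted=(?P<encrypted>\S+))?$"
)


@dataclass
class Finding:
    ts: str
    host: str
    user: str
    device: tuple
    violations: list = field(default_factory=list)


def parse_event(line):
    """Parse one log line into a dict, or return None if it is malformed."""
    m = EVENT_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["vid"], ev["pid"] = ev["vid"].lower(), ev["pid"].lower()  # normalise hex case
    return ev


def evaluate(ev):
    """Return the list of policy violations for a single connect event."""
    key = (ev["vid"], ev["pid"], ev["serial"])
    violations = []
    allowed_users = ALLOWLIST.get(key)
    if allowed_users is None:
        violations.append("unknown-device")
    elif ev["user"] not in allowed_users:
        violations.append("user-not-authorised")
    if ev["scan"] == "malware":
        violations.append("malware-detected")
    elif ev["host"] in OT_HOSTS and ev["scan"] != "clean":
        # A verdict from an earlier session does not carry over: the drive may
        # have been altered in between, so a clean scan must be recorded on
        # this connect event itself.
        violations.append("not-scanned")
    if ev["host"] in OT_HOSTS and ev["encrypted"] != "yes":
        violations.append("unencrypted")
    return violations


def audit(lines):
    """Evaluate every connect event; report findings plus parse/coverage counts."""
    findings, unparsed, evaluated = [], 0, 0
    for line in lines:
        if not line.strip():
            continue
        ev = parse_event(line)
        if ev is None:
            unparsed += 1  # unparsed lines are a visibility gap, so count them
            continue
        if ev["action"] != "connect":
            continue
        evaluated += 1
        violations = evaluate(ev)
        if violations:
            device = (ev["vid"], ev["pid"], ev["serial"])
            findings.append(Finding(ev["ts"], ev["host"], ev["user"], device, violations))
    return {"findings": findings, "unparsed": unparsed, "evaluated": evaluated}


# Constructed sample log: one compliant connect, four violations, one disconnect
# and one line in a different format that the parser does not understand.
SAMPLE_LOG = [
    "2024-05-03T08:00:00Z host=hmi-01 user=operator1 action=connect vid=0781 pid=5583 serial=SN-A1B2C3 scan=clean encrypted=yes",
    "2024-05-03T08:05:00Z host=hmi-01 user=contractor action=connect vid=0781 pid=5583 serial=SN-UNKNOWN scan=clean encrypted=yes",
    "2024-05-03T08:10:00Z host=hmi-01 user=vendor-acme action=connect vid=0781 pid=5583 serial=SN-A1B2C3 scan=clean encrypted=yes",
    "2024-05-03T08:15:00Z host=plc-eng-02 user=operator2 action=connect vid=0781 pid=5583 serial=SN-A1B2C3 encrypted=yes",
    "2024-05-03T08:20:00Z host=hmi-01 user=vendor-acme action=connect vid=0951 pid=1666 serial=SN-Z9Y8X7 scan=malware encrypted=yes",
    "2024-05-03T08:25:00Z host=hmi-01 user=operator1 action=disconnect vid=0781 pid=5583 serial=SN-A1B2C3",
    "2024-05-03T08:30:00Z host=hmi-01 kernel: usb 1-1: new high-speed USB device",
]

if __name__ == "__main__":
    report = audit(SAMPLE_LOG)
    print(f"evaluated={report['evaluated']} unparsed={report['unparsed']}")
    for f in report["findings"]:
        print(f"{f.ts} {f.host} {f.user} {':'.join(f.device)} -> {', '.join(f.violations)}")
```

The design choice worth noting is the `not-scanned` rule: a device is judged on the scan verdict recorded for this connection, so a drive that was clean last week but carries no fresh verdict today is flagged, which is the "compromised between user sessions" case the interview raises. Unparsed lines are counted rather than silently dropped, because an event the audit cannot read is exactly the kind of blind spot the visibility discussion warns about.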