8 Steps for the Safe Use of Removable Storage Devices in Industrial Control Systems

This article is from the March 2017 issue of CONTROL ENGINEERING China, originally titled: How to Safely Use Removable Storage Devices in Industrial Control Systems?

For critical and hazardous environments, the use of removable storage devices can pose significant risks, and companies need to take strict measures to ensure that industrial control systems and other critical components are not compromised.

Recently, a malware intrusion incident occurred at a nuclear power plant in Germany, highlighting the need for increased vigilance regarding the risks associated with the use of removable storage devices in industrial control system (ICS) environments. Such incidents have prompted the development of more practical and comprehensive regulations to manage the risks posed by the use of removable storage devices in critical infrastructure environments equipped with ICS systems. Compliance regulations may include prohibiting or strictly limiting the use of removable storage devices in certain industries.

8 Steps for the Safe Use of Removable Storage Devices in Industrial Control Systems

“Using more advanced defense systems to check every executable file on removable storage devices helps further increase the chances of detecting malware.”

Compliance behavior only describes a beautiful vision, but the reality is harsh, as rules are often broken. Given that the potential damage can be catastrophic, companies and users need stricter usage methods. The following 8 steps can help prevent terrible situations from occurring:

1

Using removable storage devices is like playing with fire.If companies can avoid using them, they should do so. This may not apply to all application scenarios, but at the very least, the use of removable storage devices should be controlled, restricted, and determined based on purpose. Communicate the requirements for using removable storage devices within the organization through policies and regulations, and ensure policy enforcement with administrative and technical controls.

2

Assess the acceptance and maturity of removable storage device usage within the organization. There are many ways to do this, but an effective mechanism is to conduct survey validations. Technical audits can track detailed information about specific removable storage devices that have been inserted into target systems in the past and present. Using appropriate tools, this information can be automatically retrieved from the network. Configure detection systems to alert when removable storage devices are inserted and log these events centrally, creating a more robust continuous monitoring environment.

3

Establish an approved library of removable storage devices, which can be scanned by the system before use in the control system environment to prevent malware tampering. It has been shown that antivirus software is not 100% effective, but even a 40% to 50% effectiveness is better than having no protection. For the removable storage devices you wish to use in the control system environment, limit the use of those that only perform superficial scans, and consider using more advanced defense systems that check every executable file on the removable storage device to further increase the chances of detecting malware. Removable storage devices should also undergo exit scanning, meaning that when users finish using the device, it should be scanned again to ensure that no restricted data has been copied into the “safe” zone. While this may sound a bit time-consuming, if prevention is neglected, recovering from an incident (not to mention the costs) will require even more effort.

4

Implement or integrate authorized systems, utilizing relevant work safety and hazard analysis to identify dangers and potential outcomes, obtain final risk confirmation, and develop work plans to minimize the use of removable storage devices. Conduct a last-minute risk assessment before starting work to ensure that the process is well thought out and aligns with the plan.

5

Provide alternative solutions for using removable storage devices, including file transfer solutions managed by Internet Content Adaptation Protocol (ICAP), or using application layer firewalls that can detect malware in data streams to scan all files and data transmitted across security zones. Choosing this alternative will also force companies to be responsible for encrypted data streams or to use proxy encryption sessions during the input and output of data and files, or to use unencrypted data transmission entirely within secure areas.

6

Implement compensatory controls. Even if effectiveness is limited, antivirus software should still be installed. It is also strongly recommended to use application whitelisting. Physically or logically disable USB mass storage devices at all nodes to prevent unauthorized access and prohibit the casual use of removable storage devices. For outdated systems that cannot support the latest AV engines or patches (such as Microsoft Windows XP), it is recommended to: a. Disable autorun/autoplay; b. Implement application whitelisting, which has proven to be very effective if implemented correctly (although implementation can be challenging).

7

Effectively manage the organization’s expected performance to align with the performance goals set directly for employees. Performance mandated by contract can clearly define requirements and obligations. The U.S. Department of Energy has developed a wealth of documentation resources to assist companies in researching and guiding the procurement of cybersecurity equipment.

8

Establish a company culture that enhances employees’ awareness of the risks associated with the use of removable storage devices. Create written policies, processes, and procedures for allowing the use of removable storage devices. Additionally, implement necessary training to make employees aware of the dangers of violating processes. The organization’s security culture should act as a catalyst to accelerate behavioral change, managing risks like other process safety or health and safety environments.

Author: Steven Paul Romero

8 Steps for the Safe Use of Removable Storage Devices in Industrial Control Systems

Leave a Comment