According to a Honeywell report, malicious actors understand industrial and critical infrastructure systems and are using that knowledge to compromise those systems. 82% of the malware detected was found to have the potential to severely impact operations. And more often than not, malicious actors deploy “Living Off the Land” tactics to disrupt those systems.
As noted in the Honeywell 2024 USB Threat Report, malware frequently targets document vulnerabilities and uses scripting and command-line techniques. These LotL, or “silent residency”, attacks describe the ability of malware or attackers to remain persistent within a system for extended periods of time without detection. In the context of cyber-physical system (CPS) attacks, malicious software remains dormant or operates unobtrusively within industrial control systems (ICS) and operational technology (OT), only becoming active at specific times or under specific conditions.
This tactic differs from traditional cyberattacks in several ways, explained Chris Warner, senior security consultant, operational technology at Guidepoint Security. These attacks focus on remaining undetected for long periods of time (stealth or covert reconnaissance), remaining present over time despite reboots and updates (persistence), and activating based on specific triggers like dates or operational states (trigger-based action). “This approach often uses legitimate processes and tools, making it difficult to distinguish and blend into normal operations,” Warner said.
LotL attacks pose a significant threat
LotL attacks are becoming a major threat to industrial and critical infrastructure facilities because they exploit legitimate tools and software already in the environment. “They blend into normal operations, making them difficult to detect and difficult to mitigate,” Warner said.
These attacks may leverage existing system capabilities, administrative tools, and scripts to carry out reconnaissance, corporate espionage, or malicious activity without introducing new suspicious files or processes.
In industrial and critical infrastructure environments, where systems often rely on specialized legacy software, LotL attacks can be devastating as the monitoring and detection capabilities required may not be as advanced or comprehensive.
The report also found that USB-borne malware poses an increasing risk to industrial environments, with the majority of malware (51%) designed to spread via USB, up from 9% in 2019.
Warner explained that USB devices play a key role in facilitating LotL attacks because of their widespread use in industrial environments and the ease with which they can transfer data and execute code. “USB devices are an effective vector because they can easily connect to critical systems, especially in environments with heavy network segmentation and limited internet access,” Warner said. “USB devices can circumvent network-based security controls and deliver malware directly to isolated networks.”
Organizations can reduce the risk of malware spreading through USB devices by implementing USB port controls to only allow authorized devices and turning off autorun and autoplay features to prevent automatic execution of malicious software. “It's important to routinely scan USB devices on standalone machines with updated antivirus software before connecting them to critical systems,” Warner said. “Educate employees about the risks of using unknown or untrusted devices.”
Additionally, to limit the spread of malware, networks should be segmented to isolate critical systems from systems that interact with USB devices. “Finally, strict policies regarding the use and handling of USB devices should be developed and enforced,” advises Warner.
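As an added illustration of the host-side controls Warner describes (disabling AutoRun/AutoPlay and restricting removable devices), the following PowerShell script, written for this article and not taken from Honeywell or Guidepoint, audits a Windows machine against those settings and applies them when run with -Enforce from an elevated shell. The registry paths are the standard Windows policy locations; the per-site allow-list of authorized device IDs is left as a comment because it depends on the hardware each plant approves.

```powershell
# Audit (and optionally enforce) USB AutoRun/AutoPlay and removable-device policy.
# Run as Administrator; -Enforce writes to HKLM, -WhatIf previews the changes.
[CmdletBinding(SupportsShouldProcess)]
param([switch]$Enforce)

$Policy = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$DevInstall = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions'

# Desired state: standard Windows policy values, all REG_DWORD.
$Desired = @(
    # 0xFF disables AutoRun on every drive type (same value GPO "Turn off Autoplay" writes).
    @{ Path = $Policy; Name = 'NoDriveTypeAutoRun'; Value = 0xFF },
    # 1 = "Do not execute any autorun commands" (autorun.inf is ignored).
    @{ Path = $Policy; Name = 'NoAutorun'; Value = 1 },
    # Block installation of removable storage; pair this with the
    # "Allow installation of devices that match these IDs" policy (AllowDeviceIDs)
    # populated with the hardware IDs of the site's authorized USB keys.
    @{ Path = $DevInstall; Name = 'DenyRemovableDevices'; Value = 1 }
)

function Test-UsbHardening {
    # Emit one row per setting with current vs. expected value.
    foreach ($d in $Desired) {
        $current = $null
        if (Test-Path $d.Path) {
            $current = (Get-ItemProperty -Path $d.Path -Name $d.Name -ErrorAction SilentlyContinue).($d.Name)
        }
        [pscustomobject]@{
            Path      = $d.Path
            Name      = $d.Name
            Current   = $current
            Expected  = $d.Value
            Compliant = ($current -eq $d.Value)
        }
    }
}

$report = Test-UsbHardening
$report | Format-Table -AutoSize

if ($Enforce) {
    foreach ($row in ($report | Where-Object { -not $_.Compliant })) {
        if ($PSCmdlet.ShouldProcess("$($row.Path)\$($row.Name)", "set DWORD to $($row.Expected)")) {
            if (-not (Test-Path $row.Path)) { New-Item -Path $row.Path -Force | Out-Null }
            Set-ItemProperty -Path $row.Path -Name $row.Name -Value $row.Expected -Type DWord
        }
    }
}
```

Running the audit without -Enforce is safe on production hosts; schedule it to flag drift, since a single reimaged engineering workstation with AutoRun re-enabled is enough for a USB-borne payload to execute.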
Industry disruption, major economic impact
Disruptions to industrial processes can have significant economic impacts, explains Jose Seara, CEO and founder of DeNexus, including lost revenue if production chains are halted, contract penalties for manufacturers that can't fulfill their contractual obligations, and interruptions to essential services if power grids are disrupted.
“Other factors could include reputational damage, service charges for a transport system that does not meet set expectations, or higher physical damage to people and resources,” Seara said.
While it's nearly impossible to air-gap an industrial environment, Seara said strict network segmentation with least privilege access is absolutely necessary: “Limiting the use of USBs to read documents and other digital materials is clearly a must.”
Monitoring and inspecting systems and networks for integrity and anomalous behavior can help detect potentially malicious activity. “Malware being introduced via USB appears to be behavior that can be thwarted with proper cybersecurity awareness training,” says Seara.
First and foremost, understanding cyber risk can help industrial companies stay ahead of threats. By quantifying cyber risk and identifying where a potential cyber event would result in the greatest financial loss, they can direct resources and budgets to the most effective risk mitigation strategies.
Seara said that IT systems and operational technology (OT) in industrial environments are converging. “Using modern, internet-connected applications and systems to pilot physical assets creates new efficiencies but also brings with it the cyber threats that IT faces,” he explained. CISOs responsible for industrial environments must apply the same strict rules to OT that they apply to IT, avoiding the limitations of legacy systems that are hard to patch.