According to a report published on by Honeywell, malware-based attacks against industrial facilities mostly leverage USB removable storage devices

Experts from Honeywell analyzed data collected with the Secure Media Exchange (SMX), a product it has launched in 2017 and that was designed to protect industrial facilities from USB-borne threats.

The experts analyzed attacks against energy, oil and gas, chemical manufacturing, pulp and paper, and other sectors, they collected data from 50 locations in four continents.

In 44% of the analyzed locations, the SMX product had blocked at least one suspicious file, experts pointed out that of the neutralized threats, 26% could have caused major disruptions to ICS systems.

“While the volume of malware discovered in this research was small relative to the total sample size volume, the malware potency was significant.” states the report.

“Of those threats blocked by SMX, 1 in 4 (26%) had the potential to cause a major disruption to an industrial control environment, including loss of view or loss of control, and 16% were targeted specifically against Industrial Control System (ICS) or Internet of Things (IoT) systems.”

16% of the malware detected by the product was specifically designed to target ICS or IoT systems, and 15% of the samples belonged to high profile families such as Mirai (6%), Stuxnet (2%), Triton (2%), and WannaCry (1%).

“These findings are worrisome for several reasons. That high-potency threats were at all prevalent on USB drives bound for industrial control facility use is the first concern. As ICS security experts are well aware, it only takes one instance of malware bypassing security defenses to rapidly execute a successful, widespread attack,” continues the report.

“Second, the findings also confirm that such threats do exist in the wild, as the high-potency malware was detected among day-to-day routine traffic, not pure research labs or test environments. Finally, as historical trends have shown, newly emerging threat techniques such as TRITON, which target Safety Instrumented Systems, can provoke copycat attackers.”

The report shows that most of the attacks involved not targeted threats, most of the malware detected by the Honeywell product were Trojans (55%), followed by bots (11%), hacking tools (6%), and potentially unwanted applications (5%).

The analysis of malware functionalities revealed that 32% of malicious code implemented RAT features, 12% dropper capabilities and 10% DDoS abilities.

Of the malware discovered, 9% was designed to directly exploit flaws in the USB protocol or interface.

“Of the malware discovered, 9% was designed to directly exploit USB protocol or interface weaknesses, making USB delivery even more effective — especially on older or poorly configured computers that are more susceptible to USB exploits.” continues the report.

“Some went further, attacking the USB interface itself. 2% were associated with common Human Interface Device (HID) attacks, which trick the USB host controller into thinking there is a keyboard attached, allowing the malware to type commands and manipulate applications. This supports earlier Honeywell findings that confirmed HID attacks such as BadUSB as realistic threats to industrial operators,”

Pierluigi Paganini