USB devices are the oldest and most persistent infection vector for isolated OT networks. Stuxnet, whose earliest known samples date to 2009, crossed the air gap on USB drives and ran as soon as a drive was browsed, abusing the way Windows rendered shortcut (LNK) files. Seventeen years later, USB-based attacks against industrial facilities are still being observed because the vector still works: air-gapped networks have no email, no internet access and no web browsing, but almost all of them have USB ports.
USB attacks take several forms. Some use deliberately crafted malicious devices dropped near facility gates or in parking lots, relying on curiosity to get them inserted. Others use legitimate devices from integrators or vendors that already carry malware or a backdoor when they arrive on site, whether planted during manufacturing or picked up from the vendor's own infected engineering systems. Still others exploit autorun behaviour, or vulnerabilities in the code that parses a drive's file system, shortcuts or documents, so that code executes the moment the drive is connected or opened.
Why USB Controls Remain Difficult
USB devices are genuinely necessary for maintenance, firmware updates and data transfer in many industrial environments, and disabling USB outright is operationally infeasible in most plants. Many organizations, however, have never implemented the middle ground: controlled USB usage with device authentication, encryption and logging. The gap between blocking USB entirely and allowing unrestricted access is where most facilities remain exposed.
Some facilities rely on physical security alone, assuming attackers cannot reach the USB ports. That assumption fails when the attacker is an insider, when contractors or vendors have hands-on access during maintenance windows, or when a trusted device was compromised before it ever entered the building.
Detection and Prevention Strategies
- USB device filtering: Allow only specific devices, identified by vendor ID, product ID and serial number, and block everything else at the OS level and, where the hardware supports it, at the port level (disabled or physically blocked ports). Keep in mind that these identifiers are self-reported by the device and can be forged by a purpose-built device, so filtering is a necessary control, not a sufficient one.
- Data logging: Log every USB connection and disconnection, and the files read from and written to removable media. Alert on unauthorized reads or writes involving control systems, and on any device that was connected but not on the allowlist.
- Dedicated transfer workstations: Maintain isolated, hardened workstations used only for USB-based transfer, where media is scanned and its contents verified before anything is copied toward OT systems. Only the verified files, not the original drive, should continue on to the control network.
- Firmware verification: Check the digital signature and the integrity hash of any code or firmware carried in on USB before it is executed or installed on control systems, comparing against values obtained from the vendor through a separate channel rather than from the same drive.
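One way to implement the filtering and logging items above, as an added example that is not part of this article or of any Cascadia tooling: a short Python script that parses the device-enumeration lines Linux writes to the kernel log (dmesg), matches each device's vendor ID, product ID and serial number against an allowlist, and returns an alert verdict for anything else. The log excerpt, the allowlist entries and the drive names are constructed for illustration; on a Windows engineering workstation the same decision would be made over event-log records instead of dmesg.

```python
"""USB device allowlisting over Linux kernel (dmesg) log lines.

Added example, not the article's own tooling. The log excerpt and the
allowlist below are constructed for illustration.
"""
import re

# Constructed allowlist of issued maintenance drives: (idVendor, idProduct,
# serial), written the way the kernel prints them (lowercase hex ids).
ALLOWLIST = {
    ("0781", "5583", "4C530001234567890123"),  # site maintenance drive 1
    ("0951", "1666", "E0D55EA5740F"),          # integrator's drive
}

# Constructed dmesg excerpt: an allowlisted drive, a second drive of the same
# model with an unknown serial, and a keyboard that reports no serial at all.
SAMPLE_DMESG = """\
[  123.600] usb 1-1: New USB device found, idVendor=0781, idProduct=5583, bcdDevice= 1.00
[  123.600] usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[  123.600] usb 1-1: Product: Ultra Fit
[  123.600] usb 1-1: Manufacturer: SanDisk
[  123.600] usb 1-1: SerialNumber: 4C530001234567890123
[  140.011] usb 1-2: New USB device found, idVendor=0781, idProduct=5583, bcdDevice= 1.00
[  140.011] usb 1-2: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[  140.011] usb 1-2: SerialNumber: 4C539999999999999999
[  155.300] usb 2-1: New USB device found, idVendor=046d, idProduct=c31c, bcdDevice=64.00
[  155.300] usb 2-1: New USB device strings: Mfr=1, Product=2, SerialNumber=0
[  155.300] usb 2-1: Product: USB Keyboard
"""

FOUND_RE = re.compile(
    r"usb (?P<port>[\d.-]+): New USB device found, "
    r"idVendor=(?P<vid>[0-9a-f]{4}), idProduct=(?P<pid>[0-9a-f]{4})"
)
SERIAL_RE = re.compile(r"usb (?P<port>[\d.-]+): SerialNumber: (?P<serial>\S+)")


def parse_devices(log_text):
    """Return devices in arrival order as dicts: port, vid, pid, serial (None if absent)."""
    devices = []
    current = {}  # port -> device most recently enumerated on that port
    for line in log_text.splitlines():
        m = FOUND_RE.search(line)
        if m:
            dev = {"port": m["port"], "vid": m["vid"], "pid": m["pid"], "serial": None}
            devices.append(dev)
            current[m["port"]] = dev
            continue
        m = SERIAL_RE.search(line)
        if m and m["port"] in current:
            current[m["port"]]["serial"] = m["serial"]
    return devices


def evaluate(dev, allowlist=ALLOWLIST):
    """Policy decision for one device: ('allow' | 'alert', reason)."""
    if (dev["vid"], dev["pid"], dev["serial"]) in allowlist:
        return "allow", "vid/pid/serial on allowlist"
    if dev["serial"] is None:
        return "alert", "device reports no serial number, so it cannot be allowlisted"
    if any(v == dev["vid"] and p == dev["pid"] for v, p, _ in allowlist):
        return "alert", "allowlisted model but unknown serial (spare drive or cloned descriptor)"
    return "alert", "device not on allowlist"


def audit(log_text, allowlist=ALLOWLIST):
    """Run the policy over a log; one (port, vid, pid, serial, verdict, reason) per device."""
    return [
        (d["port"], d["vid"], d["pid"], d["serial"], *evaluate(d, allowlist))
        for d in parse_devices(log_text)
    ]


if __name__ == "__main__":
    for row in audit(SAMPLE_DMESG):
        print(" ".join(str(x) for x in row))
```

The verdicts are what you would forward to the SIEM, alongside the file-level read/write logging the list calls for. Two caveats: the vendor ID, product ID and serial are whatever the device chooses to report, so a purpose-built malicious device can present an allowlisted identity and this check alone will not catch it; and a script that only reads the log detects after the fact. On Linux, usbguard enforces the same kind of VID/PID/serial rules in the kernel before the device is authorized, which is the blocking counterpart to this detection.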
Operational Hardening
USB security requires balancing operational necessity with attack prevention. Few facilities have achieved that balance well. If you'd like to discuss USB hardening, device authentication, or air-gap protocols for your facility, reach out.
This article was written by the Cascadia OT Security practice, which advises Pacific Northwest data centers and manufacturers on industrial cybersecurity. For engagement inquiries, reach our practice team.