
Industrial security: Check your flash drive at the door

Honeywell is introducing a system that can help protect industrial networks against attacks carried in on infected USB drives

The vulnerability of industrial IoT systems has generated a lot of discussion about cybersecurity in the last few years, but most of that discussion has centered on protecting against network-based outside attacks. An equally important attack vector, however, uses a more (literally) pedestrian approach: malware hand-carried in on USB drives. Now Honeywell is introducing a system that can help protect industrial networks against such “sneakernet” attacks.

The danger that flash drives pose to computer systems has been known for many years. Most systems that protect against outside attack have no such protection against someone who is working within the firewall. It’s all too easy for an employee or contractor to upload malware using a simple flash drive inserted into the USB port of a computer that’s inside the network’s security perimeter. It doesn’t even have to be a deliberate attack. An employee who finds a (planted) flash drive lying around in the parking lot or lunchroom could inadvertently upload malware simply by plugging in the drive to see what’s on it.

For many industrial networks, the main effort at protection against such security breaches is a company policy that forbids on-site personnel from using any personal flash drives or bans portable media altogether. While this provides some protection against inadvertent infections, it doesn’t help prevent deliberate action. Some kind of active security barrier against potentially infected USB drives being used inside the firewall is essential.

Simply locking out USB ports is impractical, however. Many industrial systems depend on such portable media as carriers for critical system software updates. Ports need to stay open but also need to be protected.

Enter Honeywell’s SMX (Secure Media Exchange) system. The SMX system, which works with Windows-based computing devices, uses a two-pronged approach to providing security by following a simple check-check-go process. According to Honeywell’s product news release, with SMX, a USB drive must first be checked in at an SMX Intelligence Gateway before it can be used in a protected network. When the drive is later inserted into a protected system, that computer then verifies the drive’s check-in status before it allows the system to access the drive. A drive that has not been properly checked in will simply not register as available to the system. And all drive usage, from check-in to final check-out, is logged so that IT administrators can track the activity.

[Image: SMX check-in]

Speaking at a group press conference, Honeywell’s lead product technologist, Seth Carpenter, gave more details on how the system works. The SMX Intelligence Gateway, he explained, links to Honeywell’s cloud-based ATIX (advanced threat intelligence exchange) software, which uses a combination of techniques to validate the files on the drive that is being checked in. Like many antivirus systems, it checks the files against known threats and uses heuristic checks to help identify unknown threats. These steps lead to three classifications for files, he said — known good, known bad, and unknown. If the file is known good, such as a pre-approved software update, it is approved for system use. If a file is known bad, he noted, it is quarantined in an encrypted ZIP file so that the protected systems cannot access it.

If the initial check classifies the file as unknown, however, the SMX system can go beyond normal antivirus actions. Unknown files are subject to policies that the system’s IT administrator can control. The files can be approved for system use, can be quarantined, or can be forwarded to the ATIX system for in-depth analysis. This analysis, Carpenter said, can include such steps as running the unknown file in a “sandbox” system configured to match the user’s own systems, then looking for deviant behavior. The sandbox approach helps to ensure detection of targeted malware, such as the Stuxnet virus that only acts when it finds a specific system configuration.

The two-part approach of SMX carries several advantages, Carpenter pointed out. The gateway’s connection to the cloud-based ATIX ensures that the SMX system is using up-to-date threat information without burdening the user’s IT department. The protection agents on the individual systems within the protected network are simple replacement USB drivers for Windows, which allows the SMX system to work even in a heterogeneous network. Once installed on the target computers, the agents will automatically verify that any inserted drive has been properly checked in through the gateway before acknowledging it, and then can access only the files marked as approved. This behavior is independent of the gateway, so there is no need to update the agents with threat information nor is there a need for the gateway to interact with the protected network.

One final note that Carpenter brought up: Checking in a flash drive results in “some obfuscation of drive contents” that makes the drive temporarily unusable outside of an SMX system. That process, he said, is reversed when the drive is checked out through the gateway. At that same time, the system verifies that no unauthorized changes have occurred in the drive’s contents, helping to protect against information theft as well.
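To make the check-in, agent and check-out steps described above concrete, here is an added Python model of that flow. It is not Honeywell’s code and does not reproduce SMX internals; the gateway key, the known-good and known-bad hash sets, the policy names for unknown files and the file contents are all constructed for the example.

```python
import hashlib
import hmac
import json

# Constructed values for the demo. A real gateway would hold a key that only the
# endpoint agents trust and would draw verdicts from a threat-intelligence feed.
GATEWAY_KEY = b"demo-gateway-key"
KNOWN_GOOD = {hashlib.sha256(b"vendor update v2.1").hexdigest()}
KNOWN_BAD = {hashlib.sha256(b"sample malicious payload").hexdigest()}

def classify(data, unknown_policy="quarantine"):
    """Gateway step: known good / known bad / unknown, with the admin policy for unknown."""
    digest = hashlib.sha256(data).hexdigest()
    if digest in KNOWN_BAD:
        return digest, "quarantine"
    if digest in KNOWN_GOOD:
        return digest, "approved"
    # Hypothetical policy names: approve, quarantine, or hold for deeper analysis.
    verdicts = {"approve": "approved", "quarantine": "quarantine", "analyze": "pending"}
    return digest, verdicts[unknown_policy]

def sign(entries):
    """Authenticate the manifest so an agent can tell a real check-in from a forged one."""
    body = json.dumps(entries, sort_keys=True).encode()
    return hmac.new(GATEWAY_KEY, body, "sha256").hexdigest()

def check_in(drive, unknown_policy="quarantine"):
    """Record every file's hash and verdict in a gateway-signed manifest."""
    entries = {}
    for name, data in drive.items():
        digest, verdict = classify(data, unknown_policy)
        entries[name] = {"sha256": digest, "verdict": verdict}
    return {"entries": entries, "mac": sign(entries)}

def agent_view(drive, manifest):
    """Endpoint agent: a drive with no valid manifest is not presented at all;
    otherwise only approved files whose content still matches the manifest are visible."""
    if manifest is None or not hmac.compare_digest(manifest["mac"], sign(manifest["entries"])):
        return None
    visible = {}
    for name, data in drive.items():
        entry = manifest["entries"].get(name)
        if entry and entry["verdict"] == "approved" and entry["sha256"] == hashlib.sha256(data).hexdigest():
            visible[name] = data
    return visible

def check_out(drive, manifest):
    """Gateway check-out: list files added, removed or modified since check-in."""
    before = {n: e["sha256"] for n, e in manifest["entries"].items()}
    after = {n: hashlib.sha256(d).hexdigest() for n, d in drive.items()}
    return sorted(n for n in before.keys() | after.keys() if before.get(n) != after.get(n))
```

The model shows why the agent needs no threat data of its own: it only validates the gateway’s signature and compares hashes, so a manifest edited to mark a quarantined file as approved is rejected outright.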

Learn more about Electronic Products Magazine
