
Cyber Physical Systems Security: How USB Drives Still Bypass Modern Defenses in 2026


Team Shieldworkz

The Threat Nobody Talks About Enough

You've invested in network segmentation. You've deployed industrial firewalls. You've trained your team on phishing awareness. Your cyber physical systems security posture looks solid on paper.

Then a technician plugs in a USB drive to update a PLC firmware file - and everything changes.

In 2026, USB drives remain one of the most underestimated and persistently dangerous vectors in OT and ICS environments. Unlike sophisticated network-based intrusions, USB-borne threats bypass perimeter defenses entirely. They don't need a network connection. They don't trigger anomaly-based detection. And in many plants, they're still handed out like stationery.

This post breaks down exactly why USB drives continue to defeat modern defenses in cyber physical systems environments, what real-world attack patterns look like, and - most importantly - what your team can do about it right now. Whether you're a plant manager, OT engineer, or CISO, you'll walk away with practical, actionable steps to close one of the most persistent gaps in critical infrastructure security.

Before we move forward, don’t forget to check out our previous blog post on What a mysterious New York sewer intrusion reveals about hybrid warfare here

Why Cyber Physical Systems Are Different From IT Networks

Before we talk USB threats, it's worth grounding why cyber physical systems security is fundamentally different from traditional IT security.

In an IT network, a compromised laptop is a bad day. In a CPS environment - a water treatment facility, a power substation, a chemical plant - a compromised controller or HMI can mean physical damage, production loss, environmental harm, or worse.

Key differences that make CPS environments more vulnerable to USB threats:

  • Air-gapped or semi-isolated systems - many OT networks are intentionally disconnected from the internet, which means USB drives become the primary data transfer method for software updates, historian exports, and configuration changes.

  • Legacy endpoints - PLCs, DCS controllers, RTUs, and HMIs often run Windows XP, Windows 7, or embedded operating systems with no USB port management or endpoint detection capability.

  • Long asset lifecycles - industrial equipment is designed to run for 10–25 years. Patching cycles are slow or non-existent. Autorun features that were disabled years ago in IT environments may still be active on plant floor workstations.

  • Operational priority over security - in manufacturing and utilities, uptime is everything. A security policy that slows down a technician during a maintenance window gets ignored, circumvented, or simply not enforced.

  • Sparse visibility - passive network monitoring may catch lateral movement, but a USB payload that executes locally never generates network traffic to detect.

These conditions make USB-borne threats uniquely dangerous in cyber physical systems environments. They exploit the operational realities of OT, not just technical vulnerabilities.

How USB Attacks Actually Work in OT/ICS Environments

Let's get specific. Understanding the attack mechanics helps you design better defenses.

Attack Pattern 1: The Infected Vendor USB

A third-party technician arrives on site to service a turbine control panel. They bring a USB drive loaded with firmware files - the same drive they've used at three other plants this month. One of those plants was compromised. The drive now carries a payload designed to spread silently and establish persistence on any Windows-based HMI or engineering workstation it touches.

This is not a theoretical scenario. Variants of this attack have been documented across energy, manufacturing, and water sectors globally.

Attack Pattern 2: The Weaponized Drop Drive

USB drives are left in parking lots, break rooms, or near plant entry points. Curiosity - or helpfulness ("maybe this belongs to someone") - drives insertion. Once plugged in, malicious code executes before the user sees a single file.

In an OT environment where workstations may lack endpoint protection, this one action can introduce ransomware, wiper malware, or a remote access trojan directly into the control network.

Attack Pattern 3: Legitimate Tools, Malicious Modification

Legitimate USB-based tools - vendor diagnostic kits, portable historians, configuration utilities - can be modified or replaced entirely. An insider threat or a compromised supply chain can substitute a weaponised version of a trusted tool without raising suspicion.

Attack Pattern 4: HID (Human Interface Device) Spoofing

Modern USB attack tools can disguise themselves as keyboards. When plugged into an engineering workstation, they inject keystrokes at machine speed - running PowerShell commands, downloading payloads, or modifying configuration files - all before a human operator even notices the device is connected.

These devices bypass USB content filtering entirely because, to the operating system, they look like keyboards, not storage media.

The Modern Defense Gap: Why Existing Controls Fall Short

You might be thinking: "We have controls in place." Let's examine why common defenses still leave gaps in cyber physical systems protection.

Defense mechanism and why it falls short in CPS environments:

  • Network firewalls & DMZs - USB attacks execute locally; no inbound/outbound network traffic is generated

  • Endpoint antivirus - legacy OT endpoints often can't run modern AV, and signatures may lag for OT-targeted malware

  • USB port physical blockers - circumvented routinely during maintenance windows; not practical for all field devices

  • IT Group Policy / MDM - many OT workstations are not joined to a domain or managed through IT MDM platforms

  • Employee awareness training - doesn't address third-party contractors, vendors, or supply chain risks

  • Air gap - paradoxically increases USB reliance; USB becomes the only way to transfer data or updates

  • Network traffic analysis - zero-dwell USB payloads may execute and complete before any network anomaly is generated

The core problem is that most CPS environments apply IT security controls to OT realities. The tools don't match the environment.

USB Threat Prevention: A Practical CPS Action Plan

Here's where we get actionable. The following framework gives OT security teams a structured approach to USB risk mitigation in cyber physical systems.

Step 1 - Asset and Port Inventory

You cannot protect what you cannot see. Start with a complete inventory of every endpoint in your OT network that has an active USB port.

Actionable tasks:

  • Deploy passive agentless discovery (SPAN/TAP-based) to enumerate all connected OT assets

  • For each asset, document: OS version, USB port status, connected media history (if logs exist), and criticality zone (Purdue Model Level 0–3)

  • Flag all Level 0–2 devices (field devices, controllers, supervisory workstations) as high-priority for USB control remediation

Step 2 - Define and Enforce a Removable Media Policy

A removable media security policy for CPS must go beyond a generic IT policy. It needs to account for operational realities like vendor access, firmware updates, and contractor workflows.

Key policy elements:

  • All USB devices must be registered and inventoried before plant entry

  • Vendor-supplied media must be scanned in a dedicated offline scanning kiosk before connection to any OT asset

  • Personal USB devices are prohibited in all OT network zones (Levels 0–3)

  • Any USB device used in an OT environment must be single-purpose and marked accordingly

  • USB usage must be logged: who, what device, which asset, when

Step 3 - Deploy OT-Aware USB Device Control

Generic IT-based device control tools frequently fail in OT environments due to compatibility issues with legacy operating systems. You need solutions built for industrial environments.

Capabilities to require:

  • Whitelist-only enforcement - only pre-approved device IDs are allowed to connect

  • Read-only enforcement - block all write operations to USB media on OT endpoints

  • Automatic quarantine scanning on connection

  • HID spoofing detection and blocking

  • Audit logging compatible with OT historian and SIEM integration

Step 4 - Establish a Secure Media Transfer Process

The secure media transfer process is the operational alternative to ad-hoc USB usage. It replaces "plug it in and hope" with a structured, auditable workflow.

Secure media transfer workflow:

  1. Technician or vendor submits a media transfer request (MTR) via ticketing system

  2. Designated security team reviews and approves

  3. Media is scanned in an isolated kiosk (air-gapped, malware scanning, file-type validation)

  4. Approved files are transferred to a secure staging server

  5. Files are pushed to the target OT asset via an approved, monitored transfer mechanism

  6. Transfer is logged with full audit trail

This process eliminates the need for direct USB connection to production OT assets entirely.
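The Step 2 policy rules (registered device, no personal media in Levels 0–3, single-purpose devices, logging of who/what/where/when) and the Step 4 approval gate can be expressed as code so the review in the workflow is consistent rather than a judgement call. The following is an added example, not Shieldworkz code or any vendor's format; the device registry, asset inventory, file-type allow-list and field names are constructed for illustration.

```python
"""Policy-as-code check for a media transfer request (Step 2 policy rules
applied inside the Step 4 workflow). Registry, inventory and the field
names are constructed for this example, not a vendor or Shieldworkz format."""
from dataclasses import dataclass
from datetime import datetime, timezone

# Step 2: every USB device is registered before plant entry, with one declared purpose.
DEVICE_REGISTRY = {
    "USB\\VID_0951&PID_1666\\SN0001": {"owner": "vendor-turbineco", "purpose": "firmware", "personal": False},
    "USB\\VID_0781&PID_5583\\SN0002": {"owner": "j.doe", "purpose": "historian-export", "personal": False},
    "USB\\VID_13FE&PID_4300\\SN0003": {"owner": "j.doe", "purpose": None, "personal": True},
}
# Step 1: Purdue level per OT asset (3.5 = industrial DMZ).
ASSET_INVENTORY = {"HMI-TURB-01": 2, "EWS-TURB-01": 3, "HIST-DMZ-01": 3.5}
# File types the kiosk may release for each declared purpose.
ALLOWED_FILE_TYPES = {"firmware": {".bin", ".hex"}, "historian-export": {".csv"}}

@dataclass
class TransferRequest:
    ticket: str
    requester: str
    device_id: str
    target_asset: str
    purpose: str
    files: list
    kiosk_scan_clean: bool

def evaluate_request(req):
    """Return (approved, reasons); reasons lists every policy violation, not just the first."""
    reasons = []
    dev = DEVICE_REGISTRY.get(req.device_id)
    level = ASSET_INVENTORY.get(req.target_asset)
    if dev is None:
        reasons.append("device not registered")
    if level is None:
        reasons.append("target asset not in inventory")
    if dev and level is not None and dev["personal"] and level <= 3:
        reasons.append("personal device prohibited in Levels 0-3")
    if dev and dev["purpose"] != req.purpose:
        reasons.append("device is single-purpose; declared purpose does not match")
    allowed = ALLOWED_FILE_TYPES.get(req.purpose, set())
    rejected = [f for f in req.files if not any(f.lower().endswith(ext) for ext in allowed)]
    if rejected:
        reasons.append("file type not allowed for this purpose: " + ", ".join(rejected))
    if not req.kiosk_scan_clean:
        reasons.append("kiosk scan not clean")
    return (not reasons, reasons)

def audit_record(req, decision, when=None):
    """Step 2 logging requirement: who, what device, which asset, when, plus the decision."""
    approved, reasons = decision
    when = when or datetime.now(timezone.utc)
    return {"when": when.isoformat(), "who": req.requester, "device": req.device_id,
            "asset": req.target_asset, "ticket": req.ticket,
            "decision": "approved" if approved else "denied", "reasons": reasons}

if __name__ == "__main__":
    req = TransferRequest("MTR-1001", "vendor-turbineco", "USB\\VID_0951&PID_1666\\SN0001",
                          "HMI-TURB-01", "firmware", ["plc_v2.bin"], True)
    print(audit_record(req, evaluate_request(req)))
```

A denied request still produces an audit record, which is the evidence auditors ask for under the frameworks discussed later in this post.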

Step 5 - Harden Endpoints in OT Zones

Even with policy and process controls in place, technical hardening reduces your attack surface when controls are bypassed or fail.

OT endpoint hardening checklist:

  • [ ] Disable USB autorun/autoplay on all OT workstations

  • [ ] Apply application whitelisting to prevent execution of unknown binaries

  • [ ] Restrict write permissions on OT workstation file systems to prevent payload persistence

  • [ ] Disable unused USB ports via BIOS/UEFI or physical port blockers

  • [ ] Segregate engineering workstations from operator consoles at network level

  • [ ] Deploy read-only operating system configurations on Level 0–1 field devices where feasible

  • [ ] Enable Windows Event Log forwarding (where applicable) for USB connection events

  • [ ] Review and harden service accounts that have local admin access on OT workstations

Step 6 - Train for the OT Reality

Your training program must reflect OT-specific scenarios - not IT scenarios repackaged with different stock photos.

Training must cover:

  • Why vendor and contractor USB drives are the highest-risk vector

  • How HID spoofing attacks work and what they look like to an operator

  • The correct process for raising a security concern without causing operational disruption

  • Incident response steps if a suspicious USB event is detected

CPS USB Risk: Maturity Assessment Snapshot

Use this quick self-assessment to gauge your current posture. Score 0 (not in place), 1 (partially in place), or 2 (fully implemented) for each control.

Control area and control (score each 0–2):

  • Visibility - USB port inventory complete for all OT assets

  • Visibility - USB connection event logging active

  • Policy - Formal removable media policy exists for OT

  • Policy - Contractor/vendor USB policy enforced at entry

  • Technical - Device whitelisting deployed on OT endpoints

  • Technical - Autorun/autoplay disabled on all OT workstations

  • Technical - USB scanning kiosk deployed for media transfers

  • Technical - HID spoofing detection in place

  • Process - Secure media transfer workflow documented and followed

  • Process - Regular USB audit and compliance checks conducted

  • Training - OT-specific USB threat training completed annually

  • Incident Response - USB-triggered incident response playbook exists

Scoring:

  • 0–8: High risk. Foundational controls are missing.

  • 9–16: Moderate risk. Key gaps remain in technical or process controls.

  • 17–24: Strong posture. Focus on consistency and continuous monitoring.

Compliance Alignment: What the Frameworks Say About USB in CPS

Regulatory and compliance frameworks are increasingly specific about removable media controls in OT and critical infrastructure environments.

Framework and relevant requirement:

  • ISA/IEC 62443-3-3: SR 3.9 - Audit protection of removable media; SR 2.3 - Use control for portable and mobile devices

  • NERC CIP-010-4: R4 - Transient Cyber Assets and Removable Media - scanning and usage controls for BES Cyber Systems

  • NIST SP 800-82 Rev. 3: MP-7 - Media Use; SC-18 - Mobile Code; SI-3 - Malicious Code Protection

  • NIS2 Directive: Article 21 - Policies on the use of cryptography and removable media as part of supply chain security

  • IEC 62443-2-1: Policy requirements for portable/removable media in IACS environments

If your organisation is subject to any of these frameworks, USB device control isn't optional - it's an audit requirement. And in most cases, the audit evidence required goes beyond policy documentation to include technical enforcement logs.

What an OT USB Attack Response Looks Like

Detection and response matter as much as prevention. Here's a condensed incident response workflow for a suspected USB-borne threat in an OT environment.

Phase 1 - Detect

  • USB connection event triggers alert in SIEM or OT security monitoring platform

  • Operator or technician reports suspicious device or unexpected system behaviour

  • Endpoint logs flag execution of unknown process post-USB insertion
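The third detection bullet, together with the HID spoofing detection capability from Step 3, can be implemented as a correlation rule: a process launched from a freshly mounted removable drive, or a shell launched seconds after a new keyboard appears, is worth an alert even when the device itself is unknown to the monitoring platform. The following is an added example, not Shieldworkz or any vendor's detection content; the pipe-delimited log format, host names, device IDs and allow-list are constructed for illustration, so map your own device-control or Windows event exports to the same fields.

```python
"""Correlate constructed endpoint events into USB-related alerts (Phase 1 - Detect).
Log format (constructed for this example): ts|host|event|key=value;key=value"""
from datetime import datetime

# Registered device IDs from the Step 2 inventory (constructed values).
ALLOWED_DEVICE_IDS = {"USB\\VID_0951&PID_1666\\SN0001"}
# Interpreters an injected keystroke sequence would typically launch.
SHELLS = {"powershell.exe", "cmd.exe", "wscript.exe"}

SAMPLE_LOG = """\
2026-03-04T09:12:03Z|EWS-TURB-01|USB_ARRIVAL|class=storage;id=USB\\VID_13FE&PID_4300\\SN9999;drive=E:
2026-03-04T09:12:09Z|EWS-TURB-01|PROCESS_START|image=E:\\setup\\update.exe;parent=explorer.exe
2026-03-04T10:40:00Z|HMI-TURB-01|USB_ARRIVAL|class=hid_keyboard;id=USB\\VID_16C0&PID_0483\\0
2026-03-04T10:40:02Z|HMI-TURB-01|PROCESS_START|image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe;parent=explorer.exe
2026-03-04T11:00:00Z|HMI-TURB-02|USB_ARRIVAL|class=storage;id=USB\\VID_0951&PID_1666\\SN0001;drive=F:
"""

def parse(line):
    """Split one constructed log line into a dict with a parsed timestamp."""
    ts, host, event, kv = line.split("|", 3)
    fields = dict(p.split("=", 1) for p in kv.split(";") if p)
    return {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), "host": host, "event": event, **fields}

def detect(lines, exec_window=60, hid_window=10):
    """Return (host, message) alerts. Windows are in seconds after the USB arrival."""
    alerts, arrivals = [], []   # arrivals: USB events kept for later correlation
    for ev in (parse(ln) for ln in lines if ln.strip()):
        if ev["event"] == "USB_ARRIVAL":
            # Rule 1: any storage device outside the registered allow-list.
            if ev["class"] == "storage" and ev["id"] not in ALLOWED_DEVICE_IDS:
                alerts.append((ev["host"], "unregistered USB storage device: " + ev["id"]))
            arrivals.append(ev)
        elif ev["event"] == "PROCESS_START":
            image = ev["image"].lower()
            for arr in (a for a in arrivals if a["host"] == ev["host"]):
                age = (ev["ts"] - arr["ts"]).total_seconds()
                # Rule 2: a process whose image lives on the drive that just arrived.
                if arr["class"] == "storage" and age <= exec_window and image.startswith(arr["drive"].lower()):
                    alerts.append((ev["host"], "execution from removable media: " + ev["image"]))
                # Rule 3: a new keyboard followed almost immediately by a shell (HID spoofing pattern).
                if arr["class"] == "hid_keyboard" and age <= hid_window and image.rsplit("\\", 1)[-1] in SHELLS:
                    alerts.append((ev["host"], f"possible HID spoofing: shell launched {age:.0f}s after keyboard arrival"))
    return alerts

if __name__ == "__main__":
    for host, msg in detect(SAMPLE_LOG.splitlines()):
        print(host, msg)
```

The registered device on HMI-TURB-02 produces no alert, which is the point of pairing the inventory with detection: noise comes down to the devices and behaviours you have not already approved.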

Phase 2 - Contain

  • Isolate affected workstation or endpoint at the switch level (VLAN isolation)

  • Do not shut down controllers or field devices without OT engineering sign-off - assess operational impact first

  • Preserve logs and USB device for forensic analysis

  • Notify OT security team and CISO within defined SLA

Phase 3 - Investigate

  • Forensic image of affected workstation

  • Review USB connection logs, process execution logs, and network traffic anomalies in the window around the event

  • Cross-reference IOCs with MITRE ATT&CK for ICS (Technique T0856 - Spearphishing Attachment via Media)

Phase 4 - Recover

  • Restore from known-good configuration backup (not from the potentially compromised media)

  • Re-image affected workstations before returning to service

  • Validate control system integrity before resuming production

Phase 5 - Learn

  • Root cause analysis: How did the device enter the environment?

  • Update policy, technical controls, or training based on findings

  • Document and report per applicable regulatory requirements

The Shieldworkz Approach to USB and Removable Media Security in CPS

At Shieldworkz, we work with organisations across energy, manufacturing, utilities, and oil and gas to build OT/ICS security programs that are grounded in operational reality - not just compliance checkboxes.

Our approach to USB and removable media security in cyber physical systems environments includes:

  • OT asset visibility - passive agentless discovery to enumerate every endpoint with USB exposure across your Purdue Model zones

  • Policy and process design - removable media policies, secure media transfer workflows, and contractor access protocols built for your operational environment

  • Technical control deployment - OT-compatible device control, endpoint hardening, and USB scanning kiosk integration

  • Compliance alignment - mapping your USB controls to IEC 62443, NERC CIP, NIST SP 800-82, and NIS2 requirements

  • Incident response readiness - OT-specific USB incident response playbooks and tabletop exercises

We don't parachute in IT solutions and hope they work in your plant. We engineer controls that fit your environment, your assets, and your operational constraints.

Conclusion

USB drives are not a legacy threat. In 2026, they remain one of the most reliable and widely exploited vectors against cyber physical systems - precisely because the controls designed to stop them in IT environments don't translate cleanly to OT.

Here's what to take away from this post:

  1. USB attacks in CPS environments bypass network perimeter defenses by design - they execute locally and generate no network traffic

  2. Air gaps increase USB reliance, paradoxically expanding the attack surface

  3. Legacy endpoints, operational pressures, and vendor workflows create persistent gaps that policy alone cannot close

  4. A layered approach - asset visibility, formal policy, technical controls, secure transfer processes, and training - is the only reliable path to USB risk mitigation

  5. Compliance frameworks including IEC 62443, NERC CIP, and NIS2 mandate specific removable media controls with audit evidence requirements

Your next steps don't have to be complicated. Start with the maturity assessment scorecard in this post. Identify your highest-risk gaps. Then prioritise the technical controls that close the largest exposure with the least operational disruption.

Ready to take action? Request a demo with our OT security experts at Shieldworkz. We'll walk you through a structured assessment of your CPS USB risk posture and show you exactly where to focus first.

Additional resources:

  • What Is Removable Media? Risks, Policies, and Industrial OT Security Solutions here

  • Free Removable Media Policy Template for OT and IT Teams here

  • Remediation Guides here
