Team Shieldworkz
The Thumb Drive That Can Shut Down a Plant
In 2010, a single infected USB drive bypassed air gaps that were supposed to keep Iran's nuclear centrifuges safe. The result was Stuxnet - arguably the most consequential cyberattack in industrial history. More than fifteen years later, removable media remains one of the most exploited and under-controlled attack vectors in operational technology (OT) and industrial control system (ICS) environments.
Why? Because unlike IT networks, OT environments run legacy systems that rarely get patches, depend on manual data transfers via USB drives, and often lack the endpoint controls that enterprise security teams take for granted. A contractor plugs in a personal flash drive to transfer a configuration file. A technician uses the same USB drive across three facilities. An operator downloads a firmware update from the internet onto removable media without scanning it first.
Each of these moments is a potential entry point for malware, ransomware, or nation-state intrusion.
This guide walks you through exactly how IEC 62443 - the international gold standard for industrial cybersecurity - addresses removable media security, and what practical, actionable steps your team can take today to close those gaps before they become incidents.
Before we move forward, don’t forget to check out our previous blog post on What a mysterious New York sewer intrusion reveals about hybrid warfare here
What Is IEC 62443 and Why Does It Matter for USB Security?
IEC 62443 is a series of standards developed by the International Electrotechnical Commission (IEC) specifically for industrial automation and control system (IACS) cybersecurity. It covers everything from risk assessment and system design to ongoing operations and supplier requirements.
Unlike IT-focused frameworks, IEC 62443 is built for the realities of OT environments: high availability requirements, legacy systems, safety-critical processes, and complex supply chains involving multiple vendors.
Within IEC 62443, removable media security is addressed across several components, particularly:
IEC 62443-2-1: Security management system requirements - including policies for portable device use
IEC 62443-3-3: System security requirements and security levels - specifying controls around physical media
IEC 62443-4-2: Component-level technical security requirements - covering device authentication and media controls
The standard defines Security Levels (SL 1–4) based on the sophistication of the threat actor a system needs to defend against. For most critical infrastructure operators, achieving SL 2 or SL 3 is the target - and both levels mandate robust controls around removable media.
Why USB Threats Are So Dangerous in OT Environments
Before diving into controls, it is worth understanding exactly why USB threats are uniquely dangerous in industrial settings.
1. Air Gaps Are Not Enough
Many OT operators believe that physically isolating systems from the internet - the so-called "air gap" - makes them safe. But air gaps create their own problem: data still needs to move. That movement almost always involves removable media. Air gaps don't stop USB threats; they make USB the primary attack vector.
2. Legacy Systems Cannot Be Patched
A Windows XP-based HMI running a critical process cannot simply be updated to the latest OS. These systems are unpatched by design, meaning any malware that reaches them via USB can execute without encountering modern endpoint defences.
3. Industrial Malware Is Built for USB Delivery
Malware families such as Stuxnet, Industroyer, and TRITON/TRISIS have all demonstrated the ability to propagate via removable media. Newer variants continue to target industrial protocols and devices specifically. This is not generic ransomware - this is purpose-built industrial sabotage tooling.
4. OT Environments Lack Endpoint Visibility
Most OT networks were not designed with centralised endpoint detection in mind. When a USB drive is plugged into a PLC workstation or SCADA server, there is often no log, no alert, and no automatic scan. The insertion event is invisible.
IEC 62443 Removable Media Security Controls: What the Standard Requires
Here is a breakdown of the specific controls IEC 62443 mandates that are directly relevant to USB and removable media security.
Control Area 1: Portable and Removable Device Policy (IEC 62443-2-1)
The standard requires organisations to define and enforce a documented policy covering:
Approved and prohibited device types
Registration and authorisation of removable media
Procedures for introducing media into secure zones
Mandatory scanning requirements before use
Actionable task: Draft or audit your current removable media policy against these requirements. If your policy allows any employee to plug in any USB device without prior authorisation, it does not meet IEC 62443-2-1.
Control Area 2: Media Transfer Controls and Scanning (IEC 62443-3-3, SR 2.1)
IEC 62443-3-3 Security Requirement SR 2.1 mandates that only authorised individuals are permitted to connect removable media to IACS components, and that media must be inspected for malware before introduction.
This typically means deploying a dedicated media scanning kiosk - a standalone workstation not connected to the OT network that scans all removable media against up-to-date threat signatures before the media is permitted to cross the zone boundary.
Actionable task: If you do not have a media scanning kiosk at every entry point to your OT network, this is your highest-priority gap. Implement one immediately, and establish a documented procedure requiring every USB device to be scanned before use.
Control Area 3: Physical Port Control (IEC 62443-4-2, CR 1.1)
At the component level, IEC 62443-4-2 requires that USB ports and other physical interfaces on IACS components be disabled or physically blocked when not required for an approved function.
This is one of the most frequently overlooked controls in OT environments. It is common to find live, uncontrolled USB ports on every workstation, HMI, and engineering laptop in a facility.
Actionable task: Conduct a physical port audit across your OT environment. Categorise every USB port as: (a) required for operations, (b) required for maintenance only, or (c) not required. Block or disable categories (b) and (c) by default.
Control Area 4: Device Whitelisting and Access Control (IEC 62443-4-2, CR 1.3)
Not every USB device that passes a malware scan should be permitted on every system. IEC 62443-4-2 CR 1.3 requires that access to resources be restricted to authorised users, devices, and functions.
In practice, this means deploying software-based USB device control that enforces whitelisting at the device identity level - only pre-registered, organisation-issued drives can connect, and only to authorised systems.
Actionable task: Implement a USB device control solution that enforces hardware-level whitelisting. Maintain a register of all approved removable media assets, including device serial numbers, assigned users, and approved use cases.
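The register and the allow decision behind device-identity whitelisting, written here as an added illustration (not Shieldworkz code and not any product's API). The decision is keyed on what a USB mass-storage device presents (vendor ID, product ID and serial) together with the IEC 62443 zone it is being connected in, defaults to deny, and carries the expiry date that an exception process needs. Field names, zone names and the sample register entries are assumptions constructed for this example.

```python
"""Removable-media register with allowlisting by device identity (added example)."""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class DeviceIdentity:
    vendor_id: str    # USB VID as the device reports it, e.g. "0781" (constructed)
    product_id: str   # USB PID, e.g. "5583" (constructed)
    serial: str       # serial string; blank or duplicated on many consumer drives


@dataclass
class Registration:
    identity: DeviceIdentity
    assigned_user: str
    use_case: str
    authorised_zones: frozenset   # zones the device may be connected in
    expires: date                 # time limit; authorisation lapses unless renewed


class MediaRegister:
    """Register of approved media assets and the connect decision."""

    def __init__(self) -> None:
        self._entries: dict[DeviceIdentity, Registration] = {}

    def register(self, reg: Registration) -> None:
        # A device without a serial cannot be told apart from a clone; do not register it.
        if not reg.identity.serial:
            raise ValueError("refusing to register a device with no serial")
        self._entries[reg.identity] = reg

    def revoke(self, identity: DeviceIdentity) -> None:
        self._entries.pop(identity, None)

    def decide(self, identity: DeviceIdentity, zone: str, today: date) -> tuple[bool, str]:
        """Default deny: only a current registration covering this zone is allowed."""
        if not identity.serial:
            return False, "device presents no serial; cannot be identified"
        reg = self._entries.get(identity)
        if reg is None:
            return False, "unregistered device"
        if today > reg.expires:
            return False, f"authorisation expired {reg.expires.isoformat()}"
        if zone not in reg.authorised_zones:
            return False, f"not authorised for zone {zone}"
        return True, f"allowed: {reg.assigned_user} / {reg.use_case}"

    def expired(self, today: date) -> list[Registration]:
        """Entries a quarterly register review should remove."""
        return [r for r in self._entries.values() if today > r.expires]


def build_sample_register() -> MediaRegister:
    """Constructed entries: one organisation-issued drive and one contractor exception."""
    reg = MediaRegister()
    reg.register(Registration(
        DeviceIdentity("0781", "5583", "ORG-0001"), "j.patel", "PLC config transfer",
        frozenset({"Z-ENG", "Z-MAINT"}), date(2025, 12, 31)))
    reg.register(Registration(
        DeviceIdentity("0781", "5583", "CTR-0107"), "acme-field-service", "firmware update",
        frozenset({"Z-MAINT"}), date(2025, 5, 31)))
    return reg


def demo_decisions(today: date = date(2025, 6, 1)) -> dict[str, tuple[bool, str]]:
    """Connect attempts evaluated against the sample register (constructed scenarios)."""
    reg = build_sample_register()
    issued = DeviceIdentity("0781", "5583", "ORG-0001")
    contractor = DeviceIdentity("0781", "5583", "CTR-0107")
    unknown = DeviceIdentity("0781", "5583", "3A9F21")
    blank = DeviceIdentity("0781", "5583", "")
    return {
        "issued in Z-ENG": reg.decide(issued, "Z-ENG", today),
        "issued in Z-SIS": reg.decide(issued, "Z-SIS", today),
        "contractor after expiry": reg.decide(contractor, "Z-MAINT", today),
        "unregistered": reg.decide(unknown, "Z-ENG", today),
        "no serial": reg.decide(blank, "Z-ENG", today),
    }


def review_expired(today: date = date(2025, 6, 1)) -> list[str]:
    """Serials whose authorisation has lapsed, for the periodic register review."""
    return [r.identity.serial for r in build_sample_register().expired(today)]


if __name__ == "__main__":
    for label, (ok, why) in demo_decisions().items():
        print(f"{'ALLOW' if ok else 'DENY ':5} {label}: {why}")
    print("expired:", review_expired())
```

Two design points are worth noting. Matching on VID and PID alone is not enough, because every drive of one model shares them, so the serial is what makes the entry unique; and a drive that presents no serial is refused outright rather than matched loosely. Authorisation is scoped to zones, so a drive approved for a maintenance zone is still denied on a safety-system workstation.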
Control Area 5: Audit Logging and Monitoring (IEC 62443-3-3, SR 6.1)
IEC 62443-3-3 SR 6.1 requires that audit records be generated for security-relevant events - including removable media insertions, file transfers, and access attempts. These logs must be protected from tampering and reviewed regularly.
Actionable task: Ensure your OT security monitoring tools capture USB insertion events, file copy events, and failed access attempts. Route these logs to your Security Operations Centre (SOC) or OT-aware SIEM platform for correlation and alerting.
IEC 62443 Removable Media Security: Compliance Checklist
Use this checklist to assess your current posture against IEC 62443 requirements:
| Control | IEC 62443 Reference | Status |
|---|---|---|
| Documented removable media policy in place | 62443-2-1 | ☐ Complete / ☐ Gap |
| All USB devices require prior authorisation | 62443-2-1 | ☐ Complete / ☐ Gap |
| Dedicated media scanning kiosk deployed at OT zone entry | 62443-3-3 SR 2.1 | ☐ Complete / ☐ Gap |
| Scanning results logged and retained | 62443-3-3 SR 6.1 | ☐ Complete / ☐ Gap |
| Physical USB ports audited and disabled where not required | 62443-4-2 CR 1.1 | ☐ Complete / ☐ Gap |
| Device whitelisting enforced (hardware-level) | 62443-4-2 CR 1.3 | ☐ Complete / ☐ Gap |
| USB insertion events logged and monitored | 62443-3-3 SR 6.1 | ☐ Complete / ☐ Gap |
| Contractor and third-party media procedures defined | 62443-2-1 | ☐ Complete / ☐ Gap |
| Annual removable media risk assessment completed | 62443-2-1 | ☐ Complete / ☐ Gap |
| Staff trained on removable media policy | 62443-2-1 | ☐ Complete / ☐ Gap |
Step-by-Step: Building an IEC 62443-Aligned USB Security Programme
Let's walk through what a practical, phased implementation looks like for an industrial organisation starting from a baseline posture.
Phase 1 - Assess and Discover (Weeks 1–4)
Start with visibility. You cannot control what you cannot see.
Conduct a full removable media risk assessment across all OT zones and conduits
Map every physical USB port in your environment - HMIs, engineering workstations, historian servers, PLCs, DCS consoles
Identify all current instances of removable media use, including contractor workflows, firmware update procedures, and data export routines
Review existing policies and identify gaps against IEC 62443-2-1 requirements
Output: A prioritised risk register of removable media vulnerabilities, mapped to IEC 62443 Security Levels.
Phase 2 - Control and Harden (Weeks 5–12)
Close the most critical gaps first.
Deploy media scanning kiosks at all OT zone entry points
Implement USB port control software with hardware-level whitelisting
Physically disable or block all non-required USB ports
Establish a formal removable media register - every approved device tracked by serial number, user, and zone access
Update contractor onboarding procedures to enforce media scanning before any device enters your facility
Output: Documented controls mapped to IEC 62443-3-3 SR 2.1 and 62443-4-2 CR 1.1/CR 1.3.
Phase 3 - Monitor and Respond (Ongoing)
Build detection and response capability around removable media events.
Integrate USB event logs into your OT-aware SIEM or monitoring platform
Define alert thresholds for: new unregistered device insertions, large file transfers via USB, repeated scan failures
Include removable media scenarios in your OT incident response playbook
Establish quarterly reviews of the removable media register to remove stale or unused device authorisations
Output: Continuous monitoring coverage aligned with IEC 62443-3-3 SR 6.1 and your broader OT detection programme.
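The three alert thresholds named in Phase 3, applied to a constructed USB event log, as an added example (not Shieldworkz code and not any SIEM's rule language). The log format (a timestamp followed by key=value fields), the set of registered serials and the numeric thresholds are assumptions; in a real deployment they come from the endpoint agent, the media register and the zone's risk assessment respectively.

```python
"""Alerting over removable-media events (added example)."""
from collections import Counter, defaultdict

# Constructed register extract: serials currently authorised (assumption).
REGISTERED_SERIALS = {"ORG-0001", "ORG-0002", "CTR-0107"}
LARGE_TRANSFER_BYTES = 500 * 1024 * 1024   # assumed per-host, per-device threshold
SCAN_FAIL_THRESHOLD = 3                     # assumed: three failures on one device

# Constructed sample log; not captured from any real system.
SAMPLE_LOG = """\
2025-06-01T08:02:11Z host=HMI-03 zone=Z-ENG event=usb_insert serial=ORG-0001
2025-06-01T08:05:40Z host=HMI-03 zone=Z-ENG event=file_copy serial=ORG-0001 bytes=52428800
2025-06-01T09:14:02Z host=EWS-01 zone=Z-ENG event=usb_insert serial=3A9F21
2025-06-01T09:14:03Z host=EWS-01 zone=Z-ENG event=file_copy serial=3A9F21 bytes=734003200
2025-06-01T09:20:15Z host=KIOSK-1 zone=Z-DMZ event=scan_result serial=CTR-0107 result=fail
2025-06-01T09:31:44Z host=KIOSK-1 zone=Z-DMZ event=scan_result serial=CTR-0107 result=fail
2025-06-01T09:45:09Z host=KIOSK-1 zone=Z-DMZ event=scan_result serial=CTR-0107 result=fail
2025-06-01T10:01:30Z host=HIST-02 zone=Z-CTRL event=file_copy serial=ORG-0001 bytes=419430400
2025-06-01T10:03:12Z host=HIST-02 zone=Z-CTRL event=file_copy serial=ORG-0001 bytes=209715200
"""


def parse_event(line: str) -> dict:
    """Split 'ts k=v k=v ...' into a dict; the timestamp lands under 'ts'."""
    ts, *fields = line.split()
    event = dict(f.split("=", 1) for f in fields)
    event["ts"] = ts
    return event


def detect(log_text: str) -> list[dict]:
    """Run the three Phase 3 rules over the log and return alerts in log order."""
    alerts = []
    bytes_by_device = defaultdict(int)   # (host, serial) -> cumulative bytes copied
    large_fired = set()                  # fire the large-transfer alert once per device
    scan_fails = Counter()               # serial -> failed kiosk scans

    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_event(line)
        serial = ev.get("serial", "")
        key = (ev.get("host"), serial)
        kind = ev.get("event")

        # Rule 1: insertion of a device that is not in the register.
        if kind == "usb_insert" and serial not in REGISTERED_SERIALS:
            alerts.append({"rule": "unregistered_insert", "ts": ev["ts"],
                           "host": ev["host"], "zone": ev["zone"], "serial": serial})
        # Rule 2: cumulative bytes copied to/from one device on one host crosses the threshold.
        elif kind == "file_copy":
            bytes_by_device[key] += int(ev["bytes"])
            if bytes_by_device[key] > LARGE_TRANSFER_BYTES and key not in large_fired:
                large_fired.add(key)
                alerts.append({"rule": "large_transfer", "ts": ev["ts"], "host": ev["host"],
                               "zone": ev["zone"], "serial": serial,
                               "bytes": bytes_by_device[key]})
        # Rule 3: the same device fails the kiosk scan repeatedly.
        elif kind == "scan_result" and ev.get("result") == "fail":
            scan_fails[serial] += 1
            if scan_fails[serial] == SCAN_FAIL_THRESHOLD:
                alerts.append({"rule": "repeated_scan_failure", "ts": ev["ts"],
                               "host": ev["host"], "zone": ev["zone"], "serial": serial,
                               "failures": scan_fails[serial]})
    return alerts


def rule_counts(alerts: list[dict]) -> dict[str, int]:
    return dict(Counter(a["rule"] for a in alerts))


if __name__ == "__main__":
    for a in detect(SAMPLE_LOG):
        print(a)
```

The large-transfer rule accumulates per host and device rather than testing each copy in isolation, so a transfer split into several medium-sized files on the historian still trips the threshold, while the 50 MB configuration transfer on the HMI does not. The thresholds should differ by zone; a figure that is noise in a maintenance zone may be the right alert level on a safety-system console.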
Phase 4 - Validate and Improve (Quarterly / Annually)
Compliance is not a one-time event.
Conduct annual removable media risk assessments
Test your scanning kiosk against current threat signatures, including novel USB attack tools
Run tabletop exercises simulating a USB-delivered malware scenario in your OT environment
Review and update your removable media policy following any significant change to your environment, supply chain, or threat landscape
Common Mistakes OT Teams Make with Removable Media Security
Even well-intentioned teams fall into these traps. Knowing them in advance helps you avoid them.
Mistake 1: Relying on a single antivirus scan
A single AV engine will not catch everything. Media scanning kiosks should use multi-engine scanning and include checks for suspicious file types, scripts, and autorun configurations - not just known malware signatures.
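The structural checks this paragraph calls for, as an added example that is not Shieldworkz code and not any commercial kiosk's scanner; it is meant to run alongside the AV engines, not instead of them. It flags an autorun configuration file, executable and script extensions, double extensions, and executable magic bytes hiding behind a benign extension, and records a SHA-256 for every file so the scan result can be logged. The sample media contents are constructed and contain no real malware; the extension list is an assumption to be tuned per site.

```python
"""Kiosk pre-check for suspicious media content (added example)."""
import hashlib
import tempfile
from pathlib import Path

# Assumed block list; extend per site (installers, archives, macro-enabled documents).
EXEC_EXTENSIONS = {".exe", ".dll", ".scr", ".com", ".bat", ".cmd", ".ps1",
                   ".vbs", ".js", ".jar", ".lnk", ".hta", ".msi"}
EXEC_MAGIC = (b"MZ", b"\x7fELF")   # PE and ELF headers


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def precheck(root: str) -> list[dict]:
    """Walk the mounted media and return one finding per (file, rule) pair."""
    findings = []
    root_path = Path(root)
    for path in sorted(p for p in root_path.rglob("*") if p.is_file()):
        rel = path.relative_to(root_path).as_posix()
        digest = sha256_of(path)
        suffixes = [s.lower() for s in path.suffixes]
        with path.open("rb") as fh:
            head = fh.read(4)
        rules = []
        if path.name.lower() == "autorun.inf":
            rules.append("autorun_config")
        if suffixes and suffixes[-1] in EXEC_EXTENSIONS:
            rules.append("executable_extension")
        if len(suffixes) >= 2 and suffixes[-1] in EXEC_EXTENSIONS:
            rules.append("double_extension")          # e.g. report.pdf.exe
        if head.startswith(EXEC_MAGIC) and not (suffixes and suffixes[-1] in EXEC_EXTENSIONS):
            rules.append("executable_magic")          # PE/ELF content, benign-looking name
        findings.extend({"path": rel, "rule": r, "sha256": digest} for r in rules)
    return findings


# Constructed sample media; the bytes are stubs, not executables.
SAMPLE_FILES = {
    "autorun.inf": b"[autorun]\nopen=readme.exe\n",
    "report.pdf.exe": b"MZ\x90\x00 stub",
    "tools/update.ps1": b"Write-Host 'hello'\n",
    "photos/diagram.jpg": b"MZ\x90\x00 not a jpeg",
    "config/plc_config.xml": b"<config/>\n",
    "notes.txt": b"shift handover\n",
}


def build_sample_media(root: str) -> None:
    for rel, content in SAMPLE_FILES.items():
        p = Path(root) / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(content)


def run_sample_check() -> list[dict]:
    """Build the constructed media in a temp directory and pre-check it."""
    with tempfile.TemporaryDirectory() as d:
        build_sample_media(d)
        return precheck(d)


if __name__ == "__main__":
    for f in run_sample_check():
        print(f"{f['rule']:22} {f['path']}  sha256={f['sha256'][:16]}...")
```

On the constructed sample the check returns five findings: the autorun file, the double-extension file (two findings), the PowerShell script, and the "JPEG" whose first bytes are a PE header. The last case is the reason to look at content as well as names: an extension filter alone passes it, and a signature engine passes it if the payload is not yet known.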
Mistake 2: Treating all OT zones the same
A USB policy appropriate for a low-risk maintenance zone is not appropriate for a zone containing safety-instrumented systems. Apply IEC 62443 security levels correctly and scale your controls accordingly.
Mistake 3: Ignoring contractors and third parties
Your employees are not the only people bringing removable media into your facility. Maintenance contractors, system integrators, and OEM service technicians often arrive with personal laptops and USB drives. Your policy must explicitly cover third-party media, and your scanning procedures must be enforced regardless of who is presenting the device.
Mistake 4: No exception management process
Banning all USB use outright often leads to shadow workarounds that are far less secure. Establish a formal, documented exception process for cases where removable media is genuinely required - with compensating controls, time limits, and post-use audit requirements.
Mistake 5: Treating USB security as an IT problem
OT environments have unique constraints that IT USB controls do not account for: legacy operating systems, proprietary industrial protocols, safety implications of system downtime, and operational continuity requirements. Your USB security programme must be designed by people who understand both the cybersecurity requirements and the operational realities of your specific industrial environment.
How Removable Media Threats Map to Wider OT Risk Frameworks
IEC 62443 does not operate in isolation. If your organisation is also working toward NIST SP 800-82, NERC CIP, or NIS2 compliance, removable media security is a shared requirement across all of them.
| Framework | Removable Media Requirement |
|---|---|
| IEC 62443-2-1 / 3-3 / 4-2 | Policy, scanning, device control, logging |
| NIST SP 800-82 Rev 3 | Media protection controls (MP family) |
| NERC CIP-003-8 / CIP-007-6 | Physical security, port control, patching via media |
| NIS2 Directive | Supply chain and endpoint risk management |
| NIST SP 1334 | Removable media in industrial environments specifically |
If your team is building toward multi-framework compliance, a well-designed removable media programme built on IEC 62443 principles will advance all of these requirements at the same time.
What to Look for in an OT Removable Media Security Solution
When evaluating technology and services to support your IEC 62443 removable media security programme, prioritise the following capabilities:
Multi-engine malware scanning at the media kiosk level, with OT-specific threat intelligence
Hardware-level USB device control that enforces whitelisting by device identity, not just file type
OT-aware logging and SIEM integration that understands industrial protocols and doesn't generate excessive noise
Support for legacy operating systems, including Windows XP, Windows 7, and other unsupported platforms common in OT environments
Vendor-agnostic deployment that works across multi-vendor OT environments including Siemens, Rockwell, Honeywell, ABB, and Schneider Electric assets
Audit-ready reporting that maps directly to IEC 62443 control requirements for assessors and regulators
Operational continuity design - controls that do not introduce latency or availability risk into safety-critical processes
USB Threats Are Preventable - With the Right Controls in Place
Removable media is not going away from OT environments any time soon. The operational realities of industrial facilities - legacy systems, air-gapped networks, on-site maintenance requirements - mean that USB drives, laptops, and portable storage devices will continue to be part of how your teams do their jobs.
That is not the problem. The problem is operating without the controls, policies, and monitoring that IEC 62443 exists to provide.
The good news is that the path forward is clear. IEC 62443 gives you a structured, risk-based framework. The controls are well-defined. The technology to implement them exists. What most organisations are missing is the expertise to translate the standard into a practical programme that fits their specific industrial environment - without disrupting operations or overwhelming already-stretched OT security teams.
Key takeaways from this guide:
USB threats remain one of the top attack vectors in OT environments, including in air-gapped facilities
IEC 62443 mandates specific, actionable controls for removable media across policy, technical, and monitoring layers
A phased approach - assess, control, monitor, validate - is the most effective way to build compliance without operational disruption
Multi-framework environments (NIST SP 800-82, NERC CIP, NIS2) benefit significantly from an IEC 62443-aligned removable media programme
Contractor and third-party media is a frequently overlooked gap that must be explicitly addressed
Ready to Close Your Removable Media Gaps?
At Shieldworkz, we specialise exclusively in OT/ICS and IIoT cybersecurity. We work with plant managers, OT engineers, and CISOs to build IEC 62443-aligned security programmes that are designed around the realities of industrial environments - not adapted from IT playbooks. Request a demo to see how Shieldworkz helps industrial organisations identify removable media risks, implement IEC 62443-aligned controls, and build the monitoring capabilities needed to stay ahead of USB-delivered threats.
Additional resources:
OT Cyber Threat Intelligence Advisory - Middle East here
NIS2 Directive Achieving NIS2 Compliance Through IEC 62443 here
What Is Removable Media? Risks, Policies, and Industrial OT Security Solutions here
Free Removable Media Policy Template for OT and IT Teams here
Remediation Guides here