

Prayukth KV
8 August 2025
Unpacking NIST Special Publication SP 1334 ipd on Protecting Operational Technology from Portable Storage Media Risks
The first draft of National Institute of Standards and Technology (NIST) SP 1334 was issued by NIST for public consultation a few weeks back. This draft outlines many measures to reduce cybersecurity risks emerging from the use of portable storage media in Operational Technology environments.
Unique OT security problem
Portable storage media, including USB flash drives, external hard drives, and in some instances even CDs, are used to transfer data in and out of Operational Technology (OT) environments and to patch air-gapped systems. Their convenience, however, also introduces significant cybersecurity risk. To minimize the likelihood of a cyberattack, the National Cybersecurity Center of Excellence (NCCoE) has recommended a series of cybersecurity controls for OT personnel in NIST Special Publication SP 1334 ipd.
Before we dive into the recommended controls, it is essential to understand why portable storage media pose a unique threat to OT systems.
· The use of USB drives and other portable storage media on the shop floor is often not reported by users, so it is frequently not governed by any policy guideline.
· USB drives are often either not tested for OT-specific malware or not tested at all before they are introduced into a network.
· We have seen security audit reports in which the use of portable storage media in the OT network was not mentioned at all, even though it did find a mention in the audit report for IT. All the more reason to talk to the right OT security assessment and audit vendor.
· In most incident response simulations and security drills, an incident originating from the use of a USB drive is not considered, which leaves a blind spot for OT security teams and leaders. This is also why you need to talk to an incident response simulation vendor who understands your unique environment and OT security maturity.
· Portable storage media are often used across systems and environments, increasing the probability of cross-introduction of malware and other threats.
Now let's look at some of the cybersecurity controls proposed by NIST in SP 1334 and some of the suggestions we would like to offer to strengthen them.
Procedural Controls
Organizations should implement policies to manage the use of portable storage media. This includes:
· Developing policies for purchasing, authorizing, and managing organization-owned media. Devices from external sources should be considered untrusted.
· Procuring devices that support hardware-based encryption standards.
· Limiting media usage to specific authorized personnel and purposes.
· Creating procedures for provisioning, usage, storage, sanitization, and destruction of media.
· Enabling logging to track system and user identity, device serial numbers, and usage dates.
· Training staff on all policies and procedures.
Recommendations from Shieldworkz:
· USB drives should be decommissioned after a defined period of time.
· In addition to logging the usage, the specific reason for which the portable storage device was used should also be documented.
· Devices from external sources should not be used.
Physical Controls
Physical controls are essential for managing access, labelling, and storage of portable storage media.
· Media should be stored in a physically secure location accessible only to authorized individuals.
· Approved media should be clearly labelled, indicating who can use it, on which network or system it can be used, and its functional purpose.
· A designated storage space for approved media is a key part of a strong physical control system.
Recommendations from Shieldworkz:
· The labelling should be tamper-proof.
· The designated storage system should be inventoried periodically and all devices accounted for.
Technical Controls
Organizations should establish technical controls consistent with NIST SP 800-82. These include:
· Blocking or disabling unauthorized ports, such as USB ports and CD/DVD drives, using physical blocks or logical disabling.
· Scanning media with updated malware detection software before and after use. For devices that don't support scanning, kiosk solutions can be used.
· Reformatting devices before reusing them on different equipment or environments.
· Using write-protection when files only need to be read.
· Disabling Autorun features.
· Encrypting data on portable media using a FIPS-compliant algorithm.
Recommendations from Shieldworkz:
· The scanning should be done using malware detection software that can detect OT-specific malware as well.
By implementing a combination of secure physical, procedural, and technical controls, organizations can significantly reduce the cybersecurity risks posed by portable storage media in OT environments. This includes securing the access, storage, and usage of devices, as well as providing training on safe and effective utilization.
