
USB Security in Industrial Control Systems: 15 Controls That Actually Reduce Risk

Team Shieldworkz

A single USB drive. That's all it took to compromise one of the most secure industrial facilities in the world. The Stuxnet attack, still the most studied ICS cyberattack in history, was delivered via a thumb drive plugged into an air-gapped network. Two decades later, USB-borne threats remain one of the top attack vectors targeting operational technology environments.

For plant managers, OT engineers, and CISOs, this is not a theoretical risk. Every unmanaged USB port on a field device, HMI, or engineering workstation is a potential entry point for malware, data exfiltration, or ransomware. And unlike IT networks, the consequences in an OT environment don't stop at lost data: they can mean unplanned downtime, equipment damage, safety incidents, or worse.

The good news: USB security in industrial control systems is manageable. It doesn't require replacing every legacy device or building a fully air-gapped facility. What it does require is a structured, layered approach, combining policy, process, and technology, that's calibrated to the specific realities of OT environments.

This post walks you through 15 controls that actually reduce USB risk in ICS environments, organized by control category, with checklists and implementation tactics you can put to work immediately.

Why USB Threats Hit OT Environments Harder Than IT

Before diving into the controls, it's worth understanding why USB attacks are so much more damaging in OT environments than in traditional enterprise IT.

Three structural vulnerabilities make OT networks uniquely exposed:

1. Air-gap reliance creates false confidence. Many OT operators assume that because their control networks aren't connected to the internet, they're protected. But air gaps are routinely crossed by contractors, field engineers, and maintenance teams carrying USB drives with firmware updates, configuration files, or diagnostic tools, often without any scanning or verification.

2. Legacy systems can't run endpoint protection. A significant portion of OT assets (PLCs, RTUs, legacy HMIs, historians) run outdated operating systems (Windows XP, Windows 7, embedded Linux variants) that can't support modern endpoint detection and response (EDR) tools. USB ports on these devices are wide open.

3. Operational pressure overrides security hygiene. In a plant environment, production continuity is king. When a contractor needs to upload a firmware patch at 2 a.m. during a maintenance window, there's rarely time for multi-step USB verification. Security shortcuts happen, and attackers know it.

Add to this the fact that OT networks often have poor network segmentation, limited monitoring, and long patch cycles, and you have an environment where a single infected USB drive can propagate laterally for months before detection.

The 15 USB Security Controls for ICS Environments

We've organized these 15 controls across five categories: Policy & Governance, Technical Enforcement, Device & Media Management, Monitoring & Detection, and People & Process.

Category 1: Policy & Governance Controls

Control 1 - Establish a Formal USB and Removable Media Policy

Before you can enforce anything technically, you need a written policy that defines what is and isn't allowed. Your USB and removable media policy should cover:

  • Which device types are permitted (USB drives, external hard drives, SD cards, phones)

  • Which personnel are authorized to use removable media in OT zones

  • Where removable media is and isn't permitted (e.g., banned in Safety Instrumented System zones entirely)

  • How media must be scanned before use

  • What happens when a violation occurs

Align this policy with IEC 62443-2-1, which requires documented policies for removable media as part of an industrial security management system. If you're working toward NIS2 compliance, documented USB controls are also a demonstrable requirement under Article 21 technical measures.

Quick Checklist - USB Policy Essentials:

Policy Element                                 | In Place?
-----------------------------------------------|----------
Formal USB use policy documented               | [ ]
Policy covers all removable media types        | [ ]
OT-specific restrictions defined by zone       | [ ]
Policy communicated to contractors and vendors | [ ]
Annual policy review scheduled                 | [ ]
Violation consequences documented              | [ ]

Control 2 - Classify OT Zones and Apply USB Rules by Zone

Not every part of your plant has the same risk profile. A USB port on an engineering workstation in the corporate DMZ carries different risk than one on a PLC in a Safety Instrumented System (SIS) zone.

Apply the IEC 62443 zone-and-conduit model to define USB access rules per zone:

  • Level 0–1 (Field Devices, Controllers): USB ports physically disabled or blocked. No exceptions.

  • Level 2 (Supervisory / HMI): USB access permitted only for authorized, scanned media via a formal approval workflow.

  • Level 3 (Operations Network / Historian): USB access permitted for authorized personnel using organization-issued, encrypted media only.

  • Level 3.5 / DMZ: Standard IT-grade USB controls apply; all media scanned before use.

Control 3 - Implement a Third-Party and Contractor USB Policy

In most industrial facilities, a significant percentage of USB-related incidents involve contractors, integrators, and OEM service technicians, not internal staff. They arrive with personal laptops, personal USB drives, and little awareness of your security requirements.

Your third-party USB policy should require:

  • All removable media used on-site to be organization-issued or pre-scanned at a designated kiosk

  • Contractors to sign a removable media agreement before accessing OT systems

  • Vendor-supplied software delivered via verified, hash-validated media or secure file transfer, not personal USB drives

  • A visitor log that tracks which contractor accessed which device with which media

Category 2: Technical Enforcement Controls

Control 4 - Disable Unused USB Ports at the Physical and OS Level

The most reliable USB security control is also the simplest: if the port doesn't need to be used, disable it.

Two-layer approach:

  • Physical: Use port blockers (tamper-evident USB port locks) on devices where USB access should be permanently prohibited. This prevents plugging in even if OS-level controls are bypassed.

  • OS-level: Use Group Policy Objects (GPOs) on Windows-based HMIs and engineering workstations to disable USB storage class devices entirely. On Linux-based systems, blacklist the usb-storage kernel module.

Important: Disabling USB ports via OS settings alone is insufficient on legacy systems where BIOS/firmware controls may allow bypasses. Always combine with physical controls for high-risk zones.

Control 5 - Deploy USB Device Whitelisting (Allow-List Enforcement)

Rather than trying to block every possible threat, allow-list enforcement flips the model: only pre-approved USB devices can connect to OT systems. Everything else is blocked by default.

This is implemented through endpoint protection platforms that support device control policies. For each authorized USB device, you define:

  • Vendor ID and Product ID (VID/PID)

  • Serial number (for individual device tracking)

  • Permitted systems (which assets the device can connect to)

  • Permitted operations (read-only vs. read/write)

In OT environments, read-only enforcement is a critical control: even if a device is whitelisted, it cannot write data back to removable media unless explicitly authorized. This prevents data exfiltration.

Control 6 - Enforce Endpoint USB Scanning via Dedicated Kiosks

For environments where you can't eliminate USB use entirely (firmware updates, configuration file transfers, diagnostic tools), deploy dedicated USB scanning kiosks at all entry points to OT zones.

A USB scanning kiosk is a standalone, hardened workstation with multiple AV engines and threat intelligence feeds that scans removable media before it's permitted into the OT environment. Key capabilities to look for:

  • Multi-engine malware scanning (at least 2 independent AV engines)

  • File type analysis and extension verification

  • Macro and script detection in office-format files

  • Scan logs with operator ID, timestamp, device serial number, and result

  • Integration with your SIEM for centralized visibility

Kiosk Placement Checklist:

Location                            | Kiosk Required?
------------------------------------|----------------
Main plant entrance / security desk | Yes
OT zone entry points                | Yes
Contractor staging areas            | Yes
Control room access points          | Yes
Remote site / substation entry      | Yes

Control 7 - Implement Encrypted, Organization-Issued USB Devices

For authorized use cases that require removable media, issue organization-controlled, hardware-encrypted USB drives. These devices enforce:

  • Hardware encryption (AES-256): Data is encrypted at rest; if the drive is lost or stolen, data is unreadable without the correct PIN or authentication credential.

  • Remote wipe capability: Some enterprise-grade devices allow IT/OT administrators to remotely disable or wipe a lost drive.

  • Asset tagging and serial number tracking: Every issued drive is logged in your asset inventory with an assigned owner and authorized use cases.

Never allow personally owned USB devices on OT systems, even for routine tasks. The risk of pre-infected consumer drives is too high.

Control 8 - Apply Application Whitelisting on OT Endpoints

USB-delivered malware typically executes via autorun, script execution, or by dropping executables on accessible system directories. Application whitelisting prevents this by ensuring that only pre-approved, signed executables can run on OT endpoints, regardless of where they came from.

For OT environments, application whitelisting solutions need to be lightweight, compatible with legacy OS versions, and able to operate without cloud connectivity. Look for solutions that support:

  • Static whitelisting by file hash, publisher signature, or file path

  • Change management workflows for updating the whitelist

  • Legacy OS support (Windows XP, Windows 7, Windows 2008)

Category 3: Device & Media Management Controls

Control 9 - Maintain a Removable Media Asset Register

You can't control what you can't track. Every piece of removable media used in OT zones should be inventoried and tracked:

Field              | Description
-------------------|-------------------------------------
Asset ID           | Unique identifier for the media
Media Type         | USB, SD card, external HDD
Encryption Status  | Hardware encrypted Y/N
Assigned Owner     | Name and department
Authorized Systems | Which OT assets it can connect to
Last Scan Date     | Date and result of most recent scan
Status             | Active / Retired / Lost

Audit this register quarterly. Retire any media that hasn't been scanned in the last 90 days before reuse.

Control 10 - Establish a Secure Media Lifecycle and Disposal Process

USB drives don't last forever, and retired drives that aren't properly disposed of are a data exfiltration risk. Your media lifecycle process should cover:

  • Issuance: Log, format with secure wipe, assign to individual

  • Active use: Require re-scanning every 30–90 days depending on risk zone

  • Retirement: Trigger a secure wipe (DoD 5220.22-M standard or physical destruction for highest sensitivity)

  • Documentation: Maintain disposal log with date, method, and authorizing personnel
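The quarterly register audit from Control 9 and the zone-dependent re-scan interval from Control 10 can be run as one script over the register. This is an added example, not Shieldworkz code: the register rows, the per-zone intervals in RESCAN_DAYS and the audit date are constructed assumptions; the 90-day retirement threshold is the one the post states, and unencrypted drives are flagged for retirement per Control 7.

```python
"""Quarterly audit of the removable media asset register (Controls 9 and 10).

Added example, not Shieldworkz code. Register rows, per-zone re-scan
intervals and the audit date are constructed; the 90-day retirement
threshold is the one the post gives.
"""
from datetime import date

# Assumed re-scan interval per zone, inside the post's 30-90 day range.
RESCAN_DAYS = {"L2": 30, "L3": 60, "DMZ": 90}
RETIRE_AFTER_DAYS = 90      # Control 9: not scanned in 90 days -> retire before reuse
AUDIT_DATE = date(2024, 5, 31)   # constructed "today" for the example

# Constructed register excerpt using the fields from Control 9.
REGISTER = [
    {"asset_id": "RM-0001", "zone": "L2", "encrypted": True, "last_scan": date(2024, 4, 20), "status": "Active"},
    {"asset_id": "RM-0002", "zone": "L3", "encrypted": True, "last_scan": date(2024, 5, 10), "status": "Active"},
    {"asset_id": "RM-0003", "zone": "DMZ", "encrypted": True, "last_scan": date(2024, 2, 1), "status": "Active"},
    {"asset_id": "RM-0004", "zone": "L3", "encrypted": False, "last_scan": date(2024, 5, 25), "status": "Active"},
    {"asset_id": "RM-0005", "zone": "L2", "encrypted": True, "last_scan": date(2023, 11, 3), "status": "Lost"},
]


def audit_register(register, today):
    """Return (asset_id, action, reason) for every active drive needing attention."""
    findings = []
    for row in register:
        if row["status"] != "Active":
            continue   # retired and lost media are already out of circulation
        age_days = (today - row["last_scan"]).days
        interval = RESCAN_DAYS[row["zone"]]
        if not row["encrypted"]:
            findings.append((row["asset_id"], "retire", "not hardware encrypted (Control 7)"))
        elif age_days > RETIRE_AFTER_DAYS:
            findings.append((row["asset_id"], "retire", f"last scan {age_days} days ago"))
        elif age_days > interval:
            findings.append((row["asset_id"], "rescan", f"zone {row['zone']} interval is {interval} days"))
    return findings


if __name__ == "__main__":
    for asset_id, action, reason in audit_register(REGISTER, AUDIT_DATE):
        print(f"{asset_id}: {action} ({reason})")
```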

Category 4: Monitoring & Detection Controls

Control 11 - Enable USB Event Logging on All OT Endpoints

Every USB connection event (plug-in, plug-out, file transfer, access denial) should generate a log entry. In OT environments, this is often disabled by default to reduce system overhead. Turn it on.

At minimum, capture:

  • Timestamp of connection/disconnection

  • Device VID/PID and serial number

  • Host system name and IP

  • Files transferred (where endpoint DLP is available)

  • Whether the device was permitted or blocked

Forward these logs to your SIEM or OT security monitoring platform for correlation.
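The allow-list fields from Control 5 (VID/PID, serial number, permitted systems, read-only) and the log fields from Control 11 fit together as one check a SIEM rule or a small script can run over forwarded events. This is an added example, not Shieldworkz code or any vendor's device-control product: the key=value log format, the VID/PID values, serial numbers and host names are all constructed.

```python
"""Allow-list check over USB event logs (Controls 5 and 11).

Added example, not Shieldworkz code. The log format, allow-list entries,
VID/PID values and host names are all constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class AllowedDevice:
    vid: str                 # USB Vendor ID (4 hex digits)
    pid: str                 # USB Product ID (4 hex digits)
    serial: str              # serial number of the individual drive
    hosts: frozenset         # OT assets this drive may connect to
    read_only: bool = True   # write access must be granted explicitly


# Constructed allow-list of two organization-issued drives.
ALLOW_LIST = [
    AllowedDevice("abcd", "0001", "ORG-USB-0007", frozenset({"HMI-01", "EWS-02"})),
    AllowedDevice("abcd", "0001", "ORG-USB-0012", frozenset({"EWS-02"}), read_only=False),
]


def evaluate(host, vid, pid, serial, action):
    """Return (verdict, reason). Default deny: unlisted devices are blocked."""
    for dev in ALLOW_LIST:
        if (dev.vid, dev.pid, dev.serial) == (vid.lower(), pid.lower(), serial):
            if host not in dev.hosts:
                return "BLOCK", f"device not authorized for host {host}"
            if action == "write" and dev.read_only:
                return "BLOCK", "read-only device attempted write"
            return "PERMIT", "allow-listed"
    return "BLOCK", "device not on allow-list"


# Constructed log excerpt: timestamp, then the key=value fields from Control 11.
SAMPLE_LOG = """\
2024-05-02T02:14:09Z host=HMI-01 vid=abcd pid=0001 serial=ORG-USB-0007 action=connect
2024-05-02T02:15:31Z host=HMI-01 vid=abcd pid=0001 serial=ORG-USB-0007 action=write
2024-05-02T02:20:44Z host=PLC-GW-03 vid=abcd pid=0001 serial=ORG-USB-0007 action=connect
2024-05-02T03:01:02Z host=EWS-02 vid=1234 pid=5678 serial=4C53001234 action=connect
2024-05-02T03:05:10Z host=EWS-02 vid=abcd pid=0001 serial=ORG-USB-0012 action=write
"""


def parse_line(line):
    """Split one log line into a dict of its fields."""
    timestamp, *fields = line.split()
    record = dict(field.split("=", 1) for field in fields)
    record["timestamp"] = timestamp
    return record


def find_violations(log_text):
    """Return (timestamp, host, serial, reason) for every event that violates policy."""
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        verdict, reason = evaluate(rec["host"], rec["vid"], rec["pid"], rec["serial"], rec["action"])
        if verdict == "BLOCK":
            alerts.append((rec["timestamp"], rec["host"], rec["serial"], reason))
    return alerts
```

Of the five constructed events, three should alert: a write from a read-only drive, a permitted drive on a host it is not authorized for, and an unlisted consumer drive.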

Control 12 - Monitor for USB-Specific IOCs in Your OT Network Traffic

Even if a USB drive successfully loads malware onto an OT endpoint, that malware will often attempt to:

  • Reach command-and-control infrastructure

  • Spread laterally via industrial protocols (Modbus, DNP3, OPC-UA)

  • Exfiltrate data via DNS tunneling, HTTP/S, or removable media

Network traffic analysis (NTA) tools tuned for OT protocols can detect these behaviors passively, without agents on legacy endpoints. Define detection rules and alerts for:

  • Unexpected new connections from HMIs or engineering workstations

  • Protocol anomalies that suggest lateral movement

  • Large or unusual data transfers on historian systems

  • Known USB malware families (e.g., INDUSTROYER/CRASHOVERRIDE payloads)

Control 13 - Conduct Regular USB Security Audits

Policy and technical controls degrade over time without regular validation. Build a quarterly USB security audit into your OT security program:

USB Security Audit Checklist:

Audit Item                                          | Frequency
----------------------------------------------------|----------
Physical USB port status (locked/disabled) verified | Quarterly
USB device whitelist reviewed and updated           | Quarterly
Removable media asset register reconciled           | Quarterly
Scanning kiosk logs reviewed for anomalies          | Monthly
USB event logs reviewed for policy violations       | Monthly
Third-party USB agreements on file and current      | Annually
Penetration test including USB attack scenarios     | Annually

Category 5: People & Process Controls

Control 14 - Deliver Role-Specific USB Security Awareness Training

The most sophisticated technical controls can be bypassed by a well-meaning engineer who doesn't understand the risk. Every person who touches OT systems should receive USB security training that is specific to their role:

  • Plant operators: Recognize suspicious USB drives; never plug in found or unverified media; report incidents immediately.

  • Maintenance and contractors: Understand site-specific USB policies; use organization-issued or kiosk-scanned media only; complete mandatory sign-in/sign-out procedures.

  • OT engineers: Understand the technical risks of USB-borne threats; follow change management procedures for firmware and configuration updates; know how to verify media integrity via hash validation.

  • Management and CISOs: Understand USB risk as a reportable OT security metric; ensure budget and staffing for enforcement and monitoring.

Run tabletop exercises that include USB-based attack scenarios (e.g., a contractor unknowingly brings an infected drive to a maintenance window).
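The hash validation that Control 3 requires for vendor-supplied software and that Control 14 expects OT engineers to perform can be scripted as a manifest check run at the kiosk or engineering workstation. This is an added example, not Shieldworkz code: the manifest format (one "<sha256>  <relative path>" line per file, as sha256sum prints) and the sample file tree are constructed, and it assumes the manifest arrives out of band (vendor portal or secure file transfer), never on the same drive.

```python
"""Hash validation of vendor-supplied files before media enters an OT zone
(Controls 3 and 14). Added example, not Shieldworkz code; manifest format
and file tree are constructed. The manifest comes out of band, not from
the drive being checked.
"""
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path, chunk_size=1 << 20):
    """Stream a file through SHA-256 so large firmware images stay out of memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def parse_manifest(text):
    """Map relative path -> expected hex digest; reject malformed lines."""
    expected = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, sep, name = line.partition("  ")
        if not sep or len(digest) != 64 or not name.strip():
            raise ValueError(f"malformed manifest line: {line!r}")
        expected[name.strip()] = digest.lower()
    return expected


def verify_media(root, manifest_text):
    """Return (ok, findings). ok only if every listed file matches and nothing unlisted exists."""
    root = Path(root)
    expected = parse_manifest(manifest_text)
    findings = []
    for name, digest in expected.items():
        path = root / name
        if not path.is_file():
            findings.append(("missing", name))
        elif sha256_file(path) != digest:
            findings.append(("hash_mismatch", name))
    for path in root.rglob("*"):   # anything the vendor did not list is suspect
        rel = path.relative_to(root).as_posix()
        if path.is_file() and rel not in expected:
            findings.append(("unlisted_file", rel))
    return not findings, findings


def demo():
    """Build a constructed media tree in a temp dir and verify it against a manifest."""
    with tempfile.TemporaryDirectory() as tmp:
        media = Path(tmp)
        (media / "firmware").mkdir()
        (media / "firmware" / "plc_v2.bin").write_bytes(b"constructed firmware image")
        (media / "autorun.inf").write_text("[autorun]\n")   # not in manifest: must be flagged
        manifest = (f"{sha256_file(media / 'firmware' / 'plc_v2.bin')}  firmware/plc_v2.bin\n"
                    f"{'0' * 64}  release_notes.txt\n")     # listed but absent on the media
        return verify_media(media, manifest)
```

A drive is admitted only when verify_media returns ok; a missing, mismatched or unlisted file is a reason to stop and contact the vendor, not to "just copy the firmware".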

Control 15 - Integrate USB Controls into Your OT Incident Response Plan

What happens when a USB incident occurs? If your answer is "we'd figure it out," you have a gap. Your OT incident response plan should include a dedicated USB incident playbook:

  • Detection triggers: How do you know a USB incident has occurred? (Kiosk alert, SIEM event, user report)

  • Containment: Isolate the affected host; disable network access; preserve volatile memory if possible.

  • Investigation: Retrieve USB event logs; identify affected files; scope lateral movement.

  • Eradication: Remove malware; restore from clean backup if necessary; re-scan all media that touched the system.

  • Post-incident: Update whitelist, policy, or controls based on findings; document and report.

Practice this playbook. A USB incident during a production cycle is not the time to figure out your response.

How Shieldworkz Approaches USB Security in OT Environments

At Shieldworkz, we work with industrial operators across critical infrastructure sectors (energy, manufacturing, chemicals, water, and more) to build practical, scalable OT security programs.

USB security is rarely a standalone problem. In our experience, it sits at the intersection of asset visibility, endpoint protection, network monitoring, and policy governance. Our approach:

  • OT Asset Discovery & Visibility: We start by identifying every endpoint, connection, and communication path in your OT environment, so you know exactly where USB exposure exists before you start blocking or monitoring.

  • IEC 62443-Aligned Policy Development: We help you build zone-specific USB and removable media policies that align with IEC 62443-2-1 and meet NIS2 and NERC CIP documentation requirements.

  • Endpoint & Device Control Deployment: We deploy and tune endpoint protection and USB device control solutions that are compatible with legacy OT systems, without disrupting production.

  • OT SOC Monitoring: Our OT Security Operations Center monitors USB event logs, network traffic, and behavioral anomalies 24/7, with playbooks built for ICS-specific threat scenarios.

  • Compliance Readiness Assessments: Need to demonstrate USB security controls to an auditor, regulator, or board? We provide gap assessments and evidence packages aligned to IEC 62443, NIST SP 800-82, NIS2, and NERC CIP.

Conclusion: 15 Controls, One Consistent Message

USB security in industrial control systems doesn't require a rip-and-replace of your OT infrastructure. It requires discipline, structure, and a layered approach that matches the actual risk profile of your environment.

Here's a quick recap of the 15 controls:

#  | Control                                                    | Category
---|------------------------------------------------------------|--------------------------
1  | Establish a formal USB and removable media policy          | Policy & Governance
2  | Classify OT zones and apply USB rules by zone              | Policy & Governance
3  | Implement a third-party and contractor USB policy          | Policy & Governance
4  | Disable unused USB ports physically and at OS level        | Technical Enforcement
5  | Deploy USB device whitelisting                             | Technical Enforcement
6  | Enforce endpoint USB scanning via kiosks                   | Technical Enforcement
7  | Issue encrypted, organization-controlled USB devices       | Technical Enforcement
8  | Apply application whitelisting on OT endpoints             | Technical Enforcement
9  | Maintain a removable media asset register                  | Device & Media Management
10 | Establish a secure media lifecycle and disposal process    | Device & Media Management
11 | Enable USB event logging on all OT endpoints               | Monitoring & Detection
12 | Monitor for USB-specific IOCs in OT network traffic        | Monitoring & Detection
13 | Conduct regular USB security audits                        | Monitoring & Detection
14 | Deliver role-specific USB security awareness training      | People & Process
15 | Integrate USB controls into your OT incident response plan | People & Process

Start with the controls that address your highest-risk zones and most frequent use cases. Even implementing five of these consistently will measurably reduce your USB attack surface.

Ready to Strengthen Your OT Security Posture? If you're looking to move from policy intention to operational enforcement, Shieldworkz can help. Request a Demo with the Shieldworkz OT Security Team: we'll walk you through how our platform addresses USB risk in environments like yours.

Additional resources:

  • What Is Removable Media? Risks, Policies, and Industrial OT Security Solutions

  • Free Removable Media Policy Template for OT and IT Teams

  • Remediation Guides
