
BadUSB, USB Baiting, and Firmware Manipulation: The Evolving Removable Media Threat Landscape for ICS in 2026


Team Shieldworkz

Walk the floor of any modern industrial facility and you will find USB ports on engineering workstations, historian servers, PLC programming laptops, and HMI panels. Those ports are convenience. They are also one of the most exploited entry points in operational technology environments today.

Removable media threats have matured well beyond the era of infected flash drives dropped in parking lots. In 2026, threat actors targeting industrial control systems use firmware-level manipulation that survives reformatting, USB baiting campaigns designed around social engineering rather than random luck, and BadUSB payloads that turn a thumb drive into a fully functional attack platform - one that bypasses every endpoint security tool watching for malicious files.

For plant managers, OT engineers, and CISOs responsible for critical infrastructure, this evolution demands a sharper, more technical response than "disable autorun" and "train employees." This post breaks down exactly how these attacks work, what makes ICS environments uniquely vulnerable, and what a layered defense looks like in practice.

Before we move forward, see our previous blog post, a deep dive into the Cal Water cyber attack, here.

Why ICS Environments Are the Ideal Target for Removable Media Attacks

Before you can defend against these threats, you need to understand why industrial control systems attract them.

OT networks are not like enterprise IT environments. Many ICS installations run legacy hardware and software that cannot accept patches without risking production continuity. Engineers routinely transfer data, firmware updates, and configuration files using USB drives because air-gapped or segmented networks leave few other practical options. Maintenance windows are narrow. Downtime is expensive. Workarounds become habits.

That combination - legacy systems, infrequent patching, and cultural dependence on removable media - creates a threat surface that is genuinely difficult to close.

The Purdue Model creates an illusion of separation. IT/OT segmentation at Level 3.5 (the industrial demilitarized zone) is designed to contain threats, but a single infected USB drive carried across that boundary by an authorized user bypasses the network architecture entirely. The attacker does not need to breach your perimeter. Your own personnel bring the payload in.

Asset diversity amplifies the problem. A single industrial facility might host Siemens, Rockwell, Emerson, Yokogawa, and Honeywell systems simultaneously - each with proprietary firmware formats, different removable media handling behaviors, and varying endpoint visibility. Security tools that work on Windows workstations often have zero insight into what happens when a USB device connects to a Distributed Control System (DCS) console running a 15-year-old operating system.

Safety systems are now in scope. Safety Instrumented Systems (SIS) - the last line of defense against catastrophic physical failures - were historically isolated. Modern hybrid architectures increasingly connect SIS components to operational networks for monitoring. A removable media attack that reaches SIS firmware can compromise the systems designed to prevent industrial accidents.

BadUSB: When the Device Itself Is the Weapon

BadUSB is not a malware variant. It is an attack class. The term describes what happens when an attacker reprograms the microcontroller inside a USB device so that it presents itself to the host system as something other than what it appears to be.

Plug in what looks like a thumb drive. The host OS enumerates it as a Human Interface Device - a keyboard, to be precise - and accepts its input without any prompt, exactly as it would for a keyboard the operator plugged in. The device then types a scripted sequence at machine speed: within seconds it opens a command prompt, fetches a second-stage payload from a staging server, and closes the window. The whole injection takes under 30 seconds. Nothing on the media is a file to scan and the typed commands are not an executable to flag, so file-based antivirus has nothing to look at until the second stage lands on disk, if it ever does.

How BadUSB Works at the Firmware Level

Every USB device has a microcontroller that handles communication with the host. The firmware on that controller defines how the device identifies itself during the USB enumeration process. In commercial-grade USB hardware, that firmware was not designed with security in mind. It can be reprogrammed using tools that are freely available.

When a BadUSB device enumerates as a keyboard or network adapter, the host OS trusts it. Endpoint Detection and Response (EDR) tools are built around process, file, and network telemetry; unless they are specifically tuned for device-class anomalies or keystroke cadence, they do not distinguish a scripted "keyboard" typing at machine speed seconds after being plugged in from a human at the console.

In an ICS context, the attack surface expands dramatically. Engineering workstations running Windows XP, Windows 7, or early Windows 10 builds without current patches are particularly vulnerable. Many OT environments disable USB ports at the physical level or through group policy - but those controls are rarely applied consistently across every asset in a complex industrial facility.
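What the host actually sees at enumeration is a configuration descriptor listing the interfaces the device's firmware chooses to advertise. The following script, added here as an illustration and not Shieldworkz tooling, walks that descriptor the way a host does and flags a "thumb drive" that also presents a boot-protocol keyboard or a network interface. The descriptor bytes are constructed in the script (a genuine bulk-only storage device and a composite storage-plus-keyboard device); on a real host you would read them from /sys/bus/usb/devices/<dev>/descriptors on Linux or through a libusb binding.

```python
"""Parse a USB configuration descriptor as the host does at enumeration
and flag a "thumb drive" that also advertises a keyboard or network port.

Added example for this article, not Shieldworkz tooling. The descriptor
bytes below are constructed, not captured from real hardware.
"""
import struct

DT_CONFIGURATION, DT_INTERFACE, DT_ENDPOINT, DT_HID = 0x02, 0x04, 0x05, 0x21
CLS_HID, CLS_MASS_STORAGE = 0x03, 0x08
CLS_NETWORK = {0x02, 0x0A, 0xE0}  # CDC control/data and wireless-controller classes


def parse_config_descriptor(blob: bytes) -> dict:
    """Walk the descriptor chain. Every descriptor starts with bLength and
    bDescriptorType, so unknown types (HID class descriptors, vendor
    descriptors) are skipped by length rather than parsed."""
    if len(blob) < 9 or blob[1] != DT_CONFIGURATION:
        raise ValueError("not a configuration descriptor")
    total_len = struct.unpack_from("<H", blob, 2)[0]
    if total_len > len(blob):
        raise ValueError("wTotalLength exceeds buffer (truncated descriptor)")
    declared_ifaces = blob[4]
    interfaces, current, off = [], None, 0
    while off + 2 <= total_len:
        blen, btype = blob[off], blob[off + 1]
        if blen < 2 or off + blen > total_len:
            raise ValueError(f"malformed descriptor at offset {off}")
        if btype == DT_INTERFACE and blen >= 9:
            current = {"number": blob[off + 2], "class": blob[off + 5],
                       "subclass": blob[off + 6], "protocol": blob[off + 7],
                       "endpoints": []}
            interfaces.append(current)
        elif btype == DT_ENDPOINT and blen >= 7 and current is not None:
            addr, attrs = blob[off + 2], blob[off + 3]
            current["endpoints"].append(
                {"address": addr, "in": bool(addr & 0x80), "transfer": attrs & 0x03})
        off += blen
    if len({i["number"] for i in interfaces}) != declared_ifaces:
        raise ValueError("bNumInterfaces disagrees with interface descriptors found")
    return {"num_interfaces": declared_ifaces, "interfaces": interfaces}


def is_well_formed(blob: bytes) -> bool:
    try:
        parse_config_descriptor(blob)
        return True
    except ValueError:
        return False


def classify(parsed: dict) -> list:
    """Policy findings for a device that is supposed to be storage only.
    An empty list means it presents nothing a thumb drive should not."""
    ifaces = parsed["interfaces"]
    classes = {i["class"] for i in ifaces}
    findings = []
    for i in ifaces:
        if i["class"] == CLS_HID and i["subclass"] == 0x01 and i["protocol"] in (1, 2):
            kind = "keyboard" if i["protocol"] == 1 else "mouse"
            findings.append(f"interface {i['number']}: boot-protocol {kind} (HID)")
    if CLS_MASS_STORAGE in classes and CLS_HID in classes:
        findings.append("storage device also presents HID: BadUSB keystroke-injection pattern")
    if CLS_MASS_STORAGE in classes and classes & CLS_NETWORK:
        findings.append("storage device also presents a network interface: rogue adapter pattern")
    return findings


# --- constructed sample descriptors (layouts follow the USB 2.0 spec) ---
def _ep(addr, attrs, interval=0):
    return struct.pack("<BBBBHB", 7, DT_ENDPOINT, addr, attrs, 64, interval)

def _iface(num, cls, sub, proto, endpoints, extra=b""):
    hdr = struct.pack("<BBBBBBBBB", 9, DT_INTERFACE, num, 0, len(endpoints), cls, sub, proto, 0)
    return hdr + extra + b"".join(endpoints)

def _config(*ifaces):
    body = b"".join(ifaces)
    return struct.pack("<BBHBBBBB", 9, DT_CONFIGURATION, 9 + len(body), len(ifaces), 1, 0, 0x80, 50) + body

HID_DESC = struct.pack("<BBHBBBH", 9, DT_HID, 0x0111, 0, 1, 0x22, 63)
STORAGE = _iface(0, CLS_MASS_STORAGE, 0x06, 0x50, [_ep(0x81, 0x02), _ep(0x02, 0x02)])  # SCSI, bulk-only

GENUINE_DRIVE = _config(STORAGE)
BADUSB_DRIVE = _config(STORAGE, _iface(1, CLS_HID, 0x01, 0x01, [_ep(0x83, 0x03, 10)], extra=HID_DESC))

if __name__ == "__main__":
    for name, blob in (("genuine drive", GENUINE_DRIVE), ("badusb drive", BADUSB_DRIVE)):
        parsed = parse_config_descriptor(blob)
        print(name, [hex(i["class"]) for i in parsed["interfaces"]], classify(parsed) or "clean")
```

The composite device is the point: the operating system sees one physical plug but two logical devices, and the storage half behaves perfectly while the HID half types. A device-control agent that only inspects the storage interface will report a clean drive.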

What BadUSB Can Do in an OT Environment

  • Deploy reconnaissance tools that map network topology, enumerate PLCs and DCS endpoints, and exfiltrate configuration files

  • Inject malicious ladder logic or function block diagrams by scripting interactions with engineering software running on the compromised workstation

  • Establish persistence through scheduled tasks, startup scripts, or firmware modifications on connected devices

  • Move laterally from the IT-connected engineering workstation into Level 2 OT systems by exploiting trust relationships between networked hosts

The most dangerous BadUSB deployments in ICS environments are not loud. They do not trigger alarms. They operate quietly, gathering the intelligence an adversary needs to execute a targeted, high-impact attack weeks or months later.

USB Baiting: Social Engineering at the Physical Layer

USB baiting is exactly what it sounds like. An attacker leaves a prepared USB device somewhere the target is likely to find it. The target picks it up, plugs it into a workstation, and the payload executes.

The technique sounds unsophisticated. In 2026, it remains one of the most effective initial access methods in industrial environments, and it has grown significantly more targeted.

The Evolution of USB Baiting Campaigns

Early USB baiting was opportunistic - attackers scattered drives in parking lots and hoped someone would plug one in. Modern campaigns targeting ICS operators are operationally planned. Threat actors conduct physical reconnaissance of facilities, identify personnel who handle removable media routinely (maintenance technicians, contractors, I&E engineers), and tailor the bait accordingly.

A drive left near a PLC programming laptop in a control room break area is far more likely to be plugged into an ICS asset than one dropped in a general office parking lot. A drive labeled "2026 Salary Review - Confidential" targets curiosity. A drive labeled "SCADA Firmware Update - Rev 4.2.1" targets professional habit. Both exploit a fundamentally human vulnerability: the assumption that physical proximity equals trust.

Contractor and supply chain vectors compound the risk. Maintenance contractors often bring their own laptops and USB drives onto facility floors. They plug into historian servers, DCS consoles, and engineering workstations with levels of access that would alarm most security teams - and with endpoints that are entirely outside your organization's control.

Why ICS Personnel Are Particularly Vulnerable

OT engineers are trained to solve operational problems quickly. When production is at risk, the fastest path to a solution wins. That urgency is an attack surface. A drive that appears to contain a firmware patch or configuration backup will be plugged in because waiting to verify its origin might mean additional downtime.

The same applies to third-party maintenance windows. When a specialist is on-site for a narrow service window, asking them to submit a USB device for pre-inspection feels obstructive. In many facilities, it simply does not happen.

Firmware Manipulation: The Threat That Survives Everything

Of the three attack categories covered here, firmware manipulation is the most technically sophisticated and the hardest to detect and remediate. It is also the most consequential in an ICS context.

What Firmware Manipulation Means

Every device in your OT environment - PLCs, HMIs, RTUs, DCS controllers, protection relays - runs firmware. That firmware controls how the device behaves at the most fundamental level. If an attacker can modify it, they control the device.

Firmware attacks targeting ICS assets typically follow one of two paths:

Path 1: Malicious firmware delivered via removable media. An attacker prepares a modified firmware image for a specific device model. They deliver it via USB - either through a BadUSB device that silently initiates the update process, or through social engineering that convinces an engineer to apply an "updated" firmware file. The modified firmware executes attacker-defined behaviors while presenting normal status information to operators.

Path 2: Exploitation of the firmware update mechanism. Many ICS devices accept firmware updates through manufacturer-supplied USB tools. These mechanisms were designed for usability, not security. They often lack cryptographic verification of the firmware image. An attacker who understands the update protocol can craft a malicious firmware package that the device will accept as legitimate.

Why Firmware-Level Attacks Are Particularly Dangerous in ICS

They survive reimaging. If an attacker achieves persistence at the firmware level, wiping and reinstalling the operating system on a connected workstation does not remove the threat. The compromised firmware continues to execute on the device itself.

They can cause physical damage. A PLC running malicious firmware can send incorrect commands to motors, valves, actuators, and other physical components while reporting normal values to the operator. This is not theoretical - industrial history includes incidents where manipulation of controller code or firmware caused physical equipment destruction and, in some cases, created conditions that endangered personnel.

They are nearly invisible to standard monitoring tools. Your SIEM receives logs from Windows hosts, network devices, and firewalls. It does not receive logs from PLC firmware. Process historians record plant data, not firmware integrity. An attacker operating at the firmware level sits below the visibility plane of most industrial security architectures.

They exploit the trust placed in manufacturer processes. Engineers and technicians apply firmware updates because they trust the source. Attackers exploit that trust by compromising the update supply chain or by making malicious firmware appear to originate from the manufacturer.

The 2026 Threat Landscape: What Has Changed

The threat actors targeting OT environments have professionalized. Nation-state groups with documented ICS capabilities - those operating in the interest of strategic disruption to critical infrastructure - have moved beyond opportunistic intrusions. Their campaigns are long-cycle, intelligence-driven operations that use removable media as an initial foothold in networks that are otherwise difficult to penetrate remotely.

AI-assisted payload development has lowered the barrier to creating targeted BadUSB scripts. What once required specialized offensive security knowledge can now be accelerated with AI tooling, making sophisticated USB attack capabilities accessible to a broader range of threat actors including lower-tier criminal groups.

Commodity hardware enables advanced attacks. Devices capable of executing BadUSB attacks are commercially available as penetration testing tools, sold openly, and cost under $100. The technical barrier to deploying a BadUSB attack against an OT target has essentially disappeared.

Supply chain compromise has become a standard vector. Rather than targeting the facility directly, sophisticated adversaries target the vendors, contractors, and component suppliers who regularly bring removable media into industrial environments. Compromising one contractor's laptop or update drive can provide access to dozens of facilities.

Regulatory pressure is intensifying. IEC 62443, NIST SP 800-82, NERC CIP, and NIS2 all address removable media security with increasing specificity. In 2026, regulators are not satisfied with policy documents - they want evidence of implemented controls, audit logs, and demonstrated incident response capability.

What a Layered Defense Against Removable Media Threats Actually Looks Like

Defending against BadUSB, USB baiting, and firmware manipulation in an ICS environment requires controls at multiple levels simultaneously. A single policy or a single tool is not sufficient.

Layer 1: Physical and Administrative Controls

Enforce a removable media policy with teeth. Document which assets are authorized to use removable media, under what conditions, and with what pre-approval process. Require all external USB devices to be scanned on a dedicated, air-gapped inspection workstation before they touch any OT asset. This includes contractor devices.

Use physically locked USB ports. For assets where removable media is not operationally necessary, deploy physical USB port blockers. These are low-cost, high-effectiveness controls that eliminate the risk of accidental or unauthorized connection entirely.

Classify your OT assets by risk tier. Not every device in your environment carries the same consequence if compromised. SIS components, primary PLC clusters, and historian servers warrant tighter removable media controls than secondary monitoring workstations. Apply controls proportional to the consequence of compromise.

Log every removable media connection event. Your endpoint security or device control solution should generate an alert every time a USB device is connected to an OT asset. That log should feed into your Security Information and Event Management (SIEM) platform and be reviewed within a defined SLA.

Layer 2: Technical Controls

Deploy OT-aware device control software. Enterprise USB blocking tools built for IT environments often fail in OT contexts - they may conflict with proprietary industrial software, require internet connectivity for updates, or simply be incompatible with legacy operating systems. You need device control solutions that are validated for ICS environments.

Implement USB device whitelisting. Rather than trying to block all malicious devices, define a positive list of approved USB devices by hardware ID, serial number, and device class. Anything not on the whitelist cannot connect. This approach counters opportunistic BadUSB attacks because a random malicious device presenting as a HID will not match an approved hardware ID. One caveat: the vendor ID, product ID, and serial number are all reported by the device's own firmware, so an attacker who knows which drive is approved can clone them. Bind each approval to the interface classes the device is allowed to present, and treat an approved ID that suddenly advertises a keyboard or network interface as an incident, not a match.
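To make the caveat concrete, here is an allowlist evaluator, added as an example for this article and not a product feature. It compares the naive check (hardware ID plus serial) with a decision that also binds the approval to the advertised interface classes and to the IEC 62443 zone the host sits in. The approval records, vendor/product IDs, serial numbers and zone names are all constructed; a device-control agent would populate DeviceRecord from what it observes at enumeration.

```python
"""Allowlist evaluation for removable media on OT hosts, showing why a
VID/PID/serial match alone does not stop a cloned BadUSB device.

Added example for this article, not Shieldworkz tooling. All IDs,
serials, zones and approvals are constructed for illustration.
"""
from dataclasses import dataclass

CLS_HID, CLS_MASS_STORAGE = 0x03, 0x08


@dataclass(frozen=True)
class DeviceRecord:
    vid: int
    pid: int
    serial: str
    classes: frozenset  # interface classes the device advertised at enumeration


@dataclass(frozen=True)
class Approval:
    vid: int
    pid: int
    serial: str
    classes: frozenset  # the only interface classes this device may present
    zones: frozenset    # IEC 62443 zones the device is approved for


def id_only_allowed(dev: DeviceRecord, approvals) -> bool:
    """The naive check most 'USB whitelisting' amounts to: reported hardware
    ID and serial match an approved entry. All three values come from the
    device's own firmware, so a BadUSB device can simply clone them."""
    return any((a.vid, a.pid, a.serial) == (dev.vid, dev.pid, dev.serial) for a in approvals)


def evaluate(dev: DeviceRecord, zone: str, approvals) -> tuple:
    """Class- and zone-aware decision. Returns (allowed, reason)."""
    match = next((a for a in approvals
                  if (a.vid, a.pid, a.serial) == (dev.vid, dev.pid, dev.serial)), None)
    if match is None:
        return False, "no approval for this hardware ID/serial"
    if zone not in match.zones:
        return False, f"approved device, but not for zone {zone}"
    unexpected = dev.classes - match.classes
    if unexpected:
        names = ", ".join(f"0x{c:02x}" for c in sorted(unexpected))
        return False, (f"approved ID presenting unapproved interface class {names}: "
                       "treat as cloned/BadUSB and raise an incident")
    return True, "approved"


# constructed approvals and observed devices
APPROVALS = [
    Approval(0x1234, 0x5678, "EXAMPLE-SN-0001", frozenset({CLS_MASS_STORAGE}),
             frozenset({"L3-engineering", "L3.5-inspection"})),
]
GENUINE = DeviceRecord(0x1234, 0x5678, "EXAMPLE-SN-0001", frozenset({CLS_MASS_STORAGE}))
CLONED_BADUSB = DeviceRecord(0x1234, 0x5678, "EXAMPLE-SN-0001", frozenset({CLS_MASS_STORAGE, CLS_HID}))
UNKNOWN = DeviceRecord(0x1234, 0x5678, "EXAMPLE-SN-0099", frozenset({CLS_MASS_STORAGE}))

if __name__ == "__main__":
    for label, dev, zone in (("genuine", GENUINE, "L3-engineering"),
                             ("genuine, wrong zone", GENUINE, "L1-control"),
                             ("cloned badusb", CLONED_BADUSB, "L3-engineering"),
                             ("unknown serial", UNKNOWN, "L3-engineering")):
        print(f"{label:20} id-only={id_only_allowed(dev, APPROVALS)!s:5} "
              f"policy={evaluate(dev, zone, APPROVALS)}")
```

The cloned device passes the ID-only check and is rejected only because it advertises a class its approval does not cover. That rejection should generate an alert rather than a silent block: an approved serial that starts presenting a keyboard means either the real drive was tampered with or someone has studied your allowlist.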

Use write-blocking hardware for data transfer. When removable media must carry data into OT environments, use hardware write blockers during the inspection process. This prevents the inspection workstation from being compromised by an infected drive during the scanning process itself.

Verify firmware integrity before and after maintenance. Establish a baseline firmware hash for every OT device in your environment. After any maintenance window that involves removable media, verify that firmware has not changed. Compute the hash from an image read back from the device itself, not from the update file on the engineering workstation, since that file is exactly what an attacker would leave untouched. This requires tooling that can communicate with your specific device types - not a generic file integrity monitor.
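The verification logic itself is simple; what matters is distinguishing the cases. The script below, added for this article and not Shieldworkz tooling, builds a baseline from commissioning images and then classifies a read-back into the states a responder actually needs to tell apart: unchanged, modified with an unchanged version banner (the stealthy case described above), rolled back to an older approved image, updated to an approved image without the baseline being refreshed, or an unknown image. Asset IDs, model names, version strings and the firmware bytes are constructed.

```python
"""Firmware integrity baseline and post-maintenance verification.

Added example for this article, not Shieldworkz tooling. Asset IDs, models,
version strings and firmware bytes are constructed. The read-back image must
come from the device (vendor upload command, JTAG/SWD, controller export),
never from the image file on the engineering workstation.
"""
import hashlib
import json


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _ver(s: str) -> tuple:
    return tuple(int(p) for p in s.split("."))


def build_baseline(assets: dict) -> dict:
    """assets: {asset_id: {"model": str, "version": str, "image": bytes}},
    captured at commissioning or after a verified update. Keep the result
    off-host so a compromised workstation cannot rewrite its own baseline."""
    return {aid: {"model": a["model"], "version": a["version"], "sha256": sha256_hex(a["image"])}
            for aid, a in assets.items()}


def verify(asset_id: str, baseline: dict, approved: dict,
           readback_version: str, readback_image: bytes) -> tuple:
    """Compare what the device reports with what it actually runs.
    approved: {sha256: version} for every vendor image ever authorised on site.
    Returns (status, detail)."""
    entry = baseline[asset_id]
    digest = sha256_hex(readback_image)
    if digest == entry["sha256"]:
        if readback_version == entry["version"]:
            return "OK", "image and version match baseline"
        return "BANNER_MISMATCH", "image matches baseline but device reports a different version"
    if readback_version == entry["version"]:
        return "MODIFIED", "version banner unchanged but image hash differs: hidden modification"
    if digest in approved:
        if _ver(approved[digest]) < _ver(entry["version"]):
            return "ROLLBACK", f"device runs approved but older image {approved[digest]}"
        return "UNRECORDED_UPDATE", f"approved image {approved[digest]} applied without updating the baseline"
    return "UNKNOWN", "image is not in the approved set"


# --- constructed firmware images and site records ---
FW_410 = b"EXAMPLE-FW-4.1.0" + bytes(range(256)) * 2
FW_421 = b"EXAMPLE-FW-4.2.1" + bytes(range(256)) * 2
TAMPERED_421 = FW_421[:300] + bytes([FW_421[300] ^ 0xFF]) + FW_421[301:]  # one byte changed, banner intact
FW_ROGUE = b"EXAMPLE-FW-4.2.1" + b"\x90" * 512

ASSETS = {"PLC-LINE3-01": {"model": "EXAMPLE-PLC-A", "version": "4.2.1", "image": FW_421}}
BASELINE = build_baseline(ASSETS)
APPROVED = {sha256_hex(FW_410): "4.1.0", sha256_hex(FW_421): "4.2.1"}

if __name__ == "__main__":
    print(json.dumps(BASELINE, indent=2))
    for label, ver, img in (("post-maintenance read-back", "4.2.1", FW_421),
                            ("same banner, one byte flipped", "4.2.1", TAMPERED_421),
                            ("downgraded to 4.1.0", "4.1.0", FW_410),
                            ("unknown image claiming 4.3.0", "4.3.0", FW_ROGUE)):
        print(f"{label:32} -> {verify('PLC-LINE3-01', BASELINE, APPROVED, ver, img)}")
```

Keep the approved-image set as well as the per-asset baseline: without it, a legitimate downgrade during troubleshooting and an attacker's rollback to a firmware with a known weakness look identical, and both look the same as an unknown image.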

Deploy unidirectional security gateways for data transfer. Where data must flow from OT to IT, hardware-enforced unidirectional gateways eliminate the possibility of return channel exploitation. They are more effective than software-based data diodes and remove the removable media requirement for many data transfer use cases entirely.

Layer 3: Monitoring and Response

Extend your OT monitoring to include anomalous USB activity. Your industrial network monitoring solution should be capable of detecting unusual behavior that follows a USB connection event - unexpected outbound traffic, new processes launching on engineering workstations, changes to PLC programming files.
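A minimal version of that correlation, added here as an example and not Shieldworkz tooling: tie each device-arrival event on a host to what the host does in the following two minutes. The log lines are constructed in a simplified "timestamp host event_id key=value" shape; the event IDs stand for Windows Security 6416 (new external device recognized, which needs PnP activity auditing enabled), 4688 (process creation, which needs process auditing enabled) and Sysmon event 3 (network connection). A real pipeline would normalize these from EVTX or a collector rather than from text lines.

```python
"""Correlate a USB device-arrival event with follow-on activity on the same
host: LOLBin launches and new outbound connections inside a short window.

Added example for this article, not Shieldworkz tooling. The log lines are
constructed in a simplified form; event IDs follow Windows Security
(6416, 4688) and Sysmon (3) conventions.
"""
import re
from datetime import datetime

LINE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s*(.*)$")
KV = re.compile(r'(\w+)=("[^"]*"|\S+)')
WINDOW_SECONDS = 120
LOLBINS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
           "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe", "bitsadmin.exe"}


def parse_events(lines):
    events = []
    for raw in lines:
        m = LINE.match(raw.strip())
        if not m:
            continue
        ts, host, event_id, rest = m.groups()
        fields = {k: v.strip('"') for k, v in KV.findall(rest)}
        events.append({"ts": datetime.fromisoformat(ts.replace("Z", "+00:00")),
                       "host": host, "id": event_id, **fields})
    return sorted(events, key=lambda e: e["ts"])


def correlate(events, window=WINDOW_SECONDS):
    """For every non-arrival event, look back at the most recent device
    arrival on that host within `window` seconds and flag risky follow-on
    activity. A HID-class arrival followed by a shell is the BadUSB pattern."""
    arrivals = {}  # host -> list of 6416 events seen so far
    findings = []
    for e in events:
        if e["id"] == "6416":
            arrivals.setdefault(e["host"], []).append(e)
            continue
        recent = [d for d in arrivals.get(e["host"], [])
                  if 0 <= (e["ts"] - d["ts"]).total_seconds() <= window]
        if not recent:
            continue
        dev = recent[-1]
        delta = int((e["ts"] - dev["ts"]).total_seconds())
        hid = dev.get("class", "").lower() == "hidclass"
        if e["id"] == "4688":
            image = e.get("image", "").rsplit("\\", 1)[-1].lower()
            if image in LOLBINS:
                findings.append({"host": e["host"], "rule": "lolbin_after_usb", "image": image,
                                 "seconds_after_device": delta,
                                 "severity": "high" if hid else "medium"})
        elif e["id"] == "Sysmon3":
            findings.append({"host": e["host"], "rule": "outbound_after_usb", "dest": e.get("dest"),
                             "seconds_after_device": delta, "severity": "high"})
    return findings


# constructed sample: a BadUSB sequence on an engineering workstation and
# benign drive use on a historian (203.0.113.0/24 is documentation space)
SAMPLE_LOG = """\
2026-03-02T08:14:02Z ENG-WS-07 6416 class=HIDClass device="USB Input Device"
2026-03-02T08:14:09Z ENG-WS-07 4688 image=C:\\Windows\\System32\\cmd.exe parent=C:\\Windows\\explorer.exe
2026-03-02T08:14:11Z ENG-WS-07 4688 image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe parent=C:\\Windows\\System32\\cmd.exe
2026-03-02T08:14:13Z ENG-WS-07 Sysmon3 image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe dest=203.0.113.45:443
2026-03-02T09:00:00Z HIST-01 6416 class=USB device="USB Mass Storage Device"
2026-03-02T09:00:31Z HIST-01 4688 image=C:\\Windows\\System32\\notepad.exe parent=C:\\Windows\\explorer.exe
2026-03-02T09:10:00Z HIST-01 4688 image=C:\\Windows\\System32\\cmd.exe parent=C:\\Windows\\explorer.exe
""".splitlines()

if __name__ == "__main__":
    for f in correlate(parse_events(SAMPLE_LOG)):
        print(f)
```

The historian's cmd.exe launch is not flagged because it falls outside the window; tune the window to how long an operator legitimately takes between plugging in a drive and opening tooling, and raise the severity rather than the window when the arriving device was a keyboard rather than storage.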

Integrate OT alerts with your SOC. USB-related incidents in OT environments should not be handled exclusively by operations teams. Your security operations function needs visibility and the ability to escalate rapidly.

Test your incident response against USB attack scenarios. Tabletop exercises that include a BadUSB or USB baiting scenario are valuable. Most OT security teams have never actually walked through the response process for a firmware-level compromise. Understanding your detection and response gaps before an incident is far preferable to discovering them during one.

Aligning Your Removable Media Controls to IEC 62443 and NIST SP 800-82

Both IEC 62443 and NIST SP 800-82 Rev. 3 provide specific guidance on removable media security in industrial environments. Understanding the alignment between your controls and these frameworks matters increasingly in 2026 as regulatory enforcement tightens.

IEC 62443-3-3 System Security Requirement SR 2.3, Use control for portable and mobile devices, requires that organizations define and enforce policies on which devices may connect to which zones; SR 2.4 (Mobile code) and SR 3.2 (Malicious code protection) cover the payloads those devices carry. The standard's zone and conduit model maps directly onto the removable media control architecture: higher-security zones require stricter device controls and more rigorous inspection procedures.

NIST SP 800-82 Rev. 3 addresses removable media under its broader guidance on OT system security controls, referencing the NIST SP 800-53 control families MP (Media Protection), SC (System and Communications Protection), and SI (System and Information Integrity). The MP family specifically requires media sanitization, media access restrictions, and media use controls.

For organizations operating under NERC CIP, CIP-003-8 (Security Management Controls, whose Attachment 1 covers Transient Cyber Assets and Removable Media for low-impact BES Cyber Systems) and CIP-010-4 (Configuration Change Management and Vulnerability Assessments, whose Requirement R4 and Attachment 1 cover the same for high- and medium-impact systems) both set explicit expectations for removable media handling, including mitigating malicious code on the media before it is connected.

NIS2 (applicable to essential and important entities across the EU) requires that organizations implement appropriate technical and organizational measures to manage cybersecurity risk, including risks arising from physical access vectors. Removable media policies and controls fall squarely within NIS2's scope.

If your current removable media controls consist primarily of a policy document, you are not compliant with any of these frameworks. Compliance requires demonstrable implementation, audit logs, and evidence of enforcement.

A Practical Checklist: 10 Controls to Implement Before Your Next Audit

Priority | Control                                                                  | Addresses
---------|--------------------------------------------------------------------------|-------------------------------------
Critical | USB device whitelist with hardware ID enforcement                        | BadUSB, unauthorized devices
Critical | Firmware integrity baseline and verification process                     | Firmware manipulation
Critical | Air-gapped USB inspection workstation with OT-validated scanner          | USB baiting, malware delivery
High     | Physical USB port blockers on assets where removable media is not required | Unauthorized connections
High     | Removable media policy with formal contractor onboarding                 | USB baiting, supply chain
High     | Removable media connection logging integrated into SIEM                  | Detection and audit
Medium   | OT-aware endpoint protection on engineering workstations                 | Payload execution
Medium   | Unidirectional data transfer for OT-to-IT data flows                     | Eliminates removable media dependency
Medium   | Tabletop exercise: BadUSB / firmware compromise scenario                 | Response readiness
Medium   | IEC 62443 / NIST SP 800-82 gap assessment for removable media controls   | Compliance

Conclusion: The Removable Media Threat Is Not Going Away - But It Is Defensible

BadUSB attacks, USB baiting campaigns, and firmware manipulation represent a maturing, coordinated threat to industrial control systems. The good news is that these threats are defensible when you apply the right controls at the right layers. The bad news is that most industrial facilities have not yet done so.

The combination of physical controls, OT-validated technical tools, continuous monitoring, and framework-aligned policies creates a posture that significantly raises the cost and complexity of removable media attacks against your environment. No single control is sufficient. Depth of defense is not optional.

In 2026, regulators, insurers, and boards are all asking the same question: can you demonstrate that you have implemented effective controls against the removable media threat vectors documented in IEC 62443, NIST SP 800-82, and NERC CIP? The answer requires more than a policy. It requires evidence.

Shieldworkz works with OT security teams and CISOs to design and implement removable media security programs that align to IEC 62443, NIST SP 800-82, NERC CIP, and NIS2 requirements. Our OT-native approach means we understand the operational constraints of your environment - we do not apply IT security thinking to industrial problems.

Ready to assess your current removable media posture? Request a demo with our OT security experts to see how Shieldworkz industrial USB security controls work in environments like yours.

Additional resources:

OT Cyber Threat Intelligence Advisory - Middle East here
NIS2 Directive Achieving NIS2 Compliance Through IEC 62443 here
What Is Removable Media? Risks, Policies, and Industrial OT Security Solutions here
Free Removable Media Policy Template for OT and IT Teams here
