
Navigating Removable Media Compliance: NERC CIP & IEC 62443 for OT/ICS Environments


Team Shieldworkz
Navigating Removable Media Compliance: What NERC CIP and IEC 62443 Actually Require, and What's at Stake If You Get It Wrong
There is a specific class of cyber threat that keeps experienced OT security professionals awake at night, not the sophisticated nation-state attack, not the zero-day exploit, but the humble USB drive. A maintenance technician plugging in a personal flash drive. A vendor connecting a laptop to update firmware. A well-meaning engineer pulling data for an offline report.
Each of these actions, executed without an enforced removable media compliance program, can introduce malware, exfiltrate sensitive operational data, or create a foothold for attacks targeting your most critical industrial assets, your PLCs, your SCADA systems, your Distributed Control Systems, and the physical processes they manage.
For organizations operating within regulated industrial environments, this is not merely a security concern. It is a compliance obligation with measurable legal and financial consequences. NERC CIP standards in the energy sector, and the internationally recognized IEC 62443 framework across broader industrial environments, both contain clear and enforceable requirements around removable media use, authorization, malware scanning, and documentation.
Understanding what these frameworks actually demand, beyond a surface-level reading, is where most organizations encounter their compliance gaps. This blog provides a detailed, practical breakdown of what compliance looks like, what the real-world risks are, and how forward-thinking organizations are building audit-ready removable media programs today.
Why OT Security Leaders Must Prioritize This Now
The 2021 Oldsmar Water Treatment Plant incident in Florida, where an attacker attempted to increase sodium hydroxide levels to dangerous concentrations, reminded the global critical infrastructure community of something important: the attack surface for industrial systems is far broader than firewalls and network perimeters.
What often does not make headlines is that post-incident forensic investigations in comparable cases regularly identify removable media as either a primary vector or a contributing factor in the lateral movement of threats within OT environments. The TRISIS/TRITON attack on a Middle Eastern petrochemical facility, the Industroyer malware that took down sections of Ukraine's power grid in 2016, and numerous manufacturing-focused ransomware campaigns have all shared a common thread: the initial penetration or propagation phase exploited endpoints where physical media controls were absent or ineffective.
Key Industry Statistics: Removable Media Threats in OT Environments
• USB-based threats targeting industrial environments increased by over 50% between 2019 and 2023 according to multiple industry security reports
• Approximately 52% of attacks on industrial control systems involve some form of removable media as a delivery mechanism or lateral movement method
• Energy and utilities sectors account for the highest proportion of removable media-related OT security incidents globally
• Over 70% of organizations in asset-intensive industries lack a formally documented and enforced USB device control policy
• NERC CIP violations related to removable media and transient cyber assets have resulted in some of the largest individual regulatory penalties in recent years
For CISOs, plant managers, and ICS engineers who must maintain both operational continuity and regulatory compliance, the question is no longer whether removable media represents a meaningful risk. The question is whether your current controls would hold up under a NERC CIP audit or an IEC 62443 conformance review and what the consequences would be if they did not.
NERC CIP and Removable Media: What the Standard Actually Requires
The North American Electric Reliability Corporation Critical Infrastructure Protection standards were developed specifically to protect the Bulk Electric System from cybersecurity threats. For operators of generation facilities, transmission systems, and distribution assets that meet BES Cyber System classification thresholds, compliance is mandatory, not optional.
Within the NERC CIP framework, removable media and transient cyber assets are governed primarily by CIP-003-8 and CIP-010-4, with supporting obligations under CIP-004-7 and CIP-007-6.
CIP-003-8: Low Impact BES Cyber System Security Controls
For organizations with Low Impact assets, CIP-003-8 Attachment 1 Section 3 mandates specific controls around transient cyber assets and removable media. This includes documented methods to protect against the use of unauthorized removable media, authorization controls, and policies governing physical media when connected to Low Impact BES Cyber Systems.
Many organizations underestimate the scope here. CIP-003-8 applies not just to High and Medium impact assets but extends meaningful obligations to Low Impact classified systems, which often include substations, distributed control points, and field assets that are notoriously difficult to monitor.
CIP-010-4: Configuration Change Management and Vulnerability Management
CIP-010-4 is arguably the most technically demanding standard in the context of removable media compliance. It requires that before connecting any transient cyber asset or removable media to a BES Cyber System, the responsible entity must have an authorized process that includes malware scanning using antivirus or other methods.
The standard does not mandate a specific scanning technology, but it does require that the method used be documented, applied consistently, and produce a verifiable record. If a scan is performed but not logged with sufficient detail to demonstrate the asset's status at the time of connection, the control is considered insufficient for audit purposes.
CIP-004-7: Personnel and Training
Compliance with removable media policies is not purely a technical matter. CIP-004-7 requires that all personnel with authorized cyber or physical access to BES Cyber Systems receive cybersecurity awareness training and role-based training, which must explicitly include policies on transient cyber assets and removable media use.
This means that an organization with technically sound controls but inadequate training documentation remains non-compliant. Training records must be current, role-appropriate, and demonstrably delivered before personnel gain access.
IEC 62443 and Removable Media: The Industrial Security Standard That Goes Further
The IEC 62443 series is the globally recognized framework for securing Industrial Automation and Control Systems. Unlike NERC CIP, which is sector-specific to North American electric utilities, IEC 62443 applies across manufacturing, oil and gas, water treatment, chemical processing, and any environment operating industrial automation systems.
Within IEC 62443, removable media controls appear most prominently in IEC 62443-3-3 (System Security Requirements and Security Levels) and IEC 62443-2-1 (Security Management System), with specific foundational requirements defined under Security Requirement 1.3 (Physical Device Authorization) and SR 2.3 (Use of Portable and Mobile Devices).
SR 2.3: Use of Portable and Mobile Devices, the Core Control
SR 2.3 requires that a control system shall have the capability to enforce usage restrictions for portable and mobile devices based on the security level assigned to the zone in which the device is being used. At Security Level 2 and above, this requirement escalates to include technical enforcement mechanisms, not just policy documentation.
This is a critical distinction. IEC 62443 does not accept policy-only approaches at higher security levels. If your manufacturing plant operates at SL2 (which most do), you need technical controls that actively prevent unauthorized removable media from connecting to control system workstations, HMIs, or engineering stations, not just a procedure document that says they should not.
Zone-Based Media Controls Under IEC 62443
One of the most operationally significant aspects of IEC 62443's approach is its zone and conduit model. Removable media controls must be defined, enforced, and audited at the zone level, meaning a USB policy that works for the corporate IT environment may be entirely inadequate for the Purdue model zones housing your process control network.
Each zone's security level determines the required rigor of media controls. This is not a one-size-fits-all framework, which is precisely why generic IT-centric USB policies consistently fail IEC 62443 conformance reviews when applied to OT environments.
NERC CIP vs. IEC 62443: Side-by-Side Removable Media Compliance Requirements
| Requirement Area | NERC CIP Mandate | IEC 62443 Requirement |
| --- | --- | --- |
| Physical Media Authorization | CIP-003-8 / CIP-010-4: Documented approval required before use of any transient cyber asset or removable media | SR 1.3 / SR 2.3: All portable media must be authorized, inventoried, and monitored per zone security level |
| Malware Scanning Protocol | Mandatory scan before connection to BES Cyber Systems; results must be logged and retained | ISA-62443-3-3: Scanning required at zone boundary; results reviewed for anomalies and escalated if threats detected |
| Policy Documentation & Training | CIP-004-7: All personnel with authorized access must undergo training; policies must be reviewed annually | IEC 62443-2-1: Security management programs must define acceptable use, training schedules, and periodic policy audits |
| Incident Logging & Audit Trail | All media usage events on BES Cyber Assets must be retained for a minimum of 90 days with audit capability | Audit trail for all media activity must be maintained; traceability to individual users and assets required |
| Vendor / Third-Party Media | Explicit prohibition on unauthorized vendor media; must follow the same approval cycle as internal media | Zone-level controls for third-party media; maintenance windows must include media authorization controls |
| Enforcement Consequences | Violations carry NERC penalties up to $1M+ per violation per day; subject to regulatory audit | Non-conformance may affect certification, impact insurance, and trigger mandatory corrective action plans |
Understanding these requirements in parallel is essential for organizations that operate across multiple regulatory jurisdictions, or that are pursuing both NERC CIP compliance and IEC 62443 conformance as part of a broader security maturity program.
Understanding the Real Risk: Removable Media Threat Categories in OT Environments
| Risk Category | Industrial Impact | Severity Level | Compliance Gap |
| --- | --- | --- | --- |
| Unauthorized USB Insertion | Direct pathway for malware into isolated OT/SCADA environments; can bypass air-gap controls entirely | CRITICAL | CIP-010-4, IEC SR 1.3 |
| Unscanned Vendor Media | Third-party maintenance USBs have historically been the entry point for destructive ICS attacks | HIGH | CIP-003-8, IEC 62443-2-1 |
| No Endpoint Control | Without device control policies, any USB port becomes an open attack vector on PLCs and HMIs | HIGH | CIP-003-8, SR 2.3 |
| Missing Audit Logs | Inability to detect, investigate, or prove compliance during regulatory review | MEDIUM-HIGH | CIP-007-6, IEC Audit Requirements |
| Employee Policy Gaps | Untrained staff connecting personal devices, even unintentionally, to control system workstations | MEDIUM | CIP-004-7, IEC 62443-2-1 |
| Legacy System Exposure | Older PLCs and DCS platforms lack native USB controls, creating blind spots in the protection architecture | HIGH | Zone-level enforcement required |
Building a USB Security Policy for OT: What Decision-Makers Must Get Right
A USB device control policy for industrial environments is fundamentally different from an IT-focused removable media policy. The operational realities of OT environments, including legacy systems that cannot accept agents, maintenance requirements that demand occasional physical media access, and air-gapped architectures that make cloud-based scanning impractical, require a purpose-built approach.
Five Pillars of a Compliant OT Removable Media Program
• Asset-Based Authorization: Every removable media device that interacts with OT systems must be registered, assigned to an authorized user or function, and approved through a documented process before first use. This is not optional under either NERC CIP or IEC 62443.
• Pre-Connection Malware Scanning: Scanning must occur before connection, not after. For regulated environments, post-connection scanning does not satisfy compliance requirements because the potential damage occurs at the moment of connection if malware is present.
• Device Restriction at the Endpoint: Technical controls must limit which devices can connect to which systems. Whitelisting by device serial number, vendor ID, or cryptographic certificate ensures that only approved media can interface with protected assets.
• Audit-Ready Logging and Retention: Every connection event, scan result, and authorization decision must be logged with sufficient detail to reconstruct the chain of custody during a compliance audit. Minimum retention periods under NERC CIP are 90 days; organizational best practice often exceeds this.
• Training and Awareness Integration: Personnel who interact with OT systems must receive documented, role-appropriate training on removable media policies. This includes contractors and vendors, a frequently overlooked compliance gap.
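As an added illustration (not Shieldworkz code or any product's logic), the Python below encodes the first four pillars as a single admission check: a device must be registered to the requesting user or function, the malware scan must predate the connection, the zone's security level is recorded, and every decision is written to an audit record that can be tested against the 90-day retention floor. The allowlist, zone table, identifiers and events are constructed sample data.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Constructed allowlist: a registered device is keyed by (USB vendor ID, serial)
# and tied to the user or function it was approved for (pillars 1 and 3).
ALLOWLIST = {
    ("0781", "4C530001230910"): {"owner": "maint-team-a", "approved_by": "ot-sec-mgr"},
    ("0951", "1666000ABCDE"): {"owner": "vendor-acme", "approved_by": "ot-sec-mgr"},
}
# Constructed zone table: IEC 62443 security level assigned to each zone.
ZONE_SL = {"corporate-it": 1, "process-control": 2, "safety": 3}
RETENTION = timedelta(days=90)   # NERC CIP minimum retention cited above
AUDIT_LOG = []                   # every decision lands here (pillar 4)

@dataclass
class MediaEvent:
    vendor_id: str
    serial: str
    user: str
    zone: str
    connected_at: datetime
    scanned_at: Optional[datetime] = None   # None = never scanned
    scan_clean: bool = False

def admit(ev: MediaEvent):
    """Decide whether a media connection is permitted; returns (allowed, reasons)."""
    reasons = []
    entry = ALLOWLIST.get((ev.vendor_id, ev.serial))
    if entry is None:
        reasons.append("device not registered")
    elif entry["owner"] != ev.user:
        reasons.append("device not authorized for this user")
    sl = ZONE_SL.get(ev.zone)
    if sl is None:
        reasons.append("unknown zone")
    # Pillar 2: a scan must exist and must have happened before the connection.
    if ev.scanned_at is None or ev.scanned_at > ev.connected_at:
        reasons.append("no pre-connection scan")
    elif not ev.scan_clean:
        reasons.append("scan reported malware")
    allowed = not reasons
    AUDIT_LOG.append({
        "ts": ev.connected_at.isoformat(), "device": f"{ev.vendor_id}:{ev.serial}",
        "user": ev.user, "zone": ev.zone, "zone_sl": sl,
        "scanned_at": ev.scanned_at.isoformat() if ev.scanned_at else None,
        "decision": "ALLOW" if allowed else "BLOCK", "reasons": list(reasons),
    })
    return allowed, reasons

def must_retain(record: dict, now: datetime) -> bool:
    """True while the audit record is still inside the minimum retention window."""
    return now - datetime.fromisoformat(record["ts"]) <= RETENTION

# Constructed sample events: one clean connection, one device used by the wrong
# team, one scanned only after plugging in, and one unregistered device.
T0 = datetime(2024, 5, 6, 8, 0, tzinfo=timezone.utc)
EV_OK = MediaEvent("0781", "4C530001230910", "maint-team-a", "process-control",
                   T0, scanned_at=T0 - timedelta(minutes=20), scan_clean=True)
EV_WRONG_USER = MediaEvent("0951", "1666000ABCDE", "maint-team-a", "process-control",
                           T0, scanned_at=T0 - timedelta(minutes=5), scan_clean=True)
EV_SCAN_AFTER = MediaEvent("0781", "4C530001230910", "maint-team-a", "safety",
                           T0, scanned_at=T0 + timedelta(minutes=5), scan_clean=True)
EV_UNKNOWN = MediaEvent("abcd", "NOPE", "contractor-x", "process-control", T0)
AUDIT_DATE = T0 + timedelta(days=91)   # constructed: an audit 91 days later
```

Calling admit() on each sample event and then inspecting AUDIT_LOG shows the chain of custody an auditor would ask for: who connected which device, in which zone, with what scan status, and why it was allowed or blocked.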
The Vendor and Third-Party Challenge
One of the most significant and consistently underaddressed removable media risks in industrial environments is vendor-introduced media. Maintenance windows, firmware updates, and configuration changes routinely involve third-party technicians connecting their own laptops, USB drives, or diagnostic tools to critical assets.
The Stuxnet worm, which targeted Iran's nuclear enrichment program and is widely considered the first industrial-grade cyberweapon, was introduced via a USB drive, believed to have been connected by a contractor or supply chain participant. The sophistication of Stuxnet is less important for this discussion than the simplicity of its initial delivery mechanism: a physical device plugged into an isolated network by a trusted party.
Both NERC CIP and IEC 62443 explicitly require that third-party media be subject to the same authorization and scanning requirements as internal media. Organizations that apply robust controls to their own personnel but allow vendor exceptions are creating the most dangerous gap in their compliance posture.
Where Industrial Organizations Most Commonly Fail Compliance Audits
Based on operational experience across energy, manufacturing, and critical infrastructure environments, the following gaps appear repeatedly during compliance reviews and post-incident investigations:
• Undocumented authorization processes that rely on informal verbal approvals rather than recorded, traceable decisions
• Scanning procedures that use consumer-grade antivirus tools that lack OT-specific signature sets and cannot detect ICS-targeted malware variants
• Incomplete coverage of Low Impact BES Cyber Assets under NERC CIP: organizations often apply controls to High and Medium assets but overlook the extended obligations for Low Impact systems
• Absence of technical enforcement: policies documented on paper but with no technical mechanism to prevent unauthorized media from connecting at the endpoint level
• Gaps in vendor and contractor coverage: third-party personnel operating under different, less rigorous standards than internal staff
• Insufficient training records: documented policies that cannot be linked to specific personnel awareness records for audit demonstration
• Legacy system blind spots: older control system platforms that lack native USB management capabilities and have never had compensating controls implemented
How Shieldworkz Supports Organizations in Achieving Removable Media Compliance
Shieldworkz brings deep, specialized expertise in OT and ICS cybersecurity to help industrial organizations build removable media programs that satisfy regulatory requirements, withstand audit scrutiny, and operationally protect critical assets. Our approach is practical, evidence-based, and built for the realities of industrial environments, not adapted from IT frameworks.
What Shieldworkz Delivers for Your Organization
• NERC CIP Gap Assessment: Comprehensive evaluation of your current removable media controls against CIP-003-8, CIP-010-4, CIP-004-7, and CIP-007-6 requirements, with a structured remediation roadmap
• IEC 62443 Conformance Review: Zone-by-zone analysis of your removable media posture against SR 1.3, SR 2.3, and supporting security management requirements under IEC 62443-2-1
• OT-Specific USB Security Architecture: Design and implementation guidance for device control policies that work within the operational constraints of industrial environments, including legacy systems and air-gapped networks
• Malware Scanning Program Development: Selection, configuration, and integration of scanning solutions with OT-appropriate signature sets for ICS and SCADA environments
• Vendor and Contractor Media Management: Development of third-party media authorization programs that close the most common compliance gap in industrial security
• Audit-Ready Documentation and Evidence Packages: Creation of the policies, procedures, training records, and log management frameworks needed to demonstrate compliance during regulatory reviews
• Personnel Awareness and Training Programs: Role-based training materials developed specifically for OT operators, engineers, and personnel with access to industrial control systems
• Ongoing Compliance Monitoring Support: Continuous advisory support to maintain compliance posture as frameworks evolve and operational environments change
Our engagements are designed to deliver measurable compliance outcomes, not just recommendations. Shieldworkz works alongside your operations and security teams to ensure that implemented controls are sustainable, operationally sound, and defensible under audit conditions.
Conclusion: Compliance Is Not a Checkbox, It Is an Operational Imperative
Removable media compliance under NERC CIP and IEC 62443 is not an administrative burden to be managed at minimum effort. It is a foundational element of industrial cybersecurity that directly correlates with your ability to protect process integrity, avoid regulatory penalties, and maintain operational continuity in the face of a threat landscape that continues to target physical media as one of its most reliable entry points.
The organizations that navigate this successfully are not those with the most sophisticated technology stacks. They are the ones that have invested in understanding their specific compliance obligations, built programs that meet the technical and documentary requirements of the applicable frameworks, and created a culture where removable media management is treated as a critical operational control, not an inconvenience.
For energy utilities managing NERC CIP obligations, for manufacturers pursuing IEC 62443 conformance, and for every critical infrastructure operator whose industrial assets represent both regulatory risk and physical-world consequence, the time to build a defensible removable media compliance program is before the audit, and long before the incident.
Book a Free Consultation with Our OT Security Experts
Your OT environment carries compliance obligations that standard IT security tools are simply not equipped to meet. Removable media risks are growing, and the regulatory window for compliance is not forgiving.
Shieldworkz specializes exclusively in OT/ICS cybersecurity, including removable media compliance, NERC CIP gap analysis, and IEC 62443 program implementation. Our experts have supported energy utilities, manufacturing plants, and critical infrastructure operators in building compliant, resilient, and audit-ready security postures.
Additional resources:
• NERC CIP Security Gap Diagnosis Checklist
• NIS2 Directive Cybersecurity Gap Assessment and Control Checklist
• NERC CIP Remediation Checklist Using OT Security NDR
• Remediation Guides

