
Zero Trust for Removable Media: How OT Security Teams Are Treating Every USB as Untrusted by Default

Team Shieldworkz

The USB in Your Pocket Is a Loaded Weapon

A maintenance engineer walks into a substation with a USB drive to update firmware on a protection relay. The drive was used at another site last month. Nobody scanned it. Nobody logged it. Within hours, a dormant piece of malware silently maps the network, phones home, and begins its work.

This is not a hypothetical. Variants of this scenario have caused some of the most damaging industrial cyberattacks in history; Stuxnet, the best-known case, crossed the air gap on USB drives. And yet, removable media remains one of the least governed entry points in OT environments.

The reason is cultural. In IT, security teams have largely eliminated or tightly controlled USB use. In operational technology environments, where air-gapped systems, legacy PLCs, and vendor-supplied maintenance tools still depend on USB drives and portable media, the assumption has always been: "We know who's bringing the drive. It's fine."

Zero trust says otherwise. It says: trust nothing, verify everything, and assume every USB is untrusted by default.

This blog breaks down exactly what zero trust for removable media means in an OT/ICS context, what it looks like in practice, and the specific controls your team can put in place today.

Before we move forward, don't forget to check out our previous blog post, a deep dive into the Cal Water cyber-attack, here

Why Removable Media Is Still a Top OT Threat Vector

Before we get into controls, let's be clear about the threat landscape. Removable media threats in OT environments are not declining-they are evolving.

The Three Attack Categories You Need to Know

1. Malware Delivery via USB Infected USB drives introduce ransomware, wipers, and remote access trojans into isolated OT networks. This works even against air-gapped environments because operators physically carry the infection past every perimeter control you have.

2. BadUSB and Firmware Manipulation A USB device can be reprogrammed at the firmware level to impersonate a keyboard, a network adapter, or another trusted peripheral. When plugged in, it injects keystrokes or network traffic automatically, before any antivirus can respond. The host sees a "keyboard," not malware, and there is no file for a storage scanner to inspect, so scan-the-drive defences are blind to it. The control that works is restricting which USB device classes a host will enumerate, so a "storage" stick that also presents a keyboard or network interface is refused.

3. Data Exfiltration Sensitive configuration files, HMI logic, engineering workstation data, and plant schematics can be copied to an unauthorized USB and walked out the door. No network detection tool will catch it.

Who Is Most Exposed?

| Sector             | Key exposure points                                   |
|--------------------|-------------------------------------------------------|
| Energy & Utilities | Substations, RTUs, historian workstations             |
| Oil & Gas          | Offshore platforms, pipeline SCADA, DCS control rooms |
| Manufacturing      | CNC machines, robotics controllers, OEM vendor access |
| Water & Wastewater | Remote pump stations, SCADA HMI kiosks                |
| Pharmaceuticals    | Batch control systems, cleanroom equipment            |
| Transportation     | Rail control systems, traffic management SCADA        |

In every one of these sectors, a single uncontrolled USB drive can bypass years of network segmentation work. This is why zero trust for removable media is no longer a "nice to have"-it is a foundational control.

What Zero Trust Actually Means for Removable Media

Zero trust is an architecture principle, not a product. Applied to removable media, it means one thing clearly: no USB device is trusted simply because a person you trust is holding it.

Traditional OT thinking operated on implicit trust: "That's our contractor's laptop. That's our vendor's USB. We trust them." Zero trust replaces implicit trust with continuous verification, least privilege access, and strict device authentication.

The Three Zero Trust Principles Applied to USB

1. Verify Before You Connect Every removable media device must be authenticated and verified before it is allowed to interface with any OT asset. Who owns the device? Has it been registered in your device inventory? Has it been scanned and cleared by a dedicated kiosk? If the answer to any of these is "no," the device does not connect. No exceptions.

2. Least Privilege Access Even when a USB device is authorized, access should be scoped to the minimum required. A vendor updating firmware on one PLC does not need read/write access to the historian. A USB device cleared for transferring configuration files should not be able to auto-run executables. Least privilege applies at the device level, not just the user level.

3. Assume Breach Even after a device passes verification, your posture should assume it could still be malicious. This means logging every file transfer, flagging anomalous behavior, and having a clear response plan if a device that passed inspection is later found to carry a threat.

Building a Zero Trust Removable Media Policy: Step by Step

Policy is the backbone. Technology enforces it, but without a written, enforced policy, no toolset will hold.

Step 1: Classify Your Assets and Zones

Your first task is understanding where USB ports exist and what systems they connect to. Map every asset in your OT environment that has a USB port-PLCs, HMIs, engineering workstations, historian servers, DCS nodes, portable test equipment.

Then assign a risk tier:

| Risk tier         | Asset examples                                      | USB control level                                    |
|-------------------|-----------------------------------------------------|------------------------------------------------------|
| Critical (Tier 1) | Safety instrumented systems, primary SCADA servers  | USB physically disabled; software whitelist enforced |
| High (Tier 2)     | HMI workstations, historian servers, DCS nodes      | Approved devices only; kiosk scan mandatory          |
| Moderate (Tier 3) | Engineering workstations, portable test laptops     | Registered devices; file-type restrictions           |
| Standard (Tier 4) | Administrative OT systems, jump servers             | Standard endpoint controls; logging required         |

Step 2: Establish a Device Registration and Approval Process

You cannot control what you have not catalogued. Build a removable media registry that captures:

  • Device manufacturer and model, including the USB vendor ID (VID) and product ID (PID) the device reports

  • Serial number and cryptographic identifier (if supported)

  • Assigned owner and department

  • Approved use cases (which zones, which asset types)

  • Approval date and renewal date

  • Scan history and last cleared date

Only devices in this registry should ever be allowed into a Tier 1 or Tier 2 zone. This is your administrative control layer.

Step 3: Deploy Removable Media Inspection Kiosks

A kiosk is a dedicated, hardened scanning station that sits at the perimeter of your OT environment. Every USB drive-whether brought by an internal engineer or an external vendor-gets scanned at the kiosk before entering the plant floor.

A properly configured kiosk will:

  • Run multi-engine malware scanning against updated threat signatures

  • Detect file-type mismatches by content rather than by name (e.g., a file named "settings.cfg" whose bytes begin with a Windows executable header, masquerading as a configuration file)

  • Flag suspicious files for manual review

  • Issue a time-limited clearance certificate tied to the device's serial number

  • Log every scan result to a central security event management system

The kiosk is your mandatory entry checkpoint. No kiosk scan, no entry into OT zones. This single control closes a significant portion of your removable media risk exposure.
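
The two kiosk behaviours above that are easiest to get wrong are the file-type mismatch test and the binding of the clearance to the device. The following Python is an added example, not code from this page or from any kiosk product: it classifies content by magic bytes, refuses to clear a drive that carries a mismatch or an executable, and issues an HMAC-signed, time-limited clearance tied to the device serial and to a hash of the exact files scanned, so a drive modified after the scan fails verification at the endpoint. The magic-byte table, extension allow list, signing key and drive contents are all constructed for the example.

```python
from __future__ import annotations

import hashlib
import hmac
import json

# Leading magic bytes for content types a kiosk commonly meets. Constructed,
# deliberately short table for the example; a production kiosk uses a full
# signature database (for instance libmagic) plus several AV engines.
MAGIC = {
    b"MZ": "pe-executable",
    b"\x7fELF": "elf-executable",
    b"PK\x03\x04": "zip-container",
    b"%PDF": "pdf",
}

# Extensions a configuration-transfer clearance may carry, and the content
# type each one is expected to contain. Anything else goes to manual review.
ALLOWED_EXTENSIONS = {"csv": "text", "cfg": "text", "xml": "text", "txt": "text", "pdf": "pdf"}


def sniff_type(data: bytes) -> str:
    """Classify content by magic bytes; fall back to a printable-ASCII check for text."""
    for magic, kind in MAGIC.items():
        if data.startswith(magic):
            return kind
    if data and all(32 <= b < 127 or b in b"\r\n\t" for b in data):
        return "text"
    return "binary"


def scan_media(files: dict[str, bytes]) -> dict[str, str]:
    """Return a verdict per file: 'clear', 'mismatch' (content contradicts the
    extension, e.g. a PE image named settings.cfg) or 'review' (extension not
    on the allow list, which includes every executable)."""
    verdicts = {}
    for name, data in files.items():
        ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
        expected = ALLOWED_EXTENSIONS.get(ext)
        actual = sniff_type(data)
        if expected is None:
            verdicts[name] = "review"
        elif actual != expected:
            verdicts[name] = "mismatch"
        else:
            verdicts[name] = "clear"
    return verdicts


def manifest_hash(files: dict[str, bytes]) -> str:
    """Bind a clearance to exactly this set of file names and contents."""
    h = hashlib.sha256()
    for name in sorted(files):
        h.update(name.encode() + b"\0" + hashlib.sha256(files[name]).digest() + b"\0")
    return h.hexdigest()


def issue_clearance(serial: str, files: dict[str, bytes], key: bytes,
                    ttl_seconds: int, now: int) -> str | None:
    """Issue an HMAC-signed, time-limited clearance, or None if any file is not 'clear'."""
    if any(v != "clear" for v in scan_media(files).values()):
        return None
    body = {"serial": serial, "manifest": manifest_hash(files),
            "issued": now, "expires": now + ttl_seconds}
    payload = json.dumps(body, sort_keys=True)
    sig = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    return payload + "." + sig


def verify_clearance(token: str, serial: str, files: dict[str, bytes],
                     key: bytes, now: int) -> bool:
    """Endpoint-side check: signature, serial, file set and expiry must all hold.
    Any change to the drive after the kiosk scan changes the manifest hash."""
    payload, sep, sig = token.rpartition(".")
    if not sep:
        return False
    expected = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):
        return False
    body = json.loads(payload)
    return (body["serial"] == serial
            and body["manifest"] == manifest_hash(files)
            and now < body["expires"])


# Constructed sample drives for the example (not real plant files).
KIOSK_KEY = b"example-kiosk-signing-key"  # assumption: in practice held in the kiosk's key store
CLEAN_DRIVE = {
    "relay_settings.cfg": b"ip=10.0.0.5\r\nprotocol=iec61850\r\n",
    "tags.csv": b"tag,value\nP1,12.5\n",
}
SUSPECT_DRIVE = {
    "relay_settings.cfg": b"MZ\x90\x00" + b"\x00" * 60,  # PE image posing as a config file
    "update.exe": b"MZ\x90\x00" + b"\x00" * 60,          # a real executable: manual review
}

if __name__ == "__main__":
    print(scan_media(SUSPECT_DRIVE))
    token = issue_clearance("SN-0042", CLEAN_DRIVE, KIOSK_KEY, ttl_seconds=8 * 3600, now=1_700_000_000)
    print(verify_clearance(token, "SN-0042", CLEAN_DRIVE, KIOSK_KEY, now=1_700_000_600))
```

The manifest binding is the part worth copying. A clearance that names only the serial number is still valid after someone adds a file to the drive in the car park; one bound to the content hash is not. Key handling (an HSM or the kiosk's own key store) and the scanning engines themselves sit outside the example.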

Step 4: Enforce Device Whitelisting at the Endpoint

Beyond the kiosk, your OT endpoints should enforce USB device whitelisting at the operating system or endpoint protection level. This means:

  • Only pre-registered device identifiers are allowed to mount. Match on the USB vendor ID, product ID and serial number together, and on a hardware-backed identifier where the device supports one: a serial number is a string the device reports and can be cloned, so a serial match is necessary, not sufficient

  • Any unregistered USB device triggers an alert and is blocked from mounting

  • Auto-run and auto-play are disabled across all OT endpoints

  • Read-only mode is enforced where write access is not required

For legacy PLCs and embedded devices that lack endpoint agent support, the compensating control is physical port lockdown-USB ports are physically disabled or filled with port blockers, with access only granted through a formal work order process.
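
Enforcement of the rules above lives in the operating system (Windows Device Installation Restrictions and the StorageDevicePolicies write-protect key, or USBGuard on Linux), but the decision those rules encode is worth writing down explicitly so that every host applies the same one. The following Python is an added example, not code from this page or from any endpoint product: it models the admission decision for one device on one host, applying the tiering table, the registry record, the least-privilege mount mode, and the interface-class check that refuses a BadUSB device presenting a keyboard alongside its storage. The registry entries, hosts, vendor and product IDs are constructed for the example; the kiosk clearance is assumed to have been signature-checked already and is passed in as its expiry time.

```python
from __future__ import annotations

from dataclasses import dataclass, field

# USB interface class codes (USB-IF base class list).
CLASS_HID = 0x03           # keyboards and mice: what a BadUSB "storage" stick also presents
CLASS_MASS_STORAGE = 0x08  # an ordinary flash drive


@dataclass(frozen=True)
class RegisteredDevice:
    serial: str
    vid: int                          # USB vendor ID
    pid: int                          # USB product ID
    owner: str
    approved_zones: frozenset[str]    # zones this device may be used in
    declared_classes: frozenset[int]  # interface classes recorded at registration
    write_allowed: bool               # least privilege: most transfers are read-only
    registration_expires: int         # epoch seconds; the registry's renewal date


@dataclass(frozen=True)
class ObservedDevice:
    vid: int
    pid: int
    serial: str
    interface_classes: frozenset[int]  # what the host actually enumerated


@dataclass(frozen=True)
class Host:
    name: str
    zone: str
    tier: int  # 1 = critical ... 4 = standard, as in the tiering table


@dataclass
class Decision:
    allow: bool
    mode: str                        # "none", "read-only" or "read-write"; never executable
    reasons: list[str] = field(default_factory=list)


def admit(dev: ObservedDevice, host: Host, registry: dict[str, RegisteredDevice],
          clearance_expires: int | None, now: int) -> Decision:
    """Decide whether a USB device may mount on a host, and in which mode.
    clearance_expires is the expiry of an already-verified kiosk clearance
    (None when none was presented)."""
    if host.tier == 1:
        return Decision(False, "none", ["tier 1 host: USB disabled by policy"])

    rec = registry.get(dev.serial)
    if rec is None:
        if host.tier <= 3:
            return Decision(False, "none", ["unregistered device"])
        # Tier 4: unregistered plain storage may mount read-only and is logged.
        if dev.interface_classes != frozenset({CLASS_MASS_STORAGE}):
            return Decision(False, "none", ["unregistered device presents non-storage interfaces"])
        return Decision(True, "read-only", ["tier 4 host: unregistered storage allowed read-only; logged"])

    # A serial number is a string the device reports and can be cloned, so it is
    # matched together with VID/PID and with the interface set seen at registration.
    if (dev.vid, dev.pid) != (rec.vid, rec.pid):
        return Decision(False, "none", ["VID/PID differs from registry entry: possible cloned serial"])
    unexpected = dev.interface_classes - rec.declared_classes
    if unexpected:
        return Decision(False, "none",
                        [f"undeclared interface classes {sorted(unexpected)}: possible BadUSB"])
    if now >= rec.registration_expires:
        return Decision(False, "none", ["registration expired; renewal required"])
    if host.zone not in rec.approved_zones:
        return Decision(False, "none", [f"device not approved for zone {host.zone}"])
    if host.tier == 2 and (clearance_expires is None or now >= clearance_expires):
        return Decision(False, "none", ["tier 2 host: valid kiosk clearance required"])

    mode = "read-write" if rec.write_allowed else "read-only"
    return Decision(True, mode, [f"registered device owned by {rec.owner}; execution from media blocked"])


# Constructed registry and hosts for the example (all identifiers are made up).
REGISTRY = {
    "SN-0042": RegisteredDevice(
        serial="SN-0042", vid=0x1234, pid=0x5678, owner="Protection team",
        approved_zones=frozenset({"substation-A"}),
        declared_classes=frozenset({CLASS_MASS_STORAGE}),
        write_allowed=False, registration_expires=1_720_000_000),
}
HMI_SUBSTATION_A = Host("HMI-03", "substation-A", tier=2)
SIS_NODE = Host("SIS-01", "substation-A", tier=1)
JUMP_SERVER = Host("JUMP-01", "dmz", tier=4)

if __name__ == "__main__":
    stick = ObservedDevice(0x1234, 0x5678, "SN-0042", frozenset({CLASS_MASS_STORAGE}))
    print(admit(stick, HMI_SUBSTATION_A, REGISTRY, clearance_expires=1_700_010_000, now=1_700_000_000))
```

The order of the checks is deliberate: the cheap, unforgeable facts (host tier, interface classes the host itself enumerated) are tested before anything the device asserts about itself, and a registered device still gets read-only unless its registry entry says otherwise.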

Step 5: Implement Continuous Monitoring and Alerting

Zero trust does not stop at the access decision. You need to know what happens after a device is connected. At a minimum, your monitoring should capture:

  • Every USB connection event: device ID, timestamp, workstation name

  • Every file transfer: file name, file type, file size, direction (read/write)

  • Every execution attempt on removable media

  • Any attempt to connect an unregistered device

These events should flow into your OT security operations centre or SIEM, where alert rules can flag anomalies-such as a device connecting at 2 a.m., a volume of file transfers that exceeds normal patterns, or an executable file being run from a USB on an engineering workstation.
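
Here is what those alert rules look like when run over agent output. The following Python is an added example, not code from this page or from any SIEM: it parses a constructed key=value log export (the line format is an assumption; real agents and DLP tools each have their own) and raises the four alerts described above: an unregistered device, an after-hours connection, an executable run from removable media, and a write volume above baseline. The registered-device set, business hours and baseline are constructed inputs, and the registered=yes flag in the log is deliberately ignored in favour of the registry.

```python
from __future__ import annotations

from collections import defaultdict
from datetime import datetime

# Constructed agent log export for the example; timestamps are local time.
SAMPLE_LOG = r"""
2024-03-11T02:13:40 host=EWS-07 event=connect device=SN-9F21 registered=no
2024-03-11T09:05:12 host=HMI-03 event=connect device=SN-0042 registered=yes
2024-03-11T09:06:02 host=HMI-03 event=read device=SN-0042 file=relay_settings.cfg bytes=18304
2024-03-11T09:07:44 host=HMI-03 event=write device=SN-0042 file=historian_export.csv bytes=92000000
2024-03-11T09:08:10 host=EWS-02 event=exec device=SN-0042 file=E:\tools\update.exe bytes=5242880
2024-03-11T09:30:00 host=HMI-03 event=disconnect device=SN-0042
"""

REGISTERED = {"SN-0042"}           # taken from the device registry, not from the log
BUSINESS_HOURS = (6, 18)           # local hours in which USB use is expected
WRITE_BASELINE_BYTES = 50_000_000  # per device per host; tune from your own history


def parse_line(line: str) -> dict:
    """Turn one 'timestamp k=v k=v ...' line into a dict; 'bytes' becomes an int."""
    ts, _, rest = line.partition(" ")
    ev = {"ts": datetime.fromisoformat(ts)}
    for item in rest.split(" "):
        k, _, v = item.partition("=")
        ev[k] = int(v) if k == "bytes" else v
    return ev


def analyze(log_text: str, registered: set[str] = REGISTERED,
            business_hours: tuple[int, int] = BUSINESS_HOURS,
            write_baseline: int = WRITE_BASELINE_BYTES) -> list[dict]:
    """Apply the alert rules to each event in order and return the alerts raised."""
    alerts: list[dict] = []
    written = defaultdict(int)  # (host, device) -> bytes written to the device so far
    volume_fired = set()        # fire the volume rule once per (host, device)

    def raise_alert(rule: str, ev: dict, detail: str) -> None:
        alerts.append({"rule": rule, "host": ev["host"], "device": ev["device"],
                       "ts": ev["ts"].isoformat(), "detail": detail})

    for line in log_text.strip().splitlines():
        ev = parse_line(line)
        if ev["event"] == "connect":
            # Rule 1: registry lookup, ignoring whatever the agent claims.
            if ev["device"] not in registered:
                raise_alert("USB-001", ev, "unregistered device connected")
            # Rule 2: after-hours connection.
            start, end = business_hours
            if not start <= ev["ts"].hour < end:
                raise_alert("USB-002", ev, f"connection outside {start:02d}:00-{end:02d}:00")
        elif ev["event"] == "exec":
            # Rule 3: anything executed from removable media is an alert, registered or not.
            raise_alert("USB-003", ev, f"execution from removable media: {ev['file']}")
        elif ev["event"] == "write":
            # Rule 4: cumulative bytes written to the device (data leaving the host).
            key = (ev["host"], ev["device"])
            written[key] += ev["bytes"]
            if written[key] > write_baseline and key not in volume_fired:
                volume_fired.add(key)
                raise_alert("USB-004", ev, f"{written[key]} bytes written to device exceeds baseline")
    return alerts


if __name__ == "__main__":
    for a in analyze(SAMPLE_LOG):
        print(a["rule"], a["ts"], a["host"], a["device"], a["detail"])
```

Two design points carry over to a real SIEM rule set. The unregistered check consults your registry rather than a flag the agent emits, because the agent is on the very host an attacker controls if the stick was malicious, and the volume rule accumulates per device per host so that one large export and fifty small ones are caught the same way.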

Zero Trust Removable Media Controls: Quick-Reference Checklist

Use this checklist to audit your current posture. Each item maps to a control layer in a zero trust removable media framework.

Policy & Governance

  • [ ] A formal removable media policy exists and is reviewed at least annually

  • [ ] The policy defines approved device types, approved use cases, and prohibited uses

  • [ ] Third-party and vendor USB use is explicitly covered in the policy

  • [ ] Roles and responsibilities for removable media management are assigned

  • [ ] Policy violations have defined consequences and a documented response process

Asset & Device Inventory

  • [ ] All OT assets with USB ports have been inventoried and risk-tiered

  • [ ] A removable media device registry exists and is maintained

  • [ ] Device registration includes serial number, owner, approved use cases, and scan history

  • [ ] Approval and renewal periods are defined and tracked

Technical Controls

  • [ ] USB device whitelisting is enforced on all Tier 1 and Tier 2 endpoints

  • [ ] Auto-run and auto-play are disabled on all OT workstations

  • [ ] USB ports are physically disabled or blocked on systems where no removable media use is authorized

  • [ ] Removable media inspection kiosks are deployed at all entry points to OT zones

  • [ ] Kiosks run multi-engine scanning with regularly updated threat signatures

  • [ ] File-type filtering prevents unauthorized file types from being transferred

  • [ ] Write-protect controls are applied to systems where read-only USB access is sufficient

  • [ ] Encrypted removable media is required for any sensitive data transfer

Monitoring & Detection

  • [ ] All USB connection events are logged with device ID, timestamp, and workstation

  • [ ] All file transfer events from removable media are logged

  • [ ] Alert rules exist for unregistered device connections

  • [ ] Alert rules exist for after-hours USB activity

  • [ ] Log data flows to a centralized SIEM or OT security monitoring platform

  • [ ] Removable media logs are retained for a minimum period aligned to your regulatory requirements

Vendor & Third-Party Controls

  • [ ] Vendors are required to use company-provided or pre-approved devices only

  • [ ] All vendor USB devices are registered before site access

  • [ ] Vendor USB activity is monitored and logged during site visits

  • [ ] Vendor contracts include removable media security obligations

Incident Response

  • [ ] A removable media incident response runbook exists

  • [ ] Staff know how to report a suspected removable media incident

  • [ ] Containment procedures for a USB-introduced malware event are documented and tested

  • [ ] Post-incident reviews include removable media policy evaluation

Aligning Zero Trust USB Controls to IEC 62443 and Other Frameworks

Zero trust for removable media is not just good practice-it directly supports compliance with the frameworks your organisation is likely measured against.

IEC 62443

IEC 62443-3-3 (system security requirements and security levels) and IEC 62443-2-1 (security programme requirements for asset owners) both address portable and removable media. Key alignment points in 62443-3-3:

  • SR 1.2 (Software Process and Device Identification and Authentication): device registration and endpoint whitelisting provide the device-level authentication this requirement calls for. SR 1.1 covers human users, and is met by the escort and work-order process rather than by the device controls.

  • SR 2.3 (Use Control for Portable and Mobile Devices): the requirement to restrict the use of portable devices and to control code and data transfer to and from them is met by the tiered USB policy, read-only enforcement and kiosk clearance.

  • SR 3.2 (Malicious Code Protection): kiosk scanning and endpoint whitelisting directly support this requirement.

  • SR 6.2 (Continuous Monitoring): USB connection and file transfer logging supports the continuous monitoring requirement.

NIST SP 800-82 (Guide to ICS Security)

NIST SP 800-82 explicitly recommends restricting removable media use, implementing scanning procedures, and logging media usage. Your zero trust removable media programme maps directly to the recommended controls under the media protection (MP) control family.

NERC CIP (for Energy Sector)

NERC CIP-003-8 includes removable media controls for low-impact BES Cyber Systems (Attachment 1, Section 5), which requires a documented plan covering transient cyber assets and removable media, including detection of malicious code before the media is used. For medium- and high-impact systems the equivalent requirements sit in CIP-010 Requirement R4. Your device registry, kiosk scanning, and endpoint controls provide the evidence these requirements call for.

NIS2 (for European Operators)

NIS2 (Article 21(2)) requires essential and important entities to implement measures that include supply chain security, access control and asset management, and basic cyber hygiene practices. Vendor USB controls, the device registry and media inspection kiosks map directly to those measures.

What Vendors and Contractors Must Understand

Third-party removable media is where most industrial organisations have the greatest gap. Your internal engineers may follow the policy. Your vendors often do not-because nobody told them to.

Here is what your vendor onboarding and site access process must include:

Before Site Access

  • Vendors must declare any devices they intend to bring to site

  • All USB drives must be pre-registered or replaced with company-issued devices

  • Vendors must be briefed on the removable media policy and sign an acknowledgment

At the Site Perimeter

  • All vendor devices go through the kiosk scan before entering OT zones

  • No clearance, no entry. This is non-negotiable regardless of urgency or contract pressure

  • Vendor devices are added to a session log tied to their site visit record

During the Visit

  • Vendor USB activity is monitored in real time where technically feasible

  • Vendor engineers should never connect a device to an OT asset without a designated company escort

  • Any file transfers should be documented in the work order

After the Visit

  • The session log is reviewed for anomalies

  • Any files transferred to or from a vendor device are archived for a defined retention period

  • Vendor access records are retained for audit purposes

This is not about distrust of your vendors as individuals. It is about recognising that a vendor's device may have been through five other customer sites this month. Zero trust applied to removable media does not rest on identity alone: it trusts the verified device, not just the person holding it.

Common Mistakes OT Teams Make with USB Security

Even teams with good intentions often fall short in predictable ways. Avoid these pitfalls.

Mistake 1: Treating the Kiosk as the Only Control A kiosk catches known threats. It does not catch zero-day firmware attacks, BadUSB devices, or data exfiltration. The kiosk is one layer in a multi-layer programme, not a complete solution.

Mistake 2: Exempting "Trusted" Vendors The phrase "but they're our OEM vendor" is one of the most dangerous sentences in OT security. Your OEM's laptop may be perfectly trustworthy. The USB drive their field engineer grabbed from a shared bin this morning is not. No exemptions.

Mistake 3: Logging Without Alerting Many teams enable USB logging and then never look at the logs. Logging has no value without defined alert thresholds, someone responsible for reviewing them, and a process for acting on anomalies. Connect your USB logs to your monitoring platform with active alerting.

Mistake 4: Forgetting Air-Gapped Systems Teams sometimes believe that if a system is air-gapped, USB is not a concern. The opposite is true. Air-gapped systems depend heavily on removable media for updates, data transfer, and configuration-which makes them more exposed to USB threats, not less. Air-gapped environments need the strongest removable media controls, not the weakest.

Mistake 5: No Policy for Personal Devices Employees and contractors regularly bring personal USB drives, charging cables with data capability, and personal laptops. If your policy does not explicitly address personal devices, you have a gap. "No personal devices" is a simple rule to write. Enforcing it requires physical access controls and consistent application.

Building the Business Case: What Zero Trust USB Security Costs You to Ignore

For plant managers and CISOs making the case internally, here is the risk picture in practical terms.

A single USB-introduced malware event in an OT environment can result in:

  • Production shutdown lasting hours to weeks

  • Emergency response costs covering forensics, remediation, and OT system restoration

  • Regulatory penalties if the incident results in a NERC CIP or NIS2 finding, and lost certification or customer-audit findings against IEC 62443 (a standard rather than a regulation, so it carries no penalty of its own)

  • Reputational damage with customers and regulators

  • Physical safety risks if safety instrumented systems are affected

The cost of a structured zero trust removable media programme-including kiosk infrastructure, endpoint controls, policy development, and staff training-is a fraction of the cost of a single significant incident.

When framing this for leadership, position it this way: zero trust for removable media is not a new cost. It converts an uncontrolled exposure into a managed, auditable programme with a known cost and measurable outcomes.

How Shieldworkz Helps OT Security Teams Implement Zero Trust for Removable Media

At Shieldworkz, we work with critical infrastructure operators, plant managers, and OT security teams globally to design and implement OT cybersecurity programmes that are practical, enforceable, and aligned to IEC 62443, NERC CIP, and NIS2 requirements.

Our approach to removable media security includes:

OT-Specific Risk Assessment We assess your current removable media posture across your entire OT asset landscape-mapping USB-enabled devices, identifying ungoverned entry points, and quantifying your exposure. Our assessments are grounded in IEC 62443 security levels and give you a clear, prioritised remediation roadmap.

Policy and Governance Development We develop removable media policies and supporting procedures that are written for your environment, your regulatory context, and your operational realities. These are not generic templates-they are documented, enforceable controls that can withstand an audit.

Technical Control Design and Implementation Support Whether you are deploying media inspection kiosks, implementing USB device whitelisting on OT endpoints, or building a monitoring and alerting programme, our OT security engineers work alongside your team to design controls that do not disrupt operations.

Vendor and Third-Party Programme Integration We help you build third-party removable media controls into your supplier onboarding, contract language, and site access procedures-closing the gap that most organisations leave open.

Ongoing Monitoring and Advisory For organisations that want continuous assurance, Shieldworkz provides OT cyber threat intelligence advisory services that keep your removable media programme current as the threat landscape evolves.

Conclusion: Treat Every USB as Untrusted-Because It Is

Zero trust for removable media is not a technology project. It is a shift in mindset, backed by policy, enforced by technology, and sustained by culture.

The assumption that a USB drive is safe because a trusted person is carrying it has proven, repeatedly, to be wrong. The devices themselves can be compromised, reprogrammed, or infected at any point in the supply chain. Zero trust says: verify the device, not just the person. Restrict access to the minimum required. Log everything. Alert on anomalies. Assume that even a cleared device could still carry a threat.

Your OT environment cannot afford to operate on implicit trust when a single removable media incident can take down production, compromise safety systems, or trigger regulatory action.

The time to treat every USB as untrusted is now-before an incident forces the decision.

Take the Next Step with Shieldworkz

Request a Demo with Our Experts to see how Shieldworkz approaches OT removable media risk assessment and what a zero trust USB security programme looks like for your environment.

Additional resources:

OT Cyber Threat Intelligence Advisory - Middle East here
NIS2 Directive Achieving NIS2 Compliance Through IEC 62443 here
What Is Removable Media? Risks, Policies, and Industrial OT Security Solutions here
Free Removable Media Policy Template for OT and IT Teams here
