site-logo
site-logo
site-logo

Media Scan Requirements for IEC 62443 Compliance

Media Scan Requirements for IEC 62443 Compliance

Media Scan Requirements for IEC 62443 Compliance

Media Scan Requirements for IEC 62443 Compliance
Shieldworkz logo

Team Shieldworkz

Every plant manager has seen it happen. A vendor arrives for scheduled maintenance, plugs a USB drive into an HMI to load a firmware update, and walks away without a second thought. Nobody stops to ask what else might be riding along on that drive. This single, routine moment is one of the most persistent and underestimated entry points for cyber incidents in industrial environments today.

Removable media has been the delivery method behind some of the most disruptive attacks on industrial control systems in history. It remains one of the few pathways capable of bridging an air-gapped network, bypassing perimeter defenses entirely. This is precisely why IEC 62443, the internationally recognized standard for industrial automation and control systems (IACS) security, places direct emphasis on controlling and scanning portable media before it ever touches operational technology.

Before we move forward, don’t forget to check out our previous blog post on SMastering NIST SP 800-18 Revision 2: here

This guide breaks down what media scanning actually means in an OT context, why IEC 62443 treats it as a foundational control rather than an afterthought, and what a mature, compliant media handling program looks like in practice. Whether you are building a compliance roadmap, preparing for an audit, or simply trying to close a known gap in your defenses, this is the ground-level understanding every OT security leader needs.

What Is Media Scan in OT Cyber Security?

Media scanning, in the context of operational technology, refers to the structured process of inspecting removable storage devices, USB drives, external hard disks, SD cards, CDs, and any portable data-carrying device, before they are permitted to connect to control system networks or endpoints.

Unlike a typical enterprise IT scan, which usually runs silently in the background on a corporate laptop, OT media scanning has to account for a very different environment. Control systems often run legacy operating systems, proprietary protocols, and equipment that cannot tolerate unplanned reboots or performance overhead. A media scan solution for OT needs to detect malicious payloads, unauthorized file types, and policy violations without ever putting availability or safety at risk.

At its core, media scanning in industrial environments typically involves:

  • Malware and signature detection – identifying known malicious code, including OT-specific malware families designed to target PLCs, RTUs, and SCADA systems

  • Behavioral and heuristic analysis – flagging suspicious file behavior even when no known signature exists

  • File type and content validation – ensuring only approved file formats and configurations are permitted

  • Policy enforcement – blocking unauthorized devices outright, regardless of scan results

  • Logging and audit trail creation – recording every scan event for compliance and forensic purposes

The objective is simple to state but difficult to execute well: nothing enters the OT environment through removable media unless it has been verified safe, authorized, and logged.

media scan workflow- device insertion, isolation, scanning, verification, logging, and authorized transfer

Why IEC 62443 Treats Removable Media as a Priority Control

IEC 62443 was developed specifically because traditional IT security frameworks do not translate cleanly to industrial environments. The standard is organized across several parts, covering governance (62443-2-1), system requirements (62443-3-3), and component-level requirements (62443-4-2), and removable media control threads through multiple layers of this structure.

The reasoning is straightforward. Air gaps, long considered the gold standard of OT protection, are rarely absolute in practice. Maintenance activities, firmware updates, engineering workstation transfers, and third-party vendor visits all create legitimate reasons for physical media to cross the boundary between IT and OT, or between an isolated OT network and the outside world. Every one of those legitimate crossings is also a potential attack vector.

IEC 62443's foundational requirements (FRs) most relevant to media handling include:

Foundational Requirement

Relevance to Media Scanning

FR 1 – Identification and Authentication Control

Ensures only authorized personnel and authorized devices can initiate a media transfer

FR 3 – System Integrity

Requires mechanisms to detect and prevent unauthorized software or configuration changes introduced via media

FR 5 – Restricted Data Flow

Governs how data, including files from removable media, moves between zones and conduits

FR 6 – Timely Response to Events

Requires logging and alerting when scan violations or malicious content are detected

FR 7 – Resource Availability

Ensures scanning processes do not compromise system uptime or safety functions

Rather than mandating one specific technology, IEC 62443 focuses on outcomes: control what enters your environment, verify it before it connects, and maintain a documented trail proving the process was followed consistently. This is what makes media scanning a compliance requirement in substance, even in cases where it is not always spelled out by that exact name in every clause.

Risks, Challenges, and Industry Insights

The Real-World Precedent: How Removable Media Has Shaped Industrial Cyber History

Media-borne threats are not theoretical. Several of the most consequential ICS security events in the past two decades trace back to portable storage devices.

One of the earliest and most widely studied cases involved sophisticated malware engineered specifically to target industrial control systems, discovered around 2010. It was designed to spread through infected USB drives, allowing it to jump across air-gapped networks that had no direct internet connectivity. This single characteristic, the ability to move physically rather than over a network, was what made the attack so effective against facilities that believed isolation alone was sufficient protection.

Years later, malware specifically engineered to interfere with industrial safety instrumented systems demonstrated a similar lesson: attackers understand that safety and engineering workstations, often the same machines used to load configurations from removable media, are high-value targets precisely because they sit at the intersection of convenience and critical function.

Even outside of malware-specific incidents, insider-driven events involving unauthorized access to control systems, such as the well-documented case of a disgruntled former contractor manipulating a wastewater system in Australia in the early 2000s, reinforce a related principle: access control and monitoring around control system interfaces, including physical and removable interfaces, cannot be an afterthought.

These cases share a common thread. In each one, the compromise did not begin with a sophisticated network intrusion. It began with something physical, something an employee or vendor considered routine, and something that had no verification step in place.

Why This Risk Persists in Modern Facilities

Despite widespread awareness of these historical incidents, removable media risk has not disappeared. If anything, it has evolved.

  • Vendor and OEM dependency: Most industrial facilities rely on third-party vendors for firmware updates, diagnostics, and maintenance, and many of those vendors still use USB drives as their default transfer method

  • Legacy system constraints: Older PLCs, HMIs, and engineering workstations frequently lack native antivirus support or the processing headroom for real-time scanning, leaving media transfer as one of the few practical update paths

  • Air-gap assumptions: Many facility teams still treat network isolation as a complete security boundary, when in practice it only addresses network-based threats, not physical ones

  • Inconsistent policy enforcement: Even where a media policy exists on paper, enforcement often relies on manual compliance rather than technical controls

  • Visibility gaps: Without dedicated scanning infrastructure, security teams frequently have no record of which devices were connected, when, or by whom

The Business Impact of Getting This Wrong

For decision-makers evaluating where to invest limited security budget, it helps to frame removable media risk in terms of operational and financial consequence rather than purely technical terms.

Impact Category

Potential Consequence

Production Downtime

Malware introduced via media can force emergency shutdowns, halting production lines for hours or days

Safety System Compromise

Malicious payloads targeting safety instrumented systems can disable protective functions, creating physical safety risk

Regulatory Exposure

Non-compliance with IEC 62443 or sector-specific mandates can result in penalties, lost certifications, or contract disqualification

Reputational Damage

Publicized OT incidents erode customer and stakeholder trust, particularly in critical infrastructure sectors

Recovery Cost

Incident response, forensic investigation, and system restoration following an OT compromise routinely run into significant unplanned expenditure

Insurance and Contractual Risk

Increasingly, cyber insurance underwriters and supply chain partners require documented evidence of controls like media scanning as a condition of coverage or contract

None of these consequences require a nation-state-level attacker. A single infected USB drive, introduced by a well-meaning employee or vendor, is enough to trigger any one of them.

Bar chart illustrating average downtime cost per hour across manufacturing, energy, and utilities sectors

Practical Recommendations and Best Practices for Removable Media Security in OT

Building a media scanning program that satisfies IEC 62443 expectations is less about buying a single product and more about designing a layered, enforceable process. The following practices reflect what mature OT security programs typically implement.

1. Establish a Dedicated Media Scanning Station (Kiosk Model)

Rather than allowing removable media to connect directly to any OT endpoint, leading organizations deploy dedicated scanning kiosks positioned at the boundary between the outside world and the OT network. Every device, whether brought by an employee, vendor, or auditor, is scanned at this station before any file is permitted to move forward.

This approach isolates the scanning function from production systems entirely, meaning even if a device carries malicious content, the scanning station itself absorbs the risk rather than an operational endpoint.

2. Enforce a Default-Deny Device Policy

A strong media control policy assumes no device is trusted until proven otherwise. This means:

  • Disabling USB ports on engineering workstations, HMIs, and PLCs by default

  • Requiring explicit authorization for any exception

  • Using device whitelisting so only registered, known-serial-number devices can connect, even after scanning

3. Combine Signature-Based and Behavioral Detection

Signature-based scanning alone is not sufficient against novel or targeted threats. A resilient media scanning process layers signature detection with behavioral and heuristic analysis, catching suspicious activity even when no known malware signature matches.

4. Sanitize, Don't Just Scan

In higher-risk environments, some organizations go a step further than scanning by implementing content disarm and reconstruction (CDR) processes, which rebuild files into clean, verified versions rather than simply flagging malicious content. This is particularly valuable for engineering files and firmware packages, where even a "clean" scan result may not fully account for embedded macros or scripting risks.

5. Maintain Detailed, Tamper-Resistant Logs

IEC 62443's emphasis on timely response and accountability means every scan event, pass or fail, needs to be logged with:

  • Device identifier and owner

  • Timestamp and location

  • Scan result and any detected anomalies

  • Authorized personnel who approved the transfer

These logs become essential during compliance audits and, if an incident does occur, during forensic investigation.

6. Train Personnel and Vendors as a Core Control, Not an Afterthought

Technology alone cannot close this gap. Vendors, contractors, and employees need clear, repeated training on why media scanning matters and what the process requires of them. A scanning kiosk that vendors routinely bypass because it slows them down provides no real protection.

7. Align Media Policies with Zone and Conduit Architecture

IEC 62443's zone and conduit model segments networks based on risk and function. Media handling policies should reflect this segmentation, meaning a device authorized for a lower-risk zone should not automatically be trusted in a safety-critical or high-consequence zone without re-verification.

8. Periodically Test and Audit the Program

A media scanning program should not be a "set it and forget it" control. Regular internal audits, tabletop exercises simulating a media-borne incident, and periodic reviews of scan logs help confirm the program is functioning as intended and adapting to new threats.

Best Practice

Primary Compliance Benefit

Dedicated scanning kiosks

Supports FR 5 – Restricted Data Flow

Default-deny device policy

Supports FR 1 – Identification and Authentication Control

Signature + behavioral detection

Supports FR 3 – System Integrity

Content disarm and reconstruction

Strengthens integrity assurance beyond basic scanning

Detailed audit logging

Supports FR 6 – Timely Response to Events

Vendor and staff training

Reinforces policy adherence across FR 1 and FR 3

Zone-aligned media policy

Supports overall zone and conduit segmentation requirements

How Shieldworkz Supports Organizations

Shieldworkz works alongside OT security leaders, plant managers, and compliance teams to design and implement removable media controls that align directly with IEC 62443 requirements, without disrupting operational continuity. Our approach is built around the practical realities of industrial environments, not generic IT security assumptions.

  • Comprehensive OT risk assessments that identify every point where removable media currently enters your environment, including undocumented or informal pathways

  • Custom media scanning architecture design, tailored to your existing network segmentation, legacy equipment constraints, and operational workflows

  • IEC 62443 gap analysis and compliance roadmapping, mapping your current media handling practices against relevant foundational requirements and security levels

  • Policy development and enforcement guidance, including default-deny frameworks, device whitelisting strategies, and vendor access protocols

  • Staff and vendor training programs designed specifically for plant floor realities, not generic cybersecurity awareness content

  • Audit-ready documentation support, helping your team maintain the logging and evidence trail needed for both internal governance and external certification audits

  • Ongoing advisory support, ensuring your media security posture evolves alongside new threats, new equipment, and new regulatory expectations

Our goal is not to hand you a product and walk away. We work as an extension of your team, helping build a media security program that holds up under real operational pressure and real audit scrutiny.

Conclusion

Removable media will remain a part of industrial operations for the foreseeable future. Vendors will continue bringing USB drives for firmware updates. Engineers will continue transferring configuration files between systems. The question is not whether this activity will happen, but whether your organization has the controls in place to ensure it happens safely, visibly, and in alignment with IEC 62443 expectations.

A well-designed media scanning program closes one of the most historically exploited gaps in OT security, while simultaneously building the documentation and process maturity that compliance frameworks, insurers, and business partners increasingly expect to see. This is not a control to defer until after an incident forces the issue. It is a foundational piece of a resilient industrial cybersecurity posture, and one that reflects directly on how seriously your organization takes the protection of its physical operations.

The organizations that get ahead of this risk are not the ones with unlimited budgets. They are the ones that treat every USB drive, every external device, and every vendor laptop as a potential entry point worth verifying, every single time.

Book a Free Consultation with Our Experts

If you are evaluating your organization's current media handling practices, preparing for an IEC 62443 audit, or simply want an honest, expert assessment of where your removable media risk stands today, our team is ready to help.

Book a free consultation with Shieldworkz's OT cybersecurity experts and take the next step toward a more resilient, compliant, and confidently protected industrial environment.

Additional resources:

OT Cyber Threat Intelligence Advisory - Middle East here
NIS2 Directive Achieving NIS2 Compliance Through IEC 62443 here
What Is Removable Media? Risks, Policies, and Industrial OT Security Solutions here
Free Removable Media Policy Template for OT and IT Teams here

Recibe semanalmente

Recursos y Noticias

Vea cómo nuestras soluciones de seguridad de OT líderes en la industria abordan los desafíos de seguridad críticos

También te puede interesar

BG image

Comienza ahora

Expande tu postura de seguridad CPS

Póngase en contacto con nuestros expertos en seguridad CPS para una consulta gratuita.

BG image

Comienza ahora

Expande tu postura de seguridad CPS

Póngase en contacto con nuestros expertos en seguridad CPS para una consulta gratuita.

BG image

Comienza ahora

Expande tu postura de seguridad CPS

Póngase en contacto con nuestros expertos en seguridad CPS para una consulta gratuita.