


Team Shieldworkz
Every plant manager has seen it happen. A vendor arrives for scheduled maintenance, plugs a USB drive into an HMI to load a firmware update, and walks away without a second thought. Nobody stops to ask what else might be riding along on that drive. This single, routine moment is one of the most persistent and underestimated entry points for cyber incidents in industrial environments today.
Removable media has been the delivery method behind some of the most disruptive attacks on industrial control systems in history. It remains one of the few pathways capable of bridging an air-gapped network, bypassing perimeter defenses entirely. This is precisely why IEC 62443, the internationally recognized standard for industrial automation and control systems (IACS) security, places direct emphasis on controlling and scanning portable media before it ever touches operational technology.
Before we move forward, don’t forget to check out our previous blog post on SMastering NIST SP 800-18 Revision 2: here
This guide breaks down what media scanning actually means in an OT context, why IEC 62443 treats it as a foundational control rather than an afterthought, and what a mature, compliant media handling program looks like in practice. Whether you are building a compliance roadmap, preparing for an audit, or simply trying to close a known gap in your defenses, this is the ground-level understanding every OT security leader needs.
What Is Media Scan in OT Cyber Security?
Media scanning, in the context of operational technology, refers to the structured process of inspecting removable storage devices, USB drives, external hard disks, SD cards, CDs, and any portable data-carrying device, before they are permitted to connect to control system networks or endpoints.
Unlike a typical enterprise IT scan, which usually runs silently in the background on a corporate laptop, OT media scanning has to account for a very different environment. Control systems often run legacy operating systems, proprietary protocols, and equipment that cannot tolerate unplanned reboots or performance overhead. A media scan solution for OT needs to detect malicious payloads, unauthorized file types, and policy violations without ever putting availability or safety at risk.
At its core, media scanning in industrial environments typically involves:
Malware and signature detection – identifying known malicious code, including OT-specific malware families designed to target PLCs, RTUs, and SCADA systems
Behavioral and heuristic analysis – flagging suspicious file behavior even when no known signature exists
File type and content validation – ensuring only approved file formats and configurations are permitted
Policy enforcement – blocking unauthorized devices outright, regardless of scan results
Logging and audit trail creation – recording every scan event for compliance and forensic purposes
The objective is simple to state but difficult to execute well: nothing enters the OT environment through removable media unless it has been verified safe, authorized, and logged.

media scan workflow- device insertion, isolation, scanning, verification, logging, and authorized transfer
Why IEC 62443 Treats Removable Media as a Priority Control
IEC 62443 was developed specifically because traditional IT security frameworks do not translate cleanly to industrial environments. The standard is organized across several parts, covering governance (62443-2-1), system requirements (62443-3-3), and component-level requirements (62443-4-2), and removable media control threads through multiple layers of this structure.
The reasoning is straightforward. Air gaps, long considered the gold standard of OT protection, are rarely absolute in practice. Maintenance activities, firmware updates, engineering workstation transfers, and third-party vendor visits all create legitimate reasons for physical media to cross the boundary between IT and OT, or between an isolated OT network and the outside world. Every one of those legitimate crossings is also a potential attack vector.
IEC 62443's foundational requirements (FRs) most relevant to media handling include:
Foundational Requirement | Relevance to Media Scanning |
FR 1 – Identification and Authentication Control | Ensures only authorized personnel and authorized devices can initiate a media transfer |
FR 3 – System Integrity | Requires mechanisms to detect and prevent unauthorized software or configuration changes introduced via media |
FR 5 – Restricted Data Flow | Governs how data, including files from removable media, moves between zones and conduits |
FR 6 – Timely Response to Events | Requires logging and alerting when scan violations or malicious content are detected |
FR 7 – Resource Availability | Ensures scanning processes do not compromise system uptime or safety functions |
Rather than mandating one specific technology, IEC 62443 focuses on outcomes: control what enters your environment, verify it before it connects, and maintain a documented trail proving the process was followed consistently. This is what makes media scanning a compliance requirement in substance, even in cases where it is not always spelled out by that exact name in every clause.
Risks, Challenges, and Industry Insights
The Real-World Precedent: How Removable Media Has Shaped Industrial Cyber History
Media-borne threats are not theoretical. Several of the most consequential ICS security events in the past two decades trace back to portable storage devices.
One of the earliest and most widely studied cases involved sophisticated malware engineered specifically to target industrial control systems, discovered around 2010. It was designed to spread through infected USB drives, allowing it to jump across air-gapped networks that had no direct internet connectivity. This single characteristic, the ability to move physically rather than over a network, was what made the attack so effective against facilities that believed isolation alone was sufficient protection.
Years later, malware specifically engineered to interfere with industrial safety instrumented systems demonstrated a similar lesson: attackers understand that safety and engineering workstations, often the same machines used to load configurations from removable media, are high-value targets precisely because they sit at the intersection of convenience and critical function.
Even outside of malware-specific incidents, insider-driven events involving unauthorized access to control systems, such as the well-documented case of a disgruntled former contractor manipulating a wastewater system in Australia in the early 2000s, reinforce a related principle: access control and monitoring around control system interfaces, including physical and removable interfaces, cannot be an afterthought.
These cases share a common thread. In each one, the compromise did not begin with a sophisticated network intrusion. It began with something physical, something an employee or vendor considered routine, and something that had no verification step in place.
Why This Risk Persists in Modern Facilities
Despite widespread awareness of these historical incidents, removable media risk has not disappeared. If anything, it has evolved.
Vendor and OEM dependency: Most industrial facilities rely on third-party vendors for firmware updates, diagnostics, and maintenance, and many of those vendors still use USB drives as their default transfer method
Legacy system constraints: Older PLCs, HMIs, and engineering workstations frequently lack native antivirus support or the processing headroom for real-time scanning, leaving media transfer as one of the few practical update paths
Air-gap assumptions: Many facility teams still treat network isolation as a complete security boundary, when in practice it only addresses network-based threats, not physical ones
Inconsistent policy enforcement: Even where a media policy exists on paper, enforcement often relies on manual compliance rather than technical controls
Visibility gaps: Without dedicated scanning infrastructure, security teams frequently have no record of which devices were connected, when, or by whom
The Business Impact of Getting This Wrong
For decision-makers evaluating where to invest limited security budget, it helps to frame removable media risk in terms of operational and financial consequence rather than purely technical terms.
Impact Category | Potential Consequence |
Production Downtime | Malware introduced via media can force emergency shutdowns, halting production lines for hours or days |
Safety System Compromise | Malicious payloads targeting safety instrumented systems can disable protective functions, creating physical safety risk |
Regulatory Exposure | Non-compliance with IEC 62443 or sector-specific mandates can result in penalties, lost certifications, or contract disqualification |
Reputational Damage | Publicized OT incidents erode customer and stakeholder trust, particularly in critical infrastructure sectors |
Recovery Cost | Incident response, forensic investigation, and system restoration following an OT compromise routinely run into significant unplanned expenditure |
Insurance and Contractual Risk | Increasingly, cyber insurance underwriters and supply chain partners require documented evidence of controls like media scanning as a condition of coverage or contract |
None of these consequences require a nation-state-level attacker. A single infected USB drive, introduced by a well-meaning employee or vendor, is enough to trigger any one of them.

Bar chart illustrating average downtime cost per hour across manufacturing, energy, and utilities sectors
Practical Recommendations and Best Practices for Removable Media Security in OT
Building a media scanning program that satisfies IEC 62443 expectations is less about buying a single product and more about designing a layered, enforceable process. The following practices reflect what mature OT security programs typically implement.
1. Establish a Dedicated Media Scanning Station (Kiosk Model)
Rather than allowing removable media to connect directly to any OT endpoint, leading organizations deploy dedicated scanning kiosks positioned at the boundary between the outside world and the OT network. Every device, whether brought by an employee, vendor, or auditor, is scanned at this station before any file is permitted to move forward.
This approach isolates the scanning function from production systems entirely, meaning even if a device carries malicious content, the scanning station itself absorbs the risk rather than an operational endpoint.
2. Enforce a Default-Deny Device Policy
A strong media control policy assumes no device is trusted until proven otherwise. This means:
Disabling USB ports on engineering workstations, HMIs, and PLCs by default
Requiring explicit authorization for any exception
Using device whitelisting so only registered, known-serial-number devices can connect, even after scanning
3. Combine Signature-Based and Behavioral Detection
Signature-based scanning alone is not sufficient against novel or targeted threats. A resilient media scanning process layers signature detection with behavioral and heuristic analysis, catching suspicious activity even when no known malware signature matches.
4. Sanitize, Don't Just Scan
In higher-risk environments, some organizations go a step further than scanning by implementing content disarm and reconstruction (CDR) processes, which rebuild files into clean, verified versions rather than simply flagging malicious content. This is particularly valuable for engineering files and firmware packages, where even a "clean" scan result may not fully account for embedded macros or scripting risks.
5. Maintain Detailed, Tamper-Resistant Logs
IEC 62443's emphasis on timely response and accountability means every scan event, pass or fail, needs to be logged with:
Device identifier and owner
Timestamp and location
Scan result and any detected anomalies
Authorized personnel who approved the transfer
These logs become essential during compliance audits and, if an incident does occur, during forensic investigation.
6. Train Personnel and Vendors as a Core Control, Not an Afterthought
Technology alone cannot close this gap. Vendors, contractors, and employees need clear, repeated training on why media scanning matters and what the process requires of them. A scanning kiosk that vendors routinely bypass because it slows them down provides no real protection.
7. Align Media Policies with Zone and Conduit Architecture
IEC 62443's zone and conduit model segments networks based on risk and function. Media handling policies should reflect this segmentation, meaning a device authorized for a lower-risk zone should not automatically be trusted in a safety-critical or high-consequence zone without re-verification.
8. Periodically Test and Audit the Program
A media scanning program should not be a "set it and forget it" control. Regular internal audits, tabletop exercises simulating a media-borne incident, and periodic reviews of scan logs help confirm the program is functioning as intended and adapting to new threats.
Best Practice | Primary Compliance Benefit |
Dedicated scanning kiosks | Supports FR 5 – Restricted Data Flow |
Default-deny device policy | Supports FR 1 – Identification and Authentication Control |
Signature + behavioral detection | Supports FR 3 – System Integrity |
Content disarm and reconstruction | Strengthens integrity assurance beyond basic scanning |
Detailed audit logging | Supports FR 6 – Timely Response to Events |
Vendor and staff training | Reinforces policy adherence across FR 1 and FR 3 |
Zone-aligned media policy | Supports overall zone and conduit segmentation requirements |
How Shieldworkz Supports Organizations
Shieldworkz works alongside OT security leaders, plant managers, and compliance teams to design and implement removable media controls that align directly with IEC 62443 requirements, without disrupting operational continuity. Our approach is built around the practical realities of industrial environments, not generic IT security assumptions.
Comprehensive OT risk assessments that identify every point where removable media currently enters your environment, including undocumented or informal pathways
Custom media scanning architecture design, tailored to your existing network segmentation, legacy equipment constraints, and operational workflows
IEC 62443 gap analysis and compliance roadmapping, mapping your current media handling practices against relevant foundational requirements and security levels
Policy development and enforcement guidance, including default-deny frameworks, device whitelisting strategies, and vendor access protocols
Staff and vendor training programs designed specifically for plant floor realities, not generic cybersecurity awareness content
Audit-ready documentation support, helping your team maintain the logging and evidence trail needed for both internal governance and external certification audits
Ongoing advisory support, ensuring your media security posture evolves alongside new threats, new equipment, and new regulatory expectations
Our goal is not to hand you a product and walk away. We work as an extension of your team, helping build a media security program that holds up under real operational pressure and real audit scrutiny.
Conclusion
Removable media will remain a part of industrial operations for the foreseeable future. Vendors will continue bringing USB drives for firmware updates. Engineers will continue transferring configuration files between systems. The question is not whether this activity will happen, but whether your organization has the controls in place to ensure it happens safely, visibly, and in alignment with IEC 62443 expectations.
A well-designed media scanning program closes one of the most historically exploited gaps in OT security, while simultaneously building the documentation and process maturity that compliance frameworks, insurers, and business partners increasingly expect to see. This is not a control to defer until after an incident forces the issue. It is a foundational piece of a resilient industrial cybersecurity posture, and one that reflects directly on how seriously your organization takes the protection of its physical operations.
The organizations that get ahead of this risk are not the ones with unlimited budgets. They are the ones that treat every USB drive, every external device, and every vendor laptop as a potential entry point worth verifying, every single time.
Book a Free Consultation with Our Experts
If you are evaluating your organization's current media handling practices, preparing for an IEC 62443 audit, or simply want an honest, expert assessment of where your removable media risk stands today, our team is ready to help.
Book a free consultation with Shieldworkz's OT cybersecurity experts and take the next step toward a more resilient, compliant, and confidently protected industrial environment.
Additional resources:
OT Cyber Threat Intelligence Advisory - Middle East here
NIS2 Directive Achieving NIS2 Compliance Through IEC 62443 here
What Is Removable Media? Risks, Policies, and Industrial OT Security Solutions here
Free Removable Media Policy Template for OT and IT Teams here
Recibe semanalmente
Recursos y Noticias
Vea cómo nuestras soluciones de seguridad de OT líderes en la industria abordan los desafíos de seguridad críticos
También te puede interesar

NIS2 Requirements for Critical Infrastructure

Team Shieldworkz

Complete NERC CIP Standards Overview for Security Teams

Team Shieldworkz

Mastering NIST SP 800-18 Revision 2:

Team Shieldworkz

Real-Time CPS Monitoring Strategies That Reduce Operational Risk

Team Shieldworkz

Securing critical infrastructure operations during geo-political events and beyond

Team Shieldworkz

Understanding NDR Architecture for Modern Security

Team Shieldworkz

