Team Shieldworkz
Every day, across power plants, water treatment facilities, oil refineries, and manufacturing floors, engineers plug in USB drives to update firmware, transfer configuration files, or share diagnostic data. It is a routine task: practical, fast, and deeply familiar.
It is also one of the single most dangerous actions an organization can allow without strict controls.
Removable media (USB drives, SD cards, external hard disks, vendor-supplied flash devices) represents a persistent and frequently exploited attack vector in operational technology (OT) and industrial control system (ICS) environments. Unlike traditional IT networks, where endpoint detection tools are widely deployed and continuously updated, OT environments often operate with legacy systems, limited monitoring capabilities, and a foundational principle that prioritizes uptime over security.
That combination creates the perfect conditions for removable media threats to go undetected, sometimes for years.
This post explores why removable media continues to be exploited in SCADA and ICS environments, what the real-world consequences look like, and what a robust OT removable media security policy framework needs to include to protect your organization.
Why Removable Media Is Particularly Dangerous in OT and SCADA Environments
The fundamental challenge in OT security is that industrial control systems were not originally designed with cybersecurity in mind. They were engineered for reliability, deterministic performance, and operational longevity. Many of the systems running today were commissioned before modern cybersecurity frameworks even existed.
This creates a unique risk profile that makes removable media far more dangerous in an OT context than in an equivalent IT setting:
Air-Gapped Systems Are Not Actually Air-Gapped
One of the most persistent misconceptions in industrial cybersecurity is that air-gapped systems, those physically isolated from external networks, are inherently secure. In practice, the air gap is regularly bridged by the very thing meant to preserve it: removable media.
Engineers transfer patches via USB. Vendors deliver firmware updates on pre-loaded drives. Contractors connect laptops for diagnostics. Each of these actions introduces the possibility of malware transfer from an external environment into a supposedly isolated system.
The Stuxnet attack, arguably the most consequential cyberattack ever documented against industrial infrastructure, exploited exactly this vector. It entered the Iranian nuclear enrichment facility at Natanz through infected USB drives, bypassing all network-level defenses. The facility was air-gapped. The attackers knew that and targeted the human behavior that made the air gap irrelevant.
Legacy Systems Cannot Run Modern Security Software
A significant portion of SCADA and ICS environments still operate on platforms running Windows XP, Windows 7, or proprietary embedded operating systems that have not received a security patch in years, sometimes decades. These systems cannot support modern antivirus or endpoint detection tools even if the organization wanted to deploy them.
When a USB drive is connected to one of these systems, there is often no automated mechanism to scan for threats. The malware can execute, persist, and propagate before any human operator notices unusual behavior.
Slow Detection Windows Amplify Impact
In IT environments, the average dwell time of malware, the period between initial compromise and detection, has been steadily decreasing thanks to improved threat intelligence and detection tooling. In OT environments, dwell times are often dramatically longer. Some documented incidents have involved attackers residing in industrial networks for 18 months or more before discovery.
During that time, a piece of malware introduced through a USB drive can map the network, establish persistence, exfiltrate process data, or silently modify control logic, waiting for activation.
Real-World Incidents: The Cost of Inadequate Removable Media Controls
The threat landscape around removable media in industrial environments is not hypothetical. Several high-profile incidents demonstrate precisely what happens when organizations treat this risk as a low priority.
The Stuxnet Precedent (2010)
Stuxnet remains the gold standard reference for removable media attacks on industrial systems. Developed as a highly sophisticated cyber weapon, it specifically targeted Siemens Step 7 software used to program industrial PLCs. The malware was introduced via infected USB drives into the Natanz facility's engineering workstations. Once inside, it subtly reprogrammed centrifuge controls while reporting normal operation to the monitoring systems, a masterclass in industrial sabotage.
The Stuxnet incident demonstrated that even organizations with significant security awareness and physical isolation measures are vulnerable when removable media controls are absent or inconsistently enforced.
The Ukraine Power Grid Attacks (2015–2016)
The coordinated attacks on Ukrainian energy distribution infrastructure, which caused real power outages affecting hundreds of thousands of people, involved a multi-stage intrusion that included spear-phishing for initial access, but subsequent lateral movement and payload delivery relied on tools and techniques consistent with insider-facilitated media-based infection vectors. The BlackEnergy and Industroyer malware families used in these attacks were designed specifically to interact with industrial control systems and SCADA protocols.
These incidents underscored that removable media risk does not exist in isolation; it is part of a broader attack chain that sophisticated adversaries plan and execute methodically.
Triton/TRISIS Safety System Attack (2017)
The Triton malware, discovered targeting a petrochemical facility in the Middle East, was specifically engineered to compromise Safety Instrumented Systems (SIS), the last line of defense against physical catastrophe in industrial plants. While the primary infection vector involved remote access, the malware was designed to be deployed via engineering workstations commonly accessed through removable media and external contractor devices. The intent was to disable safety systems during a simultaneous control system disruption, a scenario that could have resulted in an explosion or mass casualties.
These are not edge cases or theoretical scenarios. They are documented, investigated, and published incidents that industrial security professionals study precisely because the consequences of failure in OT environments extend beyond data loss into physical harm, environmental damage, and public safety risk.
OT Removable Media Attack Vectors: Risk and Detection Overview
The following table summarizes the primary removable media attack vectors in OT and SCADA environments, their relevance to industrial operations, and the associated risk and detection profile:
| Attack Vector | OT/ICS Relevance | Risk Level | Detection Difficulty |
| --- | --- | --- | --- |
| Infected USB Drive | Direct PLC/HMI access | Critical | Very High (air-gapped systems lack AV) |
| Maintenance Laptop | Engineering workstation bridge | High | High (rarely monitored in OT zone) |
| SD Cards & Flash Media | Historian/SCADA updates | High | Moderate (if scanning is enforced) |
| External Hard Drive | Backup and data transfer | Medium-High | Moderate |
| Vendor-Supplied Media | Firmware/patch delivery | Critical | Very High (trusted by default) |
Understanding which vectors are most likely to be exploited in your specific environment is the foundation of an effective OT removable media security policy.
The OT Removable Media Security Policy Gap: Where Organizations Fall Short
Many industrial organizations recognize that removable media poses a risk. Far fewer have addressed it with a policy framework that is fit for purpose in an OT context.
IT Policies Do Not Translate Directly to OT
Organizations that have invested in IT security often assume their existing removable media policies extend to their operational technology environments. This is a dangerous assumption. IT removable media policies are typically built around data loss prevention, preventing the unauthorized extraction of sensitive files. OT removable media policies must be built around a fundamentally different threat model: preventing the introduction of malicious code into systems that control physical processes.
The controls, workflows, and enforcement mechanisms are different. The systems being protected are different. The consequences of failure are different. An IT-centric removable media policy applied to an OT environment will leave critical gaps.
Vendor and Contractor Access Is Systematically Under-Controlled
One of the most consistently underestimated risks in industrial removable media security is the vendor and contractor access model. Third-party technicians routinely arrive at industrial facilities with their own laptops, USB drives, and diagnostic tools. They may have visited multiple customer sites with the same equipment. Their devices may not have been scanned recently, if ever.
Without a formal process for vetting, scanning, and controlling the media that vendors introduce into the OT environment, organizations are effectively outsourcing their security risk to parties over whom they have limited visibility.
Absence of Dedicated OT Media Scanning Infrastructure
Even organizations with stated removable media policies often lack the physical infrastructure to enforce them at the point of entry. A policy that requires scanning all media before use in the OT environment is unenforceable if there is no dedicated, OT-aware scanning station available at the facility. Generic IT scanning tools may not recognize threat signatures relevant to industrial systems, and may not be deployed in locations that make them accessible to OT personnel during their actual workflow.
OT Removable Media Security Policy: Controls and Compliance Alignment
Effective OT removable media security policies integrate technical controls, procedural requirements, and compliance alignment. The table below outlines key policy areas and their corresponding frameworks:
| Policy Area | Recommended Control | Compliance Alignment |
| --- | --- | --- |
| Device Authorization | Whitelist-only USB policy with asset registry | IEC 62443, NIST SP 800-82 |
| Malware Scanning | Dedicated OT-aware media scanning kiosk | NERC CIP-010, IEC 62443-3-3 |
| Vendor Access | Escorted access, pre-scanned media only | IEC 62443-2-1, ISO/IEC 27001 |
| Audit & Logging | Timestamped logs of all media connections | NERC CIP-007, NIST CSF |
| Encryption | Hardware-encrypted drives for authorized users | IEC 62443-4-2, ISO/IEC 27001 |
| Personnel Training | Role-specific OT media security awareness | IEC 62443-2-1, NIST CSF PR.AT |
OT Compliance and Governance: Regulatory Expectations Around Removable Media
Removable media security is not just a best practice; for many industrial organizations, it is a regulatory requirement. Several major compliance frameworks directly address media control requirements in OT and critical infrastructure environments.
NERC CIP Standards
For organizations in the North American electric utility sector, the NERC Critical Infrastructure Protection (CIP) standards include specific requirements under CIP-010 and CIP-007 that address configuration management and system security management respectively. These standards require documented processes for controlling physical media, including removable media, in environments containing Bulk Electric System (BES) Cyber Systems.
IEC 62443
The IEC 62443 series, the international standard for industrial cybersecurity, addresses removable media controls as part of its security level framework. IEC 62443-2-1 specifies requirements for establishing and maintaining a cybersecurity management system for industrial automation and control systems, including policies governing portable and removable media. IEC 62443-3-3 includes system security requirements that address the control of removable media at the system level.
NIST SP 800-82
The National Institute of Standards and Technology's Guide to Industrial Control Systems Security (SP 800-82) specifically identifies removable media as a significant threat vector and provides guidance on implementing controls appropriate for ICS environments, including scanning requirements, authorization processes, and physical security measures for media management.
Organizations that fail to address removable media security in their OT environments face not only operational risk but potential compliance findings, audit failures, and, in regulated sectors, significant financial penalties.
Practical Recommendations: Building an Effective OT Removable Media Security Program
Translating policy intent into operational reality in an OT environment requires a structured, phased approach that accounts for the unique constraints of industrial systems. The following recommendations reflect the practical realities of implementing effective removable media controls without disrupting industrial operations.
1. Establish a Removable Media Asset Registry
Every piece of authorized removable media used in the OT environment should be registered, labeled, and tracked. This includes media provided to vendors for use during maintenance activities. The registry should record device identifiers, authorized users, approved use cases, and the systems in which each device is permitted to operate.
2. Deploy Dedicated OT Media Scanning Kiosks
Physical scanning stations (standalone kiosks with OT-aware threat intelligence) should be deployed at all facility entry points and in proximity to OT work areas. Every piece of removable media entering the environment must be scanned and cleared before connection to any industrial system. This is the single most impactful control an organization can implement for removable media threat prevention in an OT context.
3. Implement USB Port Lockdown on OT Systems
Where operationally feasible, USB ports on OT systems that do not require removable media access should be physically disabled or locked using port-blocking devices. For systems that do require media access, software-based controls should enforce whitelist policies that permit only specifically authorized device identifiers.
4. Formalize Vendor and Contractor Media Protocols
No third-party media should be permitted in the OT environment without pre-authorization and documented scanning. Vendor-supplied media, including firmware updates delivered on USB or SD card, should be treated with the same level of scrutiny as any other external device. Consider providing pre-scanned, organization-controlled media for contractor use rather than permitting the use of contractor-owned devices.
5. Implement Comprehensive Audit Logging
All media connection events in the OT environment should be logged with timestamps, device identifiers, and user information. These logs should be reviewed regularly and retained in accordance with applicable compliance requirements. Anomalies (unexpected media connections, connections outside normal working hours, or connections to systems outside an individual's authorized scope) should trigger immediate investigation.
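As an added illustration of recommendations 1, 3 and 5 (example code written for this post, not code from Shieldworkz or from any kiosk or endpoint product), the following Python script reviews constructed media-connection log lines against a constructed asset registry and flags the three anomaly classes named above. The registry contents, the log line format, the device serials and the working-hours window are all assumptions.

```python
# Constructed example: registry contents, log format and anomaly rules are
# assumptions for illustration, not the output of any real kiosk or agent.
from dataclasses import dataclass
from datetime import datetime

# Asset registry (recommendation 1): serial -> authorized users and systems.
REGISTRY = {
    "USB-0001": {"users": {"jsmith"}, "systems": {"HMI-01", "EWS-01"}},
    "USB-0002": {"users": {"vendor-acme"}, "systems": {"PLC-PROG-01"}},
}
WORK_START, WORK_END = 6, 18  # assumed plant working hours, local time


@dataclass(frozen=True)
class Event:
    ts: datetime
    host: str
    user: str
    serial: str


def parse_line(line: str) -> Event:
    """Parse a constructed line such as
    '2024-03-04T14:02:11 host=HMI-01 user=jsmith serial=USB-0001 action=connect'."""
    ts, *kv = line.split()
    f = dict(part.split("=", 1) for part in kv)
    return Event(datetime.fromisoformat(ts), f["host"], f["user"], f["serial"])


def check_event(ev: Event) -> list:
    """Return the anomaly labels that apply to one connection event."""
    entry = REGISTRY.get(ev.serial)
    if entry is None:
        # Unregistered media fails the whitelist-only policy (recommendation 3).
        return ["unregistered-device"]
    findings = []
    if ev.user not in entry["users"]:
        findings.append("unauthorized-user")
    if ev.host not in entry["systems"]:
        findings.append("system-out-of-scope")
    if not WORK_START <= ev.ts.hour < WORK_END:
        findings.append("outside-working-hours")
    return findings


def review_log(lines) -> dict:
    """Map each anomalous 'connect' line to its findings; clean lines are omitted."""
    result = {}
    for line in (l.strip() for l in lines):
        if line and line.endswith("action=connect"):
            findings = check_event(parse_line(line))
            if findings:
                result[line] = findings
    return result


# Constructed sample log for a stand-alone run.
SAMPLE_LOG = [
    "2024-03-04T14:02:11 host=HMI-01 user=jsmith serial=USB-0001 action=connect",
    "2024-03-04T14:30:00 host=HMI-01 user=jsmith serial=USB-0001 action=disconnect",
    "2024-03-04T23:15:42 host=PLC-PROG-01 user=vendor-acme serial=USB-0002 action=connect",
    "2024-03-05T09:10:05 host=EWS-01 user=mlee serial=USB-0099 action=connect",
    "2024-03-05T10:45:30 host=PLC-PROG-01 user=jsmith serial=USB-0001 action=connect",
]

if __name__ == "__main__":
    for line, findings in review_log(SAMPLE_LOG).items():
        print(", ".join(findings), "<-", line)
```

In a real deployment the registry would be the organization's controlled asset list and the log lines would come from the kiosk or endpoint agent; the review logic stays the same.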
6. Conduct Role-Specific Security Awareness Training
Security awareness in the OT environment must be operationally relevant. Generic cybersecurity training developed for IT audiences often fails to resonate with plant operators, maintenance technicians, and field engineers. Training programs should use scenarios drawn from actual OT environments, address the specific risks associated with removable media in industrial settings, and provide clear, actionable guidance on the organization's policies and enforcement procedures.
How Shieldworkz Supports Organizations in Strengthening Removable Media Security
At Shieldworkz, we work exclusively within the OT, ICS, and critical infrastructure security domain. We understand that securing industrial environments requires more than applying IT security frameworks to OT contexts; it requires purpose-built expertise, operational awareness, and deep familiarity with the industrial systems and processes at stake.
When organizations engage us to address removable media security and broader OT compliance requirements, our approach is grounded in the operational reality of each client's unique environment. Our support includes:
• Conducting in-depth OT removable media risk assessments that map actual media usage patterns, identify unauthorized devices, and evaluate the effectiveness of existing controls against current threat intelligence.
• Developing comprehensive OT removable media security policies tailored to the specific operational requirements, system architecture, and compliance obligations of each facility, including policies for vendor and contractor media access.
• Designing and implementing dedicated media scanning infrastructure, including OT-aware kiosk solutions positioned within operational workflows to maximize adoption and minimize disruption.
• Performing technical hardening of OT endpoints to enforce authorized device controls, port lockdown, and audit logging in environments ranging from modern SCADA platforms to legacy ICS systems.
• Delivering compliance gap assessments aligned with IEC 62443, NERC CIP, NIST SP 800-82, and sector-specific regulatory frameworks, providing organizations with a clear roadmap to achieving and maintaining compliance.
• Providing OT-specific security awareness training programs that equip plant operators, maintenance teams, and security operations personnel with the practical knowledge to identify and respond to removable media threats.
• Supporting ongoing security monitoring and incident response planning for OT environments, ensuring that when a media-related incident does occur, organizations can detect, contain, and recover rapidly.
Our engagements are designed to be practical, non-disruptive, and results-driven, focused on measurable improvement in your organization's security posture rather than theoretical compliance exercises.
Conclusion: The Risk Is Real, and It Is Manageable
Removable media is not a new threat. It is a persistent, well-documented, and consistently exploited attack vector in SCADA and ICS environments, one that has contributed to some of the most consequential industrial cybersecurity incidents in history.
The organizations that have suffered the most significant consequences are not those that lacked the resources to address the risk. They are organizations that underestimated it, delegated it to IT teams without OT expertise, or allowed operational convenience to override security governance.
Effective OT removable media security is achievable. It requires the right policies, the right controls, the right infrastructure, and the right organizational culture, built specifically for the industrial environment. It requires treating every USB drive, every contractor laptop, and every vendor-supplied device as a potential entry point until it has been properly vetted.
The consequences of getting this wrong extend beyond financial loss and regulatory penalty. In industrial environments, they can extend to operational shutdown, environmental harm, and physical injury. The standard of care has never been higher, and the tools to meet it have never been more accessible.
Book a Free Consultation with Our Experts
Your industrial environment deserves more than a generic cybersecurity approach. Removable media threats in OT and SCADA environments require specialized expertise, purpose-built policy frameworks, and ongoing vigilance, not just off-the-shelf software.
Our team at Shieldworkz works directly with OT security leaders, plant managers, CISOs, and ICS engineers to assess your current removable media exposure, design a policy framework aligned with your regulatory requirements, and implement practical, scalable controls, without disrupting your operations.
Additional resources
2026 Shieldworkz OT Security Threat Landscape Report
IEC 62443 - Practical guide for OT/ICS & IIoT security
Remediation Guides