
The National Cybersecurity Center of Excellence (NCCoE) at the U.S. National Institute of Standards and Technology (NIST) on Tuesday released a draft of the first publication in its new OT Security Series. The document gives manufacturers and operational technology (OT) operators guidance on managing the use of USB (universal serial bus) storage devices, which are useful for moving data into and out of isolated environments but pose serious cybersecurity risks if not properly controlled.

The two-page draft is part of NIST’s broader effort to deliver concise, actionable resources tailored to the specific challenges of securing OT systems. Public comments on the draft are open through Aug. 14.

Titled ‘Special Publication (SP) 1334, Reducing the Cybersecurity Risks of Portable Storage Media in OT Environments,’ the guidance notes that USB devices are commonly used to move data in and out of OT environments where network connectivity is limited or prohibited, but that the same devices create pathways for malware, data leakage, and other forms of compromise. SP 1334 emphasizes practical controls, both physical and logical, to mitigate these risks and support more secure OT operations.

The NCCoE developed the considerations to help OT personnel use portable storage media securely and effectively. They cover four areas: procedural controls, physical controls, technical controls, and transport and sanitization.

Under procedural controls, SP 1334 recommends that an organization develop clear policies enforcing secure handling of portable storage media across its lifecycle. All media should be purchased, authorized, and managed by the organization; devices obtained from outside sources should be treated as untrusted and prohibited from use.

Organizations should prioritize procuring storage devices that support hardware-based encryption, preferably FIPS-validated, to protect sensitive data. Use of portable media should be prohibited unless explicitly authorized, and authorization should be limited to designated personnel and defined purposes, reducing unnecessary exposure.

Comprehensive procedures should cover provisioning, usage, secure storage, sanitization, and final destruction of media so that control is maintained throughout the device’s lifespan. Systems should be configured to log media use for traceability, including the user identity, the device serial number, and the date and time of access or use. Finally, all staff should be trained on these policies and procedures to reduce the risk of human error or policy violations.

The OT Security Series document identifies strong physical controls over access, labeling, and storage of the devices as one way to minimize risk. All media should be kept in a physically secure location accessible only to authorized individuals, and access should be restricted and monitored to prevent unauthorized handling or tampering.

The SP 1334 guidance added that approved portable storage media should be clearly labeled. Labels can indicate who is authorized to use the device, which network or system it is permitted on, and its specific functional purpose. This helps ensure devices are only used as intended and by the right personnel. Establishing a designated storage area for approved media, paired with strict access controls and clear labeling, lays the foundation for a strong and well-enforced set of physical controls.

The OT Security Series publication recommends aligning media protection with NIST SP 800-82, the Guide to Operational Technology (OT) Security, particularly when implementing technical controls to reduce cybersecurity risks. Organizations should block or disable ports such as USB ports and CD/DVD drives on machines that are not authorized to use portable storage media, either with physical port blockers or by logically disabling the ports through system settings or device management tools.

All media should be scanned both before and after use, with automated malware scanning performed by up-to-date detection software. Where an OT device cannot run a scanner itself, alternatives such as a dedicated kiosk-based scanning station should be considered.

Before a portable storage device is reused across different systems or environments, it should be reformatted to prevent cross-contamination. If files only need to be read, write protection should be enabled so that the host it is plugged into cannot alter or infect the media. Autorun features should be disabled so that code on inserted media cannot execute automatically. Finally, any data stored on portable storage media should be encrypted with a FIPS-compliant algorithm so that it remains confidential even if the device is lost or stolen.

The SP 1334 document also explains that transporting portable storage media within or between organizations introduces additional risk, which can be mitigated through both physical and logical controls. During internal transport, USB devices should be protected by encryption or carried in locked containers to prevent unauthorized access. When files are transferred, for example between an integrator and an asset owner, hash or checksum verification should be performed to confirm file integrity and detect tampering.
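The hash-verification step above is easy to get wrong in one way: a checksum only detects tampering if the expected values reach the receiver over a channel the courier of the media cannot also alter (a separately sent or signed manifest); a checksum file written to the same stick only catches accidental corruption. The following is an added example written for this article, not code from NIST or SP 1334. It builds a `sha256sum`-compatible manifest on the sender side, then verifies the media on the receiver side and reports each file as ok, modified, missing, or unexpected (present on the media but never listed by the sender). The directory layout, file names, contents and the tampering scenario are constructed for the demonstration.

```python
"""SHA-256 manifest check for files moved by portable media.

Sender (e.g. the integrator) builds a manifest; receiver (the asset owner)
verifies the media against it. Example code written for this article, not
part of NIST SP 1334. Paths, file names and contents below are constructed.
"""
from __future__ import annotations

import hashlib
import tempfile
from pathlib import Path

CHUNK = 1024 * 1024  # hash in 1 MiB pieces so large firmware images need not fit in memory


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root: Path) -> dict[str, str]:
    """Map every file under root (relative POSIX path) to its SHA-256 hex digest."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def write_manifest(manifest: dict[str, str], dest: Path) -> None:
    # Same line format as `sha256sum`, so the receiver can also check with `sha256sum -c`.
    dest.write_text("".join(f"{digest}  {name}\n" for name, digest in manifest.items()))


def read_manifest(src: Path) -> dict[str, str]:
    manifest: dict[str, str] = {}
    for line in src.read_text().splitlines():
        if not line.strip():
            continue
        digest, name = line.split("  ", 1)
        if len(digest) != 64 or set(digest) - set("0123456789abcdef"):
            raise ValueError(f"malformed digest in manifest line: {line!r}")
        manifest[name] = digest
    return manifest


def verify(root: Path, manifest: dict[str, str]) -> dict[str, str]:
    """Classify each file as 'ok', 'modified', 'missing' or 'unexpected'.

    'unexpected' flags files present on the media that the sender never listed,
    e.g. an autorun.inf dropped onto the stick in transit.
    """
    present = build_manifest(root)
    results: dict[str, str] = {}
    for name, expected in manifest.items():
        actual = present.get(name)
        if actual is None:
            results[name] = "missing"
        elif actual == expected:
            results[name] = "ok"
        else:
            results[name] = "modified"
    for name in present:
        if name not in manifest:
            results[name] = "unexpected"
    return results


def demo() -> dict[str, str]:
    """Constructed scenario: manifest built, media altered in transit, then verified."""
    with tempfile.TemporaryDirectory() as tmp:
        media = Path(tmp) / "usb"
        (media / "plc").mkdir(parents=True)
        (media / "plc" / "logic_v12.bin").write_bytes(b"\x00\x01\x02 constructed PLC program image")
        (media / "plc" / "config.xml").write_text("<config station='3'/>\n")
        (media / "readme.txt").write_text("constructed release note\n")

        manifest = build_manifest(media)
        # The manifest must travel separately from the media (e-mail, signed document,
        # read back by phone); a manifest stored on the same stick can be rewritten by
        # whoever rewrites the files.
        manifest_file = Path(tmp) / "delivery.sha256"
        write_manifest(manifest, manifest_file)

        # Tampering in transit: one byte flipped, one file removed, one file added.
        image = media / "plc" / "logic_v12.bin"
        data = bytearray(image.read_bytes())
        data[0] ^= 0xFF
        image.write_bytes(bytes(data))
        (media / "readme.txt").unlink()
        (media / "autorun.inf").write_text("[autorun]\nopen=setup.exe\n")

        return verify(media, read_manifest(manifest_file))


if __name__ == "__main__":
    for name, status in sorted(demo().items()):
        print(f"{status:10s} {name}")
```

Reporting unexpected files matters as much as reporting modified ones: a manifest check that only looks at listed files will happily pass a stick that gained an extra executable on the way, which is exactly what the autorun guidance in SP 1334 is meant to stop.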

Before any storage media is disposed of, it must be properly sanitized, and the sanitization process itself should be monitored, reviewed, approved, tracked, and documented.

In conclusion, the initial NCCoE OT Security Series publication underscores that organizations can reduce the cybersecurity risks of USB device use in OT environments by enforcing secure physical and logical controls over access, storage, and usage, along with providing targeted training on safe and effective USB handling.

Last month, NIST noted a growing convergence between OT and IT, driven by the rise of the Internet of Things (IoT) and internet-connected equipment that was once isolated. OT infrastructure covers programmable systems and devices that directly interact with or control the physical environment. Spanning industrial control systems (ICS), building automation, transportation networks, access control, and systems for monitoring or measuring physical conditions, these systems have longer life cycles, are sometimes difficult to access, and increasingly connect to broader networks rather than operating in isolation.