Cyber Safe Removable Memory Devices

As Coronavirus COVID-19 continues to challenge our industry, it’s important we don’t lower our guard against digital viruses. Michael Barrett, MD of Nexus Industrial Memory, explains how ‘going industrial’ can improve the security of applications that use removable memory devices.

Cybersecurity is a growing concern in all sectors and the electronics industry is considered particularly at risk because it comprises many SMEs, sole traders, freelancers and consultants that, unlike large organisations, are less likely to have robust cybersecurity measures in place.

These SMEs and individuals are essential links in the supply chain. Whether they are trading commodities, such as materials and components, or offering support services, all have essential roles to play. They are also parts of the increasingly ‘cloud-based machine’ that keeps the industry alive and well.

Even though all businesses have been severely disrupted by Coronavirus COVID-19, it is important that we do not become complacent where digital viruses and the role they play in cyber-attacks are concerned. Digital threats have not gone away. Indeed, they are on the increase, as is the level of sophistication of the attacks.

Risk Management

The UK Government’s Cyber Security Breaches Survey 2020 reported that 46% of UK businesses had been hit by a cyberattack in the past year – noting that the survey was conducted in late 2019 – and that almost half of those lost data or money as a result.

On the plus side, the survey also identifies “…a growing resilience to cyber-attacks, based on the changes that businesses have made over the last five years.” Increased awareness partly fuelled that trend, and a prime example is the National Cyber Security Centre’s 10 Steps to Cyber Security, at the heart of which is the recommendation that all companies establish a risk management regime.

The guide offers all the advice expected around network security, AVS on computing platforms and increased vigilance. One of the 10 steps is to control the use of removable media, the most common form factor of which is the USB drive/stick, and to secure against data loss. Again, the National Cyber Security Centre has advice to give, this time in its Secure Sanitisation of Storage Media. It defines sanitisation as “…the process of treating data held on storage media to reduce the likelihood of retrieval and reconstruction to an acceptable level.”

For removable media the sanitisation must be more than a standard ‘erase’, as there are ways of recovering deleted data. Device re-formatting is one sanitisation option, but it may damage the device. That may not be a problem, though, as the guide also talks of destruction as a sure-fire means of sanitisation.

The guide also acknowledges the importance of data encryption for devices at risk of loss or theft. Standard USB drives can be encrypted using tools like BitLocker, which is included within Windows 10, for example.

Under Attack

Another security risk around the use of USB drives in industry is the introduction of programs that steal data. A targeted data theft attack would work as follows. An executable program is placed on several USB drives, which are then left at venues frequented by the employees of a targeted company. The program executes automatically as soon as the drive is plugged into a computer. A second program is then copied to the computer, where it executes and provides the hacker with remote access to the company’s network.

However, some hackers are not interested in accessing your data. They don’t want you to either. Increasingly favoured by cyber-criminals, ransomware prevents users from accessing their files by encrypting them. A key is needed to decrypt the files, which will be supplied (though there’s no guarantee) upon receipt of payment through a mechanism, such as the cryptocurrency Bitcoin, that affords the hacker a high degree of anonymity.

Moreover, ransomware can lie dormant for a specific time period or until certain conditions are met. This means it might get backed up. Some viruses, like ‘Locker’, are sleepers. Also, it was reported in 2019 that the WannaCry ransomware worm that hit the UK’s NHS and many businesses so hard in 2017 is still around on the internet.

An even more malicious virus is one that hunts a network for specific controller software with the aim of shutting down key hardware. For example, the Stuxnet virus (though many now regard it as weaponised malware) was designed to spread through PCs running Windows and hunt for Siemens Step 7 software, which runs on programmable logic controllers (PLCs). The malware provides instructions to the PLCs that cause damage to hardware and it is believed that power stations were a target, with many of Iran’s nuclear centrifuges damaged in 2010.

Industrial for a Reason

As mentioned, if you are worried about the loss or theft of a USB drive containing sensitive data, encryption is an option. However, to counter the other threats discussed in this article it is worth considering moving away from the USB form factor. Note: a USB port, whether on an office PC or an industrial controller, is a data interface. Subject to the levels of security (both physical and software) on the platforms, a portable computing device and a USB cable might be enough to steal data or introduce malware.

Industrial removable memory devices are available that are still USB ‘inside’, i.e. they contain Flash memory and the communication protocols are the same. However, the form factor is different. For example, Datakey UFX memory tokens (see figure 1) employ the USB 2.0 high speed comms protocol and have memory capacities ranging from 4 to 64Gbyte.

If a UFX drive containing sensitive information were to be lost or stolen, it is extremely unlikely the finder would have a receptacle with which to interface with the device. Similarly, equipment fitted with UFX receptacles will only interface with UFX drives. Moreover, unlike consumer USB drives, the UFX has a fixed USB vendor address and Product ID that can be used for authentication. Another option is to move away from the USB comms protocol, in which case devices that use serial interfaces like SPI or SD are available but have an industrial form factor.
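An added example, not from the article or from the device vendor: a host-side allowlist check of the kind a fixed vendor and product ID makes possible. The ID values and the inventory line format are constructed placeholders, since the article does not give the token's real IDs.

```python
"""Allowlist check for removable storage by USB vendor ID / product ID."""
import re

# Placeholder pair: the article does not state the token's real IDs.
ALLOWED_STORAGE = {("1234", "abcd")}   # constructed (vendor, product)
MASS_STORAGE_CLASS = "08"              # USB class code for mass storage

# Constructed inventory, one device per line:
#   <vid>:<pid> <interface classes, comma separated> <label>
# On a Linux host these fields correspond to the sysfs attributes
# idVendor, idProduct and bInterfaceClass.
SAMPLE = """\
1234:abcd 08 industrial memory token
0aaa:0001 08 consumer flash drive
1234:ABCD 08,03 token IDs plus an extra HID interface
0bbb:0002 03 keyboard
12g4:abcd 08 malformed vendor id
"""

LINE = re.compile(
    r"^([0-9a-fA-F]{4}):([0-9a-fA-F]{4})\s+([0-9a-fA-F,]+)\s+(.*)$"
)


def decide(line):
    """Return the policy decision for one inventory line."""
    m = LINE.match(line.strip())
    if not m:
        # Fail closed: anything that cannot be parsed is not trusted.
        return "reject: unparseable descriptor"
    vid, pid = m.group(1).lower(), m.group(2).lower()
    classes = set(m.group(3).lower().split(","))
    if MASS_STORAGE_CLASS not in classes:
        return "ignore: not a storage device"
    if (vid, pid) not in ALLOWED_STORAGE:
        return "reject: storage device not on allowlist"
    if classes != {MASS_STORAGE_CLASS}:
        # Right IDs, but the device offers more than storage.
        return "reject: allowlisted IDs but unexpected interfaces"
    return "allow"


def audit(text):
    """Evaluate every non-empty line of an inventory."""
    return [decide(l) for l in text.splitlines() if l.strip()]


if __name__ == "__main__":
    for line, verdict in zip(SAMPLE.splitlines(), audit(SAMPLE)):
        print(f"{verdict:50} <- {line}")
```

The vendor and product IDs are values the device reports about itself, so a check like this filters out ordinary consumer drives rather than proving identity cryptographically.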

Where removable memory devices are used for access control and controlling user privileges – and where a high memory capacity tends not to be a requirement – devices are available that employ Microchip’s CryptoAuthentication™ ICs – see figure 2.

In summary, it is the wide availability of USB drives that makes them attractive to hackers, and an ideal vehicle for introducing malware into a company from within its IT firewall. As a minimum, if your operations rely on removable memory devices, move away from the USB form factor. Industrial applications warrant industrial devices.

This article appeared in the June 2020 issue of Electronics Components Sourcing magazine. It appeared in print, is online and is reproduced on our site here.