Monitoring USB Usages in OT Environments
August 16, 2023
Industrial control systems are vital infrastructures that need strict security protocols, particularly those that operate in operational technology (OT) environments. Using USB devices in these settings raises security concerns, since such devices can introduce malware or provide unapproved access.
Background
Organizations can use event tracing to implement USB monitoring as a solution to this problem. In this article, we will cover the relevance of monitoring USB usage in OT contexts, the benefits of event tracing, and a step-by-step tutorial on setting up an event tracing system. Windows has a general-purpose, high-speed tracing feature called Event Tracing for Windows (ETW). To offer a tracing method for events raised by both user-mode programmes and kernel-mode device drivers, it uses a buffering and logging system implemented in the kernel. Furthermore, ETW can be dynamically enabled and stopped, making it simple to conduct thorough tracing on production systems without reboots or application restarts. An asynchronous writer thread writes per-processor buffers to disc as part of the logging system. Because of this buffering, large-scale server applications can write events with minimal disruption.
The Significance of Monitoring USB Usages in OT Environments
USB devices are frequently used in OT environments for a variety of tasks, including data transfer, configuration changes, and software updates. However, this brings security risks such as malware introduction, data exfiltration, and unauthorized access to vital systems. It’s critical to keep an eye on USB usage in OT environments for the following reasons:
- Threat Detection: By monitoring USB events, administrators can notice suspicious actions, such as unauthorized USB device insertion or attempts to access critical information.
- Compliance and Audit: Monitoring USB activity helps meet the compliance criteria mandated by several industrial sectors, and it provides an audit record of all USB-related actions for future reference.
- Incident Response: In the event of a security breach, examining USB-related event logs supports forensics and incident response, helping determine the scope and cause of the attack.
Setting up USB Event Tracing
Here’s a step-by-step guide to setting up USB event tracing in OT environments:
- Ascertain which systems in the OT environment need USB monitoring. These may include workstations, servers, and critical industrial control systems.
- Choose an event tracing tool that supports USB event monitoring. Microsoft Windows provides Event Tracing for Windows (ETW); on Linux, options include ftrace and SystemTap.
- Configure the chosen tracing tool to enable USB event logging. On Windows, use the “Microsoft-Windows-USB-USBHub” provider. On Linux, enable USB event tracing with ftrace or SystemTap, depending on the tool you selected.
- Configure event filters to record specific USB events of interest, such as device insertion, file transfers, or any unusual behavior.
- Forward the gathered event logs to a centralized log management system for storage and analysis. This ensures that all USB-related events are consolidated for simpler tracking and searching.
- Set up real-time notifications that alert administrators to questionable USB activity based on pre-established patterns or rules.
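The Windows side of the procedure above, as an added example that is not part of the original article: a logman-created ETW session for the Microsoft-Windows-USB-USBHub provider, a CIM subscription filtered to USB Plug and Play arrivals, a JSON-lines file a log forwarder can ship centrally, and a warning for any device not on an approved list. The session name, staging directory, allowlist entries and alert file path are assumptions; local administrator rights are assumed.

```powershell
# Added example (not from the article). Assumes local administrator rights;
# the directory, session name and allowlist values below are placeholders.

$SessionName = 'OT-USB-Trace'
$TraceDir    = 'C:\OTTraces'                    # assumed staging directory for the log forwarder
$Provider    = 'Microsoft-Windows-USB-USBHub'   # provider named in the article
$AllowList   = @('USB\VID_0000&PID_0000')       # placeholder: approved hardware IDs (prefix match)
$AlertFile   = Join-Path $TraceDir 'usb-alerts.jsonl'

New-Item -ItemType Directory -Path $TraceDir -Force | Out-Null

# Enable USB event logging through ETW into a 64 MB circular .etl file.
logman create trace $SessionName -p $Provider -o (Join-Path $TraceDir 'usb.etl') -f bincirc -max 64 -ets

# Filter: only Plug and Play arrivals whose device instance path starts with USB.
$Query = "SELECT * FROM __InstanceCreationEvent WITHIN 5 " +
         "WHERE TargetInstance ISA 'Win32_PnPEntity' " +
         "AND TargetInstance.PNPDeviceID LIKE 'USB%'"

Register-CimIndicationEvent -Query $Query -SourceIdentifier 'OT-USB-Arrival' `
    -MessageData @{ AllowList = $AllowList; AlertFile = $AlertFile } -Action {
    $dev  = $Event.SourceEventArgs.NewEvent.TargetInstance
    $data = $Event.MessageData
    $approved = $false
    foreach ($prefix in $data.AllowList) {
        if ($dev.PNPDeviceID.StartsWith($prefix, 'OrdinalIgnoreCase')) { $approved = $true }
    }
    # One JSON line per event so a log forwarder can ship it to the central system.
    $record = [ordered]@{
        time     = (Get-Date).ToString('o')
        host     = $env:COMPUTERNAME
        deviceId = $dev.PNPDeviceID
        name     = $dev.Name
        approved = $approved
    } | ConvertTo-Json -Compress
    Add-Content -Path $data.AlertFile -Value $record
    if (-not $approved) {
        Write-Warning "Unapproved USB device connected: $($dev.Name) [$($dev.PNPDeviceID)]"
    }
}

# When monitoring ends:
#   Unregister-Event -SourceIdentifier 'OT-USB-Arrival'
#   logman stop $SessionName -ets
```

The .etl file can be converted with tracerpt for offline review, while the JSON-lines file is the record to forward to the central log management system.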