Monitoring removable media devices in Operational Technology environments
Industrial environments control critical systems and are used to handle sensitive data. A security breach caused by a connected removable media device (for example, a USB device) can cause significant financial loss, data theft, and operational disruption.
Avoiding the use of removable media devices helps reduce the ways in which other security controls can be bypassed. In some cases, completely eliminating removable media drives might be impractical; however, monitoring their usage, especially that of unapproved removable media devices, can help you understand how your security controls could be bypassed. This article explains how you can use the Splunk platform to detect connected removable media devices in your critical system environments.
Data required
You'll need to collect data from hosts to monitor the Windows registry. In some cases, the Windows event store might also log removable media share access. To bring in events from the Windows registry it is recommended to use the Splunk Add-on for Microsoft Windows, which already ensures these events are Common Information Model (CIM) compliant. The add-on is most often used with a Splunk universal forwarder on the host.
How to use Splunk software for this use case
Stage 1: Identify OT devices
In this stage, you'll identify source or destination hosts located within the OT environment. This is done by creating a macro called is_ot_device, which takes in a host and then returns true or false to confirm whether the device is in the OT environment.
To do this, you can:
- Use a lookup table that has a list of OT hosts.
- Use a lookup table that has a list of IP ranges for OT devices (for example, when VLANs are used).
- Use a static list of OT devices or characteristics (such as host name pattern or asset type).
Stage 2: Monitor Windows registry for external media devices
Windows hosts modify the registry when external media devices are used. By monitoring the Windows registry for specific keys, you can monitor the use of external USB devices, even on older legacy systems.
Run the following search. You can optimize it by specifying an index and adjusting the time range.
sourcetype=WinRegistry key_path="HKLM\\system\\*controlset*\\enum\\usbstor\\*" registry_type=CreateKey | rex field=key_path "(?i)usbstor\\\(?<DeviceType>[^&]+)&ven_(?<Vendor>[^&]+)&prod_(?<Product>[^&]+)&rev" | search DeviceType="Disk" `is_ot_device(dvc)`=true
Search explanation
The table provides an explanation of what each part of this search achieves. You can adjust this query based on the specifics of your environment.

| Splunk Search | Explanation |
|---|---|
| sourcetype=WinRegistry key_path="HKLM\\system\\*controlset*\\enum\\usbstor\\*" | Search only Windows registry logs, limited to the USBSTOR device enumeration keys. |
| registry_type=CreateKey | Search only for newly created entries in the registry. |
| rex field=key_path "(?i)usbstor\\\(?<DeviceType>[^&]+)&ven_(?<Vendor>[^&]+)&prod_(?<Product>[^&]+)&rev" | Extract the device type, vendor of the device, and product name of the device from the key path. The match is case-insensitive because the key path casing varies between Windows versions. |
| search DeviceType="Disk" | Narrow the results down to only external media drives. |
| `is_ot_device(dvc)`=true | Narrow the results down to hosts within the OT environment. |
Stage 3: Allowlist approved devices
Where the use of some external media devices is allowed, you might not want approved devices showing up on dashboards. By leveraging an allowlisting technique that eliminates approved devices, you can identify only the unauthorized use of removable media devices. This example assumes that approval is based on device type and is also limited to particular hosts.
To create the allowlist, you can:
- Create a lookup table.
- Create a lookup table alias.
- Modify the search to identify only approved devices.
Run the following search. You can optimize it by specifying an index and adjusting the time range.
sourcetype=WinRegistry | rex field=key_path "(?i)usbstor\\\(?<DeviceType>[^&]+)&ven_(?<Vendor>[^&]+)&prod_(?<Product>[^&]+)&rev" | search DeviceType="Disk" | eval device_id=Vendor." ".Product | lookup approved_removable_media device_id, host OUTPUT is_approved | fillnull value="false" is_approved | search is_approved="false"
Search explanation
The table provides an explanation of what each part of this search achieves. You can adjust this query based on the specifics of your environment.

| Splunk Search | Explanation |
|---|---|
| sourcetype=WinRegistry | Search only Windows registry logs. |
| rex field=key_path "(?i)usbstor\\\(?<DeviceType>[^&]+)&ven_(?<Vendor>[^&]+)&prod_(?<Product>[^&]+)&rev" | Extract the device type, vendor of the device, and product name of the device from the key path. |
| search DeviceType="Disk" | Narrow the results down to only external media drives. |
| eval device_id=Vendor." ".Product | Create a device_id (vendor and product joined by a space) to look up. |
| lookup approved_removable_media device_id, host OUTPUT is_approved | Search in the lookup table to see if the specific device_id and host combination is approved. approved_removable_media is the name assumed here for the lookup definition you created in the previous step; substitute your own. This assumes the combination of host and device_id is unique. |
| fillnull value="false" is_approved | If the host and device are not in the table, assume the use of the external media device is not approved. |
| search is_approved="false" | Filter down to only devices that are unapproved. |
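As an added example (not code from the article or from any Splunk add-on), the Python below re-implements the logic of the three stages outside Splunk, so the key-path extraction and the allowlist semantics can be checked against constructed events before you deploy the searches. The OT host list, the OT IP range, the allowlist entries and the events are all assumed sample data.

```python
import ipaddress
import re

# Constructed sample WinRegistry-style events (not real data); fields mirror those the
# article's searches use. The OT host list, IP range and allowlist are also constructed.
EVENTS = [
    {"host": "plc-hmi-01", "ip": "10.50.1.20", "registry_type": "CreateKey",
     "key_path": r"HKLM\system\currentcontrolset\enum\usbstor\Disk&Ven_Kingston&Prod_DataTraveler&Rev_1.00\0123456789&0"},
    {"host": "plc-hmi-01", "ip": "10.50.1.20", "registry_type": "CreateKey",
     "key_path": r"HKLM\system\currentcontrolset\enum\usbstor\Disk&Ven_SanDisk&Prod_Cruzer&Rev_8.02\9876543210&0"},
    {"host": "corp-laptop-7", "ip": "10.1.4.9", "registry_type": "CreateKey",
     "key_path": r"HKLM\system\currentcontrolset\enum\usbstor\Disk&Ven_SanDisk&Prod_Cruzer&Rev_8.02\1111&0"},
    {"host": "eng-ws-02", "ip": "10.50.2.7", "registry_type": "CreateKey",
     "key_path": r"HKLM\system\currentcontrolset\enum\usbstor\CdRom&Ven_Generic&Prod_DVD&Rev_1.00\5555&0"},
    {"host": "eng-ws-02", "ip": "10.50.2.7", "registry_type": "SetValue",
     "key_path": r"HKLM\system\currentcontrolset\enum\usbstor\Disk&Ven_Kingston&Prod_DataTraveler&Rev_1.00\0123456789&0\FriendlyName"},
]
OT_HOSTS = {"plc-hmi-01"}                                    # Stage 1: explicit OT host list
OT_RANGES = [ipaddress.ip_network("10.50.0.0/16")]           # Stage 1: OT VLAN range
ALLOWLIST = {("plc-hmi-01", "Kingston DataTraveler"): True}  # Stage 3: (host, device_id)

# Same extraction the article's rex performs on key_path: device type, vendor, product.
USBSTOR_RE = re.compile(
    r"(?i)usbstor\\(?P<DeviceType>[^&\\]+)&ven_(?P<Vendor>[^&]+)&prod_(?P<Product>[^&]+)&rev")

def is_ot_device(host, ip):
    """Equivalent of the is_ot_device macro: OT host list or OT IP range."""
    return host in OT_HOSTS or any(ipaddress.ip_address(ip) in net for net in OT_RANGES)

def extract_device(key_path):
    """Return {'DeviceType', 'Vendor', 'Product'} for a USBSTOR key path, else None."""
    m = USBSTOR_RE.search(key_path)
    return m.groupdict() if m else None

def unapproved_removable_media(events):
    """Stages 2 and 3: newly created USBSTOR Disk keys on OT hosts, minus the allowlist."""
    findings = []
    for ev in events:
        if ev["registry_type"] != "CreateKey":               # registry_type=CreateKey
            continue
        dev = extract_device(ev["key_path"])
        if not dev or dev["DeviceType"].lower() != "disk":   # search DeviceType="Disk"
            continue
        if not is_ot_device(ev["host"], ev["ip"]):           # `is_ot_device(dvc)`=true
            continue
        device_id = f"{dev['Vendor']} {dev['Product']}"      # eval device_id=Vendor." ".Product
        # lookup + fillnull: combinations missing from the allowlist count as unapproved
        if not ALLOWLIST.get((ev["host"], device_id), False):
            findings.append((ev["host"], device_id))
    return findings
```

Running unapproved_removable_media(EVENTS) returns only the SanDisk Cruzer on plc-hmi-01: the Kingston device is allowlisted, the corporate laptop is outside the OT ranges, the CdRom is not a disk, and the SetValue event is not a new key.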
Next steps
The dashboard below shows an example of how you can monitor removable media devices to identify all usage of USB removable media devices.
You might want to consider using additional correlations to create more proactive processes around the use of removable media. For instance, an alert could be set up to email or create a service ticket to investigate immediately. It might be useful to append data from an additional search to identify the current user logged into a machine in order to reduce investigation time.
Using Sysmon with the Splunk Add-on for Sysmon can also provide additional logs to help monitor OT systems for other suspicious activity related to removable media.
Other resources you might find helpful include:
- The OT Security Add-on for Splunk provides additional dashboards for monitoring the usage of removable media. The add-on also provides specific correlation searches to generate notables or leverage risk based alerting, as well as detections from endpoint protection products and monitoring of file share access.
- The CISO’s guide to complete security for industrial control systems might be useful to identify key areas of focus for protecting OT and industrial control system environments.
- Use case: Removable devices connected to a machine
- Use case: File added to the system through external media