October 14, 2025

NIST publication warns that USB devices pose serious cybersecurity threats to ICS, offers guidance for mitigation

New guidance from NIST (via its NCCoE) warns that USB and other removable storage media pose serious cybersecurity risks in industrial control system (ICS) environments. Because USB drives are often used for maintenance, firmware updates, and data transfers in operational technology (OT) settings, an infected device can easily introduce malware or other threats into critical systems. The document emphasizes that treating external storage as inherently untrusted is essential to prevent disruptions or compromises in safety, integrity, or availability.

To mitigate these risks, the guidance recommends a mix of procedural, physical, technical, and transport/sanitization controls. Procedurally, organizations should limit the use of portable media to authorized personnel and define clear policies for acquisition, usage, and disposal. Physically, media should be inventoried, labeled, and stored in secure locations with access controls. Technically, systems should disable unused ports, enforce allow-listing, require malware scanning, disable autorun, and encrypt data on media; write protection should be used when feasible. During transport or disposal, devices should be encrypted or locked, and sanitization steps (such as reformatting or secure wiping) should be enforced to avoid residual threats.
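To show how the inventory, authorized-personnel, allow-listing, scanning, and encryption controls above can combine into a single check, here is an added example (not code from NIST or the source article). The inventory fields, event format, device identifiers, and the 7-day scan window are all assumptions constructed for illustration.

```python
"""Audit removable-media attach events against an authorized-media inventory."""
from datetime import date, timedelta

MAX_SCAN_AGE = timedelta(days=7)  # assumed site policy, not a value from the guidance

# Constructed inventory keyed by the (vendor ID, product ID, serial) a drive reports.
INVENTORY = {
    ("1234", "abcd", "MEDIA-0001"): {"label": "FW-UPDATE-01", "custodians": {"alice"},
                                     "last_scan": date(2025, 10, 13), "encrypted": True},
    ("1234", "abcd", "MEDIA-0002"): {"label": "HIST-EXPORT-02", "custodians": {"bob"},
                                     "last_scan": date(2025, 9, 1), "encrypted": True},
}

# Constructed attach events, in the shape a host agent or log collector might emit.
EVENTS = [
    {"host": "hmi-01", "user": "alice", "day": date(2025, 10, 14), "vid": "1234", "pid": "abcd", "serial": "MEDIA-0001"},
    {"host": "eng-ws-02", "user": "bob", "day": date(2025, 10, 14), "vid": "1234", "pid": "abcd", "serial": "MEDIA-0002"},
    {"host": "hmi-01", "user": "carol", "day": date(2025, 10, 14), "vid": "ffff", "pid": "0001", "serial": "UNKNOWN-9999"},
    {"host": "hmi-03", "user": "bob", "day": date(2025, 10, 14), "vid": "1234", "pid": "abcd", "serial": "MEDIA-0001"},
]

def evaluate(event, inventory=INVENTORY, max_age=MAX_SCAN_AGE):
    """Return the policy violations for one attach event; an empty list means allowed."""
    media = inventory.get((event["vid"], event["pid"], event["serial"]))
    if media is None:
        # Allow-listing: anything not issued and inventoried is untrusted by default.
        return ["device not in authorized-media inventory"]
    findings = []
    if event["user"] not in media["custodians"]:
        findings.append("user is not an authorized custodian")
    if event["day"] - media["last_scan"] > max_age:
        findings.append("malware scan is older than policy allows")
    if not media["encrypted"]:
        findings.append("media is not encrypted")
    return findings

def audit(events):
    """Evaluate every event and return (host, serial, findings) tuples."""
    return [(e["host"], e["serial"], evaluate(e)) for e in events]

if __name__ == "__main__":
    for host, serial, findings in audit(EVENTS):
        verdict = "ALLOW" if not findings else "BLOCK: " + "; ".join(findings)
        print(f"{host} {serial} {verdict}")
```

Vendor ID, product ID, and serial are self-reported by the device, so a check like this supports the scanning, port-disabling, and physical controls rather than replacing them.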

Source: https://industrialcyber.co/nist/nist-publication-warns-that-usb-devices-pose-serious-cybersecurity-threats-to-ics-offers-guidance-for-mitigation/
