USB risks in industrial and OT environments

USB devices are everywhere. From flash drives you keep on your keychain, to a tool used to update industrial machinery, these small, convenient gadgets have become part of our daily digital lives. But for all their usefulness, USBs can also be a serious cyber security risk, especially in industrial and operational technology (OT) environments.
While IT systems often have strong protections in place, OT environments like factories, power stations, or water treatment facilities often prioritise availability and safety over digital security. That leaves a gap, and USBs can easily sneak threats into those systems. In this blog, we’ll look at how USBs can be used to carry out cyberattacks, walk through a few real-world examples that caused major disruption, and share some practical tips to help protect your systems.
Why USB devices are a serious threat in industrial and OT settings
At first glance, USB drives might seem harmless. They’re affordable, easy to use, and often the go-to solution for transferring files, backing up data, or installing software. In the world of industrial and OT systems, however, they can be one of the most overlooked and dangerous entry points for cyber threats.
- They can slip past network security
Many industrial systems are kept offline (air-gapped) to stay safe from online attacks. A USB drive doesn’t need the internet – it plugs straight into the machine, giving malware a shortcut past all your firewalls and network defenses.
- They’re easy carriers for malware
From ransomware to remote access trojans, USBs can carry nasty digital hitchhikers. Some malware even hides deep inside the USB’s firmware, meaning antivirus tools might not spot it at all. In some cases, all it takes is plugging the drive in.
- They can cause physical damage
Malware can do more than just steal data or lock up systems. In OT environments, it can go further, targeting physical equipment. A notable example is the Stuxnet attack, where infected USBs damaged real-world nuclear centrifuges.
- Human habits increase USB dangers
People tend to trust USBs, especially their own. Contractors, engineers, or well-meaning staff might plug in a personal device without thinking twice. Without strong policies or awareness, this kind of mistake can open the door to serious threats.
- Firmware-level attacks are hard to detect
Some attackers go a step further by reprogramming a USB’s firmware (called a “BadUSB” attack). The drive might look like a keyboard, network adapter, or something else entirely, and silently launches commands the moment it’s connected.
These risks combine to make USB devices one of the weakest links in industrial cyber security. They may be small and simple, but without proper controls and awareness, they can lead to very big problems.
Real-world USB risks: Incidents in OT environments
Malware infection at two US power plants (2012)
In 2012, two major power plants in the US were unexpectedly impacted by something as seemingly innocuous as a USB flash drive. At the first plant, an employee had a habit of using his personal USB stick to back up control system settings – a routine task. It is reported that one day, he noticed the drive was acting strange and handed it over to the IT team to investigate. They subsequently discovered the problem: the USB was infected with malware.
Within the same year, a similar scenario surfaced at a second facility. A contractor arrived on-site to perform scheduled maintenance and used his own USB drive to upload some software updates. Unbeknownst to him, that drive was already carrying “crimeware”, malicious software designed for cybercrime. Once plugged in, the malware quietly made its way into the plant’s control systems.
Impact
- The impact of these intrusions wasn’t limited to corporate PCs – the infected machines were critical parts of plant operations. The malware compromised core control interfaces, and engineers had no choice but to shut systems down completely.
- At one of the plants, the restart process took nearly three weeks, resulting in major delays, unplanned expenses, and reputational damage.
- The incident was a wake-up call for utility providers and infrastructure managers across the country: even one overlooked USB stick could grind an entire facility to a halt.
Lesson
Routine tasks like software updates or data backups may seem harmless, but if USB use isn’t strictly managed and monitored, one small mistake can lead to weeks of disruption and huge operational costs.
Stuxnet: USB-originated cyberattack causes physical damage (2010)
In 2010, cyber security researchers discovered a sophisticated worm that had been deliberately engineered to sabotage Iran’s uranium enrichment efforts. The worm arrived on USB drives, smuggled into high-security, air-gapped systems.
Once inside, Stuxnet quietly targeted Siemens PLCs (Programmable Logic Controllers), specifically those that regulated centrifuges. It manipulated rotational speeds while sending fake feedback to operators, making everything look normal on-screen while the hardware was being destroyed in the background.
Impact
- Stuxnet destroyed roughly 1,000 centrifuges, reportedly setting back Iran’s nuclear program by two years or more.
- It showed the world that a cyberattack could cross into the physical realm, causing destruction without a single bomb or bullet.
- No one has officially claimed responsibility, but credible investigations allegedly link it to a joint operation between the US and Israel.
- It remains one of the most consequential cyber security events in modern history, often referred to as the first cyber weapon.
Lesson
USBs can be delivery vehicles for nation-state-level cyberweapons and can be used to cripple entire national infrastructures.
Fanny Worm and Copperfield Campaign: Stealthy attacks on air-gapped systems
Before Stuxnet made headlines, the Fanny worm laid the groundwork for future cyberattacks. Discovered by researchers in the wild, Fanny was like a scout, creeping through air-gapped industrial systems using USB drives as its foot in the door.
Once inside, Fanny didn’t cause an immediate stir. Instead, it mapped out network topologies and created backdoors for future attacks. It also exploited two Windows vulnerabilities, the same ones later used by Stuxnet. This similarity to the major attack has raised a compelling question: were these two attacks somehow connected?
As time went on, the Copperfield campaign picked up where Fanny left off, using USB-based remote access trojans (RATs) like H-Worm. These tools allowed attackers to silently infiltrate and control systems across critical Middle Eastern infrastructure.
Impact
- Attackers gained long-term, undetected access to SCADA systems, which control sensitive industrial processes like manufacturing and energy production.
- Over time, they quietly siphoned off valuable blueprints, protocols, and credentials, likely passing them on to foreign intelligence agencies.
- The scariest part? Victim organisations didn’t realise they were compromised for months or even years.
Lesson
USB threats aren’t always loud or obvious. Some are designed to be stealthy, systematically collecting your organisation’s secrets, often before you even notice anything’s wrong.
Rising USB-borne threats in industrial systems (2020–2022)
Between 2020 and 2022, the number of USB-borne threats targeting industrial systems surged, and the trend isn’t slowing down. According to detailed reports from Honeywell, more than half of the threats detected in 2022 (52%) came through removable media like USB drives.
Unlike earlier attacks such as Stuxnet or the Fanny worm, which were said to be backed by nation-states, today’s USB threats are being deployed by organised cybercriminals. These attackers are financially driven and armed with sophisticated, off-the-shelf malware kits that can cause real damage, including:
- Ransomware loaders that target OT systems and lock them down until a ransom is paid.
- Trojans that sneak into networks, stealing critical files like PLC configurations and login credentials.
- Data exfiltration tools that silently copy and send sensitive information without anyone noticing.
Impact
- Industrial facilities across various sectors reported severe disruptions after infected USBs made their way into control systems.
- In some cases, attackers used USB sticks to plant ransomware that shut down operations, locking users out of essential systems and demanding six-figure ransoms to restore access.
- Even more alarming, this malware wasn’t confined to just one area. It had the ability to jump across segmented networks, reaching deeper into critical control layers despite the presence of layered defenses.
Lesson
These kinds of attacks make it clear: USB threats are no longer rare or niche. They’ve become a core part of the cybercrime playbook, and any organisation with OT or ICS systems is fair game. What used to be a nation-state tactic is now a commodity for hire, and the consequences are getting more serious by the day.
10 security controls to mitigate USB risks
So, what can be done? Given the severe consequences of USB-based attacks, organisations must implement robust controls to reduce risk:
1. Establish and enforce USB usage policies: Limit USB device usage strictly to authorised personnel and systems. Ban or restrict personal and unknown USB devices in critical environments.
2. Disable autorun and autoplay features: Prevent automatic execution of malicious programs when USB devices are connected.
3. Use endpoint protection with USB activity monitoring: Deploy security tools that can detect, log, and block suspicious USB activity in real time.
4. Encrypt and digitally sign USB content: Ensure that only verified and encrypted data can be loaded from USB devices.
5. Regularly patch and update OT systems: Maintain up-to-date firmware, antivirus software, and security patches on all industrial systems.
6. Physically secure USB ports: Disable or physically block unused USB ports to reduce attack surface.
7. Conduct employee training and awareness programs: Educate staff and contractors on the dangers of USB devices and safe handling practices.
8. Use company-issued secure USB devices: Provide hardened, pre-approved USB devices with access control mechanisms.
9. Implement network segmentation: Isolate OT systems from IT networks to limit malware spread if an infection occurs.
10. Conduct periodic audits and incident response drills: Regularly review USB usage and test response plans for potential USB-borne threats.
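As an added example (not code from the original post or from Secolve), the script below shows what controls 1, 3 and 8 look like when enforced in software: it parses constructed USB enumeration log lines, allowlists company-issued drives by serial number, and flags the BadUSB pattern described earlier, a storage device that also enumerates a keyboard (HID) interface. The log format, the allowlist and the function names are assumptions made for this example.

```python
import re
# Constructed sample log for this example, modelled loosely on Linux kernel USB
# enumeration messages (the "Interface" lines are a simplification).
SAMPLE_LOG = """\
usb 1-1: New USB device found, idVendor=0781, idProduct=5583
usb 1-1: SerialNumber=4C530001234567890123
usb 1-1: Interface 0: class=08 (Mass Storage)
usb 1-2: New USB device found, idVendor=1a2b, idProduct=3c4d
usb 1-2: SerialNumber=ENGSTICK-77
usb 1-2: Interface 0: class=08 (Mass Storage)
usb 1-2: Interface 1: class=03 (HID)
usb 1-3: New USB device found, idVendor=090c, idProduct=1000
usb 1-3: Interface 0: class=08 (Mass Storage)
"""
# Hypothetical allowlist of company-issued drives, keyed by serial (control 8).
APPROVED_STORAGE_SERIALS = {"4C530001234567890123"}
MASS_STORAGE, HID = 0x08, 0x03  # USB interface class codes
_NEW = re.compile(r"^usb (\S+): New USB device found")
_SERIAL = re.compile(r"^usb (\S+): SerialNumber=(\S+)")
_IFACE = re.compile(r"^usb (\S+): Interface \d+: class=([0-9a-fA-F]{2})")

def parse_log(text):
    """Group enumeration lines by port into {port: {"serial", "classes"}}."""
    devices = {}
    for line in text.splitlines():
        if m := _NEW.match(line):
            devices[m[1]] = {"serial": None, "classes": []}
        elif (m := _SERIAL.match(line)) and m[1] in devices:
            devices[m[1]]["serial"] = m[2]
        elif (m := _IFACE.match(line)) and m[1] in devices:
            devices[m[1]]["classes"].append(int(m[2], 16))
    return devices

def evaluate(dev, approved=APPROVED_STORAGE_SERIALS):
    """Return (verdict, reason) for one parsed device."""
    classes = set(dev["classes"])
    if MASS_STORAGE in classes and HID in classes:
        # A flash drive that also enumerates as a keyboard is the BadUSB pattern.
        return "BLOCK", "storage device also presents a HID (keyboard) interface"
    if MASS_STORAGE in classes:
        if dev["serial"] is None:
            return "BLOCK", "removable storage without a serial number cannot be allowlisted"
        if dev["serial"] not in approved:
            return "BLOCK", f"removable storage {dev['serial']} is not company-issued"
        return "ALLOW", f"approved company drive {dev['serial']}"
    return "ALLOW", "non-storage device, outside this policy's scope"

def audit(text=SAMPLE_LOG):
    """Apply the policy to every device in the log: {port: (verdict, reason)}."""
    return {port: evaluate(dev) for port, dev in parse_log(text).items()}
```

In practice the same decisions would be made by an endpoint control such as a device-control agent or a USBGuard-style rule set, with every BLOCK verdict forwarded to the SOC as an alert rather than only logged locally.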
Keeping OT safe from USB risks
USB devices are incredibly useful, especially in industrial and OT settings where they’re often relied on for updates, data transfers, or quick fixes. But as we’ve seen time and time again, that same convenience can come with a dangerous cost.
From the Stuxnet worm that damaged nuclear centrifuges to recent malware infections that shut down power plants, history has shown us just how devastating a single infected USB can be. These aren’t isolated events; they’re clear warnings that organisations need to take USB security seriously.
The best way forward is a layered defense strategy that includes:
- Setting and enforcing strict USB usage policies
- Implementing the right technical controls (like scanning and access restrictions)
- Ensuring everyone, from technicians to top management, understands the risks.
Ultimately, it only takes one USB plug-in to cause massive disruptions. With the right safeguards, that risk can be dramatically reduced and critical systems can stay safe from silent threats hiding in plain sight.
OT-SAT, Secolve’s OT security awareness platform, can empower your organisation and employees to uplift their understanding of OT and OT cyber security. Get in touch with us today for a demo to find out how our video-based training on OT-SAT can help you.