USB Port Security

There is an interesting blog posting over on InternationalAcademy.blogspot.com about the problems associated with USB port data theft and the new generation of cell phones that use the ubiquitous USB port for cell phone charging. This posting by a British security management training organization concentrates on the potential for data theft; and that is certainly a security concern for any organization. What about the potential for the use of these ports for a terrorist attack? Sound far fetched? Here is a scenario that any counter-intelligence professional will find all too familiar. USB Attack Scenario A high-risk chemical facility, because of the economic downturn, has announced layoffs that will affect the manufacturing team. Employees are given a generous advance notice with severance pay incentives to stay on during the down-sizing operations. One of the notified employees with existing financial problems is approached by a ‘competitor’ representative with a ‘job offer’. The ‘competitor’ will provide him with a job at the end of the transition with a signing bonus if he will plug in a Blue tooth device into the USB port on the back of one of the control room computers. The employee is assured that his new employer is just trying to find out some process details that will allow them to remain competitive in the current environment. Instead of being a data collection device, it will actually be a back-door into the process control system allowing a terrorist access to process controls that will allow them to engineer a runaway reaction in a monomer storage tank. The confusion resulting from such a process upset would allow a more devastating physical attack on a toxic chemical storage tank on the same site. USB Access Not Necessary Of course, anyone knowledgeable about the state of control system security today will realize that access to a USB port is probably not required to carryout the attack described. Many control systems are already connected to the Internet and a knowledgeable hacker could probably conduct the same attack using those connections. But, if DHS did listen to some of the comments on their draft Risk-Based Performance Standard Guidance document, perhaps the current DHS site security plan process will protect against those internet hacks.