From Power Plants to Oil Rigs, Critical US Infrastructure Taking A Beating from USB Delivered Cyber Attacks – GDF’s Penetration Testing Helps Expose those Kinds of Weak Links in Cyber Security

Share Article

USB sticks can be convenient and practical for many things, but they can also be a devastatingly effective way for attackers to bypass cyber security measures on segmented or non-Internet facing networks. Global Digital Forensics offers comprehensive cyber threat assessments and penetration testing with a strong focus on identifying cyber threat vectors like susceptibility to USB stick malware, cross-device delivery and social engineering vulnerabilities.

News Image

Are you hand delivering malware?

the repercussions of critical infrastructure targets being successfully penetrated by cyber attacks can really ratchet things up on the doomsday scale

Last month it was revealed that two US power plants were crippled by malware attacks stemming from USB-stick delivered malware. And now, just over a week ago, it was revealed that another major sector of the US energy infrastructure too had a couple of casualties on the cyber-war front, in the form of offshore oil rigs being successfully penetrated and incapacitated the same way. Professional network penetration testing is the first important step to identifying the weaknesses in internal policies, procedures and security architecture which can lead to infiltration and the devastating consequences a successful cyber attack can set in motion.

“Losing control of electronic intellectual property information, client data, or other corporate secrets, can be crippling to any organization,” said Joe Caruso, founder and CEO/CTO of Global Digital Forensics, “but the repercussions of critical infrastructure targets being successfully penetrated by cyber attacks can really ratchet things up on the doomsday scale for more than just any single organization, it can have a national and global reach which can affect everyone. Just think about what kind of chaos an attack on the power grid would cause to a society like ours that now relies on technology almost as a basic necessity, or what would happen if airplanes and trains started crashing, or water treatment became unsafe, or massive oil spills decimated the environment and drove up the cost of transportation, and by extension the cost of basically everything we need and buy, or, or, or… I mean the possibilities for real mayhem are endless, and if the attackers are both skilled and coordinated and launch simultaneous attacks on multiple critical infrastructure targets at once, like an actual state-sponsored cyber-warfare attack, let’s just say it certainly wouldn’t bode well for a rosy future for anyone.”

Being Remote or “Unplugged” Does Not Vanquish the Threat Posed by Cyber Attacks

“These kinds of successes with USB delivered malware are unfortunately not as sparse as many people think. And it doesn’t matter if it’s a remote location like an oil rig; we’ve responded to cyber incidents at remote power plants in Africa, research facilities in South America and some very out of the way locations in Asia. The truth is, the fire can start with something as well-intentioned as downloading an update to improve the performance of a segmented internal network and putting it on a USB stick to get it across the “air gap,” or something as innocent as an employee bringing in some of their own music to help while away the off hours at a remote location, if the source system was infected with the right malware, it gets transferred to the USB stick undetected and gets “auto-played” right into the bloodstream of an internal and/or non-outward facing network, incapacitating, destroying, or manipulating anything it was designed to.”

When it Comes to USB Delivered Malware, It’s Time To Quit Curing Symptoms and Fight the Source

“Cyber security does not come in a one-size-fits-all solution. Comprehensive cyber threat assessments and penetration tests by Global Digital Forensics are designed to look at the entirety of the big cyber-security picture. On the cyber threat assessment side it is reviewing and understanding existing policies, procedures and enforcement, looking at any specific regulatory compliance issues a client may face in their particular industry, mapping the digital architecture and addressing the whole scope of it, including the burgeoning problems related to the increasing popularity of BYOD (Bring Your Own Device) policies, understanding the intricacies of the daily data flow and helping clients recognize and remediate any issues using industry best practices.”

“On the penetration testing side, which is actually launching simulated cyber attacks real world attackers would use, the tests get customized to a client’s unique situation, which can include everything from realistic and advanced spear phishing campaigns, to all kinds of devious and clever ways we’ve devised to get a “GDF-infected” USB stick inserted into a target network, and much more. We take great pride in the fact that, so far, we have a 100% success rate when it comes to infiltrating a targeted network. And there is nothing more effective than actually showing an executive, a manager, or even an employee that we did get by them, here’s how and here’s how to fix it. It’s also not unusual for us to then get retained to give cyber security awareness seminars for the entire organization afterward, and I can tell you that all eyes are forward and paying attention when you successfully phished 60-70-80% or more of the company, or can point out how many we fooled into inserting one of our “infected” USB sticks. And if you can raise that awareness and make it stick, you already won more than half to the battle when it comes beating a cyber attack at the source, USB launched or otherwise. Because remember, that USB stick had to get infected somewhere first and then get hand delivered. If you plug the holes leading to that first infection, make everyone aware of their responsibilities and understand the ramifications even a single lapse in judgment can have and show them how to avoid being an unknowing accomplice to a cyber attacker, for both businesses and critical infrastructure alike, everyone will be safer in the long run.”

Regular, professional cyber threat assessments and penetration tests are key in the ever-evolving world of cyber attacks, because relying on yesterday’s solutions to combat today’s threats and anticipate tomorrow’s, will only make for being an easy target.

*Global Digital Forensics is a recognized industry leader in the fields of cyber security and emergency incident response, with years of experience assisting clients in the government, banking, healthcare, education and corporate arenas. For a free consultation with a Global Digital Forensics specialist, call 1-800-868-8189 about tailoring a plan which will meet your unique needs. Emergency responders are also standing by 24/7 to handle intrusion and data breach emergencies whenever and wherever they arise. Time is critical if a cyber incident has occurred, so don’t hesitate to get help. For more information, visit

Share article on social media or email:

View article via:

Pdf Print

Contact Author

Aris Demos
Visit website