Stuxnet changed everything. The worm that destroyed Iranian uranium centrifuges in 2010 didn't arrive over the internet — it crossed an air gap on a USB drive. Fifteen years later, USB devices remain the primary attack vector for industrial control systems, and the threat has only grown more sophisticated. CISA's ICS-CERT has tracked a steady increase in USB-borne malware targeting manufacturing environments, including campaigns like EKANS/Snake ransomware and PIPEDREAM/Incontroller that specifically target industrial protocols.
Yet most manufacturing organizations still treat USB security as an IT problem, applying office-style Group Policy restrictions that don't account for the realities of operational technology. The result is either policies so strict they halt production, or policies so loose they leave critical infrastructure exposed. This guide covers how to build USB security controls that actually work in manufacturing and OT/ICS environments — protecting production systems without stopping production.
Why Manufacturing and OT Are Different
USB security in a manufacturing environment is fundamentally different from a corporate office. Controls designed for knowledge workers at desks don't translate to plant floors, control rooms, and field operations:
- Air-gapped networks depend on USB. Many OT networks are intentionally isolated from the internet. USB drives are the primary mechanism for transferring software updates, patches, configuration files, and data exports. Block USB entirely and you block the only way to maintain these systems.
- Systems can't be rebooted on demand. A PLC controlling a chemical process or an HMI running a production line can't be restarted to apply a policy change. Downtime is measured in thousands of dollars per minute. USB controls must be deployable and configurable without system restarts.
- Legacy operating systems are the norm. Windows XP, Windows 7, Server 2003, and even DOS-based systems run critical processes in manufacturing. These machines may run for a decade or more without OS upgrades because the control software is certified only for that specific OS version.
- Multiple vendors access the same systems. OEMs, integrators, and maintenance contractors all bring their own USB devices to update firmware, pull diagnostic logs, or configure equipment. You can't simply ban all external devices.
- Physical environments are harsh. Ruggedized endpoints, panel-mounted HMIs, and control room workstations may not have conventional IT management agents installed. Some run real-time operating systems that don't support standard Windows security tools.
- Safety is paramount. In IT, a security incident means data loss. In OT, it can mean equipment damage, environmental contamination, or human injury. The consequences of getting USB security wrong in either direction — too permissive or too restrictive — are amplified.
The USB Threat Landscape for Industrial Environments
Understanding the specific threats helps you prioritize controls. USB-borne attacks on manufacturing fall into distinct categories:
| Threat | How It Works | Real-World Example | Impact |
|---|---|---|---|
| Worm propagation | Self-replicating malware spreads via autorun or exploit when USB is inserted | Stuxnet crossed air gaps via USB, targeting Siemens S7-300 PLCs | Physical destruction of equipment, production halt |
| Ransomware delivery | Encrypted payload delivered via USB to systems with no email/web vector | EKANS ransomware targeted Honda and Enel, killing ICS-specific processes | Full production shutdown, ransom payment, recovery costs |
| Data exfiltration | Insider copies proprietary recipes, PLC programs, or production data to USB | Multiple cases of departing engineers copying PLC ladder logic and SCADA configs | IP theft, competitive advantage loss |
| HID spoofing | Device appears as keyboard, injects commands into HMI or engineering workstation | Rubber Ducky and O.MG cables used in physical penetration tests of plants | Unauthorized configuration changes, safety system manipulation |
| Supply chain compromise | Vendor-provided USB with firmware updates contains embedded malware | Compromised vendor update USB distributed to water treatment facilities | Persistent backdoor in control systems |
The Honeywell USB Threat Report consistently finds that over 50% of USB-borne threats targeting industrial environments are specifically designed to cross air gaps, and nearly 80% could cause disruption to OT systems. These aren't opportunistic office malware — they're purpose-built for industrial targets.
Compliance Frameworks That Require USB Controls
If your manufacturing operation falls under any of these frameworks, USB device control isn't optional:
IEC 62443 (Industrial Automation and Control Systems Security)
The primary international standard for ICS security. Several requirements directly address removable media:
- SR 2.3 — Use control for portable and mobile devices: Requires controls to manage the use of portable and mobile devices in the IACS environment, including USB storage devices.
- SR 2.4 — Mobile code: Requires controls to prevent unauthorized code execution, directly applicable to autorun and USB-delivered executables.
- SR 7.8 — Control system component inventory: Requires maintaining an inventory of all components, including removable media devices used in the environment.
NIST SP 800-82 (Guide to ICS Security)
The U.S. government reference for industrial control system security. Section 6.2.6 specifically addresses portable devices and removable media, recommending:
- Restricting use of removable media on ICS components
- Scanning all removable media before connection to ICS networks
- Disabling autorun/autoplay on all ICS workstations
- Maintaining logs of all removable media usage
NERC CIP (Critical Infrastructure Protection)
Mandatory for electric utilities. CIP-010-4 requires documented processes for managing removable media, including malware scanning before use on BES (Bulk Electric System) Cyber Systems. CIP-007-6 R3 requires malicious code prevention, including controls for USB-introduced malware.
FDA 21 CFR Part 11 (Pharmaceutical Manufacturing)
Requires controls on electronic records and signatures. USB devices that can introduce unauthorized changes to manufacturing execution systems or quality records must be controlled and audited.
6 USB Security Controls for OT Environments
1. Zone-Based USB Policies Using the Purdue Model
Don't apply one USB policy to your entire organization. Map your USB controls to the Purdue Reference Model levels, applying stricter controls as you move closer to physical processes:
| Purdue Level | Systems | USB Policy |
|---|---|---|
| Level 0–1 (Process) | PLCs, RTUs, sensors, actuators | No USB access. Physical port locks on all USB interfaces. Any maintenance requiring USB uses a dedicated, scanned device with a documented change ticket. |
| Level 2 (Control) | HMIs, SCADA servers, engineering workstations | Default-deny with strict whitelist. Only IT-issued, scanned devices allowed. All connections logged. Engineering workstations allow approved vendor devices by serial number. |
| Level 3 (Operations) | Historian, MES, batch management | Default-deny with operational whitelist. Data export restricted to approved encrypted drives. Read-only mode for incoming data transfers. |
| Level 3.5 (DMZ) | Data diodes, jump servers, patch servers | USB allowed only on designated whitelisted transfer stations. All files scanned before transfer to lower levels. |
| Level 4–5 (Enterprise) | Corporate IT, ERP, email | Standard corporate USB security policy with default-deny and serial-number whitelisting. |
2. Dedicated USB Transfer Stations
Instead of allowing USB devices to connect directly to control systems, create designated transfer stations — hardened workstations positioned at the boundary between IT and OT networks. Every USB device coming into the OT environment passes through this checkpoint.
A transfer station should:
- Run multiple malware scanning engines (not just one AV product)
- Allow only approved file types (e.g., .csv, .plc, .fw — not .exe, .dll, .ps1)
- Log every file transfer with timestamp, source device serial number, file hash, destination system, and operator identity
- Enforce default-deny device policy — only IT-provisioned drives connect to the station
- Be physically secured in a controlled access area
This approach means USB devices never touch production systems directly. The transfer station acts as a decontamination chamber for data entering the OT network.
3. Vendor and Contractor USB Management
Third-party access is one of the biggest USB risks in manufacturing. Equipment vendors, system integrators, and maintenance contractors routinely bring USB devices to update firmware, collect diagnostics, or configure equipment. Without controls, you're trusting every vendor's USB hygiene — and their entire supply chain.
Implement a vendor USB protocol:
- No personal USB devices in the OT zone. Vendors must use facility-issued devices or transfer files through the USB transfer station.
- Pre-register vendor devices. When a maintenance visit is scheduled, the vendor submits device serial numbers in advance. IT adds them to a temporary whitelist that expires when the maintenance window closes.
- Escort and witness. All USB connections to Level 0–2 systems are witnessed by plant operations staff and logged in the change management system.
- Post-visit audit. After vendor work, review USB event logs for any unexpected connections or file transfers.
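The transfer-station checks (default-deny device whitelist, file-type allowlist, multi-engine scan, hashed audit record) and the expiring vendor whitelist from the two sections above, in one added example. This is illustrative code written for this article, not PortGuard's product or any vendor's API. Assumptions not taken from the page: devices are identified by the serial number the OS reports, vendor entries carry an expiry equal to the end of the maintenance window, a scan "engine" is any callable that returns True when the file is clean, and audit records are JSON lines. All serial numbers, file contents and timestamps are constructed.

```python
"""Transfer-station intake and expiring vendor whitelist (added example).

Not PortGuard's code. Serials, file contents and timestamps are constructed.
"""
import hashlib
import json
from datetime import datetime, timezone
from pathlib import Path

# File types the station passes into the OT zone, and types refused outright.
ALLOWED_EXTENSIONS = {".csv", ".plc", ".fw"}
BLOCKED_EXTENSIONS = {".exe", ".dll", ".ps1"}

# Default-deny whitelist. IT-issued drives never expire; vendor drives expire
# when the pre-registered maintenance window closes (constructed entries).
WHITELIST = {
    "IT-4F2A9C": {"owner": "plant-it", "use": "historian export", "expires": None},
    "VND-7B31E0": {"owner": "acme-integrators", "use": "PLC firmware update",
                   "expires": datetime(2024, 3, 15, 18, 0, tzinfo=timezone.utc)},
}

# Two reference instants for the demo: inside and after the vendor window.
IN_WINDOW = datetime(2024, 3, 15, 12, 0, tzinfo=timezone.utc)
AFTER_WINDOW = datetime(2024, 3, 16, 9, 0, tzinfo=timezone.utc)


def register_vendor_device(whitelist, serial, owner, use, window_end):
    """Temporary whitelist entry that expires with the maintenance window."""
    whitelist[serial] = {"owner": owner, "use": use, "expires": window_end}


def device_allowed(serial, whitelist, now):
    """Unknown serials and expired vendor entries are refused."""
    entry = whitelist.get(serial)
    if entry is None:
        return False, "serial not registered"
    if entry["expires"] is not None and now > entry["expires"]:
        return False, "vendor whitelist entry expired"
    return True, "registered"


def file_type_allowed(filename):
    suffix = Path(filename).suffix.lower()
    return suffix in ALLOWED_EXTENSIONS and suffix not in BLOCKED_EXTENSIONS


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def hash_denylist_scanner(denylist):
    """One constructed 'engine': flags files whose SHA-256 is on a denylist."""
    return lambda data: sha256_hex(data) not in denylist


def intake(serial, filename, data, destination, operator,
           whitelist=WHITELIST, scanners=(), now=None):
    """Run the station checks in order and return the audit record.

    Every engine in `scanners` must report the file clean; one engine
    flagging it is enough to deny the transfer.
    """
    now = now or datetime.now(timezone.utc)
    allowed, reason = device_allowed(serial, whitelist, now)
    if allowed and not file_type_allowed(filename):
        allowed, reason = False, "file type not in allowlist"
    if allowed and not all(scan(data) for scan in scanners):
        allowed, reason = False, "malware scan flagged file"
    if allowed:
        reason = "checks passed"
    return {
        "timestamp": now.isoformat(),
        "device_serial": serial,
        "file": filename,
        "sha256": sha256_hex(data),
        "destination": destination,
        "operator": operator,
        "decision": "allow" if allowed else "deny",
        "reason": reason,
    }


def append_audit_record(record, log_path):
    """One JSON object per line, append-only, for later forwarding to the SIEM."""
    with open(log_path, "a", encoding="utf-8") as fh:
        fh.write(json.dumps(record, sort_keys=True) + "\n")


if __name__ == "__main__":
    denylist = {sha256_hex(b"known-bad sample (constructed)")}
    record = intake("VND-7B31E0", "line3_controller.fw", b"firmware image (constructed)",
                    "PLC-ENG-01", "j.doe", scanners=[hash_denylist_scanner(denylist)],
                    now=IN_WINDOW)
    print(json.dumps(record, indent=2))
```

The record is produced for denied transfers too, so the post-visit audit sees attempts, not only successes; the hash denylist stands in for the real engines, which would plug into the same `scanners` list.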
4. Physical Port Controls for Legacy and Unmanaged Systems
Not every system in a manufacturing environment can run a software agent. Legacy PLCs, embedded HMIs, and real-time controllers often have USB ports that can't be protected with software. For these systems, physical controls are necessary:
- USB port blockers. Physical plugs that fill USB ports and require a special tool to remove. Simple, tamper-evident, and effective for systems that should never have USB devices connected.
- Locked USB port covers. For systems that occasionally need USB access (firmware updates), use lockable port covers. The key stays with the control room operator or plant engineer, creating a physical access control layer.
- Port inventory. Document every USB port on every device in the OT network. For each port, record whether it's blocked, locked, or actively monitored. This inventory is required by IEC 62443 SR 7.8 and is the first thing an auditor will request.
5. Offline-First Policy Enforcement
Air-gapped OT networks can't rely on cloud-based policy engines. Your USB security solution must enforce policies locally, without any network connectivity, and sync logs when a connection is available.
This means:
- Device whitelist and policy rules are cached locally on the endpoint
- Allow/block decisions happen at the driver level, not via network lookup
- USB event logs are stored locally and forwarded to the central console when network connectivity is restored
- Policy updates are distributed via the same controlled USB transfer process used for other OT updates
Solutions that require real-time cloud connectivity for policy decisions are a non-starter for manufacturing environments. If the agent can't enforce policy when disconnected, it can't protect an air-gapped network. Read our guide on USB security for disconnected endpoints for more on offline enforcement architecture.
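The offline-first pattern described above (policy cached on the endpoint, decisions made from the cache alone, events spooled locally and forwarded when a link is available, policy updates applied from a file delivered by the transfer process), as an added example. It is illustrative code written for this article, not PortGuard's agent. Assumptions not taken from the page: the cached policy is a JSON-like document with a version number, a serial whitelist and per-class rules; the spool is a local JSON-lines file; `uplink` is any callable that returns True once the central console has accepted a batch. Hosts, serials and the spool path are constructed.

```python
"""Offline-first USB policy enforcement with store-and-forward logging.

Added example, not PortGuard's agent. Hosts, serials and paths are constructed.
"""
import json
import tempfile
from pathlib import Path

# Policy cached on the endpoint. `decide` reads only this structure; nothing
# consults the network, so enforcement is identical when the link is down.
CACHED_POLICY = {
    "version": 7,
    "allowed_serials": ["IT-4F2A9C", "VND-7B31E0"],
    "class_rules": {"MSC": "whitelist", "HID": "allow", "default": "deny"},
}

# Local spool location (constructed; a real agent would use a protected directory).
SPOOL_PATH = Path(tempfile.gettempdir()) / "usb_event_spool_example.jsonl"


def decide(policy, device_class, serial):
    """Allow/block decision from the local cache only."""
    rule = policy["class_rules"].get(device_class, policy["class_rules"]["default"])
    if rule == "allow":
        return "allow"
    if rule == "whitelist" and serial in policy["allowed_serials"]:
        return "allow"
    return "block"


def apply_policy_update(current, candidate):
    """Accept a policy delivered via the transfer process only if it is newer."""
    if candidate["version"] <= current["version"]:
        return current, False
    return candidate, True


class EventSpool:
    """Append-only local event store, forwarded when a link is available."""

    def __init__(self, path):
        self.path = Path(path)
        self.path.touch(exist_ok=True)

    def record(self, event):
        with self.path.open("a", encoding="utf-8") as fh:
            fh.write(json.dumps(event, sort_keys=True) + "\n")

    def pending(self):
        with self.path.open(encoding="utf-8") as fh:
            return [json.loads(line) for line in fh if line.strip()]

    def flush(self, uplink):
        """Forward everything spooled; keep it on disk until the console acks."""
        events = self.pending()
        if not events:
            return 0
        if not uplink(events):
            return 0  # link down or batch rejected: nothing is lost, retry later
        self.path.write_text("", encoding="utf-8")
        return len(events)


def handle_connect(policy, spool, host, device_class, serial):
    """Enforce at connect time and spool the event regardless of link state."""
    decision = decide(policy, device_class, serial)
    spool.record({"host": host, "class": device_class, "serial": serial,
                  "decision": decision, "policy_version": policy["version"]})
    return decision


if __name__ == "__main__":
    spool = EventSpool(SPOOL_PATH)
    print(handle_connect(CACHED_POLICY, spool, "HMI-LINE3", "MSC", "UNKNOWN-9F3"))
    print("forwarded:", spool.flush(lambda batch: False), "pending:", len(spool.pending()))
    print("forwarded:", spool.flush(lambda batch: True), "pending:", len(spool.pending()))
```

The version check in `apply_policy_update` is the minimum needed to stop a stale policy file carried in on a drive from rolling back a newer whitelist; the spool only clears after the console acknowledges a batch, so a failed forward never loses an event.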
6. USB Event Monitoring and Anomaly Detection
Logging isn't just for compliance — it's your early warning system. In OT environments, USB anomalies are often the first indicator of an attack or insider threat. Monitor for:
- New device serial numbers. Any USB device not previously seen in the environment should trigger an alert.
- After-hours connections. USB activity during non-production hours (nights, weekends, holidays) is suspicious in a manufacturing context where USB use should correlate with maintenance schedules.
- High-frequency connections. A device connecting and disconnecting rapidly may indicate automated data exfiltration or an HID spoofing attack.
- Device class mismatches. A device that identifies as a keyboard but has the VID/PID of a storage device (or vice versa) is a red flag for a spoofing attack.
- Connections to critical systems. Any USB event on Level 0–2 systems should generate an immediate alert, regardless of whether the device is whitelisted.
Feed USB event data into your existing OT security monitoring — whether that's a SIEM, a historian-based monitoring system, or a dedicated OT security platform. Correlate USB events with other indicators: a USB connection followed by a PLC program change is a much higher-priority event than either alone.
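The five monitoring rules listed above, plus the correlation the last paragraph describes (a USB connect followed by a PLC program change), run over a constructed USB event log as an added example. This is illustrative code written for this article, not PortGuard's product or any SIEM's rule syntax. Assumptions not taken from the page: the endpoint agent writes one line per USB event in the form `<UTC timestamp> host=… serial=… class=… vidpid=… action=connect|disconnect`, PLC program changes arrive from change management as `<UTC timestamp> host=… action=program_change`, the plant runs 06:00 to 17:59 UTC on weekdays, and the baseline serials and enrolled VID:PID classes come from the audit phase. Hosts, serials, VID:PID pairs and timestamps are all constructed.

```python
"""USB event anomaly rules over a constructed event log (added example).

Not PortGuard's code. Every host, serial, VID:PID and timestamp is constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

BASELINE_SERIALS = {"ITDRV-0001", "KBD-OP-07"}             # seen during the audit phase
ENROLLED_CLASS = {"1234:0001": "MSC", "1234:0002": "HID"}   # class each VID:PID was inventoried as
HOST_LEVEL = {"PLC-ENG-01": 2, "HMI-LINE3": 2, "HIST-01": 3, "ERP-APP-02": 4}  # Purdue zone map
PRODUCTION_HOURS = range(6, 18)           # assumption: 06:00-17:59 UTC, weekdays only
BURST_THRESHOLD, BURST_WINDOW = 3, timedelta(seconds=60)
CHANGE_WINDOW = timedelta(minutes=30)     # connect followed by a PLC change within this

# Constructed agent log: a normal historian export on a Tuesday morning, an
# unknown "keyboard" on an HMI at 02:13 on a Wednesday, and a drive that
# reconnects three times in 50 seconds on an enterprise host.
SAMPLE_LOG = [
    "2024-03-12T09:15:02Z host=HIST-01 serial=ITDRV-0001 class=MSC vidpid=1234:0001 action=connect",
    "2024-03-12T09:40:10Z host=HIST-01 serial=ITDRV-0001 class=MSC vidpid=1234:0001 action=disconnect",
    "2024-03-13T02:13:44Z host=HMI-LINE3 serial=UNKNOWN-9F3 class=HID vidpid=1234:0001 action=connect",
    "2024-03-13T10:00:00Z host=ERP-APP-02 serial=ITDRV-0001 class=MSC vidpid=1234:0001 action=connect",
    "2024-03-13T10:00:20Z host=ERP-APP-02 serial=ITDRV-0001 class=MSC vidpid=1234:0001 action=disconnect",
    "2024-03-13T10:00:25Z host=ERP-APP-02 serial=ITDRV-0001 class=MSC vidpid=1234:0001 action=connect",
    "2024-03-13T10:00:50Z host=ERP-APP-02 serial=ITDRV-0001 class=MSC vidpid=1234:0001 action=connect",
]
# Constructed change-management feed: a program change 16 minutes after the HMI connect.
SAMPLE_CHANGES = ["2024-03-13T02:30:05Z host=HMI-LINE3 action=program_change"]


def parse_event(line):
    """Turn one 'key=value' log line into a dict with a tz-aware 'ts'."""
    stamp, *fields = line.split()
    event = dict(field.split("=", 1) for field in fields)
    event["ts"] = datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return event


def detect(usb_lines, change_lines=(), baseline=BASELINE_SERIALS,
           enrolled=ENROLLED_CLASS, host_level=HOST_LEVEL):
    """Apply every rule to each connect event and return the alerts raised."""
    events = sorted((parse_event(line) for line in usb_lines), key=lambda e: e["ts"])
    changes = [parse_event(line) for line in change_lines]
    alerts = []
    recent_connects = defaultdict(list)   # serial -> connect times inside the burst window

    def raise_alert(ev, rule, severity):
        alerts.append({"rule": rule, "severity": severity, "host": ev["host"],
                       "serial": ev["serial"], "ts": ev["ts"].isoformat()})

    for ev in events:
        if ev["action"] != "connect":
            continue
        ts, serial = ev["ts"], ev["serial"]
        # 1. Serial never seen in the audit baseline.
        if serial not in baseline:
            raise_alert(ev, "new-serial", "medium")
        # 2. Outside production hours or on a weekend.
        if ts.hour not in PRODUCTION_HOURS or ts.weekday() >= 5:
            raise_alert(ev, "after-hours", "medium")
        # 3. Rapid connect/disconnect cycling by the same device.
        window = [t for t in recent_connects[serial] if ts - t <= BURST_WINDOW] + [ts]
        recent_connects[serial] = window
        if len(window) >= BURST_THRESHOLD:
            raise_alert(ev, "high-frequency", "high")
        # 4. Reported class differs from the class this VID:PID was enrolled as.
        expected = enrolled.get(ev["vidpid"])
        if expected is not None and expected != ev["class"]:
            raise_alert(ev, "class-mismatch", "high")
        # 5. Any connect on a Level 0-2 host, whitelisted or not.
        if host_level.get(ev["host"], 5) <= 2:
            raise_alert(ev, "critical-system", "high")
        # Correlation: a PLC program change on the same host soon after the connect.
        if any(c["host"] == ev["host"] and timedelta(0) <= c["ts"] - ts <= CHANGE_WINDOW
               for c in changes):
            raise_alert(ev, "usb-then-plc-change", "critical")
    return alerts


def summarize(alerts):
    """Alert count per rule, the shape a SIEM dashboard would show."""
    counts = defaultdict(int)
    for alert in alerts:
        counts[alert["rule"]] += 1
    return dict(counts)


def run_sample():
    return detect(SAMPLE_LOG, SAMPLE_CHANGES)


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
    print(summarize(run_sample()))
```

On the sample, the 02:13 connect on HMI-LINE3 raises five alerts on its own (new serial, after hours, class mismatch, critical system, and the correlated program change), while the enterprise-host drive raises only the high-frequency alert on its third connect; the ordinary historian export raises nothing.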
USB Device Control Built for OT Environments
PortGuard's lightweight Windows agent enforces default-deny USB policies with full offline support. Serial-number whitelisting, device-class blocking, and comprehensive logging work without cloud connectivity — exactly what air-gapped OT networks need. Deploy in audit mode first, enforce when ready. Free for up to 5 devices.
Manufacturing USB Security Policy Template
Adapt this template to your specific environment. The structure maps to IEC 62443 and NIST 800-82 requirements:
Section 1: Scope and Zones
This policy applies to all USB-capable devices within the OT network boundary (Purdue Levels 0–3.5), including PLCs, HMIs, SCADA servers, engineering workstations, historians, MES terminals, and any Windows or Linux endpoint connected to the industrial control network. Enterprise IT systems (Levels 4–5) are covered by the corporate USB policy.
Section 2: Default Posture
All USB mass storage devices are blocked by default on all OT endpoints. USB Human Interface Devices (keyboards, mice) are allowed only on endpoints where they are required for operation. All other USB device classes (wireless adapters, network adapters, imaging devices) are blocked unless specifically approved.
Section 3: Approved Devices and Transfer Procedures
USB storage devices used in the OT environment must be procured, provisioned, and tracked by the IT/OT security team. Each device is registered by serial number and assigned to a specific use case (e.g., historian data export, PLC firmware update). All data transfers to OT systems pass through the designated USB transfer station for malware scanning and file-type validation.
Section 4: Vendor and Contractor Access
Third-party personnel must use facility-issued USB devices or transfer files through the USB transfer station. Personal USB devices are prohibited in OT zones. Vendor device serial numbers must be submitted 48 hours before scheduled maintenance. Temporary whitelist entries expire at the end of the maintenance window. All vendor USB activity is logged and reviewed within 24 hours.
Section 5: Incident Response
Any unauthorized USB device detected in the OT environment triggers the following response: (1) Immediate isolation of the affected endpoint from the control network, (2) Notification to the plant operations manager and IT/OT security team, (3) Forensic capture of the USB event log and device metadata, (4) Assessment of whether the device accessed or modified any control system configuration, (5) Root cause analysis and corrective action documented in the change management system.
Implementation Roadmap for Manufacturing
Deploying USB security in a production environment requires careful planning. You cannot afford a policy change that halts a production line. Here's a phased approach:
- Weeks 1–3: Discovery and inventory. Deploy agents in audit-only mode on all Windows endpoints in the OT network. Catalog every USB device that connects, every port that's active, and every workflow that depends on USB. Simultaneously, physically inventory USB ports on unmanaged systems (PLCs, embedded HMIs). This phase produces your baseline: how many devices, which vendors, what workflows, and where the gaps are.
- Weeks 4–5: Policy design. Map your findings to the Purdue Model. Define zone-specific policies. Build your device whitelist from the audit data. Identify which ports need physical blockers. Design the USB transfer station workflow. Get buy-in from plant operations, maintenance, and engineering — they will be the ones most affected.
- Weeks 6–7: Transfer station deployment. Set up the USB transfer station at the IT/OT boundary. Train maintenance and engineering staff on the new workflow. Run both old and new processes in parallel during the transition.
- Weeks 8–10: Phased enforcement. Enable blocking on Level 4–5 (enterprise) endpoints first. Then Level 3 (operations/historian). Then Level 2 (HMI/SCADA). Level 0–1 gets physical port controls. At each level, run in warn mode for one week before switching to block mode. Monitor for production impact and adjust the whitelist as needed.
- Weeks 11+: Ongoing operations. Monthly whitelist reviews. Quarterly vendor access audits. Annual port inventory updates. Continuous monitoring for anomalous USB events. Every maintenance window that involves USB gets a pre-approved device list and a post-visit log review.
Common Mistakes in Manufacturing USB Security
Avoid these pitfalls that derail OT USB security programs:
- Applying IT policies to OT without modification. Corporate IT's USB blocking approach doesn't account for air-gapped networks, vendor access, or legacy systems. OT needs its own policy framework.
- Blocking USB without providing an alternative. If engineers can't transfer PLC programs via USB, they'll find a workaround — often one that's less secure than the original USB workflow. Always provide a sanctioned transfer mechanism before blocking the unsanctioned one.
- Ignoring physical ports. Software-based USB control is critical, but it can't protect a PLC running a proprietary RTOS. Physical port blockers are not a "nice to have" — they're required for systems that can't run agents.
- Treating vendor USB as trusted. A reputable vendor's USB device can still be compromised. The 2023 3CX supply chain attack demonstrated that even legitimate software vendors can unknowingly distribute malware. Every external USB device must be scanned, regardless of source.
- No change management integration. USB events in OT should be tracked in the same change management system as PLC program changes and configuration updates. An untracked USB connection to a control system is an untracked change to a control system.
Building the Business Case
Justifying USB security investment to plant leadership requires speaking their language — production uptime, not cybersecurity jargon:
- Ransomware cost: The average manufacturing ransomware incident costs $1.2 million in recovery and causes 12 days of production downtime. USB is the primary vector for malware entering air-gapped OT networks.
- Compliance penalties: NERC CIP violations carry penalties up to $1 million per day. IEC 62443 certification increasingly requires documented USB controls for industrial environments.
- IP protection: A single PLC program or manufacturing recipe can represent millions in R&D investment. Uncontrolled USB access is an open door for data exfiltration.
- Insurance requirements: Cyber insurance underwriters increasingly require evidence of USB device control in OT environments as a condition of coverage.
Frame USB security as production continuity insurance, not an IT project. The question isn't whether you can afford USB controls — it's whether you can afford not to have them when a contractor plugs an infected drive into your SCADA server.
Moving Forward
Manufacturing and OT environments are where USB security matters most and where it's hardest to get right. The combination of air-gapped networks, legacy systems, vendor access requirements, and safety-critical processes creates constraints that don't exist in typical IT environments.
But those constraints don't make USB security impossible — they make it require a different approach. Zone-based policies mapped to the Purdue Model, dedicated transfer stations, physical port controls for unmanaged systems, and offline-first enforcement address the specific realities of manufacturing. Start with audit mode to understand your environment, build your policies around what you find, and enforce gradually from the enterprise level down to the plant floor.
The threat isn't theoretical. USB-borne attacks on industrial environments are increasing in frequency and sophistication. The organizations that act now — before an incident forces their hand — are the ones that maintain both security and production continuity.