Most asset owners who have been working on OT security for 5+ years have dealt with the removable media risk. My preference is USB drives and other media dedicated to the OT environment; never used on another network.
All needed software / firmware is brought through a data transfer server in the OT DMZ where it is assessed before being made available.
This prevents the walk around the protection and detection issue, and it relies less on the users following more complex processes to test media before it enters the OT environment. It also doesn’t prevent bringing new firmware in, loading it on a USB drive, and bringing it to devices deep in the OT environment that might not have a network connection.
A larger number of asset owners take the approach of having a process to scan removable media brought in from outside of OT. There are dedicated OT security products for this that take a kiosk approach, like Honeywell’s Secure Media Exchange or OPSWAT’s MetaDefender Kiosk. Some asset owners build their own scanning station using software from malware detection vendors.
The kiosk / scanning station approach is better than relying on the endpoint protection in each computer to detect and prevent malware. Many asset owners go with a combination of turning off or protecting USB drives on most computers and relying on endpoint detection on the remaining computers. There are a lot of approaches, and they have significantly reduced the introduction of malware into OT by removable media in asset owners with an active OT security program.
Portable computing, most often laptops although tablets are increasing, are a harder problem to solve. The asset owner employees can, and should, have a dedicated laptop for OT. It never leaves OT. It gets its updates and any required software in OT. It’s a bit of a hassle and cost, but not difficult.
The harder problem I see frequently is support vendor laptops that are brought into OT after being connected to many networks. Most security conscious asset owners have a procedure to assess and scan the laptop prior to connection to OT. This process is likely to only catch mass market malware.
By nature these support vendor laptops have the technician logged in with admin privileges, are loaded with a lot of tools of varying providence, are one offs because each technician has their preferred kit, and are connected to a lot of networks. Letting them connect to your OT environment is not a small risk.
So why let them connect? Because the system is down or needs some troubleshooting. The asset owner can’t figure it out and needs assistance. The technician with the expertise can’t do their job without connecting a system with typically an eclectic set of tools organized in a way that makes sense to the technician. The laptop is scanned, the technician / company has to sign something say they don’t have malware, and the connection to OT occurs.
How often does this happen in your OT environment?
A minority of asset owners, in the US primarily the bulk electric sector, will go through the trouble of having OT dedicated laptops available for support vendors to use when they come in. This requires pre-planning and isn’t easy. You need to know who will come in, get all the tools loaded, maintain the tools, and even then it will likely make the support vendor’s job harder. It may be impossible for emergency support … do you want me to connect and fix your system or not? If I use your laptop it will at least take me longer and I might not be able to fix it.
Many of OT security vendors and consultants have been through this dichotomy. You tell the asset owner do not allow anything that was connected to an external network to connect to their OT environment, and let me connect my laptop to your OT environment.
I wish I had an easy answer to address this risk.