
Stopping Media Threats at the Point of Entry

By OPSWAT

Removable media, such as USB drives, external hard drives, and other portable devices, pose a critical and often overlooked threat to OT (Operational Technology) environments. A report by DarkReading revealed that nation-states are returning to USBs, using them in BYOD cyberattacks to compromise highly guarded government organizations, and referred to this as “the weirdest trend in cybersecurity.”

Since they bypass traditional network-based defenses, removable media deliver malware directly into air-gapped and segmented systems, exploiting the security model that OT and critical infrastructure environments rely on. In 2024, removable media accounted for 20.3% of initial vectors in cyberattacks targeting ICSs (industrial control systems), while 15.2% of all OT compromises originated from removable media, according to the SANS 2025 ICS/OT Cybersecurity Budget report.  

How Threat Actors Exploit Removable Media 

Threat actors employ various tactics to deliver malware or extract data from air-gapped environments, using removable media to bypass traditional security controls and evade detection: 

  • BadUSB: Reprogramming a USB device's firmware to mimic a legitimate device, such as a keyboard or a network card, allowing the device to secretly execute malicious commands.
  • USB Baiting: Leaving an infected USB drive in a public place with a tempting label, like "Confidential" or "Q4 Plan," that installs malware or requires the user to open a malicious file once connected. 
  • Data Transfer: Using the same media used to transfer malware to air-gapped systems to secretly carry sensitive data out of secure environments. 
  • Supply Chain Attacks: Compromising media supplied by vendors and contractors by preloading malware onto USBs during manufacturing or distribution. 
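
One defensive check against the BadUSB case above, as an added example that is not from the original article or any OPSWAT product: parse a device's USB configuration descriptors and allow it only if every interface is mass storage, so a "flash drive" that also enumerates as a keyboard (HID, class 0x03) or a network adapter (CDC, class 0x02) is blocked. The storage-only policy, the function names, and the descriptor bytes are assumptions constructed for illustration.

```python
import struct

DESC_CONFIG, DESC_INTERFACE = 0x02, 0x04
CLASS_NAMES = {0x02: "CDC", 0x03: "HID", 0x08: "Mass Storage", 0x0A: "CDC data"}
ALLOWED = {0x08}  # assumption: the scanning port accepts mass storage only

def interface_classes(blob: bytes) -> list[int]:
    """Walk a configuration descriptor set and return every bInterfaceClass."""
    if len(blob) < 9 or blob[1] != DESC_CONFIG:
        raise ValueError("not a configuration descriptor")
    total = struct.unpack_from("<H", blob, 2)[0]  # wTotalLength
    if total > len(blob):
        raise ValueError("descriptor set shorter than wTotalLength")
    classes, pos = [], 0
    while pos < total:
        length = blob[pos]  # bLength of the current descriptor
        if length < 2 or pos + length > total:
            raise ValueError(f"bad bLength at offset {pos}")
        if blob[pos + 1] == DESC_INTERFACE:
            if length < 9:
                raise ValueError(f"short interface descriptor at offset {pos}")
            classes.append(blob[pos + 5])  # bInterfaceClass
        pos += length
    return classes

def evaluate(blob: bytes) -> tuple[str, list[str]]:
    """Allow only devices whose every interface is in ALLOWED; fail closed."""
    try:
        classes = interface_classes(blob)
    except ValueError as exc:
        return "block", [f"malformed descriptors: {exc}"]
    if not classes:
        return "block", ["no interface descriptors"]
    extra = sorted(set(classes) - ALLOWED)
    reasons = [f"interface class 0x{c:02x} ({CLASS_NAMES.get(c, 'unknown')})" for c in extra]
    return ("block" if reasons else "allow"), reasons

def build(*parts: bytes) -> bytes:
    """Prepend a configuration header to constructed descriptors (sample data)."""
    n_if = sum(p[1] == DESC_INTERFACE for p in parts)
    head = bytes([9, DESC_CONFIG]) + struct.pack("<H", 9 + sum(map(len, parts)))
    return head + bytes([n_if, 1, 0, 0x80, 0x32]) + b"".join(parts)

# Constructed samples: a plain flash drive, and one that also enumerates a keyboard.
STORAGE_IF = bytes.fromhex("090400000208065000")
BULK_EPS = [bytes.fromhex("07058102000200"), bytes.fromhex("07050202000200")]
HID_IF, HID_DESC, HID_EP = (bytes.fromhex(h) for h in (
    "090401000103010100", "092111010001223f00", "0705830308000a"))
PLAIN_STICK = build(STORAGE_IF, *BULK_EPS)
COMPOSITE = build(STORAGE_IF, *BULK_EPS, HID_IF, HID_DESC, HID_EP)
```

A class allowlist only covers what the device claims to be at enumeration; file contents on an allowed drive still need scanning.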

Why Critical Systems are More Vulnerable than Ever 

Traditional Antivirus is No Longer Effective 

A single antivirus engine may achieve an average detection rate of only 45.4%. Because single-antivirus solutions rely on signature-based detection and limited databases of known malware, they fall short against modern, evasive, and AI-driven malware.

Risks of Zero-Day Exploits

With no patches or signatures and a lack of information to detect an attack, zero-day attacks are often detected only after damage is done. Relying solely on detection instead of prevention leaves critical infrastructure highly vulnerable.

Files of Suspicious Origin

Removable media carrying files of suspicious foreign origin pose risks beyond malware planted by state-sponsored adversaries. Even when such files seem safe to use, processing files or using software that originated from specific locations puts organizations at risk of failing to meet regulatory compliance and incurring hefty fines.

Evasive and AI-Driven Malware

Adversaries continue to use the latest technologies to develop hard-to-detect malware, from common evasive techniques, such as macros and memory ejection, to behavior-changing, AI-driven malware. These layers of sophistication require multi-layered solutions that prioritize prevention over detection.

Human Error and Data Breaches

Removable media carrying sensitive data, such as passwords, critical business data, and top-secret content, can lead to damaging data leakage. Such practices are a major cause of data breaches and compliance violations.

Stopping Malware at the Point of Entry

With 5 form factors that meet the requirements of various operational environments, even under the harshest conditions, MetaDefender Kiosk™ acts as a physical gatekeeper to ensure all removable media is scanned and validated before use, especially in critical air-gapped environments. Supporting 20+ media types, MetaDefender Kiosk scans a wide range of removable media, including USB drives, memory cards, hard drives, CDs, and DVDs.

MetaDefender Kiosk series

It is equipped with proven, globally trusted technologies to provide protection to secure OT assets against the most sophisticated removable media threats.

Advanced Threat Detection with Multiple Engines

With detection rates that reach up to 99.2% with 30+ malware engines, Metascan™ Multiscanning provides enhanced protection from a variety of cyberthreats, reduces outbreak exposure times, and decreases the chance of false positives.

Preventive Technology to Defend Against Undetected Threats

While traditional scanning solutions fail to detect unknown threats, Deep CDR™ is a technology that defends against these threats by sanitizing and regenerating files while keeping their functionality. It helps prevent undetected threats, including zero-day exploits and evasive malware, with 200+ file types supported.

Detect File Origins to Avoid Compliance Violations

The Country-of-Origin technology detects the geographic source of files by analyzing metadata and fingerprints. Verifying the geographical origin of a file helps organizations avoid compliance violations. 

Prevent Sensitive Data Leakage

To protect sensitive data, Proactive DLP™ checks files before being transferred to and from critical air-gapped networks and blocks sensitive and secret data by using custom regular expressions.

Detect Known File Vulnerabilities

With 3,000,000+ data points collected from active devices and 30,000+ associated CVEs with severity information, MetaDefender Kiosk checks files and software for common vulnerabilities before letting them pass through air gaps.  

Integrated Peripheral and Removable Media Protection and Beyond

MetaDefender Kiosk combines its capabilities with other MetaDefender platform solutions to provide multi-layered security for removable and peripheral media. It seamlessly integrates with MetaDefender Managed File Transfer™ to provide secure transfers for safe, sanitized files.   

My OPSWAT™ Central Management enables configuring appliances, setting and enforcing scanning policies, and generating detailed audit logs over multiple kiosks, all from a single pane of glass. With centralized, auditable logs and consistent policy enforcement, on top of its advanced scanning capabilities, MetaDefender Kiosk aids compliance with rigorous OT-specific regulatory standards, including NIST, IEC 62443, ISO 27001, and NERC CIP. MetaDefender Netwall provides access to real-time OT data and enables secure data transfer to OT environments, while defending the OT environment from network-borne threats.

MetaDefender Media Firewall™ ensures that boot sectors and file contents of inserted portable media are inspected, audited, sanitized, and approved by a MetaDefender Kiosk™ before use. MetaDefender Endpoint Validation™ or Media Validation can also verify that removable media was scanned under enforced policies.

End-to-End Removable Media Protection  

With its proven track record with over 1,900 critical infrastructure organizations, OPSWAT continues to provide a strategic advantage against evolving removable media threats. MetaDefender Kiosk acts as a checkpoint for data on USB drives and other media devices to analyze, control, and sanitize digital data before it enters or leaves a secure network. 

To learn more and see a live demo of how MetaDefender Kiosk can protect your OT environment against modern cyberthreats, schedule a demo with one of our experts today. 

