Mitigating Removable Media Risks in OT/ICS Environments to Align with NIST SP 1334

by OPSWAT

Removable media remains one of the most common attack vectors in OT (operational technology) and ICS (industrial control system) environments. A recent special publication issued by NIST (National Institute of Standards and Technology), NIST SP 1334, provides practical recommendations for organizations operating OT and ICSs. Titled “Reducing the Cybersecurity Risks of Portable Storage Media in OT Environments,” the document includes guidelines to reduce cybersecurity risks related to the use of peripheral and removable media devices.

According to a 2025 ICS/OT Cybersecurity Report by SANS, 27% of attacks were initiated by compromised removable media and transient devices. In air-gapped environments, portable media are often used to transfer data such as firmware updates, configuration files, and logs. This increases the risk of malware, zero-day exploits, and supply chain tampering bypassing existing defenses. NIST SP 1334 aims to help OT operators and manufacturers manage the risks associated with portable storage media, including USBs, SD cards, and portable hard drives, in OT/ICS environments.

Why It Matters for OT Environments

Unlike IT environments, OT/ICS environments often face challenges and constraints when it comes to cybersecurity due to common isolation and network segregation requirements. Aligning cybersecurity practices with the NIST SP 1334 guidelines helps organizations reduce the attack surface, support their defense‑in-depth protection measures, and better govern usage and file transfers via portable media.

The most common challenges for OT/ICS environments include:

  • Using Legacy Systems: Many OT devices and systems are still reliant on legacy systems that lack modern cybersecurity measures and can no longer be upgraded. Replacing these systems can be costly and out of reach.
  • High Availability Requirements: Downtime and service disruptions can cause physical damage, safety risks, or huge operational losses.
  • Operating Air-Gapped Environments: OT networks are often segregated, isolated, or air-gapped, introducing limitations to network-based defenses.
  • Inevitable Removable Media Use: The use of removable media is often unavoidable for software updates, diagnostics, and data transfer.

Key Takeaways from NIST SP 1334 

NIST SP 1334 emphasizes layering controls across four key domains: procedural, physical, technical, and transportation. 

Procedural Controls

Organizations should develop clear policies to govern media usage. These include purchasing organization-owned media with hardware encryption (FIPS-certified), prohibiting unauthorized devices, and establishing strict procedures for provisioning, sanitizing, and disposing of media. Logging usage details, such as user identity, device serial number, and timestamps, and training staff on these policies are also essential.

Physical Controls

The physical controls in the NIST SP 1334 guidelines include storing portable media in a physically secure, access-controlled location, and inventorying and labeling approved media with usage details as a foundational part of the organization's asset management program to minimize risk.

Technical Controls

Organizations are advised to establish technical controls for media protection. These controls include disabling unnecessary ports, using allowlisting to restrict devices and file execution, scanning media before and after use, reformatting devices before reuse, enabling write-protection for read-only files, turning off autorun, using encrypted devices, and configuring alerts for removable media activities.
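As an added illustration of the allowlisting and alerting controls above (not code from NIST SP 1334 or from OPSWAT), the following sketch audits USB enumeration events against an inventory of approved media serial numbers. The inventory, host name, timestamp prefix, and log lines are constructed samples in the style of Linux kernel USB messages; the function and variable names are hypothetical.

```python
import re

# Constructed inventory of organization-owned media: serial -> asset label (assumption).
APPROVED_MEDIA = {"4C530001230512345678": "OT-USB-0007"}

# Constructed sample in the style of Linux kernel USB enumeration messages.
SAMPLE_KERNEL_LOG = """\
2025-03-04T08:15:02 hmi01 kernel: usb 1-2: New USB device found, idVendor=0781, idProduct=5583, bcdDevice= 1.00
2025-03-04T08:15:02 hmi01 kernel: usb 1-2: SerialNumber: 4C530001230512345678
2025-03-04T09:41:37 hmi01 kernel: usb 1-3: New USB device found, idVendor=090c, idProduct=1000, bcdDevice=11.00
2025-03-04T09:41:37 hmi01 kernel: usb 1-3: SerialNumber: AA00000000000489
2025-03-04T11:02:10 hmi01 kernel: usb 1-4: New USB device found, idVendor=abcd, idProduct=1234, bcdDevice= 1.00
"""

FOUND = re.compile(
    r"^(\S+) (\S+) kernel: usb (\S+): New USB device found, "
    r"idVendor=([0-9a-f]{4}), idProduct=([0-9a-f]{4})")
SERIAL = re.compile(r"^\S+ (\S+) kernel: usb (\S+): SerialNumber: (\S+)")

def audit_usb_events(log_text, approved):
    """Return one record per enumerated USB device with an approve/alert verdict."""
    pending, records = {}, []

    def flush(key):
        dev = pending.pop(key)
        # A device that reports no serial cannot be matched to inventory: alert.
        dev["asset"] = approved.get(dev["serial"])
        dev["verdict"] = "approved" if dev["asset"] else "ALERT"
        records.append(dev)

    for line in log_text.splitlines():
        if m := FOUND.match(line):
            ts, host, port, vid, pid = m.groups()
            if (host, port) in pending:   # same port reused by a later device
                flush((host, port))
            pending[(host, port)] = {"time": ts, "host": host, "port": port,
                                     "vid_pid": f"{vid}:{pid}", "serial": None}
        elif m := SERIAL.match(line):
            host, port, serial = m.groups()
            if (host, port) in pending:
                pending[(host, port)]["serial"] = serial
    for key in list(pending):
        flush(key)
    return records

if __name__ == "__main__":
    for rec in audit_usb_events(SAMPLE_KERNEL_LOG, APPROVED_MEDIA):
        print(rec)
```

The sketch treats every enumerated USB device as in scope; a deployment would also record the logged-in user to satisfy the usage-logging policy.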

Transportation and Sanitization Controls

Additional physical and logical controls are required to mitigate the risk of transporting media. These controls include using encryption or locked containers for secure internal transport, performing hash or checksum verification when transferring files between parties, and conducting thorough sanitization (as detailed in NIST SP 800-88, Revision 2) before disposing of the media.
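The hash verification step above can be sketched as follows; this is an added example, not code from NIST SP 1334 or from OPSWAT, and the file names and contents are constructed. It builds a SHA-256 manifest on the sending side and, on the receiving side, reports modified, missing, and unexpected files, assuming the manifest reaches the receiver by a channel other than the media itself.

```python
import hashlib
import tempfile
from pathlib import Path

def sha256_file(path, chunk=1 << 20):
    """Hash a file in chunks so large firmware images are not read into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def build_manifest(root):
    """Sender side: map each file's relative path to its SHA-256 digest."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}

def verify_media(root, manifest):
    """Receiver side: compare the media against the sender's manifest.

    Files absent from the manifest are reported too; checking only the
    listed hashes would not notice something added to the media in transit.
    """
    actual = build_manifest(root)
    return {
        "modified": sorted(n for n in manifest
                           if n in actual and actual[n] != manifest[n]),
        "missing": sorted(n for n in manifest if n not in actual),
        "unexpected": sorted(n for n in actual if n not in manifest),
    }

def demo():
    """Constructed transfer: three files sent, then altered before receipt."""
    with tempfile.TemporaryDirectory() as tmp:
        media = Path(tmp)
        (media / "fw").mkdir()
        (media / "fw" / "plc_update.bin").write_bytes(b"\x7fFIRMWARE-v2")
        (media / "config.xml").write_text("<cfg rate='50'/>")
        (media / "notes.txt").write_text("change ticket (constructed)")
        manifest = build_manifest(media)   # sent out-of-band, not on the media
        # Simulated changes between sender and receiver:
        (media / "config.xml").write_text("<cfg rate='500'/>")
        (media / "notes.txt").unlink()
        (media / "autorun.inf").write_text("[autorun]")
        return verify_media(media, manifest)

if __name__ == "__main__":
    print(demo())
```

A manifest stored on the same media detects only accidental corruption, since anyone able to alter the files can alter the manifest as well.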

How OPSWAT Helps Prevent Peripheral and Removable Media Attacks

OPSWAT offers a range of solutions designed to protect critical OT environments against peripheral and removable media threats. These solutions help organizations achieve compliance with regulatory guidelines, including NIST, ISA/IEC 62443, NEI 18-08, NERC CIP, ISO27001, ANSSI, NIS2, and GDPR.

Removable Media Threat Mitigation at the Point of Entry

Designed to secure the most challenging environments, MetaDefender Kiosk™ scans and sanitizes removable media at the point of entry of air-gapped environments, securing data flows into OT systems. MetaDefender Kiosk also helps organizations enhance operational resilience, reducing the risk of unplanned downtimes, production interruptions, and safety incidents. It was recognized as part of Emerson's DeltaV Silver Alliance, proving its effectiveness in multiple environments and use cases.

Pre-Run Endpoint Protection and Device Control

MetaDefender Endpoint™ strengthens endpoint security and provides advanced protection for operational environments. It actively scans and detects removable and peripheral media upon insertion, before they are made accessible to critical systems. This capability helps organizations align with the cybersecurity requirements for portable storage media outlined in NIST SP 1334. It also enables users to wipe removable media data securely, helping meet the standards’ media sanitization requirements.

Protection Monitoring from a Single Pane of Glass

When integrated with My OPSWAT™ Central Management, MetaDefender Endpoint and MetaDefender Kiosk support centralized policy enforcement for controlling device access, monitoring and managing portable media usage, and logging activity.

Media Validation as an Extra Layer of Defense

OPSWAT also offers a range of solutions to enhance your defense-in-depth strategy. MetaDefender Endpoint Validation, OPSWAT Media Validation Agent, and MetaDefender Media Firewall™ provide an additional layer of security by enforcing scanning and sanitization policies.

MetaDefender Endpoint Validation and OPSWAT Media Validation Agent are lightweight tools installed on endpoints that work in both air-gapped and connected environments. They serve as a checkpoint to ensure that only files scanned by MetaDefender Kiosk can be opened, copied, selected, and accessed by the endpoint.

MetaDefender Media Firewall is a plug-and-play hardware solution to protect critical host systems from threats carried by removable media. It works with MetaDefender Kiosk as an easy-to-use, physical layer to secure OT environments and guarantee that no unscanned removable media can bypass entry points. This solution also helps organizations to enforce scanning policies that align with regulatory compliance standards.

Industry-Leading Core Technologies

MetaDefender Kiosk and MetaDefender Endpoint are powered by globally trusted, industry-leading technologies, including:

  • Metascan™ Multiscanning: Achieves up to 99.2% malware detection rates with 30+ anti-malware engines
  • Deep CDR™: Recursively sanitizes files, removing potential threats without compromising file functionality, to prevent unknown threats, including zero-day exploits; 200+ file types supported
  • File-Based Vulnerability Assessment: Detects known vulnerabilities with 3,000,000+ data points collected from active devices and 30,000+ associated CVEs with severity information
  • Proactive DLP™: Utilizes AI-powered models to locate and automatically redact sensitive information like PII, PHI, PCI in 110+ file types
  • Country of Origin: Detects the geographic source of files to identify restricted locations and vendors, supporting regulatory compliance

Protect Critical Infrastructure Against Removable Media Attacks

Discover why critical infrastructure organizations trust OPSWAT’s solutions to fortify their OT/ICS environments against peripheral and removable media threats. Schedule a demo today by talking to one of our experts.
