SD Cards and Hidden Cybersecurity Vulnerabilities

Hidden OT Risk: SD Cards and Cybersecurity Blind Spots

In modern industrial environments, SD cards have become ubiquitous, much like janitors who hold keys to every door but are never supervised. These small devices move between systems for firmware updates, configuration storage, and data logging without adequate security controls. This lack of oversight makes them attractive targets for cybercriminals aiming to infiltrate Operational Technology (OT) systems.

According to Honeywell’s 2025 Cyber Threat Report, there has been a striking 46% increase in transfer and extortion-related threats specifically affecting OT environments, indicating that attackers are intensifying their focus on operational assets. Reinforcing that finding, the 2024 Honeywell USB Threat Report revealed that a staggering 51% of industrial malware is designed to propagate through removable media, including SD cards and USB drives. Together, these statistics highlight a growing vulnerability in industries where even the smallest devices can serve as gateways for major security breaches.

To comprehend the scale of this risk, one must consider how malware leverages removable media as a preferred conduit for attacks. SD cards are integrated across every facet of industrial operations, including PLCs, sensors, and battery systems. However, their near-invisibility to security monitoring presents a serious challenge. Maintenance personnel often introduce SD cards into OT environments without any verification of their integrity. This can lead to scenarios where a single compromised SD card bypasses perimeter defenses and introduces malware into sensitive control systems, which are ill-equipped to detect such threats.

Unlike USB drives that may garner heightened scrutiny, SD cards often slip through the cracks, maintaining a precarious balance between essential utility and unmonitored risk. Their critical role in daily operations makes them vulnerable and hazardous, particularly in interconnected environments where a lapse in security can lead to devastating consequences.

Industrial malware has significantly evolved, moving from merely disrupting productivity to causing extensive operational failures. Historically notable incidents, such as Stuxnet, showcased how malware could traverse air-gapped systems via infected media, targeting PLCs and control mechanisms. More recently, the Triton malware incident revealed the potential of malware to not only disrupt operations but also threaten safety protocols in chemical and energy sectors. An instance involving a contractor inadvertently introducing a Triton-infected SD card into a critical infrastructure facility in Australia exemplifies the need for heightened vigilance. Traditional antivirus solutions failed to identify the threat, but advanced tools like the Honeywell Secure Media Exchange successfully flagged the malicious payload during deployment, underscoring the critical nature of monitoring removable media.

This emphasizes a stark reality: removable media remains a significant vector connecting IT and OT networks. If left unchecked, such media can serve as a simple entry point for attackers, allowing them to infiltrate even the most secure environments. As highlighted by the Triton case, a single unverified device can lead to severe compromises in operational integrity.

To mitigate these risks, IEC 62443 and NIST guidance provide foundational controls, but implementation must be rigorous. Security best practices include meticulous tracking of removable media, mandatory malware scanning before devices connect to production systems, enforced network segmentation, and the use of USB firewalls to contain possible infections. Incorporating targeted OT-specific threat intelligence is equally essential for recognizing the tactics most applicable to industrial sectors.

By adopting these security measures, organizations can transform removable media from a potential blind spot into a regulated, monitored component of their security architecture, thereby decreasing the likelihood that an overlooked SD card becomes the next attack vector.
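The tracking and pre-connection verification controls described above can be illustrated with a simple media check-in gate. This is an added example, not code from the article or from any Honeywell product: it assumes a registry of issued card IDs and a manifest of the files each maintenance card is permitted to carry, and both the manifest contents and the card IDs are constructed sample values.

```python
import hashlib
import os
import tempfile

# Constructed sample manifest (not from the article): the files a maintenance
# SD card is allowed to carry, keyed by relative path, with the SHA-256 of each.
KNOWN_GOOD = b"firmware image v1 (constructed sample bytes)"
CONFIG = b"station=pump-3\nrate=100\n"
MANIFEST = {
    "firmware/plc_app.bin": hashlib.sha256(KNOWN_GOOD).hexdigest(),
    "config/plc.cfg": hashlib.sha256(CONFIG).hexdigest(),
}
# Constructed registry of card IDs issued to staff (hypothetical identifiers).
ISSUED_MEDIA = {"SD-0041", "SD-0042"}

def scan_card(card_dir):
    """Hash every file on the mounted card, keyed by path relative to its root."""
    observed = {}
    for root, _dirs, files in os.walk(card_dir):
        for name in files:
            full = os.path.join(root, name)
            rel = os.path.relpath(full, card_dir).replace(os.sep, "/")
            with open(full, "rb") as fh:
                observed[rel] = hashlib.sha256(fh.read()).hexdigest()
    return observed

def verify_media(media_id, observed, manifest=MANIFEST, issued=ISSUED_MEDIA):
    """Check-in gate: the card is cleared only if every finding list is empty."""
    findings = {
        "unregistered_media": [] if media_id in issued else [media_id],
        "unexpected_files": sorted(set(observed) - set(manifest)),
        "missing_files": sorted(set(manifest) - set(observed)),
        "modified_files": sorted(p for p in manifest
                                 if p in observed and observed[p] != manifest[p]),
    }
    findings["cleared"] = not any(findings.values())
    return findings

def demo():
    """Write a constructed card image with one tampered firmware file and one
    stray file, then run it through the gate with an unissued card ID."""
    card = tempfile.mkdtemp(prefix="sdcard_")
    files = {"firmware/plc_app.bin": KNOWN_GOOD + b"\x00",  # one byte appended
             "config/plc.cfg": CONFIG, "scratch/notes.txt": b"not on manifest\n"}
    for rel, data in files.items():
        os.makedirs(os.path.dirname(os.path.join(card, rel)), exist_ok=True)
        with open(os.path.join(card, rel), "wb") as fh:
            fh.write(data)
    return verify_media("SD-0099", scan_card(card))
```

A card that fails any check is held back and its findings logged; only a card whose ID is registered and whose contents match the manifest byte for byte is allowed near a production system.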

The Honeywell Secure Media Exchange (SMX) offers advanced threat detection capabilities, complying with IEC 62443 and NERC CIP standards for removable media. This system mandates malware scans on every SD or USB device before it can connect to production ecosystems, allowing only verified, malware-free media to interface with critical systems. The system also prohibits the use of any unscanned or unauthorized devices, protecting against various cyber threats, including device impersonation. Additionally, the centralized Enterprise Threat Management Portal enhances visibility and policy enforcement across multiple locations.

As cyber adversaries increasingly adopt AI technologies to create more sophisticated and agile malware, the attack surface within OT environments is likely to expand. Emerging capabilities in “agentic AI” could enable automated reconnaissance and lateral movement, posing new threats to industrial security.

Proactive management of removable media will be essential as the battle for OT resilience advances, addressing one of the final vulnerabilities in industrial operations. For expert insights into mitigating hidden risks and equipping organizations against evolving AI-driven threats, businesses are encouraged to consult with Honeywell specialists.