Adversaries may move onto systems, such as those separated from the enterprise network, by copying malware to removable media which is inserted into the control systems environment. The adversary may rely on unknowing trusted third parties, such as suppliers or contractors with access privileges, to introduce the removable media. This technique enables initial access to target devices that never connect to untrusted networks, but are physically accessible.
Operators of the German nuclear power plant, Gundremmingen, discovered malware on a facility computer not connected to the internet.   The malware included Conficker and W32.Ramnit, which were also found on eighteen removable disk drives in the facility.       The plant has since checked for infection and cleaned up more than 1,000 computers.  An ESET researcher commented that internet disconnection does not guarantee system safety from infection or payload execution. 
Conficker exploits Windows drive shares. Once it has infected a computer, Conficker automatically copies itself to all visible open drive shares on other computers inside the network.  Nuclear power plant officials suspect someone brought in Conficker by accident on a USB thumb drive, either from home or computers found in the power plant's facility. 
Stuxnet was able to self-replicate by being spread through removable drives. A willing insider or unknown third party, such as a contractor, may have brought the removable media into the target environment.  The earliest version of Stuxnet relied on physical installation, infecting target systems when an infected configuration file carried by a USB stick was opened. 
|M0942||Disable or Remove Feature or Program||
Consider the disabling of features such as AutoRun.
|M0934||Limit Hardware Installation||
Enforce system policies or physical restrictions to limit hardware such as USB devices on critical assets.
|M0928||Operating System Configuration||
Harden the system through operating system controls to prevent the known or unknown use of malicious removable media.
|ID||Data Source||Data Component||Detects|
Monitor for newly constructed drive letters or mount points to removable media.
Monitor for files accessed on removable media, particularly those with executable content.
Monitor for newly constructed files copied to or from removable media.
Monitor for newly executed processes that execute from removable media after it is mounted or when initiated by a user. If a remote access tool is used in this manner to move laterally, then additional actions are likely to occur after execution, such as opening network connections for Command and Control and system and network information Discovery.