Critical national infrastructure underpins everything. The electricity grid, water treatment facilities, transport networks, hospitals, fuel pipelines, and telecommunications systems all qualify as critical infrastructure because their disruption carries consequences that extend far beyond the organisations operating them. A cyberattack on a power substation does not just affect the utility company. It affects every home, hospital, and business drawing power from that grid.

That reality makes critical infrastructure one of the most consistently targeted sectors in global cybersecurity. Attacks are growing in frequency, sophistication, and consequence. And among the vectors threat actors use to reach these environments, one remains persistently underestimated: removable media.

What is Critical Infrastructure?

Critical national infrastructure (CNI) refers to the assets, systems, and networks so essential to a nation’s functioning that their disruption or destruction would have a significant impact on national security, public safety, economic stability, or public health.

The UK government designates thirteen sectors as critical national infrastructure: chemicals, civil nuclear, communications, defence, emergency services, energy, finance, food, government, health, space, transport, and water. Each sector contains a mix of public and privately operated facilities, many of which rely on industrial control systems and operational technology to manage physical processes.

Why Critical Infrastructure is a Priority Target

The consequences of a successful attack on CNI are disproportionately large. A ransomware infection in a logistics company disrupts deliveries. The same infection in a water treatment facility disrupts the water supply for an entire region.

Several factors combine to make CNI environments particularly attractive to threat actors.

High Operational Impact

Disrupting a CNI operator creates immediate pressure to pay or comply. Critical services cannot simply be taken offline while a cyber incident is investigated and remediated.

Legacy Technology

Much critical infrastructure runs on operational technology that was installed decades before cybersecurity was a consideration. Systems controlling physical processes such as turbines, pumps, valves and rail signalling frequently run on unsupported operating systems that cannot be patched or updated without significant operational risk.

IT and OT Convergence

The increasing connection of operational technology networks to enterprise IT systems, driven by efficiency and remote monitoring requirements, has created new attack paths into environments that were previously isolated. An attacker who compromises an IT network may now have a route to the OT systems controlling physical infrastructure.

State-Sponsored Interest

Critical infrastructure is a priority target for nation-state threat actors seeking strategic leverage. Documented attacks on energy grids, water systems, and transport networks across Europe and North America demonstrate that CNI is being probed and targeted by well-resourced adversaries.

The Critical Infrastructure Threat Landscape

Ransomware

Ransomware targeting CNI has grown significantly as a documented threat. Operators face pressure to restore services quickly, making them more likely to pay. Attacks on energy infrastructure, water utilities, and healthcare systems have caused real-world service disruption and in some cases forced manual fallback operations.

Supply Chain Attacks

CNI operators rely heavily on third-party vendors, maintenance contractors, and equipment suppliers. Attackers have increasingly targeted the supply chain as an indirect route into CNI environments, compromising a less-secure supplier to reach a high-security operator.

Insider Threats

Whether malicious or accidental, insiders with access to CNI systems present a significant risk. Disgruntled employees, contractors with excessive access, and well-meaning staff making mistakes all feature in documented CNI incidents.

USB and Removable Media

This is the threat vector that gets the least systematic attention in CNI environments and causes some of the most significant documented incidents. Every sector listed above relies on removable media for operational reasons. And every USB drive that enters a CNI environment without being scanned represents an uncontrolled entry point into systems that control physical processes.

Why USB Threats are Uniquely Dangerous in CNI Environments

The properties that make USB-borne threats dangerous in any enterprise environment are amplified in critical infrastructure.

Air-Gapped Systems Depend on Removable Media

Many CNI environments operate air-gapped networks that are deliberately isolated from the internet and from less-trusted environments. The isolation is the security control. But isolated systems still require data: software updates, firmware patches, engineering files, configuration data, and maintenance records all need to move in and out.

In the absence of a network connection, USB drives and removable media become the primary data transfer method. That makes every device that crosses the boundary a potential threat, and makes the scanning process at that boundary one of the most critical security controls in the entire environment.

Stuxnet, the most extensively analysed ICS attack in history, reached an air-gapped nuclear enrichment facility through exactly this mechanism. The malware was carried in on USB drives and caused physical damage to centrifuges before it was detected. The network isolation that was supposed to protect the facility left removable media as the remaining route in, and the attackers used it.

Legacy OT Systems Cannot Run Endpoint Security

Industrial control systems frequently run on operating systems that are no longer supported. Windows XP installations are common across the energy, manufacturing, and utilities sectors. These systems cannot run modern endpoint antivirus software, cannot receive security patches, and were never designed with cyber threats in mind.

Software-based USB security tools that rely on the host system being healthy and current offer limited protection in these environments. The host system itself may be the vulnerability.

Third-Party Contractors Bring Unscanned Devices

CNI sites receive regular visits from equipment vendors, maintenance contractors, calibration engineers, and system integrators. Each arrives with laptops and USB drives that have been used across multiple other sites and facilities. Without a controlled process for scanning those devices before they connect to operational systems, every contractor visit is an uncontrolled entry point.

The Consequences Extend Beyond Data

In an office IT environment, a USB-borne malware infection typically means data loss, potential ransomware, and recovery costs. In a CNI environment, it can mean a physical process running out of control, a safety system being disabled, or an entire production facility going offline. The stakes are categorically different.

Sector-Specific USB Threat Context

Sector                 | USB dependency                                          | Primary risk
-----------------------|---------------------------------------------------------|--------------------------------------------------------------------
Energy and utilities   | Firmware updates to substation equipment, ICS patches   | Malware disrupting grid management or safety systems
Nuclear                | Strictly controlled data transfers to isolated systems  | Catastrophic if a malicious payload reaches reactor control systems
Water and wastewater   | Remote site updates via portable media                  | Treatment process manipulation or operational shutdown
Transport and rail     | Signalling system updates, maintenance data             | Safety-critical system compromise affecting train operations
Oil and gas            | Offshore and remote site updates, contractor devices    | Production shutdown, safety system compromise
Maritime               | Chart updates, ECDIS data, maintenance tools            | Navigation system infection, operational disruption
Healthcare             | Medical device firmware, diagnostic equipment updates   | Patient safety risk, NHS system compromise
Manufacturing          | PLC updates, engineering files, production data         | Production line shutdown, safety incident

For sector-specific guidance, Tyrex has dedicated pages covering oil and gas cybersecurity, maritime cybersecurity, healthcare cybersecurity, and industrial control systems security.

Protecting Critical Infrastructure Against USB Threats

Hardware-Based Scanning at the Network Boundary

The most effective control for USB-borne threats in CNI environments is a dedicated hardware scanning station positioned at the boundary between external devices and the protected network. Every device that enters the environment, whether brought by staff, contractors, or visitors, is scanned before it reaches any operational system.

Sheep Dip Station

This is sometimes referred to as a sheep dip station in defence and industrial contexts. The device is scanned in a completely isolated hardware environment. The operational system is never exposed during the process. If a threat is detected, it is quarantined before it can execute. The scan is logged for audit and compliance purposes.

Unlike software AV running on a host system, hardware scanning stations do not require the host to be healthy or current. They operate in their own isolated environment, run multiple independent scanning engines simultaneously, and function fully offline. For industrial environments running legacy infrastructure, this is often the only scanning approach that can be deployed reliably.
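
The scan, quarantine and log steps described above, reduced to a script an operator could run on an isolated scanning host. This is an added example and is not Tyrex code or a description of how K-REX works internally. It assumes the removable volume is already mounted read-only at a path it is given, that a known-bad SHA-256 feed is supplied as a set, and that a file-type policy like the one shown is acceptable at the site; the sample files, the blocklist entry and the operator name are all constructed for the demonstration. Any single finding blocks the whole device, and one JSON line is appended to an audit log on the scanning host for every device inspected.

```python
"""Sheep-dip scan pass over a removable volume mounted on an isolated host.
Added example, not Tyrex's K-REX code. Assumes the volume is already mounted
read-only at `root` and a known-bad SHA-256 feed is supplied as `blocklist`.
"""
from __future__ import annotations
import hashlib
import json
import os
import tempfile
import time
from dataclasses import asdict, dataclass, field
from pathlib import Path

# Hypothetical policy list: file types with little legitimate reason to cross
# into an OT network on media. Tune it to the site's approved transfer formats.
RISKY_EXTENSIONS = {".exe", ".dll", ".com", ".scr", ".msi", ".lnk",
                    ".vbs", ".js", ".jse", ".hta", ".ps1", ".bat", ".cmd"}
RISKY_NAMES = {"autorun.inf"}  # autorun-style execution on insertion
PE_MAGIC = b"MZ"               # DOS/PE header: catches renamed executables

@dataclass
class Finding:
    path: str
    sha256: str
    reason: str

@dataclass
class ScanReport:
    volume: str
    started: float
    files_scanned: int = 0
    findings: list[Finding] = field(default_factory=list)

    @property
    def verdict(self) -> str:
        # One finding blocks the whole device; a partly clean stick is still untrusted.
        return "quarantine" if self.findings else "allow"

def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def inspect_file(path: Path, blocklist: set[str]) -> Finding | None:
    """Return a Finding for the first rule the file trips, else None."""
    digest = sha256_file(path)
    if digest in blocklist:
        return Finding(str(path), digest, "hash on known-bad list")
    if path.name.lower() in RISKY_NAMES:
        return Finding(str(path), digest, "autorun-style filename")
    if path.suffix.lower() in RISKY_EXTENSIONS:
        return Finding(str(path), digest, f"executable/script type {path.suffix.lower()}")
    with path.open("rb") as fh:
        if fh.read(len(PE_MAGIC)) == PE_MAGIC:
            return Finding(str(path), digest, "PE header under a non-executable name")
    return None

def scan_volume(root: Path, blocklist: set[str]) -> ScanReport:
    report = ScanReport(volume=str(root), started=time.time())
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            fpath = Path(dirpath) / fname
            if fpath.is_symlink():  # never follow links off the media
                continue
            report.files_scanned += 1
            finding = inspect_file(fpath, blocklist)
            if finding is not None:
                report.findings.append(finding)
    return report

def write_audit_record(report: ScanReport, log_path: Path, operator: str) -> dict:
    """Append one JSON line per device so every boundary crossing is auditable."""
    record = {"operator": operator, "verdict": report.verdict, **asdict(report)}
    with log_path.open("a", encoding="utf-8") as fh:
        fh.write(json.dumps(record) + "\n")
    return record

def demo(include_bad: bool = True) -> ScanReport:
    """Build a constructed sample volume in a temp dir, scan it and log the result."""
    root = Path(tempfile.mkdtemp(prefix="usb_"))
    (root / "firmware").mkdir()
    (root / "firmware" / "relay_v2.bin").write_bytes(b"\x00\x01firmware-image")
    (root / "README.txt").write_text("constructed sample volume")
    blocklist: set[str] = set()
    if include_bad:
        bad = root / "tools" / "known_bad.dat"
        bad.parent.mkdir()
        bad.write_bytes(b"constructed known-bad payload")
        blocklist.add(sha256_file(bad))                          # fabricated feed entry
        (root / "autorun.inf").write_text("[autorun]\nopen=update.pdf.exe\n")
        (root / "update.pdf.exe").write_bytes(b"MZ\x90\x00")     # double extension
        (root / "notes.txt").write_bytes(b"MZ\x90\x00 renamed")  # executable hiding as text
    report = scan_volume(root, blocklist)
    # Audit log lives on the scanning host, never on the media being inspected.
    write_audit_record(report, root.with_name(root.name + ".jsonl"), operator="eng-01")
    return report
```

Running `demo()` returns a quarantine verdict with four findings: the hash match, the autorun file, the double-extension executable and the renamed binary caught by its PE header; `demo(include_bad=False)` scans the same two clean files and returns allow. A real station replaces the placeholder rules with its engine results, but the shape stays the same: a device-level verdict and a per-device audit record, produced without the media ever touching an operational host.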

K-Rex

Tyrex K-REX stations run five antivirus engines and two anti-malware engines simultaneously in a hardened hardware environment, operating fully offline and producing a scan log for every device inspected. For CNI operators needing portable scanning capability at remote or field sites, the K-REX Mobile operates on battery power and is built to withstand harsh environmental conditions.

Removable Media Policy and Process

Technical controls are only as effective as the processes surrounding them. A formal removable media security policy defines which devices are permitted, who can use them, and what the mandatory steps are before any device connects to any operational system.

For CNI environments, the policy should specifically address contractor and third-party device management, since this is the most consistent gap in practice.

Staff and Contractor Awareness

Everyone who brings a device into a CNI environment should understand the process and why it exists. This includes permanent staff, contractors, maintenance engineers, and equipment vendors. The process must be simple enough to follow under operational pressure without exceptions.

Find out more about why USB devices represent one of the biggest hidden cyber threats across industrial and enterprise environments.

FAQs: Critical Infrastructure Cyber Security

Why are USB Threats Particularly Dangerous in CNI Environments?

CNI environments combine several factors that amplify USB risk: air-gapped networks where USB is the primary data entry method, legacy OT systems that cannot run modern endpoint security software, heavy reliance on third-party contractors with uncontrolled devices, and consequences that extend to physical safety systems and public services rather than just data.

What is the Most Effective Control for USB Threats in CNI?

A hardware-based scanning station positioned at the network boundary, scanning every device before it reaches any operational system. This approach works regardless of host system age, does not require network connectivity, and provides a logged audit trail for compliance purposes.

Does IEC 62443 Address Removable Media Security?

Yes. IEC 62443 is the primary international standard for industrial automation and control system security and includes specific controls for removable media in OT environments. Our dedicated post on IEC 62443 USB security requirements covers what those requirements mean in practice.

The Bottom Line

Critical infrastructure cyber security is a discipline that spans network architecture, access controls, incident response, and supply chain management. No single control addresses every risk.

But among the consistent, documented, and underestimated threats to CNI environments, USB and removable media stands out. It is operationally necessary in most CNI sectors. It bypasses perimeter security entirely and reaches air-gapped networks that no network-based control can protect. In environments running legacy OT systems, the standard software-based defences simply do not apply.

A hardware-enforced scanning process at the boundary between external devices and operational systems closes the gap that no firewall, network monitor, or endpoint tool can reach.