USB Protection & Removable Media Control
Regulatory Context: This module aligns with IACS UR E26 (Section 5.3) and E27 regarding the control of physical access points and the prevention of unauthorized software installation via removable media.
In the maritime environment, USB ports are the “digital gangway” of the vessel. While essential for software updates, log extraction, and chart loading, they represent the most significant physical threat to OT integrity—especially on legacy systems where OS-level protection is outdated or non-existent.
The Challenge: Why “Just Disable It” Isn’t Enough
While standard IT security often suggests a total ban on USB ports, the operational reality of a ship makes this impossible. We face a “Functionality vs. Security” paradox: the very ports used to update critical navigation charts or backup engine parameters are the same ports used by crew members to charge phones or transfer movies. A blind “lockdown” often leads to workarounds—like crew members temporarily bypassing security settings and forgetting to re-enable them—which creates a much higher risk than a managed access policy.
The Maintenance Dependency
OEM technicians frequently require USB access for PLC logic backups and firmware patches. Total port deactivation can lead to critical maintenance delays or “unauthorized” workarounds by contractors.
Legacy Human-Machine Interfaces (HMI)
Older HMIs (e.g., Windows XP/7 based) usually cannot run modern Endpoint Detection and Response (EDR) agents. On an unpatched Windows XP host, an infected drive carrying an autorun.inf launches its payload the moment it is inserted, before an ETO even sees a notification. Windows 7 and later ignore autorun.inf on USB disks by default, but a user double-clicking a disguised executable or shortcut on the drive produces the same result, so the drive must be scanned before it is ever mounted on the HMI.
Three-Tiered Defense Strategy
To ensure resilience, we apply a Defense-in-Depth approach. We recognize that no single control is foolproof; if a physical blocker is bypassed, an administrative scan must catch the threat. If the scan fails, technical OS hardening acts as the final line of defense.
L3 Implementation: Technical Hardening
For vessels with a Domain Controller (e.g., Crew/Business LAN), use Group Policy Management to enforce these settings. For standalone OT workstations, use the Registry Script below.
- Path: Computer Configuration > Policies > Administrative Templates > System > Removable Storage Access
- Setting: All Removable Storage classes: Deny all access, set to Enabled (full lockdown: every removable class, including CD/DVD and portable devices such as phones, is blocked).
- Alternative: Removable Disks: Deny write access, set to Enabled. Read access stays available, so charts and firmware can still be loaded from an approved drive, but nothing can be copied off the HMI. Read-only does not stop malware coming in: a dropper on the stick can still be read and launched, so pair this with Removable Disks: Deny execute access and with the media scan from the administrative tier.
- These policies exist on Windows Vista and later only; Windows XP hosts get just the AutoRun values from the registry script below.
```reg
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDriveTypeAutoRun"=dword:000000ff
"NoAutorun"=dword:00000001
```
NoDriveTypeAutoRun=0xFF turns AutoPlay off for every drive type (removable, fixed, network, CD-ROM); NoAutorun=1 stops Windows from executing autorun.inf commands at all. Import the file with regedit (or reg import) from an administrator account; the values take effect at the next logon.
Enable DriverFrameworks-UserMode logging to audit physically connected devices. This log is disabled by default, so until it is switched on (right-click the log in Event Viewer and choose Enable Log, or use wevtutil) no device connections are recorded. Log location:
Applications and Services Logs > Microsoft > Windows > DriverFrameworks-UserMode > Operational
TAGSIA PRO-TIP: If you are using GPO, ensure you apply the policy to the OU (Organizational Unit) containing the OT workstations specifically, so you don’t accidentally block the Captain’s printer or office scanners.
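For a standalone OT workstation, the whole of the L3 step above can be applied and verified from an elevated PowerShell prompt. The script below is an added example, not part of the original module or any vendor tool. It writes the registry values that back the Group Policy settings named above (key and value names as defined in Microsoft's RemovableStorage.admx template: Deny_All under RemovableStorageDevices, and Deny_Write / Deny_Execute under the Removable Disks class GUID), applies the same AutoRun values as the registry script, enables the DriverFrameworks-UserMode log, and dumps the USBSTOR enumeration history. The function names and the 32 MB log size are assumptions of this example. It requires Windows Vista or later; Windows XP has neither the Removable Storage Access policy nor PowerShell by default.

```powershell
# Added example: stand-alone USB hardening for a non-domain-joined Windows OT workstation.
# Not part of the original module. Run elevated; Vista or later only.
#Requires -RunAsAdministrator

# Registry locations behind the GPO settings (names per RemovableStorage.admx).
$PolicyRoot     = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices'
$RemovableDisks = "$PolicyRoot\{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}"   # "Removable Disks" class
$ExplorerPolicy = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$UmdfLog        = 'Microsoft-Windows-DriverFrameworks-UserMode/Operational'

function Set-UsbStoragePolicy {
    # DenyAll    = "All Removable Storage classes: Deny all access"
    # ReadOnly   = "Removable Disks: Deny write access"
    # ReadNoExec = ReadOnly plus "Removable Disks: Deny execute access"
    # Clear      = remove the policy entirely (maintenance window)
    param([ValidateSet('DenyAll', 'ReadOnly', 'ReadNoExec', 'Clear')][string]$Mode)

    # Wipe every previous Deny_* value (all classes) so switching modes never leaves stale denials.
    if (Test-Path $PolicyRoot) { Remove-Item $PolicyRoot -Recurse -Force }
    if ($Mode -eq 'Clear') { return }

    if ($Mode -eq 'DenyAll') {
        New-Item $PolicyRoot -Force | Out-Null
        Set-ItemProperty $PolicyRoot -Name Deny_All -Value 1 -Type DWord
        return
    }
    New-Item $RemovableDisks -Force | Out-Null
    # Write denied: nothing can be copied off the HMI (the "prevent data theft" case).
    Set-ItemProperty $RemovableDisks -Name Deny_Write -Value 1 -Type DWord
    if ($Mode -eq 'ReadNoExec') {
        # Execute denied too: a dropper on the stick can be read (and scanned) but not launched from it.
        Set-ItemProperty $RemovableDisks -Name Deny_Execute -Value 1 -Type DWord
    }
}

function Disable-AutoRun {
    # Same values as the .reg script: AutoPlay off for all drive types, autorun.inf ignored.
    New-Item $ExplorerPolicy -Force | Out-Null
    Set-ItemProperty $ExplorerPolicy -Name NoDriveTypeAutoRun -Value 0xFF -Type DWord
    Set-ItemProperty $ExplorerPolicy -Name NoAutorun          -Value 1    -Type DWord
}

function Enable-UsbDeviceLog {
    # The UMDF operational log is disabled by default, so nothing is recorded until this runs.
    # /ms: raises the cap to 32 MB (assumed size) so a long voyage does not wrap the log.
    wevtutil sl $UmdfLog /e:true /ms:33554432
}

function Get-UsbHardeningState {
    # Read back what is actually in effect; use this as the verification step of the checklist.
    $disk = Get-ItemProperty $RemovableDisks -ErrorAction SilentlyContinue
    $expl = Get-ItemProperty $ExplorerPolicy -ErrorAction SilentlyContinue
    [pscustomobject]@{
        DenyAll            = (Get-ItemProperty $PolicyRoot -ErrorAction SilentlyContinue).Deny_All -eq 1
        DenyWrite          = $disk.Deny_Write   -eq 1
        DenyExecute        = $disk.Deny_Execute -eq 1
        NoDriveTypeAutoRun = $expl.NoDriveTypeAutoRun
        NoAutorun          = $expl.NoAutorun -eq 1
        UmdfLogEnabled     = [bool]((wevtutil gl $UmdfLog) -match '^enabled:\s*true')
    }
}

function Get-UsbStorageHistory {
    # Every USB mass-storage device Windows has ever enumerated leaves a key under USBSTOR,
    # whether or not a policy later denied access to it: forensic evidence, not a control.
    Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Enum\USBSTOR' -ErrorAction SilentlyContinue |
        ForEach-Object {
            $model = $_.PSChildName
            Get-ChildItem $_.PSPath | ForEach-Object {
                [pscustomobject]@{
                    Model        = $model
                    Serial       = $_.PSChildName
                    FriendlyName = (Get-ItemProperty $_.PSPath).FriendlyName
                }
            }
        }
}

# Usage: an update workstation that must read charts/firmware but never export data.
Set-UsbStoragePolicy -Mode ReadNoExec
Disable-AutoRun
Enable-UsbDeviceLog
Get-UsbHardeningState
Get-UsbStorageHistory | Format-Table -AutoSize
# Reboot the workstation for the Removable Storage Access values to be enforced.
```

Use -Mode DenyAll for an HMI that never legitimately takes media, and -Mode Clear only inside a documented maintenance window, re-applying the policy and re-running Get-UsbHardeningState before the technician leaves. The USBSTOR listing is what you hand to the incident responder if a scan later flags a drive: it records every device the host has seen, including ones plugged in while the policy was cleared.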
Implementation: USB Hardening
Moving from policy to action requires a standardized workflow. The following checklist establishes the mandatory “Clean Media” protocol for all external devices attempting to interface with vessel IACS.
