
NIST Special Publication
NIST SP 1334
https://doi.org/10.6028/NIST.SP.1334
September 2025
REDUCING THE CYBERSECURITY RISKS OF PORTABLE STORAGE MEDIA IN OT ENVIRONMENTS
Portable storage media continue to be useful tools for transferring data physically to and from Operational
Technology (OT) environments. For example, media can be used for updating firmware for a device in an isolated
OT network or retrieving log data for offsite diagnostics. Universal Serial Bus (USB) flash drives are commonly
used, in addition to external hard drives, CD or DVD drives, and other removable media.

Though portable storage media are convenient, their usage poses cybersecurity risks for operational
environments. Procedural, physical, and technical controls are important for minimizing the likelihood of a
cyberattack from portable storage media usage. The National Cybersecurity Center of Excellence (NCCoE) has
developed cybersecurity considerations to be integrated into a broader cybersecurity risk management program
to help OT personnel use portable storage media securely and effectively.

An organization should develop policies that support asset management and enforce:
• Purchasing, authorizing, and managing organization-owned media. Devices provided by other sources should be considered untrusted.
• Procuring devices that support hardware-based encryption standards such as FIPS.
• Prohibiting media usage unless expressly authorized. Authorization should be limited to specific personnel and purposes.
• Procedures for provisioning, usage, storage, sanitization, and destruction.
• Enabling logs for traceability (e.g., system and user identity, device serial number, date and time).
• Training staff on policy and procedures.

One way to minimize risk when using portable storage media
is to apply physical controls for accessing, labeling, and
storing the media.
• Media should be stored in a physically secure location where only authorized individuals have access.
• Approved portable storage media should be inventoried and labeled. Labels may indicate:
  o Who may use it
  o On which network/system it may be used
  o Its functional purpose

Having a designated space to store approved media, in
conjunction with access control and labeling, is a foundation
for a well-implemented set of physical controls. This can be
part of a larger asset management program.
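
The traceability log fields and the inventory label fields listed above can be checked against each other. The following Python sketch is an added example, not part of the NIST publication; the inventory entries, serial numbers, user and system names, and the CSV log layout are constructed assumptions.

```python
import csv
import io

# Constructed inventory of approved media. Label fields follow the list above:
# who may use it, on which system it may be used, and its functional purpose.
INVENTORY = {
    "SN-A1001": {"users": {"jlee", "mgarcia"}, "systems": {"HMI-LINE2"},
                 "purpose": "firmware update"},
    "SN-A1002": {"users": {"mgarcia"}, "systems": {"HIST-01"},
                 "purpose": "log retrieval"},
}

# Constructed media-connection log: date and time, system, user, device serial.
SAMPLE_LOG = """timestamp,system,user,serial
2025-09-03T08:14:02,HMI-LINE2,jlee,SN-A1001
2025-09-03T09:40:55,HIST-01,jlee,SN-A1002
2025-09-03T11:02:17,HMI-LINE2,mgarcia,SN-X9999
2025-09-04T07:30:00,PLC-ENG-WS,mgarcia,SN-A1001
2025-09-04T10:12:45,HIST-01,,SN-A1002
"""

REQUIRED = ("timestamp", "system", "user", "serial")


def audit(log_text, inventory):
    """Return (timestamp, serial, finding) for each event that violates a label."""
    findings = []
    for row in csv.DictReader(io.StringIO(log_text)):
        ts = (row.get("timestamp") or "").strip()
        serial = (row.get("serial") or "").strip()
        missing = [f for f in REQUIRED if not (row.get(f) or "").strip()]
        if missing:
            # Without all four fields the event cannot be traced to a person and device.
            findings.append((ts, serial, "incomplete record: missing " + ",".join(missing)))
            continue
        label = inventory.get(serial)
        if label is None:
            # Media from other sources is treated as untrusted.
            findings.append((ts, serial, "media not in inventory (untrusted)"))
            continue
        if row["user"] not in label["users"]:
            findings.append((ts, serial, f"user {row['user']} not authorized for this media"))
        if row["system"] not in label["systems"]:
            findings.append((ts, serial, f"not approved for system {row['system']}"))
    return findings


if __name__ == "__main__":
    for ts, serial, finding in audit(SAMPLE_LOG, INVENTORY):
        print(ts, serial, finding)
```

Incomplete records are reported rather than skipped, since an event missing a user or serial number defeats the purpose of the log.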