Sheep Dip and the hate-love relationship between USB sticks and Industrial Control Systems

Yes USB sticks are a risk for industrial control environments. In case you need them: better scan them before you plug it in. Or even better, if it’s only extraction from the Industrial control system, use a brand new shrink wrapped USB stick. So make sure you have a supply of 365 USB sticks a year.


In case you want scanning: sheep dip. The term sheep dipping comes from another sector: farming. Farmers are bathing their sheep into some kind of chemical bath to prevent parasites and bacteria from spreading to the rest of the flock.

  1. There is an open source project, last updated 2014 and there is another one on Github. Then there is another open source one for the Raspberry Pi although I can’t figure out how it works since it doesn’t seem to be using a virus/malware scanner.
  2. Commercial solutions are there are as well.
    1. OPSWAT (metadefender before). This is a solution (software or a kiosk) where you can even have it scanned by an x number of virusscan engines
    2. .Symantec (before Norman Shark, then BlueCoat before Symantec bought Bluecoat) has a solution which cryptographically signs the USB stick after scanning it in order to allow it in a workstation.This is the only one that uses a sandboxing technique.


IMHO virus scanning is not enoug. You need some kind of sandboxing technique.  After all a virus scanner would not have stopped Stuxnet.

Or would it? Anyone knows of any other Sheep dip solution that uses Sandboxing? Perhaps some home brewed solution with Cuckoo?

Can you please drop a tweet? @khalasdotqa

The picture is from the Farmers Weekly. © Jeff J Mitchell/Getty Images