Honeywell’s Advanced Monitoring and Incident Response (AMIR) service, part of its broader Managed Security Services (MSS) offering, emphasized the importance of consistent policy enforcement and ongoing system hardening to strengthen risk management across operational environments. During the most recent reporting period, AMIR detected 107 unique security incidents, reflecting the diversity and persistence of threats targeting industrial systems.

Separately, Honeywell’s Secure Media Exchange (SMX) platform identified 1,826 unique threats, many of which involved trojans and worms. These types of threats require continuous attention and frequent updates through automated tools and scripts to maintain effective defenses. The findings underscore the need for proactive threat intelligence and regular system updates to mitigate malware risks introduced through removable media.

Telemetry data from the AMIR service highlights the growing scale and intensity of cyber threats targeting operational environments. Over the fourth quarter of last year and the first quarter of this year, AMIR analyzed 89.9 billion logs. From this dataset, the service flagged 54,098 alerts, out of which 1,008 incidents were triaged by Honeywell’s security team. Notably, these included 107 unique incidents, highlighting the depth and variety of threats encountered during this period.

The findings reinforce the value of consistent policy enforcement and security hardening across industrial systems. Honeywell’s AMIR team emphasizes that strengthening baseline configurations and applying uniform security controls can significantly improve risk management outcomes, especially in complex, high-volume environments.

As part of its 2025 Cyber Threat Report, Honeywell reviewed the top four types of incidents identified among the 107 unique events and offered recommendations for future remediation. The most common incidents included unauthorized USB plug-and-play activity, the addition of an account to a local security group, a change in CB-AppControl enforcement level from high to low, and the addition of a member to a domain controller’s security group.

“Among the incidents identified by Honeywell AMIR, 25% of the top 10 incidents were triggered by USB plug and play. A USB plug-and-play incident can pose a significant cybersecurity risk, especially when an unauthorized or malicious device is connected to a system,” the Honeywell report identified. “For example, an employee might unknowingly insert an infected USB drive into a corporate computer, triggering an automatic execution of malware designed to steal sensitive data or deploy ransomware.”

In a recent case, Honeywell revealed that a company experienced a security breach when a seemingly harmless promotional USB stick, distributed at a trade show, contained a hidden payload that installed a keylogger on the network. Modern operating systems often auto-detect and interact with USB devices without user intervention, allowing attackers to exploit this feature to execute scripts or alter system settings.

Defending against Trojans, worms, and other types of malware requires constant updates through automated tools and scripts. These threats are persistent and evolve rapidly, often exploiting vulnerabilities regardless of how old the technique or system may be. Attackers targeting industrial control networks will use any vector available, and removable media such as USB drives remain a common and effective delivery mechanism. These devices can carry malware that slips past traditional defenses, going undetected until damage is done.

To address this threat, organizations must implement technical and physical controls that support strict policy enforcement. One example is Honeywell’s Secure Media Exchange (SMX) solution, designed to detect and block malicious activity on USB devices. During the latest reporting interval, the fourth quarter of last year and the first quarter of this year, SMX scanned 31.4 million files across global installations, an increase of over 5 million files compared to the same period the previous year.

From the 31.4 million scanned files, Honeywell identified 4,984 files that were blocked or prohibited from running on customer endpoints. These blocked files contained 1,826 unique threats, underscoring the continued risk posed by USB-borne malware. The data highlights the importance of maintaining up-to-date defenses and deploying layered controls to protect operational systems from evolving and persistent threats.

It also disclosed that 37 percent of files blocked by Honeywell SMX during the report period contained W32[dot]Worm[dot]Ramnit, a 3,000 percent increase since it was last observed in the second quarter of last year. W32[dot]Worm[dot]Ramnit is primarily a banking trojan used to steal account credentials; however, given its saturated presence in the ecosystems of Honeywell’s industrial customers, the report considers it likely that it has been repurposed to extract control system credentials.

Honeywell noted that strong endpoint security is essential for reducing risk. It recommended that organizations disable USB ports when not in use, enforce strict device control policies, deploy secure media scanning kiosks, and train employees on the dangers of using unknown USB drives or other removable media.

The report said that adding accounts to local security groups, which represented 16 percent of the top incidents recorded by Honeywell AMIR, can create security risks because it grants elevated access to a system. “Adding users to privileged groups like ‘Administrators’ can potentially allow unauthorized users to make critical changes or access sensitive data if compromised, especially when not managed centrally through a domain environment. This can be particularly concerning if too many accounts are added to these groups, leading to excessive permissions and potential for misuse.”

Honeywell recommended establishing clear criteria for determining which accounts qualify as privileged and non-privileged. Organizations should implement enforcement mechanisms to uphold these distinctions and conduct regular audits to review account lists for changes in privilege levels or the addition of new privileged accounts.
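The three top incident types discussed above (unauthorized USB plug-and-play, a member added to a local security group, and a member added to a domain group on a domain controller) are all visible in the Windows Security log. The following triage logic is an added example, not Honeywell or AMIR code: it maps the standard Windows Security event IDs 6416 (new external device recognized), 4732 (member added to a security-enabled local group) and 4728 (member added to a security-enabled global group) to incidents with a severity. The privileged-group lists, the USB allowlist and the sample events are constructed assumptions.

```python
"""Triage Windows Security log events for the top incident types in the report.

Added example, not Honeywell code. The events below are constructed samples in a
flattened dict form (EventID plus the fields a SIEM would already have parsed).
The event IDs are the standard Windows Security log values; the privileged-group
lists and the USB allowlist are assumed policy, not values from the report.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional

# Standard Windows Security log event IDs.
EVT_PNP_DEVICE = 6416        # A new external device was recognized by the system
EVT_LOCAL_GROUP_ADD = 4732   # A member was added to a security-enabled local group
EVT_GLOBAL_GROUP_ADD = 4728  # A member was added to a security-enabled global group

# Assumed policy: additions to these groups are always high severity.
PRIVILEGED_LOCAL_GROUPS = {"Administrators", "Remote Desktop Users", "Backup Operators"}
PRIVILEGED_DOMAIN_GROUPS = {"Domain Admins", "Enterprise Admins", "Schema Admins"}
# Assumed allowlist of approved USB devices as lowercase "vid:pid" pairs.
APPROVED_USB_IDS = {"0781:5591"}

USB_ID_RE = re.compile(r"VID_([0-9A-Fa-f]{4})&PID_([0-9A-Fa-f]{4})")


@dataclass
class Incident:
    severity: str  # "high" or "medium"
    kind: str
    host: str
    detail: str


def usb_key(device_id: str) -> Optional[str]:
    """Extract 'vid:pid' from a device instance path such as USB\\VID_0781&PID_5591\\SN."""
    m = USB_ID_RE.search(device_id)
    return f"{m.group(1)}:{m.group(2)}".lower() if m else None


def triage(event: dict) -> Optional[Incident]:
    """Map one event to an Incident if it matches a monitored incident type, else None."""
    eid, host = event["EventID"], event["Computer"]

    if eid == EVT_PNP_DEVICE:
        key = usb_key(event.get("DeviceId", ""))
        if key in APPROVED_USB_IDS:
            return None  # approved device: log only, no incident
        return Incident("high", "unauthorized_usb_pnp", host,
                        f"device {event.get('DeviceId', '?')} not on allowlist")

    if eid == EVT_LOCAL_GROUP_ADD:
        group = event["TargetUserName"]  # 4732 carries the group name in TargetUserName
        sev = "high" if group in PRIVILEGED_LOCAL_GROUPS else "medium"
        return Incident(sev, "local_group_member_added", host,
                        f"{event['MemberName']} added to {group} by {event['SubjectUserName']}")

    if eid == EVT_GLOBAL_GROUP_ADD:
        group = event["TargetUserName"]
        sev = "high" if group in PRIVILEGED_DOMAIN_GROUPS else "medium"
        return Incident(sev, "domain_group_member_added", host,
                        f"{event['MemberName']} added to {group} by {event['SubjectUserName']}")

    return None  # event type not monitored here


def triage_all(events: list[dict]) -> list[Incident]:
    return [inc for inc in map(triage, events) if inc is not None]


def count_by_kind(incidents: list[Incident]) -> dict[str, int]:
    counts: dict[str, int] = {}
    for inc in incidents:
        counts[inc.kind] = counts.get(inc.kind, 0) + 1
    return counts


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"EventID": 6416, "Computer": "HMI-01", "DeviceId": r"USB\VID_0781&PID_5591\4C530001"},
    {"EventID": 6416, "Computer": "ENG-WS-03", "DeviceId": r"USB\VID_1A2B&PID_3C4D\0000001"},
    {"EventID": 4732, "Computer": "HMI-01", "TargetUserName": "Administrators",
     "MemberName": "HMI-01\\svc_backup", "SubjectUserName": "operator2"},
    {"EventID": 4732, "Computer": "HIST-01", "TargetUserName": "Performance Log Users",
     "MemberName": "HIST-01\\perfmon", "SubjectUserName": "hist_admin"},
    {"EventID": 4728, "Computer": "DC01", "TargetUserName": "Domain Admins",
     "MemberName": "PLANT\\contractor7", "SubjectUserName": "helpdesk1"},
    {"EventID": 4624, "Computer": "HMI-01", "TargetUserName": "operator2"},
]

if __name__ == "__main__":
    for inc in triage_all(SAMPLE_EVENTS):
        print(f"[{inc.severity}] {inc.kind} on {inc.host}: {inc.detail}")
```

Run against the constructed sample, the approved USB drive and the ordinary logon produce nothing, while the unknown USB device, the addition to the local Administrators group and the addition to Domain Admins come out as high-severity incidents; the addition to a non-privileged local group is reported at medium severity so it still reaches the periodic privilege review the report calls for.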

Highlighting that the Center for Internet Security (CIS) Benchmarks are globally recognized security standards that help organizations defend their IT/OT (operational technology) systems and data from cyberattacks, the Honeywell report noted that they are created by a community of cybersecurity experts and compliance and security professionals, who compile a checklist of best practices that can be applied to multiple technologies.

The report recommends that organizations keep track of configuration changes and address configuration drift in programmatic ways as part of a detection-in-depth approach. They must also adjust enforcement policies and strategies to their environment, including the level of domain expertise available, and consider the use of application control solutions to track changes. Downgrading from a high to a lower enforcement level is not typically recommended. They must also configure customized rules, such as execution control or file write rules, for files lacking publisher or certificate information, so that such files can be allowed to execute in a controlled manner.

Honeywell advised organizations to implement strong alternative controls for systems that cannot be patched quickly. Key steps include using network segmentation with firewalls and VLANs to isolate vulnerable assets, disabling autorun features, and enforcing strict controls on removable media through scanning and port restrictions.

It also suggests that limiting access to network shares, applying application allowlisting, and deploying vendor-approved security tools with updated threat signatures can reduce risk. Intrusion Prevention Systems with virtual patching can offer additional protection. Regular system hardening, least privilege enforcement, and continuous monitoring for anomalies are essential. Honeywell also emphasized the need for a tested, OT-specific incident response plan to isolate threats and restore operations with minimal impact.
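The recommendations above (tracking configuration changes and addressing drift programmatically, treating an application-control enforcement downgrade as a problem, keeping autorun disabled and removable media restricted, and periodically auditing privileged account lists) all reduce to comparing each host against a hardened baseline. The following drift checker is an added example, not Honeywell, CIS or Carbon Black code: the setting names, the four-step enforcement ordering and both snapshots are constructed assumptions standing in for whatever an application-control or configuration-management product actually exposes.

```python
"""Detect configuration drift against a hardened baseline and flag enforcement downgrades.

Added example, not Honeywell or vendor code. The baseline and current snapshots are
constructed; the setting names (enforcement_level, autorun, removable_storage,
local_admins) and the enforcement ordering are assumptions, not any product's schema.
"""
from __future__ import annotations

# Assumed ordering of application-control enforcement levels, strictest first.
ENFORCEMENT_ORDER = ["high", "medium", "low", "none"]


def finding(host, setting, expected, actual, severity, note=""):
    return {"host": host, "setting": setting, "expected": expected,
            "actual": actual, "severity": severity, "note": note}


def detect_drift(baseline: dict, current: dict) -> list[dict]:
    """Return one finding per setting whose current value differs from the baseline.

    Severity: host missing, enforcement downgraded, or local admin added -> high;
    enforcement stricter than baseline -> low (still drift); any other change -> medium.
    """
    findings = []
    for host, expected in baseline.items():
        actual = current.get(host)
        if actual is None:
            # A host that stopped reporting may be offline or may have lost its agent.
            findings.append(finding(host, "*", "present", "missing", "high"))
            continue
        for setting, exp in expected.items():
            act = actual.get(setting)
            if setting == "local_admins":
                # Audit the privileged account list as a set: additions matter most.
                added = sorted(set(act or []) - set(exp))
                removed = sorted(set(exp) - set(act or []))
                if added:
                    findings.append(finding(host, setting, exp, act, "high", f"added {added}"))
                if removed:
                    findings.append(finding(host, setting, exp, act, "medium", f"removed {removed}"))
                continue
            if act == exp:
                continue
            if setting == "enforcement_level":
                # Unknown or weaker level than the baseline counts as a downgrade.
                downgraded = (act not in ENFORCEMENT_ORDER or
                              ENFORCEMENT_ORDER.index(act) > ENFORCEMENT_ORDER.index(exp))
                sev = "high" if downgraded else "low"
            else:
                sev = "medium"
            findings.append(finding(host, setting, exp, act, sev))
    return findings


def approve_change(baseline: dict, host: str, setting: str, value) -> None:
    """Record a reviewed, approved change so it stops being reported as drift."""
    baseline.setdefault(host, {})[setting] = value


# Constructed baseline: hardened state every monitored host should match.
BASELINE = {
    "HMI-01": {"enforcement_level": "high", "autorun": "disabled",
               "removable_storage": "deny", "local_admins": ["Administrator"]},
    "ENG-WS-03": {"enforcement_level": "high", "autorun": "disabled",
                  "removable_storage": "deny", "local_admins": ["Administrator", "eng_admin"]},
    "HIST-01": {"enforcement_level": "high", "autorun": "disabled",
                "removable_storage": "deny", "local_admins": ["Administrator"]},
}

# Constructed current snapshot: one enforcement downgrade, one autorun change,
# one new local admin, and one host that did not report at all.
CURRENT = {
    "HMI-01": {"enforcement_level": "low", "autorun": "disabled",
               "removable_storage": "deny", "local_admins": ["Administrator"]},
    "ENG-WS-03": {"enforcement_level": "high", "autorun": "enabled",
                  "removable_storage": "deny",
                  "local_admins": ["Administrator", "eng_admin", "contractor7"]},
}

if __name__ == "__main__":
    for f in detect_drift(BASELINE, CURRENT):
        print(f"[{f['severity']}] {f['host']} {f['setting']}: "
              f"expected {f['expected']!r}, got {f['actual']!r} {f['note']}")
```

On the constructed snapshots the checker reports four findings: the enforcement downgrade on HMI-01, the autorun change and the new local administrator on ENG-WS-03, and the silent HIST-01. Running it on a schedule and feeding the findings into the same alert queue as event-based detections is what turns the baseline into the detection-in-depth control the report describes; `approve_change` is the programmatic path for reviewed exceptions, so the baseline reflects decisions rather than accumulating unexplained noise.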

The AMIR data comes as Honeywell reports on sharp and growing ransomware threats against industrial operators and manufacturers. Ransomware attacks jumped by 46 percent in the first quarter of 2025, with the Cl0p ransomware group emerging as the most active threat actor. During that same quarter, the Honeywell 2025 Cyber Threat Report reported 2,472 new ransomware victims, adding to the 6,130 incidents documented in 2024.
