USB Sanitization: Closing the Most Overlooked Entry Point in Your Network

Most security investment goes into the wrong places.

Organizations spend heavily on firewalls, endpoint detection, email filters, and identity management. Then someone plugs a USB drive picked up at a trade show directly into a workstation, and all of that infrastructure becomes irrelevant in the time it takes the operating system to mount the device.

According to ENISA, CISA, and IBM X-Force, removable media remains one of the most common entry points for malware in operational technology environments. The numbers vary by sector, but the conclusion is consistent: in over half of confirmed OT attacks, a USB drive was involved at some point in the kill chain.

The trade show scenario

Imagine the most ordinary version of this risk.

An employee attends an industry trade show. A vendor hands out branded USB sticks with their latest product presentation and technical specifications. The stick goes into a pocket, then a bag, then back to the office. Once there, the employee plugs it into a company workstation to share the contents with a team.

Nothing about that sequence is unusual. Most organizations have employees doing some version of this every week. And yet at no point did anyone scan the drive, verify its contents, or even ask where it had been between the vendor booth and the workstation.

If the drive carries malware (ransomware, a keylogger, firmware exploits, or a more advanced payload), the company’s perimeter defenses do not see it. The firewall never had a chance. Endpoint detection might catch a known signature after the fact, but by then the malicious code is already executing.

Why traditional defenses miss this

Firewalls inspect network traffic. USB drives bypass the network entirely.

Endpoint protection inspects files after they are written to disk. By the time that scan completes, malware that targets the boot process, the operating system, or human-interface emulation may have already done its work.

Email filters are similar. We invest heavily in scanning attachments, blocking suspicious links, sandboxing payloads. But the same level of scrutiny rarely applies to a physical device that an employee carries through the lobby, past reception, and onto the LAN.

The asymmetry is the problem. Removable media has less security screening than email attachments in most organizations.

What a USB scan station actually does

A USB scanning station is a physical checkpoint for portable media. The architecture is straightforward:

– Two physically separate USB ports. One accepts the untrusted drive. The other accepts a clean, company-approved drive.

– Multiple antivirus engines scan files in parallel, combining signature, heuristic, and behavioral analysis.

– Content Disarm and Reconstruction (CDR) rebuilds documents from scratch, stripping macros, embedded scripts, and hidden payloads. What comes out is functionally identical to what went in, minus any hidden code.

– All scans, blocked files, and clean transfers are logged. Auditors can trace exactly what came in, what was rejected, and what reached the network.

The untrusted drive never touches the destination network. Only sanitized files written to a clean drive cross the boundary.
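
The checkpoint flow described above, as an added Python example that is not the vendor's code: two stand-in engines (hypothetical, in place of commercial antivirus engines) run in parallel, any hit blocks the file, only unflagged files are written to the clean side, and every decision is logged with a SHA-256. CDR is not modelled; the directory layout and sample files are constructed.

```python
import hashlib, io, json, tempfile, zipfile
from concurrent.futures import ThreadPoolExecutor
from pathlib import Path

def engine_exec_magic(data: bytes) -> bool:
    """Stand-in engine (hypothetical): flag PE and ELF executables by magic bytes."""
    return data[:2] == b"MZ" or data[:4] == b"\x7fELF"

def engine_ooxml_macro(data: bytes) -> bool:
    """Stand-in engine (hypothetical): flag ZIP-based Office files with a VBA project."""
    if data[:4] != b"PK\x03\x04":
        return False
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            return any(n.lower().endswith("vbaproject.bin") for n in z.namelist())
    except zipfile.BadZipFile:
        return True  # archive that cannot be parsed: fail closed

ENGINES = {"exec_magic": engine_exec_magic, "ooxml_macro": engine_ooxml_macro}

def transfer(untrusted: Path, clean: Path, audit_log: Path) -> list[dict]:
    """Write a file to the clean drive only if no engine flags it; log every decision."""
    records = []
    with ThreadPoolExecutor() as pool, audit_log.open("a") as log:
        for src in sorted(p for p in untrusted.rglob("*") if p.is_file() and not p.is_symlink()):
            data = src.read_bytes()
            futures = {name: pool.submit(fn, data) for name, fn in ENGINES.items()}
            hits = sorted(name for name, f in futures.items() if f.result())
            rec = {"file": src.relative_to(untrusted).as_posix(), "flagged_by": hits,
                   "sha256": hashlib.sha256(data).hexdigest(),
                   "action": "blocked" if hits else "transferred"}
            if not hits:
                dst = clean / rec["file"]
                dst.parent.mkdir(parents=True, exist_ok=True)
                dst.write_bytes(data)  # write the bytes that were scanned, not a re-read
            log.write(json.dumps(rec) + "\n")
            records.append(rec)
    return records

def demo() -> tuple[list[dict], list[str]]:
    """Constructed sample media: a text file, a PE stub and a macro-bearing .docm."""
    root = Path(tempfile.mkdtemp())
    src, dst = root / "untrusted", root / "clean"
    src.mkdir(); dst.mkdir()
    (src / "specs.txt").write_text("product specifications")
    (src / "setup.exe").write_bytes(b"MZ" + b"\x00" * 64)
    with zipfile.ZipFile(src / "slides.docm", "w") as z:
        z.writestr("word/vbaProject.bin", b"constructed")
    return transfer(src, dst, root / "audit.jsonl"), sorted(p.name for p in dst.iterdir())

if __name__ == "__main__": print(demo())
```

The audit log is append-only JSON lines, one record per file, so a blocked file leaves the same evidence trail as a transferred one.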

Compliance is catching up

NIS2 Article 21 requires documented risk management for essential and important entities across 18 sectors. Removable media falls squarely within scope. The Swedish Security Protection Act applies similar reasoning to organizations handling classified information.

A written USB policy is no longer enough. Regulators expect to see a documented, auditable process: how is media inspected, what gets blocked, what gets through, who is accountable. A USB scanning station provides that evidence by design.

The cost equation

For the cost of recovering from a single ransomware incident, an organization can deploy enough scanning stations to cover every entry point for years. It is one of the lowest-effort, highest-impact controls available, particularly for environments that already operate with strong network and endpoint defenses elsewhere.

Next steps

The link22 USB Scan Solution is engineered in Sweden, built on commercial off-the-shelf hardware, and designed for organizations under NIS2, the Swedish Security Protection Act, and equivalent regulations across the EU.

Watch the 3-minute product walkthrough on YouTube, or request a technical briefing to see how it integrates into your existing security infrastructure.

Marcus Ekbäck - Business Area Manager CDS
