AM Botnet as a Vector for Energy Market Manipulation

Posted on August 21st, 2023

The Federal Energy Regulatory Commission (FERC) reported 16 potential market manipulation cases in 2018.  The 1990’s saw a restructuring of the electric grid in the USA with a shift from government owned infrastructure to privatized.  This introduced trading markets for electricity featuring a day-ahead market and a real-time market.  14 of the 16 suspected market manipulation cases were closed with no action. Not enough evidence / visibility was available to address the threat.  This lack of evidence combined with the fact that a 1% level of real-time demand can be naturally induced through a sporting event or concert creates an opportunity for attackers to go undetected. A short sale trade in the real-time market has massive profitability with as little as a 1% change in demand.  Existing research into high wattage botnets have focused on consumer synchronous on/off of high draw appliances such as EV chargers or HVAC equipment.  BreakPoint Labs has extended this research with a focus on additive manufacturing equipment being the vector for energy trading market manipulation.  Not only have we identified the threat but we have developed the necessary visibility to detect this type of attack.  An additive facility protected with BISON will be one of the few cases where a suspected energy market manipulation will be detectable.

The thermal history below was captured using a PID autotune Gcode.  This is a common maintenance command but should not be issued during normal or idle operations.  This can easily pop a fuse if multiple printers are on a circuit. 

Issued Command: M303 E-1 s110. The power consumption was monitored on our test printer. M303 PID Autotune Electrical Draw; Idle Wattage: 10 watts. High Point PID Autotune Wattage: 146

Above is a view from the BISON detection rule for the M303 Gcode.  This rule will alert to mass PID autotuning attempts that would indicate a high-wattage botnet might be in use.

Important Caveat: This testing was performed on a Lulzbot Taz SideKick 289, the smallest build envelope printer offered by this OEM.  The larger the build envelope the larger the electrical draw is.  It has been noted that the current X & Y dimensions on the larger format Lulzbot models are maxed out as a function of how efficient current silicone pad bed heaters are.  A larger build envelope would require the use of two 120V outlets to accommodate the larger bed heater demands or more efficient heaters.  There are FDM printers that require 240V power to heat the bed (the 3D Platform series as an example).  These large format printers still rely on the same Gcode language to change PID setpoints and have the same lack of even basic cybersecurity measures.  

It is common for industrial users of additive manufacturing to operate a fleet consisting of dozens of FDM printers and a handful of larger format machines.  Slant 3D has taken this to an extreme and based their manufacturing facility at an old train station primarily due to the amount of electric supply to the facility as the key fleet consideration.

At facilities like Slant 3D’s train maintenance facility, a 3000-5000 unit print farm, it’s not hard to imagine that an attacker would be able to hit the critical mass of high-wattage smart-devices required for a botnet to be able to impact energy trading markets.  We cannot allow attackers to profit from these market manipulations at the expense of increased electric bills for the end operators. A Georgia Tech study concluded that there would be a 7% increase for impacted devices.  The potential economic impact is massive.  In an attacker scenario where a market player (electric plant owner) operates the botnet, it is estimated up to $24 million extra profit.  In the case of nation state attackers it is estimated at $350 million in economic damages.  This attack happens while remaining within the forecasting error for these markets in order for the attackers to maintain stealth.

Do you operate connected high-wattage devices and are interested in securing them from botnet attacks?  If so, please contact us at to learn more about how BISON can secure your AM environment.


Georgia Tech BlackHat 2020