Posted on May 27th, 2022
It is often said that OT (operational technology) systems are incredibly fragile and even small changes to the environment can cause process disruptions. Simple network mapping can be enough to crash production. This is a reason why operational technology is more often than not outdated or unpatched. Even if a security team is aware of what vulnerabilities exist on the shop floor it does not mean they have the ability to fix the problem. The nearest scheduled down time for other maintenance might be the first window of opportunity to patch.
A practical example of this fragility in OT systems will be highlighted using a representative additive manufacturing (AM) machine and a commonly used solution to bring network connectivity and server print management to the AM device using a Raspberry Pi. In this scenario the cyber intruder does not have any knowledge of AM and simply stumbles upon this OT print server while performing other reconnaissance. Unfortunately, this lack of knowledge could lead to a fire hazard in the target’s environment due to the fragility of OT cyber-physical interactions. If the malicious attacker pulls various tools onto the Raspberry Pi to assist in their non-AM related goals the Pi will need to be rebooted. This introduces a physical safety concern depending on the physical construction of Z-Axis (up/down, height).
On our test system the Z-Axis is constructed with two belts, one per side and held and moved by stepper motors. The issue here is that with any momentum in the gantry (extruder and X-Axis that gets moved up as a job prints), a loss of power (depolarization) of the Z motors will crash the hot end assembly from its current height down into the print bed. This situation is extremely dangerous as the heated nozzle will be sunk into any material that has been deposited. The high temperature heating element is melted into a pile of combustible materials.
You might wonder what this has to do with a cyber intruder rebooting a Pi after downloading toolkits for furthering their network intrusion. The issue arises with how the printer responds to a loss and reestablishment of communication to the print server while interrupted mid print. The printer does shutdown in a safe state when the print server unexpectedly goes offline. The fire hazard is introduced when the communication is regained upon the reboot. During the boot process the Z motors slip causing a drop condition if the gantry was not homed to the magnetic holds at the top of the axis.
Departing from the scenario where a hacker accidentally intrudes into AM environments, we will explore this same cyber-physical interaction from a knowledgeable adversary perspective with direct intent to disrupt manufacturing and damage equipment. A Gcode command exists to depolarize specific stepper motors. This can be used to easily induce the aforementioned dual-belt-gantry-drop by abusing the shutdown procedures (end statements) in the slice engines. Instead of homing to the magnet hold at the upper most extend of the Z-axis the shutdown sequence can be altered to include an M18 at the end of every print job – ruining the final product in the best case, causing environmental destruction in the worst case if combined with max temperature commands in the shutdown sequence. Luckily it is easy to combat this if you have a machine that is constructed in this vulnerable state. It is possible to remove M18 from the dialect of acceptable Gcode commands the machine’s firmware is able to parse. Another Gcode command to consider removing that produces similar effects is M81 (turns PSU off).
The important takeaway is that AM equipment becomes a physical environment hazard from the intentional or unintentional actions of cyber intrusion. Luckily BISON provides AM operators an efficient way to collaborate and detect both of these intrusion methods. Event monitoring on engineering workstations and endpoint computing devices will detect the anomalous Pi logins and reboots while the Gcode Diff feature will detect Gcode commands inserted mid print as discussed in the second scenario that do not match original specification files. This will allow for more efficient troubleshooting and faster
recovery from malicious AM threats.
If you are interested in learning more about securing AM or a demonstration of the BISON capability, please contact us at firstname.lastname@example.org