Operational technology is rapidly becoming a target of ransomware operations due to the business impact of taking these essential systems down and how this pressure can lead to companies paying the criminals in order to restore operations. The manufacturing industry is making significant investments in AM hardware and materials (approximately $17B in 2021). The growth of capital in this technology will attract cyber criminals. This article examines the potential targeting approach that may be used by ransomware criminals to value a company’s assets, even those not on a network.

Suppose that a ransomware group decides that organizations who can afford 3D printing are good targets of ransomware due to the need to prepare print jobs through a Windows based engineer workstation. The group realizes that most CAD (computer aided design) capable computers are fairly expensive in addition to the expense of the additive manufacturing hardware. They can use open source intelligence (OSINT) gathering from a passive perspective. Once attackers gain access to your network, they can use the tools, etc. described in the following to enumerate these engineering workstations and the corresponding OT equipment, even those that are offline but rely on digital-thread dependent processes.

After some time, a phishing attempt goes through and access is gained to engineering workstations. Now they simply have to launch ransomware tools to encrypt the workstation, locking the end user from being able to use or recover their files. This is where a note is left with instructions on how to pay the group to unlock the computer, typically through a cryptocurrency transfer. The amount requested from a victim is a critical factor for achieving the ransomware group’s goals. If the amount is too high the victim will simply ignore the ransom and cut their losses. This is where a little homework post-phishing access and pre-encryption can pay off.
Some techniques to automate this asset research can be done using the command line to extract the pertinent information. First, the workstation itself is a valuable resource that needs to be taken into consideration when setting a ransomware value. In the example table above the Command MSInfo32 /report report.txt is used to get the make and model of the compromised AM Workstation.

Next up is researching OT resources. This is a little more difficult and requires more prep and background knowledge of the AM process. Many 3D printers lack network capabilities so one would think a remote attacker with zero physical access would struggle to determine what assets a manufacturer has. This is not the case. Running this hardware requires leaving “digital footprints” on the engineering workstation of these expensive, non-networked hardware items. One method to detect the OT hardware is to open and inspect the slicers, such as in the image below.

This method works but is time consuming and can be a step whereby the end user discovers the intrusion. A better solution is to again use the Command Line to gather this information for us in the background. A database containing the standard directories used by the most common slicing utilities and versions would be the best method to automate this task. The blind spot here is that non-networked assets do not have an instance number. For example, an AM operation could have 10 Taz Pro printers but only reflect one in the slicing utility / RoamingData.

The ability to detect and prevent this type of fact gathering intrusion extends a company’s security posture beyond protecting against ransomware. This post focuses on setting a monetary value for ransomware purposes but there are many other pivots an attacker could achieve with this information depending on their end goals. If they wanted to achieve destructive attacks on manufacturing they could use this information to create relevant attack strategies based on the available attack surface. If a machine is found to have G-code articulated stepper motor drivers those printers would be candidates for current overheating based attacks compared to machines that rely on trimpot physical adjustments. Knowledge stolen from the slicer configs also tells an attacker what firmware a device uses so they can research the developers and if open-source obtain a copy to maliciously modify for gaining persistence on a non-networked device. It will be easy to identify the transfer media (USB, SD card) based on the printer information to jump the “air-gap” to a resource that is supposed to be unreachable.

The impact of intellectual property theft in the prototyping / R&D phases where these AM assets are most leveraged is incredibly large. One of the best ways to protect or respond against this threat is to recognize that AM operations are at risk and the information to subvert these processes is widely available due to the reliance on open-source-software. This is amplified by the “insecure by design” equipment manufacturers tend to adopt as cybersecurity is not a topic in the development of physical manufacturing equipment. This leads to no native visibility into the environment from a security perspective. These facts fueled the development of BISON to gain the visibility needed to secure R&D / intellectual property during manufacturing stages.
If you are interested in learning more about securing AM or a demonstration of the BISON capability, please contact us at info@breakpoint-labs.com
Ref: Ginter, Andrew, and Greg Hale. “OT Security Incidents 2021 Trends and Analyses.” ICS STRIVE, 2022, pp. 4–4., Accessed 12 June 2022.