The digitalization of physical products through additive manufacturing (AM)--or 3-D printing--has been widely hailed for its ability to revolutionize the supply chain and create new parts and products that were previously impossible through traditional means. But something less welcoming might also be generated, and that’s the specter of a new class of cyber threats stemming from AM’s reliance on digital files and connectivity.
Organizations pursuing AM, therefore, should also consider layering in processes to help mitigate cyber threats. It’s a mission complicated by the fact that the vulnerabilities can lie like land mines along the entire supply chain, from the suppliers, owners and purchasers of AM systems to the distributors and purchasers of AM products.
Cyber Risks Unique to Additive Manufacturing
The data generated about an object during AM design and production forms a digital thread1, a strand of information that runs through the object’s lifespan from cradle to grave. At each step along the thread are cyber risks, including potential threats involving intellectual property, software, firmware, network, IT, design, printer/production and third-party supply chain areas.
For a deeper exploration of additive manufacturing and cyber risk, please join Deloitte's Kelly Marchese and Deborah Golden for a webinar, The Additive Cyber Risk of Additive Manufacturing: Six Steps Towards Greater Security in the Supply Chain, on Thursday, January 12. Register here to attend.
This reliance on digital data files--and the connectivity to transmit them--has numerous benefits for supply chain optimization. But if a file is stolen, hackers have access to the entire file in all of its intricacy, rather than a physical object manufactured via conventional means that requires reverse engineering to copy illegally.2 So with conventional manufacturing, those looking to steal or copy a design would need the means to produce it--knocking out the majority of would-be thieves. But with AM, possession of the design file and a printer makes it far easier to produce the stolen object. This can pose not only health and safety risks, but also brand and liability concerns should the devices fail or cause injury.3
With access to a full design file, hackers could also build in failure points in critical components that would affect any object printed from that file going forward. The ACAD/Medre.A worm, for example, steals CAD files, while another, CryptoLocker Malware, infects a file and locks it, rendering it inaccessible until the user pays a ransom to unencrypt it.4 In still other cases, toolpath files can be altered to impact placement of materials or layers during the build process, making a product unstable.
Taking Steps Toward AM Cybersecurity
As organizations seek to protect their AM systems and make sense of the vast array of guidelines and regulations that may impact their business, the path can seem daunting. But there are several steps manufacturers can take as they work to establish an AM cybersecurity shield:
- Conduct a thorough risk assessment: This can enable an organization to pinpoint the risks most pertinent to their particular AM scenario, as well as any additional threats that might come into play as they explore other AM applications. AM-specific applications of risk assessments can include examining the entirety of the digital thread, from scan/design to build and monitor, and from test and validate to deliver and manage.
- Adopt a “test once, satisfy many” approach, at least in the short term: As organizations await standards specific to AM, they can address the wide-ranging web of regulations currently in place by adopting NIST, CSF and RMF approaches to address some of the more immediate challenges within the digital thread.
- Protect the design from the start: During the initial scan/design stage, the design is vulnerable to outright theft, locking of the file to prevent its use, or corruption via introduction of malicious flaws.5 The current de facto standard file format for AM design files, STL, is a plain text file that currently has few provisions for preventing threats. Also, most design files are transferred to AM machines via USB drives, which may or may not be encrypted. Adopting an approach to protecting files from theft or tampering is an important part of an AM cybersecurity strategy.
Build protection into the print process: Leading practices are emerging in the area of tracking and tracing, including the use of RFID tags to track AM-produced products throughout the supply chain.6 Another promising development is the use of chemicals to apply unique identifiers to AM products. Further, a robust quality assurance methodology7 can help organizations detect toolpath alterations or other misplacements of materials among other structural adulterations.
Organizations can also consider putting measures in place to protect the machines themselves. AM printers do not typically limit and control who uses them, or what objects are printed. Until AM printer and file standards are developed to address those concerns, organizations using AM printers can adopt change management and change control workflows for printers and objects, including reviews and authorized approvals. AM organizations can model their approach to these workflows on those already in use for other technologies, such as Change Control Boards or Configuration Control Boards commonly used in software management. To ensure an AM printer only prints approved objects, the printer may be isolated on the network, with controls in place to make sure only approved designers can submit files directly to the printer.
- Pick your battles: Simply put, addressing every single challenge may not be feasible or cost effective. However, for manufacturers of particularly critical components in healthcare, automotive or federal applications, more stringent approaches are advisable. Organizations can, however, take a page from their approach to securing conventional manufacturing systems as they address concerns related to AM.
- Remember the most vulnerable asset--people: By conducting a stakeholder analysis, manufacturers can identify parties involved in their AM efforts, both throughout the digital thread and the supply chain. Manufacturers can then work to educate these stakeholders about the importance of cybersecurity and emphasize the risks and the importance of vigilance. Basic awareness-building and ongoing education can mitigate risks by encouraging individuals to exercise care and recognize the importance of using security systems.
The risks involved in adopting innovations like additive manufacturing can be tricky given that they can fall outside an organization’s existing risk process. But that shouldn’t dissuade organizations from considering the possible upside given the magnitude of what 3-D can do. In today’s business climate, the pace and significance of change has grown to a point where not innovating can sometimes be the greatest risk.
1 John Hagel III, John Seely Brown, Duleesha Kulasooriya, Craig Giffi and Mengmeng Chen, The future of manufacturing, Deloitte University Press, March 31, 2015, http://dupress.com/articles/future-of-manufacturing-industry/, December 13, 2015; Mark J. Cotteleer, Stuart Trouton, & Ed Dobner, 3D opportunity and the digital thread, Deloitte University Press, March 3, 2016, http://dupress.com/articles/3d-printing-digital-thread-in-manufacturing/.
2 Matt Widmer and Vikram Rajan, “3D opportunity for intellectual property risk: Additive manufacturing stakes its claim,” Deloitte University Press, January 21, 2016.
3 Matt Widmer and Vikram Rajan, “3D opportunity for intellectual property risk: Additive manufacturing stakes its claim,” Deloitte University Press, January 21, 2016.
4 L. D. Sturm, C. B. Williams, J. A. Camelio, J. White, R. Parker, “CYBER-PHYSICAL VUNERABILITIES IN ADDITIVE MANUFACTURING SYSTEMS,” Proceedings from the Solid Freeform Fabrication Symposium, 2014.
5 L. D. Sturm, C. B. Williams, J. A. Camelio, J. White, R. Parker, “CYBER-PHYSICAL VUNERABILITIES IN ADDITIVE MANUFACTURING SYSTEMS,” Proceedings from the Solid Freeform Fabrication Symposium, 2014.
6 Schneider, Tom and Apel, Emily and Brost, Peter and O'Leary, Jacqueline and Purtill, Michael and Street, Anita and Balazs, Michael and Costigan, Sean S. and Dean, Stephanie and Helal, Abrahem and Hopmeier, Michael and Re, Adam and Webster, Lynne C., 3D Printing: Perceptions, Risks, and Opportunities (November 4, 2014).
7 Ian Wing, Rob Gorham, and Brenna Sniderman, “3D Opportunity for Quality Assurance: Additive manufacturing clears the bar,” Deloitte University Press, November 18, 2015.
Deborah Golden, Principal, Deloitte &Touche LLP, and Kelly Marchese, Principal, Deloitte Consulting LLP