Six steps to securing additive manufacturing

Imagine the national security implications of a foreign adversary introducing a design flaw into a jet, a weapon or component parts during the additive manufacturing (AM) process. Even the tiniest of changes, which might be nearly impossible to detect, could significantly affect the reliability of the end product -- potentially compromising the agency’s mission and jeopardizing the safety of military personnel.

Unfortunately, as anyone following the news knows, cyberattacks are on the rise, increasing both in number and sophistication. While AM technologies create significant opportunities for the Defense Department -- making it possible, for example, to manufacture replacement parts on site, on demand, in near-real time and even in combat zones without existing parts inventory -- those opportunities also could open the door to substantial risks.

In fact, as described in a recent report, AM’s reliance on digital files and connectivity make it a prime target for cyberattacks. The data generated during an object’s AM design and production forms a digital thread -- a strand of information that runs through the object’s lifespan from conception to production. At each step along the thread are cyber risks, including potential threats to intellectual property, software, firmware, networks, design files, printing and production and third-party supply chains.

Military leaders looking to embrace AM should understand how to mitigate those risks and take steps to get ahead of potential attackers. Navigating the complexities of securing AM technologies, however, can be daunting. As a starting point, we offer several steps agencies can consider as they work to establish a robust AM cybersecurity strategy:

1. Understand the federal regulatory framework. There are myriad regulatory bodies and regulations that impact AM cybersecurity, which will continue to evolve as the technology matures. 3D printers can be considered IT systems, and their use by the federal government is regulated by Federal Information Security Management Act and the policies supporting it, such as the National Institute of Standards and Technology Risk Management Framework and the associated authorization to operate certification.

The NIST Cybersecurity Framework, which applies to critical infrastructure, is also being considered for application to federal programs. In the defense environment, additional DOD-specific policies and requirements should also be weighed, including several focused on IT and acquisition policies. The Committee on National Security Systems policies should also be considered.

2. Conduct a thorough risk and threat assessment. One of the first steps any organization should take is to conduct a security risk and threat assessment. Often coordinated with multiple offices and agencies, these evaluations can help agencies pinpoint the risks most pertinent to their particular AM scenarios as well as any additional threats that might come into play as they explore other applications. This approach can also help to focus initial cybersecurity efforts on the highest risk areas and identify and prioritize the various points of vulnerability throughout the digital thread or digital supply network.

3. Protect the design from the start. The AM process -- and the flow of digital information -- begins at the scan/design phase. During this stage, the design is vulnerable to outright theft, so it is critical to lock the file to prevent its use or corruption via introduction of malicious flaws. Standards are just beginning to emerge for encrypting .STL files -- the current de facto standard file format for AM design. Organizations may also want to consider a data loss prevention strategy to help protect sensitive AM data from unintended, inappropriate or unauthorized use.

4. Build protection into the print process. Standards are also emerging to protect AM processes during the build process, including the use of radio frequency ID tags to track AM-produced products throughout the supply chain and the use of chemicals to apply unique identifiers to AM products. A robust quality-assurance methodology can also help agencies detect toolpath alterations, identify misplacement of materials and address other structural bugs. Higher assurance methods, such as blockchain technologies, are also emerging as a way to securely and transparently track assets.

5. Remember the most vulnerable asset -- people. The breadth of stakeholders involved in AM -- from agency leadership, program managers and purchasers of AM systems to materials suppliers and other vendors, not to mention printing facilities in different physical locations -- can create a host of cybersecurity vulnerabilities. By conducting a stakeholder analysis, agencies can identify parties involved in their AM efforts, both throughout the digital thread and the supply chain, and educate them about cybersecurity risks and best practices for protecting systems. Basic awareness building and ongoing education can go a long way toward mitigating security risks.

6. Don’t drop your guard. Awareness and planning are vital, but once a program is in place, it’s important to take steps to mitigate risks on an ongoing basis. Leverage advanced testing techniques -- including red teaming or ethical hacking -- to expose vulnerabilities and establish a baseline of normal behavior. Continuous monitoring will help ensure anomalous activity gets flagged in systems and networks, giving agencies an opportunity to respond and take steps to protect the network.

AM holds so much promise for the unique needs of the Defense Department, and addressing cyber risk is critical to realizing its benefits. While there is much work to be done in terms of identifying comprehensive and sustainable AM cyber risk practices and developing industry standards, these initial steps can go a long way toward understanding and addressing AM cybersecurity concerns in the present.