Imagine you’re 3D printing parts for a drone. A hacker uses a phishing attack to get access to the PC on which the design files of the drone’s propellor are stored. They download the file and modify the design, then replace the original with the manipulated file. The printed propellor looks normal to the naked eye – but cavities within the blades mean that they break under normal use, causing the drone to crash.
In collaboration with his partners from Israel and Singapore, this hypothetical scenario was demonstrated by Mark Yampolskiy, an Associate Professor at Auburn University, working in the field of Additive Manufacturing (AM) Security. Yampolskiy is working with the ASTM International AM Center of Excellence (CoE) to deliver vital training in cybersecurity for the AM community, with support from America Makes. At its core, the course aims to change the AM mindset:
“One of the challenges for the community is that they are really nice people. But in security, you need an adversarial mindset. You have to look at a situation from the perspective that you want to do harm. That’s absolutely alien to most engineers.”
Early applications of AM were limited to low-volume production, such as prototyping, due to the high costs of the technology. But as AM has evolved, innovations and a falling cost base have seen increasingly widespread adoption, and 3D printing of increasingly sophisticated products. Paul Bates, AM Lead Project Engineer at ASTM International, has witnessed this shift first-hand:
“I first started using AM at Reebok as a way of producing rapid prototypes – sample parts that were used for sales and marketing. So there were no requirements other than it had to look good. Now, we’re seeing AM used in safety-critical parts, for example in aircraft, or in sensitive industries like defense. That’s completely changed the security landscape.”
Big enough to be targets for attack, but dominated by SMEs who lack the resources to tackle threats alone, the sector has tended to neglect security issues, according to Bates. A survey sent to manufacturers and other stakeholders as part of developing the training showed that while nearly all respondents were aware of the issue, almost none had done anything to address it. Companies have been reluctant to talk about security incidents, for fear of reputational damage. But sharing this information will be crucial to helping the sector to reduce its vulnerability and become more resilient.
It’s here that the AM CoE can play a vital role. With a mission to accelerate standards development, the Center takes a strategic approach to identify what’s needed for the industry to advance to the next level. As well as coordinating and funding research to close standards gaps, it is building partnerships and programs to help create the collaborative ecosystem and skilled workforce needed for the industry to thrive. The planned cybersecurity training is just one part of a continuously developing training, qualification and certification program.
Those who attend are likely to find it eye-opening. From sabotage to technical data theft, production of illegal goods and even covert communications, the nature and mode of potential attacks are highly complex, and constantly evolving. In turn, defenses against them go way beyond firewalls and virus protection.
Participants in the two-day course will learn about the different types of threat, and the different options available to counter them. That might be detecting and preventing sabotage attacks through integrity checks of software or design files, or using physical information from the manufacturing process to identify if something is going wrong – for example through acoustic examinations or monitoring power consumption. The training will also explore common misconceptions – including the idea that implementing cybersecurity measures will achieve total protection. Yampolskiy explains:
“People think that if they implement cybersecurity, all the problems will be solved. But nothing can offer 100% protection. Counter-measures are there to make it harder for an attacker to be successful. We want to harden our systems so that attackers have to spend an enormous amount of money and time to achieve their objective. So maybe they will say ‘ok, I’ll just look for an easier target’.”
With the training set to run from Spring 2022, the team hope to equip engineers across the AM community with the knowledge and skills to tackle cybersecurity threats. But they believe the scale of the change needed means understanding of the fundamentals must extend well beyond the factory floor.
“We need decision-makers to understand the value of cybersecurity,” says Bates. “If leaders aren’t aware, they won’t be making the right investment, and that will make it impossible for operators tackling the problem on the ground to be effective.”
It’s why they’ve designed a half-day executive version of the course, which will be offered alongside the full technical training.
Bates and Yampolskiy hope that the training will prompt conversation and encourage more information-sharing across the sector, helping the whole AM community to better recognize and counter cyberthreats. By collaborating to develop shared approaches to protection, and disseminating these through training, the industry may be able to overcome remaining barriers to growth in safety-critical and sensitive industries, and continue to accelerate its adoption around the world.