The world of industrial manufacturing is finally stepping into the future by capitalizing on the innovations of the 3D-printing revolution. The resulting field of this technological marriage between the manufacturing and 3D-printing industries—known as additive manufacturing—enables the on-demand fabrication of parts produced to the exact specifications of computer-aided design (CAD) or 3D models. From the larger-than-life creations of the auto and aerospace fields to the microscopic marvels of medical and electronic industries, the possibilities for innovation in the field of additive manufacturing are limitless.
If it sounds too good to be true, it is. All 3D printers contain computers, and all computers that are connected to a network are vulnerable. Connecting industrial manufacturing devices to the web may save time in sending and receiving instructions, but it also opens the door for several forms of malicious attacks. With additive manufacturing quickly becoming the standard in industrial manufacturing, securing all the internet-connected devices involved in production should be a priority rather than an afterthought.
Connecting 3D printers to the Internet is changing manufacturing
The concept is simple: feed a 3D printer custom instructions down to the most fine-tuned specifications, provide the physical inputs (any type of liquid, powder, or polymer), and the machine will print the part on demand. Layer by layer, the fabricating machine will process every zero and one it receives, fusing materials together with precision that not even the most trained human hand could have accomplished 20 years ago. Depending on the types of machines, you could print something as large as the wing of a plane or as small as the valve of a pacemaker, over and over, with robotic accuracy.
Thanks to recent innovations in open source software, instructions to any 3D printer theoretically can be sent via any web-connected device. You could sit in an office in California and control a fabricator in China, or oversee multiple third-party vendors from a central location. By controlling 3D printers and accessing their data remotely, manufacturers can benefit from lower production and transport costs, greater financial gain, faster production, and access to a more streamlined supply chain from trusted partners.
But even if every partner within an additive manufacturing collaboration trusts one another, communicating via the web creates opportunities for untrusted, malicious actors to interfere with production. The consequences can be dire, and can cost companies more than they stand to gain from these innovative new technologies if they are not careful.
Where new benefits exist, new security vulnerabilities also exist
Say a company is producing an airplane with a new kind of engine and calls on its trusted manufacturing partner to 3D-print a part for the engine. If even one component of the engine were not what it should be, the consequences would extend to the entire plane, not to mention the entire company.
In an ideal world with no bad actors, the company would send the specifications to the manufacturing partner, the partner would send them to its 3D printers, the printers would print the parts, and the parts would be delivered to the company along with data from the 3D printers confirming that each part was produced according to specification. In the real world, a bad actor has an opportunity to interfere at every stage of this process: intercepting the initial specifications before they reach the manufacturing partner in order to steal or alter them; tampering with the instructions sent within the manufacturing plant in any number of ways (incorrect dimensions, temperature, material, or any other variable); or interfering with the machine's readout so that it reports accuracy that was never actually achieved.
Fortunately, the vulnerabilities exposed in the additive manufacturing process can be addressed by applying computational cryptography, a mature discipline that has proven effective in securing systems run by both governments and businesses over the last twenty years.
We recommend using these four “disruptive defense” strategies to make sure your IIoT ecosystem is protected from the get-go:
1. Ensure confidentiality of sensitive information through data encryption
Whenever information travels from Point A to Point B, it is susceptible to interception. But if the data is encrypted, interception does not matter, because the attacker cannot recover its meaning. Using public key cryptography with standard encryption algorithms, combined with dedicated hardware to protect the private keys, lets you transmit data safely from Point A to Point B.
2. Ensure the authenticity and integrity of data exchanged between participants through the use of digital signatures
How do you know that Point A is actually Point A, and not Point H inserted by a hacker? A digital signature is computed by the sender with its private key and checked by the recipient with the matching public key; if an attacker changes even one bit of the message, or signs it with a different key, the signature will fail to validate. Thus digital signatures, which rest on the same public key cryptography as encryption, ensure that transactions are only completed by authorized parties—and no one else.
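The two properties above, confidentiality of the print instructions (item 1) and authenticity plus integrity of the message (item 2), can be demonstrated together in a few dozen lines. The following Go program is an added example written for this article, not code from any vendor or project it describes: the design owner (Point A) encrypts a constructed sample of print instructions with AES-256-GCM and signs the ciphertext with an Ed25519 private key; the manufacturing partner (Point B) verifies the signature against the owner's known public key before decrypting. The `PrintJob` envelope, the sample instruction string and the `Demo` driver are constructed for illustration, and the example assumes the 32-byte AES key has already been agreed between the parties and is held in protected hardware, as item 1 recommends.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// PrintJob is a constructed envelope for this example, not a real protocol format:
// the design owner (Point A) sends it to the manufacturing partner (Point B).
type PrintJob struct {
	Nonce      []byte // AES-GCM nonce, fresh for every message
	Ciphertext []byte // AES-256-GCM output, authentication tag included
	Signature  []byte // Ed25519 signature over Nonce || Ciphertext
}

// signedBytes returns the exact byte string the signature covers.
func signedBytes(nonce, ciphertext []byte) []byte {
	return append(append([]byte{}, nonce...), ciphertext...)
}

// Seal encrypts the print instructions under a 32-byte AES key shared with the
// partner (key agreement and hardware key protection are assumed, not shown)
// and signs the ciphertext with the sender's Ed25519 private key.
func Seal(instructions, aesKey []byte, signer ed25519.PrivateKey) (*PrintJob, error) {
	block, err := aes.NewCipher(aesKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	ciphertext := gcm.Seal(nil, nonce, instructions, nil)
	sig := ed25519.Sign(signer, signedBytes(nonce, ciphertext))
	return &PrintJob{Nonce: nonce, Ciphertext: ciphertext, Signature: sig}, nil
}

// Open checks the signature against the expected sender's public key before
// decrypting, so an altered or impostor message never reaches the printer.
func Open(job *PrintJob, aesKey []byte, senderPub ed25519.PublicKey) ([]byte, error) {
	if !ed25519.Verify(senderPub, signedBytes(job.Nonce, job.Ciphertext), job.Signature) {
		return nil, errors.New("signature invalid: not from the expected sender or altered in transit")
	}
	block, err := aes.NewCipher(aesKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, job.Nonce, job.Ciphertext, nil)
}

// Demo runs the exchange on constructed sample instructions and reports whether
// the honest delivery succeeds and whether two interference cases are rejected.
func Demo() (honestOK, tamperRejected, impostorRejected bool, err error) {
	// Constructed sample payload; real jobs would carry a CAD/G-code file.
	instructions := []byte("part=engine-bracket-7; layer_height=0.05mm; nozzle_temp=240C")

	aesKey := make([]byte, 32) // shared AES-256 key, assumed pre-agreed
	if _, err = rand.Read(aesKey); err != nil {
		return
	}
	senderPub, senderPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return
	}

	// Honest path: the partner recovers exactly what the design owner sent.
	job, err := Seal(instructions, aesKey, senderPriv)
	if err != nil {
		return
	}
	got, err := Open(job, aesKey, senderPub)
	if err != nil {
		return
	}
	honestOK = string(got) == string(instructions)

	// Interference case 1: one ciphertext byte changed in transit.
	tampered := *job
	tampered.Ciphertext = append([]byte{}, job.Ciphertext...)
	tampered.Ciphertext[0] ^= 0x01
	_, tErr := Open(&tampered, aesKey, senderPub)
	tamperRejected = tErr != nil

	// Interference case 2: a well-formed job signed by someone other than the owner.
	_, impostorPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return
	}
	forged, err := Seal(instructions, aesKey, impostorPriv)
	if err != nil {
		return
	}
	_, iErr := Open(forged, aesKey, senderPub)
	impostorRejected = iErr != nil
	return
}

func main() {
	h, t, i, err := Demo()
	fmt.Printf("honest=%v tamper_rejected=%v impostor_rejected=%v err=%v\n", h, t, i, err)
}
```

Two design points worth noting. The AES-GCM authentication tag would by itself detect the altered byte, but because the AES key is shared by both parties it cannot prove who produced the message; only the signature, made with a key that never leaves the owner, ties the job to Point A. And the recipient verifies before it decrypts, so a forged or modified job is discarded before any plaintext is processed, which is the behaviour a manufacturing partner wants in front of a printer.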
3. Ensure that protected data is accessible only to authorized entities
Maybe your data is protected while traveling from Point A to Point B, but unless everyone on location at Point B is authorized to access the data, you will want to take measures to ensure that only authorized individuals can reach it. This can be achieved by coupling strong authentication with appropriate access control settings in the application. The best strong authentication methods today are the FIDO (Fast Identity Online) protocols. In particular, the FIDO2 standard eliminates the internal vulnerabilities of “shared secret” authentication such as passwords: the user unlocks a locally held credential with, for example, a fingerprint, and no reusable secret is stored on the server where it could be stolen.
4. Ensure authorized entities have access to the protected data regardless of who encrypted it
Data protection can occur at five layers: application, network, database driver, database, operating system, and disk drive. Encryption and tokenization deployed at the application layer, combined with access through strong authentication and FIDO, will prevent upwards of 95% of attacks.
Additive manufacturing and IIoT may be the new wild west of industrial manufacturing, but by taking responsible security measures, companies can minimize dangerous surprises, instill confidence in their clients, and thus gain an edge over their competitors.