Cybersecurity risks in 3D printing
3D printing (i.e. additive manufacturing) is a $4 billion business set to quadruple by 2020.
Additive manufacturing builds a product from a computer assisted design (CAD) file sent by the designer. The manufacturing software deconstructs the design into slices and orients the printer head. The printer then applies material in ultra-thin layers.
One day, manufacturers may print everything from cars to medicines, disrupting centuries-old production practices. The Federal Aviation Administration recently certified the first 3D-printed part for GE commercial jet engines, and companies like Ford Motor Company are using AM to build products and prototypes.
But the new technology poses some of the same dangers unearthed in the electronics industry, where trusted, partially trusted, and untrusted parties are part of a global supply chain, a team of cybersecurity and materials engineers at the NYU Tandon School of Engineering has pointed out.
What could go wrong?
The researchers examined two aspects of 3D printing that have cybersecurity implications: printing orientation and insertion of fine defects.
“These are possible foci for attacks that could have devastating impact on users of the end product, and economic impact in the form of recalls and lawsuits,” said Nikhil Gupta, noted materials researcher and an associate professor of mechanical engineering at the New York University Tandon School of Engineering.
The researchers reported that the orientation of the product during printing could make as much as a 25 percent difference in its strength. However, since CAD files do not give instructions for printer head orientation, malefactors could deliberately alter the process without detection.
Gupta explained that economic concerns also influence how a supplier prints a product. “Minus a clear directive from the design team, the best orientation for the printer is one that minimizes the use of material and maximizes the number of parts you can print in one operation,” he said.
When the researchers introduced sub-millimeter defects between printed layers, they found that the defects were undetectable by common industrial monitoring techniques, such as ultrasonic imaging, which do not require destruction of the sample. Over time, materials can weaken with exposure to fatigue conditions, heat, light, and humidity and become more susceptible to these small defects.
“With 3D printed components, such as metallic molds made for injection molding used in high temperature and pressure conditions, such defects may eventually cause failure,” Gupta said.
“With the growth of cloud-based and decentralized production environments, it is critical that all entities within the additive manufacturing supply chain be aware of the unique challenges presented to avoid significant risk to the reliability of the product,” noted Ramesh Karri, a professor of electrical and computer engineering at NYU who participated in the research, and who’s also a cybersecurity researcher known for improving the trustworthiness of the microchip supply chain.
He pointed out that an attacker could hack into a printer that is connected to Internet to introduce internal defects as the component is being printed. “New cybersecurity methods and tools are required to protect critical parts from such compromise,” he said.
The paper’s lead author Steven Eric Zeltmann, a graduate student in mechanical engineering, told Michael Kan that companies should disconnect their 3D printers from the Internet so that they can’t be compromised and manipulated by remote attackers.
Also, that manufacturers would do well to encrypt their design files in such a way that only their printers can decrypt them and use them.
It seems to me that setting up the printers to accept and produce items only from files that have been encrypted in a particular way or “signed” by the company might also be a good idea.
All these steps can protect the manufacturers’ intellectual property (design files) and the integrity of the printed components.