Inviting the Trojan Horse in Through Your Shipping Bay Doors

A guest post by Ralph Resnick, President and Executive Director, National Center for Defense Manufacturing and Machining (NCDMM) and Founding Director of America Makes looks at cyber security risk in manufacturing.

With increased shop floor connectivity, Manufacturing 4.0 and the introduction of Chinese industrial Additive Manufacturing systems coming to the US market, what should we really be preparing for?

Cyber security risk in manufacturing – the risk of being hacked – is growing. In fact, reports show that in recent years more US manufacturers are getting targeted by cyber threats than energy companies who have traditionally been primary targets. The recent trend to increase connectivity on the shop floor, between supply chains and the use of ‘smart’ tools and mobile applications to drive productivity and growth only increase and accelerate the possibility of those risks. And yet, manufacturers in general are not well-prepared to deal with them and many industrial environments were not designed with cybersecurity in mind – after all, manufacturing was not a target, right?

Indeed, on the surface it would seem that the leading motive for cyber attacks on manufacturers is still financial theft at 45% in a survey by Deloitte, but IP theft was identified as the primary motive in 35% of the survey responses and attacks have doubled in the last few years. And while financial hacking is popular with organized criminals, IP theft is much likelier to be sponsored by a foreign state or competitors.

Malicious theft of product IP has been well documented in recent years, especially in the US military community, including the theft and use of designs for advanced weapons systems such as the F-35 Joint Strike Fighter, Patriot Missile System and the UH-60 Black Hawk helicopter, to name but a few, by China alone.  

F-35 Lightning II instructor pilots conduct aerial refueling.
F-35 Lightning II instructor pilots conduct aerial refueling.

With the increase in connected shop floors, the integration of cyber (digital) tools with physical machinery (Internet of Things or IoT) that threat now has potential far beyond simply IP theft.

Understanding the cyber-physical threat

‘Cyber-Physical Systems’ – those that rely on integrated digital and physical systems on the shop floor – have potential for quite insidious harm if unprotected. Integrated Control Systems (ICSs) are increasingly in use and are driving significant productivity and efficiency rates in American manufacturing. Additive Manufacturing (AM) systems are, by nature, quintessential cyber-physical machines –they operate using a direct link between digital design data and the part being produced – and thus need the same, if not more, scrutiny as other manufacturing systems to ensure a secure production floor.

So why does AM perhaps need more scrutiny? Going forward malicious attacks might not be just focused on financial or IP theft, which is a high concern, but also on disrupting manufacturing operations, design integrity and public safety. The very nature of AM, with its unique digital workflow, can make it even more vulnerable to malicious attack. What if those turbine blades being produced in an AM system had hidden flaws and voids introduced during production that would pass external inspection but cause part failure during flight? Or if a part was secretly scaled in one axis to affect the tensile strength of the part?

So how could this be done? The Georgetown Journal identified 3 classifications of cyber-physical vulnerabilities that have been exploited in the past. They are: Software-based, Insider Threat and Hardware Vulnerabilities. Software-based vulnerabilities can extend along hardcoded passwords embedded in the code known as ‘backdoors’, Remote Code Execution which can be exploited in software such as web browsers, Java applications and others, and also insecure protocols might be in place that enable hijacking of communication channels. Hardware vulnerabilities can be brought in through imported hardware that have malware loaded on them. And exploitation of employees can cause malicious worms and viruses to be introduced into the AM system.

drOWned project drone model interception Image via: Yuval Elovici
Proof of concept drOWned project demonstrated drone model interception Image via: Yuval Elovici

These are not just hypothetical threats: famous incidents are recorded. In 2009 StuxNet was a worm that took over Iranian nuclear centrifuges, causing them to fail but in a way that gave no warning to operators that operations were going awry. In 2013 scanner products imported from China to the US were preloaded with the Zombie Zero malware that was designed to target shipping operations and robotics manufacturers and steal financial and shipping information.

Threat of theft and fake products

The theft of STL files can also give way to the rise of fake products that, while they look the same, may have critical flaws that can affect product safety. And if the chemical composition of printer materials is compromised that could give rise to uncertified and untested materials being used in critical applications.

The risk to known and established additive manufacturing systems is evident: through internal inadvertent actions that introduce a virus, an operation could be compromised. But it pales in comparison to the risk posed by foreign-made systems that could be delivered with in-built malware and backdoors. Once that is in place, malicious hackers could easily steal IP, sabotage part builds, part data, switch off lasers during layer creation or interfere and occupy communications and networks. Access through a network to a company’s PLM system could result not only in IP theft but sabotage of the ‘digital twin’ file used for inspection comparison meaning that even QA checks are affected.

There are a number of steps that manufacturers can, and really have to, take to mitigate and protect all their manufacturing systems including vulnerability testing, air-gapping between systems, automated 25/7 threat monitoring and education of key employees. US Additive Manufacturing OEMs are also working on in-process monitoring solutions for their systems that are tuned to identify and prevent critical flaws in the production process that can happen inadvertently or via sabotage. The National Defense Industrial Association (NDIA), for which I was chairman of its manufacturing division until recently, has produced excellent research that identifies how cyber standards can be applied even for smaller defense manufacturing companies , and the guidelines being created can be easily resourced.

American AM OEMs also work closely with many research labs to work to ensure that systems are certified and validated, and are also working towards chemical ‘tagging’ of materials to prevent use of fake materials.

3D printed lock pick.
But thinking about where your AM systems come from and what risks are involved is therefore critical. DOD and military supply programs require a proven secure, reliable supply chain that is preferably US-sourced. Your customers will start to want written assurances of your security measures to prevent compromise of their IP and may demand knowledge of what foreign-made systems are on your shop floor. You might have to check in with your service bureau to establish what machines they have installed and what security measures are in place so you know whether your data and IP is secure. It comes down to the fact that while foreign-made industrial AM machines might be priced attractively, can you really afford the consequences of making the wrong decision?

This is a guest post by Ralph Resnick, President and Executive Director, National Center for Defense Manufacturing and Machining (NCDMM) and Founding Director of America Makes. For all the latest insights about the 3D printing industry, subscribe to our newsletter and follow our active social media channels.