Last week we gave an overview of the cost of knowledge and IP theft as well as the cost of security breaches. We centered on the preparation for IP protection and security measures. According to Accenture, the average annual cost of cybercrime for a US corporation in 2018 was over $27mm (see chart below). For a German corporation this number is over $13mm. If it seems high, consider that Accenture claims that the average corporation suffered 145 security breaches in 2018 (though many are caught by security measures that are in place). Imagine the costs if no measures were in place – hard to fathom! Because Additive Manufacturing (AM) enables a mostly digital supply chain, it is highly susceptible to security vulnerabilities. A weakness in one part of the corporation may enable access to the rest of the company’s digital assets and network – an even bigger headache. So, what prevention and mitigation steps can we take? That’s what this part 2 is all about.
Prevention to be Secure
Of course the best way to minimize breaches and vulnerabilities is to address vulnerabilities, secure the supply chain and workflow, and prevent breaches from happening in the first place. Prevention has many dimensions to address in order to be effective. First and foremost, we have to prevent theft – even if somehow a digital asset makes its way to an outsider, it should be useless to them. This is important because access control is never foolproof – there is no such thing as Fort Knox in the digital world. Similarly, no protection is air-tight, but if you make it hard enough to get to the real data, that is enough to deter hacks as they become prohibitively expensive. Often the motive behind the theft is financial, so if obtaining the asset costs more than it is worth, your security lane has done its job.
Second, we have to prevent changes to the correct, approved, and sometimes certified digital asset. If an attacker can change a file for a part, the harm to the corporation’s reputation can be enormous. Researchers in Israel, Alabama, and Singapore collaborated on just such a project: they managed to change a drone spare part so that the change is not detectable to the eye and causes the drone to fail high up (not immediately), causing maximum damage. They called it dr0wned – a cyber-physical attack. For a certified part it is enough if a hacker manages to create a deviation from the certification – finding one such part (certified on paper but not actually made as certified) may be enough to trigger recalls, which are extremely costly and have in the past cost CEOs their jobs. A security lane, as LEO Lane offers, is even more important in these cases to enforce correct manufacturing and prevent tampering. Part of tracking certification compliance in real time is interfacing with 3D printers through their APIs, so 3D printer manufacturers carry an important responsibility here: letting partners access those APIs matters for remote work, but also for security.
Another prevention challenge is controlling who can handle and who can print a given 3D printable digital asset. Companies should be able to indicate, for every secured digital asset, whether it can only be handled by the internal organization or also outside it, and by whom. This means specifying service providers that have been vetted, but also which models of 3D printers or even which specific 3D printers (especially in the case of certification) are allowed to produce the item. Again, it is important to enforce this even if the asset itself (the file) somehow ends up outside the organization – a good security lane should be able to address this seamlessly for the organization and unambiguously for any unauthorized person. This is true of the entire workflow and of workflow management. A lot has been written about the Octoprint hack in 2018 – it was enabled because people didn’t pay attention to security, not because of a fault in Octoprint, and it was easy to remedy if one bothered to secure it. This falls under the preparation column (see part 1).
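The two prevention goals just described, keeping an approved file from being altered and restricting which organizations and which printers may produce it, can be enforced by one gate in the print workflow. The example below is added here and is not LEO Lane's code or product; it binds the SHA-256 digest of a constructed one-triangle binary STL to a handling policy in a manifest, authenticates the manifest, and refuses to print when the file was modified after approval (a vertex nudged by a fraction of a unit, the kind of change dr0wned relied on), when the policy that travels with the file was loosened, or when the requesting organization, printer model or printer serial is not on the approved list. The HMAC with a shared approval key is an assumption so the block runs offline; a deployed system would use an asymmetric signature from the approving organization so that printers and service providers only ever hold a verification key. Every org, model and serial value is constructed.

```python
"""Added example (not LEO Lane's code): a 'print gate' that binds an approved
3D-printable asset to its handling policy and refuses to print anything that
has been altered or is requested by an org or printer not on the list.
HMAC with a shared approval key is an assumption used so this runs offline; a
deployed system would use an asymmetric signature from the approving org."""
import hashlib
import hmac
import json
import struct

# ---- constructed sample asset: a one-triangle binary STL ----------------
def make_binary_stl(triangles):
    """Binary STL: 80-byte header, uint32 count, then 50 bytes per triangle."""
    out = b"constructed sample part".ljust(80, b"\0") + struct.pack("<I", len(triangles))
    for normal, v1, v2, v3 in triangles:
        out += struct.pack("<12fH", *normal, *v1, *v2, *v3, 0)
    return out

SAMPLE_STL = make_binary_stl([((0, 0, 1), (0, 0, 0), (1, 0, 0), (0, 1, 0))])

def shift_vertex(stl_bytes, tri, vert, axis, delta):
    """Move one vertex coordinate: a change invisible to the eye, as in dr0wned."""
    buf = bytearray(stl_bytes)
    off = 84 + tri * 50 + 12 + vert * 12 + axis * 4  # skip header, count, normal
    (val,) = struct.unpack_from("<f", buf, off)
    struct.pack_into("<f", buf, off, val + delta)
    return bytes(buf)

# ---- approval manifest: digest + policy, authenticated together ----------
APPROVAL_KEY = b"constructed-approval-key"  # assumption: held only by the approving org

POLICY = {  # constructed policy for a hypothetical part
    "asset_id": "EXAMPLE-PART-001",
    "allowed_orgs": ["example-oem", "vetted-provider-a"],
    "allowed_printer_models": ["ExamplePrinter-X"],
    "allowed_printer_serials": ["SN-0001", "SN-0002"],  # empty list = any unit of the model
}

def _canonical(manifest):
    # Deterministic encoding so signer and verifier hash identical bytes.
    return json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()

def sign_manifest(asset_bytes, policy, key):
    manifest = {"sha256": hashlib.sha256(asset_bytes).hexdigest(), "policy": policy}
    return {"manifest": manifest,
            "tag": hmac.new(key, _canonical(manifest), hashlib.sha256).hexdigest()}

def authorize_print(signed, asset_bytes, key, req):
    """Return (allowed, reason). Order matters: authenticate the manifest
    before trusting anything in it, then check the file, then the requester."""
    expected = hmac.new(key, _canonical(signed["manifest"]), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, signed["tag"]):
        return False, "manifest signature invalid: digest or policy was altered"
    m = signed["manifest"]
    if not hmac.compare_digest(hashlib.sha256(asset_bytes).hexdigest(), m["sha256"]):
        return False, "asset digest mismatch: file modified after approval"
    p = m["policy"]
    if req["org"] not in p["allowed_orgs"]:
        return False, f"org {req['org']} may not handle {p['asset_id']}"
    if req["printer_model"] not in p["allowed_printer_models"]:
        return False, f"printer model {req['printer_model']} not approved"
    if p["allowed_printer_serials"] and req["printer_serial"] not in p["allowed_printer_serials"]:
        return False, f"printer serial {req['printer_serial']} not approved"
    return True, "approved"

def run_demo():
    """Exercise the gate with an approved request and three failure modes."""
    signed = sign_manifest(SAMPLE_STL, POLICY, APPROVAL_KEY)
    good = {"org": "vetted-provider-a", "printer_model": "ExamplePrinter-X", "printer_serial": "SN-0002"}
    results = {"approved": authorize_print(signed, SAMPLE_STL, APPROVAL_KEY, good)}
    # 1. one vertex nudged by 0.05 units after approval
    results["tampered_file"] = authorize_print(
        signed, shift_vertex(SAMPLE_STL, 0, 1, 0, 0.05), APPROVAL_KEY, good)
    # 2. an outsider adds their own org to the policy that travels with the file
    loosened = json.loads(json.dumps(signed))
    loosened["manifest"]["policy"]["allowed_orgs"].append("unvetted-shop")
    results["tampered_policy"] = authorize_print(
        loosened, SAMPLE_STL, APPROVAL_KEY, dict(good, org="unvetted-shop"))
    # 3. right org and model, but a printer unit not on the certified list
    results["wrong_printer"] = authorize_print(
        signed, SAMPLE_STL, APPROVAL_KEY, dict(good, printer_serial="SN-9999"))
    return results

if __name__ == "__main__":
    for name, (ok, why) in run_demo().items():
        print(f"{name:16} {'ALLOW' if ok else 'DENY '} {why}")
```

The gate is only as good as where it runs: the check has to sit in the slicer or on the printer side, reached through the printer API the post mentions, otherwise a copied file can simply be sent to a printer that never asks. It also covers integrity and authorization, not confidentiality; making the file itself useless to an outsider, as the first prevention goal requires, still needs the asset encrypted at rest with keys released only after this gate passes.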
Mitigate and Repeat
Avoiding any kind of theft or attack is the best possible outcome, and if we prepare and prevent with excellent solutions this is possible (though not at 100% – remember, there is no Fort Knox, just a defense that is very hard to hack). If, however, the measures taken were insufficient (using weak solutions or solutions that don’t cover the entire process, for example), failures are possible: something will seem off, or your IP shows up on some free sharing site like Thingiverse. What to do? First and foremost, try to contain the problem – it is very hard to contain after it is on a sharing site (as people have downloaded it and may post it elsewhere without knowing that it’s stolen), but if it isn’t (yet?) and you’ve put some security measures in place, you may be able to disable the asset altogether, if your solution allows for that.
In these situations, you also need to see if there is a wider breach – for that you need an incident response (IR) company (again, my go-to would be Sygnia, they’re amazing). Any IR company worth its salt will follow the handling of the incident with suggestions for tightening up your security to avoid future problems (they call this posture). However, many IR companies still do not consider AM in their assessment, so it’s important to actively let them know you are using additive manufacturing and digital inventories and how you’re securing those.
When all is said and done, companies adapt their preparation and prevention to ensure a secure corporate network and secure data and IP. They do this to avoid ever being in a compromised situation. Our security experts at LEO Lane know a thing or two about this – if there are any questions, you can email them to us (info at leolane.com) and mention this post; we’re happy to share our knowledge whenever possible.
For more insights and information follow us on LinkedIn or subscribe to our newsletter for weekly updates. Pictures from top to bottom: 3D printed Cryptex on Instructables; Chart from Accenture; 3D printed Stealth Key by Urban Alps; 3D printed key that claims to bump any lock.