In a 3D-printing supply chain, the assets that are most valuable are also the most vulnerable: Unless they’re properly protected, digital designs and intellectual property will be easy prey for hackers. Illustration by Jordon Cheung
Earlier this year, Queen Nefertiti returned to Egypt after spending more than a century in Germany. Her ancient, iconic bust, which German archaeologists discovered in 1912, has been on display in Berlin’s Neues Museum ever since.
Two German artists, however, decided the bust belonged back in Egypt. They managed to covertly scan the statue and create a 3D computer-aided design (CAD) file, which they plan to exhibit in Cairo. They also uploaded the file online, so that anyone with an internet connection can torrent the file to study or 3D-print their own copies of the priceless original.
This is a wonderful example of how a transformative new technology can be put to interesting and purposeful uses even by non-experts. But it also demonstrates the disruptive force of 3D printing, and some of the people who see that potential will likely have more ominous plans than those two artists.
Additive manufacturing—the creation of a 3D object by layering 2D cross-sections of material—has already allowed a wide range of companies to create, customize, and produce everything from jewelry, auto parts, and construction materials to prescription drugs, prosthetics, and even food. If you can get the file, you can make it. As a result, the digital blueprints for such products are magnets for hackers. There are plenty of innocent and important ways 3D printing can be used, but experts say that even those who seek to take advantage of it with the best of motives could be in trouble if they fail to pay serious attention to cybersecurity. For all the inventors and innovations 3D printing has inspired and will inspire, its appeal is also its danger.
“Eventually, anyone will be able to make almost everything,” wrote John Hornick of the Finnegan IP law firm in Intellectual Property Watch. “No one else will know they made it or be able to control it, which I call 3D printing away from control.”
Industry expert Cindy Slubowski, Zurich North America’s vice president of manufacturing, likens 3D printing’s effects on society and commerce to that of the 20th century’s assembly lines. “The question for most manufacturers today is not when to adopt 3D printing but how fast they can move to capitalize on its efficiencies and understand the risks,” Slubowski said in an article earlier this month.
Already making headway in an increasing number of industries, with simplified versions becoming increasingly available, 3D-printer shipments, according to Gartner, will more than double every year between 2016 and 2019, by which time worldwide shipments are expected to reach more than 5.6 million units. But as 3D printing becomes a bigger part of the manufacturing market, the implications for that market’s security are increasing as well. The connectivity of the entire 3D-printing process, from design to manufacturing, makes it much easier for criminals with the right set of technical skills to invade and take advantage of the supply chain.
Counterfeiters have a lot to gain from 3D printing: Not only can they steal the design files to create cheap knock-offs (saving them R&D and material costs), they can also create their own 3D-printable design files from pre-existing objects, just as the German artists did with the bust of Nefertiti.
Since assets in a 3D-printing supply chain are largely digital—software, design files, blueprints, and so on—they’re more vulnerable in some ways than if they were physical. Hackers can do more than just steal: They can intentionally sabotage the designs of 3D-printed objects, whether in the interest of profit, sabotage, or simple mayhem. “Somebody could very easily get in, change that blueprint, and then all of the sudden, you're manufacturing something, and you have just created risk you probably didn’t realize you would encounter,” Slubowski says.
Last year, for example, the U.S. Food and Drug Administration began approving 3D-printed prescription drugs. Slubowski notes that if hackers change a drug’s blueprint by even a milligram, the effects could have devastating health consequences: “If nobody touches that [altered design], we now have millions of false prescription drugs out there that are affecting people.”
Even national security is at risk. A 2014 Defense One article said that the Department of Defense and major contractors, such as General Electric and Lockheed Martin, have begun using 3D printing to produce parts for the military. But the Department of Defense is no stranger to cybercrime. One 2013 report reported that the agency and its contractors “have sustained staggering losses of system design information incorporating years of combat knowledge and experience.”
The Washington Post obtained the confidential version of the report, which listed designs for the PAC-3 missile system, the F/A-18 fighter jet, and the Black Hawk helicopter—among other defense systems—as having been digitally compromised. Boeing is already using 3D printing to create more than 20,000 non-metallic parts, 150 of which are made for the F/A-18. Anyone gaining access to Boeing’s blueprints would gain a deep knowledge of the makeup, capabilities, and vulnerabilities of weapons that multiple countries use in their military forces.
Despite its enormous impact on industries and products, 3D printing as yet has no reliable guidelines or a uniform body of legal opinion to govern its use. According to Slubowski, defective 3D-printed products that were modified by hackers expose companies to legal liability even if the item that fails is a counterfeit—simply “because they didn’t have the appropriate protocols in place to protect that information or check that information to make sure it was not modified.
“The reality is that none of this technology has seen a lawsuit—none of it has been tested in the courts,” Slubowski adds. “Until something like that happens, we don’t have a precedent.”
The promise of 3D printing is that everyone will eventually be able to make just about anything. The threat is that cybersecurity will not be of sufficiently urgent concern, especially to startups and small-business players.
Nevertheless, Slubowski advises companies that are looking to grab a piece of the $11 billion 3D-printing market that they must protect themselves from cybercrime by implementing robust counterfeit-detection measures, by establishing vigilant internal security policies, and by rigorously enforcing them. Otherwise the next 3D-printing hack may be targeting something even more valuable than the bust of a queen.
The information in this publication was compiled from sources believed to be reliable for informational purposes only. Any and all information contained herein is not intended to constitute advice (particularly not legal advice). Accordingly, persons requiring advice should consult independent advisors when developing programs and policies. Zurich North America assumes no liability in connection with this publication, including any information, methods or safety suggestions contained herein. Zurich North America undertakes no obligation to publicly update or revise any of this information, whether to reflect new information, future developments, events or circumstances or otherwise. The subject matter of this publication is not tied to any specific insurance product nor will adopting these policies and procedures ensure coverage under any insurance policy.
©2016 Zurich American Insurance Company