Defense companies that manufacture parts with three-dimensional printers using metal powders might want to heed forthcoming government-issued standards for preventing hacks.
Not only can attackers steal proprietary designs by breaching the machines’ data files – but they can also cause physical damage to production plants and employees.
"A compromise may affect the confidentiality, integrity or availability of both the device and the information it processes," state National Institute of Standards and Technology draft guidelines for avoiding 3-D printer breaches.
Military contractors increasingly are using the machines to mass-produce components for weapons systems, vehicles and other hardware to save time and money. 3-D printing, also called additive manufacturing, creates solid objects by layering thin sheets of material following the instructions of a digital computer file.
Simply frying the printer also is a possibility with data compromises. Hackers can infiltrate networks powering a printer or corrupt the machine’s hard drive to create "a potentially hazardous situation" if configuration settings are altered to allow the device to overheat, according to NIST.
3-D Printer Explosions a Real Threat
3-D printer explosions are not notional. The Occupational Safety and Health Administration in May fined Massachusetts-based printing outfit Powderpart $64,000 after a blast inflicted third-degree burns on a company employee. Powderpart failed to contain known sources of potential ignition, such as titanium and aluminum alloys, before the November 2013 incident, OSHA determined.
“The issue with powders is -- because they are so fine -- they could become volatile depending on the chemical composition,” said PMC Group President Michael Chipley, a specialist in cybersecurity for building control systems. “You probably don’t want to have a whole lot of free particulates in the air that can undergo spontaneous combustions” at a production plant.
The market for 3-D printed parts made from combustible alloys includes aerospace and defense industries, according to OSHA.
It also is possible to compromise large defense systems by messing with 3-D printers, according to cyber analysts.
An adversary with malicious intent could "change the spray material composition to cause stresses and fail, or add features not intended for that particular make or model," Chipley said.
A weakened printed part that makes it into an assembly line, "or even worse, out to a delivered product or system would require a recall and replacement,” he added. Chipley said hopefully quality control processes would catch such errors, but nonetheless the facility would have to be shut down for repairs.
An Open Door to Stuxnet 2.0?
In a graver scenario, a machine could be sabotaged without the operator's knowledge, as was the case with Stuxnet -- a virus that subverted the controls running Iran's nuclear centrifuges and caused them to self-destruct.
"Like all interconnected systems and devices, once a foothold has been established, then all nodes and other systems are at risk,” Chipley said.
The attacker can enter through the machine's hard drive or memory card and manipulate the user display "to then spoof the processes and cause physical damage," as with Stuxnet, he said. Or the attacker can break in through the Web to compromise the company's servers and then drill down to the printer to roil operations, he added.
Other types of mischief hackers can create include "denial of service" attacks, in which a printer server is flooded with useless traffic that knocks the machine offline. A replication device, or RD, such as a 3-D printer, "connected to the Internet may be more vulnerable to this kind of exploit which results in devices being temporarily unusable,” the NIST publication states.
Spies can also intercept unencrypted data flowing through the system -- including print jobs and configurations, according to NIST.
Also, many of these machines are programmed with default passwords that system operators never bother to change. Such passwords "can be easily obtained and used to access configuration panels, stored data, or to control the device locally or remotely via a web interface," the guidance states.