Perspective: cybersecurity standards for digital manufacturing supply chains

Cybersecurity standards have evolved to protect IP data as it moves along the digital supply chain. How can these new standards be applied to meet the needs of digital manufacturing business models?

IP and design theft costs businesses billions, if not trillions, of dollars every year. The cost of IP theft to the US economy alone was estimated at up to $600B in 2017[1], and brand theft including counterfeit goods reached $1.2T in 2017[2]. Many of these incidents begin with the targeted misappropriation of an IP design file.

To combat fast-evolving cyber threats, organizations typically turn to established security standards such as NIST SP 800-53 and the CIS Critical Security Controls, and perhaps supply-chain-oriented management standards such as ISO 28000. These standards offer sound guidance for managing risk around users and devices: identity management, vulnerability management, threat assessment, risk management, intrusion detection, log management, and incident response.

However, while these cybersecurity standards have been in circulation for years (in some cases, decades), IP theft continues to rise. Three factors account for much of this: the distributed nature of the digital supply chain, increasing automation, and the trend toward digital manufacturing. How can the risk associated with these factors be mitigated?

Securing the perimeter is not enough

Existing prescriptive cybersecurity control standards, designed to secure infrastructure and users, are a key element of any good cybersecurity program. On their own, however, they are not sufficient to combat IP and design theft, because they were not designed to control digital IP once it leaves the secure perimeter and traverses the digital supply chain.

To address the risk of IP theft or misappropriation, a return to the foundations of the cybersecurity practice is warranted, together with a "follow the data" model that protects the asset itself rather than only the network it happens to sit on. Most cybersecurity standards trace their roots to a protection model known as the CIA triad:

  • Confidentiality
  • Integrity
  • Availability

To protect data along the digital supply chain, a broader protection model has emerged. NIST SP 800-161[3] frames supply chain risk management for the more horizontal, geographically distributed manufacturing supply chain around four goals:

  • Security
  • Integrity
  • Resilience
  • Quality

A new cyber-security model for digital manufacturing

The SIRQ model, as implemented by Identify3D, offers a framework to ensure protection of engineering digital IP assets and to guarantee the quality of digitally manufactured parts. Here’s how it works.

  • Security: Only those users and companies with permission to “see” the IP are allowed to do so.
  • Integrity: The engineering IP file contains the exact content that is intended to be distributed and received.
  • Resilience: The engineering IP file always arrives at its destination on time and uncorrupted.
  • Quality: Only what should be made is made, and it is made according to its specified characteristics.

This model is specifically designed to secure valuable IP as it moves from engineering to manufacturing and then into use. The Identify3D platform achieves this by enforcing an authentication, verification, and authorization policy on every engineering file, scoped by user, device, utilization, and organization. At each step of the manufacturing process, Identify3D inspects, verifies, and validates users, applications, and machines.

By implementing a consistent authorization model that follows the engineering files through the entire lifecycle, an IP owner can be confident that its IP will be used as prescribed in the agreement with both its supply chain providers and its customers.

Meeting the NIST SP 800-161 goals throughout the digital supply chain

As manufacturers embrace Industry 4.0, the movement of parts along the supply chain simultaneously involves the movement of valuable data. The transmission and sharing of design files and digital assets among industrial companies, suppliers, and contractors are an opportunity for bad actors to jeopardize the security and integrity of that data.

Identify3D’s product suite encrypts, distributes, and traces the digital flow of parts, preventing counterfeits and ensuring that maliciously modified, substandard, or uncertified parts cannot enter the physical supply chain. It does so by meeting the Security, Integrity, Resilience, and Quality goals of NIST SP 800-161.

  • The Identify3D authorization model lets IP owners specify, down to the individual user, who may access the engineering data, when, and how: Security.
  • Identify3D’s encrypted, PKI-backed delivery protects each file across organizational boundaries, from engineering data delivery to fabrication, so that the content received is exactly the content that was sent: Integrity.
  • By integrating directly with digital manufacturing machines (including additive and subtractive processes), Identify3D provides fine-grained authorization for each engineering file, covering machine type, serial number and operating parameters as well as the material used and post-processing steps such as coordinate measuring: Quality.
  • Real-time monitoring and alerts, integrated PKI, and optional Identify3D cloud delivery support Resilience.
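
The two passages above describe a policy that travels with each engineering file and is evaluated by organization, user, machine and process parameter at the point of manufacture. The following Python is an added illustration of that pattern and is not Identify3D's code: the licence fields, the HMAC used as a stand-in for a PKI signature, the machine and material names and the design bytes are all constructed for the example, and encryption of the file itself (the confidentiality half of Security) is left out so that the policy logic stays in view.

```python
from __future__ import annotations

import hashlib
import hmac
import json
from datetime import datetime

# Constructed demo material (not Identify3D's formats, keys or files). The HMAC key
# stands in for the IP owner's PKI signing key; the "design" is made-up toolpath text.
IP_OWNER_KEY = b"demo-ip-owner-signing-key"
DESIGN_FILE = b"; bracket_v3 toolpath (constructed)\nG1 X10 Y10 Z0.2 F1200\nG1 X50 Y10\n"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _canonical(policy: dict) -> bytes:
    """Bytes to sign: every field except 'sig', serialized with sorted keys."""
    unsigned = {k: v for k, v in policy.items() if k != "sig"}
    return json.dumps(unsigned, sort_keys=True, separators=(",", ":")).encode()


def issue_policy(design: bytes, **terms) -> dict:
    """IP owner binds licence terms to the exact bytes of one design revision."""
    policy = {"file_sha256": sha256_hex(design), **terms}
    policy["sig"] = hmac.new(IP_OWNER_KEY, _canonical(policy), "sha256").hexdigest()
    return policy


def policy_signature_valid(policy: dict) -> bool:
    expected = hmac.new(IP_OWNER_KEY, _canonical(policy), "sha256").hexdigest()
    return hmac.compare_digest(expected, policy.get("sig", ""))


def authorize_build(policy: dict, req: dict) -> tuple[bool, list[str]]:
    """Evaluate the licence at the machine before the file is released for a build.
    Returns (allowed, reasons); every failed check is reported, not just the first."""
    reasons: list[str] = []
    # Integrity: neither the licence nor the file it governs may have been altered.
    if not policy_signature_valid(policy):
        reasons.append("policy signature invalid")
    if sha256_hex(req["design"]) != policy["file_sha256"]:
        reasons.append("file hash mismatch")
    # Security: only the named organizations and users may see or use the IP.
    if req["org"] not in policy["orgs"]:
        reasons.append(f"org not licensed: {req['org']}")
    if req["user"] not in policy["users"]:
        reasons.append(f"user not authorized: {req['user']}")
    # Licence validity window (timestamps carry an explicit UTC offset).
    t = datetime.fromisoformat(req["requested_at"])
    if not datetime.fromisoformat(policy["not_before"]) <= t <= datetime.fromisoformat(policy["not_after"]):
        reasons.append("outside licence validity window")
    # Quality: only what should be made, on the named machine, with the specified parameters.
    if req["machine_type"] != policy["machine_type"]:
        reasons.append(f"wrong machine type: {req['machine_type']}")
    if req["machine_serial"] not in policy["machine_serials"]:
        reasons.append(f"machine serial not licensed: {req['machine_serial']}")
    if req["material"] not in policy["materials"]:
        reasons.append(f"material not approved: {req['material']}")
    lo, hi = policy["layer_height_mm"]
    if not lo <= req["layer_height_mm"] <= hi:
        reasons.append(f"layer height {req['layer_height_mm']} outside [{lo}, {hi}]")
    if req["builds_completed"] >= policy["max_builds"]:
        reasons.append("build quota exhausted")
    return (not reasons, reasons)


# Constructed licence: two organizations may see the file, one operator may build it,
# on one machine, in one alloy, within a layer-height band, at most 25 times in 2024.
POLICY = issue_policy(
    DESIGN_FILE,
    orgs=["Acme Aerospace", "Contoso Machining"], users=["operator-17@contoso.example"],
    not_before="2024-01-01T00:00:00+00:00", not_after="2024-12-31T23:59:59+00:00",
    machine_type="LPBF", machine_serials=["LPBF-0042"], materials=["Ti-6Al-4V"],
    layer_height_mm=[0.03, 0.06], max_builds=25,
)


def sample_request(**overrides) -> dict:
    """A compliant build request; keyword overrides construct violations."""
    base = dict(org="Contoso Machining", user="operator-17@contoso.example",
                machine_type="LPBF", machine_serial="LPBF-0042", material="Ti-6Al-4V",
                layer_height_mm=0.04, requested_at="2024-06-15T09:30:00+00:00",
                design=DESIGN_FILE, builds_completed=3)
    return {**base, **overrides}


if __name__ == "__main__":
    tampered_policy = dict(POLICY, max_builds=1000)  # licence edited after signing
    for label, req, pol in [
        ("compliant build", sample_request(), POLICY),
        ("altered toolpath", sample_request(design=DESIGN_FILE + b"G1 X0 Y0\n"), POLICY),
        ("unlicensed machine", sample_request(machine_serial="LPBF-0099"), POLICY),
        ("quota raised by editing licence", sample_request(), tampered_policy),
    ]:
        print(f"{label}: {authorize_build(pol, req)}")
```

The point of the example is that the decision is taken against the file and its licence, not against the network a user happens to be on: a perimeter control would pass all four cases above, while the data-bound policy rejects an altered toolpath, an unlicensed machine, and a licence whose quota was raised after it was signed. In a real deployment the HMAC would be replaced by a signature the owner's PKI can verify without sharing a secret with every manufacturer, and the denial reasons would feed the audit trail described below.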

Further assurance is offered through detailed auditing and reporting, available both on-premises and through the Identify3D cloud, giving manufacturers and engineering IP owners confidence in the entire production process, from design to completed product.

The combined capabilities of Identify3D enable provable adherence by each supply chain participant to its contractual commitments. Identify3D also gives both manufacturers and engineering IP owners the means to comply with regulations such as ITAR and to meet internal risk-reduction goals: data-loss prevention and protection against misappropriation, accidental or intentional integrity corruption, and quality errors.

To learn how this approach can be applied to address your manufacturing needs, contact our team to schedule a demo.

[1] The IP Commission Report, 2017 Update

[2] Global Brand Report 2018

[3] NIST SP 800-161, Supply Chain Risk Management Practices for Federal Information Systems and Organizations