As additive manufacturing (AM) matures and continues to gain popularity, it becomes an increasingly attractive target for cyberattacks. Therefore, being proactive in preparing for these security threats, particularly for high-value targets, is of paramount importance. A recently published paper [1] identifies the importance of developing and implementing a forensic readiness model to prepare for attacks on 3D printers. According to the paper’s authors, current forensic readiness models “do not consider AM processes and may be ineffective” for crimes that involve 3D printers, which motivated their work in developing a forensic readiness framework for AM.
The framework, which the authors refer to as the Forensic Readiness for Material Extrusion-based Printing Process (FRoMEPP), emphasizes the need to establish a “forensically ready” printing environment before an incident occurs in order to allow for the acquisition and preservation of relevant data as an attack is occurring, not after the attack subsides when data can be lost or overwritten. The different components of the framework are shown in Figure 1.
The authors identify several categories of cyber-domain information that are critical to monitor during an attack, including operating system logs, network logs, and application logs. These three log types cover a wide range of activities, from user account sessions and file access activities, to network traffic (e.g., SSH and HTTP connections), and finally to CAD and slicer software usage. By collecting and analyzing multiple logs, investigators can piece together the events of an attack with the assurance that the results of the investigation can be corroborated using multiple data sources.
Similar to investigations in other domains, the paper emphasizes that preserving and archiving evidence related to AM attacks is imperative. According to NIST IR 8387, “Digital Evidence Preservation” [2], digital evidence retention policies may vary between jurisdictions and organizations. However, in the absence of local statutes or policies, organizations should determine for themselves how long evidence should be preserved, which highlights the need for a flexible retention solution.
The proposed FRoMEPP framework [1] goes into much more detail and includes other critical aspects of the forensic readiness model, including the employment of out-of-band sensors and the selection of a suitable monitoring scheme. For the sake of brevity, we can’t cover the entire paper, but interested readers are encouraged to review the rest of the paper using the link in the footer.
Anticipating the demand for a security-hardened device that protects against cyberattacks on additive manufacturing machines, BreakPoint Labs has developed BISON to provide cutting-edge cyber defense capabilities in a small, convenient form factor. BISON captures critical cybersecurity information in the machine-to-machine communications between the controller and printer, and can ingest Windows security event logs and certain application logs for advanced analysis. This data is archived in the system until manually removed by an operator, ensuring that pertinent information is preserved for any post-incident investigations.
If you are interested in learning more about how BISON can secure your AM environment, please contact us at info@breakpoint-labs.com.
[1] https://www.sciencedirect.com/science/article/pii/S2666281723000112
[2] https://nvlpubs.nist.gov/nistpubs/ir/2022/NIST.IR.8387.pdf