3D opportunity and cyber risk management - Deloitte US · Deloitte Consulting LLP’s Supply Chain...

3D opportunity and cyber risk managementAdditive manufacturing secures the thread

A Deloitte series on additive manufacturing

Deloitte Consulting LLP’s Supply Chain and Manufacturing Operations practice helps companies understand and address opportunities to apply advanced manufacturing technologies to impact their businesses’ performance, innovation, and growth. Our insights into additive manufacturing allow us to help organizations reassess their people, process, technology, and innovation strate-gies in light of this emerging set of technologies. Contact the authors for more information, or read more about our alliance with 3D Systems and our 3D Printing Discovery Center on www.deloitte.com.

SIMON GOLDENBERG

Simon Goldenberg is a specialist senior with Deloitte Advisory’s Cyber Risk Services practice. After moving from physics to information technology, he has 24 years’ experience helping federal and commercial clients comply with cybersecurity standards.

JOHN BROWN

John Brown is a manager in Deloitte Advisory’s Risk & Resiliency practice. He brings deep, practical experi-ence in supply chain, operational, and enterprise risk management, including business continuity and resil-ience, to benefit clients in commercial sectors. Brown served as committee cochair for ANSI/ASIS SCRM.1-2014 Supply Chain Risk Management: A Compilation of Best Practices.

JEFF HAID

Jeff Haid is a senior manager in Deloitte Advisory’s Federal Cyber Risk Services practice. He brings his back-ground in information and cybersecurity to focus on federal clients’ current cybersecurity needs. Haid has over 17 years of experience delivering high-end security solutions to both commercial and federal clients.

JOHN EZZARD

John Ezzard is a specialist leader in Deloitte Consulting’s Technology Service Area and Federal Health Care Practice. He has over 19 years of experience developing and implementing IT strategies to help organiza-tions radically transform and improve business operations. Ezzard has led large, policy-reform–driven IT transformation projects, helping federal government agencies change the way they regulate the health care and telecommunications industries, including one of the first federal e-government initiatives to consolidate payroll and HR services across federal agencies.

ABOUT THE AUTHORS

3D opportunity and cyber risk management

Introduction

Cyber threats are not new. In fact, it is difficult to find an industry sector, tech-nology, or organization that is immune to cyber risks. Examples of particu-larly damaging cyber attacks have been heavily covered in the news, including attacks leveraging such tactics as worms, spear phishing, and hacking. One worm, Stuxnet, was used to infiltrate Iran’s nuclear enrichment program, tak-ing over centrifuges, causing them to spin out of control and become dam-aged.1 Many other examples of cyber attacks exist and can lurk in connected objects or software, including consumer digital equipment, smartphones,2 and USB-connected devices such as e-cigarettes,3 thumb drives, digital picture frames, and USB chargers.4

ADDITIVE manufacturing (AM) is one area where cyber risk poses an especially sig-nificant danger. AM, also commonly known

as 3D printing, alters the way in which physical products are designed and produced. Designs are created digitally, and, via connected printers and production lines, can theoretically be manufactured anywhere, at any time—by anyone with the means to do so.5

The digitalization of physical products through AM may prove to be disruptive, opening up new oppor-tunities to revolutionize the supply chain and create new parts and products that were previously impos-sible using traditional manufacturing. Indeed, the benefits and opportunities provided by AM are sig-nificant and have been explored in depth through-out Deloitte’s 3D Opportunity series.6 Manufactur-ers across sectors—from health care and automotive to aerospace and defense—are realizing AM’s many

benefits in optimizing product designs, printing at or close to point of use, streamlining inventory man-agement, and saving resources and costs through-

AM’s reliance on digital files and connectivity can also open the process up to entirely new types of cyber threats, from product malfunctions to intellectual property theft and brand risk.


2

out the product life cycle.7 Its use is expected to grow significantly, from $4.1 billion in 2014 to more than $21 billion globally by 2020.8

But AM’s reliance on digital files and connectivity can also open the process up to entirely new types of cyber threats, from product malfunctions to in-tellectual property theft and brand risk, along with other new threats conventional manufacturers may not face. For example, the data generated about an object during the AM design and production pro-cesses can be considerable, generating a strand of information that runs through the AM object’s lifes-pan known as the digital thread—and creating a trove of potentially vulnerable information.9

Developing a comprehensive AM cybersecurity approach is further complicated by the fact that cyber risk implications of AM affect multiple par-ties throughout the supply chain, from suppliers to owners, managers, and purchasers of AM systems, to distributors and purchasers of AM products. Cy-ber risk can impact each stage of the digital thread, from design and scan, to quality assurance and printing, to use in the field, and even disposal of the AM objects or printers.10 Indeed, AM’s existence at the intersection of the digital and physical worlds mean that, while companies seeking to apply AM must protect their digital assets, cyber risk extends to both the physical and logical objects associated with the entire process.

THE ADDITIVE MANUFACTURING FRAMEWORKAM’s roots go back nearly three decades. Its importance is derived from the ability to break existing performance trade-offs in two fundamental ways. First, AM reduces the capital required to achieve economies of scale. Second, it increases flexibility and reduces the capital required to achieve scope.11

Capital versus scale: Considerations of minimum efficient scale can shape supply chains. AM has the potential to reduce the capital required to reach minimum efficient scale for production, thus lowering the manufacturing barriers to entry for a given location.

Capital versus scope: Economies of scope influence how and what products can be made. The flexibility of AM facilitates an increase in the variety of products a unit of capital can produce, reducing the costs associated with production changeovers and customization and, thus, the overall amount of required capital.

Changing the capital versus scale relationship has the potential to impact how supply chains are configured, and changing the capital versus scope relationship has the potential to impact product designs. These impacts present companies with choices on how to deploy AM across their businesses.

Companies pursuing AM capabilities choose between divergent paths (figure 1):

Path I: Companies do not seek radical alterations in either supply chains or products, but they may explore AM technologies to improve value delivery for current products within existing supply chains.

Path II: Companies take advantage of scale economics offered by AM as a potential enabler of supply chain transformation for the products they offer.

Path III: Companies take advantage of the scope economics offered by AM technologies to achieve new levels of performance or innovation in the products they offer.

Path IV: Companies alter both supply chains and products in pursuit of new business models.

Depending on their capabilities and how they intend to apply AM within their organization, companies may find themselves along different paths. However, cybersecurity concerns remain applicable no matter the path pursued; risks range from theft of intellectual property to loss of brand value, and even to malfunctioning of finished products in the latter paths. Once companies understand where they lie along the framework, they can begin to determine what they need to protect, consider the steps they can take to do so, and implement a rigorous cybersecurity strategy.


3

Graphic: Deloitte University Press | DUPress.comSource: Deloitte analysis.

Figure 1. Framework for understanding AM paths and value

Path III: Product evolution• Strategic imperative: Balance of growth,

innovation, and performance• Value driver: Balance of profit, risk, and time• Key enabling AM capabilities:

– Customization to customer requirements– Increased product functionality– Market responsiveness– Zero cost of increased complexity

Path IV: Business model evolution• Strategic imperative: Growth and innovation• Value driver: Profit with revenue focus, and

risk• Key enabling AM capabilities:

– Mass customization– Manufacturing at point of use– Supply chain disintermediation– Customer empowerment

Path I: Stasis • Strategic imperative: Performance• Value driver: Profit with a cost focus• Key enabling AM capabilities:

– Design and rapid prototyping– Production and custom tooling– Supplementary or “insurance” capability– Low rate production/no

changeover

Path II: Supply chain evolution• Strategic imperative: Performance• Value driver: Profit with a cost focus, and

time• Key enabling AM capabilities:

– Manufacturing closer to point of use

– Responsiveness and flexibility– Management of demand uncertainty– Reduction in required inventory

High product change

No

supp

ly c

hain

cha

nge

High supply chain change

No product change

Organizations seeking to realize the benefits of AM can benefit from taking a proactive approach to ad-dressing cyber risk. To help organizations that are exploring AM understand the broader impacts of cybersecurity in this environment and potential safeguards, this paper:

• Aims to explain how cyber risk affects AM along the paths of the AM framework

• Examines the characteristics that make AM unique with respect to cybersecurity

• Identifies various existing regulations and stan-dards that can be applied to AM

• Outlines approaches to cybersecurity that or-ganizations seeking to adopt and scale AM can incorporate


4

The special cyber risks for AM

WHEREVER data and information are trans-mitted, used, or accessed, companies must anticipate that someone, some-

where will try to exploit those data and informa-tion for personal gain or to inflict harm or damage. Understanding who executes cyber attacks and why they do so can help manufacturers in general—and additive manufacturers, in particular—anticipate possible threats.

Early on in the digital revolution, incidents of sys-tem breaches were not necessarily for malintent, but rather caused by people curious to see if and how they could gain access to systems.12 Many at-tacks have been focused on accessing what makes the organization competitive; in many cases, com-panies may be unaware that their systems have even been breached.13 Today, however, cyber attacks can

and do cause real and sometimes significant dam-age to companies and individuals—and particularly to manufacturers. Cyber attacks can originate from individuals or organizations who are driven by a va-riety of reasons, including economic gain, the desire to cause damage to a specific company or compa-nies, or as a means to disrupt society. In extreme cases, the objective may be to cause threat to life and safety. (See the sidebar “Applying the lessons of well-known cyber attacks to AM.”)

When it comes to manufacturing, chief threats can include theft of intellectual property by na-tion-states or competitors, especially those able to compromise insiders or business partners. Table 1 provides a conventional manufacturer’s view of six classes of cyber threat actors mapped alongside

Table 1. Cyber threat actors and impacts: Heat map for the manufacturing sector

Impacts

Actors

Financial theft/fraud

Theft of IP or strategic plans

Business disruption

Destruction of critical infra-structure

Reputation damage

Threats to life/safety Regulatory

Organized criminals

Hactivists

Nation- states

Insiders/partners

Competi-tors

Skilled individual hackers

KEY ■ Very high ■ High ■ Moderate ■ Low

Source: Deloitte, “Cybersecurity: A prudent approach,” October 30, 2015.


5

Graphic: Deloitte University Press | DUPress.com

Source: Mark J. Cotteleer, Stuart Trouton, and Ed Dobner, 3D opportunity and the digital thread, Deloitte University Press, March 3, 2016, http://dupress.com/articles/3d-printing-digital-thread-in-manufacturing/.

SCAN/DESIGN + ANALYZE BUILD + MONITOR TEST + VALIDATE DELIVER + MANAGE

Design + scan

CAD �le created

Advanced multi-physics

modeling and simulation

Traditional analysis

Product inception: DTAM begins

Digital twin established

(runs parallel to DTAM)

Build simulation, detailed build plan + machine data

Part fabrication (3D print process)

In-situ monitoring

Build feedback

Per-part post-processing and �nishing

Part inspection

Data veri�cation + twinning

Part end-of-life

Part �eld service sensing + inspection

Digital twin updated

Digital thread

Digital twin

Body of knowledge(grows throughout process)

Quality assurance + part validation/veri�cation information �ow

Continuous improvement information �ow

Figure 2. The digital thread for additive manufacturing

seven impact areas, illustrating where the actors are most likely to operate based on previous incidents.14

The information in this heat map can also apply to companies using AM, as many of the impacts and actors may remain the same.

Framing the cyber challenge for the AM life cycleWith the advent of connected and automated tech-nologies such as AM, new threats—and new oppor-tunities for access—are emerging. Figure 2 depicts the digital thread, the process by which information is created and communicated throughout the AM process, from design, build, and quality assurance monitoring, to testing, delivery, and distribution.15 At each step along this process are cyber risks re-lated to intellectual property, software, firmware, network, IT, design, printers, productions, and the third-party supply chain. In this way, the digital thread can serve as a life cycle of sorts for examining the ways in which connected technologies interact throughout the manufacturing process, and the re-sulting threats that can arise.

The digital thread also illustrates the connectivity inherent in fully realized AM processes, and thus the unique cyber risks the process faces beyond those of conventional manufacturing. Indeed, as AM’s print-ers and systems benefit from becoming ever more connected and networked, cyber risks can affect AM-enabled production and machine functionality in a variety of ways. Table 2 matches some of these AM-specific cybersecurity concerns with some of the potential impacts described in table 1.

AM’s reliance on digital data files—and connectivity to transmit them—has numerous benefits for sup-ply chain optimization. But it also means that once a file is stolen, hackers have access to the entire file in all of its intricacy, rather than simply to a physical object manufactured via conventional means that requires reverse engineering to create unauthorized or pirated copies. Whereas with conventional man-ufacturing, those looking to steal or copy a design would still need the means to produce it—knocking out the majority of would-be thieves—with AM, pos-session of the design file and a printer can make it far easier to produce the stolen object. This can pose risks related not only to health and safety but also to


6

Table 2. Examples of AM-specific cybersecurity concerns

AM-SPECIFIC CYBERSECURITY CONCERNS POTENTIAL IMPACTS

Design files stolen • Theft of IP or strategic plans• Reputation damage

Design files changed to build flaws in parts• Destruction of critical infrastructure• Reputation damage• Threats to life/safety

Unauthorized objects printed • Theft of IP or strategic plans (counterfeiting)• Reputation damage

Altering toolpath to deposit materials incorrectly• Destruction of critical infrastructure• Reputation damage• Threats to life/safety

Printers taken offline • Business disruption

IP-protected objects printed without payment or permission • Theft of IP or strategic plans (counterfeiting)• Financial theft

Dangerous or illegal objects printed (e.g., weapons) • Threats to life/safety

Digital twin hacked (e.g., to compromise maintenance)• Destruction of critical infrastructure• Business disruption• Threats to life/safety

Digital thread hacked (e.g., to affect quality control) • Reputation damage• Threats to life/safety

brand and liability should the devices fail or cause injury.17

Further, with access to a full design file, hackers could conceivably build in failure points in criti-cal components without the designers’ knowledge, which would then be included in any object printed from that file. For example, the ACAD/Medre.A worm steals CAD files; another example, Cryp-toLocker Malware, infects a file and locks it, render-ing it inaccessible to the user until she pays a ran-som to unencrypt it.18 In other cases, toolpath files can be altered to impact placement of materials or layers during the build process, making a product unstable.

AM also possesses multiple other facets that make its cybersecurity concerns unique: a broad set of stakeholders, unique supply chain considerations, and a breadth of AM applications, leading to a com-plex web of regulations. We examine each below.

A broad set of AM stakeholdersAM can include a larger, more diverse group of stakeholders than conventional manufacturing, in-cluding owners, managers, and purchasers of AM systems, and suppliers of AM print materials. With a product life cycle extending beyond design and production, stakeholders can also comprise design-ers, vendors, purchasers, maintainers, and dispos-ers of AM products, among others. This breadth can, in turn, translate to increased cyber risks. Some stakeholders may not have experience with cyber-security issues, even if those issues, overall, are not new. This is particularly true for those who operate in makerspaces producing small-batch runs, and who may have limited experience with the cyber risks that accompany digital production. (See the sidebar “The maker movement and cyber risk.”)


7

APPLYING THE LESSONS OF WELL-KNOWN CYBER ATTACKS TO AM

Examining real-life cyber attacks in other connected, complex systems may illustrate some of the potential threats faced by AM-specific organizations or processes. These examples span sectors and illustrate the breadth of cyber risks.

Manufacturing: In one particular example of spear phishing—a tactic in which access to a network is obtained via email or other forms of communication—attackers infiltrated production networks of an IoT-enabled German steel mill and caused breakdowns of control components and entire installations. Ultimately, they caused an uncontrollable shutdown of a connected blast furnace and massive (although unspecified) damage.19

Automotive: Documented hacking techniques—including rewriting firmware on a critical chip in a connected car’s entertainment system—were used to give attackers wireless control of an automobile via the Internet. The hackers were able to control entertainment systems, windshield wipers/washers, transmissions, acceleration, and brakes.20

Retail: A major retailer endured a breach in which hackers gained access to customers’ personal data, finding a way into payment systems via the company’s remotely accessible HVAC system.21

Health care: Hackers broke into a connected, Bluetooth-enabled insulin pump to control insulin dosages, underlining the potential for harm to the patient.22

Unique supply chain considerations AM’s strong impact on the supply chain has been examined extensively in the 3D Opportunity se-ries.23 In many ways, the supply chain for AM can consist of a design file, transmitted to the point of need for printing. This ability to print at or close to the point of need, on or close to the time of need, has tremendously positive implications for the supply chain in general as well as other implications for cy-bersecurity. To maintain the integrity of this largely digital supply chain, organizations must think be-yond the file itself to consider all the other potential points of entry into the system and throughout the digital thread—something conventional manufac-turers may not have to take into account. This can include tracking, tracing, and controlling distribu-tion of certain materials, particularly those used to manufacture potentially dangerous products such as weapons; maintaining the integrity of design files; and controlling the distribution of design files to prevent counterfeiting. Some AM manufacturers have also considered tagging products with markers

to indicate that products have been manufactured by design files, machines, and ingredients that have not been tampered with.24

As AM’s printers and systems benefit from becoming ever more connected and networked, cyber risks can affect AM-enabled production and machine functionality in a variety of ways.


8

THE MAKER MOVEMENT AND CYBER RISK

AM is an important part of the “maker movement,” which is founded on the principle that making things is fundamental to the human condition and something everyone should do.25 AM democratizes manufacturing by radically reducing the costs of manufacturing and putting the power of “making” into the hands of many. For example, in the “makernurse” movement, nurses harness AM to solve problems and innovate. A hospital in Galveston, Texas, has opened a “medical maker space,” where nurses have used AM to customize materials for individual patients.26 Some medical professionals are also looking to reduce the costs and delivery time of simple, yet critical, supplies by using AM to make the supplies themselves.27

While the maker movement offers tremendous potential across a variety of industries, it introduces new forms of cybersecurity risk. Design files are typically unsecured, and quality control may also be an issue. While these risks are, in many ways, traditional to a manufacturing process, the operating context and participants’ skills and knowledge are radically different. This area is, perhaps, AM’s most underrated cybersecurity challenge.

A breadth of AM applicationsPotential uses for AM span numerous industries, as well as both the public and private sector. Indeed, AM is currently an area of great interest for the US Department of Defense (DoD) and other federal en-tities as a way to address supply chain challenges associated with unpredictable inventory and expen-sive-to-produce parts in remote locations.28 How-ever, cyber risk is a concern: A printer breach can render it unable to produce crucial parts; a design file that is tampered with to introduce flaws to a jet, a weapon, or its component parts can affect national security. In the private sector, AM can be used in the automotive,29 health care and medical devices,30

aerospace,31 end-use product,32 and even food sec-tors.33 Design files can be illegally downloaded to print anything from IP-protected objects without obtaining permission, to dangerous or illegal ob-jects such as weapons.

Terrorism, tampering, theft, and consumer safety are four areas of AM cyber risk for the public sector. While 3D printing of complex weapons is probably not a near-term threat, terrorists using distributed AM to manufacture smaller-scale weapons, such as guns, explosives, and ammunition, is of greater con-cern.34

Tampering is another area of concern. By subtly tampering with design files, hackers could intro-duce flaws into mass-produced items such as medi-cations or medical devices that could be hard to de-tect, causing large-scale harm. Counterfeiting and theft are also big risk areas. In one example, cargo thieves used AM printing to make counterfeit cop-ies of devices such as ISO 17712 high-security cargo seals, locks, and padlocks, in some cases in as little as 10 minutes.35 A 3D scanner created CAD techni-cal specifications needed to produce near-perfect replicas, allowing thieves to hide signs of tamper-ing and making it difficult to identify the location or time of the theft. In one example, thieves posted a CAD master file for replicating keys to open freight padlocks on a website approved by the Transporta-tion Security Authority (TSA), allowing anyone to access the information.36

A complex web of regulations Due to the breadth of objects produced using AM across different industries, the technology is also beholden to a broad array of industry regulatory standards—as well as IT regulations that conven-tional manufacturers may not yet have to deal with, due to AM’s reliance on digital technologies.


9

Table 3. Sample of cyber regulations and regulatory bodies by sector

SECTOR REGULATORY FRAMEWORK OR BODY

Aerospace• Federal Aviation Administration• National Transportation Safety Board

Automotive• National Transportation Safety Board• National Highway Traffic Safety Administration• Environmental Protection Agency

Federal systems• National Institute of Standards and Technology• Department of Homeland Security• Federal Information Systems Management Act

Food • Food and Drug Administration

Medical devices• Food and Drug Administration• Health Insurance Portability and Accountability Act

Pharmaceuticals• Food and Drug Administration• Health Insurance Portability and Accountability Act

Thus, an organization’s cyber approach may need to be tailored to the specific regulation(s) needed to achieve compliance. For example, in the aerospace industry, AM use falls under Federal Aviation Ad-ministration (FAA) regulations. AM used in aviation or other transportation industries, including auto-motive, would have to comply with National Trans-portation Safety Board rules, but AM parts used in automotive exhaust systems would have to comply with Environmental Protection Agency rules. AM’s use in medical devices and pharmaceuticals can fall under Food and Drug Administration (FDA) and Health Insurance Portability and Accountability Act (HIPAA) rules. The FDA has been reviewing the use of AM in medical devices, and issued draft guidance around this in May 2016.37 To date, the FDA has ap-proved more than 85 medical devices produced via AM.38

In this way, each AM application may require a dif-ferent set of regulatory requirements with respect to cybersecurity (table 3). Regulatory guidelines can become further tangled as organizations leveraging AM navigate between the public and private sec-tor—each of which come with their own attendant concerns.

While the many cybersecurity frameworks, laws, and regulations listed before can help protect design files, the question remains how to ensure that they can work together, and whether or not they go far enough toward protecting AM systems and machinery.


10

Further complicating matters, AM printers can be considered IT systems, and their use by the federal government is regulated by Federal Government Information Security Act (FISMA) and policies sup-porting it, such as the National Institute of Stan-dards and Technology’s Risk Management Frame-work (NIST RMF) and the associated Authorization to Operate (ATO) certification.39 More recently, the NIST Cybersecurity Framework (NIST CSF), which applies to critical infrastructure, is also being con-sidered for application to federal programs. Fed-eral cybersecurity regulations have been in place for nearly 20 years,40 yet federal agencies struggle with effective compliance.41 Indeed, the National Defense Industrial Association acknowledges that relatively less action has been taken to protect technical data.42 For their part, commercial vendors who may supply or contract with the government may be slow to react to cyber requirements. Adding to the chal-lenge, some of these standards and rules date back to the 1980s, and much has changed technologically since their inception, particularly to AM and its at-tendant systems.43

Beyond the public sector, cyber risks associated with AM have implications within the health care space, where 3D printers are increasingly used to produce customized medical devices, drugs, implants, tis-sue, and even organs. Apart from obvious health-related concerns should security be compromised, machines that print medical devices or organs may also qualify as handling electronic protected health information and thus can be subject to the HIPAA security rule, adding additional layers of complex-

ity. The ability to produce individualized products presents still more potential issues.44

The number of industries with their own governing bodies highlights that developing new cybersecurity standards and regulations for AM is a critical area for policy makers to explore. As with any emerg-ing technology, policy gaps currently exist that may prevent stakeholders from implementing the most appropriate measures to protect AM data. Further, while the many cybersecurity frameworks, laws, and regulations listed before can help protect de-sign files, the question remains how to ensure that they can work together, and whether or not they go far enough toward protecting AM systems and ma-chinery. However, the development of new policies can take a long time—starting with identifying and testing leading practices, developing and testing standards, working with the US Congress to draft and pass new legislation where needed, and going through the rulemaking process, which can take several years45—all before finally educating the pub-lic and enforcing the regulations.

With this in mind, AM stakeholders can get a head start by examining and applying existing standards, laws, and regulations. In particular, FISMA and NIST regulations can provide useful, actionable guidance, based on the risk management approach and supporting control infrastructure, along with other internationally accepted guidelines put forth by the International Organization for Standardiza-tion (ISO) and Institute of Electrical and Electronics Engineers.


11

AS organizations seek to navigate the myriad regulatory bodies and regulations that im-pact AM cybersecurity, they can begin to

consider how to address the many requirements potentially impacting any one organization and its supporting processes. Addressing every single regulatory framework individually can be neither effective nor efficient—nor, indeed, likely even pos-sible. Shifting one’s mind-set, however, to look at the commonalities between the regulations can help make the process more feasible. In this way, organi-zations can take an overarching approach to which many regulations may align.

This strategy, “test once, satisfy many,” can enable organizations to consider the applicable regula-tions in the same vein to avoid duplicating efforts, particularly when used in concert with design ap-proaches that incorporate security directly into the design of products. They can then create a compre-hensive risk management framework to evaluate their regulatory environment to best address their specific cybersecurity footprint. Given the fact that AM processes include both digital and physical components, a combination of strategies focused on both IT systems and physical objects may provide the most comprehensive initial approach. Figure 3

Test once, satisfy manyPrioritizing the web of standards

Graphic: Deloitte University Press | DUPress.com

Source: Mark J. Cotteleer, Stuart Trouton, and Ed Dobner, 3D opportunity and the digital thread, Deloitte University Press, March 3, 2016, http://dupress.com/articles/3d-printing-digital-thread-in-manufacturing/.

SCAN/DESIGN + ANALYZE BUILD + MONITOR TEST + VALIDATE DELIVER + MANAGE

Design + scan

CAD �le created

Advanced multi-physics

modeling and simulation

Traditional analysis

Product inception: DTAM begins

Digital twin established

(runs parallel to DTAM)

Build simulation, detailed build plan + machine data

Part fabrication (3D print process)

In-situ monitoring

Build feedback

Per-part post-processing and �nishing

Part inspection

Data veri�cation + twinning

Part end-of-life

Part �eld service sensing + inspection

Digital twin updated

IT systems IT systems and physical object

Physical object

Figure 3. Cyber risks along the digital thread


12

depicts the creation and movement of digital infor-mation during the AM process via the digital thread and specifies the stages that involve consideration of IT systems, the physical object itself, or some com-bination of both.

With this in mind, the NIST RMF and NIST CSF may provide foundational frameworks with which to start this process of aligning controls to objectives and ultimately organization-specific execution.

Protecting IT systems: FISMA and NIST RMFGiven AM’s unique position that often transcends private and public sectors, organizations seeking to enact an AM cybersecurity plan may also need to consider the NIST RMF. The NIST RMF is a process developed for FISMA requirements, to allow orga-nizations to assess IT security risks and make man-agement decisions. FISMA requires that any new federal system complete an assessment and autho-rization review of the cybersecurity requirements of the NIST RMF before initial deployment and obtain ATO certification signed by a designated agency official.47 Although the NIST RMF was designed for federal government agencies, any organization may adopt it. Since FISMA also requires the same cybersecurity standards to apply to any IT system connected with a federal system, any organization working for or with the federal government can ben-efit from understanding the NIST RMF.

The NIST RMF defines a series of controls, grouped within control families or areas in which organi-zations must consider the security and privacy concerns within the systems. An organization can change the security categorization levels to which each control applies, rather than automatically ac-cepting the NIST recommendations. Organizations can also add controls of their own to customize se-curity to their needs. The NIST RMF can perhaps be most relevant during the scan/design and analyze, and build and monitor phases; during quality assur-ance; and potentially throughout the digital twin.

Beyond federal regulatory frameworks, organiza-tions may also want to consider other global secu-rity standards such as ISACA’s Control Objectives

for Information and Related Technologies (COBIT), ISO/IEC 27000, and ITIL, as well as cybersecurity standards from the European Telecommunications Standards Institute. The ISO 27000 and COBIT standards are already embedded as informative ref-erences within the NIST CSF, so application of the NIST CSF to an organization’s program can leverage existing work done with those standards.

Protecting the physical object: NIST CSFGiven AM’s unique position at the cross-section of physical object and digital thread, organizations seeking to enact an AM cybersecurity plan may also need to consider the NIST CSF in addition to the IT systems angle.48 The NIST CSF is rooted in a 2013 executive order focused on “improving criti-cal infrastructure cybersecurity,”49 and is perhaps uniquely suited to AM cyber risk needs because it was developed jointly by the public and private sectors, across which many AM systems span. The NIST CSF is voluntary and allows organizations to take a broad, high-level view of their cyber risk program, incorporating existing standards and con-trols that are already in place, such as ISO 27000. In contrast, the NIST RMF is used to specify detailed controls that should be implemented at the system level. The NIST CSF was published in February 2014, along with a roadmap for additional aspects to be considered.50 NIST continues to maintain the CSF and periodically engages with the private sector through workshops to share implementation les-sons learned. In addition, the Department of Home-land Security’s Critical Infrastructure Cyber Com-munity C³ Voluntary Program “supports owners and operators of critical infrastructure, academia, federal government, state, local, tribal, and territo-rial governments, and business in their use of the National Institute of Standards and Technology’s Cybersecurity Framework.”51

The NIST CSF could potentially gain relevance in the latter phases of the AM process: quality assur-ance and in situ monitoring of the build process during the build and monitor phase, as well as dur-ing testing, validation, delivery, and management of the physical part.


13

Taking steps toward AM cybersecurity

AS organizations seek to protect their AM systems and make sense of the vast array of guidelines and regulations that may impact

their business, the path can seem daunting. Below are several steps manufacturers can take as they work to establish a robust AM cybersecurity strategy.

Conduct a thorough risk assessmentOne of the first steps any organization can take is to conduct a security risk assessment. By doing so, it can pinpoint the risks most pertinent to its particu-lar AM scenario, as well as any additional threats that might come into play as it explores other AM applications. This approach can, in turn, enable the organization to focus initial cybersecurity efforts on the highest-risk areas, and identify and prioritize the various points of vulnerability throughout the digital thread or digital supply network. AM-specific applications of risk assessments can include exam-

ining the entirety of the digital thread, from scan/design to build and monitor, from test and validate to deliver and manage.

Adopt a “test once, satisfy many” approach, at least in the short termAs organizations await standards more specific to AM, they can address the wide-ranging web of regu-lations currently in place by adopting NIST CSF and RMF approaches discussed in the previous section to address some of the more immediate challenges within the digital thread.

Protect the design from the start The AM process—and the flow of digital informa-tion—begins at the scan/design phase, when the object is either designed using computer modeling or scanned via 3D scanning.52 During this stage, the design is vulnerable to outright theft, locking of the file to prevent its use, or corruption via introduc-tion of malicious flaws.53 The current de facto stan-dard file format for AM design files, .STL, is a plain text file.54 Currently, .STL has few provisions for supporting confidentiality (such as by allowing for encryption), integrity (such as by supporting digi-tal signatures and checksums), authorization (such as by including license keys), or traceability to the original designers (such as by supporting digital sig-natures and public key infrastructure).55 However, standards are starting to emerge for encryption. Currently, most .STL design files are transferred to AM machines via USB drives that may or may not be encrypted. This is changing, however; organiza-

AM-specific applications of risk assessments can include examining the entirety of the digital thread, from scan/design to build and monitor, from test and validate to deliver and manage.


14

tions are developing encryption techniques to pro-tect .STL files. Adopting an approach to protecting files from theft or tampering is an important part of an AM cybersecurity strategy.

Build protection into the print processManufacturers can look to emerging standards to protect their AM processes during the build pro-cess. Leading practices are emerging in the area of tracking and tracing, including the use of RFID tags to track AM-produced products throughout the sup-ply chain.56 Another promising development is the use of chemicals to apply unique identifiers to AM products; in one case, chemical tags were added to a composite during the jetting process.57 While the costs and business processes associated with us-ing these emerging solutions need to be examined, they may show promise in terms of securing prod-ucts throughout the supply chain and reducing the likelihood of tampering, theft, and counterfeiting. Further, a robust quality assurance methodology can help organizations detect toolpath alterations or other misplacement of materials, among other structural adulterations.58

Beyond adding traceable materials during the build process or monitoring quality assurance, organi-zations can consider putting measures in place to protect the machines themselves. AM printers do not typically limit and control who uses them, or what objects are printed. Until AM printer and file standards are developed to address those concerns, organizations using AM printers can adopt change management/control workflows for printers and objects, including reviews, and authorized approv-

als. This allows organizations to have some level of confidence that any objects printed comply with IP rights, license agreements, and other security con-cerns, as well as that viruses will not be introduced to impact the printer’s function, as with Stuxnet’s impact on centrifuges. AM organizations can model their approach to these workflows on those already in use for other technologies, such as change con-trol boards or configuration control boards com-monly used in software management. To ensure an AM printer prints only approved objects, the printer may be isolated on the network, with controls in place to make sure only approved designers can submit files directly to the printer.

While changes to the technology itself may be im-practical, if not impossible, changes to AM-related policies and procedures can help address many of these issues. There is precedent for these sorts of policy changes. For example, the entertainment industry was ultimately able to limit file-sharing technology largely by ensuring that incentives and advantages for compliance outweighed the difficul-ties.59 While those engaged in AM may not be able to force all printers and machinery to comply with proposed procedures, they can emulate the enter-tainment industry by providing powerful incentives to smooth compliance.

Pick your battlesSimply put, addressing every single challenge may not be feasible; companies using AM must pick and choose their battles. For example, stopping every maker from printing copyrighted toys may not be possible, nor worth the effort. However, for produc-ing particularly critical components for health care,

Leading practices are emerging in the area of tracking and tracing, including the use of RFID tags to track AM-produced products throughout the supply chain. Another promising development is the use of chemicals to apply unique identifiers to AM products.


15

automotive, or federal applications, more stringent approaches to securing AM machines, designs, and products are advisable. Organizations can, however, take a page from their approach to securing conven-tional manufacturing systems as they address con-cerns related to AM. For example, regulators such as the FAA may be able to require that AM printers and products used in their industries meet new reg-ulations in the same way they ensure conventionally manufactured products meet current regulations.

Remember the most vulnerable asset: PeopleThe breadth of stakeholders involved in AM—from owners, managers, purchasers of AM systems, and printing facilities in different locations, to materi-als suppliers and other vendors—can contribute to a host of potential cybersecurity threats and vulner-abilities. Some individuals may be new participants in the manufacturing process and may not under-stand the full implications of what they are doing

and the security issues involved. Others, such as suppliers or printing facilities, may be using dif-ferent systems or employ varying levels of security. Indeed, at a symposium held by NIST in February 2015, experts observed that “the biggest challenge to building cybersecurity . . . is culture.”60

By conducting a stakeholder analysis, manufactur-ers can identify parties involved in their AM efforts, both throughout the digital thread and the supply chain. Manufacturers can then work to educate these stakeholders about the importance of cyberse-curity, and emphasize the risks and the importance of vigilance. Basic awareness building and ongoing education can go a long way toward mitigating se-curity risks, encouraging individuals to exercise care and take precautions, and recognize the importance of using security systems. At the same time, it is important to note that when conducting awareness and education, tone matters. The intent should be to encourage AM participants to use leading security practices, not to discourage use of AM technology or appropriate security practices.


16

Conclusion

AM offers great promise in terms of democ-ratizing and distributing manufacturing, re-ducing waste, and enabling rapid production

of new and specialty products. Some of the possi-bilities, such as printing organs for those in need, are truly astounding. The use of AM is likely only going to grow in importance as its potential ben-efits for mass customization in health care; design innovation in automotive, health care, aerospace, and defense; and supply chain impacts in all sectors continue to be realized. Therefore, proactively ad-dressing cyber risk is critical.

Indeed, the very nature of this new technology, with its focus on value in information rather than end product, leaves it open to significant security risks, ranging from securing design files to tracking and tracing authenticity of products made. There is much work to be done in terms of identifying com-prehensive and sustainable AM cyber practices and promulgating them through standards and, where appropriate, additional regulation. Immediate steps such as conducting security risk assessment, devel-oping mitigation plans, encrypting design files, pro-tecting printers, and educating stakeholders can go a long way toward understanding and addressing AM cybersecurity concerns now. Those using AM need to monitor the development of new standards and solutions closely, and government and trade groups need to work diligently to identify concerns and develop and promote the use of leading stan-dards to address these concerns.

The use of AM is likely only going to grow in importance as its potential benefits for mass customization in health care; design innovation in automotive, health care, aerospace, and defense; and supply chain impacts in all sectors continue to be realized. Therefore, proactively addressing cyber risk is critical.


17

1. David Kushner, “The real story of Stuxnet,” IEEE Spectrum, February 26 2013, http://spectrum.ieee.org/telecom/security/the-real-story-of-stuxnet.

2. Ponemon Institute, The economic risk of confidential data on mobile devices in the workplace, February 2016, https://info.lookout.com/rs/051-ESQ-475/images/Ponemon%20Report%20Enterprise%20FINAL.pdf.

3. Alex Hern, “Health warning: Now e-cigarettes can give you malware,” Guardian, November 21, 2014.

4. Globalscape, “IRS data breach linked to USB drive,” April 7, 2014, https://www.globalscape.com/blog/2014/4/7/irs-data-breach-linked-to-usb-drive.

5. Mark Cotteleer and Jim Joyce, “3D opportunity: Additive manufacturing paths to performance, innovation, and growth,” Deloitte Review 14, January 17, 2014, http://dupress.com/articles/dr14-3d-opportunity/.

6. For further information, see http://dupress.com/collection/3d-opportunity/.

7. Beth Mcgrath et al., 3D opportunity for life cycle assessments: Additive manufacturing branches out, Deloitte Univer-sity Press, October 16, 2015 http://dupress.com/articles/additive-manufacturing-in-lca-analysis/.

8. Terry Wohlers, Wohlers report 2015: Additive manufacturing and 3D printing state of the industry, 2015.

9. John Hagel III et al., The future of manufacturing, Deloitte University Press, March 31, 2015, http://dupress.com/articles/future-of-manufacturing-industry/, December 13, 2015; Mark J. Cotteleer, Stuart Trouton, and Ed Dobner, 3D opportunity and the digital thread, Deloitte University Press, March 3, 2016, http://dupress.com/articles/3d-printing-digital-thread-in-manufacturing/.

10. Cotteleer, Trouton, and Dobner, 3D opportunity and the digital thread.

11. Cotteleer and Joyce, “3D opportunity: Additive manufacturing paths to performance, innovation, and growth.”

12. Jose Pagliary, “The evolution of hacking,” CNNMoney.com, June 4, 2015.

13. James Cook, “FBI director: China has hacked every big US company,” Business Insider, October 6, 2014, http://www.businessinsider.com/fbi-director-china-has-hacked-every-big-us-company-2014-10.

14. Sean Peasley and Alex Miller, “Cybersecurity: A prudent approach,” presented to Manufacturers Alliance for Productivity and Innovation Information Systems Management Council on October 30, 2015.

15. For further information about the digital thread, see Cotteleer, Trouton, and Dobner, 3D opportunity and the digital thread.

16. Matt Widmer and Vikram Rajan, 3D opportunity for intellectual property risk: Additive manufacturing stakes its claim, Deloitte University Press, January 21, 2016, http://dupress.com/articles/3d-printing-intellectual-property-risks/.

17. Ibid.

18. L. D. Sturm et al., “Cyber-physical vulnerabilities in additive manufacturing systems,” proceedings from the Solid Freeform Fabrication Symposium, 2014.

19. Federal Office for Information Security, The state of IT security in Germany 2014, November 2014, https://www.bsi.bund.de/SharedDocs/Downloads/EN/BSI/Publications/Securitysituation/IT-Security-Situation-in-Germany-2014.pdf?__blob=publicationFile&v=3.

20. Andy Greenberg, “Hackers remotely kill a jeep on the highway,” Wired, July 21, 2015.

21. Brian Krebs, “Target hackers broke in via HVAC company,” Krebsonsecurity.com, February 5, 2014.

ENDNOTES


18

22. Sturm et al., “Cyber-physical vulnerabilities in additive manufacturing systems.”

23. For example, see Kelly Marchese, Jeff Crane, and Gray McCune, 3D opportunity for the supply chain: Additive manufacturing delivers, Deloitte University Press, September 1, 2015, http://dupress.com/articles/additive- manufacturing-3d-printing-supply-chain-transformation/.

24. Widmer and Rajan, 3D opportunity for intellectual property risk.

25. Mark Hatch, The Maker Movement Manifesto: Rules for Innovation in the New World of Crafters, Hackers, and Tinkerers (McGraw-Hill, January 2013).

26. Anna Young, “Do-it-yourself health: How the Maker Movement is innovating health care,” Robert Wood Johnson Foundation, November 16, 2015, http://www.rwjf.org/en/culture-of-health/2015/11/do-it-yourself_healt.html.

27. Brenna Sniderman, Parker Baum, and Vikram Rajan, “3D opportunity for life: Additive manufacturing takes humanitarian action,” Deloitte Review 19, Deloitte University Press, July 25, 2016, http://dupress.com/articles/3d-printing-for-humanitarian-action/.

28. Matthew J. Louis, Tom Seymour, and Jim Joyce, 3D opportunity for the Department of Defense: Additive manufacturing fires up, Deloitte University Press, November 20, 2014, http://dupress.com/articles/additive- manufacturing-defense-3d-printing/.

29. Craig A. Giffi, Bharath Gangula, and Pandarinath Illinda, 3D opportunity for the automotive industry: Ad-ditive manufacturing hits the road, Deloitte University Press, May 19, 2014, http://dupress.com/articles/additive-manufacturing-3d-opportunity-in-automotive/.

30. Glenn H. Snyder, Mark J. Cotteleer, and Ben Kotek, 3D opportunity in medical technology: Additive manu-facturing comes to life, Deloitte University Press, April 28, 2014, http://dupress.com/articles/additive- manufacturing-3d-opportunity-in-medtech/.

31. John Coykendall et al., 3D opportunity for aerospace and defense: Additive manufacturing takes flight, Deloitte Uni-versity Press, June 2, 2014, http://dupress.com/articles/additive-manufacturing-3d-opportunity-in-aerospace/.

32. Jeff Crane, Ryan Crestani, and Mark Cotteleer, 3D opportunity for end-use products: Additive manufacturing builds a bet-ter future, Deloitte University Press, October 16, 2014, http://dupress.com/articles/3d-printing-end-use-products/.

33. Kim Porter et al., 3D opportunity serves it up: Additive manufacturing and food, Deloitte University Press, June 18, 2015, http://dupress.com/articles/3d-printing-in-the-food-industry/.

34. Martin Bagot, “Fears ISIS terrorists could soon print 3D guns for just £100 thanks to anarchist weapons fanatic,” Mirror, January 24, 2016, http://www.mirror.co.uk/news/world-news/fears-isis-terrorists-could-soon-7239042

35. Kira, “Fake 3D printed security seals used to mask pharmaceutical heist,” 3ders, September 8, 2015, http://www.3ders.org/articles/20150908-fake-3d-printed-security-seals-used-to-mask-pharmaceutical-heist.html.

36. Andy Greenberg, “Lockpickers 3-D print TSA master luggage keys from leaked photos,” Wired, September 9, 2015, https://www.wired.com/2015/09/lockpickers-3-d-print-tsa-luggage-keys-leaked-photos/.

37. Food and Drug Administration et al., Technical considerations for additive manufactured devices: Draft guidance for industry and Food and Drug Administration staff, May 10, 2016, http://www.fda.gov/downloads/MedicalDevices/DeviceRegulationandGuidance/GuidanceDocuments/UCM499809.pdf.

38. Food and Drug Administration, “3D printing of medical devices,” http://www.fda.gov/MedicalDevices/ProductsandMedicalProcedures/3DPrintingofMedicalDevices/default.htm, accessed August 11, 2016.

39. National Institute of Standards and Technology, “Risk Management Framework (RMF) overview,” http://csrc.nist.gov/groups/SMA/fisma/framework.html, accessed August 11, 2016. The Department of Defense’s cybersecurity framework (Department of Defense Information Assurance Certification and Accreditation Framework, or DIA-CAP) is transitioning to NIST RMF in 2016. Further information can be found at Department of Defense, Instruc-tion: Risk Management Framework (RMF) for DoD Information Technology (IT), March 12, 2014, http://www.dtic.mil/whs/directives/corres/pdf/851001_2014.pdf.


19

40. The US Department of Defense’s Information Technology Security Certification and Accreditation Process frame-work dates from 1997, and the earlier Department of Defense Trusted Computer System Evaluation Criteria were released in December 1985. For further information, see Department of Defense, Instruction: DoD Information Technology Security Certification and Accreditation Process (DITSCAP), December 30, 1997, http://www.acqnotes.com/Attachments/DoD%20Instruction%205200.40.pdf; and Department of Defense, Trusted Computer System Evaluation Criteria, December 26, 1985, http://csrc.nist.gov/publications/history/dod85.pdf.

41. SecurityScorecard, 2016 U.S. Government Cybersecurity Report, April 2016, https://cdn2.hubspot.net/hubfs/533449/SecurityScorecard_2016_Govt_Cybersecurity_Report.pdf?t=1460656738045.

42. National Defense Industrial Association, Cybersecurity for advanced manufacturing, May 5, 2014.

43. The US Department of Defense standard for ATO processes can be traced to 1988. See Bruce Brown, “Brief his-tory of C&A,” January 17, 2014, http://diarmfs.com/brief-history-ca/, and sources in endnote 40.

44. Gail Greatorex, “3D printing and consumer product safety,” Product Safety Solutions, January 2015, http://www.a3dma.org.au/wp-content/uploads/2015/03/3D-printing-and-Consumer-Product-Safety-White-Paper-v1.0.pdf.

45. Maeve P. Carey, “The federal rulemaking process: An overview,” Congressional Research Service, June 17, 2013.

46. “Federal Information Security Management Act of 2002,” 44 U.S.C., sec. 3541, et seq.

47. National Institute of Standards and Technology, “Guide for applying the Risk Management Framework to federal information systems,” http://csrc.nist.gov/publications/nistpubs/800-37-rev1/sp800-37-rev1-final.pdf.


49. National Institute of Standards and Technology, Executive order 13636: Cybersecurity Framework, http://www.nist.gov/cyberframework/, accessed August 11, 2016.

50. National Institute of Standards and Technology, NIST roadmap for improving critical infrastructure cybersecurity, February 12, 2014, http://www.nist.gov/cyberframework/upload/roadmap-021214.pdf.

51. Department of Homeland Security, “Critical Infrastructure Cyber Community C³ Voluntary Program,” October 14, 2015, https://www.dhs.gov/ccubedvp.



54. Preeta M. Banerjee and Paul Sallomi, 3D opportunity for technology, media, and telecommunications: Addi-tive manufacturing explores new terrain, Deloitte University Press, December 7, 2015, http://dupress.com/articles/3d-printing-in-technology-media-telecom-tmt-industry/.


56. Tom Schneider et al., 3D printing: Perceptions, risks, and opportunities, November 4, 2014.

57. Sharon Flank, Gary E. Ritchie, and Rebecca Maksimovic, “Anticounterfeiting options for three-dimensional print-ing,” 3D Printing and Additive Manufacturing 2, no. 4 (2015): pp. 180–89.

58. Ian Wing, Rob Gorham, and Brenna Sniderman, 3D opportunity for quality assurance: Additive manu-facturing clears the bar, Deloitte University Press, November 18, 2015, http://dupress.com/articles/ 3d-printing-quality-assurance-in-manufacturing/.

59. Widmer and Rajan, 3D opportunity for intellectual property risk.

60. Jack Karsten and Darrell M. West, “Additive manufacturing builds concerns layer by layer,” Brookings, December 8, 2015, http://www.brookings.edu/blogs/techtank/posts/2015/12/08-additive-manufacturing-builds-concerns.


20

Deloitte’s Center for Integrated Research focuses on critical business issues that cut across industry and function, from the rapid change of emerging technologies to the consistent factor of human behavior. We uncover deep, rigorously justified insights, delivered to a wide audience in a variety of formats, such as research articles, short videos, or in-person workshops.

The authors would like to thank Deborah Golden, Colin Soutar, and Sean Peasley with the Cyber Risk Services practice at Deloitte & Touche LLP. The authors also wish to thank Brenna Sniderman, Deloitte Services LP, for her assistance in preparation of this article.

ACKNOWLEDGEMENTS

CONTACTS

Kelly MarchesePrincipal Supply Chain & Manufacturing OperationsDeloitte Consulting LLP+1 404 915 [email protected]

Deborah GoldenPrincipal, Deloitte AdvisoryFederal Cyber Risk Services Deloitte & Touche LLP+1 571 882 [email protected]


21

About Deloitte University Press Deloitte University Press publishes original articles, reports and periodicals that provide insights for businesses, the public sector and NGOs. Our goal is to draw upon research and experience from throughout our professional services organization, and that of coauthors in academia and business, to advance the conversation on a broad spectrum of topics of interest to executives and government leaders.

Deloitte University Press is an imprint of Deloitte Development LLC.

About this publication This publication contains general information only, and none of Deloitte Touche Tohmatsu Limited, its member firms, or its and their affiliates are, by means of this publication, rendering accounting, business, financial, investment, legal, tax, or other professional advice or services. This publication is not a substitute for such professional advice or services, nor should it be used as a basis for any decision or action that may affect your finances or your business. Before making any decision or taking any action that may affect your finances or your business, you should consult a qualified professional adviser.

None of Deloitte Touche Tohmatsu Limited, its member firms, or its and their respective affiliates shall be responsible for any loss whatsoever sustained by any person who relies on this publication.

About Deloitte Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited, a UK private company limited by guarantee, and its network of member firms, each of which is a legally separate and independent entity. Please see www.deloitte.com/about for a detailed description of the legal structure of Deloitte Touche Tohmatsu Limited and its member firms. Please see www.deloitte.com/us/about for a detailed description of the legal structure of Deloitte LLP and its subsidiaries. Certain services may not be available to attest clients under the rules and regulations of public accounting.

Copyright © 2016 Deloitte Development LLC. All rights reserved. Member of Deloitte Touche Tohmatsu Limited

Follow @DU_Press

Sign up for Deloitte University Press updates at DUPress.com.

3D opportunity and cyber risk management - Deloitte US · Deloitte Consulting LLP’s Supply Chain...

Documents

Transcript of 3D opportunity and cyber risk management - Deloitte US · Deloitte Consulting LLP’s Supply Chain...