Manufacturing industries are increasingly adopting additive manufacturing (AM) technologies to produce functional parts in critical systems. However, the inherent complexity of both AM designs and AM processes render them attractive targets for cyber-attacks. Risk-based Information Technology (IT) and Operational Technology (OT) security guidance standards are useful resources for AM security practitioners, but the guidelines they provide are insufficient without additional AM-specific revisions. Therefore, a structured layering approach is needed to efficiently integrate these revisions with preexisting IT and OT security guidance standards. To implement such an approach, this paper proposes leveraging the National Institute of Standards and Technology's Cybersecurity Framework (CSF) to develop layered, risk-based guidance for fulfilling specific security outcomes. It begins with an in-depth literature review that reveals the importance of AM data and asset management to risk-based security. Next, this paper adopts the CSF asset identification and management security outcomes as an example for providing AM-specific guidance and identifies the AM geometry and process definitions to aid manufacturers in mapping data flows and documenting processes. Finally, this paper uses the Open Security Controls Assessment Language to integrate the AM-specific guidance together with existing IT and OT security guidance in a rigorous and traceable manner. This paper's contribution is to show how a risk-based layered approach enables the authoring, publishing, and management of AM-specific security guidance that is currently lacking. The authors believe implementation of the layered approach would result in value-added, non-redundant security guidance for AM that is consistent with the preexisting guidance.

翻译：制造业正越来越多地采用增材制造（AM）技术，在关键系统中生产功能性部件。然而，AM设计与AM工艺固有的复杂性使其成为网络攻击的诱人目标。基于风险的IT与OT安全指南标准是AM安全从业者的有用资源，但若无针对AM的额外修订，这些指南所提供的指导仍显不足。因此，需要一种结构化的分层方法，将这些修订与已有的IT与OT安全指南标准高效整合。为实现这一方法，本文提出利用美国国家标准与技术研究院的网络安全框架（CSF）来制定分层化、基于风险的指南，以实现特定的安全成果。研究首先通过深入文献综述，揭示了AM数据与资产管理对基于风险的安全性的重要性；其次，采用CSF资产识别与管理安全成果作为示例，提供针对AM的具体指南，并明确AM几何与工艺定义，以帮助制造商映射数据流与记录流程；最后，利用开放安全控制评估语言，将AM特定指南与现有IT和OT安全指南以严谨且可追溯的方式整合。本文的贡献在于展示了如何通过基于风险的分层方法，编写、发布和管理当前缺失的AM特定安全指南。作者认为，实施该分层方法将为AM生成与现有指南一致、具有增值价值且不冗余的安全指导。