A Department of Defense (DoD) Office of Inspector General (OIG) report found that 3D printers pose a cybersecurity risk to the agency, after discovering DoD employees were not properly securing the IT systems used to develop 3D products, and were unaware the 3D printers even had IT systems that could be hacked.
According to a new report from the Pentagon watchdog, DoD employees considered additive manufacturing (AM) systems – such as 3D printers and computer workstations – to be “tools” for generating supply parts rather than IT systems. As a result, the employees failed to implement cybersecurity controls or consistently secure their AM systems.
“Unless the DoD properly protects the confidentiality and integrity of its AM systems and design data, internal or external malicious actors could compromise AM systems to steal the design data or gain access to the DoD Information Network,” the report says. “The compromise of AM design data could allow an adversary to re-create and use DoD’s technology to the adversary’s advantage on the battlefield. In addition, if malicious actors change the AM design data, the changes could affect the end strength and utility of the 3D-printed products.”
The OIG reviewed five different DoD sites, all of which “incorrectly categorized the AM systems as stand-alone systems and erroneously concluded that the systems did not require an authority to operate.” According to the report, DoD employees were “unaware” that the AM systems posed vulnerabilities that exposed the DoD Information Network to “unnecessary cybersecurity risks.”
The OIG recommended that the DoD CIO, in coordination with the Under Secretary of Defense for Research and Engineering (USD[R&E]) and the Under Secretary of Defense for Acquisition and Sustainment (USD[A&S]), include AM systems in their cyber portfolio and establish security controls; require AM system managers to implement security controls; require AM systems “to obtain an authority to operate in accordance with DoD policy”; update AM systems to Windows 10; and regularly scan for vulnerabilities.
The DoD CIO disagreed that the AM systems needed security controls, saying that DoD policy already requires cybersecurity controls for all IT systems, which include AM systems. However, the OIG noted that because DoD employees were unaware the AM systems were considered IT systems, further actions were needed.
Although the DoD CIO disagreed, the USD[R&E] and USD[A&S] agreed with the OIG’s recommendations.