The Defense Department inspector General’s office recently published a report – Audit of the Cybersecurity of Department of Defense Additive Manufacturing Systems – warning of the potential security risks when using 3D printing – also called additive manufacturing (AM).
AM creates 3D physical objects by building up layers of material from a digital description of the product’s design. It’s used to build physical models, prototypes, patterns, and production parts in plastic, metal, ceramic, and glass. The DoD uses AM to improve its logistics support and increase materiel readiness, and to create spare parts on demand.
The 5 agencies who were evaluated for the report include the 1st Marine Expeditionary Force, the Navy Fleet Readiness Center Southwest, Naval Information Warfare Center Pacific, the Air Force 60th Maintenance Group, and Walter Reed National Military Medical Center. The study showed that the 5 sites did not consistently secure or manage their AM systems to prevent unauthorized changes and ensure the integrity of the design data. The officials at the sites were able to put controls in place and/or correct the minor deficiencies that were identified.
The study concluded that the DoD Components did not consistently secure or manage their AM systems or design data because they considered the AM systems as “tools” to generate 3D products instead of information technology systems that required cybersecurity controls. They also incorrectly deemed the AM systems as stand-alone and concluded that the systems did not require an authority to operate. This led them to be unaware of existing AM system vulnerabilities that exposed the DoD Information Network to unnecessary cybersecurity risks – such as malicious actors compromising AM systems to steal the design data or gain access to the DoD Information Network, allowing them to re-create and use DoD’s technology to the adversary’s advantage on the battlefield.
The report recommends that the DoD Chief Information Officer (CIO), in coordination with the Under Secretary of Defense for Research and Engineering (USD[R&E]), and the Under Secretary of Defense for Acquisition and Sustainment (USD[A&S]), include additive manufacturing systems in the information technology systems portfolio and establish and maintain cybersecurity controls in accordance with Federal and DoD guidance.