3D printing opens DOD to cyber risks, IG finds

Because the additive manufacturing systems were incorrectly categorized as tools, rather than IT systems, they have not been adequately protected, according to DOD’s inspector general.

3D printing is gaining momentum in the military, but unless the systems are properly secured, they can be vulnerable to unauthorized design changes and can open up the Defense Department’s networks to unnecessary cybersecurity risk, DOD’s inspector general said in a July 7 report.

Additive manufacturing (AM) systems, which include printers and computers, are used to create three-dimensional prototypes, models and materials, including replacement parts for military equipment in the field.

DOD, however, has been inconsistent when it comes to securing these systems because personnel considered them to be “tools” used “to generate supply parts instead of information technology systems that required cybersecurity controls.”

The systems were “incorrectly categorized” as standalone systems and thus assumed not to need an authority to operate, even though they connected to DOD’s network. That mislabeling resulted in “vulnerabilities that exposed the DoD Information Network to unnecessary cybersecurity risks,” the report states.

“The compromise of AM design data could allow an adversary to re-create and use DoD’s technology to the adversary’s advantage on the battlefield. In addition, if malicious actors change the AM design data, the changes could affect the end strength and utility of the 3D-printed products.”

The IG recommended that additive manufacturing systems be included in DOD’s IT systems portfolio, be subject to cybersecurity controls and have authorities to operate. The watchdog also suggested that DOD’s CIO issue specific guidance to clarify that additive manufacturing systems are information systems that need to be protected and to “reduce the risk of continued noncompliance” with existing applicable DOD instructions. The DOD CIO disagreed with that recommendation.

The IG also recommended all additive manufacturing systems be upgraded to Windows 10 or get an appropriate waiver.

This article was first posted on FCW, a sibling site to Defense Systems.