The Department of Defense’s (DOD) office of inspector general (OIG) has recommended that the chief information officer include 3D printers and other additive manufacturing systems in the portfolio of information technology platforms and establish cybersecurity controls in compliance with DOD and federal guidance.
The DOD CIO should also direct owners of AM systems and 3D printers to implement security controls to help reduce risks, secure an authority to operate, update the operating systems of AM equipment to Windows 10 and screen all AM systems for cyber vulnerabilities, according to OIG’s report publicly released Wednesday.
The OIG assessed five sites and found that officials at DOD component agencies failed to consistently secure their computer workstations used for printing 3D products in order to avoid unauthorized changes and protect their design data from threat actors.
“Unless the DoD properly protects the confidentiality and integrity of its AM systems and design data, internal or external malicious actors could compromise AM systems to steal the design data or gain access to the DoD Information Network,” the report states.
“The compromise of AM design data could allow an adversary to re-create and use DoD’s technology to the adversary’s advantage on the battlefield. In addition, if malicious actors change the AM design data, the changes could affect the end strength and utility of the 3D-printed products,” the OIG noted.
The inspector general also found that DOD components considered 3D printers as “tools” instead of IT systems. Component agencies also called AM systems as equipment that do not need authority to operate.
The Pentagon CIO disagreed with the recommendation that new cyber guidance is needed for 3D printers, saying that DoD Instructions 8500.01 and 8510.01 already require cybersecurity controls for AM systems, according to the report.