DOD's 3D printers are vulnerable to hackers, IG finds

The Defense Department didn’t properly secure additive manufacturing systems, such as 3D printers, from foreign intrusion and data tampering because they were considered tools rather than IT, according to an inspector general report released July 7.

Additive manufacturing systems, which include printers and computers used to create three-dimensional products, are increasingly used -- particularly with the Air Force and national labs, to create prototypes, models, and materials, including replacement parts for military equipment in the field.

But an inspector general report released July 7 found that DOD was inconsistent when securing or managing additive manufacturing systems “to prevent unauthorized changes and ensure the integrity of the design data” because personnel considered them to be “tools” used “to generate supply parts instead of information technology systems that required cybersecurity controls.”

The systems were “incorrectly categorized” as standalone systems and thus assumed to not need authority to operate, even though they connected to DOD’s network. That mislabelling resulted in “vulnerabilities that exposed the DoD Information Network to unnecessary cybersecurity risks,” the report states.

“The compromise of AM design data could allow an adversary to re-create and use DoD’s technology to the adversary’s advantage on the battlefield. In addition, if malicious actors change the AM design data, the changes could affect the end strength and utility of the 3D-printed products.”

The findings come as the nation contends with a spate of cybersecurity attacks, such as SolarWinds and the Colonial Pipeline ransomware attack. DOD has also been trying to mitigate concerns about cyberattacks on its defense contractors and the potential impact to its supply chain.

Moreover, President Joe Biden met with government agency leaders July 7 to talk about the high-profile attacks and ordered intelligence agencies to launch a probe to evaluate a recent attack involving Kaseya, a Florida-based IT firm.

The IG recommended additive manufacturing systems be included in DOD’s IT systems portfolio along with cybersecurity controls, and include authorities to operate. The watchdog also suggested that DOD’s CIO issue specific guidance to clarify that additive manufacturing systems were information systems that needed to be protected and “ to reduce the risk of continued noncompliance” with existing applicable DOD instructions. The DOD CIO disagreed with that recommendation.

The IG also recommended all additive manufacturing systems be upgraded to Windows 10 or get an appropriate waiver.