The Department of Defense (DoD) released this week a report finding that its officials at five sites did not consistently secure or manage their additive manufacturing (AM) systems to prevent unauthorized changes and ensure the integrity of the design data. The DoD Component officials did not even have controls in place to update operating systems, scan for vulnerabilities, or control removable media. They also did not identify network or system vulnerabilities on their AM systems, and some of the AM systems were running outdated operating systems.
The audit focused on seven cybersecurity controls that, if not in place, leave DoD Components at higher risk of unauthorized changes to AM systems and modification of the design data.
DoD Component officials at the five sites generally had controls in place to manage user accounts, configure authentication factors, account for AM assets, and implement physical security controls. Apart from reviewing the AM systems, the audit also analyzed security controls in the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53 and NIST Internal Report 8183 to identify baseline controls for protecting information systems.
The DoD Component sites consisted of one Army, one Marine Corps, two Navy, two Air Force, two Special Operations Commands (Marine Corps and Navy), and one Defense Health Agency (DHA) site. Officials at the sites were unaware of existing AM system vulnerabilities that exposed the DoD Information Network to unnecessary cybersecurity risks.
“Unless the DoD properly protects the confidentiality and integrity of its AM systems and design data, internal or external malicious actors could compromise AM systems to steal the design data or gain access to the DoD Information Network,” according to the findings of the report. “The compromise of AM design data could allow an adversary to re-create and use DoD’s technology to the adversary’s advantage on the battlefield. In addition, if malicious actors change the AM design data, the changes could affect the end strength and utility of the 3D-printed products.”
Additive manufacturing system users print 3‑D products in three phases. During the first phase, the user creates a digital design on a computer for the 3‑D product using computer‑aided design software, either as an original design or based on output from a 3‑D scanner. Next, the user exports the digital design to a 3‑D printable file format and imports that file into slicing software, which translates it into instructions that the 3‑D printer can understand. Finally, the user sends the sliced file, including instructions on layering, to the AM system to print the 3‑D product.
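The integrity concern the report raises applies to the hand-offs between these phases: the exported design and the sliced file can be altered between approval and printing. The following is an added example, not code from the report or from any DoD system, showing one way an approving engineer can record authenticated hashes of the design and sliced artifacts and have the AM computer re-check them before the job is sent to the printer. The STL and G-code bytes and the approver key are constructed placeholders.

```python
import hashlib
import hmac
import json

# Constructed sample artifacts for two of the three phases described above:
# the exported printable design (STL text) and the sliced printer
# instructions (G-code). Embedded as bytes so the example runs offline.
STL_DESIGN = (b"solid bracket\n facet normal 0 0 1\n  outer loop\n"
              b"   vertex 0 0 0\n   vertex 10 0 0\n   vertex 0 10 0\n"
              b"  endloop\n endfacet\nendsolid bracket\n")
GCODE_SLICED = b"; layer 0\nG1 X0 Y0 E0.5\nG1 X10 Y0 E1.0\n; layer 1\nG1 X0 Y10 E1.5\n"

# Hypothetical key held by the approving engineer, not by the AM workstation.
APPROVER_KEY = b"constructed-demo-key-replace-in-practice"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def approve(design: bytes, sliced: bytes, key: bytes = APPROVER_KEY) -> dict:
    """Record the hash of each artifact when the engineer approves the job and
    authenticate the record with an HMAC, so a manifest copied to the AM
    computer (or carried on removable media) cannot be silently rewritten."""
    body = {"design_sha256": sha256_hex(design), "sliced_sha256": sha256_hex(sliced)}
    payload = json.dumps(body, sort_keys=True).encode()
    body["tag"] = hmac.new(key, payload, hashlib.sha256).hexdigest()
    return body


def verify_before_print(manifest: dict, design: bytes, sliced: bytes,
                        key: bytes = APPROVER_KEY) -> list:
    """Re-check on the AM computer just before the job goes to the printer.
    Returns a list of integrity failures; an empty list means OK to print."""
    failures = []
    body = {k: v for k, v in manifest.items() if k != "tag"}
    payload = json.dumps(body, sort_keys=True).encode()
    expected = hmac.new(key, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, manifest.get("tag", "")):
        failures.append("manifest not approved or altered")
    if sha256_hex(design) != body.get("design_sha256"):
        failures.append("design file changed after approval")
    if sha256_hex(sliced) != body.get("sliced_sha256"):
        failures.append("sliced file changed after approval")
    return failures


if __name__ == "__main__":
    manifest = approve(STL_DESIGN, GCODE_SLICED)
    print(verify_before_print(manifest, STL_DESIGN, GCODE_SLICED))
    # Simulated unauthorized edit: extrusion on layer 0 reduced, weakening the part.
    print(verify_before_print(manifest, STL_DESIGN, GCODE_SLICED.replace(b"E1.0", b"E0.1")))
```

The check only helps if the approver key never sits on the AM workstation itself; otherwise anyone who can alter the sliced file can also re-sign the manifest.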
The DoD uses AM to improve its logistics support and increase materiel readiness. Materiel includes supplies, equipment, and weapons in military supply-chain management, and supplies and equipment in a commercial supply chain context. The agency, for instance, uses AM to create molds for personal protection body armor, parts for tactical vehicles, brackets for weapons systems, and medical implants and prostheses (artificial body parts).
The DoD Components generally had controls in place, or corrected the minor deficiencies identified, for managing user accounts, configuring authentication factors, accounting for AM assets, and implementing physical security controls. They did not consistently secure or manage their AM systems or design data, because AM users regarded the AM systems as ‘tools’ to generate supply parts rather than as information technology systems that require cybersecurity controls.
In addition, the DoD Components, including information system security managers (ISSMs), information system security officers, and AM system users, incorrectly categorized the AM systems as stand-alone systems and erroneously concluded that the systems did not require an authority to operate (ATO). They stated that their AM systems were stand-alone, but none of the five sites had established an authorization boundary to support that statement. DoD Component AM officials were also not aware that connecting the AM systems to local networks or the Internet, or using removable media with them, disqualified the AM systems as stand-alone systems.
Further, compliance with the Risk Management Framework (RMF) process and the requirement to obtain an ATO apply to all systems, stand-alone or not. Had the cybersecurity officials completed the RMF process and obtained an ATO to use the AM systems, they would have identified the cybersecurity controls needed to mitigate the identified risks, the report said.
The DoD Component officials did not perform regular or scheduled operating system updates on their additive manufacturing systems, even though keeping operating systems updated is critical to protecting the AM computers and the printers connected to them.
Vulnerability scans were not conducted, and the DoD Component officials did not identify network or system vulnerabilities on their AM systems. The Cybersecurity and Infrastructure Security Agency (CISA) notes that with the increased use of complex, interconnected, and internet-accessible systems, it is important to rapidly remediate vulnerabilities that could allow malicious actors access to networks.
The security agency also states that according to government and industry partner reports, the average time between discovery and exploitation of a vulnerability is decreasing as malicious actors are more skilled, persistent, and able to use known vulnerabilities. Thus, the additive manufacturing systems must be scanned for vulnerabilities in accordance with DoD guidance, or have exceptions documented in an approved ATO.
DoD Component officials did not properly track or secure removable media used on their AM systems. The report found that some of the removable media used on the AM computers and printers were not properly labeled, tracked, or secured.
The CISA identifies removable media as appealing to malicious actors because it can be small, readily available, inexpensive, and portable. Malicious actors can use removable media to infect computers so that when other removable media is used, the malware is automatically downloaded to the new removable media and then unknowingly spreads to other computers.
The Inspector General’s report recommends that the DoD Chief Information Officer (CIO), in coordination with the Under Secretary of Defense for Research and Engineering, and the Under Secretary of Defense for Acquisition and Sustainment, include additive manufacturing systems in the information technology systems portfolio, and establish and maintain cybersecurity controls in accordance with federal and DoD guidance.
“We recommend that the DoD Chief Information Officer require AM system owners to immediately identify and implement security controls to minimize risk until obtaining an authority to operate. We recommend that the DoD Chief Information Officer and the DoD Component CIOs, in coordination with designated AM Leads, require all AM systems to obtain an authority to operate in accordance with DoD policy before their use,” according to the report.
The agency also advised the DoD Component Commanders or Director to update all AM computer operating systems to Windows 10, or obtain an approved waiver. They must also scan all AM systems for vulnerabilities, or have exceptions to regular scanning documented in an approved authority to operate. In addition, steps must be taken to label, secure, and scan, as applicable, all removable media devices connected to AM systems in accordance with DoD guidance.
Last month, the DoD – Defense Industrial Base Collaborative Information Sharing Environment (DCISE) introduced its ‘Krystal Ball’ initiative to provide the defense industrial base with an ‘outside-in’ view of security vulnerabilities. DCISE has joined with LookingGlass, a cybersecurity solutions developer that empowers organizations to meet their missions with tailored, actionable threat intelligence, to offer the Krystal Ball platform that maps public-facing infrastructure, overlays it with threat intelligence sources, and provides a holistic view of the external threat landscape including indicators of compromise and risk.