Best listening experience is on Chrome, Firefox or Safari. Subscribe to Federal Drive’s daily audio interviews on Apple Podcasts or PodcastOne.
As it expands additive manufacturing all over, the Defense Department is also adding cybersecurity risk. That’s because operators of networked 3D printers aren’t always securing the machines or the files that drive them. For more, Federal Drive with Tom Temin turned to Karla Roark, program director for Audit Cyberspace Operations in the DoD Office of Inspector General.
Tom Temin: Ms. Roark, good to have you on.
Karla Roark: Thanks for having me, Tom.
Tom Temin: And let’s set the scene here for a moment. Just give us a sense of the scope of additive manufacturing going on in DoD this is a fairly widespread practice now, isn’t it?
Karla Roark: It is definitely. So the DoD has issued two key strategic documents that discuss how additive manufacturing is using the DoD. There was one that was issued back in 2016. And that was a roadmap in how to coordinate these AM activities across DoD. And then most recently in January, they issued additive manufacturing strategy. And in fact, it did align the additive manufacturing goals with the mission of DoD. So the DoD has integrated the use of additive manufacturing mainly in its sustainment and research and development efforts. Additive manufacturing systems, like you just mentioned, are widely used throughout the DoD. It’s not just in the military services, we have seen it a lot of DoD components using them. And when you look at what the DoD is using 3D – I mean, they can be using it from anything from aircraft and submarine parts to most recently masks in support of COVID-19 efforts. Also, I think it’s worth noting that the DoD is using 3D printing to produce obsolete parts that are not made anymore, which is one of those sustainment type issues that 3D printing is assisting with.
Tom Temin: Yeah, I think the Navy just made its first 3D additive steam trap for actual using on a ship. And that’s something I guess new for them to have an operational part. But in your investigation from the DoD IG office, what were you specifically looking at in this investigation?
Karla Roark: For this audit, our purpose was to determine if the DoD components secured, the additive manufacturing systems in a way that will prevent unauthorized changes and ensure the integrity of the design data. And specifically, we look at how the computers and the 3D printers connected and how the data was transferred between both of them. So we focus on logical and physical controls, because they’re both really important, right. So when you talk about logical controls that we looked at, we looked at the additive manufacturing system computers, right. And for those, we look at whether the operating systems were updated, if they were scanned for vulnerabilities. And we also look at if they had access controls in place, were they properly managing the user accounts, did they properly configured the systems and had authentication factors embedded to them. And then on the physical side, we look at the accountability of this systems. You cannot protect what you don’t know you own. So were they keeping track of this systems, where they physically protecting them. Did they have enclosures to make sure that nobody could access the system, only the people that should have access to. And then on the removable media side, and by this, I mean the SD cards, the thumb drives – we look at whether they were basically protecting them, but also if they were scanning them for vulnerabilities before connecting them to the 3D printers or their computers. So that’s kind of in a nutshell what we tackle with this audit.
Tom Temin: All right. And what are your top line findings here? Are they securing these data files and the physical media and the machines themselves?
Karla Roark: So we had a couple findings on this one, right. First, we found that the additive manufacturing systems or 3D printing systems, they were not being recognized as information technology systems, and instead they were treated as manufacturing systems that did not require cybersecurity considerations. And therefore, even though this systems were required to go through a process to obtain an authority to operate, that means that they will be authorized to be using our networks, they did not follow that. Another issue that we found was that some of these additive manufacturing systems were incorrectly categorized as standalone systems, and therefore assumed that they did not need to go through this process. And then from the controls that we just talked about, there were a couple of these controls, we just found minimal issues with them that were corrected either on site or shortly after. But there were three major controls that we found issues with. The first one wasn’t about operating systems. I just mentioned if they were being updated, the department requires that the computers operate in Microsoft Windows 10 or have a waiver to them. And we found that 76% of the systems that we look at, they did not have the correct operating system or a waiver to them. The other finding that we had was on the vulnerability scanning, right. 70% of the systems that we looked at, they were were not scanned for vulnerabilities. And finally, the removal media, they were not scanning them or properly securing them. So those were the main areas that we include recommendations in our report for
Tom Temin: All right. We’re speaking with Karla Roark. She’s program director for audit cyberspace operations in the DoD Office of Inspector General. And I guess the underlying situation here is that these 3D printers are like any other printer. They’re on a network, they’re connected to computers, they have hard drives, so they should be treated the same way you treat the copier, which I think has long been recognized as something people need to button up. Fair way to put it?
Karla Roark: Yes. Like any printer, AM printers come in a vast range of capabilities and functionalities, right. They’re very similar in that most can be connected to your network, like you just mentioned. Or you can just access them directly through an external computer. But they’re different in the sense that the size, right. You can have capabilities for a small desktop model that you can put in maybe plastic in your office. But then you have large outdoor machines that can print a building and concrete, right. So what is really important is that we understand the environment on where these printers are and the system itself. And again, it’s more than just a printer, there’s a system associated with it. So you need to understand that environment so that you can properly secure it.
Tom Temin: And the custody of the files, whether in digital form or as mounted on a hard drive or thumb drive, as you mentioned, or SD card. That’s really critical, I would think, because you don’t want unauthorized people making mischief, and therefore you’re producing the wrong part or the file gets away from you and goes to China.
Karla Roark: Yeah, absolutely. I mean, design data integrity is critical when it comes to 3D printing, like just shifting a little bit of design will affect and compromise the integrity of the product that you’re printing. But it’s also bigger than that. When you think about this 3D printers in the systems, they become access points, right. So every time that you add one of these systems to your network, you’re expanding your attack surface because each one of these devices are endpoints that now are points of access. And if not protected, it allows people with nefarious intent to come into our network.
Tom Temin: All right. So what are your major recommendations and how did DoD react to them?
Karla Roark: Well, like I said, the key thing that we identify here is that you have to protect the systems at each step of the additive manufacturing process, right. There are cybersecurity risks to the design data. There’s also cybersecurity risk to our network. The design data, like you mentioned, it could be that you would allow adversaries to recreate our own technology, that could be compromised, as it could affect the integrity. And malware can be introduced. So our recommendations actually tackle all of those controls that we identified, the DoD had issues with. And it was really well received, I would say. We had full concurrence in our recommendations regarding the controls. And most recently, about a month ago, DoD came out with the policy for additive manufacturing. And it was really reassuring to see their how they assigned the CIO their responsibility to develop cybersecurity requirements and standards recognizing the systems as information technology system, which was what we found that was not occurring. And it also put the responsibility into DoD components as they use them to make sure that they protect them and they do cybersecurity threat testing. So definitely it was well received, most of the things that we identified were corrected. And for those things that we identified issues with, they are taking corrective action.
Tom Temin: And I guess this will only become more important as they make more and more strategic parts and get closer to crucial types of things as opposed to MRO and experimental parts in the future.
Karla Roark: Yes, definitely. And, Tom, it’s really important that we take into consideration what this report does, right. This report brings attention to the need of a culture change, right. As we increase the use of emerging technologies, we increase the use of additive manufacturing. It is crucial that users and leadership recognize that additive manufacturing systems are IT systems and we need to protect them.
Tom Temin: Karla Roark is program director for audit cyberspace operations in the DoD Office of Inspector General. Thanks so much for joining me.
Karla Roark: Thank you, Tom.