What IoT (and Security) Needs to Learn From the DeWalt Mitre Saw
Lance Spitzner
Director, SANS Institute : Board Member, National Cybersecurity Alliance : Founder, Honeynet Project
I recently purchased my first power tool ever, a DeWalt Compound Mitre Saw, an intimidating piece of machinery that can not only rip through huge pieces of wood, but potentially chop your hand/arm clean off. As such I was very nervous when I received it, to include reading through the safety manual several times and numerous YouTube videos. Once I had reviewed everything and started playing with this tool, I came to an amazing realization. This device is so well designed from a safety perspective that I would have to try really hard to harm myself. Even better I did not have to really think about all the safety measures as they were built into the device, they were designed to work with me, not against me. I list some of the key safety features that impressed me at the bottom but something really else hit home for me. Why are we struggling so hard to do the same for security? Right now IoT is one of our biggest security challenges, with millions of IoT devices being used for DDoS attacks. The challenge? People are not changing the default passwords. Our communities response? Security professional around the world are lamenting why people are so stupid/lazy as not to change the default passwords.
*sigh*, this says it all right here about our profession and why we are failing. Instead of blaming people, we should be taking a long, hard look at ourselves. Why do IoT devices even need a password? If they do, why are those passwords so hard to find/change on the device? Remember, you may think changing a password is easy, but security is your job. For most people they don't want to think about security and/or find technology intimidating (like I found the Mitre Saw). In addition, when you have 5, 10 or even 15 IoT devices changing passwords on all of them becomes a real PITA. Just like DeWalt and any other large power tool company, we need to take people into account and make security simple. We have to stop blaming others and look at ourselves. Until we do, the bad guys are going to continue to win.
By the way, here are some of the key safety features that are built into the DeWalt Mitre Saw. Notice in all three of these examples you do not have to do anything special, just use the device. This is how we need to think from a security perspective.
- Safety Cover: There is a plastic safety cover that protects the entire rotating blade. The only time the blade is actually exposed is when you lower the saw to actually cut into the wood. The moment you start to raise the blade after cutting, the plastic cover protects everything again. This means to hurt yourself you have to manually lower the blade with one hand then insert your hand into the cutting blade zone.
- Power Switch: Actually, there is no power switch. Instead, after the saw is plugged in, to activate the saw you have to depress a lever. Let the lever go and saw stops. This means if you fall, slip, blackout, have a heart attack or any other type of accident and let go of the lever, the saw automatically stops. In other words, the saw always fails to the off (safe) position.
- Shadow: The saw has a light that projects a shadow of the cutting blade precisely on the wood where the blade will cut. No guessing where the blade is going to cut.
Safety is like security, you cannot eliminate risk. But I feel this is a great example of how security can learn from others on how to take people into account.
Principal Consultant: Cybersecurity, IT Architecture, Project Management & Private Equity Advisor
8 年As always, Lance is clear and concise and entertaining and correct. I would like to add that the lever falls into the category of "dead person switch", which is ironic since it may actually prevent that particular disposition. That mode of Fail Closed is so essential but lacking in many security approaches. Absolutely necessary but often neglected when designing and considering pathological conditions. Also, besides instructional videos for correct operation, I would recommend "Ash vs the Evil Dead" as a good source of information regarding misuse of power tools and their consequences.
Security Guy
8 年Interesting post. I think the concept of the "failsafe" seems to be fairly lost in general in the cyber world. The default is usually "fail closed" because people think it's the most logical action in security. Using your "real world" analogies, what if there's a failure in the mechanism for a fire exit? Should it fail closed or fail open (hint, you want to get out of the building in an emergency without hindrance instead of burning alive or being crushed by the roof in an earthquake). This is the same in the Cyber world. E.g. some DDoS protection appliances will accidentally block your customers if it doesn't properly understand an attack (fail closed) and it ends up doing a better job than the attackers might have done. I think the key in this point is that security needs to be contextually aware and understand the context under which the condition is happening, not just that "condition x happened, therefore block".
Chief OT / ICS Strategist The opinions and content expressed here belong solely to me and do not reflect the views of my employer or another.
8 年The IoT devices are an emerging technology to many but honestly it's just another widget we need to secure and take into account for DR/BCP/IR. But the saw has features that protect you. Why are they there? Because people have been injured in the past and law suits have been filed. My concern with how we are treating IoT devices is why have we not learned from other devices and used that knowledge to secure them better in the first place, because the tool industry ensures safety across other types of tools. .. safety triggers on nail guns, emergency stop switches on drill presses, and even table saws that destroy themselves on contact with skin. One big difference in the tool world and IoT world though...... someone has generally gotten sued for tool related injuries and companies learned, it's generally not the same in the computing world.
Director, SANS Institute : Board Member, National Cybersecurity Alliance : Founder, Honeynet Project
8 年Just saw this, its a document from the UK National Cyber Security Center explaining how to simplify passwords for organizations and people. This is a real breath of fresh air and recommended reading for anyone in charge of password policies. I hope US NIST is listening. https://www.ncsc.gov.uk/guidance/password-guidance-simplifying-your-approach
COO ISRSEC International, Ltd. CISO ISRSEC (North America)
8 年'ballistic armor' built into suits/jackets/etc ,,, nothing sticks out to casual viewer/wearer. How to reprogram an old VCR clock? Most techies aren't even that technical ,,, transparent security (foundation of CRYSTAL TERRACE) ;)