Threat models and risk assessments are universal. If you have the mentality, you can consistently apply it in all aspects of life. I spend a lot of time thinking about medical device security, but I also spend a lot of time on rivers doing whitewater rafting and kayaking. The crossover between the two is striking.
Medical device product security doesn’t fit cleanly into a strict IT or OT security categorization — but if you had to say, they lean OT with IT assets. Let’s break down why and where either analogy breaks.
Most people don’t know that NMAP, the port scanning tool everyone and their mother has used, actually supports DICOM. And not in some half-baked “we added a port number” way. There are real NSE scripts doing real DICOM protocol work. As someone who works on medical devices, I felt the need to break this down because the default tooling should have been doing more here all along.
My viewpoint on threat modeling has matured since my last post on templates. Recently, I have been using a combination of template threat modeling, combined with process and user-needs threat modeling with some GenAI sprinkled in to help out. If you’re not familiar with template threat modeling, check out my other post.
I keep finding myself repeating the same advice to junior engineers. None of it is about tools. None of it is about certifications. All of it is about how you think.