The 101 covered what happens on the wire: A-ASSOCIATE handshakes, AE Title “authentication,” vendor fingerprinting. This one covers what’s inside the files. DICOM’s Part 10 file format was designed for interoperability and absolutely nothing else. No integrity by default. No authentication. No validation. That makes it a file format worth understanding if you’re testing or defending imaging systems.
Threat models and risk assessments are universal. If you have the mentality, you can consistently apply it in all aspects. I spend a lot of time thinking about medical device security, but I also spend a lot of time on rivers doing whitewater rafting and kayaking. The crossover between the two is striking.
Medical device product security doesn’t fit cleanly into a strict IT or OT security categorization — but if you had to say, they lean OT, as far as how to secure them, but with IT assets. Let’s break down why and where either analogy breaks.
Most people don’t know that Nmap, the port scanning tool everyone and their grandma has used, actually supports DICOM. And not in some half-baked way — there are real NSE scripts doing real protocol-level work. As someone who works on medical devices, I felt the need to break down a few DICOM security concepts so you can better understand how to use the supported tooling.
All threat modeling methods define abstractions of reality; what differs is the entry point.
I keep finding myself repeating the same advice to junior engineers. None of it is about tools. None of it is about certifications. All of it is about how you think.
My viewpoint on threat modeling has matured since my last post on templates. Recently, I have been using a combination of template threat modeling, combined with process and user-needs threat modeling with some GenAI sprinkled in to help out. If you’re not familiar with template threat modeling, check out my other post.
I’ve been kicking around some ideas on threat modeling lately – scoring timing, PASTA’s problem, where to start, and some project ideas that keep nagging at me. None of this is groundbreaking. Most of it is stuff the community has been circling for years.