I know aerospace ≠ automotive but many years ago I worked in a shop and any time the wheels came off a vehicle the mechanic/tech torqued the lug nuts to spec, then a second person independently verified and re-torqued the lug nuts.
It seems like adding a network connection and all that goes with it also introduces additional points of failure, no?
While a second person would indeed reduce the number of issues, it’s still another human to fuck things up. What if the second person is lazy? Or they get tired of checking every door because “it’s never been off before, why would it be off now?”
Human error caused the issue in the first place, why are we assuming a human will always find and fix the problem on a second pass?
Human error caused the issue in the first place, why are we assuming a human will always find and fix the problem on a second pass?
I’m not sure why you should trust a piece of technology to be infallible.
I mean, if a networked tool can be hacked then should it be trusted to be accurate? How do you know it hasn’t been hacked and maliciously modified to report correct torque even when wrong?
Didn’t GM just suspend sales of their new cars without CarPlay because their new system had software issues? Trust a company trying to save money to skimp on the implementation costs of any technology they put in place too.
It’s not so much the technology as the people running a business that worry me, VW programming emission modes is a great example. Relying on companies to regulate safety is a sure fire way to get corners cut so they can make a cent. The network wrench may be a good idea but only if regulated by the FAA and not the company.
In my experience its more prone to mistakes, because people just accept what computers tell them as infallible unless its something so massively, egregiously wrong that it shatters what little common sense they have… and even then its only 50/50.
Hard to hack a person. Sounds like sacrificing security to save a buck if that’s the only reason, especially considering you’re not just paying for a tool when you network it.
People are actually the easiest to hack. That’s why social engineering is such a huge security risk, why employees have minimum amount of access required to systems, why corporate laptops are so locked down, and why huge phishing assessments are done.
It’s just that we are more accustomed to monitoring people, and it also gives a focus that everyone understands that can take the blame for mistakes.
Sorry, I assumed the context was obvious, but it’s hard to hack a person standing there turning a wrench.
What’s easier to hack? That person standing there turning a wrench or a network connected wrench? Especially considering the points you made; the wrench turner probably has access to less than the network connected wrench.
God, I hope the wrench has access to less of the network than the employee.
It’s an IoT device.
You never trust IoT.
It should be on an isolated vlan dedicated to the wrenches that allows it connect to its storage server, only.
Putting the wrenches on a pvlan would further limit the scope of any breaches to a single wrench.
Any access to the wrench vlan/pvlan should be from a trusted management vlan. Any traversal of the firewall for this access should be logged.
Ultimately, this is a device being used by a company that requires per-bolt certification of torque. You can bet that every part of their process has an equivalent level of scrutiny, including certification of network security/auditing.
In fact, following sensible IoT network security mitigates all of the CVEs listed - because they need the attacker to have network access.
Sure, most of the CVEs are the stupidest “my-first-web-app” level of mistakes (csrf, xss, directory traversal) and shouldn’t exist. But it’s still an IoT device, and should always be treated as a black box of leaky security regardless of the manufacturer.
Best practice ≠ real world application. Based on my 10+ years in IT I’d be very unsurprised to find that the networked wrench has greater access than the person.
Why not have a two stage torque process?
I know aerospace ≠ automotive but many years ago I worked in a shop and any time the wheels came off a vehicle the mechanic/tech torqued the lug nuts to spec, then a second person independently verified and re-torqued the lug nuts.
It seems like adding a network connection and all that goes with it also introduces additional points of failure, no?
While a second person would indeed reduce the number of issues, it’s still another human to fuck things up. What if the second person is lazy? Or they get tired of checking every door because “it’s never been off before, why would it be off now?”
Human error caused the issue in the first place, why are we assuming a human will always find and fix the problem on a second pass?
I’m not sure why you should trust a piece of technology to be infallible.
I mean, if a networked tool can be hacked then should it be trusted to be accurate? How do you know it hasn’t been hacked and maliciously modified to report correct torque even when wrong?
Didn’t GM just suspend sales of their new cars without CarPlay because their new system had software issues? Trust a company trying to save money to skimp on the implementation costs of any technology they put in place too.
It’s not so much the technology as the people running a business that worry me, VW programming emission modes is a great example. Relying on companies to regulate safety is a sure fire way to get corners cut so they can make a cent. The network wrench may be a good idea but only if regulated by the FAA and not the company.
You are erring dangerously close to the classic “computers don’t make mistakes” argument.
Not at all. A human plus a computer is going to be less prone to mistakes than a human plus a human though.
In my experience its more prone to mistakes, because people just accept what computers tell them as infallible unless its something so massively, egregiously wrong that it shatters what little common sense they have… and even then its only 50/50.
Labor costs are likely the highest input. That solution doubles labor costs for that process.
Hard to hack a person. Sounds like sacrificing security to save a buck if that’s the only reason, especially considering you’re not just paying for a tool when you network it.
People are actually the easiest to hack. That’s why social engineering is such a huge security risk, why employees have minimum amount of access required to systems, why corporate laptops are so locked down, and why huge phishing assessments are done.
It’s just that we are more accustomed to monitoring people, and it also gives a focus that everyone understands that can take the blame for mistakes.
Sorry, I assumed the context was obvious, but it’s hard to hack a person standing there turning a wrench.
What’s easier to hack? That person standing there turning a wrench or a network connected wrench? Especially considering the points you made; the wrench turner probably has access to less than the network connected wrench.
God, I hope the wrench has access to less of the network than the employee.
It’s an IoT device.
You never trust IoT.
It should be on an isolated vlan dedicated to the wrenches that allows it connect to its storage server, only.
Putting the wrenches on a pvlan would further limit the scope of any breaches to a single wrench.
Any access to the wrench vlan/pvlan should be from a trusted management vlan. Any traversal of the firewall for this access should be logged.
Ultimately, this is a device being used by a company that requires per-bolt certification of torque. You can bet that every part of their process has an equivalent level of scrutiny, including certification of network security/auditing.
In fact, following sensible IoT network security mitigates all of the CVEs listed - because they need the attacker to have network access.
Sure, most of the CVEs are the stupidest “my-first-web-app” level of mistakes (csrf, xss, directory traversal) and shouldn’t exist. But it’s still an IoT device, and should always be treated as a black box of leaky security regardless of the manufacturer.
Hahahahahaha!!! Does solarwinds123 sound familiar?
Best practice ≠ real world application. Based on my 10+ years in IT I’d be very unsurprised to find that the networked wrench has greater access than the person.
Nah. Usually the double checking is added onto a list of another person’s tasks with no increase in wages or allocated time! Lol