

On Tanks vs Tractors

by Anton Chuvakin  |  July 24, 2015  |  5 Comments

Well, you all expect deep technical guidance from us at Gartner GTP – but here you are going to get another “philosophical post” (aka rant) – inspired by the “Jeepgate”, naturally.

Many recent IoT security “faux pas” [and I am happy to say faux pas, rather than disasters] seem to trigger rage from the security pundit commentariat, along the lines of “ZOMG, these people/developers/manufacturers/monkeys are so freaking dumb!!”

Let’s step away from this for a bit and think about tanks and tractors – both heavy, tracked machines.

[Images: a tank (https://flic.kr/p/2WYJV6) and a tractor (https://flic.kr/p/6Kap8o)]

When you design a tractor, you have to think [presumably] about it not rusting, not breaking down under load, not falling into a ditch, etc. There are lots of safety and operational resiliency considerations. However, do you think a tractor’s product design documents include items like “survive EMP”, “drive over sharp metal objects”, “drive over people lobbing grenades”, “generate electronic countermeasures”? Of course they do NOT. A lot of technology is NOT meant to survive deliberate threats: we don’t use bullet-proof glass at home, and we don’t build bomb-proof bridges and buildings [in most cases]. A lot of technology – and I mean this very, very broadly – is NOT designed to survive deliberate attacks, and that is just fine. A tractor’s “threat model” does NOT include deliberate threats.

Now, on the other hand, a tank is meant to survive deliberate “tampering” – and occasionally drive right over said “tamperers” (the connoisseurs also suggest turning over them a few times). It is, after all, a machine of war, and war implies that you have dedicated, often creative adversaries (humans … but maybe eventually AIs :-)). These adversaries may use whatever they can think of – old, new, and sometimes entirely unknown to the tank designers – to make it break. They also often have your tank in their lab. Thus, they will look for vulnerabilities (like areas with thin armor), design flaws (like the wrong location for fuel tanks), and may utilize entirely new classes of technologies to stop you. As you can see, it is VERY different from the above. A tank’s “threat model” DOES include deliberate threats.

Finally … the point.

BUILD ANYTHING THAT IS ON THE INTERNET AS A MACHINE OF WAR.

CONNECTED? INCLUDE DELIBERATE ATTACKS IN YOUR DESIGN REQUIREMENTS.

ANYTHING ON THE INTERNET MUST SURVIVE DELIBERATE ATTACKS.

There you have it! The future of IoT security :-) “Every business is a digital tank-building business”


Category: future, iot, philosophy, security

Anton Chuvakin, Research VP (5+ years with Gartner, 16 years in the IT industry)

Anton Chuvakin is a research VP at Gartner's GTP Security and Risk Management group. Before Mr. Chuvakin joined Gartner, his job responsibilities included security product management, evangelist…


Thoughts on On Tanks vs Tractors


  1. […] Anton Chuvakin Well, you all expect deep technical guidance from us at Gartner GTP – but here you are going to […]

  2. Nichols says:

    Great point, Anton. A mindset of Threat-Oriented Security will change a lot in our business.

    • Indeed, especially for those folks who never dealt with anybody intentionally breaking their product AND never felt responsible for such “breakage”, if it occurred.

  3. […] his On Tanks vs Tractors IoT blog last week Anton Chuvakin from Gartner “philosophized” that anything that […]

  4. […] his On Tanks vs Tractors IoT blog last week Anton Chuvakin from Gartner “philosophized” that anything that is on the […]


