Logical Fallacies and the SCADA Problem
The arguments for extreme events are interesting, and one has to wonder about the motivation for them. The argument that a “STUXPOCALYPSE” will not occur and hence we need not worry about the security of critical systems is astounding.
The first logical flaw is an argument based on the misrepresentation of an opponent’s position.
The argument is not one of apocalypse, it is one of widespread damage. Here, 100 deaths and a few million dollars are considered widespread damage. It is quantitatively different from the end of the world. The point is not whether an attack against Supervisory Control and Data Acquisition (SCADA) will result in the end of civilisation as we know it. Even World War II did not manage to do so with all the damage it created, and a SCADA cascade will not do something as dire.
So one has to wonder what the motivations and imperatives are for those who attempt to downplay the security concerns surrounding unsecured control systems.
Using rhetorical tricks in order to mask the concerns around the security of control systems and to downplay the nature of such threats smells a little fishy.
False Dichotomy or the Fallacy of Bifurcation
It brings us to the next flaw in the arguments: the supposition that only two alternative statements are the only feasible options. It of course is not the truth, and the arguments here abound. There are many more possibilities than those who seem to want to hide the security flaws in SCADA systems will allow.
The attack and compromise of a PLC using fine control are seen as the only issue. More, the only attack vector is promoted as the sites being easily found through a Google dork search.
First, those sites that both are online and result in a discovery using a simple search-engine query are the vast minority of sites. For each site that is poorly configured enough to have been indexed through a search engine, many hundred exist online that have not been indexed.
In fact, none of the systems I have written about in recent times are accessible through a simple web search. It does not mean that they are not accessible through the Internet.
NAT and simple technologies leave such systems obscured but online. Here we see that there is some avoidance of obscurity. Which is a poor security control. It may help alleviate simple scanning worm attacks to some extent, but the reality is, only to some extent.
Most of the attacks against Internet-connected hosts are not being targeted against the sites you can find on a Google dork list. They are more and more targeted against internal systems where a compromised client system is leveraged to attack the internal systems.
An external attacker with a flash-based exploit, a re-pinning attack against the client’s JRE, or for that matter any number of malware and crimeware-based exploits can bypass simple firewall and NAT controls. ATM networks associated with St George that are supposedly offline were impacted through a worm infestation. Rail Services Australia managed to have a scanning worm inside the secure network a few years ago, and just recently we have seen the U.S. Army’s drone network being compromised by a password-sniffing Trojan.
Merely being behind a firewall or a NAT device does not make you offline. It does stop some of the simple Google dork searches; but they have only ever been the tip of the proverbial iceberg.
Argumentum ad Ignorantiam
Next, we have the often cited claim that is assumed to be true (or false) simply as a result of not having been proven false (true). In some cases, they are claims that cannot be proven false (or true in the converse).
I face the same in court from time to time, where it comes to the extreme. In one instance, the barrister of the opposing party for whom I was acting as an expert witness decided, as they could not attack the results I had obtained (the opposing expert having said the same in a published paper that he neglected to note in court), to attack my beliefs. I have a degree in theology (and in law, various sciences, mathematics, management, and more), and I am a trustee and from time to time a lay pastor.
I was told in court that I could not be a good scientist as I believed in imaginary beings (I believe in God). Basically, we have here an argumentum ad ignorantiam, an argument that can neither be proven nor disproven through science — which does not stop it from being deployed as an argument.
At the same time, we see it time and time again in calls to leave things as they are, to let sleeping dogs lie, and to remain with obscurity and our heads in the sand, safe in the knowledge that what we cannot see (foresee) will not hurt us.
But for SCADA systems, we have: “I do not see how, therefore it cannot be.” In saying so, we look at the effects of attacking PLCs and the differences in the systems, and simply forget that most of them are controlled from Windows-based systems. That LynxOs, Windows CE, and more act as agents.
Again, we assume it needs to be a nation-state effort such as Stuxnet, and forget it was a system designed for fine control and not simply chaos. Chaos is far easier to achieve than fine control. It takes a lot of effort, skilled people, and technical knowledge to create a system that can be automated and left to run remotely.
Breaking a system… is far simpler.
One of my old favourites that is so often used is the attempt to distract one’s readership (listeners if live) by going off topic. In other words, to deviate from the topic at hand. In doing so, we can add a separate argument which the author believes will be simpler to address and to run from the topic at hand.
There is a qualitative difference between cyber-terror events and kinetic terror events.
Yet, we see responses such as: “For that matter, one could just get some C-4 and get a job at the facility long enough to plant a bomb.” Well yes, we could, and having completed a degree in organic chemistry specialising in fuel sciences (over a decade ago now), I also know just how likely you are to remove several fingers in the attempt to make it.
Yes, it is possible (although not as simple as the movies would it make out) to obtain C4, Semtex, and other forms of explosives containing RDX (cyclotrimethylene trinitramine) and PETN. But there is nothing on how they are peppered with 2,3-dimethyl-2,3-dinitrobutane (DMDNB) allowing for both tracing the source and a detective control.
Unfortunately for Bruce Willis, it is not actually as simple as it seems to sneak large quantities of C4 into federal buildings unannounced anymore.
Fertiliser-based explosives are easier, but even then you can expect to be investigated from time to time, and there is a level of risk with any kinetic engagement these days. Such is why for all the people out there wanting to blow things up in the US, it remains a rare event. It is not easy, and not all terrorists want to blow themselves up in order to achieve an objective.
It is why cyber terror is qualitatively different.
You can access an online system from anywhere in the world. The independent hackers (cough FSB sponsored) in Russia who attacked Estonia and Georgia never suffered any repercussions. It is not as simple as people think to organise a large-scale kinetic attack. It requires a high degree of co-ordination and effort.
On the other hand, hackers have managed to obtain access to critical systems by accident. Here, we are not even thinking of the efforts of a former and disgruntled employee in attacking a water treatment plant, who of course also got caught as he was stupid.
Such is what is really different here. To blow up a facility, you need to spend a lot of time, effort, and money learning systems, building reputation, and doing more where you most likely have only one attempt (and which, as history shows us, fails more often than it succeeds, even if we remember the successes and forget the failed attempts).
To engage in a cyber-terror exercise on a vulnerable system requires skills that also allow an attacker to engage in cyber crime and hence fund activities (and lifestyle) whilst remaining relatively anonymous. More, you can be seated comfortably anywhere in the world, and as one detractor showed, you can even simply do a Google dork search for such systems and choose what you feel like opposing AFTER you have selected a target to attack.
Staying with a red herring, we have a very special form of it: the ad hominem attack, where we attack the person to avoid facing the actual argument.
Here, we see comments such as: “Please go back to writing entry-level forensics books.” Not that writing guides for people starting in a field should be seen as a detractor, but it is ignoring that that does not mean we also do not do high-end academic research — which would not suit the argument and would not allow the attack to seem as belittling.
The attack also comes in the form of an appeal to ridicule, where statements such as “For the apocalypse of stupid that will be happening thanks to the likes of CNN and the book of Langer and Wright.” are used as an argument and the attempt is made to present the opponent’s argument as being ridiculous. Which does not actually constitute a valid argument, rather we see a form of petty attack.
We see the same in other attempts to ridicule:
When he opened the seventh seal, there was silence in heaven as the malware began changing PLC code.
From the book of Langer & Wright: Revelation Chapter 1 Verse 1
I guess it manages, again, to bring the straw man back up that has been supposed. In arguing widespread damage, it seems that such must be a revelation-level event, or nothing we should be concerned with. I wonder myself, what ever happened to middle ground?
Appeal to motive is next, and here we have a situation where the premise is dismissed through a question of motivation. That is, by calling into question the motives of its proposer. The basis is to say that a matter was all about money or similar. There are a number of flaws with such an argument in my case, not the least of which is revealed as I donate most of the SCADA time and in doing more work in the area simply make life more difficult for myself. Basically, I do so as it helps the people I care for. Then, such appeal to motive was never a valid argument in any event.
I am still awaiting many of the other ad hominem attacks such as:
- Poisoning the well: Here, adverse information is put forward in order to discredit one’s opponent. It can be true or not. It does not, of course, relate to the argument at hand. I did mention one example above, saying I believed in God (as a bad thing) as an example of why I couldn’t engage in scientific discourse (I also believe in evolution).
- Appeal to spite: a specific type of appeal to emotion. In such a fallacy, the argument is made based on an exploitation of the listener’s (reader’s) bitterness or spite towards the other (opposing) party and/or its beliefs, position, etc.
Argumentum ad Nauseam
Argumentum ad nauseamis an argument such as in the form of: “We have discussed the security issues around SCADA for years, and nobody cares to discuss it anymore.”
Well, SOME people do not want to discuss it anymore. Then, nothing is making them do so. In fact, in actually engaging in the argument, they disprove their argument through their own actions.
Onus Probandiis the logical fallacy based on a premise that a party needs not prove its claim, but that we must prove it is false — not as a hypothesis or any other such thing, but just as a matter of fact.
They cannot, of course, and hence we see the concept again and again.
Argumentum ad Antiquitam
Here, again, we come to a conclusion that has its sole support in the matter of history. In other words, something must be true as it has long been held to be true.
The argument goes along the lines of: “We have not seen many SCADA attacks, thus there cannot be any SCADA attacks.”
Well, the fact that we have not seen an event does not make it improbable. In fact, we have the issue here that the class of events in the ‘90s was distinct from those present in the current decade. We are more connected, and more systems are vulnerable.
Fallacy of the Heap
How about we improperly reject the claim that SCADA systems are at risk simply due to imprecision. In other words, as we cannot say which systems will be attacked and we cannot say exactly when an attack may occur, we are concluding that it cannot ever occur.
Ummm… It seems that there is a consistent flaw in all of them.
I can add many more fallacies…
Ignoratio Elenchiis the constant use of irrelevant conclusions that miss the point. In some cases, the argument is valid in itself. But it does not actually address the issue in question. SCADA systems are running insecurely, and the compromise of such systems can lead to a loss of life.
One such example would be the compromise of rail signalling systems. Which could lead to a peak-hour collision of two incoming commuter trains.
- Is it the end of society as we know it? No.
- Is it a tragedy? My God, yes!
Which is the point. Extending the loss of life to an argument where it is only valid if the entirety of society collapses is ludicrous at best.
Here we see the use of multiple inconsistent arguments to defend a position.
“EMP’s Man Made & Solar… Now There’s Your Apocalypse”
Well… How about FUD?
Let us ignore the fact that making any real device that has a large-scale effect is both difficult and expensive (and limited in range) and jump to something that is truly FUD.
We have systems that are not difficult to secure. We say they are, but the reality is: people are the impediment, not the technology. In some cases, securing such systems will create a positive ROI from day 1.
More, we have a situation where small investments can forgo large losses.
The argument is not that civilisation will end, but that small incremental improvements, some that do not actually cost money or even time, can make us much safer.
Economics is all about incentives. It is creating systems where people and groups do the right thing. Right now, we are creating externalities and not allowing those who have failed systems to be responsible for their failures.
The reason for doing so is that it costs money to implement a secure online system. If you can get away with not securing a system AND do not have to face the consequences of a failure (rather when and not if), you have an economic advantage over another party by securing to a level that any reasonable groups would expect.
I for one have to wonder about the vitriol that some individuals hold for society if they can simply treat the loss of life and property as inconsequential simply as it has not resulted in the complete collapse of society.
Right now, we incentivise poor security practices. The firms and organisations involved with SCADA systems who actually care to secure their systems are penalised. When we create negative incentives in bailing SCADA operators out from the trouble they have caused in running insecure systems and yet fail to offer positive incentives to such groups who actually act in a manner that is consistent with giving a damn, we create less secure systems.
So, SCADA systems are online. We seem to have agreement that you can even get their details (which is the tip of the iceberg again) with a simple SCADA search. Such are systems that have large-scale effects.
Yes, it may be true that damaging a nuclear reactor in a manner that results in a meltdown is really beyond anything less than a nation state, but so what?
Loss of power in a city for a few days will result in lost lives (and I happen to care about the extremely young, the old, the infirm, and others that seem to be overlooked in the opposing argument).
Again, WHY are some people trying to defend poor practice and NOT take SCADA operators who are ILLEGALLY running systems online to task?
Why do some people want to continue to incentivise poor security?
Where Does It Leave Us?
World War II was a global and catastrophic event, but the earth still stands. So, do I think the earth and civilisation will come to an end due to SCADA flaws (or FUD through EMP/HEMP devices)?
What is at stake is the loss of life and property that will result from compromised SCADA systems. Not just PLCs as the opponents of such a position like to try and presuppose, but Windows XP and other systems that act as controllers. A Trojan on a Windows host allows an attacker to control the PLC without actually writing specialised malware such as Stuxnet.
You think the scenario does not occur… Well, there you are wrong. The dumping of sewerage in Queensland (here in AU) cost millions to clean, it cost businesses revenue, it cost jobs, and it also meant that many people in the area were unable to enjoy their properties in safety.
Well, I am the Australian in the “debate,” so I am wondering why it is the other side that is making the “don’t worry she’ll be ‘right mate” assertions?