SCADA Systems
Introduction
In this write up I’m going to explore the vulnerabilities in the critical infrastructure of SCADA systems. I will be looking into the applications within the system to see what role it plays in the vulnerabilities. I’m going to discover if the applications do enough to secure themselves against their vulnerabilities. This should determine if SCADA systems are worth using.
Human Machine Interface
Human Machine Interface (HMI) is used in the SCADA systems to allow a human operator to control the processes of the system. HMI is linked to the diagnostic data, management data, and logistical data of a system. This allows operators to change the system from the HMI graphical interface. The operators can see everything that is happening from the HMI interface.
HMI Vulnerabilities
HMI has vulnerabilities in its’ authentication process and file path traversal. The authentication process is either lacking or nonexistent. This vulnerability increases the odds that an attacker can get into the systems. The attacker can extract files from the system by manipulating the filename parameter and affecting the file path (Silva, 2024). The lack of an authentication process leaves the system open to all attackers.
SCADA Systems Hardware
The hardware used in the SCADA systems is a combination of SCADA and third-party hardware. The hardware must be monitored because it must be in its’ own facility. This is where the most vulnerabilities are present.
Hardware Vulnerabilities
The vulnerabilities begin with the lack of security evaluations on the third-party hardware (Amos, 2022). There is no system currently in place to vet any hardware from a separate organization. The hardware itself has outlived its’ shelf life. Some systems haven’t updated to meet current security standards (Amos, 2022). The hardware has outdated software and there aren’t any regular patches in place to address this major security risk. The network security of these systems are also in need of modernization (Amos, 2022). The network infrastructure isn’t equipped to provide sufficient security against attackers.
In Conclusion
SCADA systems aren’t equipped with current security measures or hardware. The security lacks the authentication process and is the most egregious of the vulnerabilities. The lack of an authentication process is a vulnerability that should’ve been already corrected. It doesn’t help that the hardware being used is out of date and has security vulnerabilities with third-party vendors. These applications don’t provide any security against their vulnerabilities. I don’t believe that SCADA systems are worth using given the amount of vulnerabilities present.
References
SCADA Systems. (n.d.). SCADA Systems. http://www.scadasystems.net
Silva, D. (2024, December 6). Major Vulnerabilities Found in Human Machine Interface [Review of Major Vulnerabilities Found in Human Machine Interface]. University of Hawaii – West O’hau. https://westoahu.hawaii.edu/cyber/ics-cybersecurity/ics-weekly-summaries/major-vulnerabilities-found-in-human-machine-interface/
Amos, Z. (2022). 9 SCADA System Vulnerabilities and How to Secure Them. Isa.org. https://gca.isa.org/blog/9-scada-system-vulnerabilities-and-how-to-secure-them
CIA Triad
Introduction
The purpose of this write up is to describe the CIA Triad and determine the difference between authentication and authorization. The CIA Triad is important and by the conclusion of this write up the reasons for its’ importance will be explained. I will provide examples of authentication and authorization. I will also describe the difference between authentication and authorization.
The CIA Triad
The CIA Triad is the core principles of cybersecurity consisting of Confidentiality, Integrity, and Availability. Confidentiality is keeping the private information and data of users safe and secure. Integrity is maintaining the security of data to prevent any alterations or breaches. Availability is providing access to the data to the appropriate users. These three principles form the cybersecurity model based on protecting data (Prakash, 2022).
Authentication vs Authorization
Authentication is the process of verifying the user’s or system’s identity. Authentication is a cornerstone of digital security and is the first defense against unauthorized access (Team, 2024). There are many ways to authenticate a user. The most used are Single-Factor Authentication (username and password), Two-Factor Authentication (password and a separate code sent to the user), and Biometric Authentication (face scan and fingerprint scan). Authorization is the process of granting permissions to authorized users (Team, 2024). This means that having access to a system comes with restrictions based on what the user has permission to do within the system.
What is the difference?
The difference is that authentication can authenticate a user, and authorization can grant permissions to the user. This means authentication will always come before authorization because to use a website or access information you must be allowed to have access. Even with access to a website or information depending on the permissions of the user the actions after gaining access can be restricted.
In Conclusion
The CIA Triad is the model used in cybersecurity to maintain and protect the private information of users. Authentication can only authenticate a user to have access to information and authorization determines what the user can do once given access. This means that authentication will always come before authorization in determining who has access to the private information being protected.
References
Prakash, M. (2022, June 28). What is CIA triad? examples, components, importance & goals. knowledgehut. https://www.knowledgehut.com/blog/security/cia-in-cyber-security
Team, C. W. (2024a, September 27). What is authentication? – types, role & how it works!. Cyber Security News. https://cybersecuritynews.com/authentication/
Team, C. W. (2024b, September 30). What is authorization? definition, use case & models. Cyber Security News. https://cybersecuritynews.com/what-is-authorization/
Cybersecurity Budget
Introduction
The purpose of this write-up is to determine if having a limited budget can provide sufficient training and implement cybersecurity technology. Cybersecurity is important and having qualified employees monitoring it is just as important. The effectiveness of a limited budget will be determined in the conclusion of this write-up. I will also explain my reasoning for how I would use the budget. For this write-up the budget for the training and cybersecurity technology will be $3,000.
The Training
For this write-up, the budget is going to be applied towards in-house training. This means the company directly trains their employees. The type of training is an essential part of determining the training costs. The two options are bootcamps or shorter specialized training courses. The bootcamps are fast tracking the employees to develop their skills to be efficient in cybersecurity. The bootcamps can range from $2,500 to $20,000, and the more intensive bootcamps range from $10,000 to $17,000 (Cybercrim, 2025). The shorter specialized training can cost $2,500 to $4,500. The shorter specialized training could be more depending on which specialized training is being used.
The Technology
To operate cybersecurity technology, it requires an initial investment of $115,00 to $300,000 (Team, 2025). The cost to maintain the technology ranges from $20,000 to $50,000. The overall cost to maintain the business could be $500,000 or more. The cost of the business revolves around the cost of the technology being used and the salaries of the team members. The needs of the business determine the cost to maintain the business.
The Budget
Using the $3,000 budget I can train employees with the shorter specialized training. The purpose of the budget in this write-up was to portray a small business that has a small team. In my opinion, budgeting for cybersecurity training is essential for them. I would send one employee to the training and have that employee train his coworkers. In this scenario the budget was $3,000 for the training and technology and not for the entire business.
In Conclusion
The limited budget of $3,000 is barely effective in managing the training and technology. The budget would have to be a loan from the bank. The loan just creates another expense that a business can’t afford to have. The cost of cybersecurity technology would be completely outside of the budget. The limited budget isn’t effective in cybersecurity and wouldn’t provide any sustainable result for the business.
References
CyberCrim. (2025). How Much Does Cyber Security Training Cost In 2025 [Review of How Much Does Cyber Security Training Cost In 2025]. CyberCrim. https://cybercrim.com/career/cyber-security-training-cost/ Team, B. (2025, April 4). What Are the 9 Operating Costs of Cyber Security for Businesses? Business Plan Templates. https://businessplan-templates.com/blogs/running-costs/cyber-security