M7 D2

Criminal Justice
Name
Institution
Course
Date

The primary challenge of developing and implementing a risk-based supervisory control and Data Acquisition (SCADA) cyber security program is the rate at which cyber threats are expanding. The cyber threats are growing at a rapid rate making it a big challenge for engineering managers to come up with systems that are safe from cyber-crime. Besides risks to SCADA systems are rapidly evolving hence more resources are needed to mitigate the expanding risk map (Henrie, 2013). Engineers must ensure that they are adequately reducing cyber risks. The incapacitation or even destruction critical systems can have a significant impact on the defense and economic security of the United States hence the need to address the challenges to SCADA systems.
SCADA programs should incorporate risk assessment methods so as to help them in responding to emerging threats and risks. Risk assessment methods that can be included in SCADA programs include the risk quantification/consequence matrix. This approach provides an organization with a mechanism for assigning an assessed state to the question of the overall cyber security risk. This method reduces the analysis to qualitative terms that are usually assigned based on input from the subject matter. The next is the successful exploit plot which quantifies an organization’s risk level based on the combined variables of the probability that vulnerability is present and that a threat agent can successfully exploit the vulnerability (Panton, 2013).

These risk assessment methods have a weakness since they fail to adequately quantify a profile of risks that show the occurrence of very low probability threats which if they can occur resulting in catastrophic consequences for any organization, state or and even a nation.
The biggest vulnerability of SCADA systems improper input validation. The next is in permissions, privileges and access controls to the system. The others include improper authentication, insufficient verification of data authenticity, an indicator of poor code quality, security configuration and maintenance and credential management. All of the vulnerabilities require a range of mitigating effort so as to reduce the overall system risk.
A vulnerability market approach is an approach that enables security researchers and hackers to disclose any vulnerability in a system in exchange for financial gain. Some of the vulnerability market strategy includes the bug challenge where a vendor offers a reward for any vulnerability reported about a product. The other is the bug bounty whereby a seller pays researchers to identify any malicious code that can be used to infiltrate their systems. This market model enables the vendor to identify any undetected vulnerabilities that can be used by hackers currently. The next is the bug action that utilizes the action theory that is an online action is conducted were by sellers of vulnerabilities attempt to maximize profit while buyers of the vulnerabilities try to minimize the cost. All of this vulnerability models can be useful for mitigating risks in the SCADA cyber security programs since they will be able to identify the ever-evolving risk and deal with them before they occur. Although this method may be effective, it may not be viable as it is both legally and economically unfeasible especially when been applied to government systems. It can also be exploited by systems developers who could be developing systems with vulnerabilities so as to benefit from the model. Systems acquired should be those that are secure by design and not those secure by obscurity.
References
Henrie, M. (2013). Cyber security risk management in the SCADA critical infrastructure environment. Engineering Management Journal, 25(2), 38-45.
Panton, B. C. (2013). Strengthening US DoD Cyber Security with the Vulnerability Market (No. AFIT-ENV-GRP-13-J-06). AIR FORCE INST OF TECH WRIGHT-PATTERSON AFB OH GRADUATE SCHOOL OF ENGINEERING AND MANAGEMENT.