Brandon Teague

September 9, 2025

CYSE 200T

Professor Charles E. Kirkpatrick

The CIA Triad:

The CIA Triad consists of Confidentiality, Integrity and Availability. Confidentiality means keeping something secret or private. Integrity means that the information or data hasn’t been tampered with, like when using digital signatures in email. And availability means that the data is there and ready. These three together form the basis for Cybersecurity, however as technology and defending this technology evolves so must the CIA triad. Such as adding authorization and authentication to the mix. Authorization determines what a person is allowed to do or not allowed to do. While authentication is verifying that the person trying to access something is authorized to do so. Examples of authentication would be passwords, 2FA, security tokens, etc. Authorization would be permissions, certain roles in your position or on the network. Both of them work together in a way but are different.

The risks and rewards of SCADA systems:

Brandon Teague

Old Dominion University

CYSE 200T

Professor Charles E. Kirkpatrick

October 12, 2025

            The vulnerabilities associated with critical infrastructure systems are the fact that more modern systems are connected to the internet which opens more areas of attack, human error on more localized networks (like plugging an infected USB into the network), some systems in place still use legacy hardware and software, and keeping these systems up to date and patched can be a challenge. If any of these risks were to be exploited there would be bad consequences since these systems are in place to protect such vital systems to our infrastructure. But because there are risks that doesn’t mean there aren’t any ways to protect these systems.

            One of the ways to mitigate these risks is to implement a full business or operational risk assessment. You would also need to implement normal security measures like you would for any network, principle of least privilege, setup firewalls and network segmentation, patching regularly, hardening devices, etc. These systems are critical to the infrastructure of so many important tasks and products so implementing security properly as well as training the personnel working on or around these systems is important.

            SCADA plays a role in mitigating these vulnerabilities by organizing and separating the system into layers based on its specific roles and communication boundaries. The model used for this is called the Purdue model. This model separates the ICS and the IT systems. Ensuring that strong access controls can be enforced without affecting business operations. This model secures the SCADA system thus ensuring the business is protected as well.

References:

Fortinet. (2019). Independent study pinpoints significant SCADA/ICS security risks.. https://www.fortinet.com/content/dam/fortinet/assets/white-papers/WP-Independent-Study-Pinpoints-Significant-Scada-ICS-Cybersecurity-Risks.pdf

Fortinet. (n.d.). SCADA and SCADA systems. Fortinet Cyberglossary. Retrieved October 7, 2025, from https://www.fortinet.com/resources/cyberglossary/scada-and-scada-systems

IEEE. (n.d.). Cybersecurity of critical infrastructure with ICS/SCADA systems. IEEE Public Safety Technology. Retrieved October 7, 2025, from https://publicsafety.ieee.org/topics/cybersecurity-of-critical-infrastructure-with-ics-scada-systems/

Palo Alto Networks. (n.d.). What is the Purdue model for ICS security. Palo Alto Networks Cyberpedia. Retrieved October 7, 2025, from https://www.paloaltonetworks.com/cyberpedia/what-is-the-purdue-model-for-ics-security

SCADA systems. (n.d.). Google Docs. Retrieved October 7, 2025, from https://docs.google.com/document/d/1DvxnWUSLe27H5u8A6yyIS9Qz7BVt_8p2WeNHctGVboY/edit?tab=t.0

Balancing the Budget: A CISO Strategy for Cybersecurity Tradeoffs:

Brandon Teague

Old Dominion University

CYSE 200T

Charles E. Kirkpatrick

October 19, 2025

I would allocate more funds towards training and the human side of my organization. Probably a 60/40 split. 60% towards training and policy while the remaining 40% would go towards the technology, software, hardware, infrastructure, etc. Putting more money into the employees and their training would help mitigate any human error. If I allocated more funds towards technology and human error messed it up, then it would be a waste of money on both sides. However, if I were to invest in my personnel and keep them properly trained then equipment can be taken care of, hardened securely, the network will be maintained, and the organization would run into less issues. Also, if you don’t have the right people and proper training, setting up any hardware can be done incorrectly, which would be a waste of funds, especially if you have a limited amount. Ultimately it comes down to what you are willing to invest in, and I am not willing to invest in unqualified and untrained personnel.