The U.S. Energy Sector's SCADA and ICS networks are often criticized in the press for being outdated, non-standardized, and difficult to manage because they are inscrutable to all but a select few. I prefer to think of those as advantages. Our SCADA and ICS infrastructure is heterogeneous and distributed. Combine those advantages with the high bar of insider knowledge or engineering expertise needed to understand and operate these systems and you have a natural, layered defense. Still, threats and their corresponding risks exist.

My audacious risk predictions for the remainder of 2016 address the nature of the cyber threat and the potential for the energy sector to encounter it during the year. The risks are divided into High, Moderate, and Low. I've based them on the basic risk equation: Risk = Threat x Vulnerability x Cost.

Cyber crime – high risk. Administrative systems are most at risk. Commonality of operating systems and the ability of utilities to pay large ransoms make the energy sector a very attractive target for ransomware and data theft.

Hacktivism – moderate risk. Hacktivists often focus on social issues. The energy sector may be targeted after accidents that affect the environment. DDoS intrusions remain a threat to administrative and customer service systems.

Cyber espionage – moderate risk. Actors will continue to probe and insert persistent backdoors or other malware. In spite of declarations and treaties, cyber espionage will probably remain at current levels for the next year.

Cyber attack – low risk. The potential for effective, coordinated cyber-physical attacks involving intrusion into U.S. energy networks is low.

How do I justify my analysis?

There's nothing like a slight time delay in getting a publication online: in the interim between my predictive analysis and the posting of this article, DHS in April released a document on the same subject with basically the same predictions. That's a good indication that the private and public sectors are not so far apart in their thinking about threats as some would have us believe.

What can I do with this information?

Though these threats appear in a hierarchy, nothing prevents an adversary from changing tactics, techniques, and procedures. Just as it's impossible to legislate against tomorrow's cyber threat, it's impossible to predict its exact nature. That's why an adversary-motivation approach is a good fit for enabling more accurate risk analysis and risk management.

In the end it always boils down to the user. An employee might sell the company's crown jewels or SCADA architecture: the insider threat. A recent survey found that 27 percent of U.S. employees would sell their passwords for less than $1,000. About 47 percent reported that after leaving their company they still had remote access to their accounts.

An employee on a lunch break browses an innocent website, following each and every guideline the company provides for personal Internet use at work. Through no fault of the employee, the website has been compromised, without its operator's knowledge, to deliver a malware package to visitors: the watering hole attack.

An offended hacktivist group might focus worldwide resources on your organization because they didn't like a single tweet out of the thousands you've sent. Now you're the target of a spear phishing or whaling campaign trying to get access to your systems and bring your business down. Barring that, a DDoS campaign is a handy alternative. Hacktivism may have more supporters than you imagined.

Anybody in cyberspace can suffer an intrusion at any time. It's time to stop blaming the victim for cyber intrusions. At the same time, don't set yourself up as the instrument of your own failure. An aware user is always the first line of defense for both the administrative and operational sides of your network. Be the aware user.
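As an added illustration of the risk equation used above (Risk = Threat x Vulnerability x Cost), the following Python scores the four threat categories the article names, buckets the products into High, Moderate and Low, and re-scores one category after the vulnerability factor is lowered. This is example code written for this page, not the author's or DHS's method; every score, the 1..5 ordinal scale and the bucket thresholds are constructed assumptions chosen only to show how the multiplication behaves.

```python
"""Worked application of Risk = Threat x Vulnerability x Cost to the four
threat categories the article lists. Added example: every score below is a
constructed placeholder on a 1..5 ordinal scale, not a figure from the
article or from DHS."""

from dataclasses import dataclass, replace

SCALE_MIN, SCALE_MAX = 1, 5  # constructed ordinal scale for each factor


@dataclass(frozen=True)
class Assessment:
    category: str
    threat: int          # adversary intent and capability
    vulnerability: int   # how exposed the asset is to that adversary
    cost: int            # consequence if the threat succeeds


def risk_score(threat: int, vulnerability: int, cost: int) -> int:
    """Multiplicative risk per the article's equation; rejects out-of-scale input."""
    for name, value in (("threat", threat),
                        ("vulnerability", vulnerability),
                        ("cost", cost)):
        if not SCALE_MIN <= value <= SCALE_MAX:
            raise ValueError(f"{name}={value} outside {SCALE_MIN}..{SCALE_MAX}")
    return threat * vulnerability * cost


def rate(score: int) -> str:
    """Bucket a score into the article's High / Moderate / Low bands.
    Thresholds are assumptions: roughly the top, middle and bottom of 1..125."""
    if score >= 60:
        return "High"
    if score >= 20:
        return "Moderate"
    return "Low"


def rank(assessments):
    """Return (category, score, rating) tuples, highest risk first."""
    scored = [(a.category, risk_score(a.threat, a.vulnerability, a.cost))
              for a in assessments]
    scored.sort(key=lambda item: item[1], reverse=True)
    return [(name, score, rate(score)) for name, score in scored]


def with_vulnerability(assessment: Assessment, new_vulnerability: int) -> Assessment:
    """Model a mitigation: the vulnerability factor is the one a defender can
    change in the short term, so re-score with that factor adjusted."""
    return replace(assessment, vulnerability=new_vulnerability)


# Constructed assessments (assumptions, not the article's numbers). The cyber
# attack row gets a low vulnerability score to reflect the article's point that
# heterogeneous, expertise-bound ICS networks act as a layered defense, so a
# high cost alone does not produce a high risk.
CONSTRUCTED_ASSESSMENTS = [
    Assessment("Cyber crime", threat=5, vulnerability=4, cost=4),      # 80
    Assessment("Hacktivism", threat=3, vulnerability=3, cost=3),       # 27
    Assessment("Cyber espionage", threat=4, vulnerability=2, cost=4),  # 32
    Assessment("Cyber attack", threat=2, vulnerability=1, cost=5),     # 10
]

if __name__ == "__main__":
    for category, score, rating in rank(CONSTRUCTED_ASSESSMENTS):
        print(f"{category:16} {score:4d}  {rating}")
    hardened = with_vulnerability(CONSTRUCTED_ASSESSMENTS[0], 2)
    print("Cyber crime after reducing vulnerability to 2:",
          rate(risk_score(hardened.threat, hardened.vulnerability, hardened.cost)))
```

The point of the multiplicative form is that any one factor near the bottom of the scale pulls the whole product down, which is why the constructed cyber attack row rates Low despite the highest cost, and why halving the vulnerability factor on the cyber crime row moves it from High to Moderate without the threat or the cost changing at all.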