The smart grid has a huge challenge ahead of it when it comes to securing itself against cyberattack -- it's called critical infrastructure protection, or “CIP" for short. It's hard to protect a system that combines decades-old, legacy electromechanical equipment with the latest in sensor, communications and control technologies, all being accessed via the internet by utility workers in the office and afield, multiple third-party vendors, or even customers themselves. Even harder for utilities, perhaps, is figuring out how to justify the cost of security against the unknown risks, which can range from business-as-usual to catastrophic.
But, with news of Chinese hackers (allegedly) breaking into smart grid vendor systems, as well as such sacrosanct data stores as the Defense Department and Department of Energy, it looks like CIP and cybersecurity are no longer going to be an option. The Obama administration issued an executive order this week demanding “increasing information sharing” among industry partners on cybersecurity, as well as a jointly developed strategy and framework to guide utilities, power plant operators, chemical and oil and gas plants, and other critical infrastructure managers in securing their assets.
All of this makes it a good time for a CIP cybersecurity startup to raise money. Cylance, the Irvine, Calif.-based startup founded last year by former McAfee CTO Stuart McClure with a focus on enterprise-wide infrastructure cyberprotection, announced Wednesday that it has raised $15 million in venture capital from Khosla Ventures and Fairhaven Capital.
Cylance has brought on board experts including retired Admiral William J. Fallon as a board member, and Eric Cornelius, former deputy director and chief technical analyst for the Department of Homeland Security (he led the ICS-CERT response team that's looked into recent reports of infrastructure hacks).
Two other Cylance employees, Billy Rios and Terry McCorkle (formerly of Google and Boeing, respectively), are well known for their private work exposing holes in the supervisory control and data acquisition (SCADA) systems of a number of key global SCADA vendors, including Schneider Electric, General Electric, Siemens and others (check out the duo’s “100 bugs in 100 days” project for more details). Cylance bought Rios and McCorkle’s firm, SpearPoint Security Services, last month, and also bought Skout Forensics, an “automated forensic acquisition” technology startup, in December.
As for how Cylance goes about its protective tasks, it’s called “Presponse” security, and the company’s website describes it as “response that will not only detect a compromise inside an organization, but also determine its attack vector and source, and predict the most likely path of attack for the future.”
In a December interview with VentureBeat, McClure described what Cylance does in a four-step process. First, the company takes a full inventory of critical infrastructure at a customer, including electric, gas and water systems, telecommunications, critical healthcare assets, and the like. Then it tallies all connection points (web services interfaces, key card readers, customer end-devices like smart meters or thermostats) that could yield an access point for intrusion. Then, it does a full assessment of the company’s exposure to risks associated with the potential (or discovered) flaws in protection. Finally, it also provides a service to help predict and plan responses to future attacks or intrusion attempts.
All in all, it sounds a bit like the critical infrastructure change management technology and expertise being offered by Industrial Defender, the Foxboro, Mass.-based company with big grid clients including Schneider Electric’s Telvent and ABB, which is also a strategic investor. Industrial Defender’s key task is to track and verify all the changes that come along with, for example, connecting a legacy SCADA system to an enterprise service bus serving the utility at large, to ensure they don’t open any holes in security -- and then to manage that ongoing process of change as the system keeps evolving.
Of course, cybersecurity is a complicated field, with many different tasks to manage. Companies in the space include N-Dimension, which raised a $3.85 million Series A round last year; Mocana, which helps big utilities find and fix security holes in remote terminal unit (RTU) and programmable logic controller (PLC) technology used in smart grid systems; Wurldtech, which does cybersecurity testing and certification for some of the world’s biggest automation equipment makers; and FireEye, a startup that builds a “virtualized hardware environment” that recreates a customer’s IT system and then exposes it to real-world attack, thus catching and defending against cyberthreats as they emerge.
All of these CIP-focused companies will be working with one another, and with the IT giants in the smart grid field, to ensure a holistic, “defense-in-depth” approach to cybersecurity. A big part of good cybersecurity lies not in preventing all attacks -- an impossible task -- but in catching, containing, eliminating and then learning from all the attacks that keep coming in, day after day -- and that means that the more information the good guys share, the better the security becomes. (The same can be true for the bad guys, of course.)
Just how to measure the market potential for cybersecurity services and expertise in the smart grid field remains a much trickier matter. Right now, the main source of revenue for many is in helping utilities comply with the various audits and reports they need to turn in to regulators. NERC-CIP, the set of guidelines North American utilities must follow or face multi-million-dollar fines, recently went through a revision that adds a lot more smart grid technology to its purview, and will be asking utilities to meet those new guidelines over the coming year, to take one example.
The National Institute of Standards and Technology (NIST), a big player in setting smart grid standards, is also a key player in the cybersecurity field. President Obama’s new executive order names NIST as the key coordinator of a new effort to “develop the framework relying on existing international standards, practices, and procedures that have proven to be effective” in critical infrastructure protection. That, of course, can include everything from making sure all the doors are locked and the passwords set to anything other than “password,” all the way to high-tech cyber-counter-espionage. Stay tuned for a lot more developments on this front.