Securing the new IT infrastructure of the power grid against cyber-attack is going to be big business, but that’s not because it makes money for the utilities that are buying it. Instead, today’s smart grid cybersecurity investments are mostly about meeting regulations, satisfying shareholders, and trying to justify the costs based on what it’s trying to prevent.
Putting a dollar figure on averting the consequences of a successful cyber-intrusion is a risky business, of course. Utilities have to worry about everything from data theft to a full-blown attempt to take over grid assets in order to cause blackouts or overload generators. Reports of cyber-attacks on U.S. infrastructure by foreign actors, as well as hacks at the Defense Department and Department of Energy, have brought the issue into focus this year, and the Obama administration has issued an executive order demanding that the industries involved come up with a plan to deal with the threats.
Research firm Zpryme has just come out with its own forecast on what these trends add up to in terms of market opportunity, and it’s a pretty big chunk of change. According to the firm’s estimates, U.S. utilities will spend a cumulative $7.25 billion in security from now until 2020, with distribution automation assets as the core focus.
That seems to jibe with other figures out there. Pike Research, which is now owned by Navigant, predicted in 2011 that global utility cybersecurity spending would reach $14 billion through 2018, with about 63 percent of that spending aimed at the industrial control systems and SCADA networks used to control today’s grid assets. (We’ve seen wilder claims, such as GlobalData’s prediction of a $79 billion global market by 2020, which exceeds total smart grid spending figures in most of the world.)
Zpryme’s report finds that North America accounted for 42 percent of the global market in 2012, with Europe at 30 percent and Asia-Pacific at 17 percent, but the report also finds that China will overtake the U.S. as the largest market by 2017, leaving the Asia-Pacific region with 35 percent of the market by 2020. Over the same time span, China, Japan, South Korea, and Russia will see growth rates of 40 percent and up, the report predicted.
GTM Research’s 2010 Smart Utility Enterprise report predicted the U.S. market for cybersecurity products and services would grow from $120 million in 2011 to $237.6 million in 2015, making it the second-largest segment of operations behind distribution automation in terms of software costs. It’s hard to calculate just how those predictions have played out so far in the real world, however, as costs have been spread amongst individual equipment vendors, software partners, and utility operations and IT departments, as well as tucked away inside budgets for broader smart grid system activation and back-end IT integration.
As the 2010 GTM Research report put it:
"We expect a robust market for cybersecurity planning services over the next 18 to 24 months, followed quickly by a wave of spending on technologies like firewalls, identification and authentication, and data encryption. We expect low-seven-figure annual spending on security planning services from the top 20 to 30 North American utilities leading the smart grid charge between 2011 and 2013, with a second tier of smaller organizations making mid-six-figure investments in planning. Slightly larger tactical investments in security technologies will happen in parallel. We expect a major wave of spending on enterprise security software and implementation services to follow as leading utilities begin to understand the seriousness of their vulnerabilities and develop comprehensive security strategies in response."
How far along the industry is toward that vision is hard to say. After all, one of the key tenets of cybersecurity is that you don’t talk about cybersecurity -- at least, not the specifics of how you’re discovering, isolating, eliminating and building new protections against new intrusions and attacks that change from day to day.
Those threats can range in intent from simple intrusion and data theft, to full-scale attempts to take over control systems, and can vary in sophistication from cheesy password-stealing scams to sophisticated “advanced persistent threats” coming from shadowy government-backed, quasi-criminal "hacktivist" and mercenary groups.
On the side of the good guys, we’ve seen a major push for utilities around the globe to secure their infrastructure, whether that means locking gates and doors at isolated substations, making sure smart meters on the edges of their mesh networks are secure, or installing the latest cyber-intrusion detection schemes and professional support services, along the lines of what the banking and telecommunications industries have done.
We’ve also seen a bit of investment activity on that front. Foxboro, Mass.-based Industrial Defender won a strategic investment from customer ABB in 2011, and N-Dimension raised a $3.85 million round A last year. Silicon Valley startup Cylance raised $15 million in venture capital earlier this year, and boasts employees including former Homeland Security cyber-responders and a pair of software engineers whose cybersecurity exploits of the world’s SCADA industrial control systems are publicly available via videos of their “100 bugs in 100 days” presentations. (Navigant’s Pike Research predicted in December that the market for smart grid industrial control system cybersecurity will grow from $369 million last year to $608 million by 2020, indicating a small but growing appetite amongst the world's controls giants to plug these well-publicized holes.)
Other companies in the space include Mocana, which helps big utilities find and fix security holes in remote terminal unit (RTU) and programmable logic controller (PLC) technology used in smart grid systems; Wurldtech, which does cybersecurity testing and certification for some of the world’s biggest automation equipment makers; and FireEye, a startup that builds a “virtualized hardware environment” that recreates a customer’s IT system and then exposes it to real-world attack, thus catching and defending against cyberthreats as they emerge. At the same time, all the major IT giants and integration experts in the smart grid space -- IBM, Cisco, Microsoft, Accenture, Capgemini, Lockheed Martin, Boeing, SAIC, etc. -- are promising cutting-edge security as part of the reason utilities should work with them.
In North America, much of that spending is being driven by the North American Electric Reliability Corporation (NERC)’s Critical Infrastructure Protection (CIP) requirements. Covering the U.S. and Canada, these rules come with stiff fines of up to $1 million per day for utilities that can’t prove they’re meeting security guidelines, and newer versions add a lot more serial-connected smart grid assets to their purview. The Department of Energy's $4.5 billion in stimulus grants also came with cybersecurity strings attached, as outlined by the ongoing government-industry work being coordinated by the U.S. National Institute of Standards and Technology, or NIST.
Other parts of the world have their own regulations in place for how to secure the grid. The European Union’s cybersecurity agency, ENISA, is building a framework that, in “contrast to the U.S.’ strict regulatory path,” is aimed at a risk-based approach that allows “a certain degree of ‘freedom’” to the utilities and technology partners involved.