Cyber-Security – Part II: Characterizing the Market Opportunity in the Power Sector
- Vulnerability of the power system to cyber-attacks is increasing
- It isn't yet clear how the market structure for cyber-security products and services will evolve for the power sector
- Two important national programs that address the vulnerability of critical infrastructure of the power system to cyber-attacks have been underway at NERC and NIST
- The market opportunity is large, estimated variously at >$1 billion per year
- Large mature cyber-security companies from other sectors are now active in the power sector, with strong expertise in physical-and IT-related cyber-security protection products and services
- There may be less competition in the area of specialized power engineering for protecting distribution management systems, and equipment upstream of the distribution system
- There are a number of significant industry-specific market barriers for cyber-security businesses
- There is an unresolved cultural issue in utilities regarding the allocation of responsibility for IT-related versus power engineering-related cyber-security measures
For our initial SGiX cyber-security business case dialog, we presented “Cyber-Security – Part I: Simulation Results for the Costs of a Coordinated Attack on a Regional Power System” (link). In Part II of the business case dialog, we discuss the market for power systems cyber-security products and services.
Industry’s Potential Vulnerability to Cyber Attacks Is Increasing
There is considerable and visible concern within the electric power industry and among government policy-makers and regulators about the possibility of a coordinated cyber-security attack on the U.S. power system infrastructure, and the extent to which the system is vulnerable to such an attack.
Today’s power system is vulnerable to cyber-attacks for a number of reasons.
As the power system transitions into a smart grid, by definition its elements are becoming more inter-operable, providing new access pathways into utility operating systems for hackers. In addition, the deployment of Advanced Metering Infrastructure (AMI) significantly increases the number of the outer “attack edges” of the power system, making it more vulnerable to a multiple-point, coordinated cyber-attack at its edges. AMI itself creates vast amounts of granular data, providing another rich source for would-be hackers.
The system is also vulnerable because it consists of a mixture of communications and control systems of different vintages (“legacy systems” designed before cyber-security was an issue) -- it is in the middle of a transition from these legacy systems to smart grid systems with more protection, but it is far from completing that transition.
Adding to these risks is the increasing sophistication of cyber-attack teams and individual hackers.
Is There a New Business Opportunity for Smart Grid Cyber-Security?
Well, it isn’t clear yet how the market will evolve.
For example, is there an industry-specific business opportunity that is solely focused on cyber-security products and services for the power system sector?
Many competent businesses already provide the cyber-security products and services in other sectors of the economy in the three main cyber-security applications: (1) physical access systems, (2) information technology (IT) protection, and (3) industrial control systems (ICS) protection. In particular, almost all of the physical and IT-based applications can be ported directly to the power sector without any additional development, while the ICS applications have some similar features across industries.
There is a growing sense that the area most likely to spawn a specialized business is in the power system engineering side of the house. The operations there involve systems that are highly tailored to manage a very dynamic, instantaneous commodity whose supply and demand must be balanced approximately every 0.02 seconds. This presents special challenges for cyber-security applications.
In the past five years or so, a great deal of work has been done to analyze the physical-, IT-, and industrial controls systems-based vulnerability of the power system to cyber-attacks, focusing on its critical assets. the National Electricity Reliability Council (NERC), under a Federal directive to protect critical national infrastructure from cyber-attacks, has issued nine auditable Critical Infrastructure Protection Standards (“CIPS”) and mandated eleven “responsible entities” to implement the CIPS in the bulk power market.
In parallel, the National Institute of Standards and Technology (NIST) is leading a voluntary, phased initiative involving stakeholders across the electricity sector that has developed detailed draft communications and control standards for the smart grid as a whole. These include cyber-security provisions. NIST’s Smart Grid Interoperability Group (SGIP) has been a leader in these efforts.
There are clear overlaps between the NERC and NIST programs. It seems logical that these will be better coordinated and may even merge over time.
Market momentum will likely be boosted by the recent White House executive order. It instructs the National Institute of Standards and Technology to work with other agencies and private industry in developing a risk framework and best practices could improve public-private information sharing and spark the adoption of best cyber-security practices by the nation's critical infrastructure companies. Regulatory agencies that oversee critical infrastructure sectors are directed by the executive order to determine whether they can and should develop more forceful carrot and stick mechanisms to ensure adoption.
Market Size and Early Products and Services
The smart grid cyber-security market size has been estimated in January 2010 by Research and Markets at $1.2 billion in 2009, growing at about 21%/year. The market comprised substation automation, distribution automation, electric vehicle management, and AMI.
Frost & Sullivan (2007) estimated the utility physical and associated logistical security market at $1.3 billion annually with a growth rate of 9%/year. They noted that this segment of the cyber-security market is mature and highly competitive. We assume that this means that profit margins are tight.
The NERC CIPS were mandated for compliance by 2009 and auditability by 2010. Other policy and regulatory momentum are clearly building. These include discussions about certification requirements for critical infrastructure components and systems.
Specialized risk assessment, planning and configuration services seem to be the dominant types of business in the early going, with applications in SCADA, distribution management systems, and smart metering. Some vendors of distribution system components are incorporating protections directly into their products. Much of the market appears to be starting with retrofits and overlays of security protection for existing equipment in the field.
To date, the companies active in power sector cyber-security are mostly large with mature products in IT and physical security, already operating in multiple verticals. A number of large companies from the military-industrial complex with deep experience in cyber-security have also entered the power sector. Specialist cyber-security consulting companies are active. Some smaller companies that have specialized over the years in the power engineering aspects of the electricity industry constitute a small minority of the players in the market – EnerNex (an electric power research, engineering, and consulting firm, heavily involved in the NIST program) and N-Dimension Solutions (a “pure-play” cyber solutions company providing distribution system security and technical support to utilities complying with the NERC CIPS), come to mind. (Disclosure: Dom Geraghty provided due diligence services on N-Dimensions for an investor). Other interesting smaller companies include Industrial Defender (privately-owned and active in smart grid applications) and Garrettcom (acquired in 2010 by Belden Inc. (NYSE)).
Utilities cannot afford to have a cyber-security department. In fact, certified cyber-security specialists are scarce and in very high demand. So, there creates an opportunity for specialized consulting companies that can provide these as outsourced services to utilities and power system operators.
The main customers for power system-related cyber-security products and services are utilities worried about asset protection, reliability of service, and potential liabilities, ISOs concerned about regional reliability, and end-user customers concerned about business interruption.
Investors, in the main, do not like regulation-driven businesses, because regulations are a function of the political process. The early market has strong regulatory and policy drivers, and if utilities don’t appear to be making tough decisions in their self-regulating initiatives, the prospect of heavier mandating or required certification will become more likely. This will create increasingly viscous decision-making -- think about how long it takes to obtain UL certification today, as an analogy. Either way, the regulatory and political nature of these market drivers creates uncertainty.
Because of rising customer bills, utilities are facing head-winds in getting new expenditures into their rate base. Yet, they face enormous pressure from regulators and customers to maintain a very high level of service reliability. How will they decide to protect themselves against potential cyber-security attacks, i.e., high-impact, low-frequency (HILF) events which may never occur? Will special insurance be available as an alternative? Usually, acts of terrorism are not insurable. Could the Federal Government establish an insurance pool? If it does, how will that affect cyber-security product and services companies?
Cyber-security standards and mandates are being released incrementally and involve lengthy germination periods. The smart grid itself is a dynamic entity with communications and control systems evolving continuously. There is concern among utilities about complying with cyber-security mandates too early, only to have their cyber-protection solutions become obsolescent. We can imagine cases of “pilotitis”, similar to the AMI market, emerging – a “wait-and-see” strategy. Of course, hacking techniques will continue to evolve and protection against emerging techniques will also need to be dynamic.
Some utilities are making the case that many of their infrastructure assets are not “critical” because they are already protected by the utilities’ power system and the Independent System Operator’s contingency plans, both of which incorporate contingencies to allow for system flexibility for the case of unexpected outages.
Inside utilities, there has been an early cultural conflict related to who is responsible for cyber-security protection. The IT departments maintain that it is their responsibility because they have been protecting the company’s IT systems and physical access systems for years. The power engineering departments assert that specialized power system engineering expertise is necessary to incorporate and manage cyber-security protection within the industrial communication and control systems of the power system. So, who is the buyer of cyber-security products and services? Well, both?
Of course, a big, damaging, incident will change everything. But what’s the probability of that happening?
Dialog Question: What can we conclude about the cyber-security market for smart grid applications? Is there an entrepreneurial opportunity? What is the business case? Who pays the costs, who receives the benefits?
Please comment below in the comment box.