Even after all the reported attacks and threats, utilities still view security as a cost center and remain challenged to allocate security funding beyond compliance minimums.
But there is progress, according to Pike Research’s Smart Grid Industrial Control System Security report on the smart grid.
Although it is moving at a snail’s pace, discussion of ICS security among utilities, vendors, systems integrators, and public regulators is more common now.
Along those lines, the market for smart grid ICS cyber security will reach $369 million in 2012 and grow to $608 million by 2020, according to the report.
Utilities as a group appear better informed about cyber risks to their grids and substations. Operations teams are more aware of cyber security issues and expect vendors to understand how their grids operate before they will discuss any purchases, according to the report.
Services engagements are more common than they were one year ago, which could mean more cyber security deployments within the next one to two years. However, the level of education varies from one utility to the next, with some driving the dialogue while others ask open-ended questions such as, “What do I need to do to secure my distribution grid?”
Security providers that specialize in control systems security remain optimistic – they are receiving more requests for proposals (RFPs) than ever and have a great deal of work. In contrast, general-purpose security vendors take a mixed view of the market, with some vendors not yet seeing growth.
Vendor approaches to the market also vary: Some strategically propose a full cyber security solution for an entire control network, while others take a more tactical approach and propose only solving specific problems. Whether taking a strategic or a tactical approach, security providers must orient their discussions with utilities around solving operational and business problems, not technical concepts.
Technology innovation for smart grid ICS security remains stagnant, the report said.
One vendor said, “For the past three years, I have seen the same vendors at every conference, giving the same presentations.” The selection of products available today is sufficient to secure a control system. However, more innovation would be welcome, especially in the areas of threat management and staff efficiency.
The main obstacle to secure control systems is simply the will to allocate enough budget to achieve a secure environment. Despite the improved awareness, utilities remain challenged to allocate security funding beyond that needed for compliance minimums.
“The shallow growth curve for ICS cyber security through the remainder of the decade reflects utilities’ historically measured approach to technology upgrades—the focus on reliability trumps any abrupt shift to the next great thing,” said senior research analyst Bob Lockhart.
“Despite the improved awareness of potential threats and risks, many utilities remain reluctant to allocate security funding beyond that needed for compliance minimums,” he said. “That will change as the technology improves, prices go down, and the cost of complacency becomes more apparent.”