cyber security SPONSORED BY INTELLIGENCE BY ZPRYME | ZPRYME.COM | SMARTGRIDRESEARCH.ORG © 2013 ZPRYME RESEARCH & CONSULTING, LLC. ALL RIGHTS RESERVED. survey JANUARY 2013 Table of Contents Decision Making about Cybersecurity.................................................. 15 Real-Time Overlay for Visualization of Security Status ........................ 15 Executive Summary .................................................................................... 2 Scalable Security “Dashboard” for Monitoring Security Status ......... 16 About This Report ....................................................................................... 2 Cyber Securitity Importance to Ensure Reliability and Resilience .... 16 Methodology .............................................................................................. 2 Providers of Cyberattacks Solutions ...................................................... 17 Major Findings ............................................................................................. 2 IT-based Security – Securing the Electrical Grid .................................. 17 Cybersecurity Survey Implications and Recommendations .................. 4 Need for Cybersecurity Legislation ....................................................... 18 Market Implications .................................................................................... 4 Zpryme Outlook ........................................................................................ 19 Recommendations .................................................................................... 5 Conclusions ................................................................................................. 5 Survey Respondent Characteristics .......................................................... 7 Organization Size ........................................................................................ 7 Title Within Organization ............................................................................ 7 Industry Type................................................................................................ 8 Utility Type .................................................................................................... 8 Cybersecurity Survey Detailed Findings ................................................... 9 Priority of Automation Security Real-time systems for Utilities .............. 9 Least Secure Segment of the Electrical Grid ......................................... 9 Overall Security of Electrical Networks in the U.S. ............................... 10 Expected Cyberattacks on U.S. Utilities in 2013 ................................... 10 Concern for Potential Cyber and Network Attacks ........................... 11 Major Risks Associated with Cyberattacks ........................................... 11 Benefits of Secure Automation Technology ........................................ 12 Expected Cybersecurity Investments in 2013 ...................................... 12 Roles Standards Play in Security Automation....................................... 13 Security Automation Demand by Technology .................................... 13 Technologies Most Vulnerable to Cyberattacks ................................. 14 Annual Utility Cybersecurity Budget ...................................................... 14 1 www.zpryme.com | www.smartgridresearch.org | www.viasat.com Copyright © 2013 Zpryme Research & Consulting, LLC All rights reserved. ViaSat Presents: Utility Cybersecurity Study | January 2013 Executive Summary A hacker wearing a fake beard and dark sunglasses took the stage at a computer security conference in Miami, Florida this month and showed a group of about 60 security researchers how to intercept smart grid radio communications.1 “If you can understand the way these systems speak to one another, the potential to hack them is very real.” - Atlas, January 17, 2013 Building the utility of the future is expected to yield numerous benefits such as lower power losses, cleaner power, lower electricity bills, and a healthier environment. In fact, Smart Grid investments to date have been largely in technologies that can yield these benefits. However, the consequences of not securing a digital grid connecting billions of devices such as smart meters, electric vehicles, sensors, intelligent electronic devices, transformers, smart phones, and home energy monitoring systems are just now being seriously discussed. Simply put, Smart Grid rollouts across the globe provide more “entry ways” for potential hackers or cyberattacks to cause electrical disturbances. Utilities, global utility conglomerates, niche solution providers, government stakeholders, and security experts across the globe are working tirelessly to develop standards, protocols, and system architectures that address Smart Grid cybersecurity. To assist in this effort, Zpryme‟s Smart Grid Insights and ViaSat have set out to address several issues around utility cybersecurity, and identify vulnerable parts of electrical systems and networks. Overall, the major findings in this report show that utilities are becoming increasingly cognizant of credible threats to their electrical systems and networks. More importantly, utilities are now prepared to install cybersecurity systems that can identify, isolate, and mitigate attacks to prevent catastrophic system disturbances. About This Report The purpose of this report is to assess the overall cybersecurity threat faced by utilities, and identify the key benefits of cybersecurity investments. Additionally, this report identifies key budgeting considerations for cybersecurity, and where these funds are most likely to be spent. And finally, this report outlines system architectures or approaches that will best provide grid security. Methodology Zpryme surveyed 213 Smart Grid and utility professionals in November of 2012. Respondents were asked 21 questions. The survey was conducted over the internet. Major Findings Nearly half (47%) of the respondents believed automation security belonged in the top 10% of all priorities for utilities. http://bits.blogs.nytimes.com/2013/01/17/a-hacker-says-smart-grid-can-bepenetrated/ 1 2 www.zpryme.com | www.smartgridresearch.org | www.viasat.com Copyright © 2013 Zpryme Research & Consulting, LLC All rights reserved. ViaSat Presents: Utility Cybersecurity Study | January 2013 The least secure of an electricity grid‟s components were the end user segment and the distribution system; and only 4% of the sample said that U.S. electricity grids were very secure. Over half (52%) believed that IT-based solutions alone were insufficient for securing the electrical grid. The most important role that standards play in implementing security automation technologies was to ensure interoperability among components. Seventy-seven percent of the respondents reported that cyberattacks on U.S. utilities would increase in 2013 with power outages and damage to electricity control systems being the major impacts. The top-rated benefit of secure technology was reliable service. automation Nearly two-thirds of the sample (65%) said investments in cybersecurity in 2013 would increase, with private industry software companies and system integrators providing the best systems to thwart cyberattacks. This sample said the average organization amount being budgeted for cybersecurity was $1,450,000 annually. Almost three-fourths (73%) felt that the Cybersecurity Act of 2012 should have been passed. 3 www.zpryme.com | www.smartgridresearch.org | www.viasat.com Copyright © 2013 Zpryme Research & Consulting, LLC All rights reserved. ViaSat Presents: Utility Cybersecurity Study | January 2013 Cybersecurity Survey Implications and Recommendations The survey results (presented in figures 1 – 21) in this report offer key insights about how utilities will proceed with cybersecurity projects in the near future. In this section we present the major implications of the data, and recommendations that can assist in advancing cybersecurity deployments. Market Implications Several implications of the survey supplement evidence from published articles about cybersecurity. Survey respondents noted that security issues involve the IT sector as well as operations technology. And there is some evidence that security spending over the next three years could be heaviest on equipment protection and management.2 Although survey data reflected that the end user was less secure than the distribution system, requiring more security automation, other evidence suggests that the distribution system will reap more benefits from security spending than from an advanced metering system.3 Both, in fact, require substantial “shoring up” to reduce cyberattack risks. Further, Pike Research forecasts more investment in smart grid control systems transmission upgrades, substation automation, distribution automation than in smart metering.4 Whitney, L. http://news.cnet.com/8301-1009_3-10447430-83.html, 2010. www.pikeresearch.com/research/smart-grid-cyber-security, 2011. 4 Lockhart, B. and Gohn, B. Utility Cybersecurity: Seven Key Smart Grid Security Trends to Watch in 2012 and Beyond. Pike Research. 2011. 2 3 4 www.zpryme.com | www.smartgridresearch.org | www.viasat.com Copyright © 2013 Zpryme Research & Consulting, LLC All rights reserved. Hackers, terrorists, industrial spies, criminals, and disgruntled employees are all potential threats to the electrical grid. There are two major pathways into the electrical grid: the internet and wireless networks.5 The NIST- published report in 2010 identified 137 interfaces points of data exchange within or between smart grid systems and subsystems where opportunity exists for security breaches.6 A fullspectrum of security measures is needed to best protect the electrical grid. Tight security for industrial controls, physical security such as cameras, badge access, and perimeter security are all crucial to limit unwanted access.7 Politics are a consideration for creating and enforcing cybersecurity standards. Survey respondents supported the recent Senate-rejected Cybersecurity Act of 2012. However, some experts are concerned that the division of responsibility between state and federal regulations requires clarification.8 Further, evidence implies that utilities are more concerned about regulatory compliance than achieving effective cybersecurity.9 Political uncertainty also impacts utilities‟ willingness to follow guidelines until they are enforceable.10 And the lack of enforceability creates a reluctance to invest until laws have been enacted. Goldman, C. FreeWave Technologies. www.elp.com/articles/powergrid_international/print/volume-17/, 2012. 6 www.nist.gov/public_affairs/releases/nist-finalizes-initial-set-of-smart-grid-cyber-securityguidelines, 2010. 7 www.accenture.com/us-en/Pages/insight-critical-infrastructure-protection-smart-grid/, 2012. 8 http://dailycaller.com/2012/07/25/report-utilities-focused-on-regulatory-complianceinstead-of-cybersecurity/, 2012. 9 Ibid. 10 Lockhart, B. and Gohn, B. Utility Cybersecurity: Seven Key Smart Grid Security Trends to Watch in 2012 and Beyond. Pike Research. 2011. 5 ViaSat Presents: Utility Cybersecurity Study | January 2013 The entire system, IT and operational technology, has to become the focus for cybersecurity implementation. When separate system components are secure, this does not mean that the entire system is safe. A cybersecurity architecture is needed for a system-level approach. Recommendations 1. Utilities should strive for real-time situational intelligence visualization of the security posture of their operational technology (OT) systems. Attacks on utility OT systems can easily cause millions of dollars in damages, and reduce customer confidence in their electricity provider. Real-time situational awareness of OT systems gives utilities actionable data so they can significantly mitigate any potential threats in a timely manner. 2. Utilities should recognize that threats can originate both inside and outside the utility‟s systems. For example, compromised supply chains where malware is embedded in new equipment or anyone with access to a utility‟s system can use a simple USB thumb drive to execute an internal attack. 3. The multiple networks (and silos) across a utility system make both IT and OT systems vulnerable to cyberattacks. Multiple networks often have varying degrees of security and often do not integrate with one common system, leaving „security gaps‟ that hackers can easily identify. Thus, utility cybersecurity systems should enable integration of OT and IT networks and scale across multiple service territories and systems. 5 www.zpryme.com | www.smartgridresearch.org | www.viasat.com Copyright © 2013 Zpryme Research & Consulting, LLC All rights reserved. 4. Utilities should work closely together with vendors that use standards based architecture that will enable them to implement scalable security systems that work in a multi-vendor environment. 5. Defense in depth is strongly advocated for cybersecurity by implementing multiple levels of security to achieve: Prevention Detection Identification Mitigation Threats will continue to evolve, but a multi-layered approach to security is a critical defensive strategy 6. As new technologies drive OT and IT network convergence, utilities should establish a specialized representative or office where security accountability for all networks is priority one. Conclusions Electric utilities are recognized as perhaps the most fundamental critical infrastructure sector, and thus need to be protected from the cascading effect of both physical events and cyberattacks. The drive towards pervasive automation calls specific attention to the need for integrated cyber-physical security systems that will enable the advances in technology to truly deliver on the promise of improved efficiency, resiliency and reliability. ViaSat Presents: Utility Cybersecurity Study | January 2013 The Stuxnet cyberattack using a highly sophisticated computer worm during the summer of 2010 demonstrated that control networks (i.e., Siemens industrial softwareSCADA) are no longer secure simply because they are isolated from the electrical network.11 The attack has led to a critical need to upgrade electrical grid security. The utility industry will be spending significant money on cybersecurity (some reports as much as $21 billion by 2015 around the globe).12 Therefore, the security investments need to be coordinated among all stakeholders to promote effectiveness across the utility industry. The aging infrastructure combined with unique regional needs means each utility provider will have to examine its own specific security needs to customize a response to counter potential threats. Lockhart, B. and Gohn, B. Utility Cybersecurity: Seven Key Smart Grid Security Trends to Watch in 2012 and Beyond. Pike Research. 2011. 12 Whitney, L. http://news.cnet.com/8301-1009_3-10447430-83.html, 2010. 11 6 www.zpryme.com | www.smartgridresearch.org | www.viasat.com Copyright © 2013 Zpryme Research & Consulting, LLC All rights reserved. ViaSat Presents: Utility Cybersecurity Study | January 2013 Survey Respondent Characteristics Organization Size Title Within Organization More respondents (45%) were located in organizations with less than 100 employees than in any other size range. Other organization size responses were: 101 – 500 (12%), 501 – 1000 (6%), 1001 – 5000 (14%), 5001 – 10,000 (6%), and those with over 10,000 employees (18%). A sample average was 2878. The sample was composed of: 36% professional/staff, 31% executives, 19% management personnel, 2% operations, and 11% “other.” How many employees are in your organization? (figure 1, source: Zpryme) What is your title within your organization? (figure 2, source: Zpryme) Operations, 2% Other, 11% Over 10,000, 18% 1,001 – 5,000, 14% Executive (CEO, VP, Director), 31% Less than 100, 45% 5,001 – 10,000, 6% Professional/ staff, 36% Management, 19% 101 – 500, 12% 501 – 1,000, 6% 7 www.zpryme.com | www.smartgridresearch.org | www.viasat.com Copyright © 2013 Zpryme Research & Consulting, LLC All rights reserved. ViaSat Presents: Utility Cybersecurity Study | January 2013 Industry Type Utility Type Respondents classified themselves as: a consultant (business, technical, engineering) (25%); a vendor (integrator, technology, electrical equipment, etc.) (32%); a utility employee (24%); a nonprofit organization employee (4%); a power generation organization employee (4%); a state/federal government employee (2%); or from other industries (9%). The types of utilities where respondents were employed were: investor-owned utility (41%), municipal (27%), federal/state owned (15%), and cooperative (11%). Another 6% said other (than one of these four types). What industry are you currently in? (figure 3, source: Zpryme) Nonprofit State/federal government, 2% organization, 4% At what type of utility are you employed? (figure 4, source: Zpryme) Other, 9% Consultant (business, technical, or engineering), 25% Other, 6% Federal/State Owned, 15% Utility, 24% Coop, 11% Vendor, 32% 8 www.zpryme.com | www.smartgridresearch.org | www.viasat.com Copyright © 2013 Zpryme Research & Consulting, LLC All rights reserved. Power generation, 4% IOU, 41% Muni, 27% ViaSat Presents: Utility Cybersecurity Study | January 2013 Cybersecurity Survey Detailed Findings Priority of Automation Security Real-time systems for Utilities Least Secure Segment of the Electrical Grid The respondents believed that automation security was important for utilities‟ real-time systems and should be placed in the top 50% of all priorities, with 25% saying top 5%, 22% saying top 10%, 23% saying top 25%, and 29% saying top 50% of all priorities. In fact, nearly half (47%) said automation security belonged in the top 10% of all priorities. The largest group of respondents (43%) said that the end user segment was the least secure component of the electricity grid. The distribution system was next less secure (38%), with the transmission system (14%) and the generation system (5%) both lowest security risks. The end user and distribution system appear most vulnerable to security threats. What priority should automation security for the realtime systems have for utilities? (figure 5, source: Zpryme) When considering the entire electrical grid, what segment is least secure? (figure 5, source: Zpryme) 50% 35% 25% 43% 45% 29% 30% 38% 40% 25% 22% 23% 35% 30% 20% 25% 15% 20% 10% 14% 15% 10% 5% 2% 0% Top 5% of all priorities Top 10% of all Top 25% of all Top 50% of all priorities priorities priorities Not a priority issue at all 9 www.zpryme.com | www.smartgridresearch.org | www.viasat.com Copyright © 2013 Zpryme Research & Consulting, LLC All rights reserved. 5% 5% 0% Generation Transmission Distribution End users ViaSat Presents: Utility Cybersecurity Study | January 2013 Overall Security of Electrical Networks in the U.S. Expected Cyberattacks on U.S. Utilities in 2013 When considering electrical networks in the U.S. as a whole, only 4% of the sample believed they were very secure. Forty-three percent said the networks were somewhat secure, 39% said somewhat insecure, and 15% said very insecure. Respondents were asked to predict how cyberattacks on U.S. utilities would change in 2013. While 23% believed attacks would stay the same, 77% said they would increase (20% would be focused on information technology (IT) systems, 57% on both IT and operations technology). Overall, how secure are electrical networks in the U.S.? (figure 6, source: Zpryme) How do you expect cyber attacks on U.S. utilities to change in 2013? (figure 6, source: Zpryme) 60% 50% 57% 43% 50% 39% 40% 40% 30% 30% 23% 20% 15% 10% 10% 4% 0% Very secure 20% 20% Somewhat secure Somewhat insecure Very insecure 10 www.zpryme.com | www.smartgridresearch.org | www.viasat.com Copyright © 2013 Zpryme Research & Consulting, LLC All rights reserved. 0% 0% Increase in Increase in frequency, but still frequency, but focus on the IT expand to include systems both OT and IT systems Stay the same Decrease in frequency ViaSat Presents: Utility Cybersecurity Study | January 2013 Concern for Potential Cyber and Network Attacks Major Risks Associated with Cyberattacks Nearly two-thirds (63%) said utilities should be very concerned about the potential for cyber and network attacks, with 33% saying moderately concerned, and the remainder (5%) saying slightly concerned. The major risks associated with cyberattacks on a utility distribution system were reported as (in descending order of frequency): power outages (44%), damage to electricity control systems (22%), financial losses and fines (9%), denial of service (8%), damage to operations equipment (7%), and safety equipment failure (5%). Another 5% said risks (other than those in this list) would occur. What concern level should utilities have about the potential for cyber and network attacks? (figure 7, source: Zpryme) What is the major risk that is associated with a cyber attack on a utility’s distribution system? (figure 8, source: Zpryme) 50% 70% 44% 63% 60% 40% 50% 30% 40% 33% 22% 30% 20% 20% 10% 10% 5% 5% 5% Safety equipment failure Other 7% 8% 9% 0% 0% Very concerned Moderately concerned Slightly concerned Not concerned at all 11 www.zpryme.com | www.smartgridresearch.org | www.viasat.com Copyright © 2013 Zpryme Research & Consulting, LLC All rights reserved. 0% Damage Denial of Financial Damage to service losses and to operations fines electricity equipment control systems Power outages ViaSat Presents: Utility Cybersecurity Study | January 2013 Benefits of Secure Automation Technology Expected Cybersecurity Investments in 2013 The sample was next asked to rate the benefits of secure automation technology by using a scale where 1 = lowest benefit and 6 = greatest benefit. Benefit ratings were; reliable service (4.58), accurate network information (4.36), positive control of safety systems (4.33), low/no fraudulent activities (4.06), and low/no power losses (4.02). Expectations about how utilities would change their investments in cybersecurity in 2013 were pulsed. Sixty-five percent of the sample said investments would increase; 34% said investments would remain stable; but only 1% said investments would decrease. How do you expect utilities to change their investments for cybersecurity in 2013? (figure 10, source: Zpryme) Rating of the following benefits of secure automation technology? (figure 9, source: Zpryme) 5.00 4.33 4.50 4.02 4.00 4.36 4.58 4.06 70% 65% 60% 3.53 50% 3.50 3.00 40% 34% 2.50 30% 2.00 1.50 20% 1.00 10% 0.50 1% 0.00 Other Low/no Low/no power losses fraudulent activities Positive control of safety systems Accurate network information 12 www.zpryme.com | www.smartgridresearch.org | www.viasat.com Copyright © 2013 Zpryme Research & Consulting, LLC All rights reserved. Reliable service 0% Increase investment level Keep the same investment level Decrease investment level ViaSat Presents: Utility Cybersecurity Study | January 2013 Roles Standards Play in Security Automation Security Automation Demand by Technology The most important role that standards play in implementing security automation technologies was to ensure interoperability among components for 41% of these respondents. Another 23% reported that providing acceptable protection levels was most important, with 17% saying to enable communications across utilities, and 16% saying to provide metrics to measure security status. The technology that will see the strongest demand for security automation and applications (in descending order of frequency) was: smart meters/AMI (32%), distribution automation (26%), upgrade of existing transmission and distribution equipment (18%), advanced transmission monitoring systems (15%), and substation automation (10%). What is the most important role that standards play in implementing security automation technologies? (figure 11, source: Zpryme) Which technology will see the strongest demand for security automation technologies and applications? (figure 12, source: Zpryme) Ensure interoperability among components 41% Provide acceptable protection levels 10% 15% Substation automation 3% 0% 18% Advanced transmission monitoring systems 16% Other 26% Upgrade of existing transmission and distribution equipment 17% Provide metrics to measure security status 32% Distribution automation 23% Enable communication across utilities Smart meters/AMI 20% 30% 40% 13 www.zpryme.com | www.smartgridresearch.org | www.viasat.com Copyright © 2013 Zpryme Research & Consulting, LLC All rights reserved. 50% 10% 0% 10% 20% 30% 40% ViaSat Presents: Utility Cybersecurity Study | January 2013 Technologies Most Vulnerable to Cyberattacks Annual Utility Cybersecurity Budget The technology that is most vulnerable to cyberattacks is: operations and information technologies equally (47%), information technology (35%), and operations technology (18%). Clearly, information technology has the highest risk. Their organizations were budgeting differing amounts for cybersecurity on an annual basis: less than $100,000 (25%), $100,001 to $500,000 (30%), $500,001 to $1,000,000 (5%), $1,000,001 to $2,500,000 (20%), $2,500,001 to $5,000,000 (10%), and over $5,000,000 (10%). Although around half (55%) spent $500,000 or less, the average amount for the entire sample was $1,450,000 annually for cybersecurity, which is substantial. Which technology is most vulnerable to cyber attacks? (figure 13, source: Zpryme) 50% 47% How much is your organization budgeting annually for cybersecurity? (figure 14, source: Zpryme) 35% 45% 30% 30% 40% 35% 35% 25% 30% 25% 20% 20% 25% 20% 15% 18% 15% 10% 10% 10% 5% 5% 5% 10% 0% 0% Operations technology Information technology Operations and information technologies equally 14 www.zpryme.com | www.smartgridresearch.org | www.viasat.com Copyright © 2013 Zpryme Research & Consulting, LLC All rights reserved. Less than $100,000 $100,001 to $500,001 to $1,000,001 to $2,500,001 to Over $500,000 $1,000,000 $2,500,000 $5,000,000 $5,000,000 ViaSat Presents: Utility Cybersecurity Study | January 2013 Decision Making about Cybersecurity Real-Time Overlay for Visualization of Security Status The organizational level where decisions are made about cybersecurity was: executive (CEO, VP) (37%), management (47%), or professional/staff (16%). Having a real-time overlay for visualization of their organization‟s security status was important (28% said very important, 72% said moderately important) to these respondents. At what organization level are decisions made about cybersecurity? (figure 15, source: Zpryme) 50% 47% How important to your organization would a real-time overlay for visualization of security status be? (figure 16, source: Zpryme) 80% 72% 70% 40% 37% 60% 50% 30% 40% 20% 16% 30% 28% 20% 10% 10% 0% Executive (CEO, VP) Management Professional/staff 15 www.zpryme.com | www.smartgridresearch.org | www.viasat.com Copyright © 2013 Zpryme Research & Consulting, LLC All rights reserved. 0% Very important Moderately important 0% 0% Slightly important Not important at all ViaSat Presents: Utility Cybersecurity Study | January 2013 Scalable Security “Dashboard” for Monitoring Security Status Cyber Security Importance to Ensure Reliability and Resilience And having a scalable security “dashboard” to monitor their organization‟s security status was felt to be useful for them: 22% said very useful, 56% said moderately useful, and 22% said slightly useful. A strong majority (82%) said that cybersecurity was very important to ensuring the electricity grid reliability and resiliency. Fewer said cybersecurity was moderately (16%) or slightly (2%) important. How important is cybersecurity to ensuring the electrical grid’s reliability and resiliency? (figure 18, source: Zpryme) How useful would a scalable security “dashboard” be for monitoring your organization’s security status? (figure 17, source: Zpryme) 60% 56% 90% 82% 80% 50% 70% 40% 60% 50% 30% 22% 40% 22% 20% 30% 16% 20% 10% 10% 0% 0% Very useful Moderately useful Slightly useful Not useful at all 16 www.zpryme.com | www.smartgridresearch.org | www.viasat.com Copyright © 2013 Zpryme Research & Consulting, LLC All rights reserved. 2% 0% Slightly important Not important at all 0% Very important Moderately important ViaSat Presents: Utility Cybersecurity Study | January 2013 Providers of Cyberattacks Solutions IT-based Security Solutions – Securing the Electrical Grid When asked who will provide the best solutions to thwart cyberattacks on utilities, respondents said: private industry software companies (42%), system integrators (27%), utility companies themselves (14%), or private hardware companies (9%). An “other” category (than these four choices) was chosen by an additional 9% of respondents. Two final statements were provided and respondents were asked for their level of agreement. The first statement was: “IT-based security solutions are sufficient for securing the electrical grid.” About half (48%) agreed with this statement (7% strongly, 41% somewhat) with slightly more (52% disagreeing (28% somewhat, 24% strongly). Slightly more than half of the sample believed more than just IT is involved in securing the electrical grid. Who will provide the best solutions to thwart cyber attacks on utilities? (figure 19, source: Zpryme) How much do you agree with this statement: “IT-based security solutions are sufficient for securing the electrical grid.” (figure 20, source: Zpryme) 50% Private industry software companies 42% 41% 40% Systems integrators 27% 28% 30% Utility companies themselves 24% 14% 20% Other 9% 10% Private industry hardware companies 7% 9% 0% 10% 20% 30% 17 www.zpryme.com | www.smartgridresearch.org | www.viasat.com Copyright © 2013 Zpryme Research & Consulting, LLC All rights reserved. 40% 50% 0% Strongly agree Somewhat agree Somewhat disagree Strongly disagree ViaSat Presents: Utility Cybersecurity Study | January 2013 Need for Cybersecurity Legislation The second statement was: “The recent Senate-rejected Cybersecurity Act of 2012 was an important piece of legislation and greatly needed by the electricity industry.” A large majority (73%) agreed with this statement (19% strongly, 54% somewhat), while fewer (28%) disagreed (22% somewhat, 6% strongly). Nearly three-fourths of this sample believed the Cybersecurity Act should have been passed. The recent Senate-rejected Cybersecurity Act of 2012 was an important piece of legislation and greatly needed by the electricity industry. How much do you agree with this statement? (figure 21, source: Zpryme) 60% 54% 50% 40% 30% 20% 22% 19% 10% 6% 0% Strongly agree Somewhat agree Somewhat disagree Strongly disagree 18 www.zpryme.com | www.smartgridresearch.org | www.viasat.com Copyright © 2013 Zpryme Research & Consulting, LLC All rights reserved. ViaSat Presents: Utility Cybersecurity Study | January 2013 Zpryme Outlook Utilities are becoming increasingly cognizant of the fact that their electrical systems and networks face many credible threats. Smart Grid rollouts across the globe further provide more „entry ways‟ for potential threats to cause electrical disturbances. In the short-term, utilities will focus on preparing a plan of action to secure the most vulnerable part of the grid. Thus, field proven systems and technologies that can increase the security for end-users and the distribution system will be in high demand among utilities. The focus on Smart Grid cybersecurity will also demand higher budget allocation to technologies that enhance grid security. Although many utilities will hold-off on large scale cybersecurity investments until well defined standards are in place, forward looking utilities will be the first to install the best of breed cybersecurity, irrespective of costs and standards. The high demand for grid security products will bring multiple key and niche players in the market. However, niche players will face an uphill battle with utilities if they do not have previous experience working with the electrical sector. Creating a „hacker-proof‟ electrical grid is going to take five to ten years, but utilities with a long-term vision and plan to secure their grid will be best able to mitigate the losses associated with cyberattacks. 19 www.zpryme.com | www.smartgridresearch.org | www.viasat.com Copyright © 2013 Zpryme Research & Consulting, LLC All rights reserved. ViaSat Presents: Utility Cybersecurity Study | January 2013 About Zpryme Smart Grid Insights: White Paper Credits: Zpryme-powered Smart Grid Insights Publication, Practice and Advisory Board help organizations understand their business environment, engage consumers, inspire innovation, and take action. Zpryme Smart Grid Insights represents an evolution beyond traditional market research and consulting: combining sound fundamentals, innovative tools and methodologies, industry experience, and creative marketing savvy to supercharge clients‟ success. At Zpryme, we don‟t produce tables and charts; we deliver opportunity-focused, actionable insight that is both engaging and easy-to-digest. For more information regarding our custom research, visit: www.zpryme.com. Zpryme: Managing Editor Megan Dean Sr. Research Analysts Roger Alford, PhD Paula Smith Research Lead Stefan Trifonov Nivedita Wantamutte ViaSat (Expert Contributor): Brett Luedde (brett.luedde@viasat.com) Director, Critical Infrastructure Security Secure Network Systems Zpryme Smart Grid Insights Contact: smart.grid@zpryme.com | +1 888.ZPRYME.1 (+1 888.977.9631) www.smartgridresearch.org (Zpryme Smart Grid Insights) About ViaSat ViaSat delivers fast, secure communications, Internet, and network access to virtually any location for consumers, governments, enterprise, and the military. The company offers fixed and mobile satellite network services including Exede® by ViaSat, which features ViaSat-1, the world's highest capacity satellite; service to more than 1,750 mobile platforms, including Yonder® Ku-band mobile Internet; satellite broadband networking systems; and network-centric military communication systems and cybersecurity products for the U.S. and allied governments. ViaSat also offers communication system design and a number of complementary products and technologies. Based in Carlsbad, California, ViaSat has established a number of locations worldwide for customer service, network operations, and technology development. For more information about ViaSat, please visit: www.viasat.com/critical-infrastructure-security 20 www.zpryme.com | www.smartgridresearch.org | www.viasat.com Copyright © 2013 Zpryme Research & Consulting, LLC All rights reserved. Disclaimer: These materials and the information contained herein are provided by Zpryme Research & Consulting, LLC and are intended to provide general information on a particular subject or subjects and is not an exhaustive treatment of such subject(s). Accordingly, the information in these materials is not intended to constitute accounting, tax, legal, investment, consulting or other professional advice or services. The information is not intended to be relied upon as the sole basis for any decision which may affect you or your business. Before making any decision or taking any action that might affect your personal finances or business, you should consult a qualified professional adviser. These materials and the information contained herein is provided as is, and Zpryme Research & Consulting, LLC makes no express or implied representations or warranties regarding these materials and the information herein. Without limiting the foregoing, Zpryme Research & Consulting, LLC does not warrant that the materials or information contained herein will be error-free or will meet any particular criteria of performance or quality. Zpryme Research & Consulting, LLC expressly disclaims all implied warranties, including, without limitation, warranties of merchantability, title, fitness for a particular purpose, noninfringement, compatibility, security, and accuracy. Prediction of future events is inherently subject to both known and unknown risks, uncertainties and other factors that may cause actual results to vary materially. Your use of these and the information contained herein is at your own risk and you assume full responsibility and risk of loss resulting from the use thereof. Zpryme Research & Consulting, LLC will not be liable for any special, indirect, incidental, consequential, or punitive damages or any other damages whatsoever, whether in an action of contract, statute, tort (including, without limitation, negligence), or otherwise, relating to the use of these materials and the information contained herein. ViaSat Presents: Utility Cybersecurity Study | January 2013 INTELLLIGENT RESEARCH FOR AN INTELLIGENT MARKET SONSORED BY INTELLIGENCE BY ZPRYME | ZPRYME.COM | SMARTGRIDRESEARCH.ORG FOR MORE INFORMATION ABOUT VIASAT, PLEASE VISIT VIASAT.COM/CRITICAL-INFRASTRUCTURE-SECURITY