Industrial cyber-security suppliers face a shakeout
Published:  23 September, 2014

There are currently more than 160 suppliers of industrial cyber-security products, offering a variety of hardware, software and services, according to new research from IHS. It describes the market as “extremely immature” and predicts that there will be a shakeout. Although the market is likely to attract some new entrants, this will be largely offset by companies choosing to quit the business, and by acquisition-driven consolidation.

Unlike other parts of the industrial automation market, no one vendor dominates the cyber-security sector. Those with the highest market share tend to specialise in a particular region, industry sector or technology.

Many control systems currently in use are inherently insecure and are sustaining the market for “on-top” industrial cyber-security hardware, software and services. IHS points out that upgrades to such control systems are expensive and they typically need to run for many years to show a return-on-investment.

But the analyst adds that a “quiet revolution” is now underway which will lead to a new generation of inherently secure control systems. Vendors of control systems have united around the IEC 62443 standard (the international version of ISA-99) which, when finalised, will describe how to secure control system assets throughout their lifecycle (including development). While security was an afterthought for earlier generations of control systems, users are now pushing suppliers to restructure their products to implement security features that provide inherent protection.

So far, only parts of IEC 62443 have been released, but IHS expects all tier 1 vendors to offer IEC 62443-compliant products soon after the full standard and certification services are available.

It is likely that these products will have varying levels of capability. IEC 62443 specifies seven foundational requirements for building secure components and systems (identification and authentication control, use control, system integrity, data confidentiality, restricted data flow, timely response to events, and resource availability). It borrows some terminology from the world of functional safety: its security levels (SL) are analogous to safety integrity levels (SIL) and run from SL 1 to SL 4, with SL 1 protecting only against casual or coincidental misuse and SL 4 against deliberate attacks by well-resourced, highly skilled adversaries. However, a component's rated capability is not the same as the security level a deployed system actually achieves; that depends on how the asset owner integrates, configures and operates the component or system.

Figure: the global market for industrial cyber-security products, in $m. Dark blue bars represent sales of hardware, light blue software and green services. Source: IHS

IHS forecasts good, but not spectacular, revenue growth from industrial cybersecurity hardware, software and services, with an average annual growth rate of 12% from 2013 to 2019. During this period, the market will be sustained by the large number of legacy assets that need to be secured.

Over a longer 10–15 year timeframe, the demand for on-top hardware/software/services is likely to decrease, as fewer compensating controls will be needed to secure control systems that are already secure by design.

The largest “known unknown” remains legislation. IHS thinks that there is unlikely to be legislation affecting the process and discrete industries. One lesson from the NERC CIP standards (the mandatory cyber-security requirements for the bulk electric system in North America, enforced by NERC under FERC oversight) is that it is possible to spend a lot of money on compliance without necessarily improving security. That said, a major incident could change everything, with some governments feeling compelled to act.

IHS also notes how closely spending tracks profitability. The oil industry (both upstream and downstream) is a major spender on industrial cyber-security products because the high price of oil can support the investment. The water industry, by contrast, spends little on them despite its importance to society, because it consists of smaller companies whose prices are often set by regulators.