Do you have the energy for adjacent markets?
In today’s market, the hunt is on for adjacent markets -- those sweet spots where companies can bring solutions and technologies developed for one set of customers, and apply it to a new but similar customer or market.
It was with this in mind that I attended an IBM Corp. dinner on Monday to talk about cybersecurity and energy.
I hear a lot of government contractors talk about energy as an emerging market. The lack of a national energy policy has slowed its emergence, but with so much focus on decreasing cost and increasing effectiveness, the energy market will continue to grow.
And because it is a critical infrastructure that is primarily owned by commercial entities, and is highly regulated, there are a lot of requirements that crossover from government to private sector.
And as the electrical grid gets smarter, for example, a lot more IT needed to manage and operate it, cybersecurity is a bigger issue, again making it a good target for government contractors who are steeped in network operations and cybersecurity.
Attendees at the dinner included a range of electrical utility industry representatives, including Michael Kuberski, CIO of Pepco Holdings, a large power company, David Batz and Scott Aaronson of the Edison Electric Institute, an association of shareholder-owned electric companies, and Miles Keogh, director of grants and research with the National Association of Regulatory Utility Commissioners, which represents state utility regulatory commissioners.
One message came through loud and clear during the discussion; the last 18 months to two years, there has been a sea change in attitudes in executive suites of power companies. Cyber is no longer seen as just a cost factor, but as a requirement for doing business.
President Obama’s cybersecurity executive order has also pushed cyber to be a top priority in the c-suites of electrical utilities.
CEOs across the utility industry have made cybersecurity a priority, and you can imagine if you are a contractor who has been securing networks at the Defense Department and other national security agencies, you probably have the resume they are looking for.
Here are a couple areas I heard where government contractors can play a role:
First, bringing risk/benefits and risk mitigation processes. As the power grid gets smarter and brings more benefits such as renewable energy, better management and quicker recovery times, it also brings more points of vulnerability.
While no one used this term, I couldn’t help but think of the challenges described at the dinner as problems that could benefit from an enterprise systems engineering approach. In part, this kind of approach seeks to understand how different systems interact and impact each other.
A cyber attack isn’t a matter of if, but of when, so utility companies need help understanding and identifying the risks in information systems, physical security and power infrastructure. They also need to understand what is the impact of an attack because an attack on one part of the system can do more damage and cause more harm than another part of the system. This kind of information is critical for making sound business decisions on where to invest in cybersecurity and mitigation.
While the executive order on cybersecurity has been a benefit, there are some areas that need more attention.
One area is better coordination of incident response between local authorities, the utility companies and the federal government. Cyber legislation is likely needed here to foster more real-time reporting of incidents and to provide some liability coverage for utility companies.
For Aaronson, from the Edison Electric Institute, the power industry also is envious of some of the tools available to government agencies in areas of networking monitoring. An example is the cooperation that exists between the defense industry and defense and intelligence agencies such as the National Security Agency, and how they work together to monitor critical networks.
Another example that Aaronson used are the network monitoring and intelligence efforts put behind National Special Security Events, which are heightened security efforts around events such as national political conventions, NATO meetings, G8 summits and the Olympics.
Led by the Secret Service, the federal government moves into an area and identifies and mitigates risks surrounding a special event. Part of that includes working with the local utility companies.
But after the event, the special monitoring and security apparatus gets packed up and moved away.
“Every CEO [of a utility] who has participated in a NSSE has said, ‘I want that back,’” Aaronson said.
As part of the dinner IBM – which was very low key about it – a white paper was released, “Best Practices for Cyber Security in the Electric Power Sector.”
Four of the five best practices are ones that I think play to the strengths of government contractors as they try to move into this market:
- Security as risk management
- A fully integrated security enterprise
- Security by design
- Business-oriented security metrics and measurement
The fifth, change that begins at the top, is more focused on the culture of the utility companies, and on the need to have a c-level executive responsible for security and compliance of IT and operational technologies.
There also was a fair amount of utility industry jargon thrown around at the dinner that went over my head, so as you go after this adjacent market, do your homework on the FERC (Federal Energy Regulatory Commission) and PMAs (power marketing administrations). You probably need to know the difference between a distribution system and transmission system. And yes, there is a difference, but I’ll let you figure it out.
Posted by Nick Wakeman on Apr 03, 2013 at 9:03 AM