This article lists factors that would inhibit the growth of the market for security offerings and services for industrial automation.
The cyber security market for industrial control systems (ICS) did not exist just 10 years ago, but a sequence of well-known events has made it extremely important. Higher levels of integration, pervasive connectivity, cyber crimes, more sophisticated attacks, terrorism, and most recently, threats of “cyber warfare” have certainly raised the visibility of ICS cyber risks. There is growing awareness that significant ICS cyber security planning and investment is a compulsory part of business and government as well.
- Lower priority for business managers Most business managers still see security as a technical issue that is being handled by the IT organization. This tends to make budget justification and prioritization more difficult compared to more visible business issues and initiatives. Adding to this, most businesses do not seem to know how much they spend on cyber security, reducing the likelihood that it will receive attention.
- Business case from financial point of view It is still difficult to demonstrate a cyber security business case. Security components and practices are costly but they do not have a positive effect on system or business performance. Instead, security practices prevent possible negative events. The difference may be subtle but important for understanding how to justify security spending.
- Lack of data to backup the security business case Lack of industry visibility to actual incident information including frequency, operational consequences, costs, and related prevention methods makes it difficult to get beyond the same tired old stories and develop a sense of realism about the situation. This realism is necessary to convince some, such as operations managers who are inclined to wait until they actually encounter the problem themselves.
- Increasing complexity dampers feasibility of deploying security in complex infrastructures (e.g. Heterogeneous networks) Security technology is getting extremely complicated, making it more difficult to create a sound architecture and effectively manage the resulting system. IPS and IDS are good examples; some investment in ongoing tuning is necessary to be most effective.
- In house security Many businesses are inclined to handle security internally. This not only inhibits the growth of third-party services, but also the shortage of skilled staff delays the adoption of additional solutions and the development of new practices.
- ICS overshadowed by physical security ICS cyber security is only one part of the general security issue. Physical security issues are more apparent and easier to appreciate. Furthermore, budget managers tend to have little understanding of the unique risks associated with ICS.
- Ranking certain industries less critical impacts motivation to implement security in certain situations Some industries have been identified as critical infrastructure industries, implying that others have less to worry about. While the likelihood that terrorist attacks is lower, the risk of other threats, such as criminal activities, is equally high for all industries.
- Mistaking regulations/conformance with security Regulations in some industries run the risk of being viewed as “guaranteeing security,” resulting in users doing too little and inhibiting further investment. Furthermore, technically specific regulations can run the risk of inhibiting innovation and adopting more effective solutions.
|Labels: marketing, security, networking, automation|