Cleantech Market Intelligence
Smart Grid Governance a Work In Progress
After a month of researching smart grid governance for our upcoming report on the subject, I’ve been reminded of this exchange from the classic BBC sitcom Blackadder:
Blackadder: Baldrick, your brain is like the four-headed, man-eating haddock fish-beast of Aberdeen.
Baldrick: In what way?
Blackadder: It doesn’t exist.
It’s a bit harsh to say that smart grid governance doesn’t exist, but we have a ways to go before there is widespread deployment of genuine GRC – governance, risk management, and compliance – in smart grids, especially in industrial control networks. To set the scope, I considered the following as part of GRC:
- Cyber asset discovery and identification
- System of record for cyber assets
- Cyber asset-based risk assessment tools
- Document architectures, policies, and standards
- Change management
- Configuration management
- Accept asset, event, and compliance feeds from many systems
- Legislative and regulatory compliance capabilities
- Pre-built templates for relevant smart grid standards and regulations such as NERC CIP
- Preparation for and management of audits
This list comes with the standard cyber security disclaimer that many of these capabilities may be assigned to other areas of cyber security as well as GRC. As with nearly every assessment of smart grid cyber security vendors, I ended up with a mix of vendors that fit roughly into three categories:
- Large companies who offer their general purpose GRC products to utilities as well
- GRC specialists – companies that were formed specifically to sell GRC
- Niche specialists – who target a narrow, and possibly very successful, subset of GRC
All three sets of vendors have innovated, each in their own ways. Some of the specialists have been doing GRC for nearly two decades. That is surely impressive for a market often thought to be no older than Sarbanes-Oxley. But there is no vendor offering an entire GRC suite based upon the above list of capabilities. Maybe that’s okay, as the scope is rather wide.
Still, forced to choose between large companies with general purpose offerings or small companies with more focused offerings but not the same resources, I concluded that there are no leaders in this industry. That’s not surprising for a relatively new industry.
More challenging than identifying an industry leader was identifying a client base for any of the vendors that were profiled. Some very large vendors – and some of the innovators – could quote a list of utility customers in the 5-10 range, but clearly no GRC vendor has taken the utility market by storm. The obvious corollary to small client bases is that very few utilities have deployed smart grid GRC yet. Hence the reference to poor Baldrick.
So, smart grid GRC can be summarized as a new industry, with no established leaders, no company with a commanding market share, and the prospect of much legislation that has not yet been written. That looks an awful lot like a growth industry, and for me, fun to watch. But which way will it go? The way of cyber security, with many point solutions that may or may not someday form a working whole, or the way of the meter data management (MDM) market, wherein vendors compete to offer the most all-inclusive business-oriented solution for the market?
GRC solutions place a premium on business awareness and thoroughness – not something that can be said of cyber security disciplines such as encryption or embedded device protection. So let’s hope that GRC will go the way of MDM. There’s one other aspect of the MDM market that must be recalled: nearly all the MDM innovators have now been acquired by much larger companies.