
IHS on industrial cybersecurity

Hydrocarbon Engineering,

According to IHS, the market for industrial cybersecurity products remains extremely immature, with currently over 260 vendors offering a wide range of hardware, software and services. In contrast to other parts of industrial automation markets, no one vendor dominates; and those with the highest market share typically specialize in a particular region, industry sector or technology.

IHS believes that there will ultimately be a shake out – although the market will attract some new entrants, this will largely be offset by companies choosing to exit the business and by acquisition-driven consolidation.

Control systems already in use will sustain the market for ‘on-top’ industrial cybersecurity services (control system upgrades are expensive and must be kept in place for many years to show a return on investment); many of these systems are inherently insecure.

IHS holds that a quiet revolution is already taking place. Vendors of control systems have united around IEC 62443 (the international version of ISA-99), which when finalised will describe how to secure control system assets throughout their lifecycle. Whereas security was an afterthought in earlier generations of control systems, asset owners have pushed suppliers to restructure their products to implement security features that provide some inherent levels of protection. Only parts of the IEC 62443 standard have been released so far; but once the standard and certification services are available, all tier 1 vendors are expected to soon offer an IEC 62443 product.

It is likely that these products will have different levels of capability. IEC 62443 has seven major criteria for building secure components/systems. The security levels (‘SL’) are analogous to safety integrity levels, ranging from 1 to 4 (SL 1 being the least secure, SL 4 being the most secure), although the final security level depends on how the asset owner implements the component or system.

Overall, IHS projects a good but not spectacular growth rate for industrial cybersecurity hardware, software and service revenues, with an annual average growth rate of 12% from 2013 to 2019. The market will be sustained by the high number of legacy assets which require securing. Over a much longer 10-15 year timeframe, the demand for on-top hardware/software/services is likely to decrease, as fewer compensating controls will be required to secure control systems that are secure by design.

The largest unknown remains legislation. IHS believes that legislation affecting the process and discrete industries is unlikely, as one of the lessons of NERC-CIP (industrial cybersecurity legislation affecting the power industry in North America) is clearly that it is possible to spend a lot of money without necessarily improving security. That said, all bets are off should a major incident occur; some government will be compelled to ‘do something’.

The effect of investment on profit is also a concern: the oil industry (both upstream and downstream) is one of the major spenders on industrial cybersecurity products, as the high price of oil can support investment. However, the water industry, despite its importance to society, is not a major spender on these products, as it comprises smaller companies with prices often set by regulators.

Adapted from a press release by Emma McAleavey.
