Lockheed Martin Corp. (LMT) is selling its military and intelligence expertise to electric utilities as the world’s largest defense contractor tries to exploit a U.S. push to guard power grids from terrorists and hackers.
Lockheed plans to enter the projected $1.3 billion market for utility cybersecurity next month with Palisade, a software program developed in partnership with American Electric Power Co. of Columbus, Ohio. The program alerts power companies to hacker intrusions and attacks on their electronic systems.
President Barack Obama’s administration proposed in May requiring utilities and other companies that operate “critical infrastructure” to develop cybersecurity plans that would be reviewed by commercial auditors. Companies could also work with the Department of Homeland Security to improve their plans.
Without adequate protection, the “smart grid” is “vulnerable to attacks that could result in widespread loss of electrical services essential to maintaining our national economy and security,” a Government Accountability Office report found in January.
Lockheed’s product gives utilities “the big picture of what’s really happening” within their networks, Rich Mahler, the company’s senior manager for cybersecurity in its energy solutions business, said in an interview. Bethesda, Maryland- based Lockheed suffered an attack on its own computer system last month.
The U.S. electricity network is increasingly becoming a smart grid as it is overhauled with advanced information technology. Power companies are installing next-generation digital meters in buildings while preparing to attach more renewable energy resources and as many as 1 million electric autos to the grid by the middle of the decade. All those innovations give hackers more ways to break into a network.
“Cybersecurity is being talked about at the CEO level” at U.S. utilities, David Batz, manager for security, infrastructure and operations at the Edison Electric Institute, a Washington- based industry group, said in an interview.
Investment in security for the computerized electrical grid is expected to increase to $1.3 billion in 2015 from about $800 million this year, according to Pike Research LLC, a Boulder, Colorado, firm that studies the clean-energy market.
IBM, which says it’s the market leader in power-company cybersecurity, is involved in about 150 smart-grid projects globally, with customers including Sempra Energy (SRE) of San Diegoand Japan’s Tokyo Electric Power Co.
“What we’re watching is an entire sector of the U.S. economy and the global economy modernizing,” Andy Bochman, an energy security specialist for Armonk, New York-based IBM, said in an interview.
Raytheon provides utilities with consulting services and software to protect their power grids, according to Charles Cartwright, who heads Raytheon’s integrated command systems business. The Waltham, Massachusetts-based company is working with utilities “mainly across the South,” he said in an interview.
Chicago-based Boeing won $8.56 million in pilot projects from the U.S. Energy Department to develop prototype smart-grid systems in collaboration with Consolidated Edison Inc. in New York and Southern California Edison Co., the department said last year.
Lockheed, which drew 84 percent of its $45.8 billion in sales in 2010 from government contracts, said the May 21 cyber attack on its system was the result of a data breach at security provider RSA Security, a unit of EMC Corp. of Hopkinton, Massachusetts. Lockheed detected the “significant and tenacious” threat “almost immediately” and no customer, program or employee information was compromised, according to a statement from the company.
“I’m sure it hurts their credibility a little bit,” Mark Weatherford, security chief at the North American Electric Reliability Corp., a U.S.-approved power-grid watchdog, said in an interview.
Lockheed was able to respond immediately, “which is something that a lot of companies could not have done,” Weatherford said. “If you’re in this business long enough, you’re going to get hacked.”
Lockheed opened a cybersecurity research center in Gaithersburg, Maryland, in 2009 to develop tools to fight electronic attacks. What the company learns from government work can sometimes be adapted for utilities, Mahler said.
Palisade runs on a utility’s existing networks, linking security components throughout the company’s computer and power- line system, according to Mahler.
“What we try to do is suppress a lot of the false alarms” so that utilities “can respond appropriately to the real ones,” he said.
American Electric, the biggest U.S. producer of coal-fueled electricity, received $75 million to make smart-grid upgrades under the 2009 U.S. stimulus law and teamed with Lockheed, which developed a new cybersecurity product for the utility’s network. The companies plan to run Palisade as a pilot project through 2012.
American Electric and Lockheed have been working with 15 other utilities, whose names haven’t been made public, to share the security threat information that the software provides.
“The sharing of threats from one company to another is really what this is all about,” Kevin Stogran, American Electric’s director of information risk services, said in an interview.
None of the other utilities working with Lockheed has committed to buy the software. A “majoroil company” is considering purchasing it, Mahler said. Lockheed officials have declined to say how much Palisade costs.
“Right now security is definitely not integrated into the grid,” Weatherford said during a briefing in Washington last week. “Security is bolted on,” he said.
At a minimum, utilities are required to meet cybersecurity standards of the North American Reliability Corp., established in 2008, or face penalties of as much as $1 million a day.
The Obama administration’s smart-grid blueprint, which includes protection against cyber attacks as a primary goal, aims to coordinate public and private efforts to upgrade the aging power grid. Members of Congress are considering legislation that would provide the Federal Energy Regulatory Commission greater authority to respond to a cyber attack.
The Government Accountability Office in January determined that the electric utility industry doesn’t have a way of measuring the effectiveness of cybersecurity efforts, and power companies lack a means for sharing information about threats to the grid.
“Utilities are focusing on regulatory compliance instead of comprehensive security,” according to the report.