New reliability rules put a charge in IT spending by utilities

Computerworld - LAS VEGAS -- The era of voluntary reliability standards for electric utilities ended Monday, and power companies now face a set of federally mandated rules that can cost them up to $1 million a day in fines if they turn the lights out on their customers.

But the day of reckoning for one industry is an opportunity for another -- namely, the IT industry. The new regulations are boosting IT spending by utilities, particularly for security technologies, according to analysts.

Spending on cybersecurity tools is now the fastest-growing segment of the utility software market in North America, said Christine Richardson, an analyst at IDC's Energy Insights unit in Framingham, Mass. Cybersecurity purchases are growing at an annual rate of 11.2%, compared with an overall growth rate of 7.1%, she said.

The new reliability rules have triggered "a huge rush from companies to have products to make sure they are compliant," said Richardson, who predicted that cybersecurity spending by utilities will increase to nearly $435 million by 2010.

The regulations stem from the Northeast Blackout of 2003, a cascading power outage that left 50 million people in eight U.S. states and Ontario without electricity and cost businesses billions of dollars in lost revenue. It was the result of a series of utility company mishaps -- from a failure to remove tree branches dangling over power lines to computer system errors.

The blackout prompted public outrage, similar to the complaints that followed the Enron and WorldCom accounting scandals and led to the passage in 2002 of the Sarbanes-Oxley Act, which set new financial reporting requirements on publicly traded companies.

In the utility industry's case, Congress ultimately decided that voluntary reliability measures were no longer working and imposed mandatory and enforceable standards for power providers via the Energy Policy Act of 2005.

The North American Electric Reliability Corp. (NERC), an industry-owned self-regulatory organization in Princeton, N.J., is responsible for enforcing compliance by utilities with the new standards. NERC said earlier this month that it will work with eight regional entities to monitor compliance and take enforcement actions when violations are identified (download PDF).

NERC spokeswoman Susan Boucher said the increased IT spending being prompted by the regulations is less expensive than the possible alternative: another blackout that wreaks havoc on customers and the economy. "Whatever money is being spent is not [equal to] the hit the economy takes when there is a blackout," Boucher said.

One vendor that has started aiming IT security products at the utility market is Hewlett-Packard Co. HP has adapted its Atalla network security and data encryption technology, previously used in ATMs and point-of-sale systems, to utility applications. Atalla subsystems are bundled into an umbrella offering called the Trusted Compliance Solution for Energy, which HP announced last month to provide utilities with hardware-based cryptography, authentication and other security services.