Vendors responsible for almost half of breaches in the energy sector, study finds


Critical US energy infrastructure might be unprepared for cyber risks in the current threat landscape, with nearly 1 in 5 companies rated as having poor cybersecurity evaluations, according to a new SecurityScorecard and KPMG study.

Analysis of 250 energy companies reveals that almost half (45%) of cybersecurity breaches in the industry were caused by third-party vendors, and IT vendors were responsible for two-thirds (67%) of those third-party breaches. Both percentages are significantly higher than the global averages.

What’s also alarming is that many US energy companies score poorly on cybersecurity. The study reveals that 19% of companies score C to F on the likelihood of a breach. Fewer than half of organizations (42%) received an A grade, while 39% got Bs.


The whole energy sector scores B on cybersecurity.

“The energy sector’s growing dependence on third-party vendors highlights a critical vulnerability – its security is only as strong as its weakest link,” said Ryan Sherstobitoff, Senior Vice President of Threat Research and Intelligence at SecurityScorecard.

“This rising reliance poses significant risks. It’s time for the industry to take decisive action and strengthen cybersecurity measures before a breach turns into a national emergency.”

Only three of the ten risk factors assessed account for most of the industry’s weak results: application security, network security, and DNS (Domain Name System) health produced the lowest scores at 92% of companies.

However, despite well-founded concerns about possible energy supply disruptions, many compromises in the energy sector are simple data breaches with no impact on infrastructure or the supply chain.

“40 breaches were publicly reported across 35 of the 250 companies, translating to 14% of the sample,” the report reads. “Compared to our S&P 500 study, where 21% of companies reported breaches within a year, the 14% figure appears more favorable.”

Most of the recent breaches were related to the MOVEit vulnerability. Ransomware remains a major threat: attackers are drawn by the large impact that operational downtime could cause, which increases the likelihood of payouts.

The study found that renewable energy companies had lower scores compared to other energy subsectors, signaling a “critical need for heightened cybersecurity measures.”


The researchers recommend that energy companies prioritize vetting their software and IT vendors.

“Focus on mitigating risks from software and IT vendors, which pose the highest third-party risks.”

Other recommendations include ensuring that new technology acquisitions are secure by design, preparing for disruption, balancing risks, and learning from attacks on foreign targets.