In a time when cyber threats are growing more sophisticated and pervasive, a new report by SecurityScorecard and KPMG LLP sheds light on critical cybersecurity vulnerabilities facing the U.S. energy sector. Titled "A Quantitative Analysis of Cyber Risks in the U.S. Energy Supply Chain," the report analyzes the cybersecurity performance of the 250 largest U.S. energy companies and their supply chains, with a particular focus on third-party risks.
Released at a pivotal moment, as global regulatory bodies intensify their focus on protecting critical infrastructure, the findings raise alarms about the sector's increasing dependence on third-party vendors and the resulting vulnerabilities.
One of the report's most striking findings is the disproportionate impact of third-party vendors on energy sector breaches. Third-party vendors were responsible for 45% of breaches in the energy sector—well above the global average of 29%. More alarmingly, 90% of companies that experienced multiple breaches were compromised through third-party connections. IT and software vendors were the leading source of these breaches, with 67% of incidents stemming from external software providers.
The U.S. energy sector scored a B average on SecurityScorecard's cybersecurity grading system, with 81% of companies receiving an A or B. However, the 19% of companies with weaker scores pose a significant threat to the entire energy supply chain. Renewable energy companies, in particular, were found to lag behind in security, scoring a B− on average, compared to A− for traditional oil and gas companies.
As the energy sector becomes more digitalized, interconnected, and reliant on software to drive operations, its attack surface widens significantly. The transition to greener energy also introduces new vulnerabilities. According to Ryan Sherstobitoff, Senior Vice President of Threat Research and Intelligence at SecurityScorecard, this dependency on third-party vendors creates a dangerous situation for the entire sector:
"The energy sector's growing dependence on third-party vendors highlights a critical vulnerability—its security is only as strong as its weakest link. Our research shows that this rising reliance poses significant risks. It's time for the industry to take decisive action and strengthen cybersecurity measures before a breach turns into a national emergency."
Sherstobitoff's concerns are amplified by the complexity of the energy supply chain, which involves multiple stages from production to distribution, each with unique vulnerabilities that could be exploited.
Several cybersecurity experts weighed in on the growing risks facing the energy sector.
Craig Jones, Vice President of Security Operations at Ontinue, noted the evolution of threats in line with technological advancements:
"As infrastructure becomes increasingly connected and reliant on digital systems, the potential attack surface for cybercriminals rises. We can expect to see more sophisticated attacks that exploit specific vulnerabilities in these systems moving forward. Furthermore, the ever-growing value of data may lead to more targeted ransomware attacks that aim to extract or encrypt particularly valuable or sensitive information."
Jose Seara, CEO and Founder of DeNexus, stressed the importance of quantifying cyber risks to enable better decision-making:
"Vulnerabilities in third-party software and remote access to industrial equipment are certainly among the top contributors to cyber risk today. It is imperative for these companies to better understand their cyber risks, identify them, and quantify them in monetary terms to drive data-driven decisions on cybersecurity investments."
Seara's emphasis on quantifying risk points to a broader need for proactive risk management: energy companies should maintain a clear playbook for responding to cyber incidents and should ensure that stakeholders understand the potential financial losses involved.
The push toward greener energy has led to the rapid expansion of renewable energy companies, but with that expansion comes security challenges. These companies often have smaller budgets and less mature security programs, making them an attractive target for cybercriminals.
Omri Weinberg, Co-founder and CRO at DoControl, expressed concerns over the vulnerability of renewable energy firms:
"Perhaps most concerning is what we're seeing with renewable energy companies. They're scoring notably lower in security ratings, likely because they're newer players with smaller budgets and less mature security programs. This is particularly worrying as we push toward greener energy sources."
Weinberg further emphasized the need for mandatory security standards for vendors working with critical infrastructure. While federal funding can help, energy companies must take action now, continuously monitor their vendors, and implement robust incident response plans to prevent supply chain breaches.
Based on their findings, the SecurityScorecard STRIKE team offers several recommendations for bolstering cybersecurity in the energy sector:
As the energy sector faces mounting pressure from geopolitical tensions, technological advancements, and regulatory shifts, the findings from SecurityScorecard and KPMG make it clear that cybersecurity must be a top priority. The interconnected nature of the sector's supply chain means that a breach at one point can ripple across the entire industry, disrupting critical services.
Prasanna Govindankutty, Principal and Cyber Security U.S. Sector Leader at KPMG, summarized the urgency of the situation:
"The energy industry is a complex system that is undergoing a generational transition with a heavy reliance on a steady supply chain. With geopolitical and technology-based threats on the rise, this complex system is facing an equally generational risk exposure that could harm citizens and businesses alike."
The path forward will require collaboration between energy companies, third-party vendors, and regulatory bodies to ensure that cybersecurity is embedded into every layer of the energy supply chain. The stakes are high, but by taking proactive steps now, the sector can mitigate risks and protect its critical infrastructure from potentially catastrophic cyber threats.
Follow SecureWorld News for more stories related to cybersecurity.