Virtualization Technology News and Information
Article
RSS
67% of Energy Sector Breaches Linked to Software and IT Vendors, SecurityScorecard Reports
SecurityScorecard and KPMG LLP released a co-authored new cybersecurity research report on the 250 largest U.S. energy companies. In "A Quantitative Analysis of Cyber Risks in the U.S. Energy Supply Chain," security researchers and industry subject professionals provide a detailed analysis of cybersecurity vulnerabilities across the energy sector and its supply chains.

Novel insights into energy sector cybersecurity

This report arrives at a pivotal moment as regulatory bodies worldwide intensify cybersecurity requirements and initiatives for the U.S. energy sector. It aligns with global efforts to bolster cybersecurity across the energy supply chain, reflecting commitments made during the June 2024 G7 summit to enhance defenses against escalating cyber threats. The White House just convened the fourth round of International Counter Ransomware Initiative (CRI) meetings. CRI's 68 members issued a joint statement following the meeting, which continued "the joint commitment to develop a collective resilience to ransomware."  In parallel, the U.S. Department of Energy is actively convening energy sector leaders to advance the Supply Chain Cybersecurity Principles.

SecurityScorecard's latest research highlights frequent threats, such as ransomware attacks on conventional IT systems, which are often enough to cause widespread disruption across the energy sector. Much attention has been paid to potential attacks on industrial control systems (ICS) and operational technology (OT), which will continue to be a focus for risk mitigation. As the shift to cleaner energy accelerates, however, the sector's vulnerabilities may grow, as a greener, more interconnected grid becomes increasingly reliant on software, making it more susceptible to cyberattacks.

Ryan Sherstobitoff, Senior Vice President of Threat Research and Intelligence at SecurityScorecard, said: 

"The energy sector's growing dependence on third-party vendors highlights a critical vulnerability - its security is only as strong as its weakest link. Our research shows that this rising reliance poses significant risks. It's time for the industry to take decisive action and strengthen cybersecurity measures before a breach turns into a national emergency."

Key findings

  • Third-party risks are disproportionately high in the energy sector: Third-party risk drives almost half (45%) of breaches in the energy sector. This is significantly higher than the global rate of 29%. Additionally, 90% of companies that suffered multiple breaches were hit via third-party vendors.
  • U.S. energy scores a "B" on cybersecurity: The U.S. energy industry scores a "B" on average based on SecurityScorecard's scoring methodology. 81% of companies have either an A or B rating, but the remaining 19% with weak scores pose a significant risk to the entire supply chain. 
  • Software and IT vendors are the leading cause of third-party breaches: Software and IT vendors outside the energy sector are the main source of third-party breaches. Of the incidents studied, 67% of third-party breaches were due to software and IT vendors, with only four involving other energy companies.
  • Renewable energy companies fall behind: Oil & natural gas companies scored well above average with an "A-," while renewable energy firms lagged behind with a "B-" score.
  • Vulnerabilities condensed in key risk factors: 92% of companies had their lowest scores in just 3 of 10 risk factors: application security (40%), network security (23%), and DNS (Domain Name System) health (29%).

Cybersecurity recommendations for the energy industry

Based on this analysis, the SecurityScorecard STRIKE team offers actionable insights for enhancing cybersecurity in the energy sector:

  • Prioritize software & IT vendors: Focus on mitigating risks from software and IT vendors, which pose the highest third-party risks.
  • Emphasize product security in new acquisitions: Help ensure that new technology acquisitions are secure, following initiatives like CISA's "Secure by Design" and integrating the U.S. Department of Energy Supply Chain Cybersecurity Principles.
  • Prioritize the improvement of security around renewable energy sources: Strengthen security programs to protect against potential supply chain risks and geopolitical threats, particularly from nation-states. 
  • Prepare for disruptions and balance other risks: Prepare for disruption without neglecting the pervasive risk of data breaches and other common cyber threats. 
  • Learn from attacks on foreign targets: Gain valuable insights by studying ransomware attacks on foreign counterparts to improve resilience and cybersecurity defenses.
Prasanna Govindankutty, Principal, Cyber Security US Sector Leader, at KPMG, said: "The energy industry is a complex system that is undergoing a generational transition with a heavy reliance on a steady supply chain. With geopolitical and technology-based threats on the rise, this complex system is facing an equally generational risk exposure that could harm citizens and businesses alike. Organizations that are able to quantify these risks and establish mitigation measures will increase their odds of success in the energy transition journey."
Published Wednesday, October 23, 2024 11:37 AM by David Marshall
Filed under: ,
Comments
There are no comments for this post.
To post a comment, you must be a registered user. Registration is free and easy! Sign up now!
Calendar
<October 2024>
SuMoTuWeThFrSa
293012345
6789101112
13141516171819
20212223242526
272829303112
3456789