US energy sector faces critical cybersecurity challenges

A recent report by SecurityScorecard and KPMG LLP details significant cybersecurity vulnerabilities within the U.S. energy sector, highlighting the increasing risks associated with supply chain dependencies.

The report, titled "A Quantitative Analysis of Cyber Risks in the U.S. Energy Supply Chain," provides a thorough examination of cybersecurity threats faced by the 250 largest U.S. energy companies. The timing of this report is notable as regulatory bodies are stepping up cybersecurity measures in response to global discussions and initiatives.

SecurityScorecard's research reveals the prevalence of threats, such as ransomware attacks targeting IT systems, which can lead to major disruptions in the energy sector. The industry's shift towards renewable energy may enhance these vulnerabilities, as a more interconnected grid that relies heavily on software is more susceptible to cyberattacks.

Ryan Sherstobitoff, Senior Vice President of Threat Research and Intelligence at SecurityScorecard, stated, "The energy sector's growing dependence on third-party vendors highlights a critical vulnerability – its security is only as strong as its weakest link. Our research shows that this rising reliance poses significant risks. It's time for the industry to take decisive action and strengthen cybersecurity measures before a breach turns into a national emergency."

Key findings from the report demonstrate that third-party risks are particularly acute in the energy sector, accounting for nearly half of all breaches. This is considerably higher than the global average of 29%. Notably, 90% of companies that experienced multiple breaches were compromised via third-party vendors.

The report assigns the U.S. energy industry a "B" on cybersecurity based on SecurityScorecard's methodology, with 81% of companies scoring an "A" or "B" rating. However, the remaining 19% with lower scores present a substantial risk to the supply chain.

Software and IT vendors were identified as the primary source of third-party breaches, responsible for 67% of incidents studied, while renewable energy companies showed relatively weaker cybersecurity scores compared to their oil and natural gas counterparts.

Prasanna Govindankutty, Principal and Cyber Security US Sector Leader at KPMG, commented, "The energy industry is a complex system that is undergoing a generational transition with a heavy reliance on a steady supply chain. With geopolitical and technology-based threats on the rise, this complex system is facing an equally generational risk exposure that could harm citizens and businesses alike. Organizations that are able to quantify these risks and establish mitigation measures will increase their odds of success in the energy transition journey."

The report suggests several strategies for the energy sector to enhance its cybersecurity posture. These include prioritising risks from software and IT vendors, improving security around renewable energy sources, and learning from foreign ransomware attacks to bolster defences.

SecurityScorecard researchers studied 250 top U.S. energy companies, considering factors such as market capitalisation and the companies' positions within the oil, gas, and renewable energy sectors. The findings aim to assist the energy sector in strengthening its cybersecurity resilience amid evolving threats.