Energy firms need to up their game to protect against supply chain risks


The energy sector is facing a surge in supply chain risks thanks to a growing dependence on vendors, with two-thirds of breaches now coming from software and IT vendors.

In a report from SecurityScorecard and KPMG, ‘A Quantitative Analysis of Cyber Risks in the U.S. Energy Supply Chain’, security researchers and industry subject-matter professionals highlighted frequent threats such as ransomware attacks on conventional IT systems.

Researchers warned that as the shift to cleaner energy accelerates and a more interconnected grid becomes increasingly reliant on software, the energy sector’s vulnerabilities are only likely to grow.

"The energy sector's growing dependence on third-party vendors highlights a critical vulnerability — its security is only as strong as its weakest link," said Ryan Sherstobitoff, senior vice president of threat research and intelligence at SecurityScorecard.

"Our research shows that this rising reliance poses significant risks. It’s time for the industry to take decisive action and strengthen cybersecurity measures before a breach turns into a national emergency."

According to the report, third-party risk drives almost half of breaches in the energy sector - far above the global rate of 29%. More than nine in ten companies that suffered multiple breaches were hit via third-party vendors.

Moreover, software and IT vendors were identified as the leading cause of third-party breaches, accounting for 67% of incidents, with only four involving other energy companies.

Many of these stemmed from the MOVEit file transfer software vulnerability that was exploited by the Clop ransomware gang last year.

Application security, DNS health and network security were all highlighted as the sector's greatest security weaknesses.

The report comes as the US Department of Energy convenes energy sector leaders to advance the Supply Chain Cybersecurity Principles. The principles call on energy firms to focus more attention on mitigating risks from software and IT vendors, which pose the highest third-party risks.

As part of the scheme, operators should help ensure that new technology acquisitions are secure, implementing initiatives like CISA's Secure by Design and integrating the Department of Energy Supply Chain Cybersecurity Principles.

They also need to strengthen security programs to protect against potential supply chain risks and geopolitical threats, particularly from nation states, and study ransomware attacks on their foreign counterparts to improve their own resilience and cybersecurity defenses.

"The energy industry is a complex system that is undergoing a generational transition with a heavy reliance on a steady supply chain. With geopolitical and technology-based threats on the rise, this complex system is facing an equally generational risk exposure that could harm citizens and businesses alike," said Prasanna Govindankutty, principal, cybersecurity US sector leader at KPMG.

"Organizations that are able to quantify these risks and establish mitigation measures will increase their odds of success in the energy transition journey."

Emma Woollacott

Emma Woollacott is a freelance journalist writing for publications including the BBC, Private Eye, Forbes, Raconteur and specialist technology titles.