Commonwealth
https://www.cai-engr.com
245 West Michigan Avenue, Jackson, MI 49201
517.788.3000

Nov 21, 2024

Cyberattacks are a constant threat every industry needs to pay attention to. Threat actors are out there, looking for the most vulnerable. Unfortunately, a new study reveals that the U.S. energy sector is exactly that. Our energy sector supply chain is especially vulnerable to cyberattacks.


Power generation and delivery is obviously essential to the American way of life. So much so that, even as the debate continues over renewable power vs. fossil fuels, we cannot ignore security concerns. There are threat actors all over the world who would love nothing more than to disrupt our grid completely and permanently. It is incumbent upon the industry to make sure that this does not happen.


More About the Study


The study in question was conducted by KPMG and SecurityScorecard. Its authors focused on how energy is produced and delivered in the modern era, and on how threat actors might launch their cyberattacks. Here are three especially alarming statistics from their research:


  • 45% of energy sector breaches are related to third-party vulnerabilities.

  • 29% of the breaches across other industries are also related to third parties.

  • 90% of U.S. energy companies reporting repeated breaches cite third-party channels.


In plain English, the energy sector has a much higher rate of third-party-related cybersecurity breaches than the other industries examined in the report. Furthermore, among the energy companies reporting ongoing cybersecurity problems, the majority of their vulnerabilities lie down the supply chain.


What does this say about power generation and delivery? It means both are potentially at risk of severe disruption should threat actors work their way in and do their dirty work.


What Has Changed


A question on the minds of many is, "What has changed?" How has the energy sector become increasingly prone to cyberattacks over the last decade or so? According to Black Duck's Scott Johnson, the digital transformation has played a big role. It continues to do so.


Johnson describes energy companies as "software companies that deliver energy to their customers via software and technology." He is not wrong. The digital transformation has made power companies software-based deliverers of energy products. As the industry has transitioned to digital, it has thrown all of its proverbial eggs into that basket.


Wherever an industry relies so heavily on software to deliver products and services, there are vulnerabilities. But that alone does not explain why the energy sector is more vulnerable than other industries. The study's finding that third-party vendors are implicated in so many breaches offers an explanation.


Not on the Same Page


Maintaining maximum security across an organization's entire network requires security discipline both inside the organization and outside it. In terms of the latter, you are talking about third parties up and down the supply chain. An energy company can practice all the most stringent security strategies while simultaneously employing the best hardware and software on the market. But if third-party partners do not practice the same level of security, the energy company is only as strong as the weakest partner in the supply chain.


As the study points out, once threat actors gain a foothold within the network of a third-party vendor, they can begin moving across the supply chain. That is exactly what they do. And they are especially interested in energy sector companies because there is so much reward waiting for them.


The U.S. energy sector should absolutely continue to pursue renewable energy. Improving power generation is a must. But protection and controls are equally important, especially in the arena of cybersecurity. The fact that the sector is especially vulnerable to cyberattacks needs to change. We cannot afford any serious disruptions to energy production or the grid.
