New Report Identifies Third-Party Vendors as Major Cybersecurity Threat to U.S. Energy Sector

The Rising Threat of Third-Party Risks in the U.S. Energy Sector

In an era where cybersecurity is paramount, a recent joint study by SecurityScorecard and KPMG has unveiled alarming statistics regarding the vulnerabilities within the U.S. energy sector. The findings indicate that nearly half (45%) of security breaches in this critical industry can be attributed to third-party vendors. This revelation underscores a pressing need for energy companies to reassess their cybersecurity strategies and strengthen their defenses against external threats.

The Scope of the Problem

The study, which analyzed data from the 250 largest U.S. energy companies, highlights a concerning trend: over 90% of companies that experienced multiple cybersecurity breaches were compromised through third-party risk. This figure stands in stark contrast to a global average of 29% for supply chain breaches across other industries, and it shows that once an energy company has been breached repeatedly, the path in has almost always run through a vendor rather than through the company's own perimeter.

Among the breaches analyzed, a significant portion—67%—was linked to external software and IT providers, while 22% involved other energy companies. This reliance on third-party vendors creates a complex web of vulnerabilities that can have far-reaching consequences.

The MOVEit Vulnerability: A Case Study

One of the most notable findings from the study was the identification of the vulnerability in the MOVEit file transfer software as the largest single contributor to third-party breaches in the energy sector: in 2023 it accounted for a staggering 39% of those third-party breaches. The lesson is that a single widely deployed product, often run by a vendor rather than by the energy company itself, can expose a large share of the sector at once. Energy companies therefore need to know which file transfer and other shared-service products their vendors operate on their behalf, and to require that those vendors patch and report on them to stringent, contractually defined standards.

The Call for Action

Experts in the field are sounding the alarm about the implications of these findings. Prasanna Govindankutty, a principal for cybersecurity at KPMG, emphasized the generational risk exposure faced by the energy sector due to geopolitical and technology-based threats. He stated, “With geopolitical and technology-based threats on the rise, this complex system is facing an equally generational risk exposure that could harm citizens and businesses alike.”

Ryan Sherstobitoff, Senior Vice President of Threat Research at SecurityScorecard, echoed this sentiment, noting that the energy sector’s growing dependence on third-party vendors poses significant risks. He urged the industry to take decisive action to bolster cybersecurity measures before a breach escalates into a national emergency.

Key Takeaways from the Study

The SecurityScorecard and KPMG report provides several critical insights into the state of cybersecurity in the energy sector:

  1. High Third-Party Risk: Third-party risks are disproportionately high in the energy sector, driving almost half (45%) of breaches.
  2. Cybersecurity Ratings: The U.S. energy sector received a “B” rating on cybersecurity, with 81% of companies rated A or B. However, the remaining 19% with weak scores pose a significant risk to the entire supply chain.
  3. Vendor Vulnerabilities: Software and IT vendors are the leading cause of third-party breaches, accounting for 67% of incidents.
  4. Performance Disparities: Fossil fuel companies scored better than their renewable counterparts, with oil and natural gas firms achieving an “A” rating compared to the “B” score of renewable energy firms.
  5. Key Risk Factors: Vulnerabilities were concentrated in three key risk factors: application security (40%), network security (23%), and DNS (Domain Name System) health (29%).

The Need for Collective Defense

The rising threat to the energy sector, particularly from third-party vulnerabilities, highlights the urgent need for a collective defense approach. Emily Phelps, director at threat intelligence provider Cyware, emphasized that organizations can no longer afford to operate in silos. She stated, “Collaboration between trusted companies and industries, alongside the operationalization of threat intelligence, is critical to staying ahead of attackers.”

By turning intelligence into actionable insights, organizations can identify risks earlier, coordinate defenses, and reduce response times to potential threats.

Addressing Aging Infrastructure

Another significant challenge facing the U.S. energy sector is the prevalence of legacy systems. Willy Leichter, CMO at security provider AppSoc, pointed out that the slow, deliberate nature of software update processes leaves the sector vulnerable to supply chain attacks. He noted, “Given the risk involved, it’s understandable that patches are viewed with suspicion and must be thoroughly vetted, which unfortunately leaves known vulnerabilities exposed for extended periods.”

To mitigate these risks, energy companies must find more agile ways to decouple software updates from operational infrastructure, so that a fix can be tested and deployed without taking production systems offline. In practice that means maintaining representative staging environments in which patches can be vetted quickly, and applying compensating controls such as network segmentation and restricted vendor access while a known vulnerability is still waiting on a validated patch.

Proactivity is Key

Experts agree that a proactive approach is essential for energy companies to safeguard their critical infrastructure. Phelps stressed that relying solely on reactive measures could leave businesses exposed to recurring threats. “Only through shared intelligence and coordinated efforts can we address these complex, evolving risks effectively,” she stated.

Conclusion

The findings from the SecurityScorecard and KPMG study serve as a wake-up call for the U.S. energy sector. With third-party risks driving nearly half of all security breaches, it is imperative for companies to reassess their cybersecurity strategies and take decisive action to strengthen their defenses. By fostering collaboration, embracing proactive measures, and addressing aging infrastructure, the energy sector can better protect itself against the rising tide of cyber threats. The time to act is now—before a breach becomes a national emergency.
